NDR, EDR and XDR – More than just buzzwords?


NDR, EDR and XDR – these buzzwords often cause confusion among IT decision-makers who are responsible for their company’s cybersecurity. In many cases, due to the numerous offers and the differently advertised scopes of services, it is not clear what exactly is hidden behind these terms and which of the technologies really help in today’s fight against cyber attacks. It is, therefore, all the more worthwhile to take a closer look at these technology concepts.

Redefining cybersecurity with AI

Cyber actors are getting bolder and more astute day by day. Nevertheless, many companies still rely on traditional prevention strategies, such as firewalls or signature-based antivirus software. But once these measures are overcome, hackers may have unrestricted access to a victim’s network, where they can steal data unnoticed, maliciously encrypt it, or even threaten to sell or publish it.

That such attacks can often result in enormous damage is clear to most responsible parties. However, the many successful ransomware attacks show that companies still have a lot of awareness work to do when it comes to cybersecurity.

According to the cybersecurity survey by CrowdStrike and the independent research company Vanson Bourne, almost 60 percent of German companies surveyed were victims of a ransomware attack at least once in 2020 alone.

Companies, therefore, urgently need to address the ever-evolving threat landscape and rely on AI-powered security concepts to best protect their data and employees. But what offers the best protection? NDR, EDR or XDR?

AI-based security solutions

NDR (Network Detection & Response) is a security solution that deals solely with the log and packet data from the network level. Using AI as a tool, this technology analyzes network traffic and learns normal operations on the network. As soon as any deviations occur, the system sends an alarm.

NDR provides SOC teams with enhanced visibility across the network to detect the behavior of potentially hidden attackers. But endpoints such as laptops, mobile phones, and even cloud environments also generate telemetry that must be analyzed and flagged when unusual incidents occur. This is handled by the so-called EDR security technology (Endpoint Detection & Response).

EDR (Endpoint Detection & Response) continuously analyzes the data generated at the endpoint, but it also collects large amounts of network data, just like NDR. This is where it gets interesting: ultimately, it means that with the right EDR technology, NDR can also be realized.

This is particularly important in light of the ever-changing network environment. The cable jungles known from earlier times no longer exist today and the ongoing COVID-19 pandemic has contributed to a major shift from office work to the home office.

The current world of work is characterized by remote work and with it, more and more infrastructure is shifting to the cloud.

As the traditional NDR approach quickly reaches its limits here, EDR and endpoint protection are becoming increasingly important, as this is where important and critical data is increasingly collected, processed and analyzed.

Plus, endpoints are also becoming more diverse. Where once the focus was primarily on computers and physical servers, today it is on mobile devices, laptops and cloud environments. Nowadays, companies often have to keep an eye on thousands of endpoints at the same time. And the more endpoints that are operated, the more alarms there can be that SOC analysts must analyze in a time-consuming manner.

In recent years, specialists have therefore continued to develop the classic EDR approach to capture more and more potential data sources. But with the evolution of cloud infrastructure finding its place in the world’s enterprises and the increased use of SaaS and PaaS becoming the norm, these previous modifications to the EDR approach are no longer sufficient. Where their implementation and execution fails or is inadequate, XDR comes into play.

XDR as a logical further development of NDR and EDR

XDR (Extended Detection & Response) combines traditional security solutions into a unified system providing total protection and visibility across an organisation’s network.

With XDR solutions providing all-encompassing protection, it no longer matters where data resides. By linking NDR, EDR, behavioral analytics and automation under a holistic XDR platform, it becomes easier for security teams to detect and defend against attacks early before any damage is done. Data sets from different sources in the enterprise have different languages.

By using XDR technology, these are brought down to a common denominator, i.e., a common language. The technology then contextualizes, processes, and correlates the resulting datasets to provide additional context and, most importantly, to identify threats.
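The "common language" idea above can be made concrete. The following is an added example, not code from the article or from CrowdStrike: two constructed telemetry sources, an endpoint (EDR) feed emitting JSON events and a network (NDR) sensor emitting flow records as text lines, are mapped onto one common schema and then correlated by host, destination and time. The asset inventory `HOST_BY_IP`, the sample events, the field names and the thresholds are all assumptions made for the example.

```python
"""Toy XDR-style normalisation and correlation (added example, not CrowdStrike code).

Two constructed telemetry sources speak "different languages":
  - an endpoint (EDR) source emitting JSON process/network events
  - a network (NDR) source emitting flow records as syslog-like text lines
Both are mapped onto one common schema and then correlated by host and time.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# --- constructed sample telemetry (not real data) -------------------------
EDR_EVENTS = [
    '{"ts":"2024-05-01T10:00:00Z","hostname":"ws-042","event":"process_start","image":"C:\\\\Tools\\\\rclone.exe","pid":4242,"user":"jdoe"}',
    '{"ts":"2024-05-01T10:00:03Z","hostname":"ws-042","event":"net_connect","pid":4242,"dst_ip":"203.0.113.9","dst_port":443}',
    '{"ts":"2024-05-01T10:05:00Z","hostname":"ws-017","event":"process_start","image":"C:\\\\Windows\\\\notepad.exe","pid":811,"user":"asmith"}',
]
NDR_FLOWS = [
    "2024-05-01T10:00:05Z flow src=10.0.5.42 dst=203.0.113.9 dport=443 bytes_out=734003200 proto=tcp",
    "2024-05-01T10:05:10Z flow src=10.0.5.17 dst=198.51.100.4 dport=443 bytes_out=1200 proto=tcp",
]
# Asset inventory (constructed): the common denominator that lets us join
# IP-keyed network data with hostname-keyed endpoint data.
HOST_BY_IP = {"10.0.5.42": "ws-042", "10.0.5.17": "ws-017"}

FLOW_RE = re.compile(r"^(?P<ts>\S+) flow (?P<kv>.*)$")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_edr(line):
    """Map one EDR JSON event onto the common schema."""
    raw = json.loads(line)
    return {
        "ts": _parse_ts(raw["ts"]),
        "host": raw["hostname"],
        "source": "edr",
        "kind": raw["event"],
        "attrs": {k: v for k, v in raw.items() if k not in ("ts", "hostname", "event")},
    }


def normalize_ndr(line):
    """Map one NDR flow line onto the common schema, resolving the source IP to a host."""
    m = FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    kv = dict(part.split("=", 1) for part in m.group("kv").split())
    return {
        "ts": _parse_ts(m.group("ts")),
        "host": HOST_BY_IP.get(kv["src"], kv["src"]),
        "source": "ndr",
        "kind": "flow",
        "attrs": {"dst_ip": kv["dst"], "dst_port": int(kv["dport"]),
                  "bytes_out": int(kv["bytes_out"]), "proto": kv["proto"]},
    }


def correlate(events, window=timedelta(seconds=30), min_bytes=100 * 1024 * 1024):
    """Join EDR and NDR events on host + destination inside a time window.

    A finding is raised when an endpoint process connects to a destination and the
    network sensor then sees a large outbound flow from the same host to the same
    destination within `window`. Each finding carries context from both sources.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        procs = {e["attrs"]["pid"]: e for e in evs if e["kind"] == "process_start"}
        conns = [e for e in evs if e["kind"] == "net_connect"]
        flows = [e for e in evs if e["kind"] == "flow"]
        for c in conns:
            for f in flows:
                same_dst = (f["attrs"]["dst_ip"] == c["attrs"]["dst_ip"]
                            and f["attrs"]["dst_port"] == c["attrs"]["dst_port"])
                in_window = timedelta(0) <= f["ts"] - c["ts"] <= window
                if same_dst and in_window and f["attrs"]["bytes_out"] >= min_bytes:
                    proc = procs.get(c["attrs"]["pid"])
                    findings.append({
                        "host": host,
                        "dst": f"{f['attrs']['dst_ip']}:{f['attrs']['dst_port']}",
                        "bytes_out": f["attrs"]["bytes_out"],
                        "process": proc["attrs"]["image"] if proc else None,
                        "user": proc["attrs"]["user"] if proc else None,
                        "sources": ["edr", "ndr"],
                    })
    return findings


def run():
    """Normalize both feeds and return the correlated findings."""
    events = [normalize_edr(l) for l in EDR_EVENTS] + [normalize_ndr(l) for l in NDR_FLOWS]
    return correlate(events)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Neither feed on its own tells the analyst much: the EDR sees a process open a connection, the NDR sees a large outbound flow from an IP address. Only after both are expressed in the same schema, with the IP resolved to a hostname, can the two observations be joined into one finding that names the host, the user, the process and the volume transferred, which is the kind of context the text describes XDR adding.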

The efficiency of the XDR approach comes from the retrievability of data. The XDR technique does not analyze every data set all the time; instead, it continuously collects only the most important ones.

However, for specific incidents and situations, the XDR approach can retrieve all the additional data needed for that purpose on demand. This means that data is always available when it is needed, which is essential for XDR.

XDR enables full access to the right information at the right time, regardless of the type of data, so that anomalies can be specifically investigated and countermeasures initiated if necessary. This not only avoids unnecessary data floods and enables concentration on the essential data, but also sharply separates XDR from SIEM solutions that first collect everything and then try to make something out of the resulting mass of data. Moreover, because XDR solutions work with the right amount of data at the right time, their algorithms and AI processes are more efficient: the system has to process less unnecessary data, which greatly facilitates the work of the security team.

What do companies need to consider?

For an XDR solution to work without errors in a company, the company first needs to fully understand its existing security problem. Only then can those responsible make the right technological decisions in the first place, which will ensure efficient use of XDR technology.

In this context, it is important to understand that companies operate in an increasingly complex IT environment that is ever-evolving and ever-changing. This is compounded by new vulnerabilities and a threat landscape that is also constantly evolving. This means that in six to 12 months, companies will be facing very different security issues than they are today. All parties involved have to factor this in. The XDR solution used must be designed and deployed in such a flexible and hybrid way that it can master not only current problems but also challenges of the future – since no company can afford to have security gaps or to implement the wrong security solution.

In addition, companies must not make the mistake of relying solely on technology. Humans are and will remain a central aspect for the success of a security strategy, even with XDR solutions. And it is not only the technology that must evolve with the growing challenges; human knowledge and skills of the security teams must also grow in parallel.

Collaboration between people and technology will always be necessary for a security system to work. While technologies help automate operations and analyze large amounts of data faster and better, security concepts always require an understanding of the environment that needs to be protected, and this is where people play a central role.

How to find a real XDR solution?

XDR is a big buzzword in the industry and has seen a huge surge in popularity in a short period of time. In practice, much like the early overuse of ML, it is used for many different things. Many security vendors are unable to provide the precise, contextual insights needed to implement a true XDR solution. So the first important thing is for decision-makers to never lose sight of the goal of their security strategy: preventing all types of breaches, at all times and no matter how IT environments or threats evolve in the future. Security products must not be implemented based on a name alone; companies must take a close look at what each technology can do and what human expertise is needed to be truly protected in the end.

To find a genuine XDR solution in the jungle of offerings, companies should therefore pay attention to the following points, among others. Does the solution offer more than just network and endpoint data processing? A true XDR solution must be up to the challenge of operationalizing the enormous and ever-growing volumes of data generated across our digital environments, from our cloud services to our desktop machines. Each device, service, or application generates information that, once combined, can provide extremely useful insights into how our networks are being used. From a security point of view, these insights allow us to identify issues and, more precisely, to stop breaches.

The chosen security vendor must also be able to provide the precise, contextual insights their customers need to deploy XDR effectively and, finally, to stop breaches with few or no false positives.

Without the right technology, customers are left with large, complex data sets that lack context, causing security teams to miss key insights. An XDR solution must be able to capture and correlate data from multiple logs, applications or feeds to deliver actionable insights and real-time protection.

In addition, a true XDR approach must be open to any changes in IT infrastructure and flexible enough to adapt, so that it truly protects organizations now and in the future. Only a solution that can do all this is called an XDR solution by security experts.

This opinion piece was written by Zeki Turedi, EMEA chief technology officer at Crowdstrike.
