Exeon: EDR requires NDR for comprehensive security

Zurich, August 29, 2022 - Swiss security firm Exeon Analytics warns against relying solely on traditional endpoint detection and response (EDR) solutions to secure endpoints. Numerous endpoints in modern, hybrid networks do not support the agents needed to do so, and where such agents are running, they can potentially be leveraged and disabled by sophisticated attacks. In addition, because of the trend toward working from home and BYOD (Bring Your Own Device), IT and security teams often don't have access to privately owned employee endpoints that may also be used by additional family members.

"EDR solutions provide real-time insights into endpoints and detect threats such as malware and ransomware," explained Gregor Erismann, CCO of Exeon Analytics. "By continuously monitoring endpoints, security teams can detect malicious activity, investigate threats and take appropriate action to protect the enterprise. However, because EDR only provides visibility into endpoints, many security gaps and challenges remain, significantly increasing the risk of undetected cyberattacks."

Many endpoints are not supported by EDR

These risks, in addition to the possible disabling of EDR agents on endpoints, include the misuse of the "hooking" technique that EDR uses to monitor running processes. It allows EDR tools to monitor programs, detect suspicious activity and collect data for behavior-based analysis. However, attackers can also use the same technique to access a remote endpoint and import malware.

Endpoints not supported by EDR primarily include legacy switches and routers, but also a variety of IoT and IIoT devices, which can thus become a gateway for malware to enter unnoticed. Another problem for EDR solutions can be SCADA environments, where individual critical systems may be outside the control of the company and thus outside the security scope of the EDR.

NDR as a remedy

"Network Detection and Response (NDR) provides a very effective way to close these types of security gaps," said Erismann. "One of the big advantages of log data-based NDR solutions like ExeonTrace is that they cannot be disabled by attackers and thus the detection algorithms cannot be bypassed. Even if an attacker is able to compromise the EDR system, suspicious activity will still be recorded and analyzed. The combination of EDR and NDR thus creates a comprehensive security system for the entire network."

Moreover, NDR not only enables monitoring of network traffic between known network devices, but also identifies and monitors unknown devices. Such solutions are therefore an effective means against the dangers of uncontrolled shadow IT. In addition, NDR also integrates end devices without EDR agents into the network analysis and thus into the company-wide security strategy. Finally, NDR uses log data analysis to detect misconfigured firewalls and gateways, which can otherwise also act as gateways for attackers.

Because NDR solutions like ExeonTrace do not require agents, they provide complete visibility of all network connections and data flows. As a result, they provide a better view of the entire enterprise network and all potential threats within it. In addition, network-based data collection is significantly more tamper-proof than agent-based data, making it easier to meet compliance regulations. This is especially true for digital forensics as required by regulators.

NDR with ExeonTrace

The ExeonTrace NDR solution is based on the analysis of network log data and therefore does not require traffic mirroring. ExeonTrace's algorithms are specifically designed for metadata analysis and are therefore not affected by increasing encrypted network traffic. Since ExeonTrace does not require additional hardware and enables the analysis of multiple data sources including native cloud applications, the solution is particularly suitable for highly virtualized and distributed networks.

Press Contact: Gregor Erismann, CCO Exeon Analytics, gregor.erismann@exeon.com, +41 78 797 05 09