In an EDR-focused world, you still need network visibility
By Matt Wilson
Sr. Director Product Management
Gartner includes 72 different products in their Endpoint Detection and Response (EDR) Solutions Directory, each vying for a slice of the global EDR market, which is expected to grow from $1.76 billion in 2020 to $6.72 billion by 2026. There are good reasons why this market is thriving and we’re increasingly living in an EDR-focused world. Agent-based endpoint detection has demonstrated clear value in protecting endpoints, and in many ways provides unique visibility into local processes.
However, EDR has a number of flaws when it comes to securing modern enterprise networks that consist of applications and data distributed across multi-cloud, on-premise, and legacy infrastructure, being accessed by mobile and remote workers. In this Atomized Network, complexity and fluidity create gaps that EDR simply can’t address.
The complex mix of endpoints
One of the challenges with EDR is that users find it burdensome to install and maintain agents on every cloud workload across their environment. But an even greater challenge is the fact that not every networked device is capable of supporting an agent.
The EDR market was formulated well before an explosion of Internet of Things (IoT) devices started connecting to corporate networks. IoT devices don’t have huge compute stacks, so their operating systems can’t support the additional code that EDR must roll out to every endpoint it protects. Serverless platforms, like Amazon Kinesis, have similar limitations when it comes to loading code. While these platforms allow you to run code, you can’t access the underlying operating system to load an agent. Plenty of old-school endpoints, like routers and switches, also don’t support EDR, yet their operating systems can get compromised with malware – and they have. From VPNFilter, which has been compromising routers and IoT devices for years, to Enemybot, recently discovered hijacking the computational resources of a wide range of unprotected endpoints for purposes including DDoS attacks and crypto-mining, there is no shortage of examples.
Finally, no one envisioned the acceleration of digital transformation over the last two years and the need for critical infrastructure sectors to quickly connect their operational technology (OT) networks to their IT networks and out to the cloud. Supervisory Control and Data Acquisition (SCADA) and Industrial Control System (ICS) environments are prevalent on OT networks, and these proprietary, legacy systems typically don’t support endpoint agents, which puts them at risk of attack. The most recent warning came on April 13, 2022, when the Department of Energy (DOE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) issued a joint advisory warning of threat actors targeting SCADA/ICS devices to disrupt critical devices or functions.
Control and connections are fluid
Many devices connecting to your Atomized Network are also simply out of your control. SCADA and ICS equipment fall into this category. Sometimes critical infrastructure companies don’t control these systems, the manufacturer does, and any change to a system can void a warranty. Building Management Systems that every company relies on to run HVAC systems, lights, and elevators are another example.
Equally concerning is the bring-your-own-device (BYOD) environment that employees and contractors operate in; keeping up with and protecting personal devices is difficult. That is not to mention the rogue devices you aren’t even aware of because of the work-from-anywhere model – digital assistants, smart TVs, automotive systems, and 3D printers, to name a few – and the myriad home and Wi-Fi networks they connect to.
In a pure EDR world you wouldn’t even know about a new endpoint connected to your network that wasn’t running your EDR solution, or if a misconfiguration or failure to load an agent was preventing the device from being protected, because you’re blind to the network.
Network visibility closes the gaps
EDR is a powerful tool. But in the Atomized Network, EDR leaves cracks in your security stack. So, organizations also need a detection approach that is agentless and passive for more comprehensive protection as they expand their cloud footprint.
Netography fills the gaps, complementing EDR to provide complete coverage of all your endpoints. We do this by living off the land, collecting metadata in the form of flow data. Metadata is available for free across your multi-cloud, on-premises, and hybrid environment and is all you need for complete network visibility. The use of metadata allows for a very light deployment. There’s no hardware, no software, nothing to install – so it’s ideal for devices that aren’t capable of supporting an agent.
Additionally, Netography’s SaaS-based platform watches network traffic and doesn’t rely on knowledge of the device, giving you the capability to see anomalous traffic and behavior across your entire enterprise network footprint. This includes visibility into communications by endpoints you don’t control or don’t know about. A single portal provides a unified view of all your data, across your entire ecosystem, enriched with business and threat intelligence, to provide a complete picture of what’s happening so you can pinpoint malicious activity.
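The gap the last few paragraphs describe, an endpoint that is talking on the network but never checked in with an EDR agent, is something flow metadata alone can surface. The script below is an added illustration, not Netography's code or any part of its platform: it reads a small set of constructed NetFlow-style records, builds the set of internal hosts seen in the flows, subtracts the (also constructed) EDR agent inventory, and reports, for each unmanaged host, how much it sent and which external peers it reached. The CSV field names, the internal address range, and the inventory are all assumptions for the example.

```python
"""Added example (not Netography's code): reconcile passively collected flow
metadata against an EDR agent inventory to find endpoints that are active on
the network but carry no agent. All data below is constructed sample data."""
import csv
import io
import ipaddress

# Constructed NetFlow-style records; the column names are an assumption.
FLOW_CSV = """\
ts,src_ip,dst_ip,proto,dst_port,bytes
1650000000,10.0.1.10,10.0.2.5,6,443,2048
1650000001,10.0.1.11,10.0.2.5,6,443,1024
1650000002,10.0.3.44,203.0.113.9,6,4444,900000
1650000003,10.0.3.44,10.0.1.10,6,22,512
1650000004,10.0.9.7,198.51.100.20,17,53,180
1650000005,10.0.1.10,10.0.9.7,6,8080,300
"""

# Constructed EDR inventory: internal hosts whose agent has checked in.
EDR_INVENTORY = frozenset({"10.0.1.10", "10.0.1.11", "10.0.2.5"})

# Assumed internal address space for the example environment.
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def parse_flows(text):
    """Parse CSV flow records into a list of dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": int(row["ts"]),
            "src_ip": row["src_ip"],
            "dst_ip": row["dst_ip"],
            "proto": int(row["proto"]),
            "dst_port": int(row["dst_port"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def is_internal(ip):
    """True when the address falls inside one of the internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def active_internal_hosts(flows):
    """Every internal address that appears as source or destination."""
    hosts = set()
    for flow in flows:
        for ip in (flow["src_ip"], flow["dst_ip"]):
            if is_internal(ip):
                hosts.add(ip)
    return hosts


def unmanaged_hosts(flows, inventory):
    """Internal hosts seen on the wire that have no EDR agent record."""
    return active_internal_hosts(flows) - set(inventory)


def summarize_unmanaged(flows, inventory):
    """Per unmanaged host: bytes it sent and the external peers it reached."""
    report = {}
    for host in unmanaged_hosts(flows, inventory):
        external_peers = set()
        bytes_out = 0
        for flow in flows:
            if flow["src_ip"] != host:
                continue
            bytes_out += flow["bytes"]
            if not is_internal(flow["dst_ip"]):
                external_peers.add(flow["dst_ip"])
        report[host] = {
            "external_peers": sorted(external_peers),
            "bytes_out": bytes_out,
        }
    return report


if __name__ == "__main__":
    flows = parse_flows(FLOW_CSV)
    for host, info in sorted(summarize_unmanaged(flows, EDR_INVENTORY).items(),
                             key=lambda kv: kv[1]["bytes_out"], reverse=True):
        print(f"{host}: no EDR agent, {info['bytes_out']} bytes out, "
              f"external peers {info['external_peers'] or 'none'}")
```

Running it lists 10.0.3.44 and 10.0.9.7 as hosts that are active but absent from the agent inventory; the first one also shows a large transfer to an external address, which is the kind of finding a pure-EDR view has no way to produce because the host never reported in. In a real deployment the inventory would come from the EDR console's API and the flows from the collectors, but the reconciliation step is the same set difference.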
In an EDR-focused world, you still need network visibility. The combination of Netography and EDR gives you greater confidence that you have the coverage you need to protect all your endpoints across your Atomized Network.