Extended Detection and Response (XDR) is a security technology designed to improve compromise detection and response by analyzing data from multiple security technologies. Although there are a range of definitions for what technologies should be included in an XDR product, the two technologies that every product includes are Network Detection and Response (NDR) and Endpoint Detection and Response (EDR).
The issue with building a security strategy relying on a foundation of NDR plus EDR is that they offer only partial visibility of network activity in today’s multi-cloud and hybrid networks. They were not designed to operate in highly encrypted networks that also include OT and IoT devices, and organizations relying on them will struggle to gain pervasive, real-time anomaly and compromise detection.
Limitations of NDR + EDR for XDR
Large enterprises face three common challenges when using NDR + EDR for XDR:
- Pervasive Blind Spots: NDR and EDR products can create significant gaps in an organization’s ability to detect compromise. With NDR deployed on-prem, the challenge is the pervasive use of encryption as organizations embrace Zero Trust. Most NDR products can only inspect unencrypted traffic for malicious content and behavior, which means that they are blind except in those few segments where organizations have deployed complex decryption technology (such as the data center). With EDR, the challenge is the inability to deploy agents on IoT and OT devices, because those devices lack the compute resources to run an EDR agent. For many enterprise networks, OT and/or IoT devices represent a significant portion of the overall attack surface.
- Cloud Complexity: NDR deployed in cloud environments requires virtual sensors for traffic mirroring for threat detection, which is difficult and extremely expensive. NDR vendors that have built capabilities to ingest cloud flow logs typically support a subset of cloud providers only, leaving major visibility gaps for multi-cloud customers. While EDR provides good visibility at the device level, it lacks visibility beyond each individual system. As a result, organizations must add other tools to protect their cloud environment.
- High TCO: NDR runs on appliances to monitor on-prem network activity, and the cost of deploying physical or virtual appliances to monitor every conversation in a distributed network is simply prohibitive. Additionally, for those NDR appliances to work as intended, organizations need to deploy complex decryption technology (which introduces additional costs, complexity, and latency). In cloud environments, NDR is often used to monitor cloud activity, but it again requires virtual sensors for traffic mirroring, which is difficult and extremely expensive. In addition, the pricing models for cloud monitoring can result in high TCO, as costs quickly escalate based on the volume and type of log data ingested and stored.
Use Netography Fusion to Extend XDR Across Your Modern Network
To overcome the limitations of XDR that rely on NDR + EDR, you need to deploy security technology engineered to monitor every conversation across your multi-cloud or hybrid network.
Netography Fusion® is a cloud-native, 100% SaaS platform. It provides real-time detection and response to anomalies and compromises across your network from a single platform, without deploying sensors, agents, or taps. Fusion shows what your devices, users, applications, and data are doing and what’s happening to them in real time.
It closes critical visibility gaps created by NDR and EDR – in the cloud and on-prem, in IT, IoT, and OT environments, accelerating your ability to detect threat actors and respond before they disrupt operations.
Overcoming the Challenges of Legacy Technologies for XDR
Fusion addresses the challenges described above and removes the barriers to fast, effective detection and response to Zero Trust policy violations:
- Comprehensive Visibility: Detect malicious or anomalous behavior across your entire enterprise network without the need to decrypt traffic. Because Fusion analyzes enriched metadata instead of packets, it can identify active threats even in encrypted traffic, eliminating a favorite technique employed by threat actors to evade detection. Fusion also complements EDR by monitoring activity in segments running devices that have no EDR agent deployed.
- Cloud Simplicity: Monitor all five major cloud platforms – Amazon Web Services, Google Cloud, Microsoft Azure, IBM Cloud, and Oracle Cloud – without the need to mirror network traffic or install and maintain agents on workloads. Fusion aggregates and normalizes the different flow data formats to provide consistent visibility of activity across your cloud footprint.
- Low TCO: Because Fusion is a 100% SaaS platform, you can start ingesting flows in minutes from anywhere in your network. Because it uses enriched metadata from your existing technology stack, there are no additional appliances, agents, or taps to deploy, eliminating the need to size appliances or find rack space. Flow data also provides visibility into communications by endpoints without relying on agents deployed on devices.
Fusion Detection and Response Capabilities
Continually monitor enriched metadata from everywhere in your network to respond faster and more effectively to anomalies and threats:
- North-South and East-West visibility into network traffic and device communications across on-prem infrastructure, between clouds, cloud to on-prem, and on-prem to remote locations.
- Integration with your existing tech stack enables fast integration of response workflows with third-party products, including SIEM, SOAR, EDR, and ticketing systems.
- Centralized, user-customizable dashboards for security monitoring and governance.
- Automatic context labeling with Context Creation Models (CCMs), which create labels that identify assets or groups of assets, reducing the time to detect anomalies and malicious activity.
- User-configurable detection & response with Netography Detection Models (NDMs) that pinpoint anomalous activity and enable multiple response workflows from a single NDM.
- Common language of Netography Query Language (NQL) eliminates silos with a uniform detection, analysis, and reporting framework.
- Flexible licensing and data retention to tailor your license to your requirements.
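The two ideas the page leans on, detection from flow metadata alone (so encryption is irrelevant) and asset labels that let a rule express "activity that should never happen", can be shown in a few lines. This is an added illustration, not Netography's code or NQL: the flow records, the CIDR-to-label map and the "ot must never talk to internet" rule are all constructed here, and beaconing is flagged with a simple interval-regularity check.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (timestamp_s, src_ip, dst_ip, dst_port, bytes);
# no payload is present, which is all a flow-log source provides anyway.
FLOWS = [
    (0,    "10.20.0.5", "10.20.0.9",    502, 400),   # PLC to HMI, expected OT traffic
    (60,   "10.20.0.5", "10.20.0.9",    502, 410),
    (30,   "10.1.0.7",  "203.0.113.8",  443, 1200),  # workstation browsing over TLS
    (0,    "10.1.0.8",  "198.51.100.3", 443, 300),   # TLS beacon every 600 s
    (600,  "10.1.0.8",  "198.51.100.3", 443, 301),
    (1200, "10.1.0.8",  "198.51.100.3", 443, 299),
    (1800, "10.1.0.8",  "198.51.100.3", 443, 300),
    (900,  "10.20.0.6", "203.0.113.77", 443, 5000),  # OT sensor talking to the internet
]

# Hypothetical context labels keyed by CIDR; anything unlabelled is "internet".
LABELS = {"10.20.0.0/24": "ot", "10.1.0.0/24": "corp"}
NETS = [(ipaddress.ip_network(c), lbl) for c, lbl in LABELS.items()]

def label_of(ip):
    """Map an address to its asset label, defaulting to "internet"."""
    addr = ipaddress.ip_address(ip)
    return next((lbl for net, lbl in NETS if addr in net), "internet")

# A "should never happen" rule expressed on labels, not on payload content.
FORBIDDEN = {("ot", "internet")}

def policy_violations(flows):
    """Return (src, dst) pairs whose (src label, dst label) is forbidden."""
    return [(s, d) for _, s, d, _, _ in flows
            if (label_of(s), label_of(d)) in FORBIDDEN]

def beacons(flows, min_flows=4, max_jitter=5.0):
    """Find (src, dst, port) tuples contacted at near-constant intervals."""
    seen = defaultdict(list)
    for ts, s, d, port, _ in flows:
        seen[(s, d, port)].append(ts)
    hits = {}
    for key, stamps in seen.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:   # regular cadence is beacon-like
            hits[key] = round(mean(gaps))  # mean interval in seconds
    return hits
```

Neither check looks at a single byte of payload, which is why the same logic works on TLS sessions and on segments full of agentless OT devices; in practice the label map would come from an inventory or cloud tags rather than a hand-written dict.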
If you’d like to learn more about the Netography Fusion platform, contact us for more information, a demo, or to get started with a trial.
About Netography
Netography is the leader in using context-enriched metadata to detect activity that should never happen in your multi-cloud or hybrid network. Netography Fusion is a 100% SaaS, cloud-native platform that provides real-time detection and response to compromises and anomalies at scale, without the burden of deploying sensors, agents, or taps.
Based in Annapolis, MD, Netography® is backed by some of the world’s leading venture firms, including Bessemer Venture Partners, SYN Ventures, and A16Z.