There are a few types of detection and response models available for organisations. These are:
- NDR: Network Detection and Response
- EDR: Endpoint Detection and Response
- XDR: Extended Detection and Response
The questions many people ask are:
- What are the differences between these three types of detection and response capabilities?
- Which solution is best for my organisation?
This blog will give you an overview of NDR, EDR and XDR and how these detection and response models can support your organisation’s cybersecurity.
What is NDR (Network Detection and Response)?
Security teams use network detection and response (NDR) to obtain complete visibility of known and unknown threats across an organisation’s network. NDR works by analysing the organisation’s network traffic. Using machine-based analysis of that traffic, NDR alerts security teams to relevant network activity as quickly as possible.
Unlike legacy security tools, network detection and response solutions do not rely on signatures.
Signature-based tools often cannot detect a new attack until a signature for it has already been written and deployed on the network.
NDR, by contrast, analyses network behaviour to detect attacks without a prior signature and then responds to the attack.
Gartner suggests that:
What is EDR (Endpoint Detection and Response)?
Endpoint detection and response (EDR) combines real-time monitoring, endpoint data collection, behavioural analysis, and automated response. It uses machine learning alongside known signatures to monitor endpoints for malicious behaviour.
EDR solutions improve an organisation’s overall security posture by detecting, identifying, and responding to both internal and external attacks.
Gartner suggests that:
An EDR solution works to:
- Monitor data from endpoints.
- Analyse the above data to identify threat patterns.
- Respond to these threats to remove or contain them.
- Use forensics and analysis to research threats.
What is XDR (Extended Detection and Response)?
Extended detection and response (XDR) automatically correlates a wider variety of data, including email, endpoints, servers, cloud workloads and networks, across multiple layers of security. By analysing data from these layers together rather than separately, XDR solutions detect threats faster and shorten investigation and response times.
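The EDR steps listed above (monitor endpoint data, analyse it for threat patterns, respond) and the cross-layer correlation that XDR adds on top are easiest to see side by side in code. The following is an added example written for this article, not a vendor's product logic: it runs two constructed telemetry feeds (endpoint process events and network flow events, both invented for the example) through a per-layer detection each, then correlates the two layers by host and time window. The detection rules, thresholds, host names and IP addresses are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): one feed from endpoint agents
# (what an EDR sees) and one from network sensors (what an NDR sees).
ENDPOINT_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "ws-17", "parent": "winword.exe", "process": "powershell.exe"},
    {"ts": "2024-05-01T09:03:00", "host": "ws-22", "parent": "explorer.exe", "process": "notepad.exe"},
    {"ts": "2024-05-01T09:10:00", "host": "ws-31", "parent": "outlook.exe", "process": "wscript.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2024-05-01T09:00:40", "host": "ws-17", "dst": "203.0.113.9", "bytes_out": 1_200_000},
    {"ts": "2024-05-01T09:04:00", "host": "ws-22", "dst": "198.51.100.20", "bytes_out": 3_000},
    {"ts": "2024-05-01T09:50:00", "host": "ws-31", "dst": "203.0.113.50", "bytes_out": 900_000},
]

# Illustrative detection content (assumed for the example): Office applications
# are not expected to launch scripting hosts, and large uploads to destinations
# outside the allow-list deserve a look.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe"}
ALLOWED_DESTINATIONS = {"198.51.100.20"}  # e.g. an internal update server (assumed)
UPLOAD_THRESHOLD_BYTES = 500_000
CORRELATION_WINDOW = timedelta(minutes=5)


def parse_ts(value):
    return datetime.fromisoformat(value)


def edr_findings(events):
    """Endpoint layer: flag an Office parent spawning a scripting host."""
    findings = []
    for e in events:
        if e["parent"] in OFFICE_PARENTS and e["process"] in SCRIPT_HOSTS:
            findings.append({
                "layer": "endpoint", "host": e["host"], "ts": parse_ts(e["ts"]),
                "severity": "medium",
                "detail": f"{e['parent']} spawned {e['process']}",
            })
    return findings


def ndr_findings(events):
    """Network layer: flag a large outbound transfer to a non-allow-listed host."""
    findings = []
    for e in events:
        if e["dst"] not in ALLOWED_DESTINATIONS and e["bytes_out"] >= UPLOAD_THRESHOLD_BYTES:
            findings.append({
                "layer": "network", "host": e["host"], "ts": parse_ts(e["ts"]),
                "severity": "medium",
                "detail": f"{e['bytes_out']} bytes to {e['dst']}",
            })
    return findings


def xdr_correlate(endpoint_findings, network_findings, window=CORRELATION_WINDOW):
    """Cross-layer step: an endpoint finding followed within the window by a
    network finding on the same host becomes one high-severity alert that
    carries both pieces of evidence. Findings that do not pair stay as they are."""
    alerts = []
    for ef in endpoint_findings:
        for nf in network_findings:
            same_host = nf["host"] == ef["host"]
            in_window = ef["ts"] <= nf["ts"] <= ef["ts"] + window
            if same_host and in_window:
                alerts.append({
                    "host": ef["host"], "severity": "high",
                    "evidence": [ef["detail"], nf["detail"]],
                    "seconds_apart": int((nf["ts"] - ef["ts"]).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    edr = edr_findings(ENDPOINT_EVENTS)
    ndr = ndr_findings(NETWORK_EVENTS)
    print("EDR findings:", [(f["host"], f["detail"]) for f in edr])
    print("NDR findings:", [(f["host"], f["detail"]) for f in ndr])
    print("XDR alerts:", xdr_correlate(edr, ndr))
```

With the constructed input, each layer on its own raises two medium findings (hosts ws-17 and ws-31). Only ws-17 has its endpoint and network findings within five minutes of each other, so the correlation step escalates that one host to a single high-severity alert, while ws-31 stays as two unlinked medium findings for an analyst to triage. That gap between "two separate alerts" and "one correlated alert" is the practical difference the XDR paragraph describes.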
Gartner suggests that:
NDR vs. EDR vs. XDR: Comparison
| | XDR | EDR | NDR |
|---|---|---|---|
| Scope | Endpoints, hosts, network and inter-device traffic, and applications. | Endpoints and hosts. | Network and inter-device traffic. |
| Intention | Visibility at multiple security levels (network, endpoint, applications); detection of known and unknown threats; holistic monitoring and mitigation; vulnerability assessment; alerting and response; consolidation of events and activities; targeted response. | Protection of endpoints and their access paths against infiltration; monitoring and mitigation; vulnerability assessment; alerting and response. | Visibility of network traffic; detection of known and unknown threats and lateral movement; alerting and response. |
| Methods | Machine learning, identification of attacker Tactics, Techniques and Procedures (TTPs), anomaly detection, malicious behaviour detection, and analysis of Indicators of Compromise (IoCs). | Malicious behaviour detection, TTP analysis, Indicator of Compromise (IoC) analysis, signatures and machine learning. | Indicators of Attack (IoAs), anomaly detection, user behaviour analysis and machine learning. |
| Challenges | Integration with other vendors' solutions. | Advanced Persistent Threats (APTs), ransomware, malicious scripts, and more. | Advanced Persistent Threats (APTs), ransomware, malicious scripts, and more. |