Storm Chasing: Detecting security threats in the cloud with EDR and NDR

Written by Ian Tinney

August 23, 2021

How is the security threat growing in the cloud, and what can you do to improve detection? Ian Tinney looks at how SIEM, EDR and NDR technologies can be used to carry out virtual storm chasing.


Networks have never been more exposed. Security threats are growing, and the rapid rollout of services to facilitate working from home during the pandemic has increased the attack surface and placed resources under significant strain. So given the sheer scale of the problem, how should you seek to improve your security monitoring and detection capabilities? What can be done?

Consulting firm McKinsey recommended companies expand web-facing threat intelligence and security information and event management (SIEM) programs to compensate for the risks associated with working from home, but the reality is that many SIEMs aren’t collecting and feeding the right data to the Security Operations Center (SOC).

The Verizon 2021 Data Breach Investigations Report (DBIR) found that breaches have increased by a third over the course of the past year, and 80% of them weren’t even detected internally, suggesting SOCs are struggling. It’s a view borne out by the Ponemon Institute, which found only 50% of organisations think their SOC is effective (an increase of 10% from the previous year) due to a lack of visibility into network traffic, information overload and alert fatigue.

Securing the network

Approaches to network security have and are continuing to evolve to try to automate detection.

Initially, the early SOCs struggled with limited visibility of endpoints and other third-party systems, as well as too much data generating too many alerts. SIEMs were then used to help filter that data, primarily by focusing on log files, and then began to apply User and Entity Behaviour Analysis (UEBA) to focus efforts, but this still left big gaps in monitoring the information estate. Cue the emergence of Endpoint Protection and Response (EDR) and Network Detection and Response (NDR) technologies to fill those gaps, with both performing distinct roles:

  • EDR – Uses agents that collect data from hosts and applies some behavioural analysis to attempt to capture unusual behaviour.  Many (especially large) organisations already have an EDR tool.

  • NDR – Captures and analyses network packets coming in and out of your network (referred to as the ‘North’ and ‘South’) and between interior infrastructure (‘East’ and ‘West’). NDR combines a Network Intrusion Detection System (NIDS) and Network Traffic Analysis (NTA) technologies to detect the things that an EDR can miss or is not capable of seeing.


SOC Triad-triangle-03.jpg

The SOC Visibility Triad

In an ideal world, you’d want both EDR and NDR. These, combined with SIEM/UEBA, form what is commonly referred to as the SOC Visibility Triad, a term coined by Gartner. It’s a military term based on the Nuclear Triad of earth, air and sky defence dating from the days of the Cold War and is appropriately named because it gives you the widest visibility of the network.

The virtualisation of SOC technology means many more businesses are now able to take advantage of these sophisticated security tools, but they cannot necessarily justify the investment needed to roll out both EDR AND NDR.

EDR seems like the easier option because it generates less data, and it’s because of this that even larger businesses have chosen to deploy EDR. But the reality is that an experienced attacker can easily subvert an EDR. In contrast, NDR sees all and cannot be fooled. For this reason, it could be argued it’s actually more important to have NDR as part of your arsenal than EDR.

In our next blog, we’ll look more closely at what NDR does, why businesses have baulked at deploying NDR, and what can be done to make it more viable. In the meantime, if this is a subject that’s of interest to you, please contact us for more information.

Follow Us