Comodo: Cloud Native Cyber Security Platform

An Overview on EDR and NDR


The increasing number of attacks against organizations has prompted the creation of detection and response tools. However with many security solutions in the market today, it’s easy to get confused which one makes sense for you.

In this article, we will take a look at the differences between EDR and NDR and which one fits your needs.


Detecting and Responding 101

The commonality among all these tools is their ability to detect and respond proactively. To understand these functionalities, we need to better understand how legacy tools work when they were first released.

During the early days of cybersecurity, antivirus was the most popular solution and its approach was straightforward. As the potential threat matches a pattern or signature of a known threat, it prevents the program from being executed. This strategy was great for a while until it got outdated as the threat landscape soon evolved.

Malware authors soon figured out how to write polymorphic code that could get past antivirus software. And then traditional antivirus software provided little, if any, protection against a live human attacker. As a result, a new strategy was needed.

The current approach entails the ability to detect a wide range of risks using methods other than signature matching, as well as the ability to respond swiftly and efficiently once a threat has been identified. As we go over these options, you’ll notice that this strategy is at the heart of each one.

EDR NDR Comparison | What is EDR?

Endpoint detection and response or EDR is the most used offering nowadays. Its popularity stems from people’s perspective that it is an innovative successor of the traditional antivirus, which can solve antivirus’ loopholes.

The crucial distinction of EDR is it concentrates on endpoints. Every device — whether it’s a laptop, desktop, server, virtual machine, or a smartphone — is a potential entry point for an attacker. As a result, it’s necessary that defenders have complete visibility into what happens on these devices.

When EDR agent software is installed on an organization’s endpoints, it begins recording activities on that system. We can imagine these agents as security cameras monitoring the device’s processes and happenings. This data collected is used by the agent to detect potential risks.

There are numerous methods for identifying risks in EDR. Some utilize machine learning to detect locally on the endpoint; others send all recorded data to an on-premise control server for analysis; still others upload the data to a cloud resource for detection and inspection. There are also those who employ a hybrid approach combining all of those approaches.

Depending on the vendor, EDR detections are based on a variety of technologies such as artificial intelligence (AI), threat intelligence, behavioral analysis, indications of compromise (IOCs), and more.

They also provide a variety of reactive functions, such as alerting, isolating the system from the network, reverting to a known good state, eliminating threats, and generating forensic evidence data.

When you’re using EDR, it is vital to deploy the agent in as many devices as possible. This can be time-consuming but it is necessary if you want to get the most of the EDR tool.

EDR NDR Comparison | What is NDR?

NDR or network detection and response observes the network traffic data flowing through the organization. NDR vendors may use various approaches in observing and analyzing traffic but generally, a network sensor is necessary. This can be a physical network device, a virtual appliance, or both of them. These sensors are placed in line with the network, either in a:

  • mirrored configuration – where a copy of the data is transferred for analysis
  • direct connection with the network – where you can monitor traffic as it moves towards its destination

The majority of NDR detections are based on a comprehensive view of the environment. Rather than identifying attacks based on atypical processes or granular events, as EDR does, NDR examines for potential threats based on abnormal or illegal protocols, port utilization, unusual timing and transfer sizes, and other factors.

NDR works like a highway patrol officer that observes traffic. Once they see a vehicle violating traffic rules, they would pull over the car to ensure the safety of everyone. NDR works similarly. It triggers alerts, stops network traffic, quarantines devices, and analyzes forensic evidence.

NDR doesn’t rely on deployed agents at every device. It is able to detect and respond even to unauthorized devices. For instance, if someone plugs an unauthorized smartphone into your system, an NDR tool can detect this and you can decide what to do with it next.

The challenge of NDR, however, is the evolving nature of modern networks. As many companies now shift to remote work, it blurs the lines of traditional network borders. If a company has a high number of remote workers who generate traffic within a defined corporate network, NDR will have little visibility into what happens and may be of limited use.

EDR NDR Solution: Which is Best for You?

The monitoring of EDR solutions is usually dependent on agents. Agents, on the other hand, don’t always get supported. They may require too much processing overhead, or the organizations’ power to deploy agents on all systems may be restricted.

Having NDR in place can bridge EDR agent gaps and detect exploit-aware malware that tries to avoid EDR monitoring. Contact Comodo to ensure your organization is always protected!

Scroll to Top