The Cornerstone of XDR: Why NDR is So Essential

Introduction

One of the questions we are most often asked is “What makes Gradient Cyber’s MXDR solution different and better?” We love this question, and there are actually several pillars upon which our view of a top-notch MXDR solution is built. But the one I’d like to delve into deeply in this blog is how our network detection and response (NDR) / network threat analytics (NTA) heritage sets us apart. 

There is no question that more clever and effective cybersecurity threats are evolving at an astonishing pace. That has been true for years, but never more so than now given the advent of easily-accessible AI. The frequency and sophistication of phishing and ransomware attacks alone are pretty clear indicators that we are entering a new phase of nasty activity from attackers. And mid-market organizations are often ripe for the picking. It may sound cliche, but if your organization has money in the bank, intellectual property, or Personal Identifiable Information (PII), you are a target. It has nothing to do with the size of your company.

XDR to the Rescue

To counter modern threat radiation, Extended Detection and Response (XDR) has been championed as the next frontier in cybersecurity, promising a comprehensive approach to threat detection and response.

Why? Three ‘simple’ reasons:

1. Your organization’s digital attack surface is growing larger and more complex by the day
2. The attackers are scaling relentlessly in terms of numbers, skill, tooling ecosystem and motivation
3. Dollars to doughnuts, your IT (and more specifically, security) function is overwhelmed, understaffed, probably undertrained, and very likely under-tooled.

XDR platforms - and even better, Managed XDR (MXDR) services - are designed to level the playing field on your behalf - faster, easier and more cost-effectively than you can do on your own.

Aren’t All XDR Platforms Pretty Much the Same?

In short, no. As it turns out, XDR solutions (and by extension MDR/MXDR services) have typically evolved from one of three distinct heritages:

1. EDR-heritage XDR
2. SIEM-heritage XDR
3. NDR-heritage XDR

The platform heritage often shapes the XDR (and MDR/MXDR) capability set. Let’s look at each in a bit more detail to understand why this is important.

EDR-Heritage XDR

While Endpoint Detection and Response (EDR) plays an integral role in cybersecurity, over-reliance on it within an Extended Detection and Response (XDR) system can lead to significant security gaps. Let's explore the limitations of EDR-based XDR and its impact on organizational security.

Limited Scope of EDR

EDR is designed to focus on endpoints, which means it is inherently limited to workstation and server activities. This leaves a vast array of threats that occur across the broader network and cloud environments undetected. An XDR solution that is not complemented with robust NDR capabilities can overlook crucial data points from network traffic or cloud logs, resulting in incomplete threat visibility and an unprotected attack surface.

The Endpoint Dependence Issue

EDR's effectiveness is tied to the installation of agents on endpoints. However, endpoints can be unmanaged, or agents can be incorrectly installed, leaving these devices outside the protective umbrella of EDR. An XDR framework that is overly dependent on endpoint data won’t extend its reach to unmanaged devices, creating vulnerabilities that could be exploited by adversaries without detection.

Resource Intensity of EDR Solutions

The heavy resource demand of EDR agents can hinder endpoint performance, leading to intentional or unintentional deactivation or suboptimal configuration by users. Consequently, the quality of data fed into the XDR platform is compromised, weakening detection capabilities. An effective XDR solution must balance resource consumption with performance to maintain continuous and comprehensive monitoring.

Complexity and Alert Fatigue

EDR systems are notorious for generating voluminous alerts, many of which could be benign. The complexity of managing these alerts can overwhelm even the most equipped security teams, let alone mid-market organizations with more constrained cybersecurity resources. XDR systems built predominantly on EDR are at risk of inheriting this issue, which can dilute the focus on genuine threats and impede efficient response.

Adapting to Evolving Threat Landscape

EDR solutions excel at detecting known threats but can struggle with novel, sophisticated attack vectors, such as zero-day exploits and advanced persistent threats. An XDR that doesn't adequately leverage broader network and cloud-based analytics might miss these types of threats. It's imperative that XDR systems incorporate NDR capabilities to ensure they are equipped to recognize and respond to evolving and sophisticated threats.

SIEM-Heritage XDR

SIEM-Based XDR: Understanding the Limitations

While Security Information and Event Management (SIEM) systems have been pivotal in aggregating and analyzing security data, relying heavily on a SIEM-based XDR approach has notable drawbacks when compared to NDR-infused XDR solutions. Here are several key weaknesses of SIEM-based XDR platforms:

Reactive Rather Than Proactive

SIEM systems traditionally excel at collecting and correlating data to identify security incidents after they occur. This reactive posture means that threats are often detected post-compromise, leading to delayed response times. In contrast, NDR-based XDR solutions continuously monitor network traffic, enabling the identification of suspicious behavior in real-time and allowing for a more proactive defense against emerging threats.

Complex Deployment and Maintenance

Deploying and maintaining a SIEM system can be complex and resource-intensive. SIEM-based XDR solutions inherit this complexity, often requiring significant customization, fine-tuning, and regular updates to remain effective. This not only increases the total cost of ownership but also demands skilled personnel to manage the system. Robust NDR-based XDR solutions, on the other hand, tend to be more streamlined, managing voluminous network traffic analysis at traffic capture points without burdening the core processing of XDR in the cloud. This alone helps to make NDR-based XDR solutions easier to deploy and maintain.

High Volume of Alerts and False Positives

One of the persistent challenges with SIEM systems is the high volume of alerts they generate, many of which can be false positives. This can lead to alert fatigue among security teams, making it difficult to identify and prioritize genuine threats. NDR-based XDR platforms typically leverage advanced analytics and behavioral analysis to reduce false positives, providing more accurate and actionable alerts.

Limited Visibility Across All Network Layers

SIEM systems primarily rely on logs and events generated by various devices and applications. While they offer valuable insights, they might miss threats that do not generate noticeable log entries. NDR-based XDR solutions provide comprehensive visibility across all layers of the network, capturing data directly from network traffic. This ensures that even the most subtle signs of malicious activity, such as lateral movement or command and control communications, are detected.

Scalability Issues

As organizations grow, the volume of data that needs to be ingested, processed, and analyzed by a SIEM system can become overwhelming. This scalability issue can lead to performance bottlenecks and delayed threat detection. NDR-based XDR solutions are designed to scale efficiently, handling large volumes of network traffic without compromising performance, ensuring consistent threat detection capabilities as the organization expands.

NDR-Heritage XDR

The Immutable Truth of Network Centrality

At the core of any digital operation lies the network — the ultimate conduit through which all data travels. It's here, in the vast streams of bytes and packets, that the subtle signs of cyber threats emerge - signs that include network reconnaissance, lateral movement, privilege escalation, command and control communications, and more. Recognizing the network as 'ground truth' in cybersecurity is crucial. Nothing occurs within the digital realm that doesn't traverse a network. It's the network's centrality that makes NDR not just relevant, but indispensable.

Not All NDR-Infused XDR Solutions Are Created Equal

Given that XDR really means (or should at least mean) that a threat detection and response platform can act upon network, endpoint, user and cloud telemetry, it is not surprising that XDR vendors will claim to have NDR capabilities covered. We advise buyers to take a closer look.

Firewall Logs: Necessary but Insufficient

Many ‘NDR-equipped XDR solutions’ only ingest firewall logs. Firewall logs are useful, but really only skim the surface of what can be learned from the network. Ingesting firewall logs alone is akin to monitoring the perimeter of a house while leaving the doors and windows unchecked. It's a single piece of the puzzle, not the complete picture.

Bidirectional 5-Tuple and PCAP Add So Much More

Full-spectrum NDR includes - but goes well beyond - firewall logs. It delves deeper, analyzing the entire flow of network traffic, encompassing both north-south and east-west communications. This comprehensive coverage includes bi-directional 5-tuple (source/dest IP, source/dest port, protocol) and full packet capture (PCAP) analysis, which unveils a far more granular view of the network activity that firewall logs alone cannot provide.

The Critical Role of Integrated IDS

An Integrated Intrusion Detection System (IDS) is another hallmark of robust NDR, one that goes beyond mere log analysis. The ability of NDR solutions to integrate IDS means they are not just recording events - they are actively monitoring for signs of malicious activity in real time. This integration is crucial for identifying sophisticated threats that would otherwise slip through the cracks.

Example Use Cases: The Power of Deep Network Visibility

Here are three example use cases where network threat analytics surfaced attacker activity early in the kill chain - before EDR alerts were received, and by definition before a SIEM could have reacted:

Use Case #1: Security Beyond Borders for K-12

A large K-12 school district benefited from NDR vigilance when it detected irregular east-west traffic within its network. The anomaly originated from the school’s VPN accounts - a common entry point for legitimate users - turned into a vulnerability. Notably, one account was being accessed from Venezuela, a flag for potential unauthorized access given the district’s U.S. base. The NDR system's ability to monitor internal traffic not only caught a potentially malicious actor in the act, but also highlighted the necessity for stringent access controls and monitoring, even within a trusted pool of users.

Use Case #2: Fortifying Financial Infrastructure

A credit union’s proactive stance on security paid off when its NDR system flagged an unusual spike in north-south traffic - sessions incoming from the internet. The traffic anomaly was traced to a Remote Code Execution (RCE) attempt, targeting a web application built on the Apache Struts framework. The attempted exploit aimed to leverage a known vulnerability, which could have allowed attackers deep access to the credit union’s critical systems. Thanks to the NDR's swift detection, the institution was able to thwart the attack, demonstrating the vital role of network monitoring in safeguarding sensitive financial data.

Use Case #3: Harvesting Security in Agriculture

For an agriculture production company, the harvest of data revealed a different kind of yield. An NDR system picked up a sudden increase in DNS queries from the company’s network to a known malicious domain involved in browser hijacking. This domain, celebfinancenews.com, was notorious for altering browser settings to exploit security vulnerabilities, changing content, manipulating user behaviors, and intercepting sensitive information. The quick identification of this traffic allowed the company to block access to the rogue domain and protect their network from a potentially devastating browser-based attack, underscoring the importance of NDR in a comprehensive cybersecurity strategy.

Conclusion

First, let’s be clear. An NDR-based (or as we like to say, ‘network first’) XDR platform - and by extension MDR/MXDR service - is not only network analytics focused. Our XDR platform and MXDR service fully leverage EDR telemetry whenever the end customer has it deployed, or wants to add it. We also derive significant value from user authentication, authorization and behavior tracking data, and cloud security telemetry. Our point simply is that we see XDR as being most powerful if in-depth network traffic analysis is front and center, rather than ‘lip–serviced’.

EDR- and SIEM-heritage XDR platforms offer valuable capabilities. But they often fall short in providing comprehensive, real-time threat detection and response. This is where NDR-based XDR platforms, like Gradient Cyber’s MXDR solution, truly shine.

Our NDR-infused XDR platform leverages the power of network traffic analysis to provide unparalleled visibility and proactive threat detection. By recognizing the network as ‘ground truth,’ we can identify and mitigate threats early in the kill chain, ensuring a more secure environment for your organization.

Whether it’s detecting lateral movement, thwarting remote code execution attempts, or blocking malicious domains, our network threat analytics have proven time and again to be an indispensable asset.

We always advocate for full MXDR deployment, as that affords the richest data for finding attackers early in the kill chain. But if your security stack is limited, or you prefer to start with just NDR, we can handle that easily. Learn more about Gradient Cyber Managed NDR here. 

In the end, the proof is in the pudding. There is nothing like seeing in action. Book a demo to see how our platform and service perform threat detection and response for you.  Better yet, sign up for a no-charge, fast, fully transparent proof of value where we can demonstrate Gradient Cyber MXDR value right in your network.