One of my favorite blog posts from Anton is the one about the “SOC nuclear triad”. As he describes, SOCs should use logs, endpoint and network data in their threat detection and response efforts. But we also know that organizations don’t have infinite resources and will often have to decide which tool to deploy first (or ever). Leaving logs aside for a moment, as they usually have additional drivers (e.g., compliance), the decision eventually becomes: Endpoint vs Network.
In a fair comparison, I believe endpoint wins. Some of the evidence we see out there apparently confirms that. Just look at the number of EDR and NTA solutions available in the market. The number of calls I get about EDR, compared to NTA, is also higher. Not to mention that some surveys are also pointing to the same thing.
Endpoint also wins on technical aspects:
- The network is not yours anymore: With cloud, including PaaS and SaaS, it becomes harder to find a network to plug your NTA technology into. The number of blind spots for network monitoring today is huge, and growing.
- Encryption: To make things worse (or better, I should say), network traffic encryption is growing tremendously. Almost everything that used to be HTTP is now HTTPS. Visibility into the higher layers is very limited.
- Endpoint has better signal to noise: This may be more contentious, but less deterministic detection seems to work better on the endpoint than on the network. What does that mean, in practical terms? That the detection approaches that go beyond simple signature or indicator matching will generate better alerts, in terms of false positive rates, on the endpoint rather than on the network. Some people may disagree here, but that’s my impression from clients’ feedback about products from both sides.
- You can see all network stuff on the endpoint: If you really want to see network traffic, why not capture on the endpoints? Some products have been doing that for years.
I think these are some of the reasons why MDR service providers select EDR as the delivery mechanism for their services. Having an agent in place also gives them more fine-grained response capabilities, such as killing a process instead of blocking traffic to or from an IP address.
So, endpoint wins. Why would anyone still bother with NTA?
There are reasons that could reverse the preference from endpoint to network. You may prefer to rely on NTA when:
- You need to protect IoT, OT/ICS, BYOD, mobile devices: Simply put, if you cannot install an agent on it, how would you do endpoint-based detection? There are many technologies being connected to networks that do not support agents or don’t have agents available. Sometimes they do, but you are not allowed to install the agent there.
- Organizational challenges: Not all organizations are a perfectly friendly environment for endpoint monitoring. The “owners” of the endpoint technologies may simply reject the deployment of new agents. Your silo may not have enough power to force the deployment of agents but may have better access to network instrumentation. There are many situations beyond simple technical reasons that would force you to look for an alternative to endpoint technologies.
- Price? Not sure here, but depending on the number of endpoints and the network architecture, it may be cheaper to do monitoring on the network level instead of on each endpoint. If you have a huge number of endpoints, but a network that is easy to instrument and monitor, the bill for NTA could be friendlier than the EDR bill.
So, there are two reasons to still invest in NTA. First, PERFECT visibility REQUIRES both. If you are concerned about super advanced threats disabling agents, using BIOS/EFI rootkits, you need to compensate with non-endpoint visibility too. Second, organizational or technology limitations may leave you with network as the only option.
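As an added example (not code from the original post or from Gartner), the following Python sketch shows the cross-check those two reasons imply when you do have both feeds: EDR agent heartbeats are compared against network flow metadata to list hosts the agent never covers (IoT/OT/BYOD) and agents that went quiet while their host kept talking on the wire (the "agent disabled" case). All host names, addresses, timestamps and the one-hour silence threshold are constructed sample data.

```python
"""
Added example, not part of the original post: compare EDR heartbeat
telemetry with network flow metadata to find the two visibility gaps the
post describes. Every record below is constructed sample data.
"""
from datetime import datetime, timedelta

# Constructed EDR heartbeat records: hostname -> last time the agent checked in.
EDR_HEARTBEATS = {
    "ws-finance-01": datetime(2019, 10, 10, 12, 0),
    "ws-finance-02": datetime(2019, 10, 10, 12, 1),
    "srv-db-01": datetime(2019, 10, 10, 6, 30),  # agent silent since 06:30
}

# Constructed network flow metadata: (timestamp, src_host, dst_ip, dst_port, bytes).
# In a real deployment this would come from NetFlow/IPFIX or an NTA sensor,
# with source addresses resolved to host names via DHCP/DNS logs.
NETWORK_FLOWS = [
    (datetime(2019, 10, 10, 12, 0), "ws-finance-01", "10.0.5.20", 443, 2048),
    (datetime(2019, 10, 10, 11, 58), "ws-finance-02", "10.0.5.21", 443, 512),
    (datetime(2019, 10, 10, 11, 30), "srv-db-01", "203.0.113.7", 443, 90000),
    (datetime(2019, 10, 10, 11, 45), "plc-line-3", "10.0.9.2", 502, 300),  # OT device, no agent possible
    (datetime(2019, 10, 10, 11, 50), "byod-phone-17", "10.0.5.20", 443, 1200),  # BYOD, no agent allowed
]

# Hypothetical tuning knob: how long an agent may be quiet before its host's
# network activity is treated as suspicious.
AGENT_SILENCE_THRESHOLD = timedelta(hours=1)


def unmanaged_hosts(flows, heartbeats):
    """Hosts seen on the wire that have never reported an agent heartbeat.
    These are only ever visible to network monitoring."""
    return sorted({src for _, src, _, _, _ in flows if src not in heartbeats})


def silent_agents(flows, heartbeats, threshold=AGENT_SILENCE_THRESHOLD):
    """Hosts whose agent last checked in more than `threshold` before a flow
    they generated: the network still sees traffic the endpoint feed no longer
    reports, which is what a disabled or tampered agent looks like."""
    findings = {}
    for ts, src, dst, port, nbytes in flows:
        last_seen = heartbeats.get(src)
        if last_seen is None:
            continue  # handled by unmanaged_hosts()
        if ts - last_seen > threshold:
            findings.setdefault(src, []).append((ts, dst, port, nbytes))
    return findings


def coverage_report(flows, heartbeats):
    """Summarize how much of the network-active population the agent covers."""
    active = {src for _, src, _, _, _ in flows}
    covered = {h for h in active if h in heartbeats}
    return {
        "network_active_hosts": len(active),
        "agent_covered_hosts": len(covered),
        "agent_coverage_ratio": len(covered) / len(active) if active else 0.0,
        "unmanaged": unmanaged_hosts(flows, heartbeats),
        "silent_agents": silent_agents(flows, heartbeats),
    }


if __name__ == "__main__":
    report = coverage_report(NETWORK_FLOWS, EDR_HEARTBEATS)
    print(f"Agent covers {report['agent_covered_hosts']} of "
          f"{report['network_active_hosts']} network-active hosts")
    print("Only visible on the network:", report["unmanaged"])
    for host, flows in report["silent_agents"].items():
        print(f"{host}: agent quiet, but {len(flows)} flow(s) seen afterwards")
```

On the constructed data the report shows the agent covering three of five active hosts, two hosts (the PLC and the phone) that only the network can see, and one server whose agent went quiet hours before a large outbound flow. The same join, run continuously over real heartbeat and flow feeds, is one concrete way the two data sources compensate for each other.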
Do you see any other reason why NTA would be the preferred option, instead of endpoint? Do you disagree that endpoint has won?
(this post, BTW is the result of our initial discussions on upcoming NTA research…)
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
OK, I’ll nibble at this click-bait. You aren’t one of the analysts that declared the death of end-point a couple of years ago are you?
As mentioned in Jake Williams’ survey and resulting conversation, it’s very likely cyclical. Ultimately, to me, that means you can’t have one or the other, and to advocate for that would be silly. Every company already has an investment in both, so the question should probably be: which technology should I invest in, in 2019?
As you say, a look at all the vendors in the end-point space right now shows that there is a big market there. We’re bound to see consolidation though as it clearly isn’t sustainable. I was just at SECTOR and there were a lot of network companies there with some cool new technology for the network. Maybe that’s the next resurgence?
Unless you have absolutely no infrastructure of your own, you need both. Invest wisely to mitigate the risk you determine your organization has at the time.
Why do you say that every company already has an investment on both? I don’t see that in practice.
Note that I’m not saying at any time that you should do only one. I said more than once that you should have both. But many organizations face the need to pick one, even if it’s just to decide which one to do first.
Great timing on this discussion 🙂
1. You point out the “non-managed” device challenge which these days can be upwards of 40-50% of the environment.
2. In addition, on the endpoint you have a little bit of a “trusting the trust” issue, where on an attacker-controlled endpoint agents can be tricked, uninstalled, etc. Neither solution is perfect, but attackers can’t really unsend a packet: once it’s on the wire, it’s out there.
3. Another aspect is time to value: in most places, taps / virtual taps are easier to get than broad agent deployments. You also don’t affect end users as much.
4. I think if you look historically, network and endpoint have had their waves that tend to alternate, so not sure it’s a fair comparison between NTA and EDR :).
Anyways good food for thought
In summary I agree.
I would add two arguments:
1. In an endpoint deployment typically one would not only deploy EDR but some next gen AV, which also provides protection, not only detection. So this will actually stop threats, which is a huge benefit.
2. However, I also see a huge increase in PaaS in public, private and hybrid cloud deployments. Most EDR tools won’t work in PaaS deployments, so there’s another argument to use NTA.
You need both NTA and EDR and the metadata they produce for cross session and multi-faceted analysis, plus ML anomaly detection. Capturing endpoint (PCAPs) is great for forensic evidence, however, you cannot search or apply threat intelligence to captures without a large effort and time. Metadata is 90% of the data at 20% of the cost to store and contains content and context you will unlikely find in your firewall logs or SIEM dashboards.