Neither EDR nor NDR is a complete solution in itself — but when the two are combined, this writer believes a more viable defense is achievable

Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) are critical technologies for combating ransomware.

  • EDR protects individual devices such as desktops, laptops, and servers. It continuously checks these endpoints from an internal, system-level perspective for unusual behavior or unauthorized access attempts, and this continual awareness lets it identify potential threats early.
  • NDR passively monitors and analyzes network traffic to detect malicious activity. This fills in the detection gaps left by EDR deployments, such as mobile devices, IoT/OT equipment, and mission-critical legacy systems that cannot run an agent. Unlike EDR, which looks at internal system-level details, NDR observes the actual communication patterns between systems and applies behavioral analytics and machine learning to detect odd network and application activity. NDR has several key capabilities, including:
      • Traffic analysis: Examining network traffic for symptoms of ransomware
      • Behavioral analysis: Using machine learning to surface deviations from typical network behavior
      • Threat intelligence integration: Using threat intelligence to identify known harmful entities
      • Passive monitoring: Analyzing network trends and traffic to get a complete picture of network health
      • Strategic decryption: Selectively decrypting network communications to identify threat patterns that hide inside encrypted traffic to evade traditional network security tools, for example SQL injection attempts against public-facing mission-critical web servers, or forged authentication tickets presented to Active Directory
      • Advanced behavioral analysis: Using AI/ML to provide high-fidelity threat detection and prioritization

While EDR focuses on endpoint activity, NDR provides visibility into the network. Combining the two can create an effective defense against ransomware: together they give organizations a holistic understanding of their security posture, allowing faster and more effective threat identification, and specifically let them:

  • Build resilience by providing opportunities to detect ransomware at various phases of the attack kill chain.
  • Respond rapidly to threats, reducing data loss and business impact.
  • Obtain a complete view of the attack surface, including endpoints and network traffic. NDR is especially useful when deploying agents to all endpoints is difficult, such as with IoT devices, legacy systems, and mobile devices. Because all assets communicate across the network, NDR serves as a vital source of truth in cloud and hybrid systems, providing full insight across the entire attack surface, from on-premises data centers to multi-cloud systems.
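As an added illustration of the NDR behavioral-analysis capability and of how network telemetry covers hosts that have no EDR agent (example code written for this page, not a product's implementation): a toy detector that baselines each host's SMB fan-out from constructed flow records, flags a later window that deviates from that baseline, and annotates each alert with whether the host has EDR coverage. The host addresses, flow records and the `EDR_COVERED` set are all constructed assumptions.

```python
"""Toy NDR-style behavioral detector joined with EDR coverage data (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed assumption: hosts that have an EDR agent installed.
EDR_COVERED = {"10.0.1.10", "10.0.1.11"}

# Constructed flow records from a passive sensor: (src, dst, dst_port, time_window).
FLOWS = []
# Workstation with an EDR agent: one or two file-server connections per window, steady.
for w in range(5):
    FLOWS.append(("10.0.1.10", "10.0.5.1", 445, w))
    if w % 2:
        FLOWS.append(("10.0.1.10", "10.0.5.2", 445, w))
# IP camera with no agent: quiet baseline, then reaches 12 workstations over SMB in window 4.
for w in range(4):
    FLOWS.append(("10.0.2.50", "10.0.5.1", 445, w))
FLOWS += [("10.0.2.50", f"10.0.1.{i}", 445, 4) for i in range(20, 32)]


def smb_fanout(flows):
    """Number of distinct SMB (tcp/445) destinations per source host per time window."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, dst, port, window in flows:
        if port == 445:
            seen[src][window].add(dst)
    return {src: {w: len(d) for w, d in per.items()} for src, per in seen.items()}


def detect_anomalies(flows, baseline_windows, z_threshold=3.0):
    """Flag hosts whose SMB fan-out outside the baseline windows deviates from their own norm."""
    alerts = []
    for src, per_window in smb_fanout(flows).items():
        base = [per_window.get(w, 0) for w in baseline_windows]
        mu, sigma = mean(base), pstdev(base)
        for w, count in per_window.items():
            if w in baseline_windows:
                continue
            if sigma:
                z = (count - mu) / sigma
            else:  # perfectly flat baseline: any increase is a deviation
                z = float("inf") if count > mu else 0.0
            if z >= z_threshold:
                alerts.append({"host": src, "window": w, "fanout": count,
                               "z": z, "edr_agent": src in EDR_COVERED})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(FLOWS, baseline_windows=range(4)):
        print(alert)  # the agentless camera is flagged; the steady workstation is not
```

The `edr_agent` field tells the analyst whether endpoint telemetry exists to pivot into; for the camera it is `False`, so the network alert is the only signal available, which is exactly the gap the article says NDR fills.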