NDR vs. IDP/IDPS

NDR vs. IDP/IDPS: Are Firewalls Alone Good Enough?
Brian Thomas, Product Marketing Manager
Sep 24, 2024


Aren’t Firewalls Good Enough Protection for Healthcare Networks?

You’ve secured your network perimeter with a firewall. You’ve even taken the next step to use an intrusion detection tool—like an Intrusion Detection System (IDS) or Intrusion Detection and Protection System (IDPS)—to prevent unauthorized network access. If everything’s working right, the network should be adequately defended … right?

Not quite.

What’s missing? Tools that block unauthorized access (like firewalls, IDP, and IDPS solutions) stop some attacks—but can’t detect traffic anomalies that occur after network access is granted. NDR (Network Detection and Response) tools fill the gap left by intrusion detection solutions.

Why Can’t I Just Keep Attackers Out of My Network?

The whole point of firewalls and IDP/IDPS tools is to stop attackers before they can get in. So if you’re stopping the bad guys from getting in, why would you need NDR (or anything else) to check on what your authenticated users are doing?

Think of it like preventative care versus emergency response: it’s a good idea to prevent illnesses and injuries whenever possible. But when—despite careful prevention—you’re sick or hurt, additional preventative care won’t heal you. You need care from someone who can understand your symptoms and treat the underlying issue.

Firewalls and intrusion detection tools are like preventative medicine—but an NDR can act like an automated emergency department for your network.

NDRs See (And Stop) What Firewalls and IDP Can’t

Because firewalls and intrusion detection tools don’t pay attention to network traffic once users are authenticated and begin to access the network, they miss significant attack vectors that are particularly dangerous for healthcare networks, with costly real-world consequences:

  • Insider threats: When authorized users attack healthcare networks, they can steal data and create the potential for massive privacy violations and legal costs. In February, Montefiore Medical Center reached a $4.75 million settlement after an employee stole and sold patient medical records for more than six months undetected. NDR solutions can detect unusual patterns of activity to identify authorized users behaving in suspicious ways.
  • Advanced persistent threats (APTs): Healthcare networks represent a choice target for well-funded, skilled threat actors. VPN appliances produced by Ivanti Connect, for example, were actively exploited using CVE-2023-46805 (allowing MFA bypass) and CVE-2024-21887 (allowing command injection). When vulnerabilities allow attackers to bypass your authentication processes, attackers are invisible to firewalls and IDP/IDPS tools—but not to NDR solutions.

What Can NDR Do For Me That Firewalls/IDP Can’t?

Firewalls and intrusion detection systems can be great at their job—gatekeeping entry into your network. NDR solutions, however, monitor your network traffic from the inside. They can monitor, log, and analyze data in transit on your network any time any user gains access (whether they’re authorized or not).

By sampling network traffic at the packet level, Cynerio’s NDR-H (Network Detection and Response for Healthcare) checks for anomalies that don’t look like typical healthcare environment network use. Cynerio learns fast from your healthcare environment and combines the specific fingerprint of your typical network traffic with known baselines to get smart about what’s normal—and what’s a threat.
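
The baseline-versus-observed comparison described above, as an added illustration (not Cynerio's code or algorithm): a per-host profile of known peers and typical bytes sent is learned from constructed flow records, then used to flag traffic from hosts that are already inside the network. The host names, the flow tuple layout, and the thresholds are assumptions made for this example.

```python
from collections import defaultdict
from statistics import median

# Constructed flow records: (src_host, dst_host, dst_port, bytes_sent).
BASELINE = [("nurse-ws-12", "ehr-app", 443, b) for b in (4200, 3900, 4500, 4100, 4300)] + \
           [("infusion-pump-07", "pump-server", 8443, b) for b in (800, 820, 790, 810)]
OBSERVED = [
    ("nurse-ws-12", "ehr-app", 443, 4400),           # normal charting traffic
    ("nurse-ws-12", "ehr-db", 5432, 950000),         # valid user, new peer, bulk transfer
    ("infusion-pump-07", "pump-server", 8443, 815),  # normal device check-in
    ("infusion-pump-07", "203.0.113.50", 443, 700),  # device contacting an unseen address
    ("guest-laptop", "ehr-app", 443, 100),           # host with no learned profile
]

def build_baseline(flows):
    """Learn per-source peers and a robust size profile (median and MAD)."""
    peers, sizes = defaultdict(set), defaultdict(list)
    for src, dst, port, nbytes in flows:
        peers[src].add((dst, port))
        sizes[src].append(nbytes)
    profiles = {}
    for src, vals in sizes.items():
        med = median(vals)
        mad = median([abs(v - med) for v in vals])
        # Floor the spread so a very regular device does not alert on tiny jitter.
        profiles[src] = {"peers": peers[src], "median": med,
                         "spread": max(mad, 0.05 * med, 1.0)}
    return profiles

def score_flow(profiles, flow, k=10.0):
    """Return the list of reasons a flow deviates from its source's profile."""
    src, dst, port, nbytes = flow
    prof = profiles.get(src)
    if prof is None:
        return ["unknown_host"]
    reasons = []
    if (dst, port) not in prof["peers"]:
        reasons.append("new_peer")
    if nbytes > prof["median"] + k * prof["spread"]:
        reasons.append("volume")
    return reasons

def detect(profiles, flows):
    """Keep only flows with at least one deviation, paired with the reasons."""
    return [(f, r) for f in flows if (r := score_flow(profiles, f))]

if __name__ == "__main__":
    for flow, reasons in detect(build_baseline(BASELINE), OBSERVED):
        print(flow, reasons)
```

Every flagged flow here would pass a perimeter check that only asks whether the source is allowed in; the deviation is visible only against what that host normally does.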

Talk to Cynerio today to learn more about how NDR capabilities can protect you from attacks that firewalls and IDP just can’t stop.
