NDR vs. XDR
TL;DR: XDR (Extended Detection and Response) has limited visibility over network traffic—it only sees the basics. NDR (Network Detection and Response, including NDR-H products designed for healthcare environments) covers additional attack surfaces and detects threats invisible to XDR.
Isn’t XDR Supposed to Cover My Network?
To some extent, yes. Unlike EDR products that focus solely on endpoints like servers and laptops, XDR has some ability to see network traffic.
However, the network instrumentation of these products typically lacks depth—because of where they came from. Most XDR products evolved from a desire to add more holistic monitoring that enabled correlation of data across multiple domains, but their endpoint capabilities are still significantly stronger than their ability to detect anomalous behavior in other layers.
That’s bad for healthcare environments, because a supermajority of network connections in a typical hospital or clinic setting don’t belong to a traditional “endpoint” like a desktop or a server, where XDR products are strongest at detecting intrusions. In a typical healthcare environment, just 13 percent of connected devices are compatible with endpoint agents.
Today’s healthcare networks are dominated by IoMT devices, from infusion pumps to surgery robots. Limited by size constraints and confined to ultra-specific use cases, these devices often use specialized firmware, rather than Linux/Windows/Mac—and as a result, XDR technologies can’t provide them the same kind of protection they provide to a laptop running Windows.
NDR-H Gives XDR a Needed Network Protection Boost
The reason XDR products don’t play well with medical devices and IoT firmware is simple: most environments don’t use nearly as much IoT as healthcare networks do.
Not only do healthcare networks look different from those in other industries—their traffic patterns do, too. This is why the limited network visibility of XDR technologies typically cannot detect network intrusions in a real-world healthcare environment.
NDR uses more sophisticated instrumentation, like deep packet analysis and network flow data, to observe and build an understanding of your environment. NDR-H products take this idea one step further: by starting with deep knowledge of healthcare environments and their traffic patterns, an NDR-H can rapidly understand your network and identify anomalies with greater accuracy.
Using a healthcare-specific NDR like Cynerio NDR-H rapidly boosts your ability to detect:
- Lateral movement: Cynerio NDR-H can identify abnormal patterns of traffic between network segments that may indicate lateral movement by an attacker. Detecting and stopping this movement can be vital—especially when preventing ransomware attacks.
- Data exfiltration: With Cynerio NDR-H you’ll know immediately if a surge of outbound traffic indicates large volumes of data are being sent to external IP addresses, and can rapidly stop a breach in progress.
- IoT and device attacks: Connected devices may be largely invisible to XDR, but not to Cynerio NDR-H, which has been designed from the start with medical devices in mind.
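As an added illustration (not Cynerio's code, and not how Cynerio NDR-H is implemented), the following Python script applies the first two detections above, cross-segment lateral movement and outbound data-exfiltration surges, to a handful of constructed NetFlow-style records. The segment ranges, the baseline of "normal" segment-to-segment paths, the 500 MB threshold and every flow record are assumptions made up for this example; a real NDR learns the baseline from observed traffic rather than hard-coding it.

```python
"""Toy flow analyzer: flags lateral movement across network segments and
bulk outbound transfers, the two network-level detections described above.
All addresses, segments, thresholds and flow records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed segmentation of a hospital network (constructed for this example).
SEGMENTS = {
    "iomt": ip_network("10.10.0.0/16"),         # infusion pumps, monitors, ...
    "clinical_ws": ip_network("10.20.0.0/16"),  # clinician workstations
    "servers": ip_network("10.30.0.0/16"),      # device gateways, EHR servers
}

def segment_of(ip: str) -> str:
    """Map an address to its segment; anything outside the known ranges is
    treated as external for the purposes of this example."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"

# Baseline of segment-to-segment paths considered normal. A real NDR learns
# this from history; here it is a constructed assumption.
ALLOWED_PATHS = {
    ("iomt", "servers"),          # pumps report to the device gateway
    ("clinical_ws", "servers"),
    ("clinical_ws", "external"),
    ("servers", "external"),
}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_out).
FLOWS = [
    ("10.10.1.5", "10.30.0.10", 443, 12_000),          # pump -> gateway, normal
    ("10.10.1.5", "10.20.4.7", 445, 3_000),            # pump -> workstation SMB
    ("10.10.1.5", "10.20.4.8", 445, 2_500),            # pump -> 2nd workstation
    ("10.20.4.7", "10.30.0.20", 443, 80_000),          # workstation -> server
    ("10.30.0.20", "203.0.113.9", 443, 900_000_000),   # server -> external, 900 MB
    ("10.20.4.7", "198.51.100.4", 443, 40_000),        # ordinary web browsing
]

# Assumed per-source outbound volume above which a breach is suspected.
EXFIL_BYTES_THRESHOLD = 500_000_000

def detect_lateral_movement(flows):
    """Return sorted (src_ip, src_segment, dst_segment, distinct_dst_count)
    for sources crossing an internal segment boundary not in the baseline."""
    peers = defaultdict(set)
    for src, dst, _port, _nbytes in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d or d == "external" or (s, d) in ALLOWED_PATHS:
            continue
        peers[(src, s, d)].add(dst)
    return sorted((src, s, d, len(p)) for (src, s, d), p in peers.items())

def detect_exfiltration(flows, threshold=EXFIL_BYTES_THRESHOLD):
    """Return sorted (src_ip, total_bytes_to_external) for sources whose
    outbound volume to external hosts meets or exceeds the threshold."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes in flows:
        if segment_of(dst) == "external":
            totals[src] += nbytes
    return sorted((src, b) for src, b in totals.items() if b >= threshold)

if __name__ == "__main__":
    for alert in detect_lateral_movement(FLOWS):
        print("LATERAL_MOVEMENT", alert)
    for alert in detect_exfiltration(FLOWS):
        print("EXFILTRATION", alert)
```

Run on the sample records, the script reports the infusion pump reaching two clinical workstations over SMB (a path absent from the baseline) and the server that pushed 900 MB to an external host. The point of the example is the shape of the logic, per-source aggregation over flow records against a learned baseline, which is exactly what endpoint agents on the 13 percent of agent-capable devices cannot see for the remaining IoMT population.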
One big pro for XDRs: they’re designed to be highly extensible. You can easily add Cynerio NDR-H as a feed for your XDR tools, giving you unified protection against multiple types of intrusions.
While XDR solutions without an NDR-H feed do see more than traditional EDR, their network monitoring and anomaly detection capabilities don’t measure up to the deeper instrumentation and healthcare-specific pattern recognition offered by NDR-H.