Can you use Endpoint detection (EDR) as your sole security tool?


The Evolution of Endpoint Security

Remember the time when McAfee antivirus was all that was needed to protect your systems against malicious viruses? While we may reminisce about those simpler times, we can’t deny that threats have invariably evolved and their potential to damage systems has increased multifold.

As organizations evolved from defending against known threats to detecting unknown threats using Endpoint detection and response systems (EDR), it seemed like a logical next step. However, while EDR was a significant advancement, it is only part of the journey toward the level of cyber defense required today, especially given the sophistication of modern attacks.

How does EDR work?

Endpoint detection systems have a clear objective: to protect endpoint machines such as laptops, workstations and servers by installing a lightweight agent on them. These agents collect telemetry and send it to a central system, where analysts can access and analyze the data to identify threats. EDR telemetry typically consists of logs generated from the analysis of logins, network connections and other activities occurring on the endpoint.

Deliberate evasion of EDR by attackers

But what about machines that cannot have these agents installed on them? Is EDR completely blind to them? Unfortunately, yes! Since EDR detection requires activity to occur on monitored endpoints, it is inherently blind to anything that happens outside those endpoints.

A recent example of this is the Akira ransomware attack, where attackers exploited an unsecured camera to gain access to a victim organization’s network. In an enterprise environment, there are many such ‘ghost devices’. These could include cameras, printers or old, forgotten workstations. Devices with little to no security can easily become an entry point for attackers to penetrate the network.

Challenges with EDR by design

So, should organizations rely on EDR as their key security tool?

Let’s consider another scenario.

Suppose attackers are not using these ghost devices to gain entry into the network, and all systems are functioning normally, including the EDR which is running perfectly. There are some limitations that exist inherently in EDR, simply because of how it is designed.

For instance, would EDR be able to differentiate between valid and stolen credentials?

According to Verizon’s 2025 report, stolen credentials are the top initial access vector, making them the most common method attackers use to infiltrate networks. However, an EDR typically sees a login as legitimate as long as the correct username and password are used.

Once inside the network, attackers can move freely, potentially reconfiguring the EDR, or even disabling the EDR itself. If that happens, no telemetry will be generated while the attacker quietly operates within the network for months. In fact, recent reports indicate that attackers can remain undetected for as long as 8 months before launching their attack.

So, I ask again: should organizations rely on EDR as their key security tool?

What attackers can’t avoid

Hopefully, with this new-found perspective, your answer is no. But what is the solution then?

If attackers can tamper with, bypass or disable a security system like EDR, what hope do we have of countering them? The answer lies in one unavoidable fact: once attackers are inside a system, they need to communicate. Whether they want to exfiltrate data, hoard files for ransomware encryption or move laterally to compromise new hosts, they must use the network to do so.

Network as the source of truth

The network becomes the source of truth. Every command issued, every lateral movement attempted and every byte of exfiltrated data must ultimately traverse the network. By monitoring network activity for anomalies using a Network Detection and Response (NDR) solution, organizations gain visibility into attacker activity that cannot easily be hidden.

Not all NDRs are equal

Not all NDR vendors provide the same level of visibility. Some solutions rely on network logs generated from telemetry, which offers partial visibility at best. For deeper threat investigation and accurate forensic analysis, it is essential to do full, continuous packet capture and analyze even encrypted communications to identify hidden threats.

A layered approach to cyber defense

The most effective defense, therefore, lies in a layered security architecture that combines EDR and NDR. While EDR monitors activity on endpoints, NDR analyzes network traffic to detect suspicious behavior and attacker movement in real time. With NDR in place, even when attackers use valid credentials or legitimate tools, their abnormal network activity can still be detected and flagged.
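As an added illustration (not code from the original post or from any vendor product), here is a small Python check that correlates EDR agent heartbeats with network flow records: it flags hosts that are active on the network but either have no agent at all (the ‘ghost devices’ above) or whose agent has gone silent (a disabled or tampered agent), which is exactly the gap the network view is meant to cover. Host names, timestamps and flow records are constructed sample data.

```python
"""Correlate EDR agent heartbeats with network flow records to surface hosts
that are talking on the network without a live EDR agent.
All data below is constructed sample data, not from the original post."""
from datetime import datetime, timedelta

# Last heartbeat received from each EDR agent (constructed).
EDR_HEARTBEATS = {
    "ws-101": datetime(2025, 6, 1, 12, 0),
    "ws-102": datetime(2025, 6, 1, 9, 30),   # agent stopped reporting hours ago
    "srv-db": datetime(2025, 6, 1, 12, 1),
}

# Flow records as (timestamp, source host, destination, bytes out) (constructed).
# "cam-lobby" is a camera that never had an agent installed.
NETFLOW = [
    (datetime(2025, 6, 1, 12, 5), "ws-101", "10.0.0.5", 2_000),
    (datetime(2025, 6, 1, 12, 6), "ws-102", "203.0.113.9", 600_000_000),
    (datetime(2025, 6, 1, 12, 7), "ws-102", "203.0.113.9", 350_000_000),
    (datetime(2025, 6, 1, 12, 7), "cam-lobby", "10.0.0.20", 1_200),
    (datetime(2025, 6, 1, 12, 8), "srv-db", "10.0.0.7", 400),
]

# Point in time at which the check is run (constructed).
DEMO_NOW = datetime(2025, 6, 1, 12, 10)


def find_blind_spots(heartbeats, flows, now, max_silence=timedelta(minutes=30)):
    """Return {host: {"reason": ..., "bytes": ..., "flows": ...}} for every
    source host seen in the flows that either has no EDR agent ("no_agent",
    e.g. a camera or printer) or whose agent has not reported within
    max_silence ("agent_silent", e.g. a disabled or tampered agent).
    Hosts with a live agent are omitted: endpoint telemetry covers them."""
    findings = {}
    for ts, src, dst, nbytes in flows:
        last = heartbeats.get(src)
        if last is None:
            reason = "no_agent"
        elif now - last > max_silence:
            reason = "agent_silent"
        else:
            continue  # live agent; endpoint telemetry exists for this host
        entry = findings.setdefault(src, {"reason": reason, "bytes": 0, "flows": 0})
        entry["bytes"] += nbytes
        entry["flows"] += 1
    return findings


if __name__ == "__main__":
    for host, info in find_blind_spots(EDR_HEARTBEATS, NETFLOW, DEMO_NOW).items():
        print(f"{host}: {info['reason']}, {info['flows']} flows, {info['bytes']} bytes")
```

In a real deployment the heartbeat table would come from the EDR console and the flows from the NDR sensor; the point is that the host with the silent agent is the one pushing hundreds of megabytes to an external address, and only the network side can see it.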

EDR, although a road paved with good intentions, can only lead you halfway. Beyond that, the network (NDR) must be the ultimate source of ground truth.
