
Unpacking the 2024 Gartner® NDR Market Guide: Securing the Agentless Attack Surface

The rapid proliferation of IoT devices, network devices, and cloud infrastructure has drastically expanded the attack surface for organizations across all industries. As these attack surfaces change, organizations must adapt the way they monitor them. The growing reality is that endpoint-based security just can’t handle many of these environments, leaving significant gaps in coverage. As a result, security teams are left grappling with the challenge of achieving visibility and threat detection in all areas of their organization.

We believe the “2024 Gartner® Market Guide for Network Detection and Response” recognizes this emerging trend, highlighting how some NDR vendors are shifting towards what they call “hybrid-network NDR”. In these cases, the NDR solution is “expanding their coverage to include areas of the network not initially exposed to NDR.” These network segments — primarily Infrastructure as a Service (IaaS), Information Technology (IT) / Operational Technology (OT) convergence, Software as a Service (SaaS), and home networks — pose their own unique challenges when it comes to using NDR.

In this series, we have been unpacking the “2024 Gartner® Market Guide for Network Detection and Response.” In this blog post, we will discuss the challenges of securing the agentless attack surface while sharing how the Stamus Security Platform (SSP) can help organizations gain network visibility in environments where endpoint agents are impossible to install.

Please visit the Stamus Networks Blog to read the first two entries in this series, “Unpacking the 2024 Gartner® NDR Market Guide: The Return of IDS” and “Unpacking the 2024 Gartner® NDR Market Guide: The Critical Role of Automated Response.”

What does Gartner say about expanding attack surfaces?

When we talk about an agentless attack surface, we are talking about network environments where the organization is unable to deploy endpoint agents. This is due to Internet-of-Things (IoT) or OT technology, such as the kind we see in hospitals, or because of a bring-your-own-device policy with a lot of public networks, like we often see in universities. In some cases, an environment is forced to be agentless because of the use of cloud infrastructure. In other cases, the organization’s infrastructure is too outdated to support modern endpoint agents. Regardless of the environment, the challenge stays the same: endpoint security solutions become ineffective and – without additional security measures – the organization becomes a prime target for cybercriminals.

The “2024 Gartner® Market Guide for Network Detection and Response” highlights a growing reliance on “hybrid-network NDR” to address this challenge. As the report states:

"NDR providers continue to improve their detection capabilities and improve incident response workflows, highlighting the identified root causes of an incident. With this success and confidence, enterprises are experimenting with new NDR features and expanding their coverage to include areas of the network not initially exposed to NDR, especially to see all lateral movement between different types of infrastructure."

The need for visibility and threat detection across the organization, including agentless segments, is driving the shift towards more flexible NDR solutions. By extending their reach beyond traditional network segments, NDR solutions can help organizations identify and mitigate risks before they escalate.

The agentless attack surface presents some unique challenges for security teams. IoT devices, for example, often have limited processing power and storage capacity, making it impractical or impossible to deploy endpoint agents. The shift towards the cloud, while practical for many organizations, complicates threat detection as many security controls do not translate seamlessly to the dynamic nature of cloud infrastructure.

To effectively address these challenges, organizations require security solutions that can provide visibility and threat detection in an alternative way. NDR solutions that can analyze network traffic patterns and identify anomalies in these agentless environments are becoming an essential part of a comprehensive security strategy to protect critical assets.

The Stamus Security Platform: Comprehensive Visibility in Agentless Environments 

The Stamus Security Platform (SSP) is equipped to help organizations address some of the challenges posed by expanding attack surfaces. Using advanced network traffic analysis capabilities, SSP provides maximum visibility across the entire network environment, which enables organizations to maintain comprehensive threat coverage across critical agentless environments.

There are many environments where it is difficult or even impossible to install endpoint security controls. In these scenarios, Network Detection and Response (NDR) is the most effective way for the organization to maintain the needed level of visibility. In other situations, NDR could be used to audit endpoint policies and configurations, providing visibility into gaps left by Endpoint Detection and Response (EDR) systems and adding another layer of security in the event that an endpoint fails. Some examples of environments that commonly cannot use endpoint agents or otherwise have wide gaps in coverage include:

  • Automotive Manufacturing
  • Medical
  • Military
  • Outdated Critical Infrastructure (such as those seen in finance or insurance)

It is important to note that while Gartner addresses the use-cases of Software-as-a-Service (SaaS) and home networks in their report, we believe that these use-cases are better served by other security controls. While it is possible for an NDR to address these networks, NDR may not be the best tool for the job.

The agentless attack surface use-cases Stamus Security Platform focuses on are IaaS and OT. We see these use-cases as excellent ways to apply NDR and enable organizations to gain greater visibility into the segments of their network where endpoint agents are impractical or impossible to place.

SSP's ability to analyze network traffic patterns within IaaS environments allows organizations to gain greater insights into cloud security posture and proactively address potential threats. The granular network visibility provided by SSP into server workflows can help identify lateral movement, insider threats, supply chain attacks, misconfigurations, and more.

When it comes to environments using OT, network monitoring is one of the most effective means of maintaining visibility. Many OT and IoT devices, which far outnumber non-OT/IoT devices, cannot have security controls installed directly on the devices. What this means for organizations is that there is no way to monitor these devices except through the network. By observing communications among these devices, we can gain a much fuller picture of the activity on an expanded network. As IT and OT converge, NDR provides a valuable layer of visibility and threat coverage that can identify shared vulnerabilities, monitor for unauthorized access, detect lateral movement, and improve incident response.

Download the 2024 Market Guide for Network Detection and Response

It is important to note that we do not believe that NDR solves all problems, and what works for one organization may not work for another. Ideally, organizations would have a variety of controls and security systems in place not only for redundancy, but also to gain the most comprehensive visibility possible. Organizations should continue to leverage endpoint-based security where they can, but the addition of NDR can fill the gaps in coverage left as the attack surface continues to expand.

Normally, Gartner reports are only available to Gartner clients. However, this year Stamus Networks is offering a complimentary copy of the “2024 Gartner® Market Guide for Network Detection and Response” to equip defenders with strategic insights on the NDR market. To download your copy, please visit our website.

To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.

Attributions and Disclaimers

Gartner, Market Guide for Network Detection and Response, Jeremy D'Hoinne, Thomas Lintemuth, Nahim Fazal, Charanpal Bhogal, 29 March 2024

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Dallon Robinette
