OT and IT
Cyber defense in the industry: EDR vs. NDR
Industrial companies are increasingly being targeted by cyber attacks, and the interfaces between IT and OT systems are particularly at risk. This article explains why endpoint protection (EDR) usually forms the basis of an effective security strategy and how network detection (NDR) can usefully complement it.
Industrial companies are faced with the challenge of protecting IT systems such as servers and databases while at the same time having to maintain operational technology (OT systems) such as industrial control systems (ICS), human-machine interfaces (HMI), SCADA and IoT devices. In particular, the fear that sensors and IoT devices can be hacked and the data manipulated is causing uncertainty. Where should protection start?
Practice shows that cyberattacks often start at the endpoints. A compromised laptop belonging to a maintenance technician with access to production networks can serve as a starting point for an attack and enable lateral movement into OT systems. The statistics also point in this direction: in 2023 alone, industrial companies accounted for around 25% of all reported security incidents. IT was the main attack vector: 72% of attacks originated there.
Why are industrial companies particularly affected? The main reason for this lies in the ever-increasing attack surfaces due to the networking of IT and OT, the particularly vulnerable legacy systems and the high degree of technological and operational connectivity. Production is highly dependent on continuous processes, and delays can have a serious impact on the supply chain. Attacks can cause business disruption with serious repercussions, which is why companies often pay ransoms to restore operations. But what is the most effective way to protect against these attacks?
Protect endpoints or networks?
When choosing a cyber security solution, industrial companies are often faced with the choice between "Endpoint Detection and Response" (EDR) and "Network Detection and Response" (NDR). EDR monitors activity on endpoints such as desktops, laptops and servers, where threats usually begin. NDR solutions, on the other hand, focus on analyzing network traffic to detect threats through anomalies in the information flow. NDR tools are particularly useful for network segmentation, detecting lateral traffic between IT and OT, and protecting machines that cannot run security software.
EDR and NDR both use continuous monitoring to detect malicious activity. Upon detection, an alert is triggered that contains all the information needed to respond. The goal of detection and response technologies is to detect and respond to a successful intrusion and contain the attack before any damage is done. But where should this happen - at the endpoint, in the network or both?
How EDR and NDR behave against ransomware, phishing and supply chain attacks
The annually updated ENISA Threat Landscape (ETL) report shows that ransomware, phishing and supply chain attacks are among the biggest challenges for companies.
Ransomware attacks often start on endpoints through phishing or infected attachments. EDR detects bulk file encryption through file system monitoring and behavioral analysis and terminates the malicious processes. NDR, on the other hand, monitors unusual outbound traffic to command and control (C2) servers. If trusted software has been compromised, NDR can detect unusual communication patterns. However, without the context of endpoints, false positives may occur.
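The endpoint-side detection described above (file system monitoring plus behavioral analysis to spot bulk encryption) can be illustrated in code. The following is an added example, not code from the article or from any EDR product: it runs a simple detector over a constructed list of file-write events of the kind an endpoint agent's file-system monitor would emit. The event schema, the entropy and rename thresholds, and the process names are assumptions for illustration.

```python
"""
Added example (not from the article): an EDR-style detector for the bulk
file encryption pattern. Input events, thresholds and process names are
constructed assumptions, not data from any real agent.
"""
import math
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float        # seconds since epoch
    pid: int
    process: str
    path: str        # path after the write (new name if the file was renamed)
    renamed: bool    # True if the write also renamed the file
    sample: bytes    # first bytes written, as an agent would capture them


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, low for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_bulk_encryption(events, window_s=60.0, min_files=20,
                           entropy_threshold=7.0, min_rename_ratio=0.5):
    """
    Sliding window per process: flag a process that rewrites many distinct
    files with high-entropy content and mostly renames them within window_s
    seconds. Returns one alert per offending process.
    """
    by_proc = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_proc[(ev.pid, ev.process)].append(ev)
    alerts = []
    for (pid, name), evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            window = evs[start:end + 1]
            if len({e.path for e in window}) < min_files:
                continue
            high = sum(1 for e in window if shannon_entropy(e.sample) >= entropy_threshold)
            renames = sum(1 for e in window if e.renamed)
            if high / len(window) >= 0.8 and renames / len(window) >= min_rename_ratio:
                alerts.append({"pid": pid, "process": name, "files": len(window),
                               "seconds": round(window[-1].ts - window[0].ts, 1),
                               "response": "terminate_process"})
                break  # one alert per process is enough to trigger the response
    return alerts


def build_sample_events():
    """Constructed sample events (assumption): one encryptor, two benign writers."""
    rng = random.Random(7)
    events = []
    # Unknown process rewriting 30 documents to *.locked with random content in ~18 s
    for i in range(30):
        events.append(FileEvent(ts=1000.0 + i * 0.6, pid=4242, process="unknown.exe",
                                path=f"/share/docs/report_{i}.docx.locked", renamed=True,
                                sample=bytes(rng.getrandbits(8) for _ in range(512))))
    # Archiver writing many high-entropy files, but the originals are untouched (no renames)
    for i in range(25):
        events.append(FileEvent(ts=2000.0 + i * 0.5, pid=5151, process="archiver",
                                path=f"/backup/part_{i}.zip", renamed=False,
                                sample=bytes(rng.getrandbits(8) for _ in range(512))))
    # Word processor saving a few low-entropy text documents
    for i in range(3):
        events.append(FileEvent(ts=3000.0 + i * 5, pid=6161, process="editor",
                                path=f"/home/user/notes_{i}.txt", renamed=False,
                                sample=b"meeting notes for the maintenance window " * 12))
    return events


if __name__ == "__main__":
    for alert in detect_bulk_encryption(build_sample_events()):
        print(alert)
```

The rename ratio is what separates the encryptor from the archiver: both write high-entropy data to many files, but only the encryptor replaces the originals. Real agents combine several such signals (canary files, I/O rate, process lineage) before terminating a process, because any single heuristic has benign look-alikes.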
In the event of phishing attempts, an EDR solution monitors email clients and browsers to intercept malicious attachments or URLs. EDR can detect attempts to steal credentials and block the installation of malicious software. NDR can identify unusual network traffic or DNS requests to phishing domains. However, NDR's options for preventing a compromise and consistently enforcing HTTPS are limited.
In supply chain attacks, an EDR tool can monitor applications for unusual behavior and uses indicators of compromise (IoCs) to detect trusted software that is behaving maliciously. NDR is able to detect unexpected communications from compromised software, but has difficulty distinguishing legitimate from malicious traffic without endpoint context.
When can EDR and NDR complement each other?
An NDR tool alone is often not enough, as it has difficulty distinguishing between legitimate and malicious data flows. NDR relies on existing network visibility, which is often limited in industrial environments.
There are scenarios where NDR makes sense for OT systems, for example when an EDR agent cannot be installed on older machines or IoT devices with limited memory. In this case, an NDR tool can monitor ICS or IoT devices in combination with EDR solutions that protect IT endpoints. However, NDR should not be considered as a primary protection measure.
For the protection of critical infrastructures that include a combination of IT and OT environments, it is advisable to carry out network segmentation, apply EDR to IT systems and implement NDR in a targeted manner. For other scenarios, an EDR tool is usually sufficient.
For most industrial companies, EDR is therefore the most effective solution for detecting and containing cyberattacks at their most common source, the endpoints. NDR can be seen as a complementary layer and should only be used when there are specific network visibility requirements.
An EDR tool should therefore form the basis of a cyber security strategy. An NDR tool can usefully complement this strategy by providing additional anomaly detection for unmanaged devices or detecting lateral movement within specific network architectures. However, an NDR tool is most effective when it supports an EDR and helps to close the gaps that arise in complex security environments.