April 29, 2022

Why You Need Both EDR and Zero Trust Segmentation

Trevor Dearing, EMEA Director of Technology & Product Marketing

People sometimes ask us if they need Illumio if they already have an Endpoint Detection and Response (EDR) product. Or they ask if they still need EDR if they already have Illumio.

The answer is that you need Zero Trust Segmentation and an EDR product. Illumio and EDR complement each other, creating a more robust defense against cyberattacks.

Here’s why Illumio and EDR are both essential security tools and why, together, they will make your organization’s cyber defenses even stronger.

Different products for different NIST cybersecurity roles

The best way to compare Illumio and EDR is to consider the broader context of cybersecurity.

Illumio and EDR products fulfill different roles in the NIST Cybersecurity Framework, the US government’s official standard for cybersecurity tools and practices. The NIST Cybersecurity Framework calls out five functions that, at their highest level, organize cybersecurity operations. These five functions are:

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

EDR products, as their name suggests, cover the Detect and Respond functions. They detect suspicious activity or an outright attack on an endpoint. Then they respond to suspicious activity or attacks by taking corrective action. They might send an alert to your security information and event management (SIEM) system, kick off a process to activate an antivirus tool, delete or quarantine files, and perform some combination of these or other actions.

Illumio Zero Trust Segmentation plays a different role in cybersecurity. Illumio continuously protects the network against attackers moving from one endpoint to another. If a subtle attack gets through on an endpoint — and eventually, because of software vulnerabilities or Zero-Day attacks, an attack will get through on some endpoint somewhere — Illumio protects your organization by denying access and preventing it from moving laterally across your organization’s network.

Illumio restricts attackers’ movements by denying all network traffic by default — that’s the Zero Trust security model. Instead, Illumio allows only the traffic that security and operations teams have deemed necessary after reviewing Illumio’s real-time application dependency map. The application dependency map shows the network paths that business-critical applications depend on.

In addition, Illumio makes it easy for security teams to enforce policies that block network protocols essential to many malware attacks. For example, nearly half of ransomware attacks in Q3 2021 relied on RDP (Remote Desktop Protocol). Originally designed to give help desk agents access to employees’ computers, RDP has ended up serving as a wide-open network of back alleys for attackers to traverse inside organizations. Illumio lets security teams define and enforce policies restricting RDP and other dangerous protocols in just minutes, significantly increasing protection against attacks.

When an endpoint is breached, Illumio prevents the attack from spreading any further, maintaining the availability of your systems and the business. When the EDR system detects the attack, an automated process can shut down and quarantine any infected workloads: 

  1. Attacks are isolated at the point of attack
  2. The attack is detected by the EDR or XDR
  3. Infected workloads are quarantined
  4. Appropriate protocols are blocked throughout the infrastructure
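To make the sequence above concrete, here is a small Python model of the policy behaviour the post describes: deny by default, allow only the flows recorded in an application dependency map, block RDP everywhere, and quarantine a workload once an EDR or XDR detection fires. This is an added example, not Illumio's code and not a description of how its Policy Compute Engine is implemented; the host names, ports and dependency map are constructed sample data.

```python
"""Toy Zero Trust Segmentation policy engine (added example, not Illumio code).

Models the behaviour described in the post: traffic is denied by default, only
flows recorded in an application dependency map are allowed, RDP (TCP/3389) is
blocked everywhere, and a workload flagged by an EDR/XDR detection is quarantined
so that every flow touching it is denied. All names and ports are constructed.
"""
from dataclasses import dataclass, field

RDP_PORT = 3389  # Remote Desktop Protocol, denied by an explicit rule


@dataclass(frozen=True)
class Flow:
    """One network flow: source workload, destination workload, destination port."""
    src: str
    dst: str
    port: int
    proto: str = "tcp"


@dataclass
class SegmentationPolicy:
    allowed: set = field(default_factory=set)        # flows learned from the dependency map
    blocked_ports: set = field(default_factory=set)  # ports denied regardless of the map
    quarantined: set = field(default_factory=set)    # workloads isolated after an EDR alert

    def allow_dependency(self, src: str, dst: str, port: int, proto: str = "tcp") -> None:
        self.allowed.add(Flow(src, dst, port, proto))

    def quarantine(self, workload: str) -> None:
        self.quarantined.add(workload)

    def decide(self, flow: Flow) -> tuple:
        """Return (verdict, reason). Rules are checked in order: quarantine,
        protocol block, allowlist, then the default deny that Zero Trust implies."""
        if flow.src in self.quarantined or flow.dst in self.quarantined:
            return "deny", "quarantined workload"
        if flow.port in self.blocked_ports:
            return "deny", f"blocked protocol port {flow.port}"
        if flow in self.allowed:
            return "allow", "in application dependency map"
        return "deny", "default deny"


# Constructed dependency map for a three-tier application: (src, dst, port).
DEPENDENCY_MAP = [
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
]

# Constructed flows to evaluate; the comments give the expected verdict.
SAMPLE_FLOWS = [
    Flow("web-01", "app-01", 8443),     # mapped dependency -> allow
    Flow("web-01", "db-01", 5432),      # web tier straight to the DB is not mapped -> deny
    Flow("app-01", "db-01", RDP_PORT),  # RDP between mapped hosts -> deny (protocol block)
    Flow("hr-laptop", "app-01", 8443),  # unmapped source -> default deny
]


def build_policy() -> SegmentationPolicy:
    """Turn the dependency map into an allowlist on top of default deny plus an RDP block."""
    policy = SegmentationPolicy(blocked_ports={RDP_PORT})
    for src, dst, port in DEPENDENCY_MAP:
        policy.allow_dependency(src, dst, port)
    return policy


def evaluate(policy: SegmentationPolicy, flows) -> dict:
    """Map each flow to its verdict ('allow' or 'deny')."""
    return {flow: policy.decide(flow)[0] for flow in flows}


def on_edr_alert(policy: SegmentationPolicy, workload: str) -> SegmentationPolicy:
    """Automated response step: an EDR/XDR detection on `workload` quarantines it."""
    policy.quarantine(workload)
    return policy


def demo() -> tuple:
    """Verdicts for the sample flows before and after the EDR flags web-01."""
    policy = build_policy()
    before = evaluate(policy, SAMPLE_FLOWS)
    on_edr_alert(policy, "web-01")
    after = evaluate(policy, SAMPLE_FLOWS)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for flow in SAMPLE_FLOWS:
        print(f"{flow.src} -> {flow.dst}:{flow.port}  before={before[flow]}  after={after[flow]}")
```

Running `demo()` shows the two halves of the argument: before any detection, only the one mapped flow is allowed and the RDP flow is denied even though both hosts are in the map; after the simulated EDR alert on `web-01`, the previously allowed web-to-app flow is denied as well, which is the quarantine step in the list above.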

Whatever endpoint security tools you have in place, your organization should also take advantage of the protection provided by Zero Trust Segmentation. As good as EDR and Extended Detection and Response (XDR) products are today, they’re not foolproof. And with visibility limited to endpoints themselves, EDR products sometimes miss multi-stage attacks as they unfold. In other words, EDR tools don’t provide full protection and even their detection is often limited.

EDR vs. XDR vs. Illumio

EDR products, by definition, run only on managed endpoints. Not surprisingly, they provide an endpoint-centric view of threats.

Extended Detection and Response (XDR) products expand the scope of security monitoring to include email, endpoints, servers, cloud workloads and network traffic. By providing security teams with a broader collection of correlated data for analyzing threats, XDR products make it easier to detect stealthy attacks. For example, XDR products might be able to detect multi-stage attacks that traditional EDR products might miss.

But while XDR products provide a broader view of IT activity, their work falls into the same NIST Cybersecurity Framework functions as EDR — they detect and respond. Neither technology fulfills the need for protection that’s provided by Zero Trust Segmentation.

Neither EDR nor XDR provides a systematic way of analyzing all the traffic associated with an application. To get that view, you need Illumio's application dependency map. Nor can EDR and XDR products instantly generate host-based firewall rules for enforcing Zero Trust Segmentation at scale. To generate those rules, you need the capabilities found in Illumio’s Policy Compute Engine.

Illumio complements EDR and XDR products by reducing the attack surface with Zero Trust Segmentation policies that leave attackers little room to maneuver.

Better together: Illumio with EDR or XDR

Regardless of which EDR or XDR product you deploy, you still need a fast, flexible and scalable way of segmenting the network, enforcing Zero Trust controls, and preventing attackers from engaging in lateral movement.

To learn more about how Illumio, the leader in Zero Trust Segmentation, can help:
