NDR vs. MDR
Healthcare organizations need cybersecurity protection—but they want to stay smart and efficient, avoiding unnecessary additional headcount. With CISA enhancing security compliance guidelines to include detection and response capabilities, it’s not surprising when healthcare organizations outsource to Managed Detection and Response (MDR) services.
The key difference between MDR and Network Detection and Response: MDR is a service, while NDR is a tool. When you’ve got an MDR, you’re essentially outsourcing key security functions to third party experts who can use various tools to detect and respond to attacks—but they’re only as capable as the tools they’re empowered with
Defense in depth requires using the right tools for every layer. That’s where NDR (Network Detection & Response) comes in—with defense in depth at the network layer that goes beyond what an MDR can provide.
The TL;DR: MDR services typically use EDR tools, which monitor laptops and desktops, not IoT devices or the network. NDR is a must-have in the healthcare environment because of all the blind spots left by the EDR technologies used by MDR providers.
Wait…My MDR Provider Isn’t Using NDR?
Probably not.
MDR isn’t a specific software tool or platform, but instead a service offering. Security experts working for MDRs work for multiple clients, providing monitoring and incident response 24/7. No more trouble staffing the night shift—that kind of availability is worth a lot.
The vast majority of MDR providers keep their focus on endpoints. Their security experts are trained on understanding threats indicated by EDR tools, then triaging and responding to those threats before they turn into breaches.
For some operating environments, the EDR-based approach offers good coverage: in a typical corporate office, for instance, the vast majority of the attack surface consists of laptops, desktops, and servers. In healthcare, they’re also important…but a huge additional attack surface remains uncovered by EDR.
We’re talking here about IoT devices—and modern healthcare has them everywhere. Think thousands of infusion pumps. Surgical robots. Implantable devices. Those are endpoints, too—but because they don’t use typical operating system software like Windows, MacOS, or Linux, they’re totally invisible to EDR solutions.
That’s where NDR comes in.
By identifying anomalous behavior in the network layer, NDR (especially when using a tool specifically designed for healthcare needs) illuminates threats and allows rapid response while MDR services would still be in the dark.
Hidden Attack Surfaces: JekyllBot:5 And the Limits of MDR
Smart hospital robots were designed to improve healthcare by automating transportation and distribution of supplies. But what if a threat actor commandeered one of these robots—stopping them from reaching their intended destination, or even intentionally interfering with hospital operations?
Cynerio discovered exactly this issue with Aethon TUG robots. The vulnerabilities, which we called JekyllBot:5, could potentially have allowed an attacker to execute arbitrary commands using the robot—anything from taking unauthorized photos to accessing restricted areas, or even injecting malware in an administrator portal browser to expand the attack laterally.
That’s exactly the kind of attack MDR providers will miss—and it’s not their fault, just outside the scope of what their tools were meant to monitor.
How NDR Sees Beyond MDR
More than half of connections on a typical hospital network come from connected IoT devices—sometimes far more than half. NDR sees behavior at the network layer, and identifies when network traffic is behaving unusually.
With specialized healthcare-oriented NDR tools, you can empower your security team or MDR with deeper insights and capabilities, including:
- Wider coverage: See across your entire network, including the many devices based on IoT firmware and small operating systems invisible to the EDR tools MDRs use.
- Automated enforcement: Create policies for network behavior and automatically block traffic from sources that have begun to indicate a possible attack in progress.
- Deep healthcare security insights: Purpose-built healthcare NDRs know what traffic in a healthcare environment is supposed to look like and can rapidly detect indicators of compromise before attackers move laterally.
Just remember—MDRs are great for taking some of the burden off your security teams, but they don’t represent a complete security solution that covers all sources of risk.
If your MDR doesn’t yet have NDR capabilities, you can also talk to your MDR representative about offering these services, or ask whether they would manage an NDR solution that you purchased for your organization.
Talk to Cynerio today to learn how NDR built for healthcare can keep your entire network environment—and your patients, staff, and providers—protected.