F5-CrowdStrike network security partnership: Is EDR enough?
A new F5-CrowdStrike partnership extends EDR to vulnerable network infrastructure, but is it enough? Research shows NDR outperforms EDR in many places.
Seeking to better protect customers from exploitable network devices, F5 and CrowdStrike recently announced a technology alliance in which CrowdStrike Falcon will integrate with and run directly on F5's BIG-IP platform. This partnership will enable customers to use workload security from the Falcon agent, as well as CrowdStrike's Falcon Adversary OverWatch managed threat hunting service, across their BIG-IP footprint. The vendors have positioned this alliance as a new approach that redefines network protection and extends edge protection from laptops, desktops and mobile devices to vulnerable network infrastructure.
While this is a growing area of concern for many organizations, it is worth noting that this partnership comes on the heels of a significant breach F5 suffered in August and disclosed in October in which nation-state actors stole segments of BIG-IP source code and vulnerability details. As a result, eligible BIG-IP customers will be able to deploy Falcon and use OverWatch at no cost through October 2026.
So, while vulnerable network devices are a significant and ongoing issue -- a Fortinet FortiWeb vulnerability capable of remote code execution was recently exploited in the wild -- and this partnership represents an avenue to addressing the problem, it is in reaction to a specific event and has a fairly narrow focus, at least to start. That said, credit to F5 for moving quickly to engage with CrowdStrike and help ensure customers are protected and have the tools they need to defend themselves for this issue.
This announcement represents an interesting and much-needed development in detecting threats that target network infrastructure, but it overlooks the following key issues in the broader problem of protecting that infrastructure:
- The partnership currently only covers F5's BIG-IP family. Most organizations support multiple network device vendors. For full visibility across the network infrastructure, Falcon will need to integrate across many platforms. This could occur over time, but gaps will likely remain in the foreseeable future, meaning that security teams relying solely on endpoint detection and response (EDR) will be vulnerable.
- The "EDR everywhere" model is difficult to scale. This overlaps a bit with the first point. Connected IoT devices and cloud environments are two key areas where deploying agents is difficult, if not impossible. And if EDR isn't everywhere, organizations need something else to bridge that visibility gap.
- EDR itself can be vulnerable. In addition to attacks designed to evade EDR -- such as DLL side-loading and code injection, fileless and memory-based attacks -- and attackers generally living off the land, one of the first actions an attacker will attempt once they have access to an endpoint is to disable EDR to obfuscate their actions. The July 2024 CrowdStrike outage highlighted the potential for disruption when deploying agents on critical systems, which would certainly include network devices. In short, EDR has shortcomings.
Revisiting network visibility and detection
There's no question that device-level visibility is critical and provides data that other tools can't. However, a broader, network-level view offers some distinct advantages that don't necessarily replace but complement endpoint-level detection. Network detection and response (NDR) specifically can help address some of the issues previously discussed.
NDR does not require security teams to deploy agents, which helps cover parts of the environment where agent deployment is not possible or desired. Because it operates out of band, an attacker who has compromised a host cannot disable or tamper with it the way they can an agent running on that host. NDR can also provide a holistic view of the environment, enabling analysts and threat hunters to see every connection and identify anomalous activity and lateral movement across systems. NDR might not provide the depth of system-level visibility that EDR does, but it offers value through its ability to see the entire picture.
Recent research from Omdia, a division of Informa TechTarget, titled "The Role of Network Visibility in Protecting Modern Environments," highlighted how organizations view network-based tools in comparison to other aspects of their security stack, and the benefits they see using NDR. Some of the most telling findings include the following:
- NDR is well-positioned for hybrid cloud. Overall, 41% of respondents said NDR or visibility tools are best equipped to provide visibility across hybrid multi-cloud environments. Only 12% felt EDR tools were best equipped for this purpose.
- NDR is accurate. Overall, only 19% of respondents indicated that at least half of the alerts generated by their security tools turned out to be malicious true positives -- meaning false positives are still an issue overall. However, the results were better among those using network visibility as a first line of defense, with 24% reporting that at least half of their detections were true positives, versus only 11% using endpoint visibility as a first line of defense.
- NDR helps teams respond faster. Nearly two-thirds (61%) said network visibility has a significant impact on moving from detection to response, helping complete the step faster and with more confidence. An additional 38% said it had a moderate impact, helping complete the step somewhat faster with somewhat more confidence.
- NDR helps improve both efficiency and security. Organizations are seeing tangible benefits from their use of NDR. More than half (53%) reported that security operations center analyst efficiency had improved, and 49% said mean time to detection had been reduced, while 42% reported fewer data breaches.
What it all means
To be clear, the point here is not that NDR is the only tool that a security team needs to detect modern threats in distributed environments. In fact, device-level visibility into network infrastructure is a notable gap for NDR. But EDR is not a silver bullet either and needs to be complemented by network visibility.
Network visibility and detection can clearly help security teams close these gaps in visibility, improve efficiency and detect threats they would otherwise miss. As is often the case, security teams should prioritize a layered approach -- but one that emphasizes network visibility. For network infrastructure specifically, adding EDR where possible to detect compromised devices earlier could help. However, when this approach is augmented by NDR to detect lateral movement and suspicious activity emanating from those devices, security teams will be more successful overall.
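As an added illustration of the network-side detection the article describes (not code from F5, CrowdStrike or Omdia), the script below runs a simple lateral-movement check over constructed flow records of the kind an out-of-band NDR sensor collects. It assumes a load balancer at 10.0.0.5 that normally only speaks HTTPS to its backend pool; the addresses, ports and flows are all constructed for the example.

```python
"""Flow-based lateral-movement detection over constructed NDR-style records."""
from collections import defaultdict

# Ports commonly used for administrative access inside a network; a network
# device that suddenly fans out to these is worth an analyst's attention.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}

# Constructed baseline window: the load balancer (10.0.0.5) only talks HTTPS
# to its backend pool. Records are (src, dst, dst_port).
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 443),
    ("10.0.0.5", "10.0.1.11", 443),
    ("10.0.0.5", "10.0.1.12", 443),
    ("10.0.2.20", "10.0.1.10", 445),  # a file-server client; normal traffic
]

# Constructed current window: the same device starts reaching admin ports on
# internal hosts it has never talked to, which no agent on the device would
# report if the device has no agent or the agent was disabled.
CURRENT_FLOWS = [
    ("10.0.0.5", "10.0.1.10", 443),
    ("10.0.0.5", "10.0.1.13", 22),
    ("10.0.0.5", "10.0.1.14", 445),
    ("10.0.0.5", "10.0.1.15", 3389),
    ("10.0.2.20", "10.0.1.10", 445),
]


def build_baseline(flows):
    """Map each source address to the set of (dst, port) pairs it has used."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[src].add((dst, dport))
    return seen


def find_lateral_movement(baseline, current, min_new_peers=2):
    """Return {src: [(dst, port), ...]} for sources that open admin-port
    connections to at least min_new_peers hosts not present in their baseline."""
    seen = build_baseline(baseline)
    new_admin = defaultdict(list)
    for src, dst, dport in current:
        if dport in ADMIN_PORTS and (dst, dport) not in seen[src]:
            new_admin[src].append((dst, dport))
    return {src: pairs for src, pairs in new_admin.items()
            if len({dst for dst, _ in pairs}) >= min_new_peers}


if __name__ == "__main__":
    for src, pairs in find_lateral_movement(BASELINE_FLOWS, CURRENT_FLOWS).items():
        print(f"ALERT {src}: new admin-port connections {pairs}")
```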
John Grady is a principal analyst at Omdia who covers network security. Grady has more than 15 years of IT vendor and analyst experience.
Omdia is a division of Informa TechTarget. Its analysts have business relationships with technology vendors.