Endpoint detection and response (EDR)

Endpoint Detection and Response (EDR) is a cybersecurity technology designed to help organizations detect, investigate, and respond to threats on endpoint devices. An endpoint is any device that is connected to a network, such as laptops, desktops, smartphones, tablets, servers, and even some IoT (Internet of Things) devices.

With the rise of remote work, endpoints often operate outside the traditional corporate network perimeter, making them more vulnerable to attacks. EDR provides a layer of security that is not dependent on the physical location of the endpoint, thus extending protection to remote workers and their devices.

NetBird integrates with major EDR platforms to restrict network access to devices managed by the company's IT department. With the integration enabled, NetBird synchronizes the list of devices managed by the EDR platform via its API and checks for the presence of the EDR agent on each device, blocking network access if the agent is not installed.

In addition to the agent check, the integration can evaluate the Zero Trust Assessment (ZTA) score of each host and limit network access based on it. For instance, a device whose ZTA score is below the configured threshold is deemed too risky and is denied access to the network.

NetBird doesn't apply the EDR checks to all devices in the network. Instead, you can select specific groups of devices for the checks to apply.

This document offers instructions and best practices for setting up NetBird with different EDR platforms.

CrowdStrike

Before you start creating and configuring a CrowdStrike integration, ensure that you have the following:

  • A CrowdStrike account with the permissions to create and manage API keys. If you don't have the required permissions, ask your CrowdStrike administrator to grant them to you.

Step 1: Create a CrowdStrike API key

  • Navigate to the API clients and keys page
  • Click Create API client in the top-right corner
  • Set Hosts - Read permission
  • Set Zero Trust Assessment - Read permission
  • Click Create
  • Copy the credentials. You will need these credentials when configuring an integration in NetBird.

Step 2: Configure a CrowdStrike integration in NetBird

  • Navigate to the Integrations » EDR tab in the NetBird dashboard
  • Click Connect CrowdStrike to start the configuration wizard

[screenshot: event-streaming-integration]

  • First, select the region of your CrowdStrike account

[screenshot: crowdstrike-region]

  • Then enter the client ID and secret key you created in Step 1 and click Continue

[screenshot: crowdstrike-credentials]

  • Select groups you want to apply the integration to
  • If you want to apply a ZTA threshold, enable Zero Trust Assessment Score, set the desired limit, and click Connect.

[screenshot: crowdstrike-groups-zta]

  • Peers that have the CrowdStrike agent installed will be granted access to the network. Peers without the agent will appear with an Approval required mark in the peers list and won't be able to access the network until the agent is installed.

[screenshot: edr-approval-required]

  • Optional. You can experiment and see how the integration works by hiding hosts in the CrowdStrike Host management console:
    • Navigate to the Host management page in the CrowdStrike console
    • Select a host you want to hide
    • Click Actions and then Hide
    • The host will be moved to Trash (you can restore it later)
    • After about a minute, the peer will be disconnected from the network and marked as Approval required in the NetBird dashboard.
    • To restore the host in CrowdStrike, navigate to the Trash and click Restore
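To make the decision logic described above concrete, here is an added Python model (not NetBird's or CrowdStrike's code) of how the synced host list, the selected groups, and the ZTA threshold combine into a peer's access state, including what happens when a host is hidden and drops out of the next sync. Matching peers to hosts by case-insensitive hostname, the state labels, and all sample peers and hosts are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data; nothing here comes from a real CrowdStrike tenant.
# Assumption: a peer is matched to an EDR host by case-insensitive hostname.


@dataclass(frozen=True)
class EdrHost:
    hostname: str
    zta_score: int | None  # None: host has no Zero Trust Assessment yet


@dataclass(frozen=True)
class Peer:
    name: str
    hostname: str
    groups: frozenset


@dataclass(frozen=True)
class EdrPolicy:
    checked_groups: frozenset  # only peers in these groups are checked
    zta_enabled: bool = False
    zta_threshold: int = 0


def evaluate_peer(peer: Peer, hosts: dict, policy: EdrPolicy) -> str:
    """Decide one peer's access state from the synced EDR host list."""
    if not (peer.groups & policy.checked_groups):
        return "not_checked"  # the integration does not apply to this peer
    host = hosts.get(peer.hostname.lower())
    if host is None:
        return "approval_required"  # no agent reporting for this hostname
    if policy.zta_enabled and (host.zta_score is None or host.zta_score < policy.zta_threshold):
        return "denied_zta"  # ZTA score missing or below the configured limit
    return "approved"


def sync_and_evaluate(peers: list, edr_hosts: list, policy: EdrPolicy) -> dict:
    """Re-run the checks against a freshly synced host list, as each sync would."""
    hosts = {h.hostname.lower(): h for h in edr_hosts}
    return {p.name: evaluate_peer(p, hosts, policy) for p in peers}


PEERS = [
    Peer("alice-laptop", "ALICE-LT", frozenset({"engineering"})),
    Peer("bob-laptop", "BOB-LT", frozenset({"engineering"})),
    Peer("kiosk", "KIOSK-01", frozenset({"engineering"})),  # no agent installed
    Peer("printer", "PRN-01", frozenset({"iot"})),  # group not selected for checks
]
EDR_HOSTS = [EdrHost("alice-lt", 82), EdrHost("bob-lt", 40), EdrHost("prn-01", None)]
POLICY = EdrPolicy(checked_groups=frozenset({"engineering"}), zta_enabled=True, zta_threshold=60)

if __name__ == "__main__":
    for name, state in sync_and_evaluate(PEERS, EDR_HOSTS, POLICY).items():
        print(f"{name}: {state}")
```

Removing a host from `EDR_HOSTS` reproduces the "hide host" experiment: on the next sync that peer flips to `approval_required`, and putting it back restores `approved`.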