EDR was the single best control investment of the last decade. CrowdStrike Falcon, SentinelOne, and Defender for Endpoint genuinely changed what was detectable on a Windows host. But attackers read the same reports you do. They moved up the stack (identity) and out of the stack (SaaS, cloud control planes, OT). If your detection strategy still centers on the endpoint, you are watching the door the adversaries stopped using.

Identity is the new endpoint

The 2023 Okta support-system breach (session tokens lifted from HAR files that customers had uploaded to support cases), the Microsoft Midnight Blizzard compromise (a password spray against a legacy test tenant, then OAuth application abuse to reach mailboxes), and most Scattered Spider intrusions (help-desk social engineering for password and MFA resets) had one thing in common: no malware on a workstation. A valid session, a stolen token, a help-desk call. EDR had nothing to say.

You need ITDR — identity threat detection and response. In practice that means:

  • Detections on impossible travel, token replay, anomalous OAuth consent, and risky sign-ins — and someone actually triaging them.
  • Hardening for Active Directory and Entra ID: tiered admin model, privileged access workstations, and alerting on DCSync (event 4662 carrying the directory replication control access rights), Kerberoast (bursts of 4769 service-ticket requests with RC4 encryption), and service-principal credential additions in the Entra audit log.
  • Monitoring your IdP the way you monitor your EDR — with tuned rules, not out-of-the-box defaults.
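The first two bullets are rules you can write yourself before you buy anything. What follows is an added example (mine, not code from the original post) of two such detections in Python over constructed log records: impossible travel on IdP sign-in events and a Kerberoast heuristic on Windows Security event 4769. The IP-to-location table, the VPN egress list, the field names and every log record are constructed for illustration.

```python
"""Two ITDR detections over constructed log records (added example, not the
article's code): impossible travel on IdP sign-in events, and Kerberoasting
on Windows Security event 4769. All records and the IP-to-location table
below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed IP geolocation table; a real pipeline would use a GeoIP database.
GEO = {
    "203.0.113.10": (51.5074, -0.1278),    # London
    "198.51.100.7": (37.7749, -122.4194),  # San Francisco
    "192.0.2.55": (40.7128, -74.0060),     # New York
}
VPN_EGRESS = {"192.0.2.55"}  # assumed corporate VPN exits: hops via these are expected
MAX_KMH = 900.0              # faster than an airliner between two sign-ins is "impossible"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def impossible_travel(signins, max_kmh=MAX_KMH):
    """signins: dicts with user, ts (ISO 8601), ip. Returns one alert per
    consecutive sign-in pair that would require travelling faster than max_kmh."""
    by_user = defaultdict(list)
    for e in signins:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["ip"]))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            # Same egress, a known VPN exit, or an IP we cannot locate: no travel signal.
            if ip1 == ip2 or {ip1, ip2} & VPN_EGRESS or ip1 not in GEO or ip2 not in GEO:
                continue
            km = haversine_km(GEO[ip1], GEO[ip2])
            hours = (t2 - t1).total_seconds() / 3600
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append((user, ip1, ip2, round(km), round(hours, 2)))
    return alerts


def kerberoast(events, window_min=10, min_spns=5):
    """events: 4769 records as dicts with ts, account (TargetUserName),
    spn (ServiceName), etype (TicketEncryptionType); the field mapping from
    the raw event is assumed. Flags an account that requests RC4 (0x17)
    service tickets for many distinct SPNs inside a short window; AES (0x12)
    requests are the normal case and are ignored."""
    by_acct = defaultdict(list)
    for e in events:
        if e["etype"] == "0x17":
            by_acct[e["account"]].append((datetime.fromisoformat(e["ts"]), e["spn"]))
    alerts = []
    for acct, reqs in by_acct.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if (t - t0).total_seconds() <= window_min * 60}
            if len(spns) >= min_spns:
                alerts.append((acct, len(spns)))
                break  # one alert per account is enough for the triage queue
    return alerts


# Constructed sample data. alice: London, then San Francisco 40 minutes later.
# bob: New York via the VPN exit, then London; ignored by design.
SIGNINS = [
    {"user": "alice", "ts": "2024-03-01T09:00:00+00:00", "ip": "203.0.113.10"},
    {"user": "alice", "ts": "2024-03-01T09:40:00+00:00", "ip": "198.51.100.7"},
    {"user": "bob", "ts": "2024-03-01T08:00:00+00:00", "ip": "192.0.2.55"},
    {"user": "bob", "ts": "2024-03-01T08:30:00+00:00", "ip": "203.0.113.10"},
]
SPNS = ["MSSQLSvc/db1", "MSSQLSvc/db2", "HTTP/intranet", "CIFS/fs1", "HOST/app1", "HTTP/wiki"]
KRB_EVENTS = [
    {"ts": f"2024-03-01T10:0{i}:00+00:00", "account": "jdoe", "spn": spn, "etype": "0x17"}
    for i, spn in enumerate(SPNS)
] + [
    {"ts": "2024-03-01T10:02:00+00:00", "account": "svc-backup", "spn": "CIFS/fs1", "etype": "0x12"},
]

if __name__ == "__main__":
    for a in impossible_travel(SIGNINS):
        print("impossible travel:", a)
    for a in kerberoast(KRB_EVENTS):
        print("possible Kerberoast:", a)
```

The two suppressions in impossible_travel (same egress, known VPN exit) are where most of the tuning effort goes in practice; without them the rule fires on every split-tunnel user. The Kerberoast threshold of five distinct SPNs in ten minutes is a starting point, not a fact about your environment: legitimate RC4 requests still come from old service accounts and appliances, so the first week of output is a list of things to fix, not incidents.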

SaaS and cloud posture, not just cloud workloads

Most orgs now run payroll, CRM, code, and communications in SaaS. The attack surface is configuration, not binaries. A misconfigured sharing link in Google Drive or a legacy auth protocol in Microsoft 365 is the breach, and no endpoint agent will see it.

  • SSPM for SaaS posture: tools like AppOmni, Obsidian, or the native posture features in your IdP.
  • CSPM and CNAPP for cloud: Wiz, Prisma Cloud, or Defender for Cloud — the value is continuous configuration assessment, not another dashboard.
  • OAuth app inventory and consent governance. The app someone approved three years ago is still reading mail.
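As an added illustration of that last bullet (example code, not from the post), here is an audit over a constructed export of OAuth grants that flags exactly that app: a high-risk scope held by something that has not signed in for months, or granted tenant-wide by an unverified publisher. The field names loosely follow the Microsoft Graph oauth2PermissionGrant object; displayName, lastSignIn and publisherVerified are assumed to have been joined in from the service principal and application objects, and every grant is constructed.

```python
"""OAuth consent audit over a constructed export of Entra ID-style permission
grants (added example, not the article's code). clientId, consentType and scope
roughly follow the Microsoft Graph oauth2PermissionGrant object; displayName,
lastSignIn and publisherVerified are assumed to have been joined in from the
service principal and application objects."""
from datetime import datetime, timedelta

# Delegated scopes that read or move tenant data; anything here needs a named owner.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.Read.All",
    "Files.ReadWrite.All", "Directory.ReadWrite.All", "Sites.ReadWrite.All",
}


def audit_grants(grants, now, stale_days=180):
    """Return findings as (displayName, reason). A grant is flagged when it holds a
    high-risk scope and is stale (no sign-in within stale_days), has never been
    used, or was consented tenant-wide (AllPrincipals) by an unverified publisher."""
    findings = []
    cutoff = now - timedelta(days=stale_days)
    for g in grants:
        risky = set(g["scope"].split()) & HIGH_RISK_SCOPES
        if not risky:
            continue  # User.Read and friends are not worth a ticket
        name, scopes = g["displayName"], ", ".join(sorted(risky))
        last = datetime.fromisoformat(g["lastSignIn"]) if g.get("lastSignIn") else None
        if last is None:
            findings.append((name, f"never signed in, holds {scopes}"))
        elif last < cutoff:
            findings.append((name, f"no sign-in since {last.date()}, holds {scopes}"))
        if g["consentType"] == "AllPrincipals" and not g.get("publisherVerified", False):
            findings.append((name, f"tenant-wide consent from unverified publisher for {scopes}"))
    return findings


# Constructed grants. The first one is the article's "approved three years ago".
GRANTS = [
    {"clientId": "a1", "displayName": "Mail Sync Helper", "consentType": "Principal",
     "scope": "openid offline_access Mail.Read", "lastSignIn": "2021-06-02T11:04:00+00:00",
     "publisherVerified": False},
    {"clientId": "a2", "displayName": "Contoso CRM", "consentType": "AllPrincipals",
     "scope": "User.Read Files.ReadWrite.All", "lastSignIn": "2024-02-27T08:00:00+00:00",
     "publisherVerified": False},
    {"clientId": "a3", "displayName": "Teams client", "consentType": "AllPrincipals",
     "scope": "User.Read", "lastSignIn": "2024-02-29T09:30:00+00:00", "publisherVerified": True},
    {"clientId": "a4", "displayName": "Old Exporter", "consentType": "AllPrincipals",
     "scope": "Directory.ReadWrite.All", "lastSignIn": None, "publisherVerified": True},
]
NOW = datetime.fromisoformat("2024-03-01T00:00:00+00:00")

if __name__ == "__main__":
    for name, reason in audit_grants(GRANTS, NOW):
        print(f"{name}: {reason}")
```

Run this against a real export and the list is usually longer than expected, because consent is granted per user and never expires on its own. The stale_days knob is the trade-off: 180 days catches the forgotten integration, 30 days also catches the quarterly reporting tool and generates its own noise.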

OT and ICS visibility

If you run manufacturing, utilities, healthcare devices, or building management, your OT network is probably monitored by nothing. EDR will not install on a PLC. Colonial Pipeline was ransomware on the IT side followed by a precautionary OT shutdown, but the 2023 water-utility intrusions, in which internet-exposed PLCs with default credentials were taken over and defaced, show that direct OT access is well within reach of commodity attackers.

Passive network monitoring — Claroty, Dragos, Nozomi — gives you asset inventory and anomaly detection without touching the devices. Start with inventory. You cannot defend what you cannot name.

Network detection and centralized logs

NDR is not dead. Encrypted traffic made payload inspection less useful, but flow analysis, DNS anomalies, and beacon detection are still how you catch the thing that slipped past the endpoint. Corelight, Darktrace, and the open-source Zeek/Suricata stack all work.
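The OT section and this one come down to the same raw material: passively captured connection metadata. As an added example (not from the post, and not any vendor's code), here is what the minimum looks like over constructed Zeek conn.log lines: an OT asset inventory built from industrial protocol ports, IT-to-OT crossings, and beacon detection from connection timing alone, which works regardless of whether the payload is encrypted. The plant subnet, the thresholds and every log line are assumed.

```python
"""Passive network detection over constructed Zeek conn.log lines (added
example, not the article's code): an OT asset inventory from industrial
protocol ports, IT-to-OT crossings, and beacon detection from connection
timing. The log lines, subnets and thresholds are all constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Well-known industrial protocol ports; one passive observation names an asset.
OT_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3", 47808: "BACnet"}
OT_NET = ip_network("10.20.0.0/16")  # assumed plant network; anything else counts as IT


def parse_conn_log(text):
    """Parse a Zeek TSV conn.log using its own #fields header; returns a list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def ot_inventory(rows):
    """Return ({responder_ip: protocol}, [(orig_ip, resp_ip, protocol)]); the
    second element lists connections into OT protocols from outside OT_NET."""
    assets, crossings = {}, []
    for r in rows:
        proto = OT_PORTS.get(int(r["id.resp_p"]))
        if proto is None:
            continue
        assets[r["id.resp_h"]] = proto
        if ip_address(r["id.orig_h"]) not in OT_NET:
            crossings.append((r["id.orig_h"], r["id.resp_h"], proto))
    return assets, crossings


def beacons(rows, min_conns=8, max_jitter=0.15):
    """Flag (orig, resp, port, mean_gap_s) whose inter-connection intervals are
    both frequent and regular: coefficient of variation below max_jitter."""
    times = defaultdict(list)
    for r in rows:
        times[(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])].append(float(r["ts"]))
    found = []
    for key, ts in times.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < max_jitter:
            found.append((*key, round(mean(gaps), 1)))
    return found


# Constructed conn.log: a 60-second beacon with sub-second jitter from a
# workstation, two plant connections, one IT-to-OT crossing, and some web noise.
_HDR = "#separator \\x09\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\n"
_JITTER = [0.0, 0.4, -0.3, 0.2, 0.1, -0.5, 0.3, -0.2, 0.4, -0.1]
_ROWS = [(1709280000 + 60 * i + j, "10.1.5.23", 51000 + i, "198.51.100.200", 443)
         for i, j in enumerate(_JITTER)]
_ROWS += [
    (1709280012.5, "10.20.3.7", 40100, "10.20.1.10", 502),
    (1709280030.1, "10.20.3.7", 40101, "10.20.1.11", 102),
    (1709280200.7, "10.1.5.23", 52000, "10.20.1.10", 502),
    (1709280005.0, "10.1.5.23", 53000, "203.0.113.9", 80),
    (1709280190.0, "10.1.5.23", 53001, "203.0.113.9", 80),
    (1709280410.0, "10.1.5.23", 53002, "203.0.113.9", 80),
]
CONN_LOG = _HDR + "\n".join(
    f"{ts:.6f}\tC{n:05d}\t{o}\t{op}\t{r}\t{rp}\ttcp\t-" for n, (ts, o, op, r, rp) in enumerate(_ROWS))

if __name__ == "__main__":
    rows = parse_conn_log(CONN_LOG)
    assets, crossings = ot_inventory(rows)
    print("OT assets:", assets)
    print("IT-to-OT crossings:", crossings)
    print("beacons:", beacons(rows))
```

Two things a practitioner would add before trusting this. First, a real conn.log carries many more fields and the inventory should also use Zeek's protocol analyzers (the service column, and the modbus.log, s7comm and dnp3 analyzers where enabled) rather than ports alone. Second, the beacon rule fires on anything regular, including NTP, monitoring agents and update checks, so it needs an allowlist of known pollers and a second look at destination reputation and byte counts before it is worth an analyst's time.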

And all of this is noise if the logs do not land in one place. A SIEM or data lake with authentication logs, EDR telemetry, network metadata, cloud audit logs, and SaaS admin events — correlated, searchable, retained long enough to investigate a dwell time that is now often measured in weeks.

EDR catches the noisy attacker on a laptop. It does not catch the quiet attacker who logged in.

The takeaway

Map your detection coverage against the attack surfaces that matter: endpoints, identity, SaaS, cloud control plane, OT, network. For each one, name the control, the telemetry source, and the person who tunes the rules. The gaps are where the next incident lives. EDR is the floor of that map, not the whole building.