People often ask me whether they still need our host-based scanner THOR now that they have bought a network appliance that already inspects all content entering and leaving their network. I normally answer that it is not a question of one solution versus the other, but of combining both to achieve the best possible result.
It is easy to see that the two solutions apply different detection techniques, because they analyze different elements and provide different perspectives. It is difficult for a host-based solution to detect zero-day exploits, C2 back-connects and malicious content inside a network connection. In the same way, it is impossible or at least difficult for a network-based solution to detect system anomalies, malware-less backdoors, web shells, and Event Log or Registry based traces of hacking activity.
I collected and composed different aspects of advanced persistent threat protection in the following infographic. The color (grey and aquamarine) indicates the coverage by the respective solution. The graphic is not based on research and may vary in specific cases. It is meant to roughly visualize the different perspectives and the high coverage you achieve by combining both solutions.
I should add that we currently provide THOR only to a limited group of customers, mainly European corporations, government institutions and certain CSIRTs within the European Union. THOR's little brother LOKI provides a much reduced feature set but may be sufficient, and FENRIR is a dependency-less IOC scanner for Unix-based target systems written in bash. For a Windows PowerShell solution, check out Kansa by Dave Hull; it also allows a distributed scan run using LOKI.