After an online panel discussion on upgrading intrusion detection systems (IDS) to next-generation IDS, an interested participant reached out through LinkedIn. He had a simple question: "So, what is the definition of next generation intrusion detection system (NG-IDS)?"
I started to write a quick response, then reflected on the question and concluded an NG-IDS definition needed more context. This is what I sent my new LinkedIn connection.
Anything labeled next-generation (NG) implies there is something important that needs an upgrade. IDS, built for the network as the source of truth, fits that bill.
IDS started in the 1990s to address the primary threat of the time: weaknesses in computer software. Signatures, the IDS detection strategy, have a close relationship with Common Vulnerabilities and Exposures (CVE). More precisely, signatures are the counterpart to the exploits found in hacking tools like Metasploit: they attempt to identify the traffic patterns of known exploits against known software vulnerabilities.
For IDS, NG can be confusing because vendors have put the threat intelligence red lipstick on the pig and called that NG-IDS. Threat intel is an important addition, but it doesn't address all the reasons why we need a next generation for IDS.
IDS Never Delivered on the Full Spectrum Promise
From the beginning of IDS, searching for patterns, tracking behavior, and finding anomalies were required for full-spectrum detection (NIST 800-94). IDS developers figured out the pattern part, but detecting behaviors and anomalies proved elusive since a good understanding of normal was difficult to achieve in dynamic environments using manual analysis techniques.
Today, machine learning creates the foundation for NG-IDS to deliver what is sorely lacking in traditional IDS: behavioral, anomaly, peer group, and rule-based pattern detections. This is critically important because it allows NG-IDS to detect known and unknown attacker tactics, techniques, and procedures (TTP).
The Perimeter Changed
Network perimeters are porous, elastic, and abstract, filled with unmanaged devices and cloud workloads crossing the boundaries without any observable security state. These devices may be infected outside of a security team's purview or through alternative communication channels such as third-party VPNs, mobile side channels, or trusted peering networks. None of these paths are observable by an outward-facing IDS.
NG-IDS adds east-west visibility to take a post-compromise posture, stopping successful intruders or malicious insiders before they pivot and cause real damage.
Growth of the Encryption Blind Spot
Back in the 1990s, most network traffic was delivered in cleartext. Today, we encrypt almost everything. For example, 95% of Google traffic is encrypted. As a result, security is blind to much of the important, the mundane, and the dangerous crossing the perimeter or moving laterally through data centers and cloud infrastructure.
Some IDS vendors added man-in-the-middle decryption capabilities to the packaged IDS offering. Unfortunately, these have proven challenging to operationalize and increase risk through weak cipher transcoding, as outlined in an NSA advisory.
NG-IDS applies full-spectrum inspection to encrypted traffic, including sessions protected by Perfect Forward Secrecy (PFS) cipher suites in TLS 1.3. NG-IDS backs up its decryption capabilities with JA3 and JA3S fingerprinting, which identify TLS clients and servers from the cleartext handshake fields even when the session itself cannot be decrypted.
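To show what JA3/JA3S fingerprinting derives from the unencrypted handshake, here is an added example (not code from the original post or from ExtraHop's product). It assumes the ClientHello/ServerHello fields have already been parsed into integers; the field values and the fingerprint-to-label table are constructed for illustration.

```python
import hashlib

# JA3 (ClientHello) and JA3S (ServerHello) fingerprints, per the public JA3
# specification: MD5 over a comma-separated string of decimal handshake fields.
# The fields are sent in cleartext, so no decryption is needed to compute them.


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa; clients randomise
    them, so JA3 drops them before hashing to keep the fingerprint stable."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _join(values) -> str:
    """Dash-join the non-GREASE values in wire order."""
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version, ciphers, extensions, curves, point_formats) -> str:
    """Build the JA3 string: Version,Ciphers,Extensions,Curves,PointFormats."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3s_string(version, cipher, extensions) -> str:
    """Build the JA3S string: Version,ChosenCipher,Extensions (ServerHello)."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def fingerprint(s: str) -> str:
    """The published fingerprint is the MD5 hex digest of the string."""
    return hashlib.md5(s.encode("ascii")).hexdigest()


# Constructed ClientHello field values (not a real capture): a TLS 1.3-capable
# client that inserts GREASE values into its cipher, extension and curve lists.
CLIENT_HELLO = dict(
    version=771,  # legacy_version 0x0303, as sent even by TLS 1.3 clients
    ciphers=[0x0A0A, 4865, 4866, 4867, 49195, 49199],
    extensions=[0x1A1A, 0, 23, 65281, 10, 11, 43, 51],
    curves=[0x2A2A, 29, 23, 24],
    point_formats=[0],
)


def client_fingerprint(fields=CLIENT_HELLO):
    """Return (JA3 string, JA3 hash) for a parsed ClientHello."""
    s = ja3_string(**fields)
    return s, fingerprint(s)


def classify(ja3_hash: str, known: dict) -> str:
    """Look a hash up in a baseline table; unknown clients are what anomaly
    detection surfaces for an analyst to investigate."""
    return known.get(ja3_hash, "unknown TLS client")
```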
Attacker Strategies Evolved
Software vulnerabilities were the primary threat consideration at IDS's inception, and CVEs continue to be an important security concern. However, attackers now find exploiting people through social engineering schemes, buying stolen credentials, or exploiting human error (misconfigurations) more effective than swimming in assembly code to develop or buy expensive zero-day exploits.
For example, the 2020 Verizon DBIR pointed out that vulnerability attack frequency peaked in 2017 at 5%, then steadily dropped to 2.5% of the investigated breaches.
Implementing a 100% prevention defense is unrealistic. This is often referred to as the defender's dilemma. Attackers don't follow rules and only have to get it right once, whereas defenders have to get it right every time to prevent a breach at the perimeter. NG-IDS provides the defense-in-depth detection backup against attackers sneaking past leaky prevention defenses as they pivot toward your valuables.
IDS Stops at Alerts
If tight budgets weren't enough, security leaders also face challenges finding skilled security professionals. IDS peers into traffic as it passes by, looking for a pattern that matches a signature in its library; a match trips an alert. Unfortunately, IDS stops at alerts, leaving time-strapped analysts to search for root cause with other investigation tools and, in some cases, to access yet another PCAP repository tool for forensic evidence.
NG-IDS aids time-strapped analysts with an optimized workflow that integrates detection, investigation, and response into a single tool. Typically, 90 days of traffic data records are available for lookback investigation, whether or not an alert was triggered.
What is ExtraHop's NG-IDS?
Reveal(x) NDR, an NG-IDS technology, monitors for malicious activity and policy violations. It does so with full-spectrum detection, powered by machine learning behavioral analysis, high-risk CVE exploit identification, and streamlined incident-response orchestration.
Unlike IDS, a brittle signature technology, Reveal(x) also spots east-west threats, stops post-compromise intruders, and closes compliance gaps caused by cloud initiatives and encryption blind spots.
Just as important, Reveal(x) helps time-strapped analysts be more effective by integrating detection, investigation, and response workflows into a single tool.