The Evolution of Threat Detection on the Network from IDS to NDR

Anyone who has observed the massive growth in both cybercrime and cyber espionage over the past 30 years cannot fail to notice the rapid response efforts by software and hardware vendors as they race against adversaries to defend digital assets.

From the early days of the internet, the history of network and computer security required constant development of new technologies: firewalls to protect the internal network from threats on the internet; antivirus software to protect workstations and servers from malicious programs; encryption on laptops to protect data in case of loss or theft; wireless encryption and authentication to prevent drive-by hacking of corporate wifi networks, and more.

The list of technologies developed by vendors to defend against attacks goes on, but not all technologies are completely original: new systems often evolve from older technologies, and the example that most people are probably familiar with is the evolution of antivirus software into endpoint detection and response (EDR) software. This marked the change from a basic signature and heuristics detection technology into a sophisticated solution to combat advanced threats that involved a deep understanding of how operating systems worked and how malware manages to defeat basic defenses and trick users into running it. Now, antivirus software has effectively been obsoleted or subsumed into EDR tools.

While EDR has vastly improved threat detection for many organizations, attackers have caught up. Sophisticated adversaries figured out how to use modern C2 frameworks to evade and then disable most EDR tools. Now these techniques, which have been widely published on the internet, are part of most hacking groups’ tradecraft.

EDR tools will once again outsmart adversaries, but in the meantime, security practitioners are turning to the network—which cannot be disabled by attackers—to defend their systems. The two tools primarily used by defenders today are intrusion detection systems (IDS) and network detection and response (NDR) systems.

IDS vs. NDR

Like antivirus software, IDS is primarily a signature-based solution with some heuristic analysis capability. IDS has mostly been used to defend the network perimeter by rapidly identifying common malware and CVE exploits, although it’s increasingly being seen inside the perimeter as compliance requirements including PCI-DSS have demanded a technology to defend internal networks from threats.

NDR, in contrast, is a much more sophisticated network defense technology that uses machine learning, behavioral analytics, and a small amount of signatures to detect threats across both the perimeter and internal networks. Indeed, the sophisticated traffic analysis models that NDR platforms use are specifically designed to detect the kinds of advanced persistent threats (APTs) that bypass perimeter IDS systems and that can only be caught by traffic analysis at scale, along with an in-depth understanding of the environment, including all devices functional in it. These are capabilities that IDS simply cannot perform, and it’s why ExtraHop believes NDR is going to replace IDS in exactly the same way that EDR replaced AV.

That said, the ability of IDS technologies to process tens of thousands of signatures that can identify common malware and CVE exploits extremely fast remains essential to today’s network defense community. For that reason, Extrahop is pleased to announce that we have released Extrahop IDS to bring this powerful capability to the Reveal(x) NDR platform. By combining Reveal(x) with ExtraHop IDS, customers looking to retire legacy IDS systems will be able to make the leap to modern NDR defense capabilities without weakening their compliance postures or losing the capabilities IDS has provided over the years. To learn more about ExtraHop IDS, download the solution brief.