Why IDPS Lacks the Capability
to Detect Modern Attacks
In my previous blog, I talked about how intrusion detection and prevention systems (IDPS) leads to alert fatigue by overwhelming security operations teams with false positive alerts, ultimately leading to missed attacks. In this blog, I’d like to touch on how IDPS is ill-equipped to detect what is known as lateral movement, east-west traffic, or simply put, attackers moving around inside your deployments.
The notion of a fixed perimeter around hosts and servers that are protected by a firewall is a thing of the past. Everyone now accesses workloads deployed in cloud environments. The idea of traffic being inside or outside a perimeter is gone. By focusing only on traffic that passes through the corporate firewall, IDPS solutions are quickly becoming obsolete. This traffic now represents only a fraction of all communication in a modern deployment. It’s like putting one reinforced steel door in the middle of an open field.
But detecting lateral movement is still an important part of any detection and response strategy. Bad actors rarely target just one system in an attack. Instead, they pursue a land-and-expand approach by compromising a low-privilege host or account, and then move laterally across the network in search of assets to steal.
IDPS relies primarily on signatures to detect threats, including exploits and malware that target vulnerable systems and applications. They typically do so via packet-level inspection, which compares the hash of a packet to the hash of a malicious packet. If there’s a match, IDPS triggers an alert and possibly blocks it, depending on the configuration. And while signatures have their uses, there has been a significant shift in attacks moving away from malware to account-based attacks.
In fact, the Verizon Business 2020 Data Breach Investigations Report states “our data shows that this type of malware peaked at just under 50% of all breaches in 2016 and has since dropped to only a sixth of what it was at that time (6.5%). As this type of malware decreases, we see a corresponding increase in other types of threats. As time goes on, it appears that attackers become increasingly efficient and lean more towards attacks such as phishing and credential theft.” The signature-based approach is completely unable to detect attacks that involve credential theft and misuse.
Conversely, the Vectra Cognito NDR platform combines threat intel with rich contextual data, such as host user behaviors on the network, user and device privileges, and knowledge of malicious behaviors. Powered by machine-learning algorithms developed by security researchers and data scientists, Vectra identifies attacks that are real threats, while eliminating noise. This instills confidence that you are detecting and stopping known and unknown attacks in cloud, data center, IoT, and enterprise networks. Vectra is in 100% service of detecting and responding to attackers, and our job is to find them early and with certainty.
It starts with having the data to make it happen. This is not about the volume of data. It is about the thoughtful collection of data from a variety of relevant sources and enriching it with security insights and context to solve customer use-cases. Attack behaviors vary, so Vectra continuously creates unique algorithmic models for the widest range of new and current threat scenarios. Performing well beyond the abilities of humans, Vectra gives you a distinct advantage over adversaries by detecting, clustering, prioritizing and anticipating attacks. By doing the thinking and reducing the security operations workload, you’ll spend more time on threat hunting and incident investigations and less time tuning IDPS signatures.
If you’re ready to change your approach to monitoring and protecting your environment, get in touch with us to see a demo.