Will IDS Ever Be Able to Detect Intrusions Again?

November 3, 2015
Vectra AI Security Research team
Will IDS Ever Be Able to Detect Intrusions Again?

IDS has been around for decades and has long been a cornerstone of network security. But over the years, IDS was gradually absorbed by IPS, and IDS simply became thought of as a deployment option of IPS.

However, this subservient role of IDS in relation to IPS introduces a subtle but important compromise – detection takes a backseat to prevention. Because IPS is deployed in-line with network traffic, performance concerns are paramount. Prevention cannot slow the speed or flow of business, and that meant detections must be near-instantaneous.

The need to block threats within milliseconds locks IDS/IPS into using signatures for detections. While signatures can detect a wide variety of threats, they rely on the fast-pattern-matching of known threats.

This snapshot approach to detection is not suited for detecting the patient, multi-phased nature of modern cyber attacks. In order to keep pace, the industry needs to a new approach to intrusion detection that puts the priority of detection first and foremost.

Employee saying "I'm quitting to pursue my dream of finding an IDS that detects intrusions."

It’s time to put detection first

IDS and IPS have their rightful places, but they are no longer simply deployment options of the same thing. Today’s persistent attacks dictate that threat intelligence and enforcement must be separated and optimized for their respective purposes.

IDS must use new strategies and techniques to detect active network intrusions. It’s crucial for IDS to detect threats even if malware or exploits aren’t used.

This requires having visibility beyond perimeter defenses and into the internal network where attackers hide. A modern-day IDS must also detect the progression of an attack as it unfolds over hours, days and weeks.

Focus on behavior, not signatures

In today’s threat landscape, intrusion detection must ditch signatures and focus on identifying malicious attack behaviors. Despite always changing tactics to avoid signatures, attackers must perform certain actions when they spy, spread and steal inside a network.

By concentrating on the unique characteristics of malicious behaviors, security teams can reliably identify network intrusions, even if the tools, malware and attack are completely unknown.

But this level of detection requires a next-generation IDS with a deep understanding of sophisticated attack behaviors.

The modernization of IDS

Vectra is changing the way intrusion detection is done. It uses an innovative combination of data science, machine learning and behavioral analysis to detect active threats inside the network.

Algorithmic models reveal underlying attack behaviors that can’t be seen by logs or traffic flows. Vectra reveals the key actions that attackers must perform to succeed, regardless of applications, operating systems and devices—and even when traffic is encrypted.

Machine learning distinguishes threat behaviors from normal traffic and offers network-wide and local context. This enables the detection of hidden threats, including ones that can only be revealed when observed over extended periods of time.

Because Vectra detects malicious actions instead of malicious payloads, it can identify active threats without decrypting traffic. That means attackers can no longer communicate covertly with infected hosts by using SSL-encrypted web sessions or hidden tunnels.

While traditional IDS is fixated on detecting an initial compromise, Vectra detects active threats in every phase of the cyber attack kill chain—command and control, internal reconnaissance, lateral movement, and data exfiltration.

Most important, Vectra doesn’t burden overworked security teams. Instead, it maps detections to the hosts that are under attack and scores and prioritizes threats that pose the highest risk—automatically and in real time. This gives security teams the speed and efficiency they need to prevent or mitigate data loss.