InfoSec Insider

Ditch the Alert Cannon: Modernizing IDS is a Security Must-Do

Jeff Costlow, CISO at ExtraHop, makes the case for implementing next-gen intrusion-detection systems (NG-IDS) and retiring those noisy 90s compliance platforms.

After more than 20 years of underwhelming results, many security leaders have come to treat their intrusion detection system (IDS) programs as little more than a compliance checkoff. It’s no secret that IDS’s reliance on binary match-or-miss signatures is brittle and easily evaded, and that the flood of low-value alerts it produces has earned it the nickname “alert cannon.”

Time has not been kind to IDS, and the gaps it leaves have widened. With tight IT budgets and a worsening cybersecurity skills shortage, organizations need a centralized way to streamline their workflow by integrating detection, investigation and response in a single tool.


And that’s before considering the lack of coverage traditional IDS provides. According to the Verizon 2020 Data Breach Investigations Report (DBIR), out of 3,000 investigated breaches, 97.5 percent were caused by attack patterns that IDS was never designed to detect.

To close these gaps, organizations should adopt next-generation IDS (NG-IDS) and deliver the defense-in-depth that legacy IDS promised but never provided. NG-IDS detects a broader range of attacks and fills glaring gaps in encrypted-traffic visibility and cloud compliance while improving overall security.

IDS Erosion Over Time

IDS boomed in the ’90s, and its place was cemented when security frameworks such as the SANS 20 Critical Security Controls and mandates such as PCI DSS called out IDS by name. Yet after a quarter of a century of IDS innovation and adoption across many enterprises, the same challenges persist. NIST SP 800-94, written in 2007, lists the top challenges of that time: detection accuracy, extensive tuning, blind spots and performance limits.

Unfortunately, these shortcomings still plague IDS today, limiting its usability and effectiveness even in the monolithic “castle-and-moat” environment it was designed to protect. Add the major changes affecting enterprise networks today, and continuing down the traditional IDS path becomes hard to justify.

IDS was designed to detect attacks at the network perimeter, and the evolution of the adversary has exposed its limits. The one-size-fits-all technology misses the mark: a narrow view of what counts as detection, no coverage of east-west (internal) traffic, no support for network security hygiene, high operational overhead and a high false-positive rate. IDS is still useful, but its effectiveness is growing increasingly limited.

The Next-Gen Super Shield

Security and compliance frameworks, including those from CIS, NIST and the PCI SSC, point to long lists of must-have technology for building secure and compliant defenses. But they don’t tell us which ones to do first or how to allocate limited budgets. The additional context an NG-IDS provides about what is actually happening on the network gives you a roadmap for prioritizing investments while leaving others as “good enough” within your budget and time constraints.

Integrated solutions such as NG-IDS improve on legacy technology by harnessing network detection and response (NDR), which makes it much easier to follow an attacker’s land-and-pivot approach and to stop threats before significant damage is done. NDR also delivers better detection efficacy through cloud-scale machine learning (ML) behavioral analysis, added visibility into encrypted and east-west traffic, and extended detection across the full attack life cycle.

Visibility gets you many things, but the most important is peace of mind. Cloud-based ML gives organizations superior detections and analytics, scalability, global coverage across network boundaries and rapid security updates. Visibility into encrypted traffic can reveal attackers trying to disguise lateral movement and data exfiltration inside TLS sessions. SecOps teams badly need that extended visibility to find and evict attackers.
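As an added illustration of two points made above (the brittleness and false positives of content signatures from the section on IDS erosion, and behavioral detection that still works over encrypted and east-west traffic), the following Python is example code written for this article, not ExtraHop’s or any product’s code. It contrasts a hypothetical content signature with a beacon-periodicity check over flow metadata; every host, port, timestamp and payload is constructed, and the thresholds are illustrative.

```python
"""
Added example (not from the article or ExtraHop): a toy contrast between a
payload-signature IDS rule and a behavioural check over flow metadata.
All traffic below is constructed; the hosts, ports and rule are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    ts: float          # seconds since start of capture
    src: str
    dst: str
    dport: int
    nbytes: int
    payload: bytes     # b"" when the session is TLS and only ciphertext is seen


# Hypothetical content signature: fire on any payload containing "cmd.exe".
SIGNATURE = b"cmd.exe"


def signature_alerts(flows):
    """Classic match/no-match rule: one alert per flow whose payload contains
    the pattern. Blind to encrypted payloads, noisy on benign plaintext."""
    return [f for f in flows if SIGNATURE in f.payload]


def beacon_alerts(flows, min_events=6, max_cv=0.15):
    """Behavioural check that needs no payload: flag (src, dst, dport) tuples
    whose connections recur at near-constant intervals (a C2 beacon), using
    the coefficient of variation (stdev / mean) of the inter-arrival times."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f.src, f.dst, f.dport)].append(f.ts)
    alerts = []
    for key, stamps in by_tuple.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            alerts.append((key, round(avg, 1), round(cv, 3)))
    return alerts


def sample_flows():
    """Constructed traffic: a benign internal share whose plaintext mentions
    cmd.exe, an encrypted beacon every ~60 s to an external host, and some
    irregular browsing to port 443 that should not be flagged."""
    flows = []
    # East-west file transfers carrying a batch file: three signature
    # false positives, because the string is present but harmless.
    for i in range(3):
        flows.append(Flow(10 + i * 300, "10.0.1.20", "10.0.1.5", 445, 4096,
                          b"@echo off\r\ncmd.exe /c build.bat\r\n"))
    # Encrypted beacon with a little jitter: the signature sees no payload.
    jitters = (-2, 2, 0, 1, -1, 2, -2, 0)
    for i, jitter in enumerate(jitters):
        flows.append(Flow(60 * i + 5 + jitter, "10.0.1.20", "203.0.113.9",
                          443, 650, b""))
    # Ordinary browsing: enough events, but irregular spacing.
    for ts in (7, 19, 140, 141, 390, 900, 905):
        flows.append(Flow(ts, "10.0.1.31", "198.51.100.7", 443, 12000, b""))
    return flows


def run():
    """Return both detectors' results on the constructed traffic."""
    flows = sample_flows()
    return {
        "signature_hits": len(signature_alerts(flows)),  # 3 false positives
        "beacons": beacon_alerts(flows),                  # 1 true positive
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

The signature fires three times on benign east-west traffic and never on the beacon, whose payload is ciphertext; the periodicity check flags the beacon from timing alone and ignores the irregular browsing. A real NDR uses far richer features than inter-arrival variance, but the division of labour is the same: content rules for what you can read, behaviour over metadata for what you cannot.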

Cover All Your Bases

Security must not slow the business. Most NG-IDS systems deliver agentless, unified security across on-premises and cloud environments and add no friction to the DevOps pipeline.

Digital transformation can create high-profile security lapses, since widespread cloud adoption has upended almost everything. The migration of critical workloads from on-premises data centers to the cloud shifted into overdrive under the urgency of the pandemic, and teams in a hurry often neglected cloud security strategy, leaving gaps.

Meanwhile, cybercriminals have been quick to weaponize encryption to hide malicious activity in otherwise benign-looking traffic. Without decryption, organizations are blind to 60 percent of the Cybersecurity and Infrastructure Security Agency’s (CISA) most exploited vulnerabilities. Security teams need tools that allow true decryption to achieve true visibility. Out-of-band SSL/TLS decryption provides deep, meaningful network traffic analysis without risk to sensitive data or data regulated by industry standards such as HIPAA, PCI and GDPR. Two practical caveats: a passive decryptor cannot recover sessions negotiated with forward-secret cipher suites (ECDHE, and all of TLS 1.3) from a copy of the server’s private key alone, so it needs session keys exported from the servers or load balancers; and the decrypted plaintext is itself sensitive, so access to it and its retention must be controlled.

With a network detection layer at the point of intrusion and within the east-west corridor, security teams are prepared for the case where an attacker achieves a beachhead through leaky defenses or advanced techniques. Just as important, NG-IDS makes time- and budget-strapped analysts more effective by integrating detection, investigation and response into a single tool with a more efficient security workflow.

IDS programs had their time as the go-to technology to achieve network security compliance check-offs. With next-generation firewalls (NGFW) absorbing some IDS perimeter functions, there’s an opportunity to shift detection deeper into the network with NG-IDS.

Jeff Costlow is CISO at ExtraHop.
