Security Experts:

Connect with us

Hi, what are you looking for?


Network Security

Making IDS Cool Again

Over the years, intrusion detection systems (IDS) have fallen off the radar for most security organizations. They seem about as relevant to today as pagers. This view is largely tied to the perception that IDS has been subsumed by intrusion prevention systems (IPS), which in turn has been subsumed by next-generation firewalls and UTMs.

Over the years, intrusion detection systems (IDS) have fallen off the radar for most security organizations. They seem about as relevant to today as pagers. This view is largely tied to the perception that IDS has been subsumed by intrusion prevention systems (IPS), which in turn has been subsumed by next-generation firewalls and UTMs.

This view has been largely confirmed by IDS/IPS vendors who focus almost exclusively on improving their IPS features and treating IDS as a deployment option in their IPS product portfolio.

“Want to detect intrusions? Great! Just deploy our IPS in out-of-band mode!”

Today, the lack of innovation in intrusion detection is coming home to roost. Modern attackers are far more sophisticated and increasingly successful at infiltrating a target network. Intrusions are increasing and harder to detect.

It has become very clear that intrusion detection and intrusion prevention are not simply deployment options of the same technology. They are in fact separate disciplines with unique requirements, goals and roles in the security stack.

The when and the where

IPSThe most obvious difference between modern IDS and IPS is that they address different phases of an attack. Intrusion prevention is all about keeping threats out of the network by detecting the moment of infection or initial compromise. IPS scans traffic for thousands of vulnerability exploits, known malicious domains and other harbingers of attack.

Conversely, intrusion detection are logically focused on the phases of attack that come after the infection. The very presence of an intrusion means that a compromise has already occurred, and security needs to look for different things to detect the intrusion.

Instead of searching for exploits, the game has shifted to finding signs of internal reconnaissance, malware spreading internally, signs that user credentials have been compromised, or that data is being harvested. At a fundamental level, modern intrusion detection must detect very different things than IPS.

These signs show up in different physical places. The job of keeping threats out makes IPS well suited for deployment at the boundary between the internal network and the Internet. While the perimeter is a logical place for prevention, the long tail of an attack plays out inside the network as well.

Spying, spreading, and stealing get done on the inside, and this is where IDS must be deployed. Although IDS is typically deployed deep inside the network, it’s important to make sure that it looks in the right places and for the right signs of threats. Failing in either case means you’re unlikely to find real threats.

When speed is king and when speed can kill

In addition to looking in the right place at the right time, IDS is in desperate need of a new brain. While IPS has gotten faster and relies on more types of signatures, the core detection methodology has remained stagnant.

For decades, signatures were the dominant detection method because they’re fast and adapt to finding a variety of malicious indicators. Using short character strings, signatures can find exploits, malicious domains, IP addresses, bad user agents, and countless other malicious payloads.

And while the weaknesses of signatures are widely known, there’s a good reason that they remain the basis of the IPS brain – speed. If you’re going to prevent a threat, then you have to make decisions very quickly.

As IPS was deployed in-line and integrated into UTMs and firewalls, decisions about good and evil had to be made instantly – there’s little time for IPS to think. Signatures must be fast and consume minimal memory, leaving scant room for context.

Modern intrusion detection is of no use with these types of restrictions. Instead of following the directive of in-line network devices, IDS must follow the directive of what is best for detecting threats.

Today’s cyber attacks are long, multi-step operations that evolve over time and evolve over multiple devices. Isolated events that appear benign can only be revealed as malicious when they are viewed in a temporal and network context.

This necessitates new detection methodologies and approaches. Although there are no silver bullets, a modern and effective IDS must have the flexibility to develop and use a wide variety of detection strategies without being married to just one approach.

Despite the industry’s overuse of the term “next-generation,” it’s clear that IDS has to take a giant step forward. Instead of being thought of as a defanged version of IPS, IDS must become the superset for all detection methods. It’s the only way to ensure that we have the brain to power the enforcement brawn of IPS.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...