How Intrusion Detection Systems Work!
How intrusion detection systems work effectively beyond the network edge
Intrusion detection systems (IDS) are one of the most common ways to detect malicious activity against a network, computer, or application. One of the advantages of this technology is that it is designed to analyze traffic and threats without impacting network performance.
The limits of the network edge make this task an almost impossible feat for legacy IDS solutions, however. To provide comprehensive protection, an IDS solution should protect all exposed points in a network, including the edge and points beyond, like cloud and public infrastructure, data centers, and individual low capacity access points.
That requires analysis of a massive amount of data, which must be assessed without impacting network performance. Any access point offers an attack opportunity for cybercriminals, which means perimeter protection of the immediate enterprise network is simply not enough. After all, with today’s organizations moving to a more perimeter-less state, how can you protect a perimeter-less IT infrastructure with a perimeter protection solution?
The network edge is not a security boundary
The network edge is perhaps the single greatest challenge for IDS offerings. Today’s networks have a massive number of endpoints, including low-capability IoT devices. These access points can’t provide strong edge protection, and are exceptionally vulnerable to cybercriminals.
A comprehensive, next-generation IDS solution is one that supports a variety of monitoring capabilities for these edge devices, ideally also affordably and precisely. Data should be integrated with cloud and data center instances for fully transparent threat visibility.
An effective IDS offering must also be able to monitor active intrusions and behaviors once a criminal has breached the network perimeter. It must be able to protect against the tactics, techniques and procedures (TTPs) that may be used after a breach has occurred.
Unfortunately, many legacy IDS solutions leave visibility gaps and fail to provide the multi-faceted approach to security that is required for today’s complex network environments.
To understand why the network edge is such a limitation for legacy IDS systems and how that can be overcome in next generation offerings, it’s important to examine how these systems operate. By understanding exactly how IDS solutions work, and how they fit in with the security practices dictated by today’s complex networks, we can determine a baseline for how to find the right IDS solution. Specifically, how to find a solution that overcomes the limitations of the network edge.
Why legacy intrusion detection system solutions fail at the network edge
Traditional IDS offerings typically monitor for malicious activity and policy violations on a network. Violations are often collected centrally through a Security Information and Event Management (SIEM) system, which generates alarms.
A legacy IDS solution works by gathering network metadata and logging information, centralizing that information in the SIEM system, and then receiving an alert from the SIEM. It then gathers evidence about the alert, uses programmatic logic to connect the events that generated the alert, then finally responds to the attack.
There are many problems with this approach to security, however, including the significant amount of manual labor necessary to evaluate massive amounts of data. The costs of data capture are high and as discussed previously, legacy IDS solutions simply don’t capture data from access points beyond the network edge, leaving major gaps in coverage.
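The legacy pipeline described above (metadata collection, centralization in a SIEM, alarm generation, evidence gathering and event linking) as an added illustration that is not part of the original post or any vendor product; the flow records, sensor names, threshold and window are constructed assumptions. It also shows the coverage gap the text describes: a source that probes a few ports at the edge and several more on cloud hosts only crosses the alarm threshold when the cloud sensor feeds the SIEM as well.

```python
from collections import defaultdict

# Constructed flow metadata: (sensor, timestamp_seconds, src_ip, dst_ip, dst_port).
# Not real traffic; documentation ranges are used for the external addresses.
FLOWS = [
    ("edge",  100, "203.0.113.7",  "10.0.1.20", 22),
    ("edge",  101, "203.0.113.7",  "10.0.1.20", 23),
    ("edge",  102, "203.0.113.7",  "10.0.1.20", 80),
    ("cloud", 103, "203.0.113.7",  "10.0.9.4",  443),
    ("cloud", 104, "203.0.113.7",  "10.0.9.4",  3306),
    ("cloud", 105, "203.0.113.7",  "10.0.9.4",  5432),
    ("edge",  106, "198.51.100.9", "10.0.1.21", 443),
]

PORT_THRESHOLD = 5  # distinct destination ports from one source before alarming (assumed)
WINDOW = 60         # seconds of metadata the correlation step looks back over (assumed)


def centralize(flows, sensors):
    """Steps 1-2: the SIEM only holds metadata from the sensors that feed it."""
    return [f for f in flows if f[0] in sensors]


def correlate(events):
    """Steps 3-4: link events by source address and raise an alarm with its evidence."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[2]].append(ev)
    alarms = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[1])
        recent = [e for e in evs if evs[-1][1] - e[1] <= WINDOW]
        ports = {e[4] for e in recent}
        if len(ports) >= PORT_THRESHOLD:
            alarms.append({
                "source": src,
                "ports": sorted(ports),
                "sensors": sorted({e[0] for e in recent}),
                "evidence": recent,  # the linked events an analyst would review
            })
    return alarms


def run_ids(flows, sensors):
    """Full pipeline for a given set of sensors reporting to the SIEM."""
    return correlate(centralize(flows, sensors))


if __name__ == "__main__":
    print("edge-only alarms:", [a["source"] for a in run_ids(FLOWS, {"edge"})])
    print("edge+cloud alarms:", [a["source"] for a in run_ids(FLOWS, {"edge", "cloud"})])
```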
Next-generation intrusion detection system solutions cover the network edge and beyond
In today’s networked world, the cloud, IoT devices, data centers and more are all important elements. A next-generation IDS offering should therefore provide complete coverage beyond the network edge, and it must do so affordably and holistically.
That means an IDS solution should be automated and easily integrated with a variety of network topologies.
Importantly, an effective IDS solution will also directly address the limitations and shortcomings of legacy IDS offerings, meaning it will require less manual effort and will use less raw data. Automation, AI and machine learning will be integrated to provide full Network Traffic Analysis (NTA), offering comprehensive coverage and visibility of the entire network, well beyond the edge.
This will be accomplished through close integration with network perimeter protection. Strong access controls can be used to prevent unauthorized access, combined with 24×7 activity monitoring. Traffic analytics can detect malicious activities and behaviors if an intruder breaches the perimeter defenses.
Finally, a next-generation IDS solution should easily integrate with a network’s existing security infrastructure. This includes taking advantage of APIs and other integration tools to ensure all network elements within, along with, and beyond the network edge are monitored.
Securing today’s complex networks using next-gen intrusion detection systems
Comprehensive performance and detection solutions such as Accedian Skylight powered Security take into account all elements of the network topology, and this is key for next-generation IDS. Skylight uses machine learning and deep analytics to gain a comprehensive, holistic view of network performance and security challenges.
Network traffic analysis (NTA) also is a critical component when considering a next-gen IDS solution. NTA takes advantage of intelligent data and machine learning while also complementing perimeter protection solutions. The result is a holistic solution providing round-the-clock monitoring and comprehensive network traffic analytics.
Legacy IDS solutions simply cannot offer the range and agility needed in today’s complex networking environments. Any organization considering an IDS solution to secure its digital infrastructure should look for a next-generation offering that covers the network edge and beyond.
This blog post is part of a three-part series on the importance of next-generation IDS solutions for securing complex networks.
The last post in this series is Protecting against perimeter breaches with Network Traffic Analysis (NTA).
In the last post we discuss how machine learning and intelligent data may be used to implement full network traffic analysis: The importance of intelligent network traffic analysis in next-generation intrusion detection system solutions.
Author - Andrey Yesyev - Before joining Accedian as the Director of Cybersecurity Solutions, Andrey spent nearly 6 years at IBM as a security engineer and a threat analytics architect working on QRadar Incident Forensics and DNS Analytics projects. He was also a part of the IBM team that supports collaboration with Quad9, a secure public DNS service that was created as a collaboration between PCH, IBM, and the Global Cyber Alliance. With more than 10 years of experience in deep packet inspection and traffic analytics, Andrey placed 1st, 2nd, 3rd, and 2nd in the Network Forensic Puzzle Contest at DefCon 21, 22, 23 and 24, respectively.