Intrusion detection doesn’t get the attention that other security trends such as deception or identity do. It is nonetheless a proven, arguably essential, part of a layered security posture.
It is a segment of the security market that is ripe for modernization because the threat landscape has evolved so much. For example, modern intrusion detection deploys sensors that capture network metadata rich enough to get started with threat hunting.
Here are seven trends we see shaping intrusion detection technology.
1) Data quality matters in security analytics
Security information and event management (SIEM) promised event correlation and insight to understand and prevent cyber threats. However, many of these projects fell short. Why? Security operations centers (SOCs) simply plugged in every data source they had and then waited for magic that would never happen.
As it turns out, the quality of the analysis is contingent on the quality of the data: put garbage data into security analytics and you get garbage analysis out. Intrusion detection sensors must therefore provide greater detail and context (not just "rule X fired", but which hosts, which protocol, which files and which session) to enable faster and more accurate triage.
2) Threats hiding among the alert deluge
Security organizations are drowning in alerts. It is not uncommon for a SOC to face a deluge ranging from thousands to millions of alerts. False positives and trivial true positives (alerts that are technically correct but irrelevant) overwhelm security staff and give real threats a chance to slip by.
This is a hard problem to solve because IT environments are heterogeneous and vary from organization to organization. Good intrusion detection must give analysts the flexibility to establish nuanced alert thresholds tuned to their specific environment: which sources are known noise, which signatures are worth surfacing at all, how repeats are collapsed, and when a low-value signature becomes worth escalating because it is suddenly firing everywhere.
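The following Python is an added example, not code from the original post or from Bricata: it applies a small, environment-specific policy (allow-listed sources, per-signature severity floors, a de-duplication window, and escalation of a signature seen from many distinct sources) to a constructed batch of alerts. The rule names, addresses and policy values are all hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Alert:
    ts: float        # epoch seconds
    sig: str         # rule / signature name
    src: str
    dst: str
    severity: int    # 1 = informational ... 5 = critical


@dataclass
class Policy:
    """Per-environment tuning. These values are hypothetical; a SOC sets its own."""
    allow_src: set = field(default_factory=set)        # known noise sources (authorised scanner, monitoring host)
    min_severity: dict = field(default_factory=dict)   # per-signature floor; below it the alert is not surfaced
    dedupe_window: float = 300.0                       # seconds; repeats of (sig, src, dst) inside it are collapsed
    fanin_threshold: int = 3                           # a signature seen from this many distinct sources is escalated


def triage(alerts, policy):
    """Apply the policy in time order. Returns (surfaced_alerts, suppressed_count)."""
    surfaced, suppressed = [], 0
    last_surfaced = {}  # (sig, src, dst) -> ts of the last copy we let through
    for a in sorted(alerts, key=lambda x: x.ts):
        if a.src in policy.allow_src:
            suppressed += 1
            continue
        if a.severity < policy.min_severity.get(a.sig, 1):
            suppressed += 1
            continue
        key = (a.sig, a.src, a.dst)
        if key in last_surfaced and a.ts - last_surfaced[key] < policy.dedupe_window:
            suppressed += 1
            continue
        last_surfaced[key] = a.ts
        surfaced.append(a)
    return surfaced, suppressed


def escalate(surfaced, policy):
    """Signatures firing from many distinct sources: the alert that is trivial
    on one host but not when it is suddenly everywhere."""
    sources = defaultdict(set)
    for a in surfaced:
        sources[a.sig].add(a.src)
    return {sig for sig, srcs in sources.items() if len(srcs) >= policy.fanin_threshold}


# Constructed sample alerts (hypothetical rule names, RFC 1918 / RFC 5737 addresses).
SAMPLE = [
    Alert(0,   "scan/nmap-nse",        "10.0.0.5",  "10.0.1.20",   2),  # authorised vuln scanner
    Alert(10,  "policy/smbv1-session", "10.0.2.11", "10.0.2.40",   2),
    Alert(20,  "policy/smbv1-session", "10.0.2.11", "10.0.2.40",   2),  # repeat inside window
    Alert(30,  "policy/smbv1-session", "10.0.2.11", "10.0.2.40",   2),  # repeat inside window
    Alert(40,  "malware/wannacry-dns", "10.0.2.11", "10.0.0.53",   5),
    Alert(50,  "info/curl-user-agent", "10.0.3.7",  "203.0.113.9", 1),  # trivial true positive
    Alert(60,  "malware/wannacry-dns", "10.0.2.12", "10.0.0.53",   5),
    Alert(70,  "malware/wannacry-dns", "10.0.2.13", "10.0.0.53",   5),
    Alert(400, "policy/smbv1-session", "10.0.2.11", "10.0.2.40",   2),  # window expired: surfaces again
]

POLICY = Policy(allow_src={"10.0.0.5"},
                min_severity={"info/curl-user-agent": 2})


def run_sample():
    surfaced, suppressed = triage(SAMPLE, POLICY)
    return [a.sig for a in surfaced], suppressed, escalate(surfaced, POLICY)


if __name__ == "__main__":
    sigs, dropped, hot = run_sample()
    print("surfaced:", sigs)        # 5 of the 9 alerts survive
    print("suppressed:", dropped)   # 4
    print("escalated:", hot)        # {'malware/wannacry-dns'}
```

The point of the design is that every knob lives in `Policy`, so the same pipeline behaves differently per environment; the scanner that is noise in one network is an intrusion in another, and only the owner of the environment can say which.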
3) Ransomware pressures pricing
As it turns out, stealing data to sell on the dark web may not be as profitable as holding the data hostage for ransom. The use of ransomware has grown by 50% in recent years, in part, perhaps, because some organizations have paid the ransom and others say they are willing to.
Perhaps not coincidentally, insurance carrier AIG reported recently that 25% of its cyber claims in 2017 were the result of ransomware attacks. It’s a greater percentage than any other category of attack.
To that end, cybersecurity is as much a battle of economics as it is an arms race. For intrusion detection, it is not just about preventing or stopping ransomware; it is about doing so in a way that both makes financial sense and improves overall enterprise security.
4) Malware that spreads laterally
The impact of laterally spreading malware, like WannaCry and Petya, is going to be felt for the foreseeable future. Whereas spreading used to require some user interaction, such as clicking a link, today’s variants spread on their own (WannaCry, for instance, propagated host to host over SMB using the EternalBlue exploit).
Take laterally spreading ransomware for example. Once it’s inside, it wants to spread as rapidly as it can and encrypt as much data as possible. This allows attackers to slow or shut down business operations to the extent it becomes economically appealing to simply pay the ransom.
Intrusion detection cannot rely on just one method of detection; it must combine several (signature matching, behavioural checks such as a single host suddenly fanning out to many neighbours, protocol and file analysis) and examine threats rapidly from different perspectives. Doing so provides multiple opportunities to stop a threat on the network.
5) Zero trust posture
At one time, security teams built a perimeter around the organizational network. Everything inside that perimeter was trusted, and everything outside was not. The only way in or out was a controlled choke point, which provided a natural place for deep packet inspection.
Those days are over. Cloud, BYOD, IoT and a groundswell of trends – on the heels of the consumerization of business technology – created more ways for threats to slip inside. This has provided new ways for threat actors to attack while also providing more targets of opportunity.
Increasingly, security is adopting a philosophy of “zero trust”, which means traffic inside the network must be monitored and segmented rather than trusted by default. Intrusion detection deployed at internal choke points, such as the boundaries between segments, is proving to be a complementary technique.
In the past, IT operations objected to instrumenting the internal network for fear of added latency. However, a passive sensor fed from a tap or SPAN port adds no latency to the traffic it inspects, and techniques such as file carving let modern sensors extract and examine payloads at high speeds, which has largely assuaged such concerns.
6) Rise of threat hunting
Threat hunting is a hot emerging trend in cybersecurity. It starts from the assumption that the organization has already been breached, that the threat is hiding on the network biding its time, and that security must use a combination of analytics and intuition to go looking for it.
Intrusion detection that monitors networks for anomalies does this by capturing metadata about network transactions: which machines are communicating, over what protocols, how often, and with what outcome. The same metadata provides a useful basis for incident response, forensics and, most importantly, hunting for threats.
In other words, as this independent intrusion detection product review in CSO Online points out, this is a straightforward way for SOCs to begin threat hunting, with a tool their staff likely already know and use.
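As an added example (not Bricata's code and not part of the original post), the Python below runs three checks over constructed Zeek-style conn.log records: a signature-style indicator match, a behavioural fan-out check for the SMB lateral spread described under trend 4 (so it also illustrates the "multiple methods of detection" point there), and a who-talks-to-whom-over-what inventory of the kind this trend describes. The log lines, the 10.0.0.0/8 internal range, the "known-bad" address and the thresholds are all assumptions; the log uses a single header row in place of Zeek's `#fields` block.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek-style conn.log records: a subset of the real columns,
# tab-separated, one header row. Not real traffic; RFC 1918 / RFC 5737 hosts.
CONN_LOG = """\
ts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1000.0\t10.0.2.11\t49200\t10.0.2.40\t445\ttcp\tsmb\tSF
1000.5\t10.0.2.11\t49201\t10.0.2.41\t445\ttcp\t-\tREJ
1001.0\t10.0.2.11\t49202\t10.0.2.42\t445\ttcp\t-\tS0
1001.5\t10.0.2.11\t49203\t10.0.2.43\t445\ttcp\tsmb\tSF
1002.0\t10.0.2.11\t49204\t10.0.2.44\t445\ttcp\t-\tS0
1003.0\t10.0.2.11\t49205\t10.0.2.45\t445\ttcp\t-\tREJ
1005.0\t10.0.3.7\t51000\t203.0.113.77\t443\ttcp\tssl\tSF
1010.0\t10.0.2.12\t49300\t10.0.0.10\t445\ttcp\tsmb\tSF
1900.0\t10.0.2.12\t49301\t10.0.0.11\t445\ttcp\tsmb\tSF
2000.0\t10.0.4.9\t40000\t10.0.0.53\t53\tudp\tdns\tSF
"""

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


def parse_conn_log(text):
    """Turn the tab-separated text into dicts with typed ts and ports."""
    lines = [l for l in text.splitlines() if l and not l.startswith("#")]
    header = lines[0].split("\t")
    records = []
    for line in lines[1:]:
        r = dict(zip(header, line.split("\t")))
        r["ts"] = float(r["ts"])
        r["id.orig_p"] = int(r["id.orig_p"])
        r["id.resp_p"] = int(r["id.resp_p"])
        records.append(r)
    return records


def indicator_hunt(records, bad_hosts):
    """Signature-style method: any connection to a known-bad responder."""
    return [(r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
            for r in records if r["id.resp_h"] in bad_hosts]


def fanout_hunt(records, port=445, window=60.0, threshold=5, internal=INTERNAL):
    """Behavioural method: a source reaching >= threshold distinct internal
    hosts on `port` inside `window` seconds. Failed attempts (S0/REJ) count
    too: a worm probing hosts that do not answer is exactly the pattern sought.
    Returns {source: max distinct targets seen in one window} for hits only."""
    by_src = defaultdict(list)
    for r in records:
        if r["id.resp_p"] == port and ipaddress.ip_address(r["id.resp_h"]) in internal:
            by_src[r["id.orig_h"]].append((r["ts"], r["id.resp_h"]))
    hits = {}
    for src, conns in by_src.items():
        conns.sort()
        best = 0
        for i, (t0, _) in enumerate(conns):
            targets = {h for t, h in conns[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            hits[src] = best
    return hits


def protocol_inventory(records):
    """Which machines talk over what: {source: {'proto/port', ...}}."""
    inv = defaultdict(set)
    for r in records:
        inv[r["id.orig_h"]].add("%s/%d" % (r["proto"], r["id.resp_p"]))
    return dict(inv)


if __name__ == "__main__":
    recs = parse_conn_log(CONN_LOG)
    print("indicator hits:", indicator_hunt(recs, {"203.0.113.77"}))  # assumed known-bad host
    print("SMB fan-out:", fanout_hunt(recs))                          # 10.0.2.11 hit 6 hosts in 3 s
    for host, protos in sorted(protocol_inventory(recs).items()):
        print(host, sorted(protos))
```

Note that 10.0.2.12 also talks SMB to two internal hosts, but 15 minutes apart, so it stays under the fan-out threshold; the window and threshold are what separate a file server's normal day from a worm, and they are exactly the environment-specific knobs a SOC has to tune. On real Zeek output the same functions can be fed the columns selected with `zeek-cut`, or the JSON log format.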
We’ve recorded an excellent webinar titled Introduction to Network Threat Hunting for those interested in a brief explanation, rationale and practical ideas for getting started.
7) Integration becomes paramount in security
New threats often evolve in ways that require new tools to address them. As a result, a SOC can rack up a portfolio of 25 or more security tools. Often these tools do not work well together, and security ends up trying to make sense of disparate sources of data.
Given the nature and purpose of intrusion detection sensors, it is imperative that the data they collect can be shared in whatever way a security leader deems fitting, whether with a SIEM, an analytics platform or another tool. Good intrusion detection systems treat security data as intellectual property belonging to the customer.
* * *
Is there a trend you think we’ve overlooked? Tweet us: @BricataInc
If you enjoyed this post, you might also like:
What is Zeek [Bro IDS]? And Why IDS Doesn’t Effectively Describe It [Overview and Resources]