What Is a Next-Generation Intrusion Detection System?

Opt-in to Cyber Safety. Multiple layers of protection for your devices, online privacy and more.

After an online panel discussion on upgrading intrusion detection systems (IDS) to next-generation IDS, an interested participant reached out through LinkedIn. He had a simple question: “So, what is the definition of a next-generation intrusion detection system (NG-IDS)?”

I started to write a quick response, then reflected on the question and concluded an NG-IDS definition needed more context. This is what I sent my new LinkedIn connection.


Anything labeled next-generation (NG) implies there is something important that needs an upgrade. IDS, built for the network as the source of truth, fits that bill.

IDS started in the 1990s to address the primary threat of the time: weaknesses in computer software. Signatures, the IDS’s detection strategy, have a close relationship with Common Vulnerabilities and Exposures (CVE). More precisely, signatures are the antagonist to the exploits found in hacking tools like Metasploit: they attempt to identify the traffic patterns of known exploits against known software vulnerabilities.

For IDS, NG can be confusing because vendors have put the threat intelligence lipstick on the pig and called that NG-IDS. Threat intel is an important addition, but it doesn’t address all the reasons why we need a next generation of IDS.

IDS Never Delivered on the Full Spectrum Promise

From the beginning of IDS, searching for patterns, tracking behavior, and finding anomalies were required for full-spectrum detection (NIST 800-94). IDS developers figured out the pattern part, but detecting behaviors and anomalies proved elusive since a good understanding of normal was difficult to achieve in dynamic environments using manual analysis techniques.

Today, machine learning creates the foundation for NG-IDS to deliver what is sorely lacking in traditional IDS: behavioral, anomaly, peer group, and rule-based pattern detections. This is critically important because it allows NG-IDS to detect known and unknown attacker tactics, techniques, and procedures (TTP).
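As an added illustration (not code from the original article), the following Python contrasts the detection styles the paragraph names on constructed flow records: a signature catches the known exploit pattern but is blind to a host moving an unusual volume of data, which only the per-host baseline and peer-group checks flag. Host names, byte counts and the signature are all made up for the example.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample data (not real traffic): five days of outbound bytes per
# workstation, then one day of new flows. All three hosts form one peer group.
HISTORY = {
    "ws-01": [10_000, 12_000, 11_000, 9_500, 10_500],
    "ws-02": [8_000, 9_000, 8_500, 7_500, 8_200],
    "ws-03": [20_000, 22_000, 21_000, 19_000, 20_500],
}
TODAY = [
    {"host": "ws-01", "bytes": 11_000, "payload": "GET /index.html"},
    {"host": "ws-02", "bytes": 9_000, "payload": "GET /cgi-bin/../../etc/passwd"},
    {"host": "ws-03", "bytes": 950_000, "payload": "POST /upload"},
]
# Rule-based (classic IDS) detection: a pattern for one known exploit technique.
SIGNATURES = {"dir-traversal-passwd": re.compile(r"\.\./\.\./etc/passwd")}


def signature_hits(flows, signatures=SIGNATURES):
    """Known-pattern detection: fires only when a payload matches a signature."""
    return sorted({(f["host"], name) for f in flows
                   for name, rx in signatures.items() if rx.search(f["payload"])})


def baseline_anomalies(flows, history=HISTORY, k=3.0):
    """Behavioral detection: flag a host whose volume exceeds its own mean + k*stdev."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["host"]] += f["bytes"]
    flagged = []
    for host, total in totals.items():
        past = history.get(host, [])
        # A host with fewer than two history points has no usable notion of "normal".
        if len(past) >= 2 and total > statistics.mean(past) + k * statistics.stdev(past):
            flagged.append(host)
    return sorted(flagged)


def peer_group_outliers(flows, factor=5):
    """Peer-group detection: flag a host far above the median volume of its peers."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["host"]] += f["bytes"]
    median = statistics.median(totals.values())
    return sorted(h for h, t in totals.items() if t > factor * max(median, 1))


if __name__ == "__main__":
    print("signature :", signature_hits(TODAY))        # ws-02 only
    print("baseline  :", baseline_anomalies(TODAY))    # ws-03 only
    print("peer group:", peer_group_outliers(TODAY))   # ws-03 only
```

ws-03 never matches a signature, so a pattern-only IDS would report nothing for it; the two statistical checks flag it without knowing the technique in use.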

The Perimeter Changed

Network perimeters are porous, elastic, and abstract—filled with unmanaged devices and cloud workloads crossing the boundaries without any observable security…


Bad Bot Report 2021: The Pandemic of the Internet


The 8th Annual Bad Bot Report is now available from Imperva. Created using data from Imperva’s Threat Research Lab, it provides a comprehensive look at the bad bot landscape and the impact that this malicious traffic has across multiple industries.

Bad bot traffic amounted to 25.6 percent of all website traffic in 2020. This means that a record-breaking quarter of all internet traffic originated from bad bots last year.

Bad Bot Report, Figure 1

Key findings from the 2021 Bad Bot Report:

Bad bot traffic now accounts for a quarter of all internet traffic. Increasing by 6.2 percent from the previous year, bad bot traffic now represents no less than a quarter of all internet traffic. Good bot traffic has risen 16 percent from last year, amounting to 15.2 percent of all traffic. Astoundingly, despite the increase in human internet use during the global pandemic, human traffic decreased by 5.7 percent from last year to 59.2 percent of all traffic.

Telecom and ISPs were hit the hardest by bad bots. The bad bot problem is a cross-industry one. Because bad bots are capable of a wide variety of nefarious activities, ranging from account takeover using credential stuffing to scraping of proprietary data, Grinchbots and more, their targets are varied, too. The top 5 industries with the most bad bot traffic include Telecom & ISPs (45.7%), Computing & IT (41.1%), Sports (33.7%), News (33%), and Business Services (29.7%).

Moderate and sophisticated bad bots still constitute the majority of bad bot traffic. Categorized as Advanced Persistent Bots or APBs, these accounted for 57.1 percent of bad bot traffic in 2020. These are plaguing websites and often avoid detection by cycling through random IP addresses, entering through anonymous proxies, changing their identities, and mimicking human behavior.

Bad bots have taken a liking to mobile identities. While Chrome remains a favorite identity for bad bots to impersonate, its overall share significantly dropped in 2020. Mobile clients like Mobile Safari, Mobile Chrome and others accounted for 28.1 percent of all bad bot requests in 2020. This is a significant increase compared to last year’s 12.9 percent.

Bad bots often originate from the same country they…


Ransomware: Looking beyond endpoint protection


The last year has been one of the most active of the past decade in cybersecurity. More than 1,000 data breaches took place in the United States alone, with a total of 155 million individuals impacted by data exposures, according to Statista. But when it comes to ransomware, the data on this insidious type of cyberattack is even more alarming.


Botnet attacks once ruled the threat landscape as the preferred method for threat actors to cash in, but ransomware quickly took its place. Data from Bitdefender’s Mid-Year Threat Landscape Report 2020 points to a 715 percent increase in ransomware attacks in 2020 globally. Email phishing campaigns, remote desktop protocol vulnerabilities, and software flaws are the most common means of infection.


What’s led to this distressing increase, and what can modern-day security professionals do to protect the business? The answer isn’t found on the endpoint.


The perfect storm: The 2020 threat landscape

First, let’s put the threat landscape into context when it comes to the events of the last 15 months. Yes, 2019 was a year for the record books regarding ransomware, especially considering that more than 900 U.S. government agencies fell victim to attacks. But the COVID-19 pandemic is what really put organizations into a tailspin in 2020, says Vinay Pidathala, director of security research at Menlo Labs.


“The rise of ransomware in 2020 can really be attributed to a culmination of things,” Pidathala says. “You have a sudden change in which organizations moved to remote workforces worldwide. Employees are also adjusting to working from home while balancing other duties at the same time, like taking care of their kids and household chores.”


These abrupt changes significantly eroded employee awareness around remote work, leading to careless use of the Internet and too little scrutiny of the barrage of incoming emails, and resulting in risky behavior that could be costly for businesses.


“User awareness really took a hit,” Pidathala says. “Challenges were also presented when it comes to endpoints. In many cases, personal laptops are being used to conduct work, and…


Ransomware on the Rise, Organizations Doing Better at Detecting Intrusions – MeriTalk


More security incidents were detected by the breached organizations themselves last year, a positive trend in the cybersecurity sector at a time when cyber threat actors are increasingly exploiting the remote work setup, a 2021 trends report by FireEye and Mandiant – both cybersecurity firms – found.

The report also found that ransomware has become a “multifaceted extortion” scheme, identified a financial cyber threat group, and detailed how Mandiant worked with law enforcement after finding the initial SolarWinds Orion intrusion.

“Security practitioners faced a series of challenges in this past year which forced organizations into uncharted waters. As ransomware operators were attacking state and municipal networks alongside hospitals and schools, a global pandemic response to COVID-19 necessitated a move to remote work for a significant portion of the economy. Organizations had to adopt new technologies and quickly scale outside of their normal growth plans,” the report says.

“As organizations settled into a new understanding of “normal,” UNC2452, a suspected nation-state threat actor, conducted one of the most advanced cyber espionage campaigns in recent history,” the report continues. “Many security teams were forced to suspend wide-ranging analyses around the adoption of remote work policies and instead focus on a supply chain attack from a trusted platform.”

In addition to naming UNC2452, the report also names FIN11 as a threat actor to be aware of. FIN11 is a financially motivated group, suspected of committing “widespread phishing operations” and “several multifaceted extortion operations.”

On a positive note, the report notes that 59 percent of the intrusions Mandiant investigated were self-reported by the organizations experiencing the intrusion, a reported 12 percent increase from the year before.