What Is a Next-Generation Intrusion Detection System?


After an online panel discussion on upgrading intrusion detection systems (IDS) to next-generation IDS, an interested participant reached out through LinkedIn. He had a simple question: “So, what is the definition of next generation intrusion detection system (NG-IDS)?”

I started to write a quick response, then reflected on the question and concluded an NG-IDS definition needed more context. This is what I sent my new LinkedIn connection.

Next-Gen

Anything labeled next-generation (NG) implies there is something important that needs an upgrade. IDS, built for the network as the source of truth, fits that bill.

IDS started in the 1990s to address the primary threat of the time: weaknesses in computer software. Signatures, the IDS’s detection strategy, have a close relationship with Common Vulnerabilities and Exposures (CVE). Rather, signatures are the antagonist to the exploits found in hacking tools like Metasploit. Signatures attempt to identify the traffic patterns of known exploits against known software vulnerabilities.

For IDS, NG can be confusing because vendors have put the threat intelligence lipstick on the pig and called that NG-IDS. Threat intel is an important addition, but it doesn’t address all the reasons why we need a next generation for IDS.

IDS Never Delivered on the Full Spectrum Promise

From the beginning of IDS, searching for patterns, tracking behavior, and finding anomalies were required for full-spectrum detection (NIST 800-94). IDS developers figured out the pattern part, but detecting behaviors and anomalies proved elusive since a good understanding of normal was difficult to achieve in dynamic environments using manual analysis techniques.

Today, machine learning creates the foundation for NG-IDS to deliver what is sorely lacking in traditional IDS: behavioral, anomaly, peer group, and rule-based pattern detections. This is critically important because it allows NG-IDS to detect known and unknown attacker tactics, techniques, and procedures (TTP).

The Perimeter Changed

Network perimeters are porous, elastic, and abstract—filled with unmanaged devices and cloud workloads crossing the boundaries without any observable security…

Source…