What You Hate About Your IDPS – It Floods Your SOC with Alerts
5 Things You Hate About Your IDPS is a new white paper from Lastline that describes how decades old intrusion detection and prevention systems (IDPS) leave your organization vulnerable. The first thing you hate about your IDPS is that it floods your SOC with alerts.
According to the white paper, stand-alone IDPS are hardwired to detect threats based on rules and signatures. Since IDPS has no contextual data (such as host behavior patterns, business criticality of assets, knowledge of malicious behaviors, and user behaviors on the network) to identify alerts that are real threats, it often generates high volumes of false positives and very low-level alerts.
An Enterprise Management Associates Info Brief notes that when security teams were queried about dealing with constant threat alerts, “79 percent said they were overwhelmed by the volume.” Inaccurate legacy detection technology such as IDPS is a large contributor.
Lastline has written another white paper called False Positives: The Cure is Worse than the Disease that explores some of the risky strategies SOC teams are employing to deal with their growing alert volumes. These are forcing the SOC into a “do what you can do” strategy that focuses on high-value, high-risk assets, tuning alert thresholds to reduce alert volume, and ignoring certain types of alerts.
From a network IDPS perspective, reducing false positives often means being overly exclusionary. Administrators frequently configure rules to monitor traffic going to a narrow range of IP addresses. For instance, they may choose to only monitor high-value assets such as Internet-facing servers with customer and financial data. Reducing false positives also means being selective about which IDPS sensors you turn on, once again protecting only network segments with high-value assets.
Inability to correlate event data often adds to the continual wave of alerts that the SOC team must triage. Many SOCs have turned to log management tools or SIEMs to perform event correlation between separate products, including IDPS. However, these require significant customization before they can accurately correlate events from across the network. Plus, correlation directives need to be frequently updated to match the changing network environment and the SOCs often lack the staff to make necessary changes.
Unfortunately, turning off the alert fire hose means that sooner or later you’re going to miss an attack.
There’s a Better Way Forward
Don’t spend another minute hating your legacy IDPS. Replace it with Network Detection and Response (NDR). NDR offers IDPS and much more, all powered by artificial intelligence (AI), including:
- Network Traffic Analysis — Detects anomalous activity and malicious behavior as it moves laterally across the network
- Artifact Analysis — Detects malicious content attempting to enter via your network, email, the cloud or the web
- Global Threat Intelligence — Recognizes emerging threats in real time, using data collected from our partners and customers
These technologies improve threat detection and eliminate most false positives since AI is automatically trained both on network traffic and malicious behaviors.
Schedule Your Demo to see how you can deploy a Lastline sensor in as little as 30 minutes to replace your legacy IDPS.
Latest posts by Teresa Wingfield (see all)
- Detecting and Responding to Ransomware - November 12, 2019
- What Your Plan for AI-Powered Cybersecurity Should Look Like - November 7, 2019
- What You Hate About Your IDPS – It Floods Your SOC with Alerts - October 22, 2019