What You Hate About Your IDPS – It Doesn’t Detect Lateral Movement

5 Things You Hate About Your IDPS describes common complaints about legacy intrusion detection and prevention systems (IDPS) that we’ve heard from our customers. One issue that comes up frequently is the inability of stand-alone IDPS to detect lateral movement of threats inside the network.

Detecting lateral movement is an important component of an overall detection and response strategy. Bad actors rarely target only one system in an attack. Often they pursue a “land and expand” approach, compromising a vulnerable Internet-facing system or user’s device and then moving laterally across the network to reach their ultimate destination.

There are several reasons why IDPS don’t detect lateral movement, including deployment location, lack of context, and lack of ability to detect anomalous activity.

  • Location: One reason for the inability to detect lateral movement is that many stand-alone IDPS are deployed at the perimeter and not on internal segments. Because it inspects only traffic crossing the perimeter, the IDPS can detect at most the initial attack and does not see any activity that occurs within the network as an attack progresses laterally. The per-device pricing model used by stand-alone IDPS vendors is cost prohibitive for organizations looking to deploy multiple sensors on internal segments.
  • Context: Another reason IDPS can’t detect lateral movement is lack of context—the IDPS lacks an understanding of the applications and services running on a device, as well as the business function or criticality of that device. This lack of awareness limits the ability of the IDPS to detect traffic between external and internal systems, such as post-exploitation communication between a compromised system and a bad actor who is communicating using a legitimate remote management tool (such as PowerShell).
  • Anomalous activity: IDPS also lack the ability to detect anomalous behavior on the network, which is often an indicator of an active threat moving across a network. Because most IDPS rely on signature matching to detect malicious activity, they ignore unusual behavior by systems, such as scanning for vulnerabilities or communication between two internal systems that don’t normally share data.

Complicating the issue of anomaly detection is that not all anomalous activity is malicious. Networks are dynamic environments, and anomalous activity is common as new users, new applications, and new devices are added. Simply adding anomaly detection capabilities to an IDPS will generate more false positives as benign anomalies trigger alerts that require follow-up by an already overworked SOC team.
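The kind of check the context and anomalous-activity points describe, as an added example (not code from the original post or from any vendor's product): it learns which internal host pairs normally talk, then flags first-seen internal flows, raising priority only for scan-like fan-out or a critical destination so that benign one-off anomalies stay low. The address range, critical-asset list, threshold and flow records are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumption: internal address space
CRITICAL = {"10.4.0.7"}              # assumption: asset inventory marks the database as critical
FANOUT = 5                           # assumption: new peers from one source that count as scan-like

# Constructed sample flows: (source, destination, destination port)
BASELINE_FLOWS = [
    ("10.1.1.20", "10.2.0.5", 445),
    ("10.1.1.21", "10.2.0.5", 445),
    ("10.3.0.10", "10.4.0.7", 5432),
]
OBSERVED_FLOWS = BASELINE_FLOWS + [
    ("203.0.113.9", "10.3.0.10", 443),   # perimeter traffic, out of scope here
    ("10.1.1.20", "10.4.0.7", 5432),     # workstation talks to the database for the first time
    ("10.1.1.21", "10.1.1.30", 3389),    # one new peer, non-critical destination
] + [("10.3.0.10", f"10.1.1.{n}", 445) for n in range(20, 26)]  # one host, six new peers

def internal(addr):
    return ip_address(addr) in INTERNAL

def build_baseline(flows):
    """Internal (src, dst, port) tuples seen during the learning window."""
    return {f for f in flows if internal(f[0]) and internal(f[1])}

def detect(flows, baseline):
    """Group never-before-seen internal flows by source and assign a priority."""
    new_peers = defaultdict(set)
    for src, dst, port in flows:
        if internal(src) and internal(dst) and (src, dst, port) not in baseline:
            new_peers[src].add((dst, port))
    findings = {}
    for src, peers in new_peers.items():
        if len(peers) >= FANOUT:
            findings[src] = ("high", "scan-like fan-out", len(peers))
        elif any(dst in CRITICAL for dst, _ in peers):
            findings[src] = ("high", "new flow to critical asset", len(peers))
        else:
            findings[src] = ("low", "new internal pair", len(peers))
    return findings

if __name__ == "__main__":
    for src, finding in sorted(detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)).items()):
        print(src, *finding)
```

None of these flows crosses the perimeter or matches a signature, which is why a perimeter-only, signature-based sensor would report nothing for them.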

Gartner’s View on the Need to Detect Lateral Movement

“The plethora of breaches continues unabated, which highlights how organizations need to better address the protection of internal assets and improve their ability to detect and prevent the lateral movement of threats. The “flat internal network” problem is one that Gartner sees still existing in a majority of our clients’ networks, and it is a systemic issue that spans geographies, industry vertical and organization size.”1

Detect Lateral Movement with NDR

To improve threat detection and response, Gartner advocates the use of a network-centric approach. Gartner’s framework, Network Detection and Response (NDR), combines Network Traffic Analysis (NTA) with IDPS and perimeter controls to improve the visibility into lateral movement that stand-alone IDPS lacks.

“The escalating sophistication of threats requires organizations to use multiple sources of data for threat detection and response. Network-based technologies enable technical professionals to obtain quick threat visibility across an entire environment without using agents.”2


Lastline Defender is an NDR platform that combines NTA, IDPS and Artifact Analysis, all powered by artificial intelligence (AI), to deliver the industry’s most accurate detection and response for both cloud and on-premises networks. It provides the visibility into lateral movement that stand-alone IDPS lack, and its cloud-based architecture, flexible deployment options, and per-user pricing make it cost effective to deploy anywhere you want protection from advanced threats.

Schedule Your Demo to see how you can deploy Lastline Defender in as little as 30 minutes to replace your legacy IDPS.

1 Gartner Market Guide for Intrusion Detection and Prevention Systems, Craig Lawson, John Watts, 1 July 2019

2 Gartner Applying Network-Centric Approaches for Threat Detection and Response, Augusto Barros, et al, 18 March 2019