In today’s network-based environment, legacy intrusion detection systems (IDS) can’t keep up. When IDS was first invented, its detection capabilities were limited, but as the organizational perimeter has evolved, traditional IDS has fallen further behind.
IDS traditionally relies on rules to detect intruders, but those rules aren’t as effective in multi-cloud environments filled with IoT and employee devices. At the same time, with the growing pressure to adopt a zero trust architecture, network traffic is increasingly encrypted or tunneled.
Meanwhile, attackers’ strategies have shifted to target people and software vulnerabilities. Security teams need more capabilities if they want to see and stop attacks before they cause harm. On Oct. 4, ExtraHop and Carahsoft hosted a webinar on how modern IDS solutions improve on legacy tools to secure modern public sector organizations. Read on for a summary.
Behavior-Based Detections From Reveal(x) Close the Gap
Core, open-source IDS tools can detect critical CVE exploits, protocol abuse, and evasion attempts. Vendor solutions often add threat intelligence to these core capabilities. Meanwhile, modern network detection and response (NDR) solutions extend the capabilities of IDS, giving defenders the visibility they need by using both rule-based and dynamic, behavioral, or machine learning (ML)-assisted detections. By expanding beyond rule-based detections, these solutions can uncover attacks that don’t yet have known signatures. Modern NDR solutions also provide visibility into east-west traffic that legacy IDS can’t offer, which allows defenders to sniff out insider threats and post-compromise activities.
ExtraHop Reveal(x) takes network defense one step further than other NDR solutions by adding line-rate decryption; without it, security teams are blind to exploits leveraging encrypted traffic. Reveal(x) also goes beyond detection and alerts to help teams streamline their workflows and maximize their effectiveness with security hygiene, investigation, response, and forensics capabilities.
IDS has often been criticized as “noisy,” with lots of alerts that may or may not require action. Reveal(x) combats this by providing advanced triage and response capabilities, including integrated risk scoring, correlation, and investigation abilities, so you can quickly determine how to handle each alert.
How ExtraHop IDS Outperforms Legacy IDS
ExtraHop IDS isn’t a separate tool. It simply adds IDS detections to the broader ExtraHop ecosystem. This means no more swivel-chairing between tools. By connecting to your broader workflow, you can correlate IDS detections with others to tell the whole story and drill down from detection to raw packet data in only a handful of clicks.
ExtraHop IDS can be deployed in any IT environment, from fully on-premises to hybrid and cloud deployments. ExtraHop IDS works by sending a copy of raw network traffic to an IDS sensor. Unlike other solutions, Reveal(x) stores and indexes this raw packet data, which is increasingly becoming a requirement under regulations and mandates, such as OMB M-21-31, PCI DSS, and HIPAA.
Through partner integrations, ExtraHop IDS also functions as an intrusion prevention system (IPS). Instead of using a traditional inline firewall, its out-of-band packet sensors feed detections into SIEM or SOAR solutions to trigger actions, like archiving data, gathering additional information, or blocking activity.
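To make the three ideas above concrete (signature rules and behavioral baselines applied to the same east-west traffic, per-host risk scoring to cut alert noise, and out-of-band detections handed to a SIEM/SOAR as events), here is a small added example in Python. It is illustrative code written for this summary, not ExtraHop's or Emerging Threats' code; the flow records, the single signature rule, the baseline values, and the function names are all constructed for the demonstration.

```python
"""Toy NDR pipeline: signature rules plus a behavioral baseline over the same
flow records, per-host risk scoring, and SIEM/SOAR-style event output."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# One connection summary as a passive (out-of-band) sensor might export it:
# (src, dst, dport, proto, bytes, payload snippet).
Flow = Tuple[str, str, int, str, int, str]

# Constructed sample flows (not real traffic). 10.0.0.0/8 is the internal range.
SAMPLE_FLOWS: List[Flow] = [
    ("10.0.1.20", "10.0.2.5",    445, "tcp", 1200, ""),
    ("10.0.1.20", "10.0.2.6",    445, "tcp", 1150, ""),
    ("10.0.1.20", "10.0.2.7",    445, "tcp", 1180, ""),
    ("10.0.1.20", "10.0.2.8",    445, "tcp", 1210, ""),
    ("10.0.1.20", "10.0.2.9",    445, "tcp", 1190, ""),
    ("10.0.1.20", "10.0.2.10",   445, "tcp", 1170, ""),
    ("10.0.1.21", "10.0.2.5",    445, "tcp", 3000, ""),
    ("10.0.1.22", "203.0.113.9",  80, "tcp",  640, "GET /gate.php?id=beacon HTTP/1.1"),
    ("10.0.1.23", "10.0.3.1",    443, "tcp", 9000, ""),
]

INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def is_east_west(flow: Flow) -> bool:
    """True when both endpoints are internal, i.e. traffic a perimeter IDS never sees."""
    return (ipaddress.ip_address(flow[0]) in INTERNAL
            and ipaddress.ip_address(flow[1]) in INTERNAL)


@dataclass(frozen=True)
class Rule:
    name: str
    severity: int
    matches: Callable[[Flow], bool]


# Constructed signature rule (hypothetical; not from any published ruleset).
RULES: List[Rule] = [
    Rule("HTTP check-in to /gate.php style URI", 7,
         lambda f: f[3] == "tcp" and "/gate.php" in f[5]),
]


def signature_detections(flows: List[Flow]) -> List[Tuple[str, str, int]]:
    """Classic IDS: every flow is tested against every rule."""
    return [(f[0], r.name, r.severity) for f in flows for r in RULES if r.matches(f)]


# Hypothetical learned baseline: distinct SMB peers each host normally talks to
# per observation window. A real system would derive this from history.
BASELINE_SMB_FANOUT: Dict[str, int] = {"10.0.1.20": 1, "10.0.1.21": 1}


def behavioral_detections(flows: List[Flow], baseline: Dict[str, int],
                          multiplier: int = 3, floor: int = 3) -> List[Tuple[str, str, int]]:
    """Behavioral detection with no signature: flag a host whose east-west SMB
    fan-out jumps well above its own baseline (a lateral-movement indicator)."""
    fanout = defaultdict(set)
    for f in flows:
        if is_east_west(f) and f[2] == 445:
            fanout[f[0]].add(f[1])
    hits = []
    for src, dsts in fanout.items():
        expected = baseline.get(src, 1)
        if len(dsts) >= max(floor, expected * multiplier):
            hits.append((src, f"SMB fan-out to {len(dsts)} hosts vs baseline {expected}", 6))
    return hits


def risk_scores(flows: List[Flow], baseline: Dict[str, int]) -> Dict[str, dict]:
    """Correlate both detection types per source host so an analyst triages
    hosts by accumulated risk instead of reading raw alerts one by one."""
    scores, evidence = defaultdict(int), defaultdict(list)
    for src, name, sev in signature_detections(flows) + behavioral_detections(flows, baseline):
        scores[src] += sev
        evidence[src].append(name)
    return {src: {"score": scores[src], "evidence": evidence[src]} for src in scores}


def to_siem_events(results: Dict[str, dict], block_threshold: int = 7) -> List[dict]:
    """Events an out-of-band sensor would forward to a SIEM/SOAR; the playbook,
    not the sensor, performs the action, since nothing here sits inline."""
    ordered = sorted(results.items(), key=lambda kv: -kv[1]["score"])
    return [{"host": host, "risk": r["score"], "evidence": r["evidence"],
             "recommended_action": "block" if r["score"] >= block_threshold else "investigate"}
            for host, r in ordered]


if __name__ == "__main__":
    for event in to_siem_events(risk_scores(SAMPLE_FLOWS, BASELINE_SMB_FANOUT)):
        print(event)
```

Run as a script, the host 10.0.1.20 is flagged only by the behavioral detector (six SMB peers against a baseline of one, with no signature involved), 10.0.1.22 only by the signature rule, and 10.0.1.21 by neither, since a single SMB connection matches its baseline. The recommended action is a label for a SOAR playbook; because the sensor is out of band, blocking has to happen through a firewall or endpoint integration rather than in the sensor itself.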
By combining Reveal(x) with IDS, public sector organizations can take advantage of unrivaled network-based detections to achieve comprehensive coverage. ExtraHop IDS leverages tens of thousands of high-fidelity signatures that cover the major malware families, command-and-control channels and protocols, SCADA protocols, obfuscation, exploit kits, and exfiltration methods, as well as CVEs in the wild. ExtraHop curates a dataset based on the industry-leading ETPro ruleset, one of the world’s largest active malware exchanges.
IDS from ExtraHop makes triage and troubleshooting easier by extending detections beyond rules and seamlessly integrating with other security tools. With the powerful decryption native to Reveal(x), you’ll be able to see everything that happens on your network. Public sector organizations that have written off IDS should take another look at the capabilities in the latest solutions.