How Network Detection and Response (NDR) Fills the Security Gaps of Intrusion Prevention Systems (IPS)

Intrusion incidents have become very common in recent years, with widescale cyberattacks affecting organisations virtually every week. Threat actors are constantly trying to break into enterprise networks and compromise business assets. To prevent a breach from occurring, many companies employ Intrusion Prevention Systems (IPS).

In order to identify and prevent threats, these solutions rely on signature-based detection, which allows for automatic intrusion detection. However, this approach can cause various blind spots and weaknesses in network protection. Network Detection and Response (NDR) can overcome these drawbacks for more reliable and holistic protection against intrusions.

Intrusion Prevention Systems: Workflow and Limitations

An IPS can detect and actively block threats. To do so, it utilises a signature database of known cyber threats. These pre-programmed signatures help security admins identify and prevent attacks within the network. Consequently, an IPS can be an integral component of an enterprise’s cyber defence strategy.

However, the approach also has several limitations. For one, IPS can only detect and prevent attacks for which signatures already exist. This is problematic because the system cannot detect zero-day vulnerabilities, which are often responsible for the most devastating cyber breaches. One well-known example is the 2021 zero-day attack in which attackers exploited a remote code execution flaw in SolarWinds Serv-U products and remained undetected for several months. In such instances, IPS is ineffective and consequently an unreliable security measure.

IPS is also inadequate for analysing encrypted network traffic. According to the European Union Agency for Cybersecurity, encrypted traffic already accounted for 70-90% of all loaded HTTPS pages on the Internet in 2019, with tendencies rising each year. The adoption of encryption protects the confidentiality and integrity of sensitive business data. On the flip side, however, the signature-based detection approach by IPS and other solutions cannot be applied to encrypted payloads in order to detect and prevent intrusion attempts. To overcome this limitation, the firewall would have to decrypt all traffic, which can create a multitude of other security issues.

Further, IPS solutions typically generate individual alerts for each threat. They don’t combine these alerts to provide “a bigger picture” of the threat landscape, which makes it cumbersome for security teams to separate a real threat from false alerts. In addition, IPS cannot definitively capture if an alert indicates an actual attack vector and poses a real threat to the organisation. This limitation can significantly impair the response time, giving attackers a head-start to break into the enterprise.

How NDR Eliminates the Limitations of IPS for More Reliable Intrusion Detection

Unlike IPS, NDR systems do not rely on signature-based intrusion detection and prevention. Instead, they use advanced analytical protocols and machine learning algorithms to inspect network communications in near real-time. By continuously analysing raw traffic, they build a baseline of “normal” network behaviour. If they detect suspicious traffic, they raise alerts that there might be a potential threat within the network environment.

Since an NDR tool doesn’t rely on pre-programmed signatures to detect threats, it can detect anomalous network traffic and unknown threats that traditional tools, such as IPS and IDS, often miss. In addition, NDR solutions can detect unknown zero-day attacks for which no signatures exist yet. For example, the ExeonTrace NDR Platform features an ML model that can detect the Domain Generation Algorithm (DGA) used in the SolarWinds Sunburst attack of 2020 as well as novel malware for which signatures are not yet available. Traditional IPS tools cannot deliver these advanced detection capabilities.

malware

Further, NDR solutions combine and differentiate between detection alerts over both time and space with fewer false positives. This enables security personnel to detect malicious behaviours and identify the immediate threats that would remain under the radar of IPS. For instance, if a client is suddenly transmitting high data volumes through attempted administrative activities, it could be an indication of a threat that should be investigated. NDR supports such investigations because it doesn’t simply generate stand-alone alerts but creates a more holistic picture of the threat landscape.

In addition, NDR solutions based on metadata analysis, such as ExeonTrace, are able to inspect all network communications, even if they are encrypted. Traditional NDR providers, which rely on deep packet inspection, as well as IPS/IDS are unable to analyse encrypted payloads making them blind to a large percentage of the network traffic. As many threat actors utilise encryption in their attack protocol, this is a major drawback for their network protection capabilities.

Finally, NDR solutions retain an archive of past activities to enable network forensics and incident investigations. Thus, if an organisation wants to check if a client is infected by a vulnerability, the security teams can simply scan the client’s activities initiated by their server networks. Consequently, investigations can be conducted to prevent the recurrence of a security incident.

Conclusion

While IPS can detect known attacks and allow organisations to automatically eliminate some network vulnerabilities, NDR solutions can help detect and respond to more sophisticated and yet unknown attacks. If the IPS fails or an attacker manages to get into the network, an NDR solution allows for faster detection and more efficient threat hunting.

The NDR solution ExeonTrace provides enhanced visibility into the entire enterprise network and can even detect yet unknown cyber threats. Consequently, it is a key tool for security teams to detect different attack patterns, even if the traffic is encrypted. In addition, the platform’s threat scoring mechanism can easily integrate IPS/IDS detection events to provide organisations with comprehensive and ongoing protection from adversaries. Book a free demo to discuss how ExeonTrace can make your organisation more cyber resilient.