Have you ever wondered why academic literature – however silly much of infosec academic research is – always talks about “signature-based IDS” (“misuse”) and “anomaly-based IDS” (“abuse”), but most industry people instantly assume that “IDS = signature-based IDS”? Is this because anomaly-based IDS never worked well in the real world … or for some other reason?
Now, some of you may sneer and utter something like this: “Anton, the 1990s are over, why are you talking about IDS?” Well, the 2000s are over as well, and with them, that embarrassing “IDS is dead” story…
In fact, we all know that “IDS is dead” is fake news. Detection is still rising to its proper place at the head of the table, next to Prevention. It is also dragging their third buddy, Response, with it.
So, why are we looking in this direction? Because of our planned research of NTA.
Now, WTH is NTA? This Gartner term (NTA for “Network Traffic Analysis”) is essentially our view of the evolution of NBA or NBAD of the olde times. IMHO, NTA was born to separate the old, mostly flow-based (layer-3) technology from the modern layer-7 based tech (see this BTW) that analyzes network activities for security purposes. And because NBAD does sound like a 1990s band name (“punish me … I’ve been so NBAD!!!”)…
But can somebody please explain to me why NBA then, and NTA now, is not just another kind of network intrusion detection system?
Hey… look at our 2018 “Magic Quadrant for Intrusion Detection and Prevention Systems”, for example. There are some players there who are in fact NTA [and will appear in the upcoming NTA Market Guide] and who predominantly use machine learning and other anomaly detection techniques, not signatures.
As context, some arguments I’ve heard include: IDS is a perimeter tech (while NTA is not), NTA does not detect intrusions per se, but mostly post-intrusion activity (but so can IDS?), “IDS is dead”, or IDS does not detect unknown threats.
So… any thoughts?