Have you ever wondered why academic literature – however silly much of infosec academic research is – always talks about “signature-based IDS” (“misuse”) and “anomaly-based IDS” (“abuse”), but most industry people instantly assume that “IDS = signature-based IDS”? Is this because anomaly-based IDS never worked well in the real world … or for some other reason?
Now, some of you may sneer and utter something like this: “Anton, the 1990s are over, why are you talking about IDS?” Well, the 2000s are over as well, and with them that embarrassing “IDS is dead” story…
In fact, we all know that “IDS is dead” is fake news. Detection is still rising to its proper place at the head of the table, next to Prevention. It is also dragging their third buddy, Response, with it.
So, why are we looking in this direction? Because of our planned research of NTA.
Now, WTH is NTA? This Gartner term (NTA for “Network Traffic Analysis”) is essentially our view of the evolution of NBA or NBAD of the olde times. IMHO, NTA was born to separate the old, mostly flow-based (layer-3) technology from the modern layer-7 based tech (see this BTW) that analyzes network activities for security purposes. And because NBAD does sound like the 1990s band name (“punish me … I’ve been so NBAD!!!”)…
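To make the two styles concrete, here is an added example (not code from the original post or from any vendor) that runs a signature-style match over layer-7 request lines next to an NBAD-style baseline deviation check over layer-3 flow volumes; the records, the signature pattern and the threshold are all constructed for illustration.

```python
"""Signature vs anomaly detection over constructed network records.

Added example, not from the original post. Everything below (records,
signature, baseline) is constructed to contrast a layer-7 signature match
with a layer-3 flow-volume anomaly check.
"""
import re
import statistics

# Constructed layer-7 records: one HTTP request line per event.
HTTP_REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /login?user=admin' OR '1'='1 HTTP/1.1",
    "POST /api/upload HTTP/1.1",
]

# Constructed layer-3 flow summaries: bytes sent by an internal host per hour.
# The last sample is a large outbound transfer that no payload signature sees.
FLOW_BYTES_PER_HOUR = {
    "10.0.0.5": [12_000, 15_000, 11_000, 14_000, 13_000, 9_800_000],
}

# Signature-style rule: a regex for a textbook tautology pattern, the way a
# classic IDS matches a known-bad string in payload (constructed pattern).
SQLI_SIGNATURE = re.compile(r"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)


def signature_alerts(requests):
    """Return the requests whose payload matches the known-bad signature."""
    return [r for r in requests if SQLI_SIGNATURE.search(r)]


def anomaly_alerts(flows, z_threshold=3.0):
    """Flag hosts whose latest hourly byte count sits more than z_threshold
    standard deviations above their own historical baseline (NBAD style)."""
    alerts = {}
    for host, samples in flows.items():
        baseline, latest = samples[:-1], samples[-1]
        mean = statistics.mean(baseline)
        # A perfectly flat baseline has zero spread; treat it as 1 byte so a
        # repeat of the same value scores z = 0 instead of dividing by zero.
        stdev = statistics.pstdev(baseline) or 1.0
        z = (latest - mean) / stdev
        if z > z_threshold:
            alerts[host] = round(z, 1)
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_alerts(HTTP_REQUESTS))
    print("anomaly hits:", anomaly_alerts(FLOW_BYTES_PER_HOUR))
```

The signature finds only the request it was written for, while the baseline check fires on the exfiltration-sized flow without knowing anything about its content; that is the difference the misuse/anomaly split in the literature is describing.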
But can somebody please explain to me why NBA then and NTA now are not just another kind of network intrusion detection system?
Hey… look at our 2018 “Magic Quadrant for Intrusion Detection and Prevention Systems”, for example. There are some players there who are in fact NTA [and will appear in the upcoming NTA Market Guide] and who predominantly use machine learning and other anomaly detection techniques, not signatures.
As context, some arguments I’ve heard include: IDS is a perimeter tech (while NTA is not), NTA does not detect intrusions per se, but mostly post-intrusion activity (but so can IDS?), “IDS is dead”, or IDS does not detect unknown threats.
So… any thoughts?