<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: The New Intrusion Detection: Part 2</title>
	<atom:link href="http://blog.emagined.com/2009/06/01/the-new-intrusion-detection-part-2/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.emagined.com/2009/06/01/the-new-intrusion-detection-part-2/</link>
	<description>Articles by Network Security Consultants</description>
	<lastBuildDate>Tue, 26 Jul 2011 18:15:03 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
	<item>
		<title>By: Matt Watchinski</title>
		<link>http://blog.emagined.com/2009/06/01/the-new-intrusion-detection-part-2/comment-page-1/#comment-149</link>
		<dc:creator>Matt Watchinski</dc:creator>
		<pubDate>Tue, 02 Jun 2009 17:57:28 +0000</pubDate>
		<guid isPermaLink="false">http://blog.emagined.com/?p=483#comment-149</guid>
		<description>A couple more comments

&quot;The new intrusion detection will have functionality that enables it to obtain information from multiple sources and then correlate it to determine that something is wrong and what its exact nature is.&quot;

This is called a SIEM; see Splunk, ArcSight, etc.  These systems have the ability to correlate firewall, IDS, NetFlow, etc. and allow for defining relationships between those events.  Usually only in relation to causal and temporal metrics, i.e. A, B and C happened within X time, therefore it&#039;s Z.  The really interesting work here is figuring out how to automatically create those relationships and add extra dimensions and metadata to them so it&#039;s easier to determine that one event is more important than another.

&quot;Because of the growing proportion of attacks against applications, Web applications in particular, application firewalls also need to be part of the new intrusion detection&quot;

I&#039;ve never really understood why a subset of IDS/IPS functionality is another market.  WAFs are little more than specialized IDS/IPS devices that only focus on the HTTP protocol.  There is nothing limiting an IDS/IPS from detecting the exact same attacks, and most if not all of them include plenty of functionality in this area.  But that is really neither here nor there, so sure, all &quot;new&quot; IDS/IPSs should detect web attacks.

I&#039;ll break your flow analysis and data extrusion into two parts.

There are plenty of applications/products, Sourcefire&#039;s RNA included, that can parse, correlate, and make decisions about network flows and whether or not they are normal, strange, or leaking data.  Additionally (not to plug my company too much, as that isn&#039;t the point of my comments), these flows can be tied to intrusion events so that it&#039;s easy to make causal relationships between these events.  This allows the operator to determine that some hosts are acting strangely and, if an event happened, tie that back to the attack that changed that host&#039;s behavior.

Before I get into extrusion detection, I think you missed a major feature that any new IDS should have: the ability to classify assets, classify users, and classify the movement of data on the network.  If you don&#039;t know what hosts/systems you have on your network, and how important they are to your organization, it&#039;s impossible to determine what, if anything, will happen if they are compromised.  Additionally, you don&#039;t know what you should be protecting.  It&#039;s like wrapping an egg in a bulletproof vest and then dropping it off a building.  The same goes for users and data: if you don&#039;t know who is on your network and what capabilities they have on the network (admin, normal, contractor), you can&#039;t determine the risk of those assets if they are compromised.  Data also goes into this category: if you don&#039;t know where your data is or what it is, how can you possibly determine if it was leaked?

Now for data extrusion.  If you don&#039;t know where your data is, what it is, and its importance, it&#039;s relatively difficult to do extrusion detection.  I&#039;m sure all the DLP vendors will disagree with my statements, as there are tons of companies devoted to scanning network traffic blindly for SSNs, credit cards, and the word &quot;confidential&quot;, but if you&#039;re just blindly scanning for that content you have no context as to where it &quot;should&quot; be and how it should be used.  Is it OK for Bob in accounting to send an XLS sheet of SSNs to Mary in HR?  Is it OK for Bob in sales to look up a customer&#039;s credit card?  Is it OK for Bob to do that 10 thousand times in a day?  (One last plug: Sourcefire does all the above except data; working on that.)

Finally, when it comes to investigating hosts, it&#039;s not cost-effective.  If you know what user was there, what events happened, and what data was lost (because you have all the stuff above I mentioned), then there is no reason to spend any money digging deeper.  Just wipe the host.</description>
		<content:encoded><![CDATA[<p>A couple more comments</p>
<p>&#8220;The new intrusion detection will have functionality that enables it to obtain information from multiple sources and then correlate it to determine that something is wrong and what its exact nature is.&#8221;</p>
<p>This is called a SIEM; see Splunk, ArcSight, etc.  These systems have the ability to correlate firewall, IDS, NetFlow, etc. and allow for defining relationships between those events.  Usually only in relation to causal and temporal metrics, i.e. A, B and C happened within X time, therefore it&#8217;s Z.  The really interesting work here is figuring out how to automatically create those relationships and add extra dimensions and metadata to them so it&#8217;s easier to determine that one event is more important than another.</p>
<p>&#8220;Because of the growing proportion of attacks against applications, Web applications in particular, application firewalls also need to be part of the new intrusion detection&#8221;</p>
<p>I&#8217;ve never really understood why a subset of IDS/IPS functionality is another market.  WAFs are little more than specialized IDS/IPS devices that only focus on the HTTP protocol.  There is nothing limiting an IDS/IPS from detecting the exact same attacks, and most if not all of them include plenty of functionality in this area.  But that is really neither here nor there, so sure, all &#8220;new&#8221; IDS/IPSs should detect web attacks.</p>
<p>I&#8217;ll break your flow analysis and data extrusion into two parts.</p>
<p>There are plenty of applications/products, Sourcefire&#8217;s RNA included, that can parse, correlate, and make decisions about network flows and whether or not they are normal, strange, or leaking data.  Additionally (not to plug my company too much, as that isn&#8217;t the point of my comments), these flows can be tied to intrusion events so that it&#8217;s easy to make causal relationships between these events.  This allows the operator to determine that some hosts are acting strangely and, if an event happened, tie that back to the attack that changed that host&#8217;s behavior.</p>
<p>Before I get into extrusion detection, I think you missed a major feature that any new IDS should have: the ability to classify assets, classify users, and classify the movement of data on the network.  If you don&#8217;t know what hosts/systems you have on your network, and how important they are to your organization, it&#8217;s impossible to determine what, if anything, will happen if they are compromised.  Additionally, you don&#8217;t know what you should be protecting.  It&#8217;s like wrapping an egg in a bulletproof vest and then dropping it off a building.  The same goes for users and data: if you don&#8217;t know who is on your network and what capabilities they have on the network (admin, normal, contractor), you can&#8217;t determine the risk of those assets if they are compromised.  Data also goes into this category: if you don&#8217;t know where your data is or what it is, how can you possibly determine if it was leaked?</p>
<p>Now for data extrusion.  If you don&#8217;t know where your data is, what it is, and its importance, it&#8217;s relatively difficult to do extrusion detection.  I&#8217;m sure all the DLP vendors will disagree with my statements, as there are tons of companies devoted to scanning network traffic blindly for SSNs, credit cards, and the word &#8220;confidential&#8221;, but if you&#8217;re just blindly scanning for that content you have no context as to where it &#8220;should&#8221; be and how it should be used.  Is it OK for Bob in accounting to send an XLS sheet of SSNs to Mary in HR?  Is it OK for Bob in sales to look up a customer&#8217;s credit card?  Is it OK for Bob to do that 10 thousand times in a day?  (One last plug: Sourcefire does all the above except data; working on that.)</p>
<p>Finally, when it comes to investigating hosts, it&#8217;s not cost-effective.  If you know what user was there, what events happened, and what data was lost (because you have all the stuff above I mentioned), then there is no reason to spend any money digging deeper.  Just wipe the host.</p>
]]></content:encoded>
	</item>
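Added example, not part of the comment above and not code from Sourcefire or any other product named in it: a minimal SIEM-style correlation of the shape the commenter describes (A, B and C on the same host within X seconds, therefore Z), with the asset and user classification he argues for used to rank the resulting incident, plus a context rule for data use that flags a user doing far more sensitive-record lookups than their role's baseline rather than inspecting each lookup blindly. The hosts, users, role tables, thresholds, rule and every event record are constructed assumptions for illustration only.

```python
"""Temporal correlation plus asset/user context over constructed events.

Everything here (hosts, owners, roles, thresholds, the A-B-C rule) is a
hypothetical stand-in for an organisation's own inventory and detection
content; it is not any vendor's implementation.
"""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int        # seconds since epoch (constructed)
    source: str    # "ids", "firewall", "netflow" or "app"
    host: str      # internal host the event concerns
    kind: str      # normalised event type
    detail: dict   # source-specific fields


# Constructed classification tables standing in for the asset/user inventory.
ASSET_CRITICALITY = {"10.0.1.5": "high", "10.0.2.20": "low"}
HOST_OWNER = {"10.0.1.5": "bob", "10.0.2.20": "alice"}
USER_ROLE = {"bob": "admin", "alice": "contractor"}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
ROLE_WEIGHT = {"normal": 1, "contractor": 1, "admin": 2}


def rank(incident):
    """Priority = asset criticality weighted by the host owner's role, so the
    same chain on a high-value admin box outranks it on a contractor's box."""
    host = incident["host"]
    crit = SEVERITY[ASSET_CRITICALITY.get(host, "medium")]
    role = ROLE_WEIGHT[USER_ROLE.get(HOST_OWNER.get(host, ""), "normal")]
    return crit * role


def correlate(events, window=600, exfil_bytes=100_000_000):
    """Rule: IDS exploit alert (A), then a firewall-permitted outbound
    connection (B), then a large flow to the same destination (C), all from
    one host within `window` seconds, therefore Z = compromise with exfil."""
    by_host = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    incidents = []
    for host, evs in by_host.items():
        for a in (e for e in evs if e.source == "ids" and e.kind == "exploit"):
            later = [e for e in evs if a.ts + window >= e.ts >= a.ts]
            b = next((e for e in later
                      if e.source == "firewall" and e.kind == "allow_out"), None)
            if b is None:
                continue
            c = next((e for e in later
                      if e.source == "netflow" and e.ts >= b.ts
                      and e.detail["dst"] == b.detail["dst"]
                      and e.detail["bytes_out"] >= exfil_bytes), None)
            if c is None:
                continue
            inc = {"host": host, "verdict": "compromise_with_exfil",
                   "chain": (a, b, c), "owner": HOST_OWNER.get(host)}
            inc["priority"] = rank(inc)
            incidents.append(inc)
    return sorted(incidents, key=lambda i: -i["priority"])


def abnormal_lookups(events, baseline_per_day, factor=10):
    """Context rule for data use: a user whose daily count of sensitive-record
    lookups exceeds their role's baseline by `factor` is flagged, even though
    each single lookup may have been permitted."""
    counts = {}
    for e in events:
        if e.source == "app" and e.kind == "ssn_lookup":
            key = (e.detail["user"], e.ts // 86400)
            counts[key] = counts.get(key, 0) + 1
    flagged = []
    for (user, day), n in sorted(counts.items()):
        base = baseline_per_day.get(USER_ROLE.get(user, "normal"), 50)
        if n > base * factor:
            flagged.append((user, day, n))
    return flagged


def sample_events():
    """Constructed multi-source events: two A-B-C chains, one stray alert,
    and one user doing 600 lookups in a day against an admin baseline of 50."""
    t = 1_700_000_000
    evs = [
        Event(t, "ids", "10.0.1.5", "exploit", {"sig": "SMB overflow attempt"}),
        Event(t + 30, "firewall", "10.0.1.5", "allow_out", {"dst": "203.0.113.7"}),
        Event(t + 200, "netflow", "10.0.1.5", "flow",
              {"dst": "203.0.113.7", "bytes_out": 250_000_000}),
        Event(t + 1000, "ids", "10.0.2.20", "exploit", {"sig": "SMB overflow attempt"}),
        Event(t + 1040, "firewall", "10.0.2.20", "allow_out", {"dst": "198.51.100.9"}),
        Event(t + 1100, "netflow", "10.0.2.20", "flow",
              {"dst": "198.51.100.9", "bytes_out": 150_000_000}),
        Event(t + 5000, "ids", "10.0.2.20", "exploit", {"sig": "old IIS probe"}),
    ]
    evs += [Event(t + 10 + i, "app", "10.0.1.5", "ssn_lookup", {"user": "bob"})
            for i in range(600)]
    evs += [Event(t + 10 + i, "app", "10.0.2.20", "ssn_lookup", {"user": "alice"})
            for i in range(20)]
    return evs


if __name__ == "__main__":
    evs = sample_events()
    for inc in correlate(evs):
        print(inc["host"], inc["owner"], inc["verdict"], "priority", inc["priority"])
    print(abnormal_lookups(evs, {"admin": 50, "contractor": 20, "normal": 50}))
```

The third IDS alert produces nothing because no firewall or flow event follows it inside the window, which is the point of requiring the chain rather than alerting on A alone; the two chains that do fire are ordered by the classification tables, not by anything in the packets.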
</channel>
</rss>

