A Gartner report that called intrusion-detection systems a failed technology that wasn't cost-effective has provoked fervent reactions from users, vendors and analysts on both sides of the argument.
Some concurred with Gartner's position, saying IDSs are difficult to manage and generate far more data than is useful.
"I couldn't agree more," said Eric Beasley, network administrator at Baker Hill, an application service provider in Indiana, that replaced its IDS with a web application firewall. "IDS did little to increase our overall security," he said. "All I got was information overload."
Others said that despite the problems, it's premature to completely write off IDS technology.
"I think that broadly describing IDS as a market failure because of product shortcomings is a bit alarmist," said Eric Goldreich, manager of technology at Latham & Watkins LLP, a law firm with 1,500 attorneys in Los Angeles. "The existing solutions are not perfect, but they are much better than nothing at all."
An IDS typically operates behind a firewall looking for patterns or signals in network traffic that might indicate malicious activity. Over the past two years, the sensor-based technology has been gaining increasing attention from users who see it as an added layer of protection against attacks that breach other defences, such as firewalls and antivirus software.
However, several problems with IDSs make the technology more trouble than it's worth, said Richard Stiennon, a Gartner analyst and author of the IDS report.
The biggest is the fact that the systems impose a heavy management burden on companies by requiring full-time monitoring, Stiennon said. The tendency of such systems to generate a very large number of false alarms also adds to this burden, he said. The technology's inability to monitor traffic at transmission rates greater than 600Mbit/sec. can also be a problem, especially with widely deployed high-speed internal networks, according to Gartner.
Because of these issues, IDSs will become obsolete by 2005, Stiennon predicted. Instead of spending on technologies that detect intrusions, companies would be more prudent to invest in technologies that are designed to prevent intrusions from occurring in the first place, such as "deep-packet-inspection" firewalls, he added.
"I don't know about obsolete, but IDS is not all the rage it was two to three years ago, that's for sure," said Michael Engle, vice president of information security at Lehman Brothers Holdings.
When New York-based Lehman Brothers installed an IDS about three years ago, the system generated more than 600 alerts daily, he said. Since then, the firm has invested in an event-correlation technology for analyzing IDS data and distilling it into a more manageable volume, Engle said.
"I think it takes an inordinate amount of time to get meaningful IDS data from those systems, hence our investment in event-correlation software," he said.
Engle declined to identify the software Lehman was using, but vendors of such products include NetForensics, ArcSight and Intellitactics.
"We agree with a fair amount of the criticism" surrounding traditional IDSs, said Chris Hovis, a vice president at IDS vendor Lancope. But using such issues to dismiss the technology entirely was a mistake, he said.
New correlation, statistical and rules-based filtering technologies are beginning to help companies cut through the noise generated by traditional IDSs and mine useful information from them, said Martin Roesch, chief technology officer at Sourcefire, an IDS vendor.
"I think the Gartner report is short-sighted and ignores basic security principles," Roesch said. The notion that intrusion-prevention technologies can stop all attacks is just not realistic, making the need for IDS technology apparent, he added.
"While the technology has been plagued with issues from the past, such as high false positives, evasion tactics and mismanagement, the leading vendors in this space have responded with products that are very powerful in the hands of the right security staff," agreed Michael Rasmussen, an analyst at Forrester Research.