Gartner has created something of a flap with a string of reports saying intrusion-detection systems haven't lived up to their promises and will be eclipsed by intrusion-prevention tools.
The latest indictment was issued last month, a report called ‘Intrusion Detection is Dead - Long Live Intrusion Prevention,’ by Richard Stiennon, vice president of research. Gartner has, in fact, been banging this drum for a while. Last August the company recommended delaying investments in IDSs until better options emerged.
Network World also was urging caution at the time. In a test of eight IDS products in a production network we concluded: "All ask too much of their users in terms of time and expertise to be described as security must-haves." (We have another test running now and will report the results in the Autumn.)
But we didn't go as far as to conclude that IDS doesn't have a future, which is the Gartner theme that is gnawing at some security mavens. Gartner essentially is saying that, given the documented problems with detection systems, you're better off spending your money on other tools such as advanced firewalls and application security.
But some insiders don't add it up the way Gartner does. Network World Test Alliance member Joel Snyder, a senior partner at Opus One Inc. in Tucson, agrees that intrusion prevention is a technology, not a product, and he also expects to see it show up in devices such as firewalls and switches.
But he and others argue that if IDS makers can overcome problems such as false positives, there will be room in a layered defence for IDS because its role is different from other security components. As one person in our forum on the topic pointed out, instead of sitting inline, IDS systems are out of band and watch the network for signs of attack or misuse. Even with all our other safeguards, some stuff always gets through, and IDS systems represent the final safety net.
But Stiennon counters that there is no guarantee that IDS will pick up that activity. "You're better off spending your money on other things, like application security. You don't need to sniff packets."
IDS clearly still has to prove its worth, but we'll reserve judgment until we get the readings from our current test. After all, the vendors have had a year to address the early criticisms. These test results might prove to be sink or swim for the IDS community.