Experts: IDS is here to stay

Conventional wisdom once had it that intrusion prevention systems (IPS) would eliminate the need for intrusion defense systems (IDS). But with threats getting worse by the day and IT pros needing every weapon they can find, the IDS is alive and well.

"IPS threatened to hurt the IDS market but IDS is better equipped to inspect malware," said Chris Liebert, a security analyst with Boston-based Yankee Group Research. "IPS specialises in blocking, so each still have their own uses, and that's why IDS is still around."

IDS is now part of a larger intrusion defense arsenal that includes vulnerability management and access control technology. In fact, one analyst believes standalone IDS products will still be in demand five years from now while IPS technology will likely be folded in firewall products.

"In the long term, I do not think IPS devices will remain as separate products," said Eric Maiwald, a senior security analyst for Burton Group. "We see this happening already. All of the major firewall vendors offer some amount of IPS functionality in their products. At the same time, there is much firewall-like capability in the IPS products."

IDS products will probably remain as separate devices because of the need to monitor happenings on a network and monitor actions of other policy enforcement points, he said.

Market leaders
Maiwald sees vendors like Internet Security Systems [a division of IBM], Sourcefire, TippingPoint and McAfee as leaders in the IDS/IPS market. "All four have a combination of good detection technology backed up by teams to identify and code new signatures," he said. "Juniper and Cisco could be included in this list as well but I think their muscle in the market is more from their large market share than from their technology." That said, he does think Juniper is moving quickly to integrate its firewall and IPS functionality.

Meanwhile, he sees Lucid Security and Reflex Security as two vendors worth watching. "It remains to be seen, however, if they can turn their technology into traction in the market," he said.

Maiwald sees the most innovation coming from some of the smaller vendors and the open source community. But he hasn't seen much in the way of revolutionary change in recent years. "I see more of an evolutionary change, small increases in detection mechanisms," he said.

User challenges
For users, the biggest headaches when using the technology involve the way devices are tuned and whether the right policies and procedures are in place so security or network teams know what to do when they get an alert. Mistakes on either front could result in too many false positives or legitimate alerts getting overlooked.

Before deploying the technology, Maiwald suggests customers examine what exactly they are trying to do with it. "Is it a monitoring device? Is it a prevention device? Once you have identified what you want it to do then you can identify the best products and the appropriate locations for deployment," he said.

Users also need to remember that intrusion defense involves much more than simply deploying an IDS/IPS device, experts say. It's about having a layered security program that includes antivirus software, access control and vulnerability management tools and firewalls.

Customer demands
As they grow dependent on more tools, industry experts say IT pros want security vendors to develop management systems that allow them to pull data from various security devices into one place where they can assemble the big picture and mount a quicker, more effective defense. As part of the bargain, they want more automation and quicker analysis.

Max Caceres, director of product management for Core Security Technologies in Boston, says that is indeed what his customers have been telling him.

"Customers want as much automation as possible and the ability to produce general reports," he says. Core Security's specialty is penetration testing, and the company has worked to inject more speed and ease into its products. "People see the value of efficient and thorough testing, but they're looking for ways to make it easier."

Liebert said the need for speed is driven by a threat landscape that's shifted from worms attacks to below-the-radar threats like botnets.

"IT administrators really want the tools to help them identify the source of an alert so they can respond more quickly," she said.