IDS criticisms kindle debate

A Gartner report which called intrusion-detection systems a "failed" technology evoked fervent reactions from users, suppliers...

A Gartner report which called intrusion-detection systems a "failed" technology evoked fervent reactions from users, suppliers and analysts.

Some agreed with Gartner, saying that IDSs are difficult to manage and generate far more data than is useful.

Others said that despite the problems, it was premature to write off IDS technology completely.

An IDS typically operates behind a firewall looking for patterns or signals in network traffic that might indicate malicious activity. Over the past two years, the sensor-based technology has been gaining increasing attention from users who see it as an added layer of protection against attacks that breach other defences, such as firewalls and antivirus software.

However, several problems with IDSs make the technology more trouble than it is worth, said Richard Stiennon, a Gartner analyst and author of the IDS report.

The biggest is the fact that the systems impose a heavy management burden on companies by requiring full-time monitoring, Stiennon said, adding that the tendency of such systems to generate a very large number of false alarms also adds to this burden.

The technology's inability to monitor traffic at transmission rates greater than 600Mbit/sec can also be a problem, especially with widely deployed high-speed internal networks, according to Gartner.

Because of these issues, IDSs will become obsolete by 2005, Stiennon predicted. Instead of spending on technologies that detect intrusions, companies would be better off investing in technologies designed to prevent intrusions from occurring in the first place, such as "deep-packet-inspection" firewalls.

"I don't know about obsolete, but IDS is not all the rage it was two to three years ago, that's for sure," said Michael Engle, vice president of information security at Lehman Brothers Holdings.

When New York-based Lehman Brothers installed an IDS three years ago, the system generated more than 600 alerts daily. Since then, the firm has invested in an event-correlation technology for analysing IDS data and distilling it into a more manageable volume.

Engle declined to identify the software Lehman is using, but suppliers of such products include NetForensics, ArcSight and Intellitactics.

"We agree with a fair amount of the criticism" surrounding traditional IDSs, admitted Chris Hovis, a vice president at IDS supplier Lancope. But using such issues to dismiss the technology entirely is a mistake, he said.

New correlation, statistical and rules-based filtering technologies are beginning to help companies cut through the noise generated by traditional IDSs and mine useful information from them, said Martin Roesch, chief technology officer at IDS vendor Sourcefire.

"I think the Gartner report is shortsighted and ignores basic security principles," Roesch said. The notion that intrusion-prevention technologies can stop all attacks is just not realistic, making the need for IDS technology apparent, he added.

"While the technology has been plagued with issues from the past, such as high false positives, evasion tactics and mismanagement, the leading vendors in this space have responded with products that are very powerful in the hands of the right security staff," agreed Michael Rasmussen, an analyst at Forrester Research.

Jaikumar Vijayan writes for Computerworld

Read more on IT strategy