• United States



by Sandy Kendall

Is Intrusion Detection a Dead-End Technology?

Jul 14, 20032 mins
CSO and CISOData and Information Security

A month ago, a Gartner research report declared that intrusion detection systems were a market failure. The report and a graph depicting Gartners Information Security Hype Cycle indicated that intrusion detection system (IDS) technology had gone beyond the peak of inflated expectations and was rapidly sliding toward the trough of disillusionment. While, according to Gartners Hype Cycles, some technologies emerge from that dread trough and climb respectably to a plateau of usefulness, Gartner had no such hope for IDS. It said the products have failed to provide value relative to costs and will be obsolete by 2005.

That made IDS vendors cross. People whove spent a lot of money with them werent very psyched about this report, either.

Vendors and spenders alike accept some of the criticisms that Gartner lobs at the young technology, such as its high demands on networks and IT staff, its high requirement for maintenance and its high rate of false positives (one IDS user told Computerworld that his companys IDS generated more than 600 alerts daily). But theyve called the reports prediction for IDS to completely fizzle short-sighted and emotional and alarmist. The products are evolving and improving, they say.

Intrusion detection systems typically work within a networks firewall to identify and record attempts to break into or misuse the system by sniffing packets off a switch port. They alert administrators to what they find but cant drop anything out of the flow of traffic.

Another technology often mentioned in the same breath as IDS is intrusion prevention systems (IPS), which are seen to combine the detection function of IDS but, being deployed differently, can respond more directly to perceived intrusion. The Gartner report, however, suggests that IPS is just following IDS along the hype trail to oblivion and that instead, functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as antivirus activities.

IDS vendors say no prevention system, be it IPS or advanced firewalls, is going to stop every attack. Therefore IDS is needed for monitoring and audit functions, in order to analyze a systems weaknesses and adapt prevention policies to that.

Does that ring true to you, or is it wishful thinking from those invested in the hype? Is it time to cut bait and try something else, or is Gartner looking for its own hype?