IDS criticisms kindle debate

Computerworld - A Gartner Inc. report that called intrusion-detection systems a failed technology that isn't cost-effective evoked fervent reactions last week from users, vendors and analysts on both sides of the argument.

Some concurred with Gartner's position, saying IDSs are difficult to manage and generate far more data than is useful.

"I couldn't agree more," said Eric Beasley, network administrator at Baker Hill Corp., an application service provider in Carmel, Ind., that replaced its IDS with a Web application firewall. "IDS did little to increase our overall security," he said. "All I got was information overload."

Others said that despite the problems, it's premature to completely write off IDS technology.

"I think that broadly describing IDS as a market failure because of product shortcomings is a bit alarmist," said Eric Goldreich, manager of technology at Latham & Watkins LLP, a law firm with 1,500 attorneys in Los Angeles. "The existing solutions are not perfect, but they are much better than nothing at all."

An IDS typically operates behind a firewall looking for patterns or signals in network traffic that might indicate malicious activity. Over the past two years, the sensor-based technology has been gaining increasing attention from users who see it as an added layer of protection against attacks that breach other defenses, such as firewalls and antivirus software.

However, several problems with IDSs make the technology more trouble than it's worth, said Richard Stiennon, a Gartner analyst and author of the IDS report.

The biggest is the fact that the systems impose a heavy management burden on companies by requiring full-time monitoring, Stiennon said. The tendency of such systems to generate a very large number of false alarms also adds to this burden, he said. The technology's inability to monitor traffic at transmission rates greater than 600Mbit/sec. can also be a problem, especially with widely deployed high-speed internal networks, according to Stamford, Conn.-based Gartner.

Because of these issues, IDSs will become obsolete by 2005, Stiennon predicted. Instead of spending on technologies that detect intrusions, companies would be more prudent to invest in technologies that are designed to prevent intrusions from occurring in the first place, such as "deep-packet-inspection" firewalls, he added.

"I don't know about obsolete, but IDS is not all the rage it was two to three years ago, that's for sure," said Michael Engle, vice president of information security at Lehman Brothers Holdings Inc.

When New York-based Lehman Brothers installed an IDS about three years ago, the system generated more than 600 alerts daily, he said. Since then, the firm has invested in an event-correlation technology for analyzing IDS data and distilling it into a more manageable volume, Engle said.