Intrusion detection debate heats up

Australia's Information Security Interest Group (ISIG) has rejected a Gartner Inc. report that calls intrusion-detection systems (IDS) a failed technology, blaming instead chief information officers (CIOs) who do not know how to manage the technology.

Gartner predicts IDSes will become obsolete by 2005 and that, instead of spending money on technology that detects intrusions, companies will be more prudent and focus on prevention, including "deep-packet-inspection" firewalls.

IDS is complex, not a plug-and-play technology, ISIG chair Mark Ames said, but there are plenty of CIOs "who put it in just because someone told them they needed it."

"What's the point of having a sophisticated alarm system if there's no response? Without a response IDS is annoying and costly, but that's not a problem with the technology," Ames said, referring to the Gartner report, which claims IDS isn't cost-effective, is difficult to manage and generates far more data than is useful.

Ames said the problems with IDS stem from two major trends: the exponential growth in the number of attacks and attackers, and the "trenchant refusal of management to put adequate resources into network and security management; the two are related."

"In the past decade traffic on the Internet has grown a million-fold; think of the difference between road traffic 40 years ago and what you see outside your door at rush hour. Then imagine there have been no changes in the roads, traffic signals, road rules, or policing, because that is what the Internet is like today.

"The number of IDS false positives increases with the traffic load and number of attacks per amount of traffic, simple mathematics. On that basis it is a miracle and a credit to the technology that it still works at all."

An IDS typically operates behind a firewall, looking for patterns or signals in network traffic that indicate malicious activity, so the sensor-based technology is an added layer of protection against attacks that breach other defenses such as firewalls and antivirus software.

But Gartner analyst Richard Stiennon said problems with IDS make the technology more trouble than it's worth.

He said the biggest problem is the fact that the systems impose a heavy management burden on companies by requiring full-time monitoring, adding that the large number of false alarms only adds to the burden.

"The technology's inability to monitor traffic at transmission rates greater than 600Mbit/sec can also be a problem, especially with widely deployed high-speed internal networks," Stiennon said.

Ames likened IDS to antivirus products that look for signatures and sound an alarm, pointing out that antivirus was soon overwhelmed by the incredible growth in viruses.

He said IDS is evolving just as antivirus did; antivirus is still called antivirus although it now does far more.

"IDS is at a crossroads; existing products are adding new management and event correlation features, and new products are doing the same thing under the guise of intrusion prevention or other silly names," Ames said.

"IDS users in the know have been doing that for years, sometimes with their own tools and integration work.

"Now IDS and a raft of security appliances have some pretty sophisticated management tools, but no tools on earth can substitute for good management in the first place."

This story, "Intrusion detection debate heats up" was originally published by Computerworld Australia.
