A call for better intrusion detection
Intrusion detection systems (IDS) have become the current "big thing" in information security. They are becoming as ubiquitous as the firewall, and are currently a hot button for auditors and consultants. If only IDS delivered on its promises. Instead of focusing on refinement and stability, it seems many vendors are working more on "spin." In fact, some of the exact same products and technologies that you looked at yesterday as intrusion detection systems have begun to be marked as so called intrusion prevention systems. I don't know about you, but in my book, detection and prevention are two completely different things.
Let's take a step back for a minute. These devices are supposed to be like burglar alarms for our networks and systems. They are supposed to make noise and flash lights or something like that whenever they detect some event or anomaly. However, many IDS vendors still have problems performing these basic functions, let alone actually preventing intrusions. Then again, we should consider that intrusion detection is a tough technology. Networks are not really like houses. They are thousands of times more dynamic than the physical world. The traffic patterns and throughputs are several orders of magnitude above a complete city, let alone a home.
Vendors of IDS tools must rise to the occasion. As users of their security wares, we the customer, need more help. We need true integration of network IDS and host IDS tools into a truly workable solution and manageable console. We need the ability to monitor high speed networks with changing assets and applications. We need base lining and tuning of the deployments to be easier, faster and more reliable. We need understandable action items as alerts instead of arcane data dumps that must be deciphered. We need less false positives and no false negatives. We also need technology and working implementations instead of vaporware and empty promises. The price needs to also make sense in real world IT terms.
I know vendors out there are listening. I also know that many organizations share my frustrations and desires. So a word to the wise, IDS vendors: Take heed of our requests, pay some realistic attention to our desires and you might just become the market leader.