Gartner Group, the well-known analyst firm, caused something of a stir recently with its pronouncement that Intrusion Detection Systems (IDS) and their Intrusion Prevention Systems (IPS) offspring were a market failure — and in fact will be obsolete by the middle of the decade.
The Stamford, Conn.-based firm declared that IDS and IPS don’t deliver the extra layer of security that was promised, and that many IDS implementations have been ineffective.
Gartner clearly has picked up on a massive source of end-user industry pain. IDS have long been derided as difficult to manage, creating many false positives and negatives, which is one of the reasons that security event management solutions evolved — to make IDS both more manageable and more effective.
But does isolating the symptom — IDS can be a challenge to manage — mean that the technology is ineffective? In declaring IDS a failure because of manageability issues, is Gartner running the risk of missing the point altogether, and what does its proposed solution imply?
The Real Challenge — Making IDS Work, Whatever It’s Called
There are many challenges with IDS, but as a set of technologies they are pretty effective. They fire off alerts when they see traffic that matches whichever detection method they use to identify problem packets. Far from declaring this approach as failing, Gartner suggests that this technology — “deep packet inspection” — will move into firewalls in the coming years.
Why does the location of the packet inspection matter? If it’s doing what an IDS does except on a firewall, doesn’t that still make it an IDS? And won’t it still have the same problems?
The problem is that most packet sniffing solutions, whether an IDS, IPS or “deep packet inspection firewall,” are context-free. They have no idea whether an attack is relevant, and the volume of events that they produce tends to hide the dangerous attacks in low-risk noise.
As in most security operations with a layered security philosophy, each layer (and each device within a layer) is managed and run independently. There’s no intra-layer or inter-layer cooperation, communication or correlation. Simply moving the packet inspection out to the firewall doesn’t help this issue at all; the volume of false alarms will still be enormous, and the sensors will still be unaware of the larger IT ecosystem that they exist to protect.
IDS Isn’t the Problem — Ineffective Security Event Management Is
To make IDS work, whatever its form, you need to get out of the security silos and get all your layers working together — and in concert with the rest of your IT infrastructure.
Security event management solutions can help overcome many of the issues that Gartner highlighted in its report. By intelligently correlating real-time event data streams from IDS, firewalls, network hosts and other sensors, these solutions are capable of dramatically reducing the time wasted chasing false alarms, as well as identifying false-negative threats that would otherwise have gone unnoticed.
Linking disparate data sources from multiple sensor classes and diverse vendors enables efficient and effective security operations in heterogeneous environments, delivering context-sensitive screens that enable users to make smarter decisions earlier in the incident response cycle.
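The correlation described above can be sketched in a few lines. This is an added example, not code from the article or from any product: the alert fields, signature names, inventory and firewall records are all constructed, and the addresses come from documentation ranges. Each IDS alert is rated using what the firewall did with the flow and what actually runs on the target.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    proto: str
    dport: int
    signature: str  # constructed signature name
    targets: str    # product the signature's attack applies to

# Constructed sample data (documentation address ranges), not from the article.
INVENTORY = {  # host -> {(proto, port): product listening there}
    "192.0.2.10": {("udp", 1434): "mssql"},
    "192.0.2.20": {("tcp", 80): "apache"},
}
FIREWALL = {  # (src, dst, proto, dport) -> action the firewall logged
    ("198.51.100.7", "192.0.2.10", "udp", 1434): "allow",
    ("198.51.100.7", "192.0.2.20", "tcp", 80): "allow",
    ("198.51.100.9", "192.0.2.10", "udp", 1434): "deny",
}
ALERTS = [
    Alert("198.51.100.7", "192.0.2.10", "udp", 1434, "sql-resolution-overflow", "mssql"),
    Alert("198.51.100.7", "192.0.2.20", "tcp", 80, "iis-path-traversal", "iis"),
    Alert("198.51.100.9", "192.0.2.10", "udp", 1434, "sql-resolution-overflow", "mssql"),
    Alert("198.51.100.7", "192.0.2.99", "tcp", 22, "ssh-bruteforce", "openssh"),
]

def triage(alert, inventory=INVENTORY, firewall=FIREWALL):
    """Return (priority, reason) for one IDS alert using firewall and host context."""
    if firewall.get((alert.src, alert.dst, alert.proto, alert.dport)) == "deny":
        return "low", "flow was dropped at the firewall"
    services = inventory.get(alert.dst)
    if services is None:
        # Unknown asset: context is missing, so do not silently discard the alert.
        return "medium", "target host is not in the inventory"
    product = services.get((alert.proto, alert.dport))
    if product is None:
        return "low", "nothing listens on that port on the target"
    if product != alert.targets:
        return "low", f"target runs {product}, signature applies to {alert.targets}"
    return "high", f"{product} is exposed and the flow was not blocked"

def triage_all(alerts=ALERTS):
    """Return (signature, src, priority, reason) for every alert."""
    return [(a.signature, a.src, *triage(a)) for a in alerts]

if __name__ == "__main__":
    for row in triage_all():
        print(*row, sep=" | ")
```

Of the four constructed alerts, only the one that reached a matching, listening service is rated high; the host missing from the inventory is kept for review rather than dropped.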
Real-Time Firewall Event Correlation a Must
So if you haven’t taken the IDS plunge yet, or are simply figuring out how to manage 50 firewalls from multiple vendors, you might think you’re off the hook, and all you have to do is wait for the firewall vendors to solve the problem, right?
Not so fast. If you’re not watching, correlating and reacting to events detected by your firewall, then you’re simply missing every reconnaissance scan perpetrated against your systems. And without IDS, you have no idea which scans are succeeding, and you are missing new attack patterns.
Remember the havoc that Slammer wrought? If you had been monitoring your firewall logs in real time you would have identified the threat in a few seconds as a dramatic rise in requests against port 1434, and would have been able to take quick remedial action.
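As an added example (not from the article or any vendor's product), the following shows one way to spot that kind of rise from firewall logs: count requests per destination port in fixed windows and flag a window that far exceeds the port's own earlier average. The log format, thresholds and sample traffic are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed log format for this example, not any vendor's:
#   <epoch> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>
LINE = re.compile(r"^(\d+) (ALLOW|DENY) (tcp|udp) (\S+):(\d+) -> (\S+):(\d+)$")

def port_surges(lines, window=10, factor=5.0, min_count=20):
    """Return (window_start, proto, dport, count, distinct_sources) for each
    window in which requests to a port exceed factor x that port's mean
    count over all earlier windows (and reach at least min_count)."""
    counts, sources = defaultdict(Counter), defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        ts, _, proto, src, _, _, dport = m.groups()
        start = int(ts) - int(ts) % window
        counts[start][(proto, int(dport))] += 1
        sources[(start, proto, int(dport))].add(src)
    if not counts:
        return []
    history, hits = defaultdict(list), []
    # Walk every window, including empty ones, so quiet periods lower the baseline.
    for start in range(min(counts), max(counts) + window, window):
        seen = counts.get(start, Counter())
        for key, n in seen.items():
            past = history[key]
            baseline = sum(past) / len(past) if past else 0.0
            if n >= min_count and n > factor * baseline:
                hits.append((start, *key, n, len(sources[(start, *key)])))
        for key in set(history) | set(seen):
            history[key].append(seen.get(key, 0))
    return hits

def sample_log():
    """Constructed traffic: 30 s of routine events, then a burst to udp/1434."""
    lines = []
    for t in range(1000, 1030):
        lines.append(f"{t} ALLOW tcp 198.51.100.{t % 5 + 1}:40000 -> 192.0.2.20:80")
        if t % 5 == 0:
            lines.append(f"{t} DENY udp 198.51.100.9:5000 -> 192.0.2.10:1434")
    for i in range(200):
        src = f"203.0.113.{i % 40 + 1}:{1024 + i}"
        lines.append(f"{1030 + i % 10} DENY udp {src} -> 192.0.2.10:1434")
    return lines

if __name__ == "__main__":
    print(port_surges(sample_log()))
```

On the constructed log, the only window flagged is the one where udp/1434 jumps from about two requests per ten seconds to 200 from 40 distinct sources; the steady tcp/80 traffic never trips the threshold.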
Today’s leading real-time security solutions can deliver significantly enhanced value, security and risk reduction, even in a firewall-only environment.
Phil Hollows is vice president of product marketing for OpenService Inc., a provider of network security management software.