While intrusion detection systems have seemed like plenty of security in the past to some network managers, a recent Gartner Inc. report suggests intrusion detection systems are on their way to becoming obsolete. With that in mind, Gartner recommends companies redirect the money being spent on IDSes to other, more worthy security measures.
According to Richard Stiennon, research vice-president for Stamford, Conn.-based Gartner and the author of the report, the ability to simply detect intrusion is not enough for network security. Investing in such systems, which can cost anywhere from US$20,000 to US$90,000, doesn’t always pay off, the report states.
Hacker behaviour has a distinct feel to it, Stiennon says, and intrusion detection systems were designed to sniff out such behaviour and report it to network managers. Unfortunately, IDSes can’t be 100 per cent perfect, and they miss some intruder activity (known as false negatives) and flag some regular traffic as intrusions (known as false positives). In addition, IDSes create boxes full of reports, and IT departments may have to spend more money on staff in order to keep on top of those reports.
“I call into question, and Gartner calls into question, the fundamental idea that there’s value in telling you after the fact that you’ve had a hacker,” Stiennon says. He says expensive IDSes will be replaced by systems that prevent intrusions rather than just detect them. The Gartner report states IDS technology will be obsolete by 2005. Forensic functions will still be necessary, Stiennon says, but not in the line of defence.
Jack Sebbag, the Canadian general manager and vice-president of Santa Clara, Calif.-based Network Associates Inc., also foresees the end of IDSes. Sebbag says intrusion prevention systems will be the next big thing.
“When IDS first came out a few years ago, it was huge. ‘Wow. We’re actually going to get notified every time somebody tries to intrude?’ Then this thing starts spitting out report after report after report,” Sebbag says. “The problem is, once the [hacker’s] got in and intruded and stolen digital assets or wreaked havoc on your network, he’s gone. The reports are not really worthy any more because we’re getting boxloads of reports. And yes, it allows us to learn from them, but it doesn’t allow us to protect ourselves.”
WhiteHat Inc.’s Tom Slodichak says the IDS issue is more complex than others suggest. The Burlington, Ont.-based security consulting and training firm’s chief security officer says he agrees IDSes aren’t a “magic mousetrap” like some believe they are, but adds they give network managers a good idea about what kind of traffic is going through their networks.
“I don’t think it was ever intended to stand alone as the only defensive measure,” Slodichak says. “There are other technologies that work in concert with IDS.” The strength of an IDS is network monitoring: used alongside other tools, such as honeypots, it serves network managers as an alarm for suspicious traffic and behaviour on the network.
Although the Gartner report indicates IDSes are on the verge of extinction, some vendors suggest they will evolve into a new species. Kelly Kanellakis, director of technology for the office of the chief technology officer at Andover, Mass.-based Enterasys Networks Inc., says companies will still need to detect intrusions even as they are trying to prevent them.
“The other part of that Gartner article was saying intrusion prevention systems are really the way that people should go,” Kanellakis says. “Now, that’s actually a really good statement, except that with most intrusion prevention systems today, you can’t tune them to the point where you’re only going to prevent just bad things and not good things.” He says if intrusion prevention systems are tuned very strictly on the prevention side, they’ll stop everything that even looks suspicious from getting in, and some of that traffic could be legitimate. On the other hand, if they are tuned loosely, they’ll allow in good traffic and likely some malicious traffic as well.
“What do you do if you don’t have an intrusion detection system on the back-end to tell you that’s happened?”
Detection and prevention systems will likely evolve together. Having one without the other is dangerous, Kanellakis says.
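The tuning trade-off Kanellakis describes, and the reason a detection back-end is still needed behind a prevention system, can be shown with a small simulation. The following is an added example, not code from the article or from any vendor quoted in it: the traffic sample, the suspicion scores and the threshold model are constructed assumptions. An inline prevention system blocks every event whose score reaches its threshold; a strict threshold blocks legitimate traffic (false positives), a loose one lets some malicious traffic through (false negatives), and a detection back-end running on the allowed traffic is what surfaces those misses after the fact.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str
    score: int        # suspicion score, 0 (benign) to 10 (clearly hostile)
    malicious: bool   # ground truth, only known to us after the fact


# Constructed sample traffic (assumption, not real data). Legitimate but
# noisy events (backup jobs, an IT-run scanner) overlap in score with a
# low-scoring malicious event, which is what makes tuning hard.
SAMPLE = [
    Event("10.0.0.11", 1, False),
    Event("10.0.0.12", 2, False),
    Event("10.0.0.13", 5, False),    # nightly backup, looks bulky
    Event("10.0.0.14", 6, False),    # vulnerability scanner run by IT
    Event("198.51.100.7", 4, True),  # low-and-slow, easy to miss
    Event("198.51.100.8", 8, True),
    Event("198.51.100.9", 9, True),
]


def prevent(events, threshold):
    """Inline prevention: block everything at or above threshold, pass the rest."""
    blocked = [e for e in events if e.score >= threshold]
    allowed = [e for e in events if e.score < threshold]
    return blocked, allowed


def evaluate(events, threshold):
    """Count the two error types the article names for one threshold."""
    blocked, allowed = prevent(events, threshold)
    return {
        "threshold": threshold,
        "blocked": len(blocked),
        "false_positives": sum(1 for e in blocked if not e.malicious),
        "false_negatives": sum(1 for e in allowed if e.malicious),
    }


def sweep(events, thresholds):
    """Evaluate several thresholds so the strict-vs-loose trade-off is visible."""
    return [evaluate(events, t) for t in thresholds]


def detect_after_the_fact(allowed, alert_threshold):
    """Detection back-end on the traffic that prevention let through.

    Returns the sources an analyst would be asked to review; this list is
    where both the missed intrusion and the 'boxloads of reports' come from.
    """
    return [e.src for e in allowed if e.score >= alert_threshold]


if __name__ == "__main__":
    for row in sweep(SAMPLE, [4, 7]):
        print(row)
    _, passed = prevent(SAMPLE, 7)
    print("back-end alerts:", detect_after_the_fact(passed, 3))
```

With the constructed sample, a strict threshold of 4 blocks all three malicious events but also the backup and the scanner (two false positives); a loose threshold of 7 blocks nothing legitimate but passes the low-scoring intrusion (one false negative), and only the back-end detector running over the allowed traffic reports it, alongside the two noisy legitimate sources that still have to be triaged.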