Gartner says IDS is dead

IDS is dead, according to Gartner. This subject came up a few weeks ago in a conversation with the CEO of a network management company that works mainly with US Federal clients. He told me, "Federal Agencies have been dropping millions on IDS for years, and it's not doing them any good. They aren't getting any value out of it. My staff thought I was crazy the first time I said this."

It's common for security officers, consultants, and staff to think that a lack of management support and a lack of organizational investment is the reason for IDS failure. The other side of the coin is that IDS technology is simply too expensive to operate and doesn't provide enough ROI. If your car required a full-time on-site mechanic to rebuild different parts of the engine and transmission, you couldn't afford to drive, either. One of our clients has an industry-leading IDS system. They routinely receive alerts about worm outbreaks on their network from that IDS system two days after the outbreak started -- when the new fire-breathing signatures finally arrive.

The IDS paradigm, like the AntiVirus paradigm, probably has a "sweet spot": things it can do well. But, like AntiVirus, IDS also has limitations that can't be overcome without stepping outside the paradigm. Stretching IDS outside the sweet spot (without stepping outside the IDS paradigm) inflates the cost of operations and the complexity of implementation. Unfortunately, every major IDS on the market today is reaching beyond the IDS sweet spot. The vendors want to help solve problems like worm and botnet invasions, because those are the most common, most damaging, and most expensive intrusions that potential IDS customers face. IDS systems are not well suited to the AntiWorm task. Even in the sweet spot of the paradigm, IDS suffers from a few basic problems:
  1. many false positives
  2. difficult to implement
  3. costly to operate
The response of the IDS industry to these problems is to "tune down" (or tune off) major chunks of the promised and desired functionality of the IDS system. This reduces the rather stunning false positive rate of the typical IDS system on the typical network (which, by the way, the IDS industry euphemistically calls "events" rather than "false positives") to a "manageable level". In other words, stop detecting the needle of actual intrusions so that the system can be operated by the limited and overtaxed security staff available, rather than by the hypothetical dedicated full-time team required to sort through the haystack looking for it. That's the root problem with IDS. It's just not possible to coordinate data from so many disparate sources, looking for so many different potential "security events", without generating an unmanageable event load.

Yes, Gartner sometimes has an axe to grind, but in this case I don't see it. They seem to be making an honest assessment that agrees with the honest assessment of the CEO I mentioned -- a professional who makes part of his living installing and operating IDS systems for his clients because they want IDS systems. IDS products are dreadfully out of alignment with the security demands and operational efficiency requirements of a modern network.
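The "unmanageable event load" argument is really base-rate arithmetic: intrusions are rare, so even a tiny per-event false positive rate buries the handful of true alerts. The following is an added illustration (not from the original post or any IDS product); the traffic volume, intrusion count, detection rate, triage time and false positive rates are constructed assumptions.

```python
# Added example: the base-rate arithmetic behind the IDS "event load" problem.
# All numbers below are constructed assumptions, not measurements.

def alert_load(events_per_day: int, intrusions_per_day: int,
               detection_rate: float, false_positive_rate: float) -> dict:
    """Expected daily IDS alerts and the fraction of them that are real.

    events_per_day      - benign + malicious events the sensor inspects
    intrusions_per_day  - how many of those events are real intrusions
    detection_rate      - P(alert | intrusion)
    false_positive_rate - P(alert | benign event)
    """
    benign = events_per_day - intrusions_per_day
    true_alerts = intrusions_per_day * detection_rate
    false_alerts = benign * false_positive_rate
    total = true_alerts + false_alerts
    # Precision: of the alerts an analyst sees, how many point at an intrusion.
    precision = true_alerts / total if total else 0.0
    return {"true_alerts": true_alerts, "false_alerts": false_alerts,
            "total_alerts": total, "precision": precision}


def analysts_needed(total_alerts: float, minutes_per_alert: float,
                    analyst_minutes_per_day: float = 8 * 60) -> float:
    """Full-time analysts required to triage every alert (constructed staffing model)."""
    return total_alerts * minutes_per_alert / analyst_minutes_per_day


if __name__ == "__main__":
    # Constructed network: 10 million inspected events/day, 10 real intrusions/day,
    # 90% detection rate, 5 minutes of triage per alert.
    for fpr in (1e-3, 1e-4, 1e-5):
        r = alert_load(10_000_000, 10, 0.9, fpr)
        print(f"FPR {fpr:.0e}: {r['total_alerts']:,.0f} alerts/day, "
              f"precision {r['precision']:.2%}, "
              f"analysts needed {analysts_needed(r['total_alerts'], 5):.1f}")
```

Even at a false positive rate of one in ten thousand, the constructed network produces about a thousand alerts a day of which under one percent are real, which is the haystack the text describes; "tuning down" lowers the alert count only by also lowering the detection rate.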
