Monday, September 05, 2005

Gartner says IDS is dead

IDS is dead, according to Gartner. This subject came up a few weeks ago in a conversation with the CEO of a network management company that works mainly with US Federal clients. He told me, "Federal Agencies have been dropping millions on IDS for years, and it's not doing them any good. They aren't getting any value out of it. My staff thought I was crazy the first time I said this."

It's common for security officers, consultants, and staff to think that a lack of management support and a lack of organizational investment are the reason for IDS failure. The other side of the coin is that IDS technology is simply too expensive to operate and doesn't provide enough ROI. If your car required a full-time on-site mechanic to rebuild different parts of the engine and transmission, you couldn't afford to drive, either. One of our clients has an industry-leading IDS system. They routinely receive alerts about worm outbreaks on their network from that IDS system two days after the outbreak started -- when the new fire-breathing signatures finally arrive.

The IDS paradigm, like the AntiVirus paradigm, probably has a "sweet spot": things it can do well. But, like AntiVirus, IDS also has limitations that can't be overcome without stepping outside the paradigm. Stretching IDS outside the sweet spot (without stepping outside the IDS paradigm) inflates the cost of operations and the complexity of implementation. Unfortunately, every major IDS on the market today is reaching beyond the IDS sweet spot. The vendors want to help solve problems like worm and botnet invasions, because those are the most common, most damaging, and most expensive intrusions that potential IDS customers face. IDS systems are not well suited to the AntiWorm task. Even in the sweet spot of the paradigm, IDS suffers from a few basic problems:
  1. many false positives
  2. difficult to implement
  3. costly to operate
The response of the IDS industry to these problems is to "tune down" (or tune off) major chunks of the promised and desired functionality of the IDS system. This reduces the rather stunning false positive rate of the typical IDS system on the typical network (which, by the way, the IDS industry euphemistically calls "events" rather than "false positives") to a "manageable level". In other words, stop detecting the needle, the real intrusions, so that the system can be operated by the limited and overtaxed security staff available, not by the hypothetical dedicated full-time team required to sort through the haystack looking for it. That's the root problem with IDS. It's just not possible to coordinate data from so many disparate sources, looking for so many different potential "security events", without generating an unmanageable event load.

Yes, Gartner sometimes has an axe to grind, but in this case I don't see it. They seem to be making an honest assessment that agrees with the honest assessment of the CEO I mentioned -- a professional who makes part of his living installing and operating IDS systems for his clients because they want IDS systems. IDS products are dreadfully out of alignment with the security demands and operational efficiency requirements of a modern network.