IDS and Gartner: 12 months later

Can it really be 12 months since the infamous press release from research company Gartner shocked the network security world when it declared that intrusion detection systems (IDSs) had proved to be a market failure and would become obsolete by 2005?

A lot has happened within the IDS marketplace since then, but back on June 11, 2003, when this single-page missive from Gartner first appeared on the internet, it quickly became referred to as – grammar notwithstanding – the "IDS is Dead" report.

The release referred to a longer "hype cycle" report, which many today believe was not fully digested by all who commented on the issue.

IDS vendors immediately used the media and any available electronic forum to launch an attack on the author, Richard Stiennon, a research vice-president at Gartner, who had written: "IDSs are a market failure and vendors are now hyping intrusion prevention systems (IPSs), which have also stalled. Functionality is moving into firewalls, which will perform deep packet inspection for content and malicious traffic blocking, as well as anti-virus activities."

Strong stuff, but at the time, Stiennon was the analyst whose pronouncement led to him being ranked 30th on Network World's list of most powerful industry people... way ahead of a slew of luminaries and the only analyst to be included on the list.

One of his most vociferous critics was Andre Yee, the CEO of NFR Security, which has much invested in its Sentivist IDS. Yee has argued time and again throughout the past 12 months that Gartner oversimplified the choices facing enterprises and it could not simply be an either IDS or IPS choice.

He did try to inject a little humor into the controversy by writing to a forum: "Of course, I have a prediction of my own: How about the demise of current generation industry analysts by 2005? Reason? Excessive false positives and lack of corporate value. They will be supplanted by next-gen analysts who will deliver outrages (sic) claims with no loss of performance. After all, if you can make stuff up, why bother with thoughtful analysis."

In the past year, according to Yee, NFR has improved its IDS offerings to answer the criticisms that were included in the Gartner report, and the company has also got serious about IPSs... and Yee says that started to happen well before the Gartner report. "The reality is there is a place for both technologies. No one is going to rip out their IDSs and replace them with an IPS when we launch ours," he says.

That launch was planned for late last month, after this issue of SC Magazine went to press, but Yee says the new product can be classified as a "second generation" IPS.

The perceived advantage IPSs have over IDSs is that they can drop malicious traffic. To some customers that was not seen as an advantage, because, for example, they do not trust IPS enough to allow them to stop what could have been legitimate transactions.

NFR's IPS will have what Yee calls a "trust indexing" mechanism. A known threat will receive a high score on the index and the traffic dropped; an unknown incident will receive a lower score and the decision to drop the traffic will be made by a security analyst.

"After a period of time, customers will be able to calibrate the index to get a maximum level of protection while minimizing the risk of dropping legitimate traffic," says Yee.
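As an added illustration (not NFR's code; the 0-100 score scale, the event fields and the analyst-feedback calibration loop are assumptions), the policy Yee describes can be sketched as a drop threshold that is only lowered as far as reviewed history shows no legitimate traffic would have been blocked:

```python
"""Sketch of a 'trust index' drop/escalate policy with analyst calibration.

Illustration only, not NFR's implementation: the 0-100 scale, the event
fields and the sample history below are constructed for this example.
"""
from dataclasses import dataclass


@dataclass
class Event:
    signature: str      # detection name
    score: int          # assumed trust index 0-100: confidence the traffic is malicious
    known_threat: bool  # matched a known signature, as opposed to an anomaly-only detection


def decide(event: Event, drop_threshold: int) -> str:
    """Known threats scoring at or above the threshold are dropped inline;
    everything else is escalated to an analyst rather than blocked."""
    if event.known_threat and event.score >= drop_threshold:
        return "drop"
    return "analyst"


def calibrate(reviewed: list[tuple[Event, bool]], start: int = 100) -> int:
    """Lower the drop threshold step by step using analyst verdicts.

    `reviewed` pairs past events with the analyst's verdict (True = genuinely
    malicious). Returns the lowest threshold at which no event judged
    legitimate would have been auto-dropped, i.e. maximum protection with
    no known false-positive blocks.
    """
    best = start
    for threshold in range(start, -1, -1):
        would_drop_legit = any(
            decide(ev, threshold) == "drop" and not malicious
            for ev, malicious in reviewed
        )
        if would_drop_legit:
            break
        best = threshold
    return best


# Constructed analyst-reviewed history (signature, score, known?) -> verdict
REVIEWED = [
    (Event("worm-propagation", 95, True), True),
    (Event("sql-injection", 80, True), True),
    (Event("scanner-fingerprint", 60, True), False),  # authorised vulnerability scan
    (Event("port-sweep", 40, False), False),          # anomaly, never auto-dropped
]


def calibrated_threshold() -> int:
    return calibrate(REVIEWED)
```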

NFR is not the only company that says it is finding businesses reluctant to trust relatively immature security products with decisions on whether or not to drop traffic. Symantec has heard similar concerns.

"I have talked to CIOs of large banks and they want to be sure there are no accidents when you block something and it's a million dollar second of processing that they are doing," says group product manager John Harrison.

Symantec acquired its IDS, ManHunt, two years ago when it bought Recourse Technologies. Since then the company has built on its strengths of flagging anomalies and zero-day protection by scaling the product to work on the biggest of networks.

Both Harrison and NFR's Yee say that vendors were already working on negating Gartner's main criticisms of IDS even before the research group called the technology a failure. Those criticisms, in a nutshell, are that IDSs throw up masses of alerts – the vast majority of which are false positives. The high number of alerts leads to a data overload, which in turn forces customers to waste employee time sifting through reams of false alarms.

Bringing down the number of false positives was, during the past 12 months and more, a passion at any company that wanted to remain a player in either the IDS or the IPS spaces. Network Associates (NAI) was also determined to beat the problem, and shortly before the Gartner report came out bought two companies – Entercept and IntruVert – to give it combined IDS and IPS offerings protecting (respectively) the host and the network.

To NAI there was never an either/or when it came to IDS and IPS technologies. The company's vision is that IPSs are a subset of IDSs.

Within the company, the respective product divisions have worked to curtail the number of false positives that plagued IDS. "We have to be more conservative, because we cannot have the failure rate," says Parveen Jain, executive vice-president of McAfee marketing and strategy at NAI. "We can't have the false positives. We can't have all those issues that have bogged down traditional IDS products."

The company claims that with McAfee Entercept and McAfee IntruShield, it is the only one that can deliver protection from the desktop and servers to the core and edge of the network and branch offices.

It is now working to develop the products separately as well as integrate them better, but its next move will be to couple Entercept with its VirusScan product.

"When we bring this sophisticated technology with the traditional anti-virus technology and power-pack all of it into a single agent that can be managed into a very easy fashion by the end users... that is a very powerful proposition to the customers," says Jain.

A combination is also the key at Enterasys, another company determined to beat the problem. The company says that melding its networking infrastructure management capabilities with its IDS offerings seems to have brought it closer to the "Holy Grail" of fewer false positives.

Touting its recently launched Secure Networks architecture, John Roese, the company's chief technology officer, says Enterasys has coined a metric which states that if a customer builds an integrated system with the network and the security frameworks collaborating and co-operating, then the number of measured security events that a human being is asked to look at should drop by more than 75 percent.

Infrastructure and integration are the answer, says Roese, but adds: "Over the past 15 years, customers have spent billions of dollars throwing widgets at security problems and are no more secure today than they were ten years ago... in fact, they are probably worse."

And what of Stiennon, who started all this fuss over a year ago? He is generally unrepentant. He says he expected some negative feedback, but of a different type to what he actually received.

He said he thought the trend away from IDS was so obvious that critics would even say Gartner was late with the obvious conclusions. "That's what usually happens," he said.
