May 29, 2000
Human Element Is Key To Stopping Hackers
continued...page 3 of 3
Whatever the approach, there's no such thing as bulletproof security. Even if a company goes with an intrusion-detection service provider, there are no guarantees its security tools and experts will catch every unauthorized ping or Trojan horse. Intrusion-detection tools can't actually stop a denial-of-service attack, but they can at least give a heads-up if one is infiltrating a network.
"Intrusion detection shouldn't provide a false sense of security," Foundstone's Kurtz says. "There are still many attacks and events that aren't captured, as well as the superfluous information."
And as with antivirus software, network managers have to keep intrusion tools up-to-date with the latest threats. They can't just install the software and let it go. That's the advantage of going with a security provider, which would be responsible for keeping the software updated. "If you buy it off the shelf, install it, and forget about it, you're going to get infected," says Frank Swift, manager of security operations at Pilot Network Services.
Even with an intrusion-detection service, there's the risk of hackers shutting down the sensors so they can sneak into a network, says Depository Trust's Jarocki. That's why risk management and regular audits by white-hat hackers are crucial. "I still use auditors," Jarocki says. "I need proof that we're doing a good job with intrusion-detection services."
Intrusion-detection software has a long way to go before it's truly automated and intelligent, experts say. An intrusion-detection service must be customized to protect a company's internal applications, such as human-resource tools, so its security software can defend against any attacks on that app. "Our consulting group has to have an option in its service [contract] to write company-specific attack measures," says Scott Gordon, director of product management for Axent Technologies.
An ironic twist is that encryption can block a sensor. Intrusion tools can't read traffic encrypted in a Secure Sockets Layer session. But an intrusion tool or service that includes host-based monitoring would have a chance of detecting an attack once the server on the receiving end decrypts the traffic, Foundstone's Kurtz says.
The next generation of intrusion-detection products and services will be more intelligent and able to make more informed decisions on whether to shut down a port under siege. "Down the road it will be more self-learning, with the system being able to pick up trends from signatures of attack," says DefendNet's Giordano.
Even with all the potential automation for these tools, intrusion detection still will require human interaction from a security group, which could include the help desk, the telecommunications staff, and, if it's a big event, the management and legal staffs. Says Depository Trust's Jarocki, "You can never take the human element out of it."