"IDS as a security technology is going to disappear," says Richard Stiennon, a Gartner research director.
Stiennon contends that organizations are going to so successfully harden their internal systems that the "burglar-alarm" service intrusion-detection systems provide will no longer be necessary. "Imagine a world where there are no intrusions," he says.
That world will be made possible as network-based firewalls gain more intelligence, dig and analyze network traffic more deeply, and eventually protect applications, rather than just networks, from attack. Companies, he says, will also conduct continuous vulnerability assessment and remediation, and will rely more heavily on network and host-based intrusion-prevention software, antivirus technology, and better security-management apps. As part of the security architecture, companies will have in place robust application-access controls and encryption to protect business data.
With that type of security architecture, intrusion-detection systems will no longer be necessary, Stiennon says. "In such a world, if someone had IDS running, it wouldn't be alerting them often," he says.
Other analysts aren't so sure. "When hackers stop putting on their thinking caps about new attack techniques and companies stop making configuration mistakes and the technology industry stops bringing new technology to market, which always brings new vulnerabilities, maybe in that perfect world, intrusion-detection systems might not be necessary," says Pete Lindstrom, research director for Spire Security.
But Stiennon says intrusion-detection systems haven't been providing value to organizations in proportion to their expense. Companies have often complained that the systems they deploy generate more alarms than they could possibly investigate—and many times those alarms go off when there's actually no attack under way. That often creates an unwieldy management burden for IT shops. Stiennon says intrusion-detection systems also have failed to monitor traffic at rates higher than 600 Mbps.
Stiennon says companies are better off investing in firewalls with advanced application protection than standalone intrusion-detection systems.
Check Point Software Ltd. took a step in that direction last month when it unveiled its Application Intelligence features, which help protect companies against attacks lodged against common protocols—but doesn't yet provide the deep application analysis and protection provided by such application firewall vendors as Kavado, NetContinuum, Sanctum, and Teros. But that strength is coming soon, analysts say.
Not surprisingly, intrusion-detection vendors say Gartner's vision of a world without their products is a bit out of focus. "Many large corporations around the globe, prior to IDS, didn't have any visibility into the hacking activity and the threats against their systems if it wasn't for their investment into IDS software," says Tim McCormick, VP of marketing at Internet Security Systems Inc.
Gartner's prediction certainly bucks the buying trends of organizations. According to the Computer Security Institute-FBI annual Computer Crime and Security Survey, only 43% of organizations bought intrusion-detection systems in 1998. That percentage has climbed steadily every year to reach 73% in 2002. Nonetheless, Stiennon says investments in intrusion-detection systems have stalled because of all of their shortcomings.
"It's a utopian vision," says Martin Roesch, founder and chief technology officer at intrusion-detection vendor Sourcefire Inc. "It's like all of a sudden they found some religion or something, or suddenly these guys got dumber. You can't do away with auditing and monitoring network activity. And the technology is constantly getting better. They're wrong on this."
While ISS's McCormick and Sourcefire's Roesch both concede that intrusion-detection systems have had their failings—such as their difficulty to tune and issuing too many alerts—both say their companies are continuously improving their technology. Later this year, Sourcefire will make available its Real-Time Network Awareness appliances, which the company says will constantly monitor systems for vulnerabilities while alerting security pros to anomalous network behavior. Sourcefire says the new technology will greatly enhance the accuracy and effectiveness of its systems.
ISS says intrusion detection won't vanish, but it does agree with Gartner that a large part of its functionality will converge with application and network firewall protection. And for its part, ISS is increasing the power of its line of Proventia appliances, which by year's end will include protection from denial-of-service attacks, in-line attack-prevention capabilities, stateful network and application firewalls, antivirus protection, and centralized management.
But McCormick says companies will still keep their intrusion-detection systems on. "You still need a camera monitoring traffic. You need that big wide-angle view," he says.
Lindstrom agrees. "To say intrusion-detection systems are dead is out of touch and unreasonable. To suggest you go and just put firewalls throughout your enterprise is like [the state] assuming everyone travels at 20 mph on the highway because you put down speed bumps. With speed bumps, you still don't know how fast people are driving or understand how many accidents are caused by speeding."
Gartner's Stiennon isn't swayed. "Many corporations dabbled in IDS, but found it too troublesome to manage," he says. "Their value is not in proportion to their expense."
But don't tell that to Sourcefire CEO Wayne Jackson. "We just signed an eight-figure deal last week," he says. Companies are still investing in intrusion-detection software, he says, "because there's real value there."