Gartner recently stated a position regarding the market failure of intrusion-detection systems by 2005. Giga's position is that intrusion-detection systems as a technology is not doomed for failure but is
Many want to drive a hard line between the intrusion-detection systems of yesterday and the ones of tomorrow — that is, intrusion prevention and advanced firewall capabilities at the application layer. The reality is that we are seeing an evolution of intrusion-detection technology to intrusion prevention that is simultaneously converging with firewalls. This will lead to a next-generation network security gateway by 2005 — but it is an evolutionary process, not a destruction of the old.
Stating that intrusion detection has failed to protect organizations is an overstatement — by that claim, firewalls and every other security technology have done so, too. Ask the victims of Code Red, Nimda, Slammer and many others how effective their firewalls were in most cases. Technology helps protect organizations, but they all require management and layers of defense.
The problem with intrusion detection today is management — most implementations lack the dedicated and experienced staff to manage intrusion detection. We are only now seeing the maturity in the security workforce that truly understands this technology and can appropriately tune, configure, manage and monitor these systems. While the technology has been plagued with issues from the past such as high-false positives, evasion tactics and mismanagement, the leading vendors in this space have responded with products that are very powerful in the hands of the right security staff.
Network intrusion prevention is not being implemented today en masse. Organizations deploying the new breed of intrusion-detection systems are typically implementing it in a listen mode that is akin to its intrusion detection forefathers. Until the technology proves itself, organizations are unwilling to allow these systems to block traffic. In the meantime, the major intrusion-detection system players (e.g., ISS, Cisco, Intrusion) all intend to evolve their intrusion-detection systems of today into inline intrusion-prevention systems of tomorrow.
Furthermore, the management issue with this new generation of intrusion-detection/-prevention systems that has caused failed implementations is not going away but is growing significantly. Today, intrusion detection is passive, and the headaches of configuration can be ignored. Tomorrow, intrusion detection moves inline to become intrusion prevention and requires a commitment to configuration and management as legitimate business traffic may be affected.
The evolution to intrusion prevention leads to a convergence with firewalls to define and build the next-generation network security gateway. As soon as intrusion prevention is effectively put inline to stop and prevent attacks, this builds firewall functionality that is further enhanced by the vendors offering additional stateful inspection filtering on their intrusion-prevention devices. This is not a fact being ignored by the firewall vendors. NetScreen sees this, and it is the motivation behind the company's OneSecure acquisition last year. Check Point sees this, and it is the motivation of that company's Application Intelligence push.
In 2004, we will see the complete evolution of intrusion detection into intrusion prevention, which will be followed by the convergence of firewalls and intrusion prevention in 2005. To say a technology is dead is premature since what is proclaimed as the new technology to replace it is an evolution of the old. Organizations should work with their existing intrusion-detection vendors and understand their road maps for moving their technology to the intrusion prevention space and beyond.
Furthermore, enabling a successful intrusion-detection system deployment requires that organizations commit the resources that are skilled in configuration, tuning and monitoring of these systems. These resources will only be needed more as this technology evolves.