Drowning in signature libraries and reactive event information that is of little value in locating attacks in progress, network security managers are fed up with signature-based intrusion-detection systems that have been the backbone of network security. Amid an ever-shrinking time gap between vulnerabilities and exploits, signature-matching IDS already has become obsolete, analysts and users say.
"We've hit the wall with IDS," says Bill Boni, chief information security officer of Motorola in Schaumburg, Ill. "We get a million IDS alerts a week. It's choking our consoles, and we can't tell the difference between an event and a non-event."
Sales of the burdensome, expensive technology are flattening, according to Infonetics Research. The research firm predicts that this year will close with sales of $281.1 million, and sales are forecast to edge up to $341.5 million in 2007.
But don't count on IDS to die in 2005 as Gartner predicted in a controversial report last year. Instead, IDS will become part of a greater framework of security information management (SIM), in which IDS data can be augmented by more reliable monitoring and reporting technologies. In the near term, this relegates IDS to a forensics and analysis role for after-the-fact inspection, users and analysts say. In five years or so, a coalescence of compliance management and endpoint, kernel-level security could cause the demise of signature-based IDS altogether.
"What we're going to see is a hybrid. Monitoring at the edge and core, sensor devices and remediation consoles all over the network that work together," says Joel Snyder, principal at Opus One and a Network World Lab Alliance member. "Just like your network isn't one box that you plug everything into, it's the same with your IDS landscape."
Already, frustrated IT leaders like Boni are working around IDS' maddening shortcomings by correlating IDS alerts with other security and vulnerability information - something Boni's team did by writing its own middleware. SIM vendors also have become more modular in their approach to security information analysis by layering proprietary vulnerability management, anomaly detection, network assessment and even honeypot modules with IDS modules to better pinpoint and respond to security events.
"Where we've failed is in that detection has been binary before - yes, this is an attack; no, it's not an attack," says Andre Yee, CEO and president of intrusion management vendor NFR Security. "There needs to be qualitative assessments of each detection. So the first change you'll see in intrusion management is the inclusion of vulnerability management and other discovery tools falling under a category of what I call enterprise security intelligence."
Leading the charge in better security information are the intrusion-prevention system (IPS) vendors, which use a variety of proprietary network and traffic analysis engines to reduce reliance on signatures and avoid the same false-positive mistakes their IDS forefathers made. IPS sits in-line at the network perimeter, scanning incoming traffic for signs of malicious code. Unlike IDS, it can drop suspect traffic automatically or alert network security staff, who will handle it manually.
IPS vendors project that their tools ultimately will replace IDS altogether. Infonetics projects a jump from $132.3 million to $425.5 million in sales for inline IDS between 2004 and 2007. Gartner, too, sees IPS sales surpassing IDS sales by the end of next year, says Greg Young, a Gartner analyst. "Most vendors have already made the switchover from pure IDS to IPS with some sort of mitigation," he says.
"The average intrusion-detection system has about 6,000 signatures. But our clients are only running intrusion prevention's blocking mode on about 25 to 50 signatures. The rest are still run in detection mode," says Paul Proctor, vice president of the security and risk strategies practice at Meta Group.
For example, Boni's team at Motorola is looking into using IPS as a means to dramatically reduce IDS alerts by blocking the most commonly known viruses, worms and attacks at the network edge. "If we can calibrate the IPS sensors and they block 900 of 1,000 attacks, then that leaves only 100 events hitting our IDS," he says.
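The two ideas above, a small blocking-mode subset on the in-line IPS and middleware that correlates the surviving IDS alerts with vulnerability data, can be shown in one short pipeline. The following is an added illustration, not Motorola's middleware or any vendor's product: the signature metadata, asset inventory and alert lines are all constructed for the example, and the bucket names (`blocked`, `actionable`, `informational`, `unverified`) are assumptions of this example.

```python
"""Added example: in-line blocking of a few high-confidence signatures, then
correlation of the remaining IDS alerts against an asset/vulnerability
inventory so that alerts against non-vulnerable targets are downgraded.
All data below is constructed; none of it is a real ruleset or inventory."""
from collections import Counter
from dataclasses import dataclass

# Constructed signature metadata: the service a rule targets and the versions it
# is known to affect. Real rulesets carry this kind of data as rule metadata.
SIGNATURES = {
    "sid-2003": {"service": "smb",  "affected": {"1.0"}},
    "sid-2050": {"service": "http", "affected": {"5.0"}},
    "sid-3100": {"service": "http", "affected": {"5.0"}},
    "sid-4200": {"service": "ssh",  "affected": {"3.4"}},
}

# Signatures run in blocking mode on the in-line IPS: deliberately a small,
# well-calibrated subset, as the article describes (constructed ids).
BLOCK_MODE = {"sid-2003", "sid-2050"}

# Constructed asset inventory: host -> {service: version}, the sort of data a
# vulnerability scanner or CMDB would feed into the correlator.
ASSETS = {
    "10.0.0.5":  {"smb": "1.0", "http": "6.0"},
    "10.0.0.9":  {"http": "5.0"},
    "10.0.0.12": {"ssh": "4.1"},
}


@dataclass(frozen=True)
class Alert:
    signature: str
    dst_ip: str
    dst_port: int


def classify(alert: Alert) -> str:
    """Return one of: blocked, actionable, informational, unverified,
    unknown_signature (bucket names are this example's own)."""
    meta = SIGNATURES.get(alert.signature)
    if meta is None:
        return "unknown_signature"
    if alert.signature in BLOCK_MODE:
        # Dropped in-line at the edge; it never reaches the IDS console.
        return "blocked"
    host = ASSETS.get(alert.dst_ip)
    if host is None:
        # No inventory for the target: keep it visible rather than silently
        # downgrading it, since the correlator cannot vouch for the host.
        return "unverified"
    version = host.get(meta["service"])
    if version is None:
        # Target does not run the attacked service at all.
        return "informational"
    return "actionable" if version in meta["affected"] else "informational"


def triage(alerts):
    """Group alerts into buckets; 'actionable' is what an analyst should see first."""
    buckets = {k: [] for k in
               ("blocked", "actionable", "informational", "unverified", "unknown_signature")}
    for alert in alerts:
        buckets[classify(alert)].append(alert)
    return buckets


def summarize(alerts) -> Counter:
    """Per-bucket counts, the number a console would report."""
    return Counter(classify(a) for a in alerts)


# Constructed alert stream standing in for a week of IDS output.
SAMPLE_ALERTS = [
    Alert("sid-2003", "10.0.0.5", 445),   # blocked in-line
    Alert("sid-3100", "10.0.0.9", 80),    # http 5.0 is affected -> actionable
    Alert("sid-3100", "10.0.0.5", 80),    # http 6.0 not affected -> informational
    Alert("sid-4200", "10.0.0.12", 22),   # ssh 4.1 not affected -> informational
    Alert("sid-4200", "10.0.0.7", 22),    # host not in inventory -> unverified
    Alert("sid-2050", "10.0.0.9", 80),    # blocked in-line
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(f"{bucket:18s} {len(items)}")
```

Of the six constructed alerts, two are dropped in-line and only one survives correlation as actionable; the unverified bucket is deliberately kept separate so that gaps in the inventory surface as work for the inventory owners rather than disappearing into the noise.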
But all of this extra monitoring capability will be costly. According to Snyder, replacing a traditional $10 LAN switch with IPS-capable LAN equipment costs hundreds to thousands of dollars per port sensor. That doesn't include the human management and maintenance costs of the IPSs on those ports.