Intruders: Is detection or protection the answer?

Intrusion detection systems are dead, a panel of analysts told the RSA Conference on Monday. The question remains what should replace them, and whether the newly fashionable "intrusion prevention systems" are more than just a change of buzzword.

"IDS is dead," said Vic Wheatman of Gartner Group. "People bought it, installed it and turned it down when they had too many alerts."

Analyst Mike Rasmussen of Giga agreed: "Seventy-five percent of IDS installations were failures," he said, blaming a failure to allocate enough resources to weed out the false positives, where the IDS issues a false alarm. But intrusion prevention -- where systems are designed to respond automatically to prevent an attack having any effect -- is not necessarily the panacea it is made out to be, he warned: "In many cases, it's the old vendors abusing the term."

The phrase "intrusion prevention" remains problematic for some. "I hate the term. Isn't that what a firewall should do?" said analyst Pete Lindstrom of Spire Security. Where IDS systems use pattern matching on payloads to identify an attack, intrusion prevention systems should operate more intelligently, he said.

On the show floor, delegates were if anything more cynical. Several who declined to be named said they felt that intrusion prevention systems were simply an attempt to make a fresher-sounding buzzword.

Despite the supposed death of IDS, interest in the concept remains strong, however. Jack Phillips, managing partner of the Institute for Applied Network Security, reported that at seminars he organises, IDS and related issues of prevention remains a very strong topic of interest, along with the issue of managing enterprise security.

For IT managers, concerns are even more practical. "If they buy a best-of-breed device, such as an IDS system, they are sceptical about being 'inherited' by a suite vendor that merges with their vendor of choice," said Phillips.

Let the editors know what you think in the Mailroom.