IDS is still immature

Intrusion-detection systems have become the new darling of the security world. Many security professionals will tout IDS as the silver bullet against intrusions. Well, don't believe it. Like the mythic werewolf it kills, the silver bullet is itself a myth. There is no single product, technique or mechanism that can serve as the be-all and end-all of security. There are so many aspects to consider when implementing security, from logical/technical controls to administrative and physical ones, that no single entity can meet all of the demands. That's why most seasoned security professionals say that the only silver bullet in security is not having a security policy, and the beast it kills is your organization.

OK, back to the topic at hand: IDS. Intrusion-detection systems have been hyped as the way to automatically and intelligently monitor your network for intrusion attempts and malicious attacks. Unfortunately, the technology behind IDS just isn't mature enough to support such a claim. And I've found evidence to back that up.

An article in NetworkWorldFusion from June 2002 presents the findings of three independent security consultants who tested eight "top of the line" IDS products against live traffic at an ISP. Their finding was that every single IDS product performed dismally. Many of the products collapsed under the sheer volume of false alarms they themselves generated. Most of the products completely failed to recognize real attacks when they occurred. And all of the products were so complex to configure that human error and operator understanding became serious issues.

The article is quite lengthy, and it goes into good detail about the configuration of the test environment and the lengths the authors went to in order to give the IDS products as fair a chance as possible. They concluded that while IDS isn't exactly plug-and-play, it does show promise. IDS may be useful in some organizations, but extensive time is needed to train and configure the product for your specific IT environment. Even after three months of intensive tuning, all of the products in the test continued to produce an unwieldy level of false alarms.

The "Crying wolf: False alarms hide attacks" article can be found at: http://www.nwfusion.com/techinsider/2002/0624security1.html.

About the author
James Michael Stewart is a writer and researcher at Lanwrights, Inc.

This was first published in August 2002
