Information Security

Defending the digital infrastructure

Opinion: 2003 Gartner Hype Cycle for infosec is wrong on IDS

Et tu, Gartner? The research firm's pronouncement that IDS is dead is just the latest Hype Cycle gone awry.

"Succumbing to vendor hype in the security management area can have expensive consequences."

-From the introduction to Gartner Inc.'s "Hype Cycle for Information Security, 2003"

By now you've read all about Gartner's much-ballyhooed Hype Cycle report, in which the esteemed analysts in Stamford advise us to trash our IDSes and invest all our shekels in integrated firewalls.

Gartner's criticism of IDSes isn't wrong; its conclusions are.

Expensive consequences, indeed.

Gartner is living proof of P.T. Barnum's quip that "there's no such thing as bad publicity." Regardless of how you feel about its recommendations, the Hype Cycle report is worth its weight in marketing gold. "Step right up, folks, and get a glimpse of the future of information security!! What's hot? What's hype? For a mere pittance of $495, we'll reveal secrets of ageless wisdom!"

A sucker born every minute? You bet.

This isn't the first time Gartner has capitalized by stirring public sentiment on a controversial topic. Remember John Pescatore's 2001 recommendation to abandon IIS because of its shoddy security? That was wacky advice that nobody took seriously, but it hardly mattered. Pescatore voiced the frustration of millions of Microsoft users fed up with the endless stream of IIS vulnerabilities--at precisely the time their frustration was boiling over.

Then and now, the genius behind Gartner's position is in its decisiveness. This is exactly what overburdened CIOs and CISOs need: not more mealy-mouthed consultants telling them "it depends," but a specific and definitive call-to-action: Kill Your IDS Now!

A Modest Proposal

Yes, false positives are a problem. Yes, IDSes require constant handholding. Yes, inline IDSes are slow. But that doesn't mean that IDSes are a waste of time and money. Security--and, in particular, intrusion defense--just isn't that simple.

Gartner recommends that we "redirect the money [we] would have spent on IDS toward defense applications such as those offered by thought-leading firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product."

I have two problems with this. First, Gartner is essentially recommending that we replace standalone IDSes with firewall-based IDSes. Look under the hood of these new integrated firewalls and what you see is a souped-up app protocol anomaly detector supplementing layer 3-4 stateful inspection. So what Gartner's really telling us is not to dump our IDS, but move it somewhere else.

Second, Gartner recommends we roll up our threat management defenses into one box at a time when distributed, overlapping defenses are more necessary than ever. All the problems Gartner cites with IDSes--false positives and negatives, traffic degradation, configuration headaches--are merely compounded when you consolidate IDS functionality on a gateway firewall device. You think standalone IDSes are immature? This application-level intelligence is indisputably cool, but it's brand spanking new. What does that tell you?

The Gartner position on IDS is replete with many other logical inconsistencies. But, really, what's the point in futzing around with the complexities of modern-day attacks or intricacies of virtual networks or demands of truly reliable defense-in-depth? Why bother to mention the unique value NIDS has as a traffic-auditing tool? Why muddle the message discussing the progress IDS vendors are making in attack intelligence, correlation or logging? Why waste your breath on the notion of "target-based IDS," in which signature scanners and anomaly detectors work hand-in-hand with firewalls and VA tools to raise the good guys' situational awareness?

Why? I'll tell you why: Because wishy-washy doesn't sell. Declarations like "intrusion detection systems are a market failure" do.

Makes you wonder what's next. "Unplug your LAN from the Internet and go back to sneakernets and punch cards." Hmmmm, not a bad idea, eh?

Andrew Briney, CISSP, is editor-in-chief of Information Security magazine.

This was last published in July 2003
