Several years ago, Gartner released a study that definitively proclaimed "IDS is Dead"! Within hours, battle lines were drawn. There were reports that affirmed Gartner's claim and reports that vehemently refuted it. The two schools of thought fought a valiant battle of ink with no clear winner.
That was then, and this is now. Several years after this epic battle, can we proclaim a winner? Looking at market reports, it is undeniable that the number of Intrusion Detection devices being sold is in decline while, conversely, the number of Intrusion Prevention devices sold is on the increase. At first blush this supports the assertion Gartner made several years ago that IDS is indeed in a slow but unavoidable decline.
But with the deployment of IPSs an interesting phenomenon has taken place. When visiting customers I try to learn "how" they are using their IPS. In more than 50% of the cases (keep in mind this is a non-scientific study) the customers I visited do not have the IPS taking any automated action whatsoever: no blocking or rerouting, just alerting. One financial services company confided in me that the only time they turn on automated actions is when the "compliance auditors are in town".
Many reasons are cited as to why my surveyed companies do not turn on automated actions. They include:
· Well, this is the way we always did it.
· It will be a career-limiting move to close out the wrong person at the wrong time for the wrong reason because of a false positive that the system may pick up.
· I do not trust the system to take action without confirming the action with me.
And while these concerns are all valid, much of the market has de facto deployed IPS devices to NOT take action, effectively making them detection-only devices (read: IDS)! With the advances in security technology today, many of the aforementioned concerns associated with automated actions can be largely eliminated, while also saving cost. The tide is beginning to turn, and companies are starting to deploy security with automated actions when suspect traffic is detected. However, until the prevention portion of IPS goes mainstream, IDS remains alive and well, and IDSs will live to fight another day.