
2/6/2006
06:26 PM

Was Gartner The IDS Market's Terminator?

Nearly three years after contributing to a report that has been accused of sounding the death knell for the intrusion-detection system, or IDS, technology market, a former Gartner analyst stands by his convictions. While I was reporting this week's InformationWeek cover story, "Credibility of Analysts," I had asked a number of sources if they could remember a time when an analyst firm had created a stir by making a bold prediction that flew in the face of the vendor community as well as conventional thinking. Repeatedly, I was referred to Gartner's "IDS is dead" report. Gartner's stance on IDS escalated all the way to the Pentagon (literally) and begs the question: was IDS destined to fade as threats to networks proliferated and evolved, or was Gartner's report responsible for its decline?

The report, actually entitled "Intrusion Detection Should Be a Function, Not a Product," was authored by Richard Stiennon, John Pescatore, and Ant Allan and released in July 2003. Not surprisingly, the report made Stiennon and his colleagues public enemy No. 1 for many vendors making a living selling IDS technology. In fact, Stiennon, who left Gartner in 2004 to work for anti-spyware developer Webroot Software, told me last week that it took six months for him to quell the vendor insurgency that the report caused.

The main point of Gartner's report was that "IDS is ineffective, and that people should start investing in more proactive efforts instead of watching worms and viruses cross their networks," Stiennon told me. He argues that IDS technology never offered value commensurate with its cost because of its limited capabilities. "There's always some value into looking at how your systems would be attacked," and IDS's ability to identify patterns of character strings within traffic does provide a more granular view of possible threats than a firewall does, Stiennon acknowledged. But, what good is this information unless it's coupled with some other technology that can act against network threats?

Gartner's position on the IDS market caused a stir among potential buyers that went as high as the Pentagon, which in July 2003 called a meeting with IT managers and procurement officials from the Army, Navy, Air Force, Federal Aviation Administration, and departments of Energy, Justice, and Homeland Security to sort out Gartner's analysis. "I'd been telling them for about a year they shouldn't be investing in IDS," Stiennon told me. Stiennon was asked by an official at the Pentagon to speak to his staff about the technology's future, given that they were thinking about spending "hundreds of millions" on IDS technology.

At the briefing, Stiennon was surprised to walk into a room filled with IDS vendors, including Arbor Networks, Internet Security Systems, NetForensics, NFR Security, and Sourcefire Network Security. What happened next is subject to debate. Stiennon told me that after the meeting, the Pentagon left IDS off its list of technology priorities but added intrusion-prevention systems to the list. However, Greg Shipley, chief technology officer at consulting firm Neohapsis, was also in attendance and told me that, while the Pentagon was considering removing IDS systems from its list of IT spending priorities, ultimately it didn't.

Stiennon told me he wouldn't change a word in his original report. He still stands by his assertion that companies are better off investing in firewalls with advanced application protection than standalone intrusion-detection systems. Today's IDS market exists but certainly isn't what it was a few years ago. Companies are overwhelmed with data about network traffic and frustrated by the false positives created when their network security systems cry wolf.

So, what's the answer: did Gartner doom the IDS market, or was that done by the nature of today's security needs? Many IDS vendors are still around or have been snatched up by larger companies. However, it's also logical to assume that, once IDS companies started to think about their own mortality, they shifted their resources to developing more progressive types of network security technology. Maybe it's like the paradox faced by time travelers in science-fiction movies (see The Terminator): Someone with knowledge of the future has the power to change that future.

What do you think? Was Gartner the IDS market's "terminator"?

 
