
Larry Greenemeier, Contributor

February 6, 2006


Nearly three years after contributing to a report that has been accused of sounding the death knell for the intrusion-detection system, or IDS, technology market, a former Gartner analyst stands by his convictions. While I was reporting this week's InformationWeek cover story, <a href="http://www.informationweek.com/story/showArticle.jhtml?articleID=178601879">"Credibility of Analysts,"</a> I had asked a number of sources if they could remember a time when an analyst firm had created a stir by making a bold prediction that flew in the face of the vendor community as well as conventional thinking. Repeatedly, I was referred to Gartner's "IDS is dead" report. Gartner's stance on IDS escalated all the way to the Pentagon (literally) and raises the question: was IDS destined to fade as threats to networks proliferated and evolved, or was Gartner's report responsible for its decline?

The report, actually entitled "Intrusion Detection Should Be a Function, Not a Product," was authored by Richard Stiennon, John Pescatore, and Ant Allan and released in July 2003. Not surprisingly, the report made Stiennon and his colleagues public enemy No. 1 for many vendors making a living selling IDS technology. In fact, Stiennon, who left Gartner in 2004 to work for anti-spyware developer Webroot Software, told me last week that it took six months for him to quell the vendor insurgency that the report caused.

The main point of Gartner's report was that "IDS is ineffective, and that people should start investing in more proactive efforts instead of watching worms and viruses cross their networks," Stiennon told me. He argues that IDS technology never offered value commensurate with its cost because of its limited capabilities. "There's always some value in looking at how your systems would be attacked," and IDS's ability to identify patterns of character strings within traffic does provide a more granular view of possible threats than a firewall does, Stiennon acknowledged. But what good is this information unless it's coupled with some other technology that can act against network threats?

Gartner's position on the IDS market caused a stir among potential buyers that went as high as the Pentagon, which in July 2003 called a meeting with IT managers and procurement officials from the Army, Navy, Air Force, Federal Aviation Administration, and departments of Energy, Justice, and Homeland Security to sort out Gartner's analysis. "I'd been telling them for about a year they shouldn't be investing in IDS," Stiennon told me. Stiennon was asked by an official at the Pentagon to speak to his staff about the technology's future, given that they were thinking about spending "hundreds of millions" on IDS technology.

At the briefing, Stiennon was surprised to walk into a room filled with IDS vendors, including Arbor Networks, Internet Security Systems, NetForensics, NFR Security, and Sourcefire Network Security. What happened next is subject to debate. Stiennon told me that after the meeting, the Pentagon left IDS off its list of technology priorities but added intrusion-prevention systems to the list. However, Greg Shipley, chief technology officer at consulting firm Neohapsis, was also in attendance and told me that, while the Pentagon was considering removing IDS systems from its list of IT spending priorities, ultimately it didn't.

Stiennon told me he wouldn't change a word in his original report. He still stands by his assertion that companies are better off investing in firewalls with advanced application protection than standalone intrusion-detection systems. Today's IDS market exists but certainly isn't what it was a few years ago. Companies are overwhelmed with data about network traffic and frustrated by the false positives created when their network security systems cry wolf.
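The two technical points behind the debate above, that an IDS matches character strings in traffic but only reports what it sees, and that such matching cries wolf on benign traffic, can be shown in a few lines. The following is an added example, not code from the article, Gartner, or any vendor named here: a toy signature inspector run over constructed packets in "detect" mode (log and forward everything, the IDS behaviour Stiennon criticised) and in "prevent" mode (log and drop matches, the inline action he argued should accompany detection). The signatures, addresses, and payloads are all made up for the demonstration, and one benign request deliberately contains a signature string to produce a false positive.

```python
"""Toy signature-matching inspector: detect-only (IDS) versus inline blocking (IPS).

Added example; SIGNATURES and SAMPLE_PACKETS are constructed, not from any product.
"""
from dataclasses import dataclass, field

# Constructed signatures: byte strings the inspector searches for in payloads.
# Real engines use far richer rules; plain substrings keep the point visible.
SIGNATURES = {
    "traversal": b"../../",
    "cmd-shell": b"cmd.exe",
}


@dataclass
class Packet:
    src: str
    payload: bytes


@dataclass
class Result:
    alerts: list = field(default_factory=list)     # (src, signature name)
    forwarded: list = field(default_factory=list)  # packets allowed through
    dropped: list = field(default_factory=list)    # packets blocked inline


def match_signatures(payload: bytes) -> list:
    """Return the names of every signature whose byte string occurs in payload."""
    return [name for name, pattern in SIGNATURES.items() if pattern in payload]


def inspect(packets, mode: str = "detect") -> Result:
    """Run the signature set over packets.

    mode="detect":  record an alert for each hit, forward every packet (IDS).
    mode="prevent": record an alert for each hit, drop matching packets (IPS).
    """
    if mode not in ("detect", "prevent"):
        raise ValueError(f"unknown mode {mode!r}")
    result = Result()
    for pkt in packets:
        hits = match_signatures(pkt.payload)
        for name in hits:
            result.alerts.append((pkt.src, name))
        if hits and mode == "prevent":
            result.dropped.append(pkt)
        else:
            result.forwarded.append(pkt)  # detect mode never changes the traffic
    return result


def false_positive_rate(result: Result, benign_sources) -> float:
    """Fraction of known-benign sources that still triggered an alert."""
    alerted = {src for src, _ in result.alerts}
    flagged = sum(1 for src in benign_sources if src in alerted)
    return flagged / len(benign_sources)


# Constructed traffic: one probe, one clean request, and one benign wiki post
# whose text happens to contain "../../" (the false-positive case).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", b"GET /../../etc/config HTTP/1.1\r\n"),
    Packet("10.0.0.7", b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", b"POST /wiki HTTP/1.1\r\n\r\nUse ../../ paths relative to the build dir"),
]
BENIGN_SOURCES = ["10.0.0.7", "10.0.0.9"]

if __name__ == "__main__":
    for mode in ("detect", "prevent"):
        r = inspect(SAMPLE_PACKETS, mode)
        print(f"{mode}: alerts={r.alerts} forwarded={len(r.forwarded)} dropped={len(r.dropped)}")
    print("false-positive rate:", false_positive_rate(inspect(SAMPLE_PACKETS, "prevent"), BENIGN_SOURCES))
```

In detect mode the probe and the benign wiki post both raise an alert and all three packets reach the host, which is exactly the "watching worms cross the network" situation the report objected to; an analyst still has to act on each alert. In prevent mode the same two packets are dropped, so the false positive now costs a legitimate user, which is why the false-positive problem mentioned above matters more once detection is wired to enforcement.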

So, what's the answer: did Gartner doom the IDS market, or was the market doomed by the nature of today's security needs? Many IDS vendors are still around or have been snatched up by larger companies. However, it's also logical to assume that, once IDS companies started to think about their own mortality, they shifted their resources to developing more progressive types of network security technology. Maybe it's like the paradox faced by time travelers in science-fiction movies (see The Terminator): someone with knowledge of the future has the power to change that future.

What do you think? Was Gartner the IDS market's "terminator"?
