The main point of Gartner's report was that "IDS is ineffective, and that people should start investing in more proactive efforts instead of watching worms and viruses cross their networks," Stiennon told me. He argues that IDS technology never offered value commensurate with its cost because of its limited capabilities. "There's always some value in looking at how your systems would be attacked," and an IDS's ability to identify patterns of character strings within traffic does provide a more granular view of possible threats than a firewall does, Stiennon acknowledged. But what good is this information unless it's coupled with some other technology that can act against network threats?
Gartner's position on the IDS market caused a stir among potential buyers that went as high as the Pentagon, which in July 2003 called a meeting with IT managers and procurement officials from the Army, Navy, Air Force, Federal Aviation Administration, and departments of Energy, Justice, and Homeland Security to sort out Gartner's analysis. "I'd been telling them for about a year they shouldn't be investing in IDS," Stiennon told me. A Pentagon official asked him to speak to his staff about the technology's future, given that they were thinking about spending "hundreds of millions" on IDS technology.
At the briefing, Stiennon was surprised to walk into a room filled with IDS vendors, including Arbor Networks, Internet Security Systems, NetForensics, NFR Security, and Sourcefire Network Security. What happened next is subject to debate. Stiennon told me that after the meeting, the Pentagon left IDS off its list of technology priorities but added intrusion-prevention systems to the list. However, Greg Shipley, chief technology officer at consulting firm Neohapsis, was also in attendance and told me that, while the Pentagon was considering removing IDS systems from its list of IT spending priorities, ultimately it didn't.
Stiennon told me he wouldn't change a word in his original report. He still stands by his assertion that companies are better off investing in firewalls with advanced application protection than standalone intrusion-detection systems. Today's IDS market exists but certainly isn't what it was a few years ago. Companies are overwhelmed with data about network traffic and frustrated by the false positives created when their network security systems cry wolf.
So, what's the answer: did Gartner doom the IDS market, or was it simply the nature of today's security needs? Many IDS vendors are still around or have been snatched up by larger companies. However, it's also logical to assume that, once IDS companies started to think about their own mortality, they shifted their resources to developing more progressive types of network security technology. Maybe it's like the paradox faced by time travelers in science-fiction movies (see The Terminator): someone with knowledge of the future has the power to change that future.
What do you think? Was Gartner the IDS market's "terminator"?