The IT security industry is filled with plenty of technologies that work, but don’t do enough—technologies that sell, even if they’re not particularly cost-effective. One of the most pervasive security technologies that typically isn’t cost-effective is the intrusion detection/prevention system. Some vendors might have you believe every company needs this kind of technology, but I’m not so sure. Particularly, I think small companies should be careful to think about whether it is really going to be a cost-effective solution.
The idea behind network-based intrusion detection and intrusion prevention systems (NIDS and NIPS, respectively) sounds pretty appealing. Stick a box on your network that will look at all traffic. The box will do some analysis and tell you when you’re being attacked (in the case of a NIDS) or even drop attacker traffic automatically (in the case of a NIPS).
It sounds like a good thing to have all that insight into what’s happening on your network, because it’s insight that you didn’t have before. But turn on your typical intrusion detection system for the first time, and you will get spammed. Intrusion detection systems regularly give off over 10,000 alerts a day.
Clearly, not all of those alerts map to real intrusions, but it’s clear that to get value out of an intrusion detection system, you need to be able to separate some of the good alerts from the many irrelevant ones.
Why are intrusion ...