The Future of Intrusion Detection

IDS: Can’t Live With It, Can’t Live Without It.

By Bob Lonadier

It’s fun to predict The Future of Intrusion Detection, unfortunately today’s IDS is a technology collection that everyone loves to hate. Market and technology drivers are key to IDS evolution, but existing IDS imperatives will shape development over the next two years. Don’t look for stand-alone solutions then; they will have to be integrated in order to work effectively. The question is integrated with what?

The primary market drivers for IDS products and services are three-fold: increased network complexity fueled by the demand for increased connectivity among computer systems, performance requirements as bandwidth costs continue to fall, and the proliferation of "hack in a box" technology that makes developing next generation exploits easier.

The technology drivers are new detection and correlation algorithms, performance improvements via Moore’s law, and the proliferation of alternate intrusion data sources, including desktop anti-virus and personal firewalls.

IDS Imperatives

Forget the "security expert in a box" idea – it just won’t work. The idea is to capture how a security expert manages an IDS network and package it into an offering. There is only one problem -- experts thrive on complexity, not simplicity. Making a product or service reliable to the point where it can replace a phalanx of trained experts requires making it do less, not more (see #2 below). IDS is suffering from too much data and not enough information already and more features are not going to help.
Simplify, Simplify, and Simplify. Personal firewalls are effective because their controls are very simple to use. IDS needs to be designed such that any idiot can install, configure, and operate, because sooner or later any idiot will install, configure, and operate it.
Intrusion Detection will still be needed even after effective Intrusion Prevention. You’ll still need someone to watch the bank vault, no matter how difficult it is to break into. And don’t even think about asking an IDS system to prevent an attack; it is like arming your security cameras with tear gas. Both serve a valuable role, but combining them in one product makes little sense.

IDS Future Scenarios

IDS becomes part of the Network Operating System. The network needs to get a lot smarter before it can act as both as traffic cop and early warning system.
IDS gets embedded in the Host Operating System. The concept of a secure perimeter vanishes as the operating system and application take responsibility for identifying and isolating threats.
IDS joins with the Device Management and Control. In this scenario each network element (including security devices) has its own detection and reporting capabilities that provide information to a central repository that monitors not only network health but also security.

End-users will become less tolerant as product complexity increases; but fear not because sooner or later the vendors will realize that less is more. The customers will hold the vendors accountable and outsource as much as they can afford.

Robert Lonadier is the president of RCL & Associates, a Boston-based analyst and consulting firm specializing in providing implementation-ready counsel and advocacy services to senior management in information security. He can be reached info@rcl-associates.com.