Gartner Blog Network

A Good IPS Isn’t Necessarily a Good IDS

by Neil MacDonald  |  November 5, 2010  |  Comments Off on A Good IPS Isn’t Necessarily a Good IDS

Is IDS dead? Not at all. I previously blogged that complete protection will require a combination of prevention and detection.

Protection = Prevention + Detection

We cannot and will not be 100% successful in preventing all attacks. Many organizations continue to spend an ever-increasing amount of the IT budget in a futile attempt to prevent all attacks. They’ve reached the point of diminishing returns with prevention technologies. But most clients I talk with have very little in the form of really good detection capabilities to help us understand if we have been compromised and don’t know it yet.

Some network and host-based IPS vendors will argue they already have IDS capabilities, arguing that any good IPS can be put into “detect” mode. However, they miss the point.

Detecting attacks is a fundamentally different problem than detecting intrusions.

Detecting attacks relies on models and patterns of what something bad looks like and then proceed to look for similarities. These systems get their knowledge primarily from external labs and feeds.

Detecting intrusions relies on models and patterns of what something good looks like (typically built by baselining normal behavior) and looking for deviations/anomalies. These systems get their knowledge primarily by observing your own networks and systems in use.

These are quite different, and not every vendor does both well. Could a well-designed product do both? Sure. For example, some of the IPS vendors can consume and process Netflow data to build baselines of normal traffic patterns in their offerings.

Don’t assume that putting a network or host-based IPS into “detect” mode gives you IDS, Sure, it’s “detecting intrusions”, but using the same techniques the IPS engine uses based on external-facing knowledge, not internal. It’s not helping you understand if you’ve already been compromised by a targeted attack that the labs aren’t aware of yet. Despite calling it IDS, you’ve still only got half of the prevention + detection equation.

These are fundamentally different problems.

Additional Resources

Five Board Questions That Security and Risk Leaders Must Be Prepared to Answer

As board members realize how critical security and risk management is, they are asking leaders more complex and nuanced questions. This research helps security and risk management leaders decipher five categories of questions they must be prepared to answer at any board or executive meeting.

Read Free Gartner Research

Category: beyond-anti-virus  endpoint-protection-platform  next-generation-security-infrastructure  security-of-applications-and-data  

Tags: adaptive-security-infrastucture  beyond-anti-virus  defense-in-depth  endpoint-protection-platform  information-security  next-generation-security-infrastructure  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.