April 23, 2004
Latest (last?) Gartner IDS report [ Geekiness ]
Gartner, ye olde purveyor of Insighte Into The IT Fielde, has graced us with an interesting new report on the state of IDS products. In short:
- Current IDS (intrusion detection system) technologies just ain't cutting the cheese when it comes to return on investment - they're costly and not that effective at improving security
- New IPS (intrusion prevention system) technologies are the future of this field, since they detect and automagically block attacks instead of merely detecting attacks (oooh, shiny!)
- IDS vendors need to integrate IPS functionality into their product lines soon, or they'll die a grisly death
Well, grisly in a "corporate board meeting regarding our bankruptcy filing" sense. Nothing that you couldn't pick up from using this stuff yourself, but go and buy the article if you want all the fun Magic Quadrant who's-hot-who's-not-for-CIOs details.
A discussion about this came up at work where one of the security team guys (Kevin) strongly objected to the report, pointing out how the Enterasys Dragon product far outshines its competitors in the IDS arena. I agree, but... well, my inner debater got the better of me. Hence the following treatise:
Mainframes still get you good performance, incredible reliability and unsurpassed data protection. They're also hideously expensive. When's the last time a company or agency you worked for bought a mainframe? Better yet, when's the last time anyone you know got hired to work on a mainframe? For me, it was 1995, and that organization regretted the purchase ever since and migrated to high-end HP Unix systems within 5 years; and 1999, when a guy who touched COBOL 20 years ago got moved to a 6-month contract fixing Y2K bugs.
How are current IDS products like mainframes? They need to adapt - add more prevention features, provide better defensive capabilities, and make their investments truly valuable to buyers - or they'll wither away to occupy a smaller and smaller computing niche, sooner rather than later. The report doesn't mean that individual products are bad, but it points out a trend in the security device market.
Why should we care about this? 40 years ago, if you were an organization that needed a mid-range computer, you bought a mainframe, probably from IBM. 20 years ago, if you needed a computer, you bought a VAX from DEC. 10 years ago, you would buy a SPARC from Sun. 5 years ago, you would buy a PC from Dell. IBM, DEC, Sun and Dell became successful in one era. Then the world changed, challenging their success (not quite yet for Dell). Some survive those changes, some don't. That's the nature of IT, where market forces trump technical merit most of the time. Gartner makes money off of this uncertainty by selling their analysis so that managers can spend their money wisely and avoid expensive mistakes.
While the technical points Kevin brings up are valid, that's not the impact of the report and it's not even what folks who buy Gartner reports care about. Dragon's a good product, but how many good products have ended up replaced or obsolete because their company went out of business, the product line got cancelled, or some other reason not inherent to the product's technical merits? Gartner's audience is the people who pay money for IT in their organization, and they care deeply about not buying products that they'll have to replace ahead of their scheduled 3-5 year refresh cycles because the @#$! vendor goes away or does something stupid to their product line.
Not to say that Gartner's always right, but they have their reputation in the business because they're right enough of the time. Further, their word has weight because there aren't that many competitors in their space, and what government or Fortune 500 CIO/CTO wants to buck what's seen as "industry-wide trends" from a company that does nothing except predict trends? Reports like this are tailored to relatively large conservative consumers of IT, who don't spend a whole lot of time on the bleeding edge, and frankly don't care to. Their priorities are vastly different from the priorities of folks like us who actually make the stuff work, but their priorities are important precisely because they give us stuff to work on.
And hey, if this report means that customers start spending money on IPS products instead of or in addition to their IDS products, that's not a bad thing. It just means that we need to keep our skills up to date (vendor training!), get familiar with new products (demo/test equipment!) and sell more products and services to our customers (more money!) if we don't want to end up like a lone mainframe operator sitting in the basement somewhere.
Original content copyright ©1995-2006 Eric Dobbs, except where otherwise noted.
