Intrusion Detection Systems Can Work--With Effort
But all those advances won’t eliminate the need for human intervention. "I don’t think organizations are willing to take the risk and liability of having a tool make [the decisions] for them," says Julia H. Allen, a senior member of the technical staff in the CERT Coordination Center at Carnegie Mellon University in Pittsburgh. "There’s always going to be some human oversight in that process."
Others agree. "Intrusion detection is extremely high maintenance," says Bruce Larson, a system vice president and director of special network operations for San Diego-based SAIC International (he designs and deploys network security architectures for SAIC clients, including several government agencies and utilities). He estimates that you need at least one full-time network engineer to monitor and tune an IDS--or about $150,000 in fully loaded annual salary costs.
One alternative: Outsource IDS management to a managed services company such as Counterpane Internet Security, whose employees will screen IDS alarms and forward only the most significant alerts to your IT staff, in return for monthly fees of $7,000 to $12,000.
How to Make IDS Work
But outsourced or not, intrusion detection systems are expensive: Appliances can run to $15,000 or more apiece; full-blown systems may cost $100,000 or more. Add staffing support, and an IDS represents a significant investment (not to mention a management headache). That’s one reason the IDS market is still so much smaller than the firewall market, according to Jeff Wilson, executive director at San Jose, Calif.-based Infonetics, a market researcher and consultancy. The other is that it’s so hard to manage: "The IDS market isn’t that useful yet, and you have to sort through mounds of data to get anything useful out of it," he says.
On the other hand, if you have valuable assets to protect, you may have no option but to deploy an IDS. Auditors often require IDS technology before they will certify a company’s network as being adequately secured, particularly in highly regulated industries such as financial services and health care. Apart from regulatory requirements, deciding whether to buy an IDS is a matter of risk analysis. "You have to look at the whole solution space and ask, What am I trying to protect, what do I need, and what can I afford?" says CERT’s Allen.
But deploying an IDS is no cakewalk. According to Rasmussen, most companies’ IDS deployments are doomed from the start. "Only one in four IDS implementations has any chance of success, and only one in 10 will be truly successful," says Rasmussen, citing issues around the problem of false positives, lack of adequate staffing and the failure of many organizations to put their IDS in the context of an overall security management process.



