No one wants to simply "detect" intrusions. Everyone, quite rationally, wants to prevent intrusions. Leading up to 2003, IDS vendors claimed ever greater capabilities to detect intrusions, with supposedly lower false positive rates. Customers naturally asked the question, "If you can detect it, why can't you prevent it?" Companies selling so-called "intrusion prevention systems" answered "We can!" and dealt a body blow to the IDS market.
The undeniable fact of the matter, however, is that preventing a network-based intrusion requires detecting it. No one has built, or ever will build, a network-based (or host-based, or anything-else-based) system that performs 100% accurate detection, so that means 100% prevention is also impossible. What should you do with events that are not regarded with 100% confidence as being malicious? If you block them, you could deny legitimate business traffic. The sensible alternative is to alert on them and let a human analyst investigate the situation. Hence, we have returned to seeing IDS as a useful tool. IPS, incidentally, is quickly becoming another feature on the network firewall.
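The block-or-alert trade-off described above, as an added example that is not part of the original article: a two-tier policy (block only near-certain verdicts, alert on the uncertain band) is compared with blocking everything the detector flags, over a constructed set of scored events. The confidence scores, labels and thresholds are invented for illustration and do not come from any real product.

```python
"""Added example (not from the original article): two-tier alert-or-block
policy versus block-everything-flagged, evaluated on constructed events."""
from collections import Counter

# Constructed sample: (detector confidence that the event is malicious, ground truth).
# Scores and labels are invented for illustration, not output of any real sensor.
EVENTS = [
    (0.99, True), (0.97, True), (0.91, True), (0.72, True), (0.55, True),
    (0.98, False),  # high-confidence false positive: legitimate traffic that looks malicious
    (0.88, False), (0.74, False), (0.61, False), (0.52, False),
    (0.30, False), (0.12, False), (0.05, False), (0.02, False),
    (0.40, True),   # malicious event the detector under-scores: no policy can catch it
]

def block_all_flagged(confidence, flag_threshold=0.5):
    """Pure 'prevention': every event the detector flags is dropped."""
    return "block" if confidence >= flag_threshold else "pass"

def two_tier(confidence, block_threshold=0.95, alert_threshold=0.5):
    """Block only verdicts the detector is nearly certain about, hand the
    uncertain band to an analyst as an alert, and let the rest through."""
    if confidence >= block_threshold:
        return "block"
    if confidence >= alert_threshold:
        return "alert"
    return "pass"

def evaluate(policy, events=EVENTS):
    """Count (action, is_malicious) pairs so the cost of each policy is visible."""
    return Counter((policy(conf), malicious) for conf, malicious in events)

def legitimate_blocked(policy, events=EVENTS):
    """Business traffic denied by the policy: benign events that were blocked."""
    return evaluate(policy, events)[("block", False)]

def malicious_missed(policy, events=EVENTS):
    """Malicious events that were neither blocked nor surfaced for investigation."""
    return evaluate(policy, events)[("pass", True)]

if __name__ == "__main__":
    for name, policy in (("block-all-flagged", block_all_flagged), ("two-tier", two_tier)):
        c = evaluate(policy)
        print(f"{name}: legitimate blocked={c[('block', False)]}, "
              f"alerted={c[('alert', True)] + c[('alert', False)]}, "
              f"malicious missed={c[('pass', True)]}")
```

On this sample both policies miss the same under-scored malicious event, which is the point about imperfect detection; the two-tier policy denies one legitimate event instead of five and routes the uncertain ones to an analyst.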
This was first published in January 2008.