The IT security industry is filled with plenty of technologies that work, but not very well. Technologies that sell, even if they're not particularly cost effective. One of the most pervasive security technologies that doesn't work very well is the intrusion detection/prevention system. Vendors might have you believe every company needs this kind of technology, but I'd say it is only a good investment for the largest 5% of companies.
The idea behind network-based intrusion detection and intrusion prevention systems (NIDS and NIPS respectively) sounds pretty appealing. Stick a box on your network that will look at all traffic. The box will do some analysis and tell you when you're being attacked (in the case of a NIDS) or even drop attacker traffic automatically (in the case of a NIPS).
It sounds like a good thing to have all that insight into what's happening on your network, because it's insight that you didn't have before. But, turn on your typical intrusion detection system for the first time, and you will get spammed. Intrusion detection systems regularly give off over 10,000 alerts a day.
Clearly, not all of those alerts map to real intrusions. But, it's clear that, to get value out of an intrusion detection system, you need to be able to at least separate out some of the good alerts from the many irrelevant ones.
Why are intrusion detection devices so spammy? People love to talk about false positives, and certainly there are plenty. However, false positives are not nearly the whole problem, the way some people think.
What tends to happen is that bad guys are continually crawling the Internet, trying to find issues they can leverage. Yes, the entire Internet is continually under attack. For instance, anybody who runs an SSH server with password authentication enabled will notice a sea of login attempts (my personal server doesn't allow password authentication, which keeps most such attempts away, and yet, yesterday I still got almost 600 attempts).
SSH is a legitimate attack vector, and it's certainly not a false positive for an intrusion detection device to report it. But, most of these attack attempts are going to fail. Some of them can easily succeed, though, if you've got people with very poor (or blank) passwords. So it doesn't necessarily make sense to ignore everything.
Just because NIDS and NIPS technologies have lots of noise that is not due to false positives doesn't mean false positives aren't a problem. They certainly are; common reports are that many devices can be good for thousands a day. But the point is, even if you can get rid of all the false positives, you don't get rid of the high management costs. Lowering the number of alerts takes a lot of work. You have to understand each class of problem, which takes time.
The whole "tuning" process is this very expensive up-front cost. And, even after tuning, there can be a significant ongoing cost to review data on those alerts that you might want to review. For instance, some people might want to try to correlate failed SSH logins to other network traffic that might indicate a successful intrusion (whether manually, or with a security event management product). The upfront costs alone are large enough that it doesn't make much sense for most small and medium businesses to do this kind of thing.
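As an added illustration of the triage described above (this is not code from the original post), the following Python reads sshd log lines, files bulk password guessing from a single source as expected background noise, and surfaces only the logins that succeeded after earlier failures from the same source. The log lines, host name and IP addresses are constructed samples, and the threshold is an assumed tuning knob.

```python
import re
from collections import defaultdict

# Constructed sshd auth-log sample (not from the original post); the IPs are
# documentation-range placeholders, not real sources.
SAMPLE_AUTH_LOG = """\
Mar 10 02:11:03 web1 sshd[4123]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar 10 02:11:05 web1 sshd[4125]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar 10 02:11:09 web1 sshd[4127]: Failed password for invalid user oracle from 203.0.113.7 port 51003 ssh2
Mar 10 02:11:14 web1 sshd[4129]: Failed password for invalid user test from 198.51.100.23 port 40022 ssh2
Mar 10 02:11:20 web1 sshd[4131]: Failed password for bob from 192.0.2.44 port 33011 ssh2
Mar 10 02:11:31 web1 sshd[4133]: Accepted password for bob from 192.0.2.44 port 33012 ssh2
Mar 10 02:12:02 web1 sshd[4140]: Failed password for root from 203.0.113.7 port 51004 ssh2
Mar 10 02:12:08 web1 sshd[4142]: Accepted password for root from 203.0.113.7 port 51005 ssh2
"""

# Matches the password-auth outcome lines sshd writes; anything else is ignored.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_auth_log(text):
    """Yield (result, user, ip) for each sshd password-auth line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def triage(events, noise_threshold=3):
    """Split raw SSH events into background noise and the few worth a look.
    noisy: {ip: failures} for sources at/above noise_threshold (bulk guessing).
    suspicious: (ip, user, prior_failures) for each success that followed
    failures from the same source, most-guessed source first.
    """
    failures = defaultdict(int)
    noisy, suspicious = {}, []
    for result, user, ip in events:
        if result == "Failed":
            failures[ip] += 1
            if failures[ip] >= noise_threshold:
                noisy[ip] = failures[ip]
        elif failures[ip] > 0:  # a success after failures from this source
            suspicious.append((ip, user, failures[ip]))
    suspicious.sort(key=lambda s: s[2], reverse=True)
    return noisy, suspicious

if __name__ == "__main__":
    print(triage(parse_auth_log(SAMPLE_AUTH_LOG)))
```

On the sample, eight raw events collapse to one bulk-guessing source and two successes to review, with the source that guessed four times before succeeding ranked above the user who mistyped once.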
Let's say you're managing a network of 40 users on a corporate DSL line. And let's say you get your NIDS/NIPS and somehow manage to eat the upfront costs, and tune the system to the point where it is down to just 30 messages a day that you see and need to action. Let's say that each message takes only 5 minutes to investigate. If your team is spending 2.5 hours a day on the problem, that's going to cost potentially 30K a year in opportunity cost (time where your IT staff could be more productive). Does your team really spend an average of 2.5 hours a week cleaning up infections? And even if you do, is the NIDS/NIPS system actually going to stop you from incurring the clean-up costs, or just bring them to the surface faster?
In short, the economics don't look that great for small and even medium businesses. But they do typically make sense in the enterprise. There's more tolerance for the up-front costs, and even the ongoing cost, since having even a half dozen people spending their day mining IPS data can make sense when monitoring a network of 40,000 users in a way that paying one person to monitor 40 users does not.
The only way that there's any hope of NIDS/NIPS being cost effective for small businesses is if they can somehow benefit from scale. This is the entire idea around Managed Security Services (MSS), as offered by such companies as Symantec (through their Riptech acquisition), BT Counterpane and Verisign (through their Guardant acquisition). Let those guys monitor and analyze data for 40,000+ users, so they can charge a lot less to a small company than it would take that company to do it themselves.
But, even a managed service costs enough money that it probably isn't worth the cost if you don't have the need for dedicated server IT. Running intrusion detection for a bunch of desktops doesn't make too much sense, because you can stick your entire in-house network behind a NATing router, and then, all of a sudden, (more or less) all of the traffic bound for your network will be due to connections initiated from your network. While you can still do intrusion monitoring, with the external attack surface so low, I'd say it's generally more cost effective to go spend your security budget on other things.
Certainly, as a small business owner, I'm very wary of seeing a real cost benefit before I spend anything on intrusion monitoring products or services--I will need to be spending enough in dealing with intrusions that demonstrably could have been prevented to make it worthwhile.
If you do have the need for dedicated server IT, you can always manage those costs by pushing them off to the cloud. Why pay for running and administering your own web servers (it's much cheaper to secure a cluster of machines dedicated to offering only a single service, by the way), when you can just host your content, and then let someone else deal with the security problem?
If the answer is that you have lots of backend application stuff, then instead of hosting content in the cloud, why not host your applications in the cloud? Let Amazon or Google handle the security. Of course, you have to trust them to do a good job here, but the big guys can generally show their methods and their success at protecting the infrastructure they manage.
For small and medium businesses, this will tend to be an excellent solution, because cloud-based computing has all the scale advantages that make it cheap for the small guy. There does come a point where you have enough scale that it's worth doing yourself, but that doesn't apply to too many people.
In summary, NIDS/NIPS is good for the big guys, but tends to be way too noisy to be cost effective for everybody else. Managed services can help make it cost effective for medium sized shops, but effective NIPS, even if managed, requires not just the infrastructure, but an ongoing investment of money and time--two things which small guys usually lack.
And, they have better alternatives, like the cloud, or simply going without, incurring cost on an as-needed basis.