Intrusion protection: Best of breed or integrated solution?
When it comes to intrusion protection systems, does it make more sense to take a best of breed approach or an integrated solution approach? The answer depends on who is talking. In a face-off at Network World, Martin Roesch, founder and CTO of Sourcefire, makes a case for getting the best possible point products, while Wade Williamson, senior security analyst at Palo Alto Networks, argues for taking a holistic approach.
A best of breed IPS provides a "high fidelity offering," Roesch says. Alternatively, he argues, the main goal of an integrated solution is to provide a "good enough" capability in conjunction with other functionality at a relatively low cost. "The reasoning is that if security is made easy for people to acquire and manage 'under one roof' we'll see more adoption of expanded functionality and, therefore, better security," he says.
In general, Roesch argues, each added function demands more computing power, so an integrated device eventually hits its limits and both network performance and protection quality degrade. He takes aim at Unified Threat Management technology in particular. Such tools, he says, are built not to "protect us from the threats we face" but to "protect us from the top 10 threats on the Internet and [not] impact anything."
Williamson takes issue with the entire question, arguing that best of breed versus integrated solution is a false choice. Answering each new security challenge with yet another device isn't effective in the end, he says: information silos develop, device sprawl follows, and management and operational resources come under more strain.
Equally important, in Williamson's view, is the need for context to effectively detect and address increasingly sophisticated attacks that combine exploits, malware, remote access tools, unknown threats and more. "To stop these types of threats we must ensure visibility into the traffic itself, control all of the various threat disciplines and do it all in context," he says. "A stand-alone IPS does none of these things, and is a leading reason why all of the stalwart IPS vendors have either been acquired by larger network security vendors or are rushing to develop their own 'next-generation' firewalls."
The debate, according to Williamson, is "relatively settled" for now because an IPS has to see the big picture to be effective. "An IPS will miss every threat that it can't see or is looking for in the wrong place, so the battle can be lost before traffic ever reaches the IPS," he writes. "As the bad-guys have evolved from single-shot exploits to multi-dimensional, multi-vectored threats we can only play into their hands if we continue to artificially segment our network security intelligence and enforcement into specialized silos."
For more:
- see the debate at Network World