I had a long talk with a client yesterday regarding IPS. They were setting up a nice sized extranet infrastructure to serve their clients, and they needed to build some security into the design before they implemented. They had already thought of a lot of pieces, and now they were looking at putting in IPS. They were already being courted by one IPS company, but they wanted to know about others and what the strengths and weaknesses were.
So as I started into the discussion, I diverged a bit from the pure technical discussion and talked about the view of the network as a whole. Basically, I tried to get them to look at the big picture of what they were buying versus just an IPS as a single silo. What I talked about was how the one IPS they were looking at was an excellent IPS, but I also told them that they really had no big advantage over any of the other big IPS vendors in the market. If you look at the Gartner chart for IPS, there are about 5-7 vendors in the magic quadrant. Basically, the product is a commodity, just like anti-virus and other mature products. Though some boxes have advantages over others, they all really can do the job. Most are able to protect multiple segments and can handle multi-gig speeds. Most have a default set of policies that are not very noisy and protect against the big threats. Most are HA capable. Most have fail open or fail close options. Etc, etc, etc. Some people might disagree here, and I understand that. One IPS might have a feature that another one does not that may fit a certain need. But I contend that in a general sense, none of the big ones really have a huge advantage.
So in that light, what are the factors you have to consider? Well, it really comes down to the intangibles. Let’s look at a few of those:
Is the company diversified in their product line? In today’s converging security market, that tells us whether the company is likely to be snatched up or simply disappear, depending on product quality and whether there is someone out there who has money and has a whole in their product line.
Product diversification may also mean that the company is trying to take a look at the network as a whole versus just one piece. If they have developed or bought different products that compliment each other and are trying to bring them together in a way that gives insight into the network and allow collaboration, then that type of company is likely planning on sticking around for a while.
In this light, also look at management of the product. Though this is not exactly an intangible, it is still something that many companies don’t think about. What about the learning curve for you employees? Do you already have products from this vendor? If so, does this new technology fit well into that console, thus lessening the time the your employees need to learn it? If a company fits the diversification example above, they might have a problem in this area. Of course, if they are serious about making it work, they might very well have an EXCELLENT console. Take a close look. You also have to consider the talents of your employees with this factor.
Another intangible is support. How well do they support their product, keeping in mind that the company with one product may be better at this versus the big one with multiple products?
There are probably many other factors to consider here, but the basic point is that when you are looking at a mature, commoditized product (this does not just apply to IPS, obviously), a decision should not be made on technical issues alone. Look at your business. Look at your risk. Look at your employees. Look at the vendor as a whole. Compare their position in the market to other vendors. How do they stack up? Do they seem to have tunnel vision, or are they trying to diversify? Make sure you don’t let your technical folks make the decision by themselves and then hand you a PO to sign. They may like the product in the short term, but you have to think long term. You might piss off the team for a bit, but you can use the decision as a lesson to help mature your staff.
Vet
