Dark Reading has a new article from yesterday based on a (non-public, not free) report from NSS Labs. Apparently the report says that intrusion prevention systems need tuning.
I hope this isn't news for anybody who has been in infosec for more than a few years.
And if anybody is selling these devices to customers without making this clear to them, they are doing a huge disservice and should be publicly beaten.
No matter what the vendor marketing says, IDS and IPS products have to be tuned. A vendor doesn't know what's in your network. And no matter what the marketing says, those systems also take a good amount of ongoing management: someone has to review the alerts and keep tuning as new traffic types arrive on your network and old ones disappear.
How about a more appropriate question - are IDS/IPS worth the effort?
This is the type of question that companies want to understand. The answer is not simple, unfortunately. Questions to consider include:
If a client asked me for one question around which to frame the discussion, the last one is it. I think of IDS/IPS as "research" - it lets me be informed about what's happening on my network, which I do believe all enterprises should have a good understanding of. But tcpdump/ntop/mrtg/etc. provide basic research info too, so frequently it is not worth spending thousands of dollars on a dedicated product. On the other hand, I always want to know when a system has been compromised, and as soon as possible.
On a highly secured network I might deploy network IDS/IPS, host-based IDS and log monitoring, with some form of centralized management/correlation over that. On a small to medium company's network, I focus resources on keeping systems patched, up-to-date, and in compliance with a corporate security policy. Once the basics are in place, then look at things like IPS.