Its acquisition of the security startup highlights the challenges facing all intrusion detection vendors

December 24, 2002

Cisco Buys Psionic

Cisco Systems Inc. (Nasdaq: CSCO) got its Christmas shopping out of the way a day early this year, completing its acquisition of privately held security software designer Psionic Technologies Inc. yesterday (see Cisco Completes Psionic Acquisition).

Cisco announced the agreement in October, saying that it would exchange up to $12 million worth of Cisco stock for all outstanding shares in the Texas-based software company (see Cisco Buys Psionic). In yesterday’s announcement, however, Cisco did not specify how much it had paid for Psionic, nor how much of a charge it will take in connection with the acquisition. Psionic did not return calls by press time, and Cisco declined to comment further on the news.

While the financial details of the deal are still a bit blurry, the reasoning behind the acquisition seems clear. Psionic’s technology aims to increase the efficiency of traditional intrusion detection system (IDS) products by reducing the number of false alarms and quickly validating potential security breaches. As such, it fits into Cisco’s overall security scheme of mastering a large range of security technologies and embedding them throughout the network.

“This is consistent with their desire to create a more unified security story,” says Zeus Kerravala, an analyst with the Yankee Group. “This is an area [Cisco] didn’t really have a product for... They’re plugging holes with small companies.”

“Intrusion detection has become a checklist item,” says David Newman of Network Test Inc., a testing house. “It’s a must-have for any vendor that wants to have a credible security story.”

Cisco does, in fact, already have several IDS products in its portfolio, but like most traditional IDS products, they are riddled with problems, according to industry observers.

Data overload is the main problem facing companies using IDS technologies in their network. While IDS is supposed to sound an alarm when it detects anomalies in the network, it often mistakes legitimate traffic for questionable traffic, leading to a huge number of false alarms. It becomes impossible to check every alarm, and systems administrators often decide to simply shut off IDS altogether. This helps shut out the noise – but of course it also utterly defeats the purpose, opening the network up to vulnerabilities.

“The perfect intrusion detection system is one that sends an alarm every time a packet goes by,” Newman says. “This is the crux of the problem that all intrusion detection products face.”

“This is a very good acknowledgement by [Cisco] that they have a problem in their portfolio,” says Yankee Group analyst Matthew Kovar. “Obviously corporations need a way to become more operationally efficient and address the alerts they’re getting... They’re overwhelmed.”

In addition to the sheer amount of noise that IDS technologies typically generate, analysts point out that the products also tend to perform poorly and miss attacks in the face of large amounts of traffic. They are also still very difficult to manage, demanding a lot of expertise on the part of the user. These are all problems Psionic aims to address, according to the company’s Website.

“Cisco believes that Psionic Software has an excellent combination of talent and technology,” Richard Palmer, VP and GM of Cisco’s VPN and Security Services Business Unit, said in a Q&A posted on Cisco’s Website in October. “Psionic develops security software that increases the efficiency of IDS by reducing false alarms by up to 95%. Psionic's software will provide Cisco security customers with increased productivity and lower total cost of ownership associated with network-based IDS by enabling customers to focus manpower and attention on validated attacks against their networks.”

On the other hand, Nir Zuk, the CTO of NetScreen Technologies Inc. (Nasdaq: NSCN), one of Cisco’s biggest competitors in the security arena, is not convinced that Psionic has chosen the right approach to solving IDS’s inherent problems. “For me,” he says, “Psionic is like a band-aid. It’s like taking a huge shotgun wound and putting a band-aid on it.”

Zuk joined NetScreen from OneSecure, the intrusion detection company NetScreen acquired in August (see NetScreen Acquires OneSecure). He insists that OneSecure’s technology not only detects intrusions, but is capable of preventing them as well.

NetScreen is doing better at addressing the IDS problem, Zuk says, because among other things it takes a network-based, rather than host-based, approach. “We can protect tens of thousands of hosts from one gateway,” he says.

Network Test's Newman, however, points out that the OneSecure technology might be difficult to sell, since it is located at the choke-point of the network, where the switch is.

No matter who has the best approach to solving the IDS dilemma today, Newman says it’s way too early to tell who will be the long-term winner in the space. What really ramped up sales of IDS’s predecessors, firewalls and VPNs, was the development of easy-to-use appliances, he says. “That hasn’t happened yet in intrusion detection.”

— Eugénie Larson, Reporter, Light Reading
