The Pain Of Network Intrusion Detection/Prevention

Presented at ShmooCon 2007 by

Four years ago Gartner declared intrusion detection systems a "market failure," saying they would be obsolete by 2005 and that "money slated for intrusion detection should be invested in firewalls." Gartner was wrong about the firewall aspect but right that traditional IDS should be dead. This presentation will examine why popular alert-centric systems, whether IDS, IPS, or SIM/SEM/SIEM, are doomed to be a source of frustration. I draw conclusions based on trying to use open source and commercial tools during recent incident response engagements. In brief, effective network defense requires understanding the network, not necessarily buying another tool. I will present a method of looking at the intrusion resistance, detection, and response problem that combines intelligent inspection of live network traffic with layered collection of network forensics data. Attendees will be able to leave the talk and immediately implement these ideas using open source tools on commodity hardware.