Dailydave mailing list archives
Re: lots of monkeys staring at a screen....security?
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 27 Oct 2006 19:43:16 -0400
To paraphrase Immortal Technique, *There's a market* out there for everything, for pet psychologists, nipple rings, and SYN flood detectors. Honestly, every time I see a stack of those fake Airborn "Cold Prevention" tablets in the airport magazine stores I think of a CISSP recommending some random IPS vendor because they took him out to lunch at one of those horrible Chinese restaurants near Wall St. IPS is just as silly as IDS, and every time I own someone's browser over SSL via my own personal exploit hidden inside an encrypting javascript blob I can thank that CISSP for not putting their money somewhere it does some good.

These days I do less coding than I used to, but I know if I move 10K and one month into defeating an IPS someone in the IPS company is going to have to spend a 100K and one year into counteracting that. And the curve is growing in my favor. A year from now it will be 200K and two years.

I like FX's take. "We decided to remove them. They were bad for security."

-dave

Thomas Ptacek wrote:
@dailydave: SourceFire isn't an IDS company; it's the leading indie IPS company. I think they're poised to take ISSX's place in the market. I don't want to dignify IPS, but I'm not convinced Snort's technology is any worse than any of the mainstream IPS vendors (though I'm not sure Bivio was a great move).

CounterPane seems to have had ~20MM in revenue. 2x is still short for an MSSP play (Rothman's wrong about valuing CounterPane like a consultancy --- their revenue scales independently of whatever top talent they have, unlike @stake). But the writing is on the wall for MSSPs: SecureWorks is going to get picked up by a tier 1 this year as well. Credit MCI for being smart with their MSSP acquisition 2 years ago.

I don't know if centralized IDS monitoring is the bread-and-butter for most of these companies or not, but I don't think that's where they're headed. Managed firewall is already huge, and managed desktop security is on its way.

There are ~50,000 CISSPs, a subset of which practice, a subset of which form a basis to estimate how many competent security people there are in North America. If there are 10,000, and the Global 2000 take 3 each (a ridiculous lowball), what are 500-person manufacturing companies, regional hospital chains, and credit unions supposed to do?

I am waiting for someone to tell me the story about how an IDS saved their bacon. I'm not interested in the story about how it found the guy with the spyware infection or the bot installation; secops teams find those things all the time in their firewall logs and they don't freak out about it when they do.

This "signature" vs. "real intrusion detection" thing is a big red herring. Intrusion detection has been an active field of research for over 15 years now and apart from Tripwire I can't point to anything operationally valuable it has produced.

Halvar, when you figure out how to parallelize enough striped tape I/O to keep up with a gigE connection, then, Halvar, then I will respect you.
On 10/27/06, Halvar Flake <halvar () gmx de> wrote:

In this entire IDS debate, I would like to recommend reading an old blog post from FX:

http://www.phenoelit.net/lablog/paradigms/weglassen.sl

Security by weglassen --> Security by omission.

I still agree with the concept of replacing an IDS with just a large quantity of tapes on which to archive all traffic. IDSs will never alert you to an attack-in-progress, and by just dumping everything onto a disk somewhere you can at least do a halfways-decent forensics job thereafter. Since everybody and his dog is doing cryptoshellcode these days you won't be all-knowing, but at least you should be able to properly identify which machine got owned first.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave