Dailydave mailing list archives

FW: lots of monkeys staring at a screen....security?


From: Des Ward <security () senticom co uk>
Date: Sat, 28 Oct 2006 19:55:23 +0100



-----Original Message-----
From: "Des Ward" <security () senticom co uk>
To: "Thomas Ptacek" <thomasptacek () gmail com>
Sent: 28/10/06 09:32
Subject: RE: [Dailydave] lots of monkeys staring at a screen....security?

IPS is effectively using IDS technology with bells on. IDS is still SourceFire's core business IMHO. How many customers have the IPS as opposed to IDS?

To say that IDS is a purely journalling technology is a very blinkered view, as all IDS have the ability to alert on an event. If you deploy an event correlation system, actually define logical security domains and apply some logic, it does become useful as part of a security architecture.

The issue IMHO is that most security professionals preach technology and demand to be listened to without realising that by marketing their function better they could get more buy-in.

I have just completed my dissertation on changing the value perception of security, and the journey has changed my view from one that would ostensibly have agreed with you to one that is seeing the need to change tack.

-----Original Message-----
From: "Thomas Ptacek" <thomasptacek () gmail com>
To: "Halvar Flake" <halvar () gmx de>
Cc: "dailydave" <dailydave () lists immunitysec com>
Sent: 27/10/06 19:30
Subject: Re: [Dailydave] lots of monkeys staring at a screen....security?

@dailydave:

SourceFire isn't an IDS company; it's the leading indie IPS company. I
think they're poised to take ISSX's place in the market. I don't want
to dignify IPS, but I'm not convinced Snort's technology is any worse
than any of the mainstream IPS vendors (though I'm not sure Bivio was
a great move).

CounterPane seems to have had ~20MM in revenue. 2x is still short for
an MSSP play (Rothman's wrong about valuing CounterPane like a
consultancy --- their revenue scales independently of whatever top
talent they have, unlike @stake). But the writing is on the wall for
MSSPs: SecureWorks is going to get picked up by a tier 1 this year as
well. Credit MCI for being smart with their MSSP acquisition 2 years
ago.

I don't know if centralized IDS monitoring is the bread-and-butter for
most of these companies or not, but I don't think that's where they're
headed. Managed firewall is already huge, and managed desktop security
is on its way. There are ~50,000 CISSPs, a subset of which practice, a
subset of which form a basis to estimate how many competent security
people there are in North America. If there are 10,000, and the Global
2000 take 3 each (a ridiculous lowball), what are 500-person
manufacturing companies, regional hospital chains, and credit unions
supposed to do?

I am waiting for someone to tell me the story about how an IDS saved
their bacon. I'm not interested in the story about how it found the
guy with the spyware infection or the bot installation; secops teams
find those things all the time in their firewall logs and they don't
freak out about it when they do.

This "signature" vs. "real intrusion detection" thing is a big red
herring. Intrusion detection has been an active field of research for
over 15 years now and apart from Tripwire I can't point to anything
operationally valuable it has produced.

Halvar, when you figure out how to parallelize enough striped tape I/O
to keep up with a gigE connection, then, Halvar, then I will respect
you.

On 10/27/06, Halvar Flake <halvar () gmx de> wrote:
In this entire IDS debate, I would like to recommend reading an old
blog post from FX:

http://www.phenoelit.net/lablog/paradigms/weglassen.sl

Security by weglassen --> Security by omission.

I still agree with the concept of replacing an IDS with just a large quantity
of tapes on which to archive all traffic. IDSs will never alert you to an
attack-in-progress, and by just dumping everything onto a disk somewhere you
can at least do a halfway-decent forensics job thereafter. Since everybody and
his dog is doing cryptoshellcode these days you won't be all-knowing, but
at least you should be able to properly identify which machine got owned
first.

Cheers,
Halvar

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave



