funsec mailing list archives

Re: heuristics are dead?


From: "David Harley" <david.a.harley () gmail com>
Date: Mon, 2 Mar 2009 17:57:23 -0000

I'm not offering to lynch anyone - after all, I've spent most of my security
career in customer organizations (one of them very large indeed) rather
than working for a vendor, as I do currently. Surprisingly enough, I even
agree with some of the comments that were made: however, I get very tired of
hearing that the industry I'm employed by is misleading customers, claiming
unlikely detection percentages, insistent on pushing their obsolete solution
as the only way to deal with malware, and generally unfit to be discussed in
front of children and animals. So you'll have to forgive me if I'm
unreasonably irritated by some of the less technically-grounded assertions
made by some of the participants. (And I do understand that you were the guy
in the middle in more than one sense.) 
 
Actually, if you look again at the wording of my mail, you'll notice that the
comment I made was a little more subtle than accusing you guys of being
incompetent. The point that I was making was that people who are
outstandingly knowledgeable on the topic (not that I'm suggesting that Nick
would necessarily leap in and defend the AV industry right or wrong...) will
have to participate in a very different way to the reverentially introduced
original panel, and from a very defensive position, if seen to represent the
interests of the AV industry.
 
Don't you think Richard stacked the deck somewhat?
 
--
David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
ESET

From: Amrit Williams [mailto:johndoe321 () gmail com] 
Sent: 02 March 2009 16:50
To: david.a.harley () gmail com
Cc: nick () virus-l demon co uk; funsec () linuxbox org
Subject: Re: [funsec] heuristics are dead?


Hey David,

Before this thread turns into a lynching - I am the guy in the middle - let
me provide some context. Speaking for myself as I am loath to defend the
comments of those who are not me, especially when I disagree with them and
didn't actually say anything was "dead", I do understand the difference. To
give you some perspective I worked in the engineering AV division of McAfee
from 1995 - 2000, I was also a Gartner analyst in their security and risk
practice (sorry Alex - I know how you despise Analyst) and spent my time
there talking to large organizations in every vertical, as well as every
vendor that sold to them. I am currently the CTO of BigFix, which partners
with Trend Micro to provide endpoint security through our unified management
platform.

At the highest of levels I would agree with the comments made by Alex on his
blog. The challenges I stated in terms of these technologies were aimed at
the inherent problems of operationally implementing these tools in a large
enterprise production environment. These include, but are not limited to,
policy definition and tuning - when required (many orgs have 100's of
internally developed apps and thousands of apps deployed enterprise wide
across many different OS platforms and multiple variants), minimizing
application conflict between the protection technologies and the corporate
applications, minimizing impact on the user, and of course just basic
enterprise management (care and feeding, updating, etc) - managing these
technologies on 1-100 endpoints without issue is one thing, managing them on
100,000 endpoints+ is completely different. Show of hands - how many people
have deployed CSA at enterprise scale without causing more problems than it
solved or required months of tuning?

You may disagree with me, you may think I have no clue, that is your opinion
and your right, but I wanted to provide you - all of you - with an
opportunity to discuss your concerns directly with me.

btw - I sent this to Michael yesterday, I meant to reply all but it was
late;

I would assume that if you are able to show that heuristic/behavioral based
technologies are providing benefit by blocking or limiting security
incidents, and are doing this without any impact to productivity or
conflicting with corporate applications, and you are able to manage these
technologies in your organization at scale and within budget, without
dedicated FTEs, then I am sure you will have no trouble highlighting this
to the organization regardless of what a couple of "experts" say.

Regards,

Amrit


On Mon, Mar 2, 2009 at 3:50 AM, David Harley <david.a.harley () gmail com>
wrote:


I'm not sure that people who know the difference between heuristics and
behaviour analysis qualify as distinguished. :-/

--
David Harley BA CISSP FBCS CITP
Small Blue-Green World




-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Nick FitzGerald
Sent: 02 March 2009 03:38
To: funsec () linuxbox org
Subject: Re: [funsec] heuristics are dead?

Alex Eckelberry wrote:

... a group of security experts ...

They were introduced as "three distinguished security bloggers".

Maybe I should get a blog?



Regards,

Nick FitzGerald


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.



