funsec mailing list archives

Re: heuristics are dead?


From: "Alex Eckelberry" <AlexE () sunbelt-software com>
Date: Mon, 2 Mar 2009 15:04:24 -0500

Amrit, I don't despise analysts.  It's just that my interactions with
one particular firm have been, in some instances, distasteful (and in
one particular case, appalling), but it certainly depends on whom one
talks to in an organization.  We engage the services of the analyst
community extensively in our own go-to-market strategy.  And I'm glad
that Gartner hired someone like you, fresh from the trenches.  That is a
good thing.


The fact remains that heuristics and behavioral detections are detecting
a vast amount of malware -- in many cases, the bulk of new malware (it
actually depends on which AV engine you evaluate).  I only took issue with
that part of the discussion, which Martin McKeay started off by saying
"it doesn't work".  Grab any fresh piece of malware you find out there,
run it against a bunch of engines, and you'll see that many have no clue
what the file actually is -- only that it's bad.

As I said in my blog, I agreed with many of the panel's other points.  


Alex


________________________________

        From: Amrit Williams [mailto:johndoe321 () gmail com] 
        Sent: 02 March 2009 16:50
        To: david.a.harley () gmail com
        Cc: nick () virus-l demon co uk; funsec () linuxbox org
        Subject: Re: [funsec] heuristics are dead?

        Hey David,
        
        Before this thread turns into a lynching - I am the guy in the
middle - let me provide some context. Speaking for myself, as I am loath
to defend the comments of those who are not me, especially when I
disagree with them and didn't actually say anything was "dead", I do
understand the difference. To give you some perspective, I worked in the
AV engineering division of McAfee from 1995 - 2000, I was also a Gartner
analyst in their security and risk practice (sorry Alex - I know how you
despise analysts) and spent my time there talking to large organizations
in every vertical, as well as every vendor that sold to them. I am
currently the CTO of BigFix, which partners with Trend Micro to provide
endpoint security through our unified management platform.
        
        At the highest of levels I would agree with the comments made by
Alex on his blog. The challenges I stated in terms of these technologies
were aimed at the inherent problems of operationally implementing these
tools in a large enterprise production environment. These include, but
are not limited to, policy definition and tuning - when required (many
orgs have hundreds of internally developed apps and thousands of apps
deployed enterprise-wide across many different OS platforms and multiple
variants), minimizing application conflict between the protection
technologies and the corporate applications, minimizing impact on the
user, and of course just basic enterprise management (care and feeding,
updating, etc.) - managing these technologies on 1-100 endpoints without
issue is one thing, managing them on 100,000+ endpoints is completely
different. Show of hands - how many people have deployed CSA at
enterprise scale without causing more problems than it solved or
requiring months of tuning?
        
        You may disagree with me, you may think I have no clue, that is
your opinion and your right, but I wanted to provide you - all of you -
with an opportunity to discuss your concerns directly with me.
        
        btw - I sent this to Michael yesterday, I meant to reply all but
it was late;
        
        I would assume that if you are able to show that
heuristic/behavioral based technologies are providing benefit by
blocking or limiting security incidents, and are doing this without any
impact to productivity or conflicting with corporate applications, and
you are able to manage these technologies in your organization at scale
and within budget, without dedicated FTEs, then I am sure you will have
no trouble highlighting this to the organization regardless of what a
couple of "experts" say.
        
        Regards,
        
        Amrit

        On Mon, Mar 2, 2009 at 3:50 AM, David Harley
<david.a.harley () gmail com> wrote:

        I'm not sure that people who know the difference between
heuristics and behaviour analysis qualify as distinguished. :-/
        
        --
        David Harley BA CISSP FBCS CITP
        Small Blue-Green World

        
        
        
        > -----Original Message-----
        > From: funsec-bounces () linuxbox org
        > [mailto:funsec-bounces () linuxbox org] On Behalf Of Nick FitzGerald
        > Sent: 02 March 2009 03:38
        > To: funsec () linuxbox org
        > Subject: Re: [funsec] heuristics are dead?
        >
        > Alex Eckelberry wrote:
        >
        > > ... a group of security experts ...
        >
        > They were introduced as "three distinguished security
bloggers".
        >
        > Maybe I should get a blog?
        >
        >
        >
        > Regards,
        >
        > Nick FitzGerald
        >
        >

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
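The two positions in the thread above, Alex's (a fresh sample run past several engines gets flagged as bad by some of them even though none of them knows what it is) and Amrit's (the same technology needs threshold tuning before it stops flagging legitimate software), can be shown side by side in a few lines. The following is an added illustration, not code from this thread or from any vendor's engine: the hash "signature database", the rule weights, the entropy cutoff and the three fake sample blobs are all constructed here, and no real malware is involved.

```python
"""Signature vs. heuristic scanning on constructed samples (added example).

Everything below is made up for illustration: the hash database stands in
for a signature engine, the weighted rules for a static heuristic engine,
and the three byte blobs for a known sample, a repacked variant of it, and
a legitimate packed tool.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass, field


def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler, standing in for a packed payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, low for plain code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# Hypothetical indicators used by the heuristic engine (chosen for this example).
INJECTION_APIS = [b"VirtualAllocEx", b"WriteProcessMemory",
                  b"CreateRemoteThread", b"IsDebuggerPresent"]
PACKER_SECTIONS = [b"UPX0", b"UPX1", b".aspack"]


@dataclass
class Verdict:
    engine: str
    detected: bool
    label: str            # family name (signature) or generic tag (heuristic)
    score: int
    reasons: list = field(default_factory=list)


def signature_scan(data: bytes, signatures: dict) -> Verdict:
    """Exact-hash lookup: names the family, but only for files already seen."""
    digest = hashlib.sha256(data).hexdigest()
    if digest in signatures:
        return Verdict("signature", True, signatures[digest], 100,
                       [f"sha256 {digest[:12]}... in database"])
    return Verdict("signature", False, "", 0, [])


def heuristic_scan(data: bytes, threshold: int = 50) -> Verdict:
    """Weighted static rules: says 'this looks bad', never 'this is family X'."""
    score, reasons = 0, []
    ent = shannon_entropy(data)
    if ent > 7.2:                       # cutoff is an assumption for this example
        score += 40
        reasons.append(f"entropy {ent:.2f} suggests a packed/encrypted body")
    for name in PACKER_SECTIONS:
        if name in data:
            score += 20
            reasons.append(f"packer section name {name.decode()}")
    hits = [s.decode() for s in INJECTION_APIS if s in data]
    if len(hits) >= 2:                  # one API alone is common in benign code
        score += 15 * len(hits)
        reasons.append(f"process-injection API combination {hits}")
    detected = score >= threshold
    return Verdict("heuristic", detected,
                   "Suspicious.Generic" if detected else "", score, reasons)


# Constructed samples: fake PE-ish blobs, none of them a real binary.
_HEADER = b"MZ" + b"\x00" * 62
KNOWN_SAMPLE = _HEADER + b"UPX0" + b"".join(INJECTION_APIS) + pseudo_random(4096, b"known")
# Same code, repacked: the body bytes differ, so the hash differs.
FRESH_VARIANT = _HEADER + b"UPX0" + b"".join(INJECTION_APIS) + pseudo_random(4096, b"repacked")
# A legitimate UPX-packed admin tool: high entropy and a packer section, no injection APIs.
BENIGN_PACKED = _HEADER + b"UPX0" + b"GetVersionExA" + pseudo_random(4096, b"benign")

# The "signature database" knows exactly one file.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A"}


def scan(data: bytes, threshold: int = 50) -> dict:
    """Run both engines over one blob and return their verdicts."""
    return {"signature": signature_scan(data, SIGNATURES),
            "heuristic": heuristic_scan(data, threshold)}


if __name__ == "__main__":
    samples = [("known", KNOWN_SAMPLE), ("fresh variant", FRESH_VARIANT),
               ("benign packed", BENIGN_PACKED)]
    for name, blob in samples:
        for thr in (50, 70):
            v = scan(blob, thr)
            print(f"{name:14} thr={thr}: sig={v['signature'].label or 'clean':22} "
                  f"heur={v['heuristic'].label or 'clean'} (score {v['heuristic'].score})")
```

Run as a script, the signature engine names the known sample and says nothing about the repacked variant, while the heuristic engine flags the variant under either threshold with only a generic label. The benign packed tool is the tuning problem in miniature: at threshold 50 it is a false positive, at 70 it passes, and deciding that number for hundreds of in-house applications is the work Amrit is describing.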
