Information Security News mailing list archives

Re: Recent Gartner Report on IDS/IPS


From: InfoSec News <isn () c4i org>
Date: Tue, 17 Jun 2003 02:11:57 -0500 (CDT)

Forwarded from: Gary Golomb <gee_two () yahoo com>

Someone just replied saying I was ranting and missed the point of the
report. (Since it was sent directly to me and not the list, I'll leave
him anonymous. And man, no offense at all! Seriously!) For better or
for worse, he's right and some parts of this definitely are rants.

Because of Gartner's weight, there are some serious and negative side
effects of them just defining new terms on the fly, or saying some
technology is more/less useful based on non-technical findings. They
affect some of us more than others, but it does impact all of us when
stuff like this is allowed to go by unchecked.

One of the biggest impacts (of several) this is going to have is on
non-technical folks. Now every IDS vendor under the sun will be
renaming their products to Intrusion
Prevention/Protection/Response/etc Systems. What's that going to do
for the people that don't know any better? Marketing is what makes the
world go around, and if we've made any progress in forcing IDS vendors
to hold to their claims, that's all probably just been thrown out the
window. (I could write another email on this subject alone, but I'm
probably pushing it enough as-is.) With technical people in one hand
and Gartner in the other, I'll give you one guess who'll win that
battle.

Not only is this going to hurt the public, who's trying to learn how
to effectively implement these technologies, it's going to hurt
products also. Especially to meet the 2005 forecast [read: deadline]
set forth by Gartner if [when] vendors reallocate R/D resources to
"prevention" advancements as opposed to evolving and expanding
"detection" technologies. It's nice to think the two methodologies are
completely interchangeable (as Gartner has so liberally done), but the
truth is, they're not. There isn't a person I know who'd say that
Intrusion Detection is fully mature and doesn't need any more
research. Granted, IP needs more resources dedicated to it also, but
there are other products purpose-built for "protection" that seem to
make better foundations for advancing this technology.

Anyways, there's one other point to be made about this report. As I
see it, the blame is not entirely on Gartner. This report was written
based on the information made available to the author from vendors.
IPS vendors had a more convincing story. Shame on the vendors still
taking a responsible approach to IPS technologies for not having a
stronger, louder, and more relevant story and actively lobbying it to
the Gartners of the world. You reap what you sow, or don't sow....

-gary


--- InfoSec News <isn () c4i org> wrote:
Forwarded from: Gary Golomb <gee_two () yahoo com>
To: focus-ids () securityfocus com, isn () c4i org

Ok, this is going to be long. Also, this email is being written
entirely on my own impetus and **definitely does not** reflect the
views of my employer. (In fact, I'll be surprised if I make it
through this one without any bruises.)

Gartner, Inc. has recently released a document authored by Richard
Stiennon entitled, "Intrusion Detection Is Dead - Long Live
Intrusion Prevention." (So I'm guessing we don't need to cover what
that document is about.) Gartner is self-described as, "For 20
years, Gartner's Research & Advisory services have been recognized
as the definitive source for objective technology thought
leadership." Ok, fair enough. I'm a fair person and everyone makes
mistakes.

Unfortunately, this is not Gartner's first mistake along these
lines. Here's a quote from a paper now a year and a half old (also
from Gartner):

"Intrusion Prevention Will Replace Intrusion Detection. Enterprises
should delay new large investments in intrusion detection systems --
which have failed to provide additional security -- until intrusion
prevention systems emerge that provide a stronger defense against
'cyberattacks.'"

No, this is not the first time Gartner has displayed such a
grotesque misunderstanding behind detecting and defending against
*real* threats, but this is definitely the most horrible.


[...]



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.