Dailydave mailing list archives
Re: lots of monkeys staring at a screen....security?
From: "Thomas Ptacek" <thomasptacek () gmail com>
Date: Fri, 27 Oct 2006 13:30:35 -0500
@dailydave: SourceFire isn't an IDS company; it's the leading indie IPS company. I think they're poised to take ISSX's place in the market. I don't want to dignify IPS, but I'm not convinced Snort's technology is any worse than any of the mainstream IPS vendors (though I'm not sure Bivio was a great move). CounterPane seems to have had ~20MM in revenue. 2x is still short for an MSSP play (Rothman's wrong about valuing CounterPane like a consultancy --- their revenue scales independently of whatever top talent they have, unlike @stake). But the writing is on the wall for MSSPs: SecureWorks is going to get picked up by a tier 1 this year as well. Credit MCI for being smart with their MSSP acquisition 2 years ago. I don't know if centralized IDS monitoring is the bread-and-butter for most of these companies or not, but I don't think that's where they're headed. Managed firewall is already huge, and managed desktop security is on its way. There are ~50,000 CISSPs, a subset of which practice, a subset of which form a basis to estimate how many competant security people there are in North America. If there are 10,000, and the Global 2000 take 3 each (a ridiculous lowball), what are 500-person manufacturing companies, regional hospital chains, and credit unions supposed to do? I am waiting for someone to tell me the story about how an IDS saved their bacon. I'm not interested in the story about how it found the guy with the spyware infection or the bot installation; secops teams find those things all the time in their firewall logs and they don't freak out about it when they do. This "signature" vs. "real intrusion detection" thing is a big red herring. Intrusion detection has been an active field of research for over 15 years now and apart from Tripwire I can't point to anything operationally valuable it has produced. Halvar, when you figure out how to parallelize enough striped tape I/O to keep up with a gigE connection, then, Halvar, then I will respect you. On 10/27/06, Halvar Flake <halvar () gmx de> wrote:
In this entire IDS debate, I would like to recommend reading an old blog post from FX: http://www.phenoelit.net/lablog/paradigms/weglassen.sl Security by weglassen --> Security by omission. I still agree with the concept of replacing an IDS with just a large quantity of tapes on which to archive all traffic. IDSs will never alert you to an attack- in-progress, and by just dumping everything onto a disk somewhere you can at least do a halfways-decent forensics job thereafter. Since everybody and his dog is doing cryptoshellcode these days you won't be all-knowing, but at least you should be able to properly identify which machine got owned first. Cheers, Halvar _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- lots of monkeys staring at a screen....security? Dave Aitel (Oct 26)
- Re: lots of monkeys staring at a screen....security? Dave Korn (Oct 26)
- Re: lots of monkeys staring at a screen....security? Joanna Rutkowska (Oct 27)
- Re: lots of monkeys staring at a screen....security? Gadi Evron (Oct 27)
- Re: lots of monkeys staring at a screen....security? Joanna Rutkowska (Oct 27)
- Re: lots of monkeys staring at a screen....security? Blue Boar (Oct 26)
- Re: lots of monkeys staring at a screen....security? Jamie Riden (Oct 26)
- Re: lots of monkeys staring at a screen....security? Kevin Johnson (Oct 27)
- Re: lots of monkeys staring at a screen....security? Dave Aitel (Oct 27)
- Re: lots of monkeys staring at a screen....security? Halvar Flake (Oct 27)
- Re: lots of monkeys staring at a screen....security? Thomas Ptacek (Oct 27)
- Re: lots of monkeys staring at a screen....security? Matt Beaumont (Oct 27)
- Re: lots of monkeys staring at a screen....security? Dave Aitel (Oct 28)
- Re: lots of monkeys staring at a screen....security? Ron Gula (Oct 28)
- Re: lots of monkeys staring at a screen....security? liquidfish (Oct 27)
- Re: lots of monkeys staring at a screen....security? Gadi Evron (Oct 28)
- Re: lots of monkeys staring at a screen....security? Thomas Ptacek (Oct 29)
- Re: lots of monkeys staring at a screen....security? Gadi Evron (Oct 29)
- Re: lots of monkeys staring at a screen....security? David Maynor (Oct 29)
- Re: lots of monkeys staring at a screen....security? Dave Aitel (Oct 27)
- Re: lots of monkeys staring at a screen....security? Dave Korn (Oct 26)
- Re: lots of monkeys staring at a screen....security? Florian Weimer (Oct 29)
- Re: lots of monkeys staring at a screen....security? Paul Wouters (Oct 27)