Firewall Wizards mailing list archives
RE: RE: IDS (was: FW appliance comparison)
From: "Marcus J. Ranum" <mjr () tenablesecurity com>
Date: Wed, 01 Feb 2006 16:31:21 -0500
Bill Royds wrote:
> Most IT shops these days see the word programming (or even scripting) and give you the sign of the cross. Computer people don't know how to program these days and it is the kiss of death for anything to say "just a little programming".
Yes; yet those same managers and IT professionals shake their heads in puzzlement over the high cost of "off the shelf solutions" and the poor quality of commercial software.
> That is why people ask for $80K SIM systems. They want someone else to tell them how to pick out the important data out of log files. A 20 line Perl program is much too complex.
The problem is that the SIM solutions don't know how to pick important data out of log files. They pick data out of the log files based on their developers' notion of "important" rather than being based on an understanding of site policy.

In a way this is exactly the same as IDS - which came under fire for producing "too many false positives." The "false positive" problem, however, is not really a failure of IDS - it's that the IDS designers made decisions about what was interesting that their customers did not agree with. So the IDS identifies that "some user is doing an awful lot of IRC traffic! possible botnet?" and the customer gets mad at the IDS and shuts it off because his site-specific knowledge tells him that "that's just our VP of Big Round Things and he plays IRC all day."

So those IT managers who pay tons of $$ for a SIM are going to be complaining that their SIM is useless in a couple of years. And they will be right -- because a SIM that can't turn a moron into a clueful security practitioner really _is_ pretty useless, after all. IDS failed at that, as well. I wonder what Gartner will say about SIM when the time comes? Will it be the "pet rock" of security, like IDS, or will it be some other quaint simile?

What you're really pointing to is the sad observation that most IT managers would rather pay $80,000 to remain stupid than to go to the trouble of getting a little bit intelligent for free.

mjr.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
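The point Ranum makes above, that "important" has to be defined by site policy rather than by the tool vendor, is small enough to show in code. What follows is an added example written for this archive page, not code from the original post or from any SIM or IDS product. The post mentions a 20-line Perl program; this is written in Python instead. The log lines, the log format, the IRC heuristic and the SITE_POLICY table (including the "VP of Big Round Things" entry) are all constructed for illustration. The generic IDS-style heuristic ("one host opening a lot of IRC sessions") is kept exactly as a vendor might ship it; the difference is that the verdict is then checked against the site's own table of known-normal behaviour, and suppressed alerts are returned alongside the reason, so the suppression is auditable rather than silent.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post): a firewall-style
# connection log with one outbound TCP session per line. IPs are from the
# RFC 5737 documentation ranges. The last line is deliberately malformed.
SAMPLE_LOG = """\
2006-02-01T09:00:01 src=10.1.2.3 dst=198.51.100.7 dport=6667 proto=tcp action=allow
2006-02-01T09:05:12 src=10.1.2.3 dst=198.51.100.7 dport=6667 proto=tcp action=allow
2006-02-01T09:07:44 src=10.1.2.3 dst=198.51.100.7 dport=6667 proto=tcp action=allow
2006-02-01T09:08:00 src=10.1.2.3 dst=198.51.100.7 dport=6667 proto=tcp action=allow
2006-02-01T09:10:30 src=10.1.4.9 dst=192.0.2.55 dport=443 proto=tcp action=allow
2006-02-01T09:11:02 src=10.1.4.9 dst=203.0.113.21 dport=6667 proto=tcp action=allow
2006-02-01T09:11:05 src=10.1.4.9 dst=203.0.113.21 dport=6667 proto=tcp action=allow
2006-02-01T09:11:09 src=10.1.4.9 dst=203.0.113.21 dport=6667 proto=tcp action=allow
2006-02-01T09:12:00 src=10.1.4.9 dst=203.0.113.21 dport=6667 proto=tcp action=allow
this line is garbage the parser must skip
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Hypothetical site policy: what *this* site knows is normal. The generic
# heuristic below stays the same; the decision is made against this table
# rather than against the tool vendor's idea of "interesting".
SITE_POLICY = {
    # sources allowed to hold long IRC sessions, with the site's reason
    "expected_irc_sources": {
        "10.1.2.3": "VP of Big Round Things; uses IRC all day",
    },
    "irc_ports": {6667, 6697},
    # sessions per (src, dst) pair before the heuristic calls it "a lot"
    "irc_session_threshold": 3,
}


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def irc_sessions(records, policy):
    """Generic IDS-style heuristic: count IRC sessions per (src, dst) pair."""
    counts = Counter()
    for r in records:
        if r["proto"] == "tcp" and r["dport"] in policy["irc_ports"]:
            counts[(r["src"], r["dst"])] += 1
    return counts


def review(log_text, policy):
    """Run the heuristic, then apply site policy to its output.

    Returns (alerts, suppressed). alerts are (src, dst, count) tuples that
    nobody at the site has vouched for; suppressed are the same tuples plus
    the policy reason, so the decision to ignore them is still visible.
    """
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    alerts, suppressed = [], []
    for (src, dst), n in sorted(irc_sessions(records, policy).items()):
        if n < policy["irc_session_threshold"]:
            continue
        reason = policy["expected_irc_sources"].get(src)
        if reason:
            suppressed.append((src, dst, n, reason))
        else:
            alerts.append((src, dst, n))
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = review(SAMPLE_LOG, SITE_POLICY)
    for src, dst, n in alerts:
        print(f"ALERT   {src} -> {dst}: {n} IRC sessions, not covered by site policy")
    for src, dst, n, why in suppressed:
        print(f"IGNORED {src} -> {dst}: {n} IRC sessions ({why})")
```

Run as-is, the VP's four IRC sessions are reported as ignored with the policy reason attached, and the second host's four sessions to a different server come out as the only alert. Adding a host to `expected_irc_sources` is the whole act of "teaching" the filter site policy; nothing in the heuristic itself changes, which is the division of labour the post argues a SIM cannot supply on its own.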
Current thread:
- Re: RE: IDS (was: FW appliance comparison) Marcus J. Ranum (Feb 01)
- Re: RE: IDS (was: FW appliance comparison) Brian Loe (Feb 01)
- Re: RE: IDS (was: FW appliance comparison) Marcus J. Ranum (Feb 01)
- Re: RE: IDS (was: FW appliance comparison) Brian Loe (Feb 02)
- RE: RE: IDS (was: FW appliance comparison) Bill Royds (Feb 02)
- RE: RE: IDS (was: FW appliance comparison) Marcus J. Ranum (Feb 02)
- RE: RE: IDS (was: FW appliance comparison) Paul Melson (Feb 02)
- RE: RE: IDS (was: FW appliance comparison) Paul Melson (Feb 02)
- Re: RE: IDS (was: FW appliance comparison) david_harris (Feb 02)
- Re: RE: IDS (was: FW appliance comparison) ArkanoiD (Feb 02)
- Re: RE: IDS (was: FW appliance comparison) Brian Loe (Feb 01)
- RE: RE: IDS (was: FW appliance comparison) Paul Melson (Feb 01)