IDS mailing list archives
Re: Recent Gartner IDS/IPS report
From: Jeff Nathan <jeff () snort org>
Date: Fri, 20 Jun 2003 20:14:21 -0700
(This is longer than intended, sorry).

Points such as:

- IDS is used throughout a network, not merely at the border
- DMZs are penetrated because firewalls operate irrespective of application data
- regardless of the marketing buzzwords involved, Gartner is simply suggesting IDS features will exist in firewalls
- IDS data is nearly useless without a way to mine and analyze the data

are extremely valid points. Most of the messages regarding the Gartner report have been fantastic.

A harsh indictment such as "technology X is dead" shouldn't be based on marketing/sales data with supplemental claims by CTOs. Market research performed in this manner resembles meteorology: a little science and a lot of guesswork.

Decision makers within large companies frequently make purchasing decisions based on incomplete data. We're led to believe these decision makers are so busy that anything longer than a ten minute presentation using a handful of PowerPoint slides is unacceptable. If you've tried to summarize the need, cost and implications of deploying a technology as complex as IDS to a decision maker in this manner you probably share my bewilderment. A responsible market research organization must keep this in mind before giving authority to the statements made by decision makers concerning the viability of complex technology.

In general, it's probably best to wait until you've actually deployed IDS on a large scale and then analyzed the data of the system before making broad statements as to the usefulness or lack thereof of the technology. It helps if you've actually written an IDS or components of one too. I'd love to know the background of the two Gartner researchers as it relates to large scale IDS deployment, management, analysis and development.

Dan Geer wrote an article in the latest issue of ;login: ("Getting the problem statement right"). His article contains new and significant arguments; I encourage everyone to read it (especially Gartner). A Gartner proposed system operating only at network borders doesn't appear to address the need to do something innovative with IDS. Geer hints at some ideas such as: scrutinize a marketing system communicating with a source code management system. Instead, the Gartner report restates a number of previously stated arguments (some updated with purely made-up marketing buzzwords), puts a new spin on some existing arguments but makes few new and significant arguments. The lack of technical evidence to support their theories is frustrating.

Wasn't it Gartner themselves who said something to the effect of they can singlehandedly control the success or failure of a security product? Depending on the context, a statement of that sort is troublesome. It's rude to accuse the entire Intrusion Detection industry as being hopelessly myopic, particularly when the accusing organization doesn't actually produce any of its own technology.

I thank Gartner for their pointers as to what is being done incorrectly and I anxiously await their hybrid firewall product complete with intrusion detection technologies.

-Jeff

--
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein