IDS mailing list archives

Re: Recent Gartner IDS/IPS report


From: Jeff Nathan <jeff () snort org>
Date: Fri, 20 Jun 2003 20:14:21 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

(This is longer than intended, sorry).


Points such as: IDS is used throughout a network, not merely at the 
border; DMZs are penetrated because firewalls operate irrespective of 
application data; regardless of the marketing buzzwords involved, Gartner is 
simply suggesting IDS features will exist in firewalls; and IDS data is 
nearly useless without a way to mine and analyze it.  These are extremely 
valid points.  Most of the messages regarding the Gartner report have been 
fantastic.

A harsh indictment such as "technology X is dead" shouldn't be based on 
marketing/sales data with supplemental claims by CTOs.  Market research 
performed in this manner resembles meteorology: a little science and a lot 
of guesswork.  Decision makers within large companies frequently make 
purchasing decisions based on incomplete data.  We're led to believe these 
decision makers are so busy that anything longer than a ten minute 
presentation using a handful of PowerPoint slides is unacceptable.  If 
you've tried to summarize the need, cost and implications of deploying a 
technology as complex as IDS to a decision maker in this manner you 
probably share my bewilderment.  A responsible market research organization 
must keep this in mind before giving authority to the statements made by 
decision makers concerning the viability of complex technology.

In general, it's probably best to wait until you've actually deployed IDS 
on a large scale and then analyzed the data of the system before making 
broad statements as to the usefulness or lack thereof of the technology. 
It helps if you've actually written an IDS or components of one too. I'd 
love to know the background of the two Gartner researchers as it relates to 
large scale IDS deployment, management, analysis and development.

Dan Geer wrote an article in the latest issue of ;login: ("Getting the 
problem statement right").  His article contains new and significant 
arguments; I encourage everyone to read it (especially Gartner).  A Gartner-
proposed system operating only at network borders doesn't appear to address 
the need to do something innovative with IDS.  Geer hints at some ideas 
such as: scrutinize a marketing system communicating with a source code 
management system.  Instead, the Gartner report restates a number of 
previously stated arguments (some updated with purely made-up marketing 
buzzwords), puts a new spin on some existing arguments but makes few new 
and significant arguments.  The lack of technical evidence to support their 
theories is frustrating.

Wasn't it Gartner themselves who said something to the effect of they can 
singlehandedly control the success or failure of a security product? 
Depending on the context, a statement of that sort is troublesome.

It's rude to accuse the entire Intrusion Detection industry of being 
hopelessly myopic, particularly when the accusing organization doesn't 
actually produce any of its own technology.  I thank Gartner for their 
pointers as to what is being done incorrectly and I anxiously await their 
hybrid firewall product complete with intrusion detection technologies.

-Jeff

--
http://cerberus.sourcefire.com/~jeff       (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)

iD8DBQE+882SEqr8+Gkj0/0RAp36AJ0c7w+6BHr2UrU+BTnTETLc3WW6DwCguUzp
Tg2UiC9JyO7ntvQYGVIvjNY=
=Hxp9
-----END PGP SIGNATURE-----
