Dailydave mailing list archives

Re: lots of monkeys staring at a screen....security?


From: "Dave Korn" <dave.korn () artimi com>
Date: Thu, 26 Oct 2006 15:32:31 +0100

On 26 October 2006 13:10, Dave Aitel wrote:

> Well, it turns out IDSes and managed security services can at least provide
> financial security. :>
>
> Sourcefire IPOs. Something they were on track to do anyways until
> Checkpoint offered them too much money to turn down, I assume.
>
> http://www.sourcefire.com/news/press_releases/pr102506.html

  IMO:  Sourcefire offers OSS support services, relating to snort in
particular.  That seems reasonable to me, it's not like they're offering utter
vapour.  It may turn out not to be a successful business model, but it is
still a genuine one, whether wrong or right in the long run.

  (Also IMO:  Zone Alarm was brilliant until Checkpoint bought out ZoneLabs.
Now it sucks.  Bloated and featuritis-ridden.)

> BT Group buys Counterpane for 20M. What were Counterpane's revenues I
> wonder. You always heard about them, but I never saw them at an actual
> client.
>
> http://www.schneier.com/blog/archives/2006/10/bt_acquires_cou.html

  Well, yes, in theory, but don't forget that Albert Einstein wears Bruce
Schneier pajamas (http://geekz.co.uk/schneierfacts/)...


> My feeling is that IDS is 1980's technology and doesn't work anymore. This
> makes Sourcefire and Counterpane valuable because they let people fill the
> checkbox at the lowest possible cost, but if it's free for all IBM
> customers to throw an IDS in the mix then the price of that checkbox is
> going to get driven down as well.

  Up to a point.

  Well, for a start, it may be 80's tech, but there really weren't any
serious implementations of it in the 80's.  80's in the lab = late 90's/early
00's for something that's actually practical, commoditized, and can be plugged
in and "just work"(TM).

  Second point is: defense in depth.  It's an extra barrier.  You don't /not/
run an AV just because someone can write a custom virus it won't detect.  You
run simple and automated systems that can deal with the 90% of threats that
are easily managed in order to free up valuable /human/ resource to look into
the 10% that really do need to be understood.  It does /work/; it's just that,
when working, it only has a limited role to fill and is not a
one-stop-shop-one-size-fits-all-be-all-and-end-all-turnkey-security-solution.

  But then again, nothing is.  Or at any rate, no automated system is.  The
only thing that *really* works for security is people.  Lots and lots of
people, looking at what's going on and thinking about it and worrying about
whether something's wrong or not.  It would require a huge leap in AI for any
IDS to be capable of distinguishing false positives from real alerts, or to
spot some anomaly elsewhere in the network that makes it take a closer look
for false negatives; that's something that only human intelligence is capable
of.  It's not the fault of IDSen in general that they aren't as smart as
people; it's the fault of anyone who expects an IDS could substitute for a
real live person.  Automated tools can help at filtering and prioritising the
human workload, and nobody should pretend they can replace it altogether, so I
think you're asking too much of it for it to count as "work[ing] anymore" by
your standards.

  So, even if it is "filling a checkbox", it's a checkbox that does need to
have at least /something/ to fill it.


    cheers,
      DaveK
-- 
Can't think of a witty .sigline today....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave