Re: lots of monkeys staring at a screen....security?

["Thomas Ptacek" <thomasptacek () gmail com>]

@dailydave:

SourceFire isn't an IDS company; it's the leading indie IPS company. I
think they're poised to take ISSX's place in the market. I don't want
to dignify IPS, but I'm not convinced Snort's technology is any worse
than any of the mainstream IPS vendors (though I'm not sure Bivio was
a great move).

CounterPane seems to have had ~20MM in revenue. 2x is still short for
an MSSP play (Rothman's wrong about valuing CounterPane like a
consultancy --- their revenue scales independently of whatever top
talent they have, unlike @stake). But the writing is on the wall for
MSSPs: SecureWorks is going to get picked up by a tier 1 this year as
well. Credit MCI for being smart with their MSSP acquisition 2 years
ago.

I don't know if centralized IDS monitoring is the bread-and-butter for
most of these companies or not, but I don't think that's where they're
headed. Managed firewall is already huge, and managed desktop security
is on its way. There are ~50,000 CISSPs, a subset of which practice, a
subset of which form a basis to estimate how many competant security
people there are in North America. If there are 10,000, and the Global
2000 take 3 each (a ridiculous lowball), what are 500-person
manufacturing companies, regional hospital chains, and credit unions
supposed to do?

I am waiting for someone to tell me the story about how an IDS saved
their bacon. I'm not interested in the story about how it found the
guy with the spyware infection or the bot installation; secops teams
find those things all the time in their firewall logs and they don't
freak out about it when they do.

This "signature" vs. "real intrusion detection" thing is a big red
herring. Intrusion detection has been an active field of research for
over 15 years now and apart from Tripwire I can't point to anything
operationally valuable it has produced.

Halvar, when you figure out how to parallelize enough striped tape I/O
to keep up with a gigE connection, then, Halvar, then I will respect
you.

On 10/27/06, Halvar Flake <halvar () gmx de> wrote:
> In this entire IDS debate, I would like to recommend reading an old
> blog post from FX:
>
> http://www.phenoelit.net/lablog/paradigms/weglassen.sl
>
> Security by weglassen --> Security by omission.
>
> I still agree with the concept of replacing an IDS with just a large
> quantity
> of tapes on which to archive all traffic. IDSs will never alert you to an
> attack-
> in-progress, and by just dumping everything onto a disk somewhere you can
> at least do a halfways-decent forensics job thereafter. Since everybody and
> his dog is doing cryptoshellcode these days you won't be all-knowing, but
> at least you should be able to properly identify which machine got owned
> first.
>
> Cheers,
> Halvar
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave