IDS mailing list archives

IDS thoughts


From: Randy Taylor <gnu () charm net>
Date: Tue, 13 May 2003 14:50:52 -0400


The recent debate on Polymorphic Shellcode
Detection (PSD) illustrates something about the IDS field
that isn't discussed often, if at all.

IDS has made the transition from leading-edge space to
commodity space.

PSD is a good example. Every major IDS product on the market
provides some form of PSD. It may be a partial or an exact
match, but all of them will say something along the lines
of, "there's something not right here - pay attention". Any enterprise
with a good network security team either in-house or outsourced
will start paying attention immediately.

With that point established, the differentiation debate between
IDS vendors has to shift to commodity-style arguments:
"We have a better algorithm!", "We're faster!", "We provide
better ROI!", "Now with Boron! (tm)", etc. This is what was really
at the heart of the recent discussion between representatives
of IntruVert, ISS, and Enterasys on PSD.

Fragrouter has done about everything that can be sanely done
to a packet through Layer 4. Everything else that is happening
is Layer 5 and above - most of that is a derivative of something
that has gone down the wire before and in the main it's not even
trying to hide.

There's really not a whole lot else to be done in the IDS market except
product improvements (code refinement, etc.), signature maintenance, and
keeping up with data rates. Oh, and press releases.

So for the IDS consumer, which the majority of us on this list are, all that
really matters is what has always mattered. Feature sets, GUIs, unit cost,
usability/manageability, forensics, maintainability, a product's ability to integrate
with third-party tools, low false-positive and false-negative rates, etc.

Little of what the vendor reps had to say about PSD had anything
to do with that. If you go back and look at the posts by any vendor
rep over the last year or two, it'll be the rare one that addresses
a customer's standard issue set.

So when you vendor guys start talking objectively about things
IDS consumers like me really care about, I'll listen. I won't
be holding my breath waiting. In the meantime, save your
thinly veiled digs at each other for your marketeers.

Thanks,

Randy

-----
"To succeed in the world, it is not enough to be stupid,
 you must also be well-mannered."
          -- Voltaire ---


