Re: IDS thoughts

["Andrew Plato" <aplato () anitian com>]

> There's really not a whole lot else to be done in the IDS market except
> product improvements (code refinement,etc), signature maintenance, and
> keeping up with data rates. Oh, and press releases.
>
> So for the IDS consumer, which the majority of us on this list are, all
that
> really matters is what has always mattered. Feature sets, GUI's, unit
cost,
> usability/manageability, forensics, maintainability, a product's
ability to 
> integrate
> with third-party tools, low false-positive and false-negative rates,
etc.
> Little of what the vendor reps had to say about PSD had anything
> to do with that. If you go back and look at the posts by any vendor
> rep over the last year or two, it'll be the rare one that addresses
> a customer's standard issue set.
>
> So when you vendor guys start talking objectively about things
> IDS consumers like me really care about, I'll listen. I won't
> be holding my breath waiting. In the meantime, save your
> thinly veiled digs at each other for your marketeers.

I disagree. If you really get under the covers of many of the popular
IDSs on the market, you quickly realize, they are not all the same.
Sure, all of them might SAY they detect a PSD, but that doesn't mean
they will do it correctly or consistently. I won't point fingers or play
favorites, but some IDSs are mostly fluff and BS. They sell because they
have a big named attached to them and pushy sales people. 

I think the IDS space has a long way to go and there is a lot to do in
the market. For example, we're just now seeing the acceptance of IPS
technologies. And IDSs are getting better and more capable at filtering
through the garbage and finding the gems (or turds, depending on how you
look at it.) There's innovation there. However, I would agree that some
basic stuff, like GUIs and my personal pet peeve - documentation - are
still very much in the crappy column. 

I think one problem is that a lot of vendors suffer from poorly
conceived sales strategies. The people who formulate sales strategies
are dorks in suits sitting in big offices, with little customer contact.
They have never once in their life had to actually install or manage an
IDS, so they aren't aware of what really affects customers. These guys
dream up strategies based on what they read on billboards and the back
of milk cartons. They then push those strategies on sales people and
channel managers who must religiously bark the company dogma to every
person they meet. The result is a pitch that's more about propaganda
than honest capability. 

If you want to really know about an IDS, talk to the people who install
and manage them and not to sales people and vendor reps. Naturally, I
encourage people to work with smaller, consulting-oriented resellers
(like me!) who can offer honest advice on a number of different
products. A good reseller skips over the sales pitch and talks about the
realities of installing and using an IDS. As such, you will get insight
into those issues you mentioned. 

___________________________________
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

Enterprise Security &
Infrastructure Solutions
 
503-644-5656 Office
503-644-8574 Fax
503-201-0821 Mobile
www.anitian.com 
___________________________________

-------------------------------------------------------------------------------
INTRUSION PREVENTION: READY FOR PRIME TIME?

IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities
- including intrusion identification, relevancy, direction, impact and analysis
- enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at:
http://www.securityfocus.com/IntruVert-focus-ids2
-------------------------------------------------------------------------------