[Dailydave] lots of monkeys staring at a screen....security?

Dave Aitel dave at immunitysec.com
Fri Oct 27 23:43:16 Local tim 2006 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
To paraphrase Immortal Technique, *There's a market* out there for
everything, for pet psychologists, nipple rings, and SYN flood
detectors. Honestly, every time I see a stack of those fake Airborn
"Cold Prevention" tablets in the airport magazine stores I think of a
CISSP recommending some random IPS vendor because they took him out to
lunch at one of those horrible Chinese restaurants near Wall St. IPS
is just as silly as IDS, and every time I own someone's browser over
SSL via my own personal exploit hidden inside an encrypting javascript
blob I can thank that CISSP for not putting their money somewhere it
does some good.

These days I do less coding than I used to, but I know if I move 10K
and one month into defeating an IPS someone in the IPS company is
going to have to spend a 100K and one year into counteracting that.
And the curve is growing in my favor. A year from now it will be 200K
and two years.

I like FX's take. "We decided to remove them. They were bad for security."

- -dave

Thomas Ptacek wrote:
> @dailydave:
>
> SourceFire isn't an IDS company; it's the leading indie IPS company. I
> think they're poised to take ISSX's place in the market. I don't want
> to dignify IPS, but I'm not convinced Snort's technology is any worse
> than any of the mainstream IPS vendors (though I'm not sure Bivio was
> a great move).
>
> CounterPane seems to have had ~20MM in revenue. 2x is still short for
> an MSSP play (Rothman's wrong about valuing CounterPane like a
> consultancy --- their revenue scales independently of whatever top
> talent they have, unlike @stake). But the writing is on the wall for
> MSSPs: SecureWorks is going to get picked up by a tier 1 this year as
> well. Credit MCI for being smart with their MSSP acquisition 2 years
> ago.
>
> I don't know if centralized IDS monitoring is the bread-and-butter for
> most of these companies or not, but I don't think that's where they're
> headed. Managed firewall is already huge, and managed desktop security
> is on its way. There are ~50,000 CISSPs, a subset of which practice, a
> subset of which form a basis to estimate how many competant security
> people there are in North America. If there are 10,000, and the Global
> 2000 take 3 each (a ridiculous lowball), what are 500-person
> manufacturing companies, regional hospital chains, and credit unions
> supposed to do?
>
> I am waiting for someone to tell me the story about how an IDS saved
> their bacon. I'm not interested in the story about how it found the
> guy with the spyware infection or the bot installation; secops teams
> find those things all the time in their firewall logs and they don't
> freak out about it when they do.
>
> This "signature" vs. "real intrusion detection" thing is a big red
> herring. Intrusion detection has been an active field of research for
> over 15 years now and apart from Tripwire I can't point to anything
> operationally valuable it has produced.
>
> Halvar, when you figure out how to parallelize enough striped tape I/O
> to keep up with a gigE connection, then, Halvar, then I will respect
> you.
>
> On 10/27/06, Halvar Flake <halvar at gmx.de> wrote:
>> In this entire IDS debate, I would like to recommend reading an old
>> blog post from FX:
>>
>> http://www.phenoelit.net/lablog/paradigms/weglassen.sl
>>
>> Security by weglassen --> Security by omission.
>>
>> I still agree with the concept of replacing an IDS with just a large
>> quantity
>> of tapes on which to archive all traffic. IDSs will never alert you to an
>> attack-
>> in-progress, and by just dumping everything onto a disk somewhere you can
>> at least do a halfways-decent forensics job thereafter. Since
everybody and
>> his dog is doing cryptoshellcode these days you won't be all-knowing, but
>> at least you should be able to properly identify which machine got owned
>> first.
>>
>> Cheers,
>> Halvar
>>
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunitysec.com
>> http://lists.immunitysec.com/mailman/listinfo/dailydave
>>
>>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunitysec.com
> http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
 
iD8DBQFFQpmTzOrqAtg8JS8RAt43AJ9nESIeUw6azt8nl1nBe0IV1NQ+dgCgiA7i
n6a81Wp4EGxFzOjKMbnooNA=
=TwhL
-----END PGP SIGNATURE-----

More information about the Dailydave mailing list