Hash: SHA1
(This is longer than intended, sorry).

Points such as: IDS is used throughout a network, not merely at the
border; DMZs are penetrated because firewalls operate irrespective of
application data; regardless of the marketing buzzwords involved, Gartner is
simply suggesting IDS features will exist in firewalls; and IDS data is
nearly useless without a way to mine and analyze it, are extremely
valid points. Most of the messages regarding the Gartner report have been
fantastic.

A harsh indictment such as "technology X is dead" shouldn't be based on
marketing/sales data with supplemental claims by CTOs. Market research
performed in this manner resembles meteorology: a little science and a lot
of guesswork. Decision makers within large companies frequently make
purchasing decisions based on incomplete data. We're led to believe these
decision makers are so busy that anything longer than a ten-minute
presentation using a handful of PowerPoint slides is unacceptable. If
you've tried to summarize the need, cost and implications of deploying a
technology as complex as IDS to a decision maker in this manner, you
probably share my bewilderment. A responsible market research organization
must keep this in mind before giving authority to the statements made by
decision makers concerning the viability of complex technology.

In general, it's probably best to wait until you've actually deployed IDS
on a large scale and then analyzed the data of the system before making
broad statements as to the usefulness or lack thereof of the technology.
It helps if you've actually written an IDS or components of one too. I'd
love to know the background of the two Gartner researchers as it relates to
large-scale IDS deployment, management, analysis and development.

Dan Geer wrote an article in the latest issue of ;login: ("Getting the
problem statement right"). His article contains new and significant
arguments; I encourage everyone to read it (especially Gartner). A Gartner
proposed system operating only at network borders doesn't appear to address
the need to do something innovative with IDS. Geer hints at some ideas
such as: scrutinize a marketing system communicating with a source code
management system. Instead, the Gartner report restates a number of
previously stated arguments (some updated with purely made-up marketing
buzzwords), puts a new spin on some existing arguments, but makes few new
and significant arguments. The lack of technical evidence to support their
theories is frustrating.

Wasn't it Gartner themselves who said something to the effect that they can
singlehandedly control the success or failure of a security product?
Depending on the context, a statement of that sort is troublesome.

It's rude to accuse the entire Intrusion Detection industry of being
hopelessly myopic, particularly when the accusing organization doesn't
actually produce any of its own technology. I thank Gartner for their
pointers as to what is being done incorrectly, and I anxiously await their
hybrid firewall product complete with intrusion detection technologies.
-Jeff
--
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre
minds."
- Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (OpenBSD)
iD8DBQE+882SEqr8+Gkj0/0RAp36AJ0c7w+6BHr2UrU+BTnTETLc3WW6DwCguUzp
Tg2UiC9JyO7ntvQYGVIvjNY=
=Hxp9
-----END PGP SIGNATURE-----
-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists. See for yourself what the buzz is about!
Early-bird registration ends July 3. This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------