Dailydave: Re: Risk Management Services

["Jeff Moore" <cisoguy () gmail com>]

On 4/3/07, Paul Melson <pmelson () gmail com> wrote:

> Well, someone's using Retina at least.  Which makes sense,since Nessus
> on pure Windows is still undoable and NVA/pentest work is a big-money
Have you seen the state of Retina lately?  It appears, at least as a
customer, that they have put all resources into Blink which is a bad move.
Their coverage for Windows issues is now limited to simply checking registry
keys for patches and their alternative operating system scanning is broken
and never yields consistent results.  Somehow I have a hard time trusting a
solution that can give different results each time you scan the same system
on the same day where there have been no changes.  This would be why we are
now looking at Tenable and nCircle for our VA needs.

> http://marc.info/?l=full-disclosure&m=117524796007054&w=2
Too bad their patch for that issue was sloppy and very much like Blink.
Ineffective.

> Anyway, I think the reason HIDS in general doesn't see a lot of
> widespread adoption is that companies view their production networks -
> especially where Windows is running, where HIDS gets the most traction
> - as fragile.  They don't want "agents" or "clients" or anything that
> could hurt performance or stability.  And while I haven't personally
> ever touched Blink, I've seen it's competition implode when installed
> in just the wrong environment.  That, and at still roughly 5-10x the
> per-seat cost of AV products, it's hard to sell a product that
> basically does what IT managers think AV does.
I mostly agree.  In our installation, we spent a lot of lab time testing all
of the potential HIPS solutions and once we decided on one we spent even
more time in our lab tweaking it to not break our applications and to not
cause instability.

J

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave