
Firewall Wizards mailing list archives

RE: RE: IDS (was: FW appliance comparison)
From: "Marcus J. Ranum" <mjr () tenablesecurity com>
Date: Wed, 01 Feb 2006 16:31:21 -0500

Bill Royds wrote:
> Most IT shops these days see the
> word programming (or even scripting) and give you the sign of the cross.
> Computer people don't know how to program these days and it is the kiss of death
> for anything to say "just a little programming".

Yes; yet those same managers and IT professionals shake their
heads in puzzlement over the high cost of "off the shelf solutions"
and the poor quality of commercial software.

> That is why people ask for $80K SIM systems.
> They want someone else to tell them how to pick out the important data out of
> log files. A 20 line Perl program is much too complex.

The problem is that the SIM solutions don't know how to pick important
data out of log files. They pick data out of the log files based on their
developers' notion of "important" rather than being based on an understanding
of site policy.

In a way this is exactly the same as IDS - which came under fire for
producing "too many false positives."  The "false positive" problem,
however, is not really a failure of IDS - it's that the IDS designers made
decisions about what was interesting that their customers did not
agree with. So the IDS identifies that "some user is doing an awful
lot of IRC traffic! possible botnet?" and the customer gets mad at the
IDS and shuts it off because his site-specific knowledge tells him that
"that's just our VP of Big Round Things and he plays IRC all day"

So those IT managers who pay tons of $$ for a SIM are going to be
complaining that their SIM is useless in a couple years. And they
will be right -- because a SIM that can't turn a moron into a clueful
security practitioner really _is_ pretty useless, after all. IDS failed
at that, as well. I wonder what Gartner will say about SIM when the
time comes? Will it be the "pet rock" of security, like IDS, or will
it be some other quaint simile?

What you're really pointing to is the sad observation that most
IT managers would rather pay $80,000 to remain stupid than
to go to the trouble of getting a little bit intelligent for free.

mjr. 

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
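
The thread's point that "important" has to come from site policy, not from the tool vendor, can be shown with a short log triage script. This is an added example, not code from the thread; the flow-log format, the addresses and the policy entries are constructed assumptions built around the IRC case mentioned above.

```python
import re
from collections import Counter

# Constructed sample events in a hypothetical flow-log format (not from the thread).
SAMPLE_LOG = """\
2006-02-01T09:00:01 src=10.1.4.20 dst=192.0.2.10 dport=6667 bytes=48211
2006-02-01T09:00:07 src=10.1.4.20 dst=192.0.2.10 dport=6667 bytes=51877
2006-02-01T09:02:30 src=10.1.9.77 dst=198.51.100.5 dport=6667 bytes=90455
2006-02-01T09:03:12 src=10.1.2.15 dst=203.0.113.8 dport=80 bytes=1200
2006-02-01T09:04:44 src=10.1.9.77 dst=198.51.100.5 dport=6667 bytes=87310
garbage line the parser has never seen
"""

# Assumed site policy: local knowledge that a generic product cannot ship with.
SITE_POLICY = {
    "expected": {("10.1.4.20", 6667)},  # the one host known to sit on IRC all day
    "ignored_ports": {80, 443},         # routine web traffic, not worth a human's time
    "watched_ports": {6667},            # IRC from any other host deserves a look
}

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes=(\d+)$")

def triage(log_text, policy):
    """Split a log into policy violations and lines nobody has classified yet.

    Returns (alerts, unknown): alerts maps (src, dport) to total bytes seen,
    unknown lists every line that neither parsed nor matched a policy rule.
    """
    alerts, unknown = Counter(), []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unknown.append(line)        # never silently drop what we can't parse
            continue
        _, src, _, dport, nbytes = m.groups()
        key = (src, int(dport))
        if key in policy["expected"] or key[1] in policy["ignored_ports"]:
            continue                    # site policy says this is normal here
        if key[1] in policy["watched_ports"]:
            alerts[key] += int(nbytes)  # same traffic, different host: flag it
        else:
            unknown.append(line)        # parsed, but policy has no opinion yet
    return alerts, unknown

if __name__ == "__main__":
    alerts, unknown = triage(SAMPLE_LOG, SITE_POLICY)
    for (src, dport), total in alerts.items():
        print(f"ALERT {src} port {dport}: {total} bytes")
    for line in unknown:
        print(f"REVIEW {line}")
```

The same IRC traffic is silent for the approved host and an alert for any other, and that difference lives entirely in `SITE_POLICY`.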

