Intrusion Detection Systems mailing list archives

RE: BlackICE IDS (More comments ...)


From: genek () tripwiresecurity com (Gene Kim)
Date: Mon, 6 Dec 1999 13:21:14 -0800


[Lurk mode OFF]

Hey, Ron...  

Thanks for the good word -- we at Tripwire are pretty focused on continuing
to raise the bar in the integrity space.  I've become increasingly convinced
that there are three critical capabilities that an enterprise needs to have:
counting the money, buying the safe, and then getting a burglar alarm
system.

To me, the role of Tripwire in the enterprise is counting the money.  When
the burglar alarm goes off, or the safe gets cracked, you eventually need to
know what's missing -- you still need to count the money regularly.
Tripwire's role is obviously complementary to these other essential
capabilities.

To go overboard on this analogy, we are actively working on more currencies
to count -- i.e., we now count dollars (e.g., servers), and are working on
pesos, lira, yen, eurodollars, etc.  Basically, we want to provide integrity
capabilities to the infrastructure that runs critical business processes.

The note at http://www.cert.org/incident_notes/IN-99-07.html about trinoo
and such was extremely thought provoking.  To have a good security posture,
you need to know what is on your systems, and you need to know what's going
in your network.  As Stephen Northcutt has said over and over again,
instrumentation is everything.  Or better yet, having a clue is everything.
:-)

Cheers,
Gene

[Lurk mode ON.  :-)]

Gene Kim (mailto:genek () tripwiresecurity com)
Chief Technology Officer
Tripwire, Inc. (http://www.tripwiresecurity.com)
1631 NW Thurman St., 1st Floor
Portland, OR 97209
Office: 503-223-0280
Fax:    503-223-0182 

Tripwire in the news!
http://www.forbes.com/asap/html/99/0615/feat.htm

Tripwire is Linux World Security Editor's Choice!
http://www.wpi.com/linuxworld/lw-ec-winners.html

Let me pose a logic problem to everyone:  Does it make more sense to
place one system on each network that can handle 100k packets/sec OR
place one service on each desktop, where the desktops are each handling
100k packets a second and experiencing possible usability problems?  My
support staff would shoot me in my sleep if I put them through the
headache of supporting Yet Another Desktop Application -- esp. one that
can be handled at the network level.

I definitely favor a dedicated system that can handle 100k/sec. I don't
want any of my desktops or servers sniffing because that is a process
that can be expensive to do. At the desktop, I am much more in favor of
IDS products like Tripwire.
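The "counting the money" role Gene describes above, as an added example that is not part of the original post and is not Tripwire's code: a minimal file-integrity baseline and recount. It hashes every regular file under a directory, stores the result, and on a later run reports what appeared, what went missing and what changed. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Added example (not Tripwire's code): baseline a file tree, then recount it
and report added, removed and modified files."""
import hashlib
import json
import os
import tempfile


def snapshot(root):
    """Map every regular file under root (path relative to root) to its SHA-256.

    This is the 'count': a record of what is on the system right now.
    """
    counted = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not os.path.isfile(full):  # skip sockets, FIFOs, dangling links
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            counted[rel] = digest.hexdigest()
    return counted


def compare(baseline, current):
    """Report what is missing, what appeared and what changed since the baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def save_baseline(baseline, path):
    """Persist the count; keep this outside the monitored tree, ideally read-only."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed scenario: baseline a tiny tree, alter it, recount."""
    with tempfile.TemporaryDirectory() as work:
        root = os.path.join(work, "host")
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        files = {  # constructed sample files, not real system content
            "bin/login": b"original login binary\n",
            "bin/ls": b"original ls binary\n",
            "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)

        # The baseline lives outside the tree it describes.
        baseline_path = os.path.join(work, "baseline.json")
        save_baseline(snapshot(root), baseline_path)

        # Simulated changes: one binary replaced, one removed, one new file.
        with open(os.path.join(root, "bin/login"), "wb") as fh:
            fh.write(b"replaced login binary\n")
        os.remove(os.path.join(root, "bin/ls"))
        with open(os.path.join(root, "etc/shadow.bak"), "wb") as fh:
            fh.write(b"unexpected new file\n")

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

The point the post makes is visible in `compare`: a network sensor or alarm tells you something happened, but only a stored count lets you say what is missing afterwards. A baseline that sits on the monitored host can itself be altered, which is why `save_baseline` is written to a separate location.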