Forwarded from: Gary Golomb <gee_twoat_private>

Someone just replied saying I was ranting and missed the point of the report. (Since it was sent directly to me and not the list, I'll leave him anonymous. And man, no offense at all! Seriously!) For better or for worse, he's right and some parts of this definitely are rants.

Because of Gartner's weight, there are some serious and negative side effects of them just defining new terms on the fly, or saying some technology is more/less useful based on non-technical findings. They affect some of us more than others, but it does impact all of us when stuff like this is allowed to go by unchecked.

One of the biggest impacts (of several) this is going to have is on non-technical folks. Now every IDS vendor under the sun will be renaming their products to Intrusion Prevention/Protection/Response/etc Systems. What's that going to do for the people that don't know any better? Marketing is what makes the world go around, and if we've made any progress in forcing IDS vendors to hold to their claims, that's all probably just been thrown out the window. (I could write another email on this subject alone, but I'm probably pushing it enough as-is.) With technical people in one hand and Gartner in the other, I'll give you one guess who'll win that battle.

Not only is this going to hurt the public, who's trying to learn how to effectively implement these technologies, it's going to hurt products also. Especially to meet the 2005 forecast [read: deadline] set forth by Gartner if [when] vendors reallocate R/D resources to "prevention" advancements as opposed to evolving and expanding "detection" technologies. It's nice to think the two methodologies are completely interchangeable (as Gartner has so liberally done), but the truth is, they're not. There isn't a person I know who'd say that Intrusion Detection is fully mature and doesn't need any more research. Granted, IP needs more resources dedicated to it also, but there are other products purpose-built for "protection" that seem to make better foundations for advancing this technology.

Anyways, there's one other point to be made about this report. As I see it, the blame is not entirely on Gartner. This report was written based on the information made available to the author from vendors. IPS vendors had a more convincing story. Shame on the vendors still taking a responsible approach to IPS technologies for not having a stronger, louder, and more relevant story and actively lobbying it to the Gartners of the world. You reap what you sow, or don't sow....

-gary

--- InfoSec News <isnat_private> wrote:
> Forwarded from: Gary Golomb <gee_twoat_private>
> To: focus-idsat_private, isnat_private
>
> Ok, this is going to be long. Also, this email is being written
> entirely on my own impetus and **definitely does not** reflect the
> views of my employer. (In fact, I'll be surprised if I make it
> through this one without any bruises.)
>
> Gartner, Inc. has recently released a document authored by Richard
> Stiennon entitled, "Intrusion Detection Is Dead - Long Live
> Intrusion Prevention." (So I'm guessing we don't need to cover what
> that document is about.) Gartner is self-described as, "For 20
> years, Gartner's Research & Advisory services have been recognized
> as the definitive source for objective technology thought
> leadership." Ok, fair enough. I'm a fair person and everyone makes
> mistakes.
>
> Unfortunately, this is not Gartner's first mistake along these
> lines. Here's a quote from a paper now a year and a half old (also
> from Gartner):
>
> "Intrusion Prevention Will Replace Intrusion Detection. Enterprises
> should delay new large investments in intrusion detection systems --
> which have failed to provide additional security -- until intrusion
> prevention systems emerge that provide a stronger defense against
> 'cyberattacks.'"
>
> No, this is not the first time Gartner has displayed such a
> grotesque misunderstanding behind detecting and defending against
> *real* threats, but this is definitely the most horrible.

[...]

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Tue Jun 17 2003 - 02:29:01 PDT