Right, I understood the preauthorized part. I guess I was just wondering what their reactions were on the assumption that the signatures were deployed in a non-passive mode, meaning, they went into block mode.
Thanks for clearing this up.

On 1/18/06, Adam Powers <[EMAIL PROTECTED]> wrote:
> He did say "preauthorized group of sensors". I take that as a list of
> customers that have approved signature beta testing. Nothing at all wrong
> with that approach.
>
>
> On 1/18/06 3:43 PM, "Sam Evans" <[EMAIL PROTECTED]> wrote:
>
> > Paul,
> >
> > I'm curious to know how these customers feel about their networks
> > being used as guinea pigs?
> >
> > "ISS is also a managed services provider for a large number of customers.
> > It leverages its Managed Security Services unit to efficiently field
> > test security content updates prior to shipping these to the larger
> > customer base. The update is shipped to a preauthorized group of sensors
> > on various customers' networks in order to see live traffic in
> > production networks. This added test cycle benefits all customers, and
> > especially those customers in the test group, as we can be sure that
> > these customers' traffic is accurately analyzed and verified.
> > "
> >
> >
> > On 1/18/06, Palmer, Paul (ISSAtlanta) <[EMAIL PROTECTED]> wrote:
> >> David,
> >>
> >> I work for ISS.
> >>
> >> I can tell you that it is very challenging for the vendors to produce
> >> quality signatures today. Vulnerabilities are announced at a record
> >> pace. There is now financial incentive for criminals to research and
> >> discover their own 0-day vulnerabilities, so we are going to see a lot
> >> more of these now. This places incredible pressure on the vendors to
> >> produce protection signatures as quickly as possible so as not to leave
> >> their customers exposed.
> >>
> >> This should not be taken as an excuse, it is just the reality with which
> >> each vendor must successfully come to terms.
> >>
> >> Every schedule is defined by the scope of the problem, the time
> >> available, and the resources available. If you fix any two of them, the
> >> other has to give. So, if you will produce a quality signature, you must
> >> either invest more time or more resources. Given that the time element
> >> isn't very flexible for this problem, it means that you must invest more
> >> resources. To do otherwise results in late delivery or poor quality
> >> (stability, false negatives, false positives, etc).
> >>
> >> So, the vendors that invest the most resources into the problem are the
> >> ones that are going to produce the best quality over the long run.
> >> However, there is still a problem with scalability in the face of the
> >> ever increasing rate that vulnerabilities (and for many vendors,
> >> exploits also) are discovered. Only the vendors with very efficient
> >> processes are going to be able to stay in the business over the long
> >> run.
> >>
> >> The QA challenge for IPS products is unlike any other I have
> >> experienced. One of the things IPS vendors learn very quickly is that
> >> lab traffic alone is insufficient for testing IPS products. The products
> >> must be exposed to as much real world traffic prior to the release of
> >> updates as possible. The second lesson is that there is a very wide
> >> variety of traffic on customer networks. An update exposed only to lab
> >> traffic can work flawlessly on 9 out of 10 customer sites and fail
> >> miserably on the tenth. Even if it is 99 out of 100, it is unacceptable.
> >>
> >> ISS is also a managed services provider for a large number of customers.
> >> It leverages its Managed Security Services unit to efficiently field
> >> test security content updates prior to shipping these to the larger
> >> customer base. The update is shipped to a preauthorized group of sensors
> >> on various customers' networks in order to see live traffic in
> >> production networks. This added test cycle benefits all customers, and
> >> especially those customers in the test group, as we can be sure that
> >> these customers' traffic is accurately analyzed and verified.
> >>
> >> Every vendor is different. The ones that can and do consistently invest
> >> in their processes will have the better quality record over the long
> >> run. Look for the ones that have been investing in quality long enough
> >> to have developed mature and efficient processes to have the best
> >> quality.
> >>
> >> So, finally, I would expect that the trend in the industry overall is
> >> towards higher quality as some vendors consistently improve their
> >> processes and the ones that do not are gradually winnowed out.
> >>
> >> Paul
> >>
> >> -----Original Message-----
> >> From: David Williams [mailto:[EMAIL PROTECTED]
> >> Sent: Saturday, January 14, 2006 9:04 AM
> >> To: [email protected]
> >> Subject: Signatures taking down network
> >>
> >>
> >> I'm evaluating a Tipping Point box and after getting the latest
> >> signatures I'm having problems with the box "crashing". My goal is not
> >> to bash Tipping Point, but instead to gather information on how often
> >> people have seen this type of thing among IPS boxes.
> >>
> >> Is there a trend with vendors to roll out signatures as fast as possible
> >> without proper QA? This brings up a lot of questions about deploying
> >> IPS. I want two opposite things from my vendors: 1) I want the latest
> >> signatures super fast. 2) I want proper QA so that it doesn't bring
> >> down my network. I realize those two things are contradictory, but I
> >> thought I'd throw it out there to see if anybody had any thoughts.
> >>
> >> thanks,
> >>
> >> d
> >>
> >> ------------------------------------------------------------------------
> >> Test Your IDS
> >>
> >> Is your IDS deployed correctly?
> >> Find out quickly and easily by testing it
> >> with real-world attacks from CORE IMPACT.
> >> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> >>
> >> to learn more.
> >> ------------------------------------------------------------------------
> >>
> >
>
> --
>
> Adam Powers
> Director of Technology
> Lancope, Inc.
> c. 678.725.1028
> e. [EMAIL PROTECTED]
