Matasano Chargen: Pro-Forma ‘06 Punditry Results

  • dre · 2 years ago
    MARS sold almost "too well" this past year. I expect a backlash against Cisco for MARS, CSA/CCA, and NAC in 2007. Especially when companies start to renew their SMARTNet contracts and realize the utter lack of value any of those products provided.

    NAC was countered with http://kevin.sf.net

    CSA was countered by Slipfest at CanSecWest

    MARS detected one script kiddie running land.c until they graduated from idiot university and ran snot/sneeze/etc

    combine the usefulness of Cisco IPS and it appears we have a winner for "most silicon snake-oil in 2006".
  • Anton Chuvakin · 2 years ago
    Sorry, I have to snicker at the miserable failure of #4 prediction :-) Just as I predicted.

    "What’s taking you guys so long?"

    Same as what I mentioned in our discussion thread: ongoing maintenance and log source support.
  • Daniel Cid · 2 years ago
    As far as #4 goes, I think we have something very close to a "credible" open source sim. OSSEC is being used more and more as a commercial SIM replacement and we currently support multiple log formats:

    http://www.ossec.net/wiki/index.php/Supported-Logs

    Most people think of it as an HIDS only, but its log analysis and correlation options are side by side with most commercial solutions (and even better most of the times).

    Link to it: http://www.ossec.net

    Thanks,

    Daniel Cid
  • toby · 2 years ago
    On #4, I'd agree with Anton partially (though I think log format support is less of an issue) but also point out that really what most companies are buying are the rules that are used by the SIM and the integration with ticketing systems, oh and the GUI. There are a couple good open source correlation engines out there (APE & OSSIM just off the top of my head) but having the other pieces is just a huge pain in the ass.
    I can't tell you how many really cool ideas I had pitched by VCs for a SIM based on a really neat technical approach. None of them figured in the issue of integrating with all the ticketing systems or building a good GUI with functional workflow (see BASE & SGUIL vs. ACID in terms of workflow clarity), etc...
    I don't expect to ever see a complete open source SIM. The correlation engines have existed for a couple years though.
  • Bamm · 2 years ago
    From the original 2006 Prediction post:

    "Expect a mainstream open-source combination of Argus and Sguil to own the security management conversation next year."

    Sorry to let you down. I'd take half the blame except adding Argus to Sguil doesn't a SIM make (http://infosecpotpourri.blogspot.com/2006/01/sg...).

    Also, Sguil has used SANCP (or a similar app) to provide flow/connection/session data since its inception. I've done a bit of research and haven't been able to find a compelling reason to create some type of hook between Sguil and Argus (yet).

    OSSEC (http://www.ossec.net) is starting to get more exposure though and as much as I despise the term SIM, it is starting to fill that void (even if it is labeled as a HIDS). Here is a list of log types it supports: http://www.ossec.net/wiki/index.php/Supported-Logs.
  • PaulM · 2 years ago
    Tom-
    On #1 - why didn't the # of M$ vulnerabilities drop? Is it too early (i.e. you'll repeat this prediction for 2007 and declare you were just ahead of the curve) or are their investments in SDL and security audit not working?
  • Thomas Ptacek · 2 years ago
    I think we need to get a spreadsheet of the vulnerabilities and work them out by application and impact. I'm also probably giving the research community credit for things that turn out not to be reliably exploitable on XPSP2. I also get the sense that this has been a rough year for browsers in general and IE in particular.
  • Dominique Karg · 2 years ago
    An interesting thread,

    I'm sure we're lacking marketing but at least I'd like to know why:

    #4 OSSIM

    is not an option, after almost five years of development.

    You get:
    - Correlation engine.
    - Simple correlation engine language (xml).
    - Lightweight plugins.
    - Cross correlation (Snort-Nessus)
    - Various anomaly detection engines (OS, Mac, Services, IP/TCP/UDP/...)
    - Website provides more information.

    I'd be glad to provide more information, samples and documents in case I get the opportunity.

    Dominique
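
    Several comments in this thread circle the same two pieces: multi-format log support (Daniel Cid's and Bamm's comments) and a correlation engine with Snort/Nessus cross-correlation (Dominique Karg's list). The following is an added worked example of what such a pipeline does at its core; it is not OSSIM's or OSSEC's code and was not posted by anyone in the thread. Every log line, hostname, IP address, scanner finding and the risk scale are constructed for illustration.

```python
"""Added example, not OSSIM's or OSSEC's own code: a minimal correlation
pipeline of the kind the thread discusses. It normalizes two log formats
into one event schema, applies a threshold rule across events, and
cross-correlates IDS alerts with scanner findings so that alerts against
hosts which actually carry the matching vulnerability rank higher.
Every log line, asset and finding below is constructed for illustration."""
import re
from collections import defaultdict
from typing import Optional

# Constructed Snort-style "fast" alert lines and syslog sshd lines.
SAMPLE_LOGS = [
    "12/14-03:21:07.123456  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 10.0.0.5:41234 -> 10.0.0.20:22",
    "Dec 14 03:21:09 host20 sshd[4411]: Failed password for root from 10.0.0.5 port 41234 ssh2",
    "Dec 14 03:21:10 host20 sshd[4412]: Failed password for root from 10.0.0.5 port 41235 ssh2",
    "Dec 14 03:21:11 host20 sshd[4413]: Failed password for admin from 10.0.0.5 port 41236 ssh2",
    "12/14-03:22:00.000000  [**] [1:2001219:18] ET SCAN Potential SSH Scan [**] "
    "[Priority: 2] {TCP} 10.0.0.5:41300 -> 10.0.0.21:22",
    "Dec 14 03:25:00 host21 sshd[5120]: Accepted publickey for deploy from 10.0.0.9 port 50000 ssh2",
]

# Constructed asset inventory (syslog hostname -> IP) and scanner findings
# keyed by (host IP, port); the findings stand in for a Nessus report.
ASSETS = {"host20": "10.0.0.20", "host21": "10.0.0.21"}
SCAN_FINDINGS = {("10.0.0.20", 22): "SSH allows password authentication for root"}

SNORT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<sig>.+?) \[\*\*\] .*?\[Priority: (?P<prio>\d)\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
SSHD_FAIL_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def normalize(line: str) -> Optional[dict]:
    """Map one raw log line onto the shared event schema. Returns None for
    lines no parser understands; the caller counts those instead of
    silently dropping them."""
    m = SNORT_RE.search(line)
    if m:
        return {"plugin": "snort", "sig": m["sig"], "src": m["src"], "dst": m["dst"],
                "dport": int(m["dport"]), "priority": int(m["prio"])}
    m = SSHD_FAIL_RE.search(line)
    if m:
        return {"plugin": "sshd", "sig": "auth failure", "src": m["src"],
                "dst": ASSETS.get(m["host"], m["host"]), "dport": 22, "priority": 3}
    return None


def threshold_rule(events: list, threshold: int = 3) -> list:
    """Directive-style rule: N auth failures from one source against one
    host become a single higher-priority 'possible brute force' event."""
    counts = defaultdict(int)
    for e in events:
        if e["sig"] == "auth failure":
            counts[(e["src"], e["dst"], e["dport"])] += 1
    return [{"plugin": "correlation", "sig": "possible brute force", "src": src,
             "dst": dst, "dport": dport, "priority": 1}
            for (src, dst, dport), n in counts.items() if n >= threshold]


def cross_correlate(event: dict, findings: dict) -> dict:
    """Attach the scanner finding for the event's target (if any) and compute
    a risk score: base severity (priority 1 is highest, as in Snort),
    doubled when the target is known to be vulnerable on that port."""
    finding = findings.get((event["dst"], event["dport"]))
    base = 5 - event["priority"]
    return {**event, "vulnerable": finding, "risk": base * 2 if finding else base}


def correlate(lines: list, findings: dict = SCAN_FINDINGS, threshold: int = 3):
    """Full pipeline: normalize, add derived events, enrich, rank by risk.
    Returns (ranked_events, unparsed_line_count)."""
    events, unparsed = [], 0
    for line in lines:
        e = normalize(line)
        if e is None:
            unparsed += 1
        else:
            events.append(e)
    events += threshold_rule(events, threshold)
    ranked = sorted((cross_correlate(e, findings) for e in events),
                    key=lambda e: e["risk"], reverse=True)
    return ranked, unparsed


if __name__ == "__main__":
    for e in correlate(SAMPLE_LOGS)[0]:
        tag = "[" + e["vulnerable"] + "]" if e["vulnerable"] else ""
        print(f'risk={e["risk"]} {e["plugin"]:11} {e["sig"]:24} '
              f'{e["src"]} -> {e["dst"]}:{e["dport"]} {tag}')
```

    Run as a script it prints the ranked events: the derived brute-force event against the host whose scan finding matches comes out on top, the identical Snort signature against the host with no such finding sinks to the bottom, and the one "Accepted publickey" line is reported as unparsed rather than dropped. The scoring scale and the "double when vulnerable" rule are arbitrary choices made for this example; the point is the structure (parser per log source, rules over the normalized events, enrichment from scan data), which is what the commercial products in the thread bundle with their GUI and ticketing glue.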
  • Hikaru · 2 years ago
    We're using OSSIM in our company. I think it's a good replacement for commercial SIMs, although it hasn't got so much report functionality.

    You can take a look at http://www.ossim.net to check it.

    Hkr.
  • W.L> · 1 year ago
    What is APE? I only know OSSIM....