Re: time for my lil opinion poll: msg#00049 security.dailydave
I've sat through a number of meetings with vendors in the space recently, plus, I stayed at a Holiday Inn last night, so that makes me an expert. Here is my take:

There is no doubt that these systems are evadable and all the vendors I spoke with accepted this fact (some had to be pressured more than others). This is especially true if you don't implement host-based agents as well as the network appliances. So, if you are shopping this market for the sole purpose of preventing malicious insiders from walking away with your intellectual property, then my opinion is the dollars are better spent on providing HR with the resources it needs for doing things like proper background investigations as well as improving the workplace (crazy how loyal happy employees are).

Inadvertent data leakage is a different story. I am an 8th degree black belt in Binfu [0], so I can understand how an individual might accidentally email one customer's cost structures to another. These systems can also help enforce compliance with things like HIPAA (are you sure sensitive health information isn't being inadvertently sent in the clear?).

The best component of these systems that I have seen is their ability to discover "data at rest" (this is usually considered an additional feature). I am a security monitoring and incident response guy by trade so, quickly identifying if (and what) sensitive data resided on compromised systems is an important piece of information when you are assessing the impact an intrusion has had on a company.

Even though I could see some value from the technology, I am still not convinced that the costs are worth it. I am probably going to end up doing a full eval on a few of the products in the space in the near future. In the end I expect the CYA factor to be a leading driver on why companies purchase products in this space and the vendors are pretty good at pushing the FUD.

Bammkkkk

[0] binfu (bin foo): The fine art of inadvertently causing unexpected system downtime, outages, and file deletions. "binfu" was first used to describe the action of "accidentally" performing an "rm -rf" on the directory /usr/bin. Once binfu has been exercised, it is best bystanders stand clear, since vulgar language and flying objects often follow the use of binfu.

"My your binfu is so excellent." - Bamm to Rich (circa 2000)

On 4/25/07, Arun Koshy <arunkoshy@xxxxxxxxx> wrote:
> A friend from the vuln research arena ( sorry .. no names etc ) told
> me in a convo a few hours ago that this does not work :
>
> http://en.wikipedia.org/wiki/Information_Leak_Prevention
>
> Would like to know the community's opinion about the whole arena ..
> both public and private responses ( if you can't be public ) are
> welcome.
> _______________________________________________
> Dailydave mailing list
> Dailydave@xxxxxxxxxxxxxxxxxxxxx
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>

--
sguil - The Analyst Console for NSM
http://sguil.sf.net