I just read this article about ITM – yet another acronym, which stands for insider threat management. Looking at the products they reviewed in the infoworld article, I just don’t see what is so new about them. They seem to be either a NIDS or a HIDS on steroids. Why wouldn’t I be able to flag specific traffic with a NIDS? I can build a rule in snort which looks for SSN numbers floating around on my network. Yes, there are some nice managebility features built into these new products, but why don’t NIDS vendors add them on top of their products? I am over-simplifying, but think about it, all these new products are not really _that_ new. They wrap old concepts in new products.
Is marketing taking over completely?
January 24, 2006
ITM – Insider Threat Management
2 Comments »
RSS feed for comments on this post. | TrackBack URI
What many vendors discovered is that the same signature-based detection mechanisms typical of IDSs can be extended to monitor the transfer of proprietary data on internal segments of a LAN or across external segments of a WAN.
But what’s new is how these mechanisms are conjoined. Now you can have an agent-based application that resides on a host that creates document thumbprints and forwards them to an appliance that performs egress filtering. In turn this appliance can control the heartbeat of a firewall, make header modifications in conjunction with a Web proxy, etc.
Comment by Jeffrey — March 1, 2006 @ 12:58 pm
ITM must be one of the new fads. I’ve heard no fewer than 3 “luminaries” talk about internal honeypots, etc… since you wrote this article.
IMHO? We’re all just Jonesing for real data on threat communities, and someone just got the bright idea that we could actually gather data much easier from the inside.
Comment by A — March 6, 2006 @ 5:34 am