[Emerging-Sigs] Emerging Threats Sells Out!!!

Matthew Jonkman jonkman at emergingthreatspro.com
Sat Oct 2 16:48:21 EDT 2010

Excellent comments Martin. Some of my own inline. I appreciate your frankness.
> It's clear to me that there are both pros and cons to this move from
> my perspective, (that of an avid ET user but also a VRT subscriber).
> There is one big pro that I can see in this, and that is if the Telus
> intel is comparable to what VRT is getting from MAPP, and the ET Pro
> sigs are GID 1, not GID 3, then this is a huge win for the community.

MAPP is just MS, Telus is everything including MS. Extremely high quality research!

> As a user of the GID 3, I have to say that I am thoroughly
> underwhelmed.  The sigs end up being almost entirely useless because I
> have no idea why they do or do not hit.  Add on top of that the fact
> that I cannot even get them to run without segfaulting on most CentOS
> 4 x86_64 and RHEL 4/5 x86_64 with Endace DAG, and it becomes clear
> that it's not worth the money.  Sourcefire should also note that the
> major reason we choose Sourcefire over their competitors has in the
> past been that open signatures allow for proper incident response and
> investigation, whereas closed signatures do not (such as alerts from
> Cisco, Symantec, et al.).  In short, the one thing that has set
> Sourcefire apart from its competitors is rapidly eroding.

We made that choice as a community in Suricata not to support rule obfuscation, and we've made the same choice here in ET Pro. We will not distribute obfuscated rules. It's not required, necessary, or helpful. In fact it's counterproductive. If we have an intel source that requires obfuscation we will get the data elsewhere.

> Enter ET Pro/OISF, which seems to be positioning itself to be
> completely Sourcefire independent.  I wish I thought this was a bad
> thing, but honestly, we are just not getting the value of out SF the
> way we did 3-4 years ago, so I think this competition is healthy and
> needed.

I agree there. We owe SF for the years of support and dev. They do good stuff. But competition is not just good, but NECESSARY; it makes us all step up and do more. You should choose what kind of coverage you want. In sec we shop and compare everything we get to no end, except our intel sources. We're missing something here...

> That said, there is a large con to the situation here, and that is
> that the mission statement has now officially changed from "help the
> community" to "make money, then help the community."  If that's not
> the case, then you are a non-profit, not a business.  The first order
> of any business is to make money.  I don't think it's unfair or
> immoral to make money, I just get annoyed when companies insinuate
> that there is different top priority.  This is applicable because we
> all know that at some point, there will be a situation in which the
> good of the community comes after the good of the paying customer.  If
> I were a paying customer, I'd certainly be offended to hear otherwise.
> This is a huge shift, and though it may not end up hurting the
> community, it could.

I understand that concern, and we do have to make money or we can't provide the support, QA, optimizations and conversion back to the community. But we're also not coming into this with massive hardware development R&D debt. No VC either. So it's simpler.

But this is the main reason I volunteered to put ET under the control of a board of our peers. And I'll get that charter written and out in a week or so. That I believe removes the possibility that I will be tempted to do something stupid and alienate the community. It is not inconceivable that I will do something stupid. Someone please stop me when you see it coming. :)

> I would like to recognize Matt (and many of you) here for the work
> he's done thus far.  When you do work for free, it becomes more and
> more awkward because there's no written SLA or time/money trade-off to
> guide you when figuring out how much effort you're willing to donate.
> I've certainly benefited over the years from ET's work without paying
> for the service, and I am appreciative of that.  ET Pro will allow
> Matt et al. to be up front with expectations and costs, which I think
> is an inevitable milestone of any successful project.
> So, here's what it will come down to for FY12 procurement in my org:
> If ET Pro is anywhere near the pricing for VRT, we will be dropping
> VRT in favor of ET Pro as long as VRT continues with GID 3.  Honestly,
> though, I don't expect Sourcefire to be selling VRT sigs within a year
> or two as they move more and more towards appliance offerings, and are
> ultimately bought out shortly thereafter by, oh, let's say Cisco.

We are 350/sensor/year for up to 20 sensors. After that we work out a site license case by case. We also offer a steep EDU discount, and we will be introducing a program later where if you contribute hits anonymously via sidreporter you'll have a discount as well. (That'll help us tune/obsolete rules and see trends coming.)

>  I
> would love it if Razorback changes all of this, but it's got a long
> way to go, and it needs some serious community support to develop
> plugins, and it will have to compete with Suricata for that community
> time.  But that's what happens when you court stockholders instead of
> security analysts (beware, ET Pro!).

Point well taken. That's my most significant fear in this venture.


> --Martin
> On Mon, Sep 27, 2010 at 9:18 AM, Matthew Jonkman <jonkman at jonkmans.com> wrote:
>> We are adding a full coverage premium subscription ruleset. So not really selling out I suppose, it's just us still. No outsiders... so we're kind of selling out to ourselves. If you have to sell out that's the way to do it I think!
>> We are building a new ruleset, one that has full vulnerability coverage. We have a professional research team on full time now, and we've bought the Telus Security Labs feed (the guys that supply the entire industry with research, rules, and intel, the big brains!). This has allowed us to fill in the historical gaps in coverage of the open ET ruleset, and will assist us in keeping completely up to date with new vulnerabilities and new exploits as they happen.  http://www.emergingthreatspro.com
>> But wait, there's more!!!
>> What's the biggest security threat on your network, and every network these days? (besides your users)
>> It's malware. I don't think there's any argument there, and that's why the ET ruleset has been so useful, because we all focus on malware. You don't get the malware coverage in the existing commercial rulesets because it just moves too quickly. And all the commercial rulesets are built for an appliance the same company sells, so adding more rules day after day doesn't make the appliance they also sell look good as it slows down. So the result: we have commercial rulesets with only minimal malware coverage, so we all use the ET ruleset to augment.
>> So we're changing that, we're making THIS the one ruleset you need, not the one you add on to the others. We have the full time research team, we have the intelligence feeds, and we have enough coffee to keep the state of Washington awake for a year straight. We're on it! We've hired most of our researchers from the Emerging Threats Community (and we're still hiring, shoot me a resume if you want to play with us!). So it's the people you already know and trust. We've been doing this for 10 years now.
>> We're JUST doing rules, not hardware. This is a major difference. You now have a CHOICE in what ruleset you use just like you choose the hardware that fits your needs.
>> We're rebuilding and expanding the ET Sandnet that's been feeding us so much good intel over the years, and we're partnering with all the names you already know in the industry to share intel, samples, and more.
>> But wait, there's more!!!
>> We're publishing in many engine formats. One of the drivers to do this was to get a full coverage ruleset out there that could take advantage of the new capabilities of Suricata. It's pretty clear no one else is going to do that, so we're going to make it happen.
>> At launch we are covering Snort 2.8.4 era, 2.8-CURRENT, and Suricata. We'll have a Snort 2.4 ruleset out shortly to support those of you using an older engine. And here's the big thing.... We'll support 2.4, and all of our platforms, until no one needs it anymore! If you can't upgrade, fine. Not everyone needs to, can, or wants to upgrade. As long as people need it we'll keep putting out a 2.4.
>> The existing and future ET ruleset will also be published in these formats!
>> We'll be introducing new platforms and languages later this year as well, so keep an eye out.
>> But wait, there's more!!!!
>> Emerging Threats Pro exists because of the community, ET *is* the community, it's been my honor to be the moderator all these years. We will stay part of that community. So here's my personal commitment, and the commitment of the new company Emerging Threats Pro, to the community. Write this down, frame it, whatever. (I'm hanging it on my office wall)
>> 1. ET Pro will support the Emerging Threats open project as long as needed. Hosting, infrastructure, manpower, everything.
>> 2. The Emerging Threats Ruleset will remain FREE, BSD licensed as it always has been. That will not change unless we all agree we need to change it.
>> 3. Every rule that comes from the community will immediately go through the ET Pro QA and load testing rig, and be converted to all the platforms we support as a company, and be IMMEDIATELY distributed to the community in ALL of those formats. All rules, in all formats, QA'd and converted, IMMEDIATELY. We'll do the grunt work.
>> 4. I will turn over control of the project to a board of five community members to make the decisions, those board members will be elected. (I will stand for election as well. VOTE JONKMAN! :) )
>> We'll set up that board for ET soon and get an election going. The reason I want to do that is we've seen things go bad in many other open source projects over the years when money and company interests come before keeping the community the project came from happy. I believe I will do a good job taking care of both projects for the long term, but I'm human like everyone else. I don't think anyone that's gone through this process of building a business behind an open project and ended up alienating a community went into it intending to do so. I would regret it forever if that happened to us. So to make SURE that doesn't happen I am going to give full control of the open project to the community.
>> That means you still have a stake in the project, and you have to step up and help govern it. You have to nominate responsible board members, and these board members have to put a little work into it now and then. And if you don't like how things are going you have to speak up, offer solutions, or get yourself elected to the board and make changes. If you or the board really don't like how I and the ET Pro team are taking care of things then you may take over and manage the project. You'll have full power to do so at any time.
>> It of course worries me to give up full control of Emerging Threats. It's been my baby for many years now (8, 9?). But I have faith in this community. I KNOW we will take care of this thing we've built, and I KNOW it will last a very long time and continue to do good things. Because of that faith I think I can get over having sole control and let this thing live its own life. (Maybe this is what it'll be like when my daughters go to college...)
>> So, more details coming soon on the technical changes. Your download URL won't change if you want the 2.8.4 ruleset as it is now. I'll get the charter for this board out soon and we can get some nominations and election going.
>> Bottom line:
>> 1. ET Pro will offer a complete ruleset based on and expanding the ET open ruleset
>> 2. ET Pro will support the open project in all it needs
>> 3. You are going to have a say in how we run the open project from here out
>> 4. You have a choice where to get your rules now!
>> Comments welcome as always.
>> Matt
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emerging Threats
>> Open Information Security Foundation (OISF)
>> Phone 765-429-0398
>> Fax 312-264-0205
>> http://www.emergingthreats.net
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> PGP: http://www.jonkmans.com/mattjonkman.asc

Matthew Jonkman
Emerging Threats
Open Information Security Foundation (OISF)
Phone 765-429-0398
Fax 312-264-0205

PGP: http://www.jonkmans.com/mattjonkman.asc
