Would someone please define Proactive for the industry? My goodness. If I had a dollar for every time someone ...
Who is it this week? It was an article posted by on Infoworld.com:
http://www.infoworld.com/article/05/05/09/19FEipsids_1.html
Marty Roesch, Founder of Sourcefire/Snort, and Marc Willebeek-LeMair, CTO of TippingPoint (recently acquired by 3Com), get into quite the debate on Network Intrusion Prevention Systems. Watching those two guys go at it was like watching the season finale of The Apprentice.
No one should be debating the utility of IPS, but for the love of Pete, don't call it Proactive. Brace yourself, here comes another one of those TK rants on Proactive vs. Reactive.
Please read the article and judge for yourself. I'll offer my opinion and summary:
Willebeek-LeMair says
This proactive security is unique to IPS and is a game-changing tool.
Roesch steps in and brings some sanity to the discussion with
All marketing claims notwithstanding, IPS technology is not proactive.
-
True proactive security would be able to do more than just identify the conditions under which an attack is occurring.
Willebeek-LeMair then counters with
Very accurate filters can be written based on vulnerability information, not exploit information. That is the definition of proactive protection: customers are protected before the attack (exploit) exists in time and space. These filters precede the existence of an exploit and proactively protect against any exploit targeting that vulnerability.
Why is dude talking about the authorship of filters? We are debating the context of the run-time value, not some action performed in development.
In my always humble opinion (must be my Hawaiian heritage) :-) the confusion and debate around proactive versus reactive has less to do with the technical aspects and EVERYTHING to do with the point at which the tool provides its primary value. As designers and engineers, we optimize the tool for where it can deliver its primary value (utility and usefulness). This is not to be confused with actions or functions leading up to or following that point in a logical sequence. Let us take a few examples:
- 1.a Building an effective incident response team is a proactive action.
- 1.b Successfully responding to an incident is a reactive action, but it is where the primary value is experienced.
- 2.a The installation and testing of a fire suppression system in the data center is proactive.
- 2.b Having that damn thing go off is reactive and unfortunately is where the primary value is experienced.
- 3.a Successfully deploying an effective IPS system is a proactive action and as noted by Willebeek-LeMair, authoring content that the IPS will use is a proactive action.
- 3.b Preventing an Intrusion is a reactive event and as the name IPS suggests, it is where the primary value is experienced.
Why is it about the primary value experienced by the consumer? Basic economics: the higher the value, the higher the willingness to pay. If you don't understand where your customer articulates your primary value, no amount of marketing spin will help. :-)
If your product or service's primary value proposition is independent of incident or loss, you are proactive. If the primary value is at time of incident or post-incident, you are reactive. This is not to pass judgment; it just is what it is. Please people, let's not confuse customers any more than we already have.
--Tim "TK" Keanini
Comments (1)
Great rant on the symantecs of the matter TK!
Agreed that even when IPS filters are based on vulnerabilities, not attacks, IPS is reactive (you have to wait for the hacker to notify Microsoft, who then notifies the IPS company, who then uploads signatures to their tool). It is just reactive with millisecond response time.
IDS on the other hand is reactive with minute to day to year response time.
Posted by Stiennon | August 20, 2005 12:50 PM