Security Basics mailing list archives
Re: Couple of security questions
From: "Bob Beringer" <bob.beringer () usa net>
Date: Thu, 24 Aug 2006 23:12:08 -0400
Brent, I think that you have a valid question and that the intent of your question is a good one. Bruce Schneier has a formula for how many analysts should be hired for a specific shift, but I don't think that anyone has broken down how many analysts are needed by server. I believe that Bruce has stated that three analysts are required for a single seat, for a 24x7 shop, but without the aid of a direct reference, I mention this only to help point you in the right direction. I think that the reason that your question doesn't have a simple answer to it is primarily due to the varying roles that different servers have, to include the number of users, the number of structured business transactions, the number of unstructured business transactions and other unintended interactions that the system might have that are not related to the intended business function at all. We can further look at the complexities that might exist for a server that is a part of an enterprise versus a server that is in a DMZ; you can go on and on, but the basic gist of the matter is that if you are going to build metrics or to utilize metrics, those numbers should be specific to your environment. A really good way of determining how many analysts you will need is to first determine how much monitoring you want to perform, then what type of lag time in response is acceptable for your organization or business activity, then what the risk / exposure factor is for the type of lag time that you want to introduce, and ensure that they are both on par with each other. Then you will want to look at how many different structured / measurable business transactions you can monitor and verify that no standard deviation in actual traffic exists; the more that you can prove that your server is doing what it was supposed to be doing, the less time that you will need to monitor it. Proper and effective development can help out a lot.
I have been working on a new approach to monitoring complex business systems; I call it "IP Based Transactional Accounting". I have been using real-time operational modeling to ensure that my structured business transactions are verified in multiple ways; this technique and the math that supports it can help to reduce analytical time on a per server and per business system basis. The real problem comes into play when you have unstructured transactions, with unstructured numbers of users, who will be allowed to access your systems at will. When these types of transactions occur and when unstructured or complex types of interactions are needed from a server, then you also have to look into the number of services that communicate on a given network, the number of packets that you expect for that service to communicate with and the number of vulnerabilities that are out in the wild; when the exposure factor increases, then so does the number of labor hours that you will need to invest into analytical efforts as well. Please also know that you will need to take into account the sensitivity of the data, the experience of the analyst, how much effort was invested in hardening the system, in hardening the processes for the systems' interaction, and how much time was spent testing with blue and red team efforts the configuration that was previously believed to be hard. These and more issues all factor into the amount of time that your environment will need. I work out of the DC area and own an 8(a) firm; if you would like to sit down and talk about some of these issues in person, I would be happy to donate time to your cause or would be even happier to provide bleeding edge technical solutions to meet your needs.
In closing, there was an article on Metrics that was published by the folks at CSOonline; the article hit the streets yesterday. You might want to check out the following link for some more details: http://www.csoonline.com/read/080106/fea_metrics_pf.html

Another and final helpful hint for the night is based on an article from Marcus Ranum on "artificial ignorance" that will provide some alternate thoughts on how to reduce labor hours by effective baselining of an environment.

Hope this helps,
Bob Beringer
240-475-6858

------ Original Message ------
Received: Thu, 24 Aug 2006 04:40:56 PM EDT
From: brent.thompson () csd disa mil
To: security-basics () securityfocus com
Subject: Couple of security questions

Can anyone tell me, is there a metric on how many intrusion detection analysts per number of servers? If so, where can I find it? Also, does anyone know where I can obtain security metrics for success (i.e. how do you measure what you are doing and if it is being reached)?
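The two labor-saving ideas in Bob's reply, Ranum-style "artificial ignorance" (describe what is known-normal and read only what is left) and checking that a structured business transaction stays within its historical count, as an added Python example. This is not code from the thread, from Marcus Ranum or from any named product; the log lines, the known-normal pattern list and the historical transaction counts are all constructed here for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed syslog-style sample (not from the original thread): a mix of
# routine SSH logins, cron, order-service HTTP traffic and two things an
# analyst would actually want to look at.
SAMPLE_LOG = """\
Aug 24 23:01:02 web01 sshd[4012]: Accepted publickey for deploy from 10.0.5.14 port 51022 ssh2
Aug 24 23:01:05 web01 cron[4020]: (root) CMD (run-parts /etc/cron.hourly)
Aug 24 23:02:11 web01 httpd[3999]: 10.0.7.3 - - "GET /orders/123 HTTP/1.1" 200 512
Aug 24 23:02:12 web01 httpd[3999]: 10.0.7.3 - - "POST /orders HTTP/1.1" 201 98
Aug 24 23:03:40 web01 sshd[4031]: Failed password for root from 203.0.113.9 port 40022 ssh2
Aug 24 23:03:41 web01 sshd[4031]: Failed password for root from 203.0.113.9 port 40022 ssh2
Aug 24 23:04:00 web01 httpd[3999]: 10.0.7.3 - - "GET /orders/124 HTTP/1.1" 200 510
Aug 24 23:05:17 web01 kernel: usb 1-1: new high-speed USB device number 5
"""

# The known-normal list is the whole trick: every pattern here is something
# the operator has deliberately decided is expected on this host. Anything
# that matches none of them falls through to a human. (Constructed patterns.)
KNOWN_NORMAL = [
    r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.\d+\.\d+ port \d+ ssh2$",
    r"cron\[\d+\]: \(\w+\) CMD \(run-parts /etc/cron\.\w+\)$",
    r'httpd\[\d+\]: 10\.0\.\d+\.\d+ - - "(GET|POST) /orders(/\d+)? HTTP/1\.1" (200|201) \d+$',
]

# "<timestamp> <host> <rest>"; the patterns above are matched against <rest>
# so a timestamp or hostname can never accidentally satisfy them.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")


def artificial_ignorance(log_text, known_patterns=KNOWN_NORMAL):
    """Return the log lines that match no known-normal pattern.

    Lines that do not even parse as syslog are kept too: an unparsable line
    is by definition not something the operator has described as normal.
    """
    compiled = [re.compile(p) for p in known_patterns]
    unexplained = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unexplained.append(line)
            continue
        if not any(c.search(m.group("rest")) for c in compiled):
            unexplained.append(line)
    return unexplained


def count_transactions(log_text, pattern):
    """Count the lines that carry one structured business transaction."""
    rx = re.compile(pattern)
    return sum(1 for line in log_text.splitlines() if rx.search(line))


def baseline_check(history, observed, k=3.0):
    """Compare an observed transaction count with its history.

    Returns (is_anomalous, z_score). A count more than k population standard
    deviations from the historical mean is flagged; with a flat history any
    change at all is flagged, since there is no spread to hide in.
    """
    mu = mean(history)
    sigma = pstdev(history)
    if sigma == 0:
        return (observed != mu, float("inf") if observed != mu else 0.0)
    z = (observed - mu) / sigma
    return (abs(z) > k, z)


if __name__ == "__main__":
    for line in artificial_ignorance(SAMPLE_LOG):
        print("REVIEW:", line)

    # Constructed history: order POSTs seen in the same window on prior days.
    order_history = [100, 104, 98, 101, 97, 100, 103, 99]
    todays_orders = count_transactions(SAMPLE_LOG, r'"POST /orders HTTP')
    flagged, z = baseline_check(order_history, todays_orders)
    print(f"orders={todays_orders} z={z:.1f} anomalous={flagged}")
```

The filter is deliberately strict: the pattern list says which source addresses, paths and status codes are expected, so a login from an unexpected network or a 500 from the order service is surfaced even though the program name is familiar. The baseline check is the same idea applied to volume; it is the part that lets you spend less analyst time on a server whose structured transactions you can show are behaving.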
Current thread:
- Couple of security questions brent . thompson (Aug 24)
- RE: Couple of security questions Robert D. Holtz - Lists (Aug 25)
- <Possible follow-ups>
- Re: Couple of security questions revnic (Aug 25)
- Re: Couple of security questions Bob Beringer (Aug 25)