Security Basics mailing list archives

Re: Couple of security questions


From: "Bob Beringer" <bob.beringer () usa net>
Date: Thu, 24 Aug 2006 23:12:08 -0400

Brent,

I think that you have a valid question and that the intent of your question is
a good one.  

Bruce Schneier has a formula for how many analysts should be hired for a
specific shift, but I don't think that anyone has broken down how many
analysts are needed by server.  

I believe that Bruce has stated that three analysts are required for a single
seat, for a 24x7 shop, but without the aid of a direct reference, I
mention this only to help point you in the right direction.

I think that the reason your question doesn't have a simple answer is
primarily the varying roles that different servers have, to include the number
of users, the number of structured business transactions, the number of
unstructured business transactions, and other unintended interactions that the
system might have that are not related to the intended business function at
all.  We can further look at the complexities that might exist for a server
that is part of an enterprise versus a server that is in a DMZ; you can go on
and on, but the basic gist of the matter is that if you are going to build
metrics or utilize metrics, those numbers should be specific to your
environment.

A really good way of determining how many analysts you will need is to
first determine how much monitoring you want to perform, then what type of
lag time in response is acceptable for your organization or business activity,
then what the risk / exposure factor is for the type of lag time that you want
to introduce, and ensure that they are both on par with each other.  Then you
will want to look at how many different structured / measurable business
transactions you can monitor, and verify that no standard deviation in actual
traffic exists; the more that you can prove that your server is doing what it
was supposed to be doing, the less time you will need to monitor it.  Proper
and effective development can help out a lot.

I have been working on a new approach to monitoring complex business systems
that I call "IP Based Transactional Accounting".  I have been using real-time
operational modeling to ensure that my structured business transactions are
verified in multiple ways; this technique and the math that supports it can
help to reduce analytical time on a per server and per business system basis.

The real problem comes into play when you have unstructured transactions, with
unstructured numbers of users, who will be allowed to access your systems at
will.  When these types of transactions occur, and when unstructured or complex
types of interactions are needed from a server, then you also have to look
into the number of services that communicate on a given network, the number of
packets that you expect that service to communicate with, and the number of
vulnerabilities that are out in the wild.  When the exposure factor increases,
so does the number of labor hours that you will need to invest into
analytical efforts.

Please also know that you will need to take into account the sensitivity of
the data, the experience of the analyst, how much effort was invested in
hardening the system and in hardening the processes for the systems'
interaction, and how much time was spent testing, with blue and red team
efforts, the configuration that was previously believed to be hard.  These and
more issues all factor into the amount of time that your environment will need.

I work out of the DC area and own an 8(a) firm, if you would like to sit down
and talk about some of these issues in person, I would be happy to donate time
to your cause or would be even happier to provide bleeding edge technical
solutions to meet your needs.

In closing, there was an article on metrics that was published by the folks at
CSOonline.  The article hit the streets yesterday; you might want to check out
the following link for some more details:
http://www.csoonline.com/read/080106/fea_metrics_pf.html

Another and final helpful hint for the night is based on an article from
Marcus Ranum on "artificial ignorance", which will provide some alternate
thoughts on how to reduce labor hours by effective baselining of an
environment.


Hope this helps,
Bob Beringer
240-475-6858

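An added illustration of the baselining idea the reply points to (Marcus Ranum's "artificial ignorance"); this is not code from the original post or from either poster. Ranum's original approach is a hand-maintained file of patterns for known-uninteresting log lines, fed to grep -v so that only never-before-seen lines reach a human. The version below goes one step further and derives the ignore list from a known-good window automatically: each line is reduced to a template by replacing the fields that always vary (timestamp, PID, IP address, numbers) with tokens, every template seen during the baseline window is recorded, and in operation only lines whose template is absent from the baseline are reported. The host name, IP addresses and log lines are constructed for the example.

```python
"""Artificial-ignorance style log baselining (after Marcus Ranum's idea).

Added example, not code from the original post.  Reduce each log line to a
template, learn the set of templates from a known-good window, then report
only lines whose template was never seen.  Sample log lines are constructed.
"""
import re
from collections import Counter

# Substitutions applied in order; each turns a variable field into a token.
_NORMALISERS = [
    (re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} "), ""),  # syslog timestamp
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),             # IPv4 address
    (re.compile(r"\[\d+\]"), "[<PID>]"),                               # process id
    (re.compile(r"\b[0-9a-f]{8,}\b"), "<HEX>"),                        # hex ids / hashes
    (re.compile(r"\b\d+\b"), "<N>"),                                   # any other number
]

def normalise(line: str) -> str:
    """Reduce a raw log line to its template (constant text plus placeholders)."""
    template = line.strip()
    for pattern, token in _NORMALISERS:
        template = pattern.sub(token, template)
    return template

def build_baseline(lines) -> Counter:
    """Count how often each template occurs during a known-good period."""
    return Counter(normalise(l) for l in lines if l.strip())

def novel_lines(baseline: Counter, lines):
    """Return (raw_line, template) pairs whose template is absent from the baseline."""
    return [(l.strip(), normalise(l)) for l in lines
            if l.strip() and normalise(l) not in baseline]

# Constructed sample: a quiet day on a web/ssh host, used as the baseline window.
BASELINE_LOG = """\
Aug 23 02:01:11 web1 sshd[4120]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Aug 23 02:01:12 web1 sshd[4120]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Aug 23 02:05:00 web1 CRON[4188]: (root) CMD (/usr/local/bin/rotate-logs)
Aug 23 03:05:00 web1 CRON[4301]: (root) CMD (/usr/local/bin/rotate-logs)
Aug 23 03:14:09 web1 sshd[4377]: Accepted publickey for deploy from 10.0.0.5 port 51388 ssh2
Aug 23 03:14:09 web1 sshd[4377]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

# Constructed sample: the next day, with two templates an analyst should actually read.
TODAY_LOG = """\
Aug 24 02:05:00 web1 CRON[5120]: (root) CMD (/usr/local/bin/rotate-logs)
Aug 24 02:44:51 web1 sshd[5209]: Accepted publickey for deploy from 10.0.0.5 port 50210 ssh2
Aug 24 02:44:51 web1 sshd[5209]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
Aug 24 04:17:33 web1 sshd[5388]: Failed password for root from 203.0.113.77 port 40112 ssh2
Aug 24 04:17:35 web1 sshd[5388]: Failed password for root from 203.0.113.77 port 40112 ssh2
Aug 24 04:19:02 web1 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/nc -l 4444
"""

def report(baseline_text: str = BASELINE_LOG, today_text: str = TODAY_LOG):
    """Map each never-seen template to (count, one raw example line)."""
    baseline = build_baseline(baseline_text.splitlines())
    novel = novel_lines(baseline, today_text.splitlines())
    # Collapse repeats so the analyst sees each new template once, with a count.
    seen = {}
    for raw, template in novel:
        seen.setdefault(template, [0, raw])[0] += 1
    return {t: (count, example) for t, (count, example) in seen.items()}

if __name__ == "__main__":
    for template, (count, example) in report().items():
        print(f"{count:3d}x  {template}\n      e.g. {example}")
```

Of the six lines in the second day's log, four match templates learned from the baseline and are suppressed; the failed root logins from an outside address and the sudo-launched listener are the only output. The normalisers are the part to tune per environment: a field left un-tokenised (a session id, a request path) inflates the template set and the baseline stops being "ignorant" of anything, while tokenising too aggressively (for instance the whole command after COMMAND=) would hide exactly the line worth seeing.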
------ Original Message ------
Received: Thu, 24 Aug 2006 04:40:56 PM EDT
From: brent.thompson () csd disa mil
To: security-basics () securityfocus com
Subject: Couple of security questions

Can anyone tell me if there is a metric on how many intrusion detection analysts
per number of servers?  If so, where can I find it?  Also, does anyone know
where I can obtain security metrics for success (i.e. how do you measure what
you are doing and if it is being reached)?


