Firewall Wizards mailing list archives

Re: The value of detecting neutralized threats. (was RE: IDS bla


From: Vik Bajaj <vbajaj () sas upenn edu>
Date: Wed, 27 Jan 1999 20:19:48 -0500 (EST)


On 26-Jan-99 Dominique Brezinski wrote:

OK, here is a classic example of theory versus practicality.  I agree in
theory with John.  I personally want to know every time someone tries to do

[snip]

And one knowledgeable person to run it will cost you $100,000+ per year,
not to mention all the legal research and effort necessary to come up with
the threat response plan and policies.

It does not follow from the simple fact that a threat is known, perceived, or
detected that a response should be mounted.  If we accept that assertion,
then no IDS can ever be successful.  In fact, a persuasive argument can be made
for aggressive logging to be used as evidence, retrospectively, in the event of a
penetration, or as a form of liability risk mitigation.

In any case, I think the crux of the matter is that security involves applied
theory, subject to financial, personal, and political constraints.  Thus, a
generic consensus on what is an appropriate threshold for intrusion detection
is neither productive nor necessary.  As has been pointed out, it is even more
pointless to attempt to divide organizations across arbitrary lines (government,
military, corporate, educational), as the needs of users within large
organizations or sectors are disparate enough that a canned solution will serve
no single entity well.  Obviously, you have to know the client well enough to
generate solutions that fit his needs and budgets;  it's part of the job.

--Vik


