RE: Intrusion Detection and Secuirty Policy

[Russ <Russ.Cooper () rc on ca>]

The idea of AI-based "thought-ware" for policy generation, to paraphrase
Bill Royds' thoughts, is certainly an interesting idea. SHL/Systemhouse
are not alone, but do have a package called Transform that addresses
this fairly completely (amongst every other aspect of IS development).

Problem is, its also damn expensive, selling IP usually is.

Policy generation deals with all those intangible Intellectual Property
rightsy things that are, virtually, the sole commodity a consultant has
to sell.

Getting vendors to make it easier to define "what's right", in some
rule-based kinda way, would certainly make a lot of the Policy
generation details a lot easier (and doesn't cut in on what we
consultants sell either...;-]).

I think the aspects of policy generation that take the largest effort
are things like "what do you do when..." or "can we fire him/her
after..." or "should this even be connected to the network..."

AI isn't going to make those decisions any easier, and I don't really
think I would trust it to tell me whether or not a "risk" is one I
should or shouldn't take.

If all it did was outline what a policy should include, well, that's
probably already around in abundance anyway.

Now a "learning" policy generator, now there's an idea. It learns policy
based on what I don't slap it for (i.e. if someone gets away with
something enough times then it must be acceptable policy...;-]). I use
it to enforce my policy violations and it learns that what it saw was a
no-no, it happens again, it pops up an alert (i.e. "someone else just
did that no-no thing over there Boss...").

That would seem to have some legs?? Thoughts??

Cheers,
Russ Cooper
R.C. Consulting, Inc. - NT/Internet Security
Moderator of the NTBugtraq mailing list
http://www.ntbugtraq.com