Firewall Wizards mailing list archives
Re: When to do something about detected attacks (was Re: how to do...)
From: sedayao () orpheus sc intel com (Jeff Sedayao)
Date: Mon, 20 Apr 1998 18:03:04 -0700 (PDT)
I was going to lurk, but no sooner do I sign up, someone says...
> > Marcus brings up a key point that one of my coworkers who has spent a career building measurement systems (first for manufacturing systems and then for measuring network performance) is always saying:
> > If you don't know what you will do with data, don't collect it.
> > Otherwise, you are just wasting your and other people's time and resources.

> It'd be hard to think of a reasonable sounding statement about security that I disagree with more - "If you don't know what you will do with data, don't collect it." I apologize if someone has already discussed this, but...

> One of my biggest criticisms of IDSs, security scanners, and security programs in general is that they look for security problems, rather than gathering information and processing it with a security mindset. The problem, as I see it, is that people try to solve the problem by knowing what the answer is before they start... and sure enough, they get their answer (if fortunate), but learn zero, and the tool generally turns out to be very limited, and worse yet, stays that way.

> We're still in the dark ages here. I've never met anyone who *understood* security - perhaps it's my limited background, or that I don't understand it myself, but everyone seems to have bits and pieces of the picture, and not the whole. And when they build things with this limited understanding, the result seems to follow suit.

What you seem to be saying is keep lots of data around for forensics and later analysis or data mining. That seems pretty reasonable to me, if you intend to do forensics or do more analysis. I can't imagine, though, that every business hooked up to the Internet, from big to little, really has the time, skill, or inclination to do that. It's arguably a shame that that is true, but it's reality.

> I don't *want* to have to rescan my 10K+ systems to find out which hosts are running a vulnerable service if I get the latest CERT advisory listing the bug du jour. I don't want to have to say "well, geez, I guess we'll never know" because we threw away 99% of the "useless" logs 'n' data and now, when we figure out that we have an intrusion & want to know how long they've been on our nets, we want it back.

Auditing and forensic information are always good to keep around, if you intend to do later auditing and investigation of security breaches. I don't see, though, how an IDS that tells you that www.microsoft.com tried to bonk you (and failed) will help you determine which one of your 10K systems is running a vulnerable service.

> Heck, most of the time when I learn something it's when I don't have a clue, grab everything, point some tool I steal or put together at it, and say wow! Or when I go back and look at something that I thought was worthless before, that I saved for some odd reason, and then the light over my head turns on...

> Yes, I'd rather throw everything except what I need away. I don't want to have to deal with all the stuff. And certainly there are tons of issues with keeping *everything* - sheer processing power to grab & manipulate the data, storage space, time limitations, etc.

That's really my issue here. Not everyone does security research at your level. If they don't, can they really afford to keep lots of records around? But if you do that kind of research or want to keep forensic information available, then do so. In that case, you really do know what you will do with your data and then you'll do something with it later. But if you don't, and you have other tradeoffs to make, then don't keep around data you don't know what to do with.

> (Oh, how I wish I could *really* monitor my FDDI ring!) But by all means, keep every last scrap of data that you can - buy new disks, tape drives, CD burners, whatever - and don't throw away a single byte (because you can bet that byte is the one that holds the answer to the universe & everything as soon as you throw it away (yes, 42 does fit into one byte ;-))) until we finally understand security and have the tools to give us the answers we *really* want. And I'm not holding my breath on that one.

> dan

--
Jeff Sedayao
Intel Corporation
sedayao () orpheus sc intel com
Current thread:
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing) (Apr 15)
- Re: When to do something about detected attacks (was Re: how to do...) Aleph One (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) tqbf (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) Jeff Sedayao (Apr 20)
- <Possible follow-ups>
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 16)
- Re: When to do something about detected attacks (was Re: how to do...) d (Apr 22)
- Re: When to do something about detected attacks (was Re: how to do...) Sheila Or Bob (depends on who is writing) (Apr 15)