Re: When to do something about detected attacks (was Re: how to do...)

[sedayao () orpheus sc intel com (Jeff Sedayao)]

> I was going to lurk, but no sooner do I sign up, someone says...
 
> > Marcus brings up a key point that one of my coworkers who has spent a
> > career building measurement systems (first for manufacturing systems and
> > then for measuring network performance) is always saying:

> > If you don't know what you will do with data, don't collect it.

> > Otherwise, you are just wasting your and other people's time and
> > resources.
 
> It'd be hard to think of a reasonable sounding statement about security
> that I disagree with more - "If you don't know what you will do with data,
> don't collect it."  I apologize if someone has already discussed this,
> but...
 
> One of my biggest criticisms of IDS's, security scanners, and security
> programs in general is that they look for security problems, rather than
> gathering information and process it with a security mindset.  The
> problem, as I see it, is that people try to solve the problem by knowing
> what the answer is before they start... and sure enough, they get their
> answer (if fortunate), but learn zero, and the tool generally turns out 
> to be very limited, and worse yet, stays that way.
 
> We're still in the dark ages here.  I've never met anyone who *understood* 
> security - perhaps it's my limited background, or that I don't understand 
> it myself, but everyone seems to have bits and pieces of the picture, 
> and not the whole.  And when they build things with this limited 
> understanding, the result seems to follow suit.
 
What you seem to be saying is keep lots of data around for forensics and
later analysis or data mining.  That seems pretty reasonable to me, if you 
intend to do forensics or do more analysis.  I can't imagine, though, that 
every business hooked up to the Internet, from big to little, really has 
time, skill, or the inclination to do that.  It's argueably a shame that 
that is true, but it's reality.

> I don't *want* to have to rescan my 10K+ systems to find out which hosts
> are running a vulnerable service if I get the latest cert advisory listing
> the bug de jour.  I don't want to have to say "well, geez, I guess we'll 
> never know" because we threw away 99% of the "useless" logs 'n' data and 
> now, when we figure out that we have an intrusion & want to know how long 
> they've been on our nets, we want it back.
 
Auditting and forensic information are always good to keep around, if
you intend to do later auditting and investigation of security breeches.
I don't see, though, how an IDS that tells you that www.microsoft.com
tried to bonk you (and failed) will help you determine which one of your
10K systems are running a vulnerable service.  

> Heck, most of the time when I learn something it's when I don't have a
> clue, grab everything, point some tool I steal or put together at it,
> and say wow!  Or when I go back and look at something that I thought 
> was worthless before, that I saved for some odd reason, and then the light 
> over my head turns on...
 
> Yes, I'd rather throw everything except what I need away.  I don't want
> to have to deal with all the stuff.  And certainly there are tons of issues
> with keeping *everything* - sheer processing power to grab & manipulate the 
> data, storage space, time limitations, etc.  

That's really my issue here.  Not every one does security research at
your level.  If they don't, can they really afford to keep lots of
records around?  But if you do that kind of research or want to keep
forensic information available, then do so.  In that case, you really do
know what you will do with your data and then you'll do something with it
later.  But if you don't, and you have other tradeoffs to make, then
don't keep around data you don't know what to do with.

> (Oh, how I wish I could 
> *really* monitor my fddi ring!)  But by all means, keep every last scrap 
> of data that you can - buy new disks, tape drives, cd burners, whatever - 
> and don't throw away a single byte (because you can bet that byte is the 
> one that holds the answer to the unverse & everything as soon as you throw 
> it away (yes, 42 does fit into one byte ;-))) until we finally understand 
> security and have the tools to give us the answers we *really* want.
> And I'm not holding my breath on that one.

> dan 
-- 
Jeff Sedayao
Intel Corporation
sedayao () orpheus sc intel com