Firewall Wizards mailing list archives

RE: Managed Security Metrics


From: "Mike Smith" <msmith () infinity-its com>
Date: Mon, 5 Mar 2001 13:37:10 -0500

I'm still not sure this is useful to the client of a managed security
service provider.  If the service level agreement says, "provider shall
block X attacks per month," what does it mean to me if it blocks less or
more than X attacks in a given month?  A month could have fewer than X
blocked attacks because it was a quiet month for attacks in general.  Does
the provider owe me a rebate for failing to meet the target?  Is there an
incentive for the provider to surreptitiously encourage/launch blockable
attacks to boost its performance rating?

For the flip side, I'm hesitant to look for a service guarantee like
"provider shall block x% of attacks per month" or "provider shall permit no
more than X attacks to penetrate the firewall per month" because any
successful attack is unacceptable.  I can't see management signing an
agreement that says it's okay if some small number of attacks gets through
the firewall.

Anyway, I think such a requirement would be akin to proving a negative.  How
can I or the service provider be sure that an attack didn't get through?
Perhaps neither of us has detected it yet.

So I'm back to asking, what are suitable, measurable criteria for judging
the quality of my security service provider's performance?

Mike Smith

-----Original Message-----
From: R. DuFresne [mailto:dufresne () sysinfo com]
Sent: Monday, March 05, 2001 12:24 PM
To: Mike Smith
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Managed Security Metrics


On Mon, 5 Mar 2001, Mike Smith wrote:

[SNIP]


I wouldn't think there'd be any point to counting blocked attacks (as a
service metric).  I certainly want to know how many attacks got through, but
is that a metric for which I can usefully set a target (e.g., no more than 0
successful attacks per month)?


I count what's blocked, if only to give a real time idea of what kind of
BS packets are currently flying on the wire these days.  And to grab up
some good ole 'job security' <see what we are already preventing> BS for
the mgt folks.  This is the only valid reason I can come up with for
putting any IDS outside the FW.  Else, its best place is behind the rest
of the perimeter devices and it sits there to warn if something passes
those devices.  If everything is done properly, that IDS box is silent,
and we hardly know it's even there, 'cept when we trip on its cables
playing with other devices.

Thanks,

Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
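The two numbers the thread keeps circling are "what the perimeter dropped" and "what the IDS behind the perimeter saw anyway". As an added example, not code from either poster, here is a small Python script that computes both per month from constructed log lines (simplified iptables-style LOG entries with FW-DROP / FW-ACCEPT prefixes, and Snort-style "fast" alerts from an IDS placed inside the perimeter) and then correlates each inside alert with the firewall ACCEPT that admitted the same source. The log formats, host names, IP addresses and rule IDs are all made up for the illustration; adapt the regexes to the real devices' output.

```python
"""Blocked-at-perimeter count versus alerts-behind-perimeter, per month.

Added example, not code from the original thread.  Both log samples below are
constructed; the regexes match these simplified formats only.
"""
import re
from collections import defaultdict

# Constructed sample: perimeter firewall log (iptables LOG target, prefixes FW-DROP / FW-ACCEPT).
FIREWALL_LOG = """\
Mar  1 02:14:07 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4311 DPT=23
Mar  1 02:14:09 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=4312 DPT=23
Mar  3 11:02:55 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.9 PROTO=UDP SPT=53 DPT=1434
Mar 15 19:41:30 fw1 kernel: FW-ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.42 DST=198.51.100.25 PROTO=TCP SPT=40010 DPT=80
Apr  2 08:00:12 fw1 kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=5000 DPT=139
"""

# Constructed sample: IDS sitting behind the perimeter devices (Snort "fast" alert style).
IDS_LOG = """\
03/15-19:41:31.102 [**] [1:1000001:1] WEB-ATTACK /cgi-bin/ traversal attempt [**] {TCP} 203.0.113.42:40010 -> 198.51.100.25:80
"""

MONTHS = {"01": "Jan", "02": "Feb", "03": "Mar", "04": "Apr", "05": "May", "06": "Jun",
          "07": "Jul", "08": "Aug", "09": "Sep", "10": "Oct", "11": "Nov", "12": "Dec"}

FW_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+\d+ [\d:]+ \S+ kernel: FW-(?P<action>DROP|ACCEPT) "
    r".*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")
IDS_RE = re.compile(
    r"^(?P<mm>\d{2})/\d{2}-[\d:.]+ \[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dpt>\d+)")


def parse_firewall(text):
    """One dict per firewall log line: month, DROP/ACCEPT, source IP, destination port."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({"month": m["mon"], "action": m["action"],
                           "src": m["src"], "dpt": int(m["dpt"])})
    return events


def parse_ids(text):
    """One dict per IDS alert: month, signature message, source, destination, destination port."""
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if m:
            alerts.append({"month": MONTHS[m["mm"]], "msg": m["msg"], "src": m["src"],
                           "dst": m["dst"], "dpt": int(m["dpt"])})
    return alerts


def monthly_metrics(fw_events, ids_alerts):
    """Per month: packets the perimeter dropped (the noise level) and alerts raised behind it."""
    metrics = defaultdict(lambda: {"blocked": 0, "inside_alerts": 0})
    for e in fw_events:
        if e["action"] == "DROP":
            metrics[e["month"]]["blocked"] += 1
    for a in ids_alerts:
        metrics[a["month"]]["inside_alerts"] += 1
    return dict(metrics)


def passed_the_perimeter(fw_events, ids_alerts):
    """Inside alerts whose (source, destination port) matches a perimeter ACCEPT.

    This is the list of traffic the firewall waved through and the IDS behind it
    then flagged; a month with no entries here is what the silent IDS box looks like.
    """
    accepted = {(e["src"], e["dpt"]) for e in fw_events if e["action"] == "ACCEPT"}
    return [a for a in ids_alerts if (a["src"], a["dpt"]) in accepted]


if __name__ == "__main__":
    fw = parse_firewall(FIREWALL_LOG)
    ids = parse_ids(IDS_LOG)
    for month, counts in monthly_metrics(fw, ids).items():
        print(f"{month}: blocked at perimeter={counts['blocked']}, "
              f"alerts behind perimeter={counts['inside_alerts']}")
    for a in passed_the_perimeter(fw, ids):
        print(f"got through: {a['src']} -> {a['dst']}:{a['dpt']} ({a['msg']})")
```

The "blocked" column is the number that rises and falls with how noisy the Internet was that month; the correlated list from passed_the_perimeter is the one that describes the perimeter's own behaviour, and it stays empty in a month where nothing the firewall admitted tripped the inside sensor.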

