> I gotta jump in here to point out that a vendor is in business to
> sell you something you think you need, and a good vendor
> (read: salesperson) will spin the status quo as not good enough,
> but, "I have what you really need."
> If I were to walk into Anitian, or any other security vendor, and lay out
> my security plan as a once a month, or even once a week log review,
> along with NIDS/HIDS that notifies me daily of "suspicious" activity,
> someone's not doing their job if they tell me that that's sufficient,
> and there's nothing more I should be doing. My bet is you would describe my
> monitoring plan as inadequate, and that you have one that would
> allow me to sleep better at night.

Here's the problem, Michael: most organizations do not have unlimited security budgets. If you've ever run a business you learn very quickly that you have to make the most out of the least amount of resources.

In a perfect world, every firm would have diligent, highly-skilled security experts on staff and use only the finest secured systems available. These systems would instantaneously repair themselves and we could warp ourselves to distant civilizations going where no one has gone before.

Well, that utopia does not exist. Now, you can holler and scream and throw 93 simultaneous tantrums about what idiots people are for not using the world's best software and security measures ever created, or you can build solutions that raise the bar on security, without breaking the bank.

Furthermore, what is "adequate" security? I'll bet if you asked that question to 10,000 security consultants, you would get about 10,000 different answers. And that frustrates a lot of IT folks. They hear a security community that is constantly at war with its own inflated ego over what is "adequate" security.

The simple fact is - something is better than nothing. No, it isn't perfect, but then again nothing is.

Constant monitoring is expensive. It requires time, money, and manpower. And quite simply, many organizations simply do not have the financial resources to afford such luxuries. Therefore, they have to make do with other solutions.

Weekly or monthly analysis of logs is better than nothing. And it's a lot more than what most firms are doing right now. I've been inside the bowels of a lot of IT departments. The grand majority of them are scrambling just to keep up with the basics. Weekly analysis of logs that are fed back into some kind of project/tracking database is a significant step forward for these places. And given the vast number of issues our analysts have spotted and resolved - it's working very well.

> My point is 2-fold: there's always someone willing to convince you they have something
> better that you need, and, if you don't want to have to defend your product, don't try to push
> it on a list where most people know better.

I am HARDLY alone in championing my technologies and solutions here. I won't name names, but this list is riddled with thinly veiled sales pitches from a wide array of people.

----------------------------------------------------------
Andrew Plato, CISSP
President / Principal Consultant
Anitian Corporation

(503) 644-5656 office
(503) 201-0821 cell
http://www.anitian.com
----------------------------------------------------------

This archive was generated by hypermail 2b30 : Fri Aug 30 2002 - 09:01:10 PDT