Re: When to do something about detected attacks (was Re: how to do...)

From: d (zenat_private)
Date: Wed Apr 15 1998 - 15:30:52 PDT

I was going to lurk, but no sooner do I sign up, someone says...

> Marcus brings up a key point that one of my coworkers who has spent a
> career building measurement systems (first for manufacturing systems and
> then for measuring network performance) is always saying:
> 
> If you don't know what you will do with data, don't collect it.
> 
> Otherwise, you are just wasting your and other people's time and
> resources.

It'd be hard to think of a reasonable sounding statement about security
that I disagree with more - "If you don't know what you will do with data,
don't collect it."  I apologize if someone has already discussed this,
but...

One of my biggest criticisms of IDSs, security scanners, and security
programs in general is that they look for security problems, rather than
gathering information and processing it with a security mindset.  The
problem, as I see it, is that people try to solve the problem by knowing
what the answer is before they start... and sure enough, they get their
answer (if fortunate), but learn zero, and the tool generally turns out
to be very limited, and worse yet, stays that way.

We're still in the dark ages here.  I've never met anyone who *understood*
security - perhaps it's my limited background, or that I don't understand
it myself, but everyone seems to have bits and pieces of the picture,
and not the whole.  And when they build things with this limited
understanding, the result seems to follow suit.

I don't *want* to have to rescan my 10K+ systems to find out which hosts
are running a vulnerable service if I get the latest CERT advisory listing
the bug du jour.  I don't want to have to say "well, geez, I guess we'll
never know" because we threw away 99% of the "useless" logs 'n' data and
now, when we figure out that we have an intrusion & want to know how long
they've been on our nets, we want it back.

Heck, most of the time when I learn something it's when I don't have a
clue, grab everything, point some tool I steal or put together at it,
and say wow!  Or when I go back and look at something that I thought
was worthless before, that I saved for some odd reason, and then the light
over my head turns on...

Yes, I'd rather throw everything except what I need away.  I don't want
to have to deal with all the stuff.  And certainly there are tons of issues
with keeping *everything* - sheer processing power to grab & manipulate the
data, storage space, time limitations, etc.  (Oh, how I wish I could
*really* monitor my FDDI ring!)  But by all means, keep every last scrap
of data that you can - buy new disks, tape drives, cd burners, whatever -
and don't throw away a single byte (because you can bet that byte is the
one that holds the answer to the universe & everything as soon as you throw
it away (yes, 42 does fit into one byte ;-))) until we finally understand
security and have the tools to give us the answers we *really* want.
And I'm not holding my breath on that one.

dan
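The two scenarios the post argues for (answering a new advisory from retained scan data instead of rescanning, and dating an intrusion from retained logs) as an added, runnable illustration. This is not code from the post or the list; the hostnames, service names, versions, log lines and indicator are constructed sample data, and the record layout is an assumption chosen for the example.

```python
"""
Added example: retrospective queries over *retained* inventory and logs.

Scenario 1: an advisory names a vulnerable service/version range; query the
retained scan results for affected hosts rather than rescanning everything.
Scenario 2: an intrusion is discovered; query retained logs for the earliest
appearance of an indicator to estimate dwell time ("how long they've been on
our nets").

All records here are constructed sample data (hostnames, "exampled" service,
version strings, 192.0.2.77 from the documentation range). Layout is an
assumption for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ServiceRecord:
    scanned: date   # date of the scan that produced this observation
    host: str
    service: str
    version: str


@dataclass(frozen=True)
class LogRecord:
    when: date
    host: str
    line: str


# Constructed inventory: results of two past scans, kept rather than discarded.
INVENTORY: List[ServiceRecord] = [
    ServiceRecord(date(1998, 3, 1), "hostA", "exampled", "1.9"),
    ServiceRecord(date(1998, 3, 1), "hostB", "exampled", "2.3"),
    ServiceRecord(date(1998, 3, 1), "hostC", "otherd",   "8.8"),
    ServiceRecord(date(1998, 4, 1), "hostA", "exampled", "2.3"),  # upgraded
    ServiceRecord(date(1998, 4, 1), "hostB", "exampled", "2.3"),
    ServiceRecord(date(1998, 4, 1), "hostD", "exampled", "1.9"),  # new host
]

# Constructed retained logs from several hosts.
LOGS: List[LogRecord] = [
    LogRecord(date(1998, 2, 10), "hostB", "login: user bob from 10.0.0.5"),
    LogRecord(date(1998, 2, 14), "hostB", "login: user bob from 192.0.2.77"),
    LogRecord(date(1998, 3, 2),  "hostA", "login: user bob from 192.0.2.77"),
    LogRecord(date(1998, 4, 12), "hostA", "login: user root from 192.0.2.77"),
]


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare dotted versions numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


def latest_inventory(records: Iterable[ServiceRecord]) -> List[ServiceRecord]:
    """Reduce retained scans to the most recent observation per (host, service)."""
    latest: Dict[Tuple[str, str], ServiceRecord] = {}
    for r in records:
        key = (r.host, r.service)
        if key not in latest or r.scanned > latest[key].scanned:
            latest[key] = r
    return list(latest.values())


def hosts_affected(records: Iterable[ServiceRecord], service: str,
                   vulnerable: Callable[[str], bool]) -> List[str]:
    """Hosts whose latest retained scan shows `service` at a version for
    which vulnerable(version) is True. No new scan is needed."""
    return sorted(r.host for r in latest_inventory(records)
                  if r.service == service and vulnerable(r.version))


def first_seen(logs: Iterable[LogRecord], indicator: str) -> Optional[Tuple[date, str]]:
    """Earliest (date, host) at which `indicator` appears in retained logs."""
    hits = [(l.when, l.host) for l in logs if indicator in l.line]
    return min(hits) if hits else None


def dwell_days(logs: Iterable[LogRecord], indicator: str, discovered: date) -> Optional[int]:
    """Days between the indicator's first retained appearance and discovery.
    Returns None when the logs were discarded or never contained it."""
    fs = first_seen(logs, indicator)
    return None if fs is None else (discovered - fs[0]).days


if __name__ == "__main__":
    # Advisory says exampled < 2.3 is affected; answer from retained scans.
    print(hosts_affected(INVENTORY, "exampled", lambda v: version_tuple(v) < (2, 3)))
    # Intrusion found on 1998-04-15 from 192.0.2.77; how far back does it go?
    print(first_seen(LOGS, "192.0.2.77"), dwell_days(LOGS, "192.0.2.77", date(1998, 4, 15)))
```

The reduction to the latest observation per host matters: hostA appears with the affected version in the March scan but was upgraded by April, so it is correctly excluded, while hostD, which only appeared in the April scan, is found without a fresh sweep. The dwell-time query returns None when no retained line contains the indicator, which is the "well, geez, I guess we'll never know" outcome the post describes.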
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:54:54 PDT