-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Tina Bird writes:

>I mean they give me all these
>sophisticated architectures for building custom alerts based on what I care
>about, and very little in the way of tools that help me quickly identify
>things which are "odd." Well, hell. That's not a sufficient improvement
>over the open source tools to make them worth the money...maybe it will be
>soon...

Well, part of this is obviously the heavily-entrenched `signature' mentality which characterises the (vast) majority of system monitoring/log analysis/intrusion detection/antivirus/spam handling products today. Let us imagine that I have just ranted for several paragraphs about this.

Pause for thought: how many monitoring widgets (system monitors, log monitors, IDSes, or whatever) allow you to enunciate a risk analysis or threat model in their configuration?

My contention: if you can't enunciate such a thing, then the concept of `anomaly' is almost certainly poorly defined.

How many organisations have (or are capable of producing) a threat model or a risk analysis? How many organisations are out there that don't even have a formal security/usage policy at all?

My point: either you tell a widget what is Known Bad (with the assumption that everything else is Good---or at least Acceptable) or you tell a widget what is Known Good (with the assumption that everything else is Bad). In the former case, you can rely on a savvy third party to maintain a laundry list of les exploites du jour. In the latter case, you have to either be able to enunciate a list of Known Good behaviours yourself, or you're expecting the vendor-supplied widget to accomplish an act of either psychic or theological significance.
- -spb
-----BEGIN PGP SIGNED MESSAGE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (OpenBSD)

iD8DBQFBJamEG3kIaxeRZl8RAvLkAKCkAIkfDL7iVu7d4FWhURASs4VoMgCgj/j5
qJsfU4eSHJ7xL+tgz4lGh5g=
=SpYN
-----END PGP SIGNATURE-----
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
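The Known-Bad versus Known-Good distinction in the post above, shown as a small log classifier. This is an added example and not code from the original message or from any product it refers to; the log lines, the signature list and the site policy patterns are all constructed for illustration. The Known-Bad list is the kind of thing a third party can ship; the Known-Good list is the operator's own enunciated policy, which is exactly the part a vendor cannot supply.

```python
"""Two ways to decide what a log line means: a Known-Bad (signature) list
versus a Known-Good (allowlist) policy.  Added example, not from the
original post; every log line and pattern below is constructed."""
import re

# Constructed sshd / sudo / cron style lines; not from any real host.
SAMPLE_LOG = [
    "sshd[101]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2",
    "sshd[102]: Failed password for root from 203.0.113.9 port 40022 ssh2",
    "sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "sshd[103]: Accepted password for backup from 10.0.0.7 port 52000 ssh2",
    "cron[200]: (root) CMD (/usr/local/bin/rotate-logs)",
    "sudo: bob : TTY=pts/1 ; COMMAND=/usr/bin/tcpdump -i eth0",
]

# Known-Bad: a vendor-style signature list (constructed).  Anything that
# matches nothing here is silently treated as acceptable.
KNOWN_BAD = [
    re.compile(r"Failed password for root"),
]

# Known-Good: the operator's enunciated policy (constructed).  Anything
# that matches nothing here is flagged as odd.  Only the site can write it:
# key-based ssh from the internal range, alice restarting services, the
# scheduled log rotation.
KNOWN_GOOD = [
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+ "),
    re.compile(r"sudo: alice : .*COMMAND=/usr/bin/systemctl "),
    re.compile(r"cron\[\d+\]: \(root\) CMD \(/usr/local/bin/rotate-logs\)"),
]


def known_bad_alerts(lines, signatures=KNOWN_BAD):
    """Signature mode: alert only on lines matching a Known-Bad pattern."""
    return [line for line in lines if any(s.search(line) for s in signatures)]


def known_good_alerts(lines, policy=KNOWN_GOOD):
    """Allowlist mode: alert on every line the policy does not permit."""
    return [line for line in lines if not any(p.search(line) for p in policy)]


def compare(lines):
    """Show what each mentality surfaces, and what only the policy catches."""
    bad = set(known_bad_alerts(lines))
    odd = set(known_good_alerts(lines))
    return {
        "signature_hits": sorted(bad),
        "policy_anomalies": sorted(odd),
        # Lines the signature list never mentions but the policy refuses.
        "missed_by_signatures": sorted(odd - bad),
        # Lines a signature fires on but the policy permits; a non-empty
        # list here means the policy is too permissive.
        "unexplained_by_policy": sorted(bad - odd),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(compare(SAMPLE_LOG), indent=2))
```

Run against the constructed lines, the signature list fires only on the root password failure, while the policy additionally surfaces the password-based (not key-based) login for "backup" and bob running tcpdump under sudo; neither of those is on any exploit list, which is the point of the post. The cost is visible too: every legitimate behaviour has to be written into KNOWN_GOOD, or it shows up as an anomaly.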
This archive was generated by hypermail 2.1.3 : Fri Aug 20 2004 - 01:05:53 PDT