Re: When to do something about detected attacks (was Re: how to do...)

[zen () trouble org (d)]

I was going to lurk, but no sooner do I sign up, someone says...

> Marcus brings up a key point that one of my coworkers who has spent a
> career building measurement systems (first for manufacturing systems and
> then for measuring network performance) is always saying:
>
> If you don't know what you will do with data, don't collect it.
>
> Otherwise, you are just wasting your and other people's time and
> resources.

It'd be hard to think of a reasonable sounding statement about security
that I disagree with more - "If you don't know what you will do with data,
don't collect it."  I apologize if someone has already discussed this,
but...

One of my biggest criticisms of IDS's, security scanners, and security
programs in general is that they look for security problems, rather than
gathering information and process it with a security mindset.  The
problem, as I see it, is that people try to solve the problem by knowing
what the answer is before they start... and sure enough, they get their
answer (if fortunate), but learn zero, and the tool generally turns out 
to be very limited, and worse yet, stays that way.

We're still in the dark ages here.  I've never met anyone who *understood* 
security - perhaps it's my limited background, or that I don't understand 
it myself, but everyone seems to have bits and pieces of the picture, 
and not the whole.  And when they build things with this limited 
understanding, the result seems to follow suit.

I don't *want* to have to rescan my 10K+ systems to find out which hosts
are running a vulnerable service if I get the latest cert advisory listing
the bug de jour.  I don't want to have to say "well, geez, I guess we'll 
never know" because we threw away 99% of the "useless" logs 'n' data and 
now, when we figure out that we have an intrusion & want to know how long 
they've been on our nets, we want it back.

Heck, most of the time when I learn something it's when I don't have a
clue, grab everything, point some tool I steal or put together at it,
and say wow!  Or when I go back and look at something that I thought 
was worthless before, that I saved for some odd reason, and then the light 
over my head turns on...

Yes, I'd rather throw everything except what I need away.  I don't want
to have to deal with all the stuff.  And certainly there are tons of issues
with keeping *everything* - sheer processing power to grab & manipulate the 
data, storage space, time limitations, etc.  (Oh, how I wish I could 
*really* monitor my fddi ring!)  But by all means, keep every last scrap 
of data that you can - buy new disks, tape drives, cd burners, whatever - 
and don't throw away a single byte (because you can bet that byte is the 
one that holds the answer to the unverse & everything as soon as you throw 
it away (yes, 42 does fit into one byte ;-))) until we finally understand 
security and have the tools to give us the answers we *really* want.
And I'm not holding my breath on that one.

dan