Re: When to do something about detected attacks (was Re: how to do...)

[zen () trouble org (d)]

> > One of my biggest criticisms of IDS's, security scanners, and security
> > programs in general is that they look for security problems, rather than
> > gathering information and process it with a security mindset.  The
> I think this is a poor generalization.

Well, I don't ;-)

> Security scanners don't necessarily
> "look for holes instead of valuable configuration information"; they tend
> to look for both.

I'm never mentioned configuration information, so I don't know who you're
quoting here.  I'm talking about *any* information.  And I said in my 
experience; I'm not trying to map this assumption onto all things.

> The problem here is that you can't always (or even
> usually) analyze general configuration information and accurately obtain a
> picture of which vulnerabilities are present. 

Exactly my point.  The data should be kept, however, so that if you ever
*do* get the analysis down, that you don't have to go back (if it's even
possible) and regather the stuff.

> You can collect "general" information such as the network topology,
> operating systems of all the machines, and the services they run, and
> "process it from a security mindset" to say "suchandsuch a machine is
> probably vulnerable to this problem". The information you obtain from this
> type of analysis is probably going to be inaccurate.

Of course; we have a long way to go before we get anything that remotely
gives us what we'll want, either now or later.

> A valid criticism (and this may be the criticism you are making) against
> these types of systems is that they don't do enough analysis of the
> information they obtain and don't report the general information (rather
> than the specific low-level vulnerabilities) well enough. This is
> different from the question of whether the information is collected at
> all, though.

That wasn't my criticism, or point, at all.

dan