-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 23, 2000 3:27 PM
> 
> The problem with offering incident response along with
> IDS/monitoring is credibility.  If you conveniently fail to detect
> the intrusion, or you detect it too late, and then you come stomping
> in after the fact to bill a ton of hours, how does that make you
> look?  If you guys have any good solutions to that issue, I'd love
> to hear about them.

Well, if they fail to detect the intrusion, they don't know of the
compromise anyway. If the intrusion works and they know the client
has been compromised, then that would mean the countermeasures failed
(i.e. firewall). Wouldn't look too good if they installed them
themselves.

What grinds the credibility into dust would be if they come in on a
weekly basis for forensics based on attempted intrusions. I don't
think anyone can be that good that they could detect a successful
intrusion to act on (and not a failed one) while giving the assurance
that they don't miss a successful intrusion that went by undetected.
(Does that sound too confusing? :)

So, if one cannot separate successful from unsuccessful intrusions
without having to come in and bill, then the whole concept seems
worthless.


Regards,
Frank


-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME (X.509) encrypted email preferred.

iQA/AwUBOaSZIkRKym0LjhFcEQLlgwCeJgZ1hi+oReuLTH2FT3EucNRT0m4AoKHR
0D6Ep5T6YHZQjy5Pjgs2IZnw
=JJWW
-----END PGP SIGNATURE-----
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]