On Wed, 23 Aug 2000 [EMAIL PROTECTED] wrote:

> The problem with offering incident response along with IDS/monitoring is
> credibility.

Actually this issue is actually bigger than that. What is really an intrusion? After some normalization studies based on the activity of a certain organization, the following anomalies were observed or detected. But it takes a while to get to that point. IDS systems/monitoring services need quite a bit of tuning before they are truly effective for a particular organization. So the first couple of bells that go off are really and most likely false positives or would-be intruders rattling the cage. Similar to heavy-handed IDS testing: one huffs, one puffs and eventually the IDS will fall over, but at what stress point?

Same thing with monitoring services: one good syn_flood or massive OC-3 outage on the Internet, and a monitoring service is temporarily blinded. Oops. How do you account for the outage? The monitoring service then pulls the SLA agreement with their favorite large ISP and bills them for the monitoring loss. Well, hope everyone has their SLAs in place with the big pipe players (pray it is not with the ISP that provides Internet traffic for 1/6 of the Internet).. :)

It is more than just a small question, it is a giant question with a lot of small answers and reasons why things won't scale the way some Online Security Services think they should scale.. :)

> If you conveniently fail to detect the intrusion, or you
> detect it too late, and then you come stomping in after the fact to bill
> a ton of hours, how does that make you look? If you guys have any good
> solutions to that issue, I'd love to hear about them.
>
> -gabe

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
