On Thu, 24 Aug 2000, John G Taylor wrote:

>       I've been following this discussion with interest.  This is because
> I am going through this process.  So these are my thoughts:
> 
>       1. IDS tools are important.  What is actually needed is a judgement
> vs. cost call.  I view them as my eyes on what is occurring on the network
> and a way to ensure that the security policy is adhered to.  An interesting
> book I am halfway through at the moment is Network Intrusion Detection, an
> Analyst's Handbook by Stephen Northcutt (I purchased this over the web at
> fatbrain.com).  I have dealt with Stephen before via another mail list and I
> feel he has no particular barrow to push.


Well, sort of. This discussion thread has taken on many different heads,
but it is more about Online Security Services and what value they serve.
Take a look at www.mycio.com or www.esecurityonline.com for example.
> 
>       2. Using external people like KPMG, Ernst & Young etc. I see
> as a way of providing an external, independent view of where the security is
> at, i.e. review of policy, vulnerabilities etc.

Why? Are they really independent views, or does one choose them because they
have a name?  Review of what?  'Who is watching the experts?'

> 
>       Both areas you can do yourself.  The external monitoring services
> are the installation of IDS software, and all they do is let you know when an
> alert is activated.

Well, sort of again. It is really about understanding what applications and
what operating systems work best in what environment, using the FCAPS model
versus profiling an organization's network.  If you really look at it, if one
profiles an organization's network, then there is an issue of change,
updates, re-architecture.  Today's information can be drastically changed
tomorrow if one decides to provide services to, let's say, a large ISP or a
large DSL provider, where availability is more key than integrity.


>       To me that is IDS.  You don't really need that external party to let
> you know.  You can hire a security administrator for that.  Most IDS
> software can be set to send an e-mail or ring you - that is the service that
> the external monitoring companies are offering.

IDS, firewalls, administration, day-to-day feeding of the admins are
pieces of a security framework; that is where the problem really is, not
in online security services, where they are just band-aiding one little
boo-boo.

> 
> 
>       John Taylor
> 
> 
> 
>       From:   Frank Knobbe <[EMAIL PROTECTED]> on 24/08/2000 11:12
>       To:     [EMAIL PROTECTED]@SMTP@Aus Exchange, Frank Knobbe
> <[EMAIL PROTECTED]>@SMTP@Aus Exchange, [EMAIL PROTECTED]@SMTP@Aus
> Exchange
>       cc:      
> 
>       Subject:        RE: Online Security Services and Continuous Risk
> Management
> 
>       > -----Original Message-----
>       > From: [EMAIL PROTECTED]
>       > [mailto:[EMAIL PROTECTED]] Sent: Wednesday, August 23,
>       > 2000 7:38 PM To: Frank Knobbe; [EMAIL PROTECTED] Subject:
>       > RE: Online Security Services and Continuous Risk Management
>       > 
>       > OK, let's then put it into your thinking.  Manufacturers:
>       > vendors who make firewalls, IDS, virus protection, etc.
>       > Installers - high end to low end consulting services that install
>       > and configure them (rack and stack).  Consulting - verify that
>       > everything looks and smells ok, the alarm trips when the door is
>       > locked type of thing. (Don't really do too much).  Monitoring
>       > companies - 24x7, if the alarm trips they call or page you.
>       >
>       > OK, so where do online security services come in?  Mind you,
>       > the category I am talking about is very ill-defined, especially
>       > when they advertise they are a one-stop security solution but they
>       > are just going after replacing the Consulting piece stated above.
> 
>       I would say they fit the Monitoring companies. Back to your question,
>       though: Are they worth it?
> 
>       I think that can be answered by comparing them to traditional
>       security monitoring companies (A*T etc). Are they worth it? Shouldn't
>       alarm bells and whistles be enough? Hardly, because by the time you
>       return from vacation your stuff is gone. Does a monitoring company
>       help? My personal opinion is no, because when they show up, my stuff
>       is gone already.
> 
>       Now reflect that onto IT security monitoring. If they monitor and send
>       me an email saying that around 2am on Sunday something strange
>       happened that appears to be a break-in, then they're worthless,
>       because I'll find that out on Monday when I review my logs (or check
>       my email etc).
>       If they show up Monday, it's too late.
> 
>       If a security monitoring company could be on site immediately to
>       catch the intruder and prevent damage, start forensics and have a) my
>       data saved from the evil hackers, and b) evidence or at least a
>       report for me on Monday, then I think they would be worth an
>       appropriate amount of money.
> 
>       Are they worth it? Only if they can prevent damage or minimize it. I
>       don't think they are worth it if they just let me know I have been
>       hacked.
> 
>       So the question becomes: What service can they offer that really helps
>       my company and its data? Just being a watchdog and barking is not
>       enough. They oughta be able to bite the intruder.
> 
>       If they are so cheap that I don't need a network admin capable of
>       reading log files, then this might be another reason to contract them
>       (saves me from setting up/getting a log analyzer/IDS system). Money
>       is the deciding factor in that case, and I doubt that the security
>       consulting companies are as cheap as A*T.
> 
>       Another question is: Does my company want to take the risk and
>       responsibility of trusting such a contractor? How do I explain to my
>       shareholders that my alarm system failed because the contractor
>       failed?
> 
>       > >The problem I see is that pretty much everyone wants to do it all,
>       > >trying to present themselves as a one-stop security shop.
>       >
>       > The one-stop solution model stopped working a while back; it
>       > is more of a partnering type of ASP, MSP type architecture these days.
>       > Not one company can do it all, and what it ends up doing is confusing
>       > CIOs, CEOs on who to go with.  The biggest result for each security
>       > dollar spent.
> 
>       Yet we still find companies that acquire instead of
>       partnering/outsourcing. I know of a press announcement due next week
>       that fits this shoe perfectly. And I think everyone has seen
>       company A's stock dip when they acquired company B to add to their
>       portfolio of service offerings because the market does not believe
>       that company B's line of business fits in company A's realm of
>       expertise.
> 
>       Sorry for drifting off topic there for a minute...
> 
>       Regards,
>       Frank
> 
> 
>       -
>       [To unsubscribe, send mail to [EMAIL PROTECTED] with
>       "unsubscribe firewalls" in the body of the message.]
> 