If you tell enough stories, perhaps the moral will show up.

2008-05-01

Wasted Time

I spent some time going through the security morning checks with Internal Audit.

Report on event logs every morning, examined every morning, security incidents found in three years: none. Firewall traffic logs, examined ad hoc over four elapsed years, security incidents found: one - an Agobot infection on a bad build.

Hours wasted -- hundreds.

We're doing the wrong thing.

What's the right thing? There's too much novelty and too few admins in our network for IDS to be worthwhile. Just retain the logs but stop looking for trouble? The trick will be to do that, but keep looking responsible.
