Know your enemy, Virtual Honeynets, Yet more information

From: Benjamin Robson (ben@robson.ph)
Date: 08/20/02


Date: 20 Aug 2002 17:39:12 -0000
From: Benjamin Robson <ben@robson.ph>
To: focus-ids@securityfocus.com

I would like to pass commentary on the recently posted article, "Know
Your Enemy: Building Virtual Honeynets".

Whilst I find nothing wrong with the article, as such, I do think there
is a critical issue that the vast majority of security professionals are
missing.

If one were to be diligent enough to be seriously considering deploying a
honeynet, be it virtual or otherwise, it is a reasonable assumption that
a firewall and IDS sensor are already in place (if not multiple of them).

The critical issue now is that we have too much information. We have logs
that require analysing from the firewall(s), the IDS sensor(s) and now
the honeynet device(s).

Data is only useful if it is read and understood.

The vast majority of people who are responsible for an organisation's
information security ARE NOT security professionals, and ARE NOT full
time, dedicated, security staff. They are usually over-worked, under-appreciated
systems administrators, who struggle enough as it is getting
useful information out of flaky users, and flaky vendors. So the concept
of spending multiple hours in a day analysing information from firewalls,
IDS sensors and honeynet devices is preposterous.

I feel strongly that security professionals need to get down off their
soap-boxes (at least one foot off) and stop advocating the need to deploy
every security technique that comes along. We need to advocate
appropriate solutions, for the appropriate environment, for the
appropriate level of expertise and resourcing available.