<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/'><id>tag:blogger.com,1999:blog-4482521283458453577.post2316366322784651713..comments</id><updated>2009-01-29T21:20:02.709-08:00</updated><title type='text'>Comments on Black Fist Security: Book Review: The New School of Information Securit...</title><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.blackfistsecurity.com/feeds/2316366322784651713/comments/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/2316366322784651713/comments/default'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2008/08/book-review-new-school-of-information.html'/><author><name>Black Fist</name><uri>http://www.blogger.com/profile/10140419541264972382</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>1</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-4482521283458453577.post-8888999467327061829</id><published>2009-01-29T20:14:00.000-08:00</published><updated>2009-01-29T20:14:00.000-08:00</updated><title type='text'>I haven't read it, but I think I will (or maybe I ...</title><content type='html'>I haven't read it, but I think I will (or maybe I will wait for the pamphlet).&lt;BR/&gt;&lt;BR/&gt;I have a hard time explaining to management why results aren't instantaneous, and with no cost (they don't think that about anything else), or explaining why real costs of security solutions are often several x the invoice costs (when you include policy development, user education, systems admin education, etc).&lt;BR/&gt;&lt;BR/&gt;But the thing 
that you mention that I don't see often is security people who are business people as well as computer scientists. Part of the reason that I had to do some of that is because I am an old fart. But today, we have some sensitive logging going up to a security server. The logging has views associated with it. The CISSP in charge wrote a note that all views would be under change control. I log to the server as well, and I have special investigative views that change with the investigation. I suggested that he was right in putting production views into the logs of data coming from hundreds or thousands of machines under configuration management, but investigations are one-offs, and the documentation would begin to outweigh the utility. He said that change control reduces risk. Defense in depth, with no context. Then he suggested that I use a standalone analysis utility that is not as powerful if I didn't want to comply with change control. That didn't make sense for when I was logging for virtual machines.
I encounter this frequently, usually with CISSPs that have about 20 years less experience than I do.&lt;BR/&gt;&lt;BR/&gt;Hopefully the New School will help people to see the big picture again.</content><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/2316366322784651713/comments/default/8888999467327061829'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/4482521283458453577/2316366322784651713/comments/default/8888999467327061829'/><link rel='alternate' type='text/html' href='http://www.blackfistsecurity.com/2008/08/book-review-new-school-of-information.html?showComment=1233288840000#c8888999467327061829' title=''/><author><name>JimMoore</name><uri>http://www.blogger.com/profile/11874453567335795148</uri><email>noreply@blogger.com</email></author><thr:in-reply-to xmlns:thr='http://purl.org/syndication/thread/1.0' href='http://www.blackfistsecurity.com/2008/08/book-review-new-school-of-information.html' ref='tag:blogger.com,1999:blog-4482521283458453577.post-2316366322784651713' source='http://www.blogger.com/feeds/4482521283458453577/posts/default/2316366322784651713' type='text/html'/></entry></feed>