North American Network Operators Group


Re: Security Intelligence [Was: Re: Netblock reassigned from Chile to US ISP...]

  • From: Sean Donelan
  • Date: Sun Dec 21 18:35:07 2008

On Sat, 20 Dec 2008, Randy Bush wrote:
unfortunately snort does not really scale to a larger provider. and, to the best of my poor knowledge, good open source tools to black-hole/redirect botted users are not generally available. universities have some that are good at campus and enterprise scale.

cymru and a few security researchers responded privately to my plea for solid open source tool sets and refs. knowing the folk involved, maybe we'll see some motion. patience is a virtue, within limits.

Pretty much the same thing I've been telling "security vendors" since 2003. In 2003 the hard problem wasn't, and still isn't, detection (IDS, AV scanners, honeypots, etc.), it's customer remediation (fixing things). Unfortunately, if all you are selling are hammers.... A security vendor's salesperson's concept of "scaling" is "more commission."

You may need to leave the network engineer's world and start talking to the customer care engineer's side of the house. It's a different set of systems, and a different set of scaling issues. How do you notify 50 million customers about an issue? Marketing people probably know how to do it better than network engineers.

1. Add flags to your customer support systems about different customer status, so when customers contact your call centers the agents can start on the best script for "known" problems.

2. Include customer status flags on your portals (details behind some level of authentication in case the account is being shared).

3. Obtain and communicate with your customers through multiple channels respecting their preferences (e.g. e-mail, alternate e-mail, postal mail, telephone). Even non-US ISPs may want to look at the US FTC "red flag" rules.

Why do I mention those things? Because I've found out (mostly the hard way) the remediation part of the process is the bottleneck. It doesn't matter how many bad things you detect, if you can only fix a limited number at a time. Detecting stuff below the remediation threshold is going to be wasted, and those resources probably would have been better used for more remediation efforts.

Yes, the bad guys may know that too. But if we got to the point where the bad guys actually worry about staying below the remediation threshold, that would be more progress than now.

Hint: if you could prove to a large ISP you could shave 60 seconds off the average customer care call by fixing security problems faster, they would probably be beating down your door begging for it.