On Sat, 20 Dec 2008, Randy Bush wrote:
unfortunately snort does not really scale to a larger provider. and, to the
best of my poor knowledge, good open source tools to black-hole/redirect
botted users are not generally available. universities have some that are
good at campus and enterprise scale.
cymru and a few security researchers responded privately to my plea for solid
open source tool sets and refs. knowing the folk involved, maybe we'll see
some motion. patience is a virtue, within limits.
Pretty much the same thing I've been telling "security vendors" since
2003. In 2003 the hard problem wasn't, and still isn't, detection (IDS,
AV scanners, honeypots, etc.); it's customer remediation (fixing things).
Unfortunately, if all you are selling are hammers.... A security vendor's
salesperson's concept of "scaling" is "more commission."
You may need to leave the network engineer's world and start talking to
the customer care engineer's side of the house. It's a different set of
systems, and a different set of scaling issues. How do you notify 50
million customers about an issue? Marketing people probably know how to
do it better than network engineers.
1. Add flags to your customer support systems about different customer
status, so when customers contact your call centers the agents can start
on the best script for "known" problems.
2. Include customer status flags on your portals (details behind some
level of authentication in case the account is being shared).
3. Obtain contact details for, and communicate with, your customers
through multiple channels, respecting their preferences (e.g. e-mail,
alternate e-mail, postal mail, telephone). Even non-US ISPs may want to
look at the US FTC "red flag" rules.
Why do I mention those things? Because I've found out (mostly the hard
way) that the remediation part of the process is the bottleneck. It doesn't
matter how many bad things you detect if you can only fix a limited
number at a time. Detecting stuff below the remediation threshold is
going to be wasted, and those resources probably would have been better
used for more remediation efforts.
Yes, the bad guys may know that too. But if we got to the point where the
bad guys actually worry about staying below the remediation threshold,
that would be more progress than now.
Hint: if you could prove to a large ISP that you could shave 60 seconds off
the average customer care call by fixing security problems faster, they
would probably be beating down your door begging for it.