Tuesday, January 10, 2012

And Then What?

I am at FloCon this week and enjoying the conference tremendously. I always enjoy FloCon, as it's a unique opportunity to catch up with peers in the community. It's also a great place to learn about the different techniques and methods people are using to analyze network security data.

There was a presentation this morning from US-CERT that discussed some interesting analytical work US-CERT is currently doing. The presentation described some of the architecture, systems, processes, and procedures US-CERT uses to analyze various types of data. The presentation was interesting, but it made me ask the question, "and then what?" All that analysis is great, but at the end of the day practitioners (like me) need actionable intelligence and information that we can use to defend the networks we are responsible for. Unfortunately, we're not getting much in the way of actionable information and intelligence from US-CERT. For our national CERT, this is disappointing.

My intention here is not to pick on or harass the analysts who work hard in service of our nation day in and day out. Rather, I'm hoping that the leadership in our government, and particularly the leadership within DHS, will get a clue sometime soon. If I had a minute with that leadership, I would ask them why they can't find some way to cut through the bureaucratic red tape and share information with a nation (and a world) so desperate for it. After all, the security of our nation's most critical infrastructure depends on it, right?

Analysis is great, but I am reminded this morning that analysis is not for analysis' sake. Analysis should serve some productive end, namely producing actionable information and intelligence for those who so desperately need it. Come on DHS -- get with the program.

