Although it is far less common than it used to be, there are still some organizations that take an "ostrich" approach to information security. It's no surprise that I much prefer an analytical approach to information security (that is the name of this blog after all). An analytical approach involves collection and analysis, using a variety of tactics and techniques, of network traffic data for the purposes of detection, alerting, and forensics.
So what is the "ostrich" approach to information security? There are still some people who believe that they can deploy a few different alerting technologies, configure them with a bunch of different signatures, and then sit back and watch the alert queue. This tactic is a start, and in fact, it's an important part of an enterprise's overall security operations and incident response posture. Why isn't this enough? Because you're essentially looking for "known knowns". In other words, you will only be alerted to what you know to look for. You may have a great set of signatures, but they are never going to cover everything you need to be concerned about. You're essentially sticking your head in the sand regarding everything else flying across the network (hence the terminology "ostrich" approach). What's the issue with this approach? The most interesting and worrisome activity lies in the "unknown unknowns" -- things we don't yet know we need to be concerned with. There will come a time when you will need to analyze data and/or perform network forensics for something that wasn't a "known known". When this time comes, you want to be sure that you have the data and the situational awareness required to be successful. Can you then take what you've learned and incorporate it into your alerting? Absolutely, but only if you have the necessary data to allow you to draw those conclusions.
Don't be an ostrich. It will come back to bite you.
So what is the "ostrich" approach to information security? There are still some people who believe that they can deploy a few different alerting technologies, configure them with a bunch of different signatures, and then sit back and watch the alert queue. This tactic is a start, and in fact, it's an important part of an enterprise's overall security operations and incident response posture. Why isn't this enough? Because you're essentially looking for "known knowns". In other words, you will only be alerted to what you know to look for. You may have a great set of signatures, but they are never going to cover everything you need to be concerned about. You're essentially sticking your head in the sand regarding everything else flying across the network (hence the terminology "ostrich" approach). What's the issue with this approach? The most interesting and worrisome activity lies in the "unknown unknowns" -- things we don't yet know we need to be concerned with. There will come a time when you will need to analyze data and/or perform network forensics for something that wasn't a "known known". When this time comes, you want to be sure that you have the data and the situational awareness required to be successful. Can you then take what you've learned and incorporate it into your alerting? Absolutely, but only if you have the necessary data to allow you to draw those conclusions.
Don't be an ostrich. It will come back to bite you.