Where We Need To Go

The goal here is not perfect security; the goal here is cost-effective security that works in the real world. Believing that risk only comes from publicly known vulnerabilities, new or old, is not living in the real world. Believing that you need perfect security is also an indication that you are not living in the real world. Believing that a human can possibly respond to alerts that a fast worm is spreading in time to mitigate the majority of the financial damage is not living in the real world. Welcome to the real world, where attacks happen in milliseconds. We need to respond in milliseconds too. There will always be cases where the calculations and analysis have to move from milliseconds and silicon to grey matter and minutes, hours, and days. But we can keep the response in bullet-time far more often than we do now.

On either time-scale, detection systems in general do not provide us with the depth of information that allows meaningful processing, whether in silicon or in grey matter. The added attributes that allow co-stimulation to take place automatically also allow it to take place in our heads. I personally would rather have a hex dump of tens of thousands of meaningful bytes than no data at all when my detection system says that something bad may be happening to my system. Though I would rather my detection system simply respond to the problem, and keep doing so until a patch for whatever entry vector is being used exists and is safe to apply to my system. Oh, and I would also rather that my detection system keep protecting me from the new vulnerability introduced by the patch, because that is the real world too.