Hiding Behind the Firewall


OK, someone asked me about the TARs... My basic problem with security right now is that we sit waiting for attacks, hiding behind a firewall. We have to use the internet and each other as the watchtowers, giving us a greater view of what is happening. That is what the TARs are all about. If we see reports from 10 universities all showing an attack on web servers, maybe we will be next. Maybe it will give us the heads-up we need to spot the attack and capture what it is doing. Feeding our capture back in... This is a tactical picture in action.
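The "10 universities" idea above can be sketched as a small correlation check. This is an added example, not code from the original post: the report layout (site, time, service), the site names and the thresholds are all assumptions, and the sample reports are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample reports (not real data). Assumed layout:
# (reporting site, time the attack was seen, service under attack)
REPORTS = [
    ("uni-a.example", "2010-03-01T08:00", "http"),
    ("uni-a.example", "2010-03-01T08:05", "http"),   # same site repeating itself
    ("uni-b.example", "2010-03-01T11:30", "http"),
    ("uni-c.example", "2010-03-01T19:45", "http"),
    ("uni-d.example", "2010-03-01T09:00", "ssh"),    # one noisy site only
    ("uni-d.example", "2010-03-01T09:01", "ssh"),
    ("uni-d.example", "2010-03-01T09:02", "ssh"),
    ("uni-a.example", "2010-03-01T10:00", "smtp"),   # widespread, but a service
    ("uni-b.example", "2010-03-01T10:10", "smtp"),   # we may not run ourselves
    ("uni-c.example", "2010-03-01T10:20", "smtp"),
    ("uni-a.example", "2010-02-20T10:00", "dns"),    # three sites, but spread
    ("uni-b.example", "2010-02-24T10:00", "dns"),    # over many days
    ("uni-c.example", "2010-03-01T10:00", "dns"),
]

def early_warnings(reports, our_services, min_sites=3, window_hours=24):
    """Return {service: [sites]} for services we run that at least
    `min_sites` distinct sites reported within one time window."""
    window = timedelta(hours=window_hours)
    by_service = defaultdict(list)
    for site, seen, service in reports:
        if service in our_services:          # ignore what we do not expose
            by_service[service].append((datetime.fromisoformat(seen), site))

    warnings = {}
    for service, events in by_service.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            # Count distinct reporters, so one noisy site cannot trigger alone.
            sites = {site for _, site in events[start:end + 1]}
            if len(sites) >= min_sites and len(sites) > len(warnings.get(service, ())):
                warnings[service] = sorted(sites)
    return warnings

if __name__ == "__main__":
    print(early_warnings(REPORTS, our_services={"http", "ssh", "dns"}))
```

Thirteen raw reports collapse into a single warning for the one service that several independent sites saw attacked in the same day, which is the heads-up worth acting on.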

At present there is little global correlation. (Cisco has added an interesting feature to their IPS, global correlation.) I'm keeping my eye on it; they usually do great things.

Modern-day attacks are global. Patterns constantly change. Automated responses are not adequate; they provide way too much information... the fire hydrant and the teacup problem.

I think rather than keep adding to the defenses and sitting waiting for attacks, we have to be more proactive. I'm not advocating counterattacks, but simply the Greek 500 approach. If attacks are coming from all directions, we will fail to defend against them. We cannot round up the wagons and pretend to continue doing business as usual. Ask Custer... It doesn't work. At the very least we should limit the attacking sources to our sphere of influence. Sure, allow your web server (a caching web server hosted elsewhere) to be accessed if you feel the need to promote yourself to the world... but your network infrastructure? Why? Save yourself some grief and limit inbound internet traffic to your sphere of influence.

The Greek 500 defeated a much larger army by mitigating the number of attackers using a funnel technique... basically forcing a large army to fight on a small front. Let's at least make it harder for attackers to just bounce off of China/North Korea... force them onto our turf and make them play by our rules.




 
