Originally posted here by Tiger Shark
Not really, when I get to work my scripts have pulled out all the "interesting" stuff from the logs so all I have to do is glance through them to see if there is anything of real interest. If there is I take a look to see if the logged activities indicate that there is actually a brain on the other end as opposed to a skiddie. If there is I use some other systems to get about the same information about the attacker as he now has about me and decide what to do. I spend maybe 30 minutes a day on it now.....
In order for that to work you MUST have a very VERY accurate baseline. How good is your "what is normal" vs "what is abnormal" activity? How do you intelligently and efficiently handle updates and changes to "what is normal"? If you were to do that in my environment I would have peers audit your methodology on a regular basis.

But that's not what this is about. What this is about is following security as per the security model established by people that have been doing it a lot longer and are more successful at security than InfoSec. Follow military and law enforcement models.

If you are going to establish a very secure boundary, you pull out your 10 foot barbwire fences, your CCTV, your guards and your gates. You establish a very strong and real psychological deterrent. The intruder needs to be reminded at every step of the way "this is a bad idea!", "this is a mistake!", "turn back!" etc. No stealth. If you approach Guantanamo Bay, trust me, you will be *very aware* that you are approaching Guantanamo Bay and you won't ever forget it!

The difference being that if you act like an idiot at Guantanamo Bay, you will get your head shot off. But the perception is, if you act like an idiot online, nothing will happen. That's because there are no perceived real-world repercussions to the action. You need to establish a real-world repercussion. Fines. Cancellation of service. Litigation. Baseball bat to the head. Whatever you can get away with.

;-)