Thanks for posting; great to have you chime in on this.

Sorry, yes, I know that visibility means a lot more to you than just network traffic — and that you’ve been working on these concepts for a very long time, as well the the AF involvement in the development of intrusion detection, etc. Great stuff.

I think that understanding the things around you are better done by going over to a [responsible party’s] desk and asking them what is going on, rather than guesstimating using pretty RRDTool graphs with your VP. This is what I mean by accountability. I’m also not discounting visibility, I’m just saying it takes a close second.

“Situational awareness” is probably also like this in combat. People can rely on their targeting equipment, communications, radios, radar, et al — all they want. But it’s nothing like having a few spotters with analog binoculars, hand signals, and an organized plan of attack with a responsible chain of command.

If you think my “visibility” ideas are confined to network traffic, you’re thinking too narrowly. If you think I only started doing this work when I started blogging, you need to back up several more years.

I continue to be surprised by people who think they can somehow understand or control what, in the same sentence, they assume cannot be detected. How do you be “accountable” but not need to see what is happening?

`prefer’ means that I like one thing over another. In other words, I’m saying that, yes, visibility is also important — it’s just not as important as accountability (to me, in 2008, with respect to frameworks, for the reasons that I mentioned).

Yes, Alex has nice comments as always.

As usual great post dre.

I would slight disagree with you on Visibility. I think Visibility is also important as accountability.

“Accountability along with visibility will reduce the problems which you have mentioned:
Visibility has a problem: it only sees what it can see; and it usually only sees what it wants to see. This is why I prefer accountability over visibility.”

nice comment Alex!

RE: Visibility & Accountability. If I were sitting in a CISO chair, I don’t thnk I would limit “visibility” simply to more information about network or host actions. I think visibility into quality of processes is just as important. I also wouldn’t “sour” on the concept just yet. Maybe if I explain why I’m keen on visibility, it might make more sense.

IMHO, the greatest problem our profession has is uncertainty . We have uncertainty surrounding our models of how risk works. We have uncertainty in the metrics we use to build risk expressions, we have uncertainty in what we do and how we do it. If visibility “only sees what it can see; and it usually only sees what it wants to see” (great quote, btw), I’m thinking it’s only because we’re not sure of everything we’re supposed to be looking for.

To me - gaining visibility is simply the act of reducing that uncertainty. And when we drive State of Nature -> State of Knowledge -> State of Wisdom analytical processes around that uncertainty, we tend to understand more about the way the world we live in works. I think visibility is a very noble pursuit, in this regard.

But that’s not to say that your “accountability” isn’t without merit. I think it is no less important than visibility.

What seems to be nice about CISF is that, if Mark pulls it off, it will help build visibility and accountability in the right places, expressing the concepts in the right way. It’s quite a task, when you think about it…