Summary

Monitoring and assessment is a critical part of information security. It is useful both in keeping systems running and in dealing with security events. It can alert administrators to problems, identify attacks in progress, and provide information for use in dissecting events or for legal prosecution after a security event has occurred. In order to perform these chores effectively, the administrator must be knowledgeable in the use of many tools and be given the time to evaluate their results. In the day-to-day operation of networks, both the knowledge and the review tasks are often ignored or trivialized in favor of just keeping systems running. Unfortunately, this chapter can only provide the knowledge part of the monitoring and assessment task. Organizations must be motivated to provide appropriate intellectual bandwidth for the review of systems and for action based on that review. If they do, they will be rewarded with systems that work better, faster, more efficiently, and longer. They will be able to do more than "just keep systems up and running."