Terry Zink's Cyber Security Blog

Discussing Internet security in (mostly) plain English

How many arrows in the quiver is enough? Part 2


The second major disadvantage of multiple antispam strategies is the overall cost of maintaining them. We have a spam team of fewer than 10 people, and I'd wager that most antispam organizations have a similarly sized team. It takes a great deal of time to master any one antispam strategy, such as writing regular expressions to target spammy phrases. Becoming an expert in IP reputation, Bayesian filtering and Distributed Checksum Filtering as well becomes rather expensive over time. The people actually using the tools are forced to wear multiple hats. This is not a bad thing until you start adding lots of filters. Then the constant switching becomes time consuming, both between spam tools and between dealing with spam and dealing with false positives.

Not only must the spam analysts become proficient with multiple tools, but your infrastructure must scale as well. For example, you need to build and maintain a DNS infrastructure in order to consume IP-based blocklists, which means your operations team needs to be able to respond to alerts. You also need to build and maintain a mechanism for handling false positives. If you have a regex engine, you need to build and maintain a rule-writing-and-modification process and a replication process to push rules out. If you use Distributed Checksums, you need a mechanism to calculate the checksum of each message and then check it against the centralized database.

All of this matters because building infrastructure is not a one-time thing. Stuff breaks. Upgrades are needed. Alerts need to be responded to. In other words, maintenance is an expensive endeavor. You need a team of Operations personnel to deal with problems, but your developers need to be familiar with this stuff as well. In a large organization (and even a small one), people join the team and then leave the team every year or two. Because of that churn, having so many moving parts makes the system difficult to maintain: your support team will forever be ramping up on the features in order to fix problems.

Thus, the development and maintenance cost of multiple engines comes into play. If you have too many, it's going to be very difficult to keep all the balls in the air without dropping one. It's better to stick to a few strategies and do them well than to try to do everything.
