Searching High and Low

It is a fact of life in security that the formerly relatively neat divisions in attacks, based on which layer of the OSI network stack was targeted, are gone. Attacks looking for weaknesses now roam the stacks like rabid librarians hunting misshelved books. So, defenses aimed at a single layer of the network are no longer able to really see attacks that are multimodal, and may not be able to protect against them, since what happens at one level can determine how what is happening at other levels is perceived.

Security is not the only place where things might have a multi-layer profile. In the Shiny New Data Center of the Future (SNDCotF), layer 7 phenomena (XML traffic) can now have effects on every other level via web-services interfaces to network and security appliances. The problem is not just one of interaction across layers, either; it is also one of time: compromises don't have to happen simultaneously on the several layers they attack. A layer 7 attack to compromise an XML load balancer might precede the attack on the router by days or weeks.

So, if IT is to have the right kind of investigatory and monitoring instrumentation in the SNDCotF, their tools need to be able to pull together data from sources as diverse as MAC address tables in a switch/router and message transformation logs in an XML security appliance. They need to support general functions like time-stamping, retention, compression, and indexing, and they need to have (as we have discussed in other posts) underlying organizational metaphors that are broadly applicable and intuitive to many kinds of IT users. Scalability and performance count too, in the SNDCotF, of course, so handling monster amounts of data and doing it fast are all to the good. When searching for the future (future bugs/performance problems/threats/mysteries, that is), IT will have to search high and low, and their tools had better be able to help them.
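As an added illustration of the cross-layer, cross-time correlation this post calls for (example code written for this page, not from the original post or any product): it normalizes a few constructed log lines from a switch (layer 2) and an XML security appliance (layer 7) into one timestamped timeline, then asks which events on other layers preceded a given event within a window. The log formats, field names and sources are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample records (not real logs) from two very different sources.
SWITCH_MAC_LOG = [
    "2009-03-02T10:14:05Z mac-move vlan=20 mac=00:1a:2b:3c:4d:5e port=Gi0/7->Gi0/12",
]
XML_APPLIANCE_LOG = [
    "2009-02-20T03:22:41Z xform policy=order-svc result=REJECT reason=schema-violation src=10.0.5.9",
    "2009-02-20T03:22:44Z xform policy=order-svc result=ALLOW src=10.0.5.9",
]


@dataclass(frozen=True)
class Event:
    ts: datetime      # normalized UTC timestamp, the common key across layers
    layer: int        # OSI layer the source observes
    source: str       # which appliance/log produced the record
    fields: dict      # parsed key=value payload plus the record "kind"


def parse_line(source, layer, line):
    """Parse one '<iso-ts> <kind> k=v k=v ...' line (assumed format) into an Event."""
    ts_text, kind, *pairs = line.split()
    fields = {"kind": kind}
    for item in pairs:
        key, _, value = item.partition("=")
        fields[key] = value
    return Event(datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"), layer, source, fields)


def unified_timeline(*feeds):
    """feeds: (source, layer, lines) tuples; returns all events sorted by time."""
    events = [parse_line(src, layer, ln) for src, layer, lines in feeds for ln in lines]
    return sorted(events, key=lambda e: e.ts)


def cross_layer_precursors(timeline, trigger_kind, window):
    """Events on a different layer that happened up to `window` before the first
    event of kind `trigger_kind`. Days-old layer 7 activity thus shows up next to
    a layer 2 anomaly instead of being lost in a per-layer view."""
    trigger = next(e for e in timeline if e.fields["kind"] == trigger_kind)
    return [
        e for e in timeline
        if e.layer != trigger.layer and timedelta(0) <= trigger.ts - e.ts <= window
    ]


if __name__ == "__main__":
    tl = unified_timeline(("switch", 2, SWITCH_MAC_LOG), ("xml-appliance", 7, XML_APPLIANCE_LOG))
    for e in cross_layer_precursors(tl, "mac-move", timedelta(days=14)):
        print(e.ts, e.source, e.fields)
```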
