Estimating and Timeboxing
Submitted by Daryle on Thu, 04/10/2014 - 12:46In the summer of 2001, I was a lowly System Administrator managing a farm of IBM AIX servers running a payment gateway for a major MasterCard franchise. My network was segregated from the rest of the organization using dedicated firewalls. Firewall logs were in a very raw format: Source IP#, Source Port #, Destination IP#, Destination Port # and a timestamp. I had repeatedly asked for some networking and monitoring intelligence tools to help parse the firewall logs and turn them into more human understandable data but was turned down. I even offered to write some PERL scripts to do some of this work myself if I could have a company supplied cell phone to send any alerts to. Nada.
When the "Code Red" worm was released, my manager freaked. "I want you to read every line of those firewall logs and make sure nothing is getting through!" he said. I responded that Code Red only affected Windows servers running IIS. He didn't care. "Read them!" he insisted. I countered that there were about 500,000 lines of digits a day coming through the logs; his task was impossible.