
Log Law: Is Your Log Data Guilty?

By : NetIQ Corporation
Published : Oct 20, 2006
Length : 17
Type : White Paper
Overview :
This white paper is a must-read for anyone involved in managing logs for legal use. It examines the admissibility of log data in court cases, how to maintain the authenticity of log data, and how log data can be attacked and still stand up to scrutiny. It also introduces legal terms such as Hearsay and the Best Evidence Rule.
Related Categories : Governance, Hacker Detection, Internet Security, Local Area Networking, Monitoring, Network Management, Network Performance Management, Network Security, Networking, Remote Network Management, Security Management, Servers, TCP/IP Protocol, Test And Measurement, Traffic Management

Building a Solid Foundation

Engineers often have difficulty understanding legal issues. One of the fundamental reasons why is very easy to understand: System Administrators, Network Engineers, and anyone generally within an engineering discipline usually prefer things in black and white or in concrete terms. We tend to work best when we operate within a world of "If condition X occurs, then result Y will also occur." Lawyers, on the other hand, are very comfortable operating within a world of nuance. And it is through the manipulation of these nuances that a lawyer will either win or lose cases for their clients. Why? Because, due to the nature of political and societal systems, laws tend to be generalized and thus, are left to interpretation.

Think of the laws like correlation rules. In event correlation, there is strict-rule correlation, and then there are more "gray" correlation types like statistical, baseline, fuzzy logic, and, at the furthest extreme, artificial intelligence. Which of the models of correlation is the easiest to understand and gives the most definitive if-then construct? Strict-rule correlation. Why? Because there is an explicit rule for each and every condition to be correlated. Troubleshooting strict-rule correlation is easier, and understanding its principles is straightforward, because every condition has an explicit rule to govern it. But which correlation type is easier to manage? That answer isn't so clear. With the explicit nature of strict rules comes the need for 1:1 relationships: one rule for every condition I need to evaluate. When these start getting into the hundreds or thousands, manageability goes right out the window. So how do we address this within the world of correlation? We generalize, with one common method being grouping. So, now I categorize events, and then I can structure correlation rules that work against the categories, creating a one-to-many condition. The legal system has to work in a similar fashion if it is to be manageable, but there is one additional component of the legal system that a correlation engine doesn't have: true intelligence, which adds an extra dimension to how the rule is applied. Thus, we have "interpretations" of the law, and these interpretations are then rendered as decisions or judgments.

Now, we introduce an important principle to the fundamental understanding of law. Many societies that govern by "the rule of law" have a construct of Case Law that often brings with it an understanding derived from the Latin phrase "stare decisis", which means "let the decision stand." This simply means that when adjudicating a case, both lawyers and judges will look to past cases that are similar in nature, or as close as possible, to the case at hand, in order to support their positions or judgments. Think of it like gaining consensus. How often do you want to have the opposite opinion of others in a group? Following this principle maintains stability in the system and allows people who are governed under the law to feel safe, which comes from knowing and understanding the rules by which the society operates. Contrast this with societies ruled by dictators, or where laws are arbitrarily enforced, interpreted, and applied, resulting in fear, much like working in an office with "that person", where you never quite know what might set him or her off.

If you are wondering what any of this has to do with logs from computing and networking systems, stay with me. The answer is: a lot. It doesn't matter what country you are in when reading this White Paper; the underlying principle just discussed is universal and applicable. It's when we build on these foundations that the deviations and differences become more prevalent and important to understand, because it is to these "systems" that the log data must be presented and evaluated.