Network Security

IDS - Intrusion Detection Systems


In this section we discuss intrusion detection systems as a strategic portion of a network security strategy. Let's start with the bleating cry from the technical team seeking funding for intrusion detection hardware and software.

'What we need is an intrusion detection system (IDS) to protect our company data'

'Buy our XYZ intrusion detection software and your data will be protected'

Perhaps we need a bullshit detector....

Start with the concept of an intrusion detection system as similar to a car alarm: it has a number of sensors covering pre-considered areas of attack, some sort of filtering to ignore false activation of sensors, a mechanism to ignore approved usage, and an indicator and notification that an intrusion has been detected.

Attacks
Running the car example against company data protection, however, there are key differences. Given that the method of attack on a car has remained relatively unchanged over time, i.e. smash a window, pop a lock, coat-hanger down the door, we could probably count the variety of attack modi operandi as being less than 20.

Intrusion at a network security level, however, is constantly evolving, not only against the existing network services as additional 'hacks' are created and publicised, but also as the business drivers for change cause changes in those services, creating additional exposure to attack.

As a result of this continual change in the network security area, continuous updating of the intrusion detection system is required, not only to counter new attacks and services but also to screen out additional false alarms.

With constant updating of attack 'signatures' to match both advances in hacking methods and changes in the services being protected, an intrusion detection system can warn of attack attempts.

Deterrent
In the car example we have a deterrent in the form of an audible/visible alarm that typically relies on the intruder's desire not to be caught activating the alarm, or that even causes an intrusion to cease on alarm activation for the same reason.

In network security intrusion detection the luxury of public bystanders joining in as part of the deterrent, and the visible and audible activation of the alarm, is not available. Instead the network security model relies on trained staff monitoring and responding to an alarm, usually without notifying the intruder that an alarm condition has been triggered.

There is little or no deterrent created through a network security intrusion detection system.

Successful attack
So continuing with a successful car attack, presumably this will be evidenced by a missing vehicle or goods missing from within the vehicle. In the network security intrusion example, however, stolen data will not be missing; in fact success at cracking a system can result in the activities of the attacker now appearing to be normal activities.

Put another way, once an attack has been successful the intrusion detection system will no longer detect the attack.

The requirement now becomes: how can I detect inappropriate access to data once the perpetrator has a genuine set of credentials and appears to be a normal user? That is something intrusion detection is unable to do.

Real uses
Of course attacks can take many forms, such as denial of service - disabling the car, destruction of data - destroying the car, or checking it out for a later attack - casing the joint.

In these examples the network security intrusion detection system will be effective at providing an audit trail of activities, and the opportunity to 'trace back' at a network level to identify the source of the attack - similar to a police dog sniffing out the criminals.
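As an added illustration of the last three sections (this is not code from the original page), here is a toy signature-based IDS run over a constructed log. The fixed signatures and failed-login threshold are the kind of thing that must be kept updated; the probe and the password-guessing burst produce an audit trail that can be traced back to a source address; but the download made afterwards with the guessed credential raises nothing and is indistinguishable from a legitimate user's. The log lines, addresses, signatures and threshold are all assumptions.

```python
import re
from collections import Counter

# Constructed sample log (not from the page). One source probes, guesses the admin
# password, then, holding the real credential, pulls a report exactly as user alice does.
SAMPLE_LOG = """\
2005-03-01T02:14:07 src=203.0.113.7 msg=GET /cgi-bin/../../../etc/passwd
2005-03-01T02:15:01 src=203.0.113.7 msg=login failed user=admin
2005-03-01T02:15:02 src=203.0.113.7 msg=login failed user=admin
2005-03-01T02:15:03 src=203.0.113.7 msg=login failed user=admin
2005-03-01T02:15:04 src=203.0.113.7 msg=login ok user=admin
2005-03-01T02:16:30 src=203.0.113.7 msg=GET /reports/customers.csv user=admin
2005-03-01T02:17:00 src=198.51.100.4 msg=login ok user=alice
2005-03-01T02:17:05 src=198.51.100.4 msg=GET /reports/customers.csv user=alice
""".splitlines()
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) msg=(?P<msg>.*)$")

# Hypothetical attack signatures in the text's sense: fixed patterns that must be
# updated whenever new hacks appear or the protected services change.
SIGNATURES = {
    "path traversal": re.compile(r"\.\./"),
    "system file request": re.compile(r"etc/passwd"),
}
FAILED_LOGIN_THRESHOLD = 3   # a burst of failures from one source is an attempt

def run_ids(lines):
    """Match every line against the signatures; the alerts are the audit trail."""
    alerts, failures = [], Counter()
    for line in lines:
        ev = LINE_RE.match(line)
        if not ev:
            continue          # unparseable line: a real IDS would count these too
        ts, src, msg = ev.group("ts", "src", "msg")
        for rule, rx in SIGNATURES.items():
            if rx.search(msg):
                alerts.append({"ts": ts, "src": src, "rule": rule})
        if msg.startswith("login failed"):
            failures[src] += 1
            if failures[src] == FAILED_LOGIN_THRESHOLD:
                alerts.append({"ts": ts, "src": src, "rule": "login brute force"})
    return alerts

def trace_back(alerts):
    """Group the trail by source address: the 'police dog' use of the IDS output."""
    return dict(Counter(a["src"] for a in alerts))

def unflagged_downloads(lines, alerts):
    """Report downloads that raised no alert: the stolen-credential one looks like alice's."""
    flagged = {a["ts"] for a in alerts}
    return [l for l in lines if "GET /reports/" in l and l.split()[0] not in flagged]
```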

Bias
Remember most players in the network security intrusion detection area have a bias: technical people love the challenge of a battle of wits with the bad guys, the software vendors love to take your money, and the consultants are able to show their value for money in the number of intrusion attempts - a bit like reporting the flies that hit the windscreen, though ... for a fee.

Priority
Since protection of data is dependent on many factors, detecting that an attack was unsuccessful will not be as important as applying the less attractive but more effective protections such as system patches, physical security, securely coded applications, strong passwords and, of course, an effective, communicated security policy.

Summary

  • Consider deferring network security intrusion detection until other basic measures have been completed.
  • Watch for bias in the advice you are receiving - everyone has an angle.
  • Recognize that the real implementation cost is not only the software but also the ongoing update and configuration, monitoring and responding to false and real alarms, and access to the update data needed to keep up with changes in attack types and services.
©2005 Network Security