Detection


Detecting security breaches is often a challenge because of the complexity of today's computing environments. Businesses often do not understand the full scope of the normal interactions among their own applications and processes, let alone the patterns of network activity or changes to data that may signal an attack. Detection means being able to know when an attack is in progress and being able to separate real attacks from innocent but unusual behavior on the network. Defining what constitutes unusual behavior is part of the problem, since breaches can originate from a variety of sources, can be aimed at a variety of targets, and can have a variety of motivations behind them. Attacks also vary widely by class and can be conducted over short or long periods of time. An attack may not be apparent until a certain pattern of behavior has been observed for hours or even days.

As a best practice, detection must minimize the number of false positives. Too many false positives lead to intrusion alerts that are taken less seriously and reacted to with less urgency. Rather than being a standalone tactic, detection should be part of an overall security strategy and approach. Security policies should first define the levels of security required for various assets: certain data, applications, and network elements will need to be more secure than others, and detection systems should be applied first to protect the most critical infrastructure elements within the organization. Security policies should also document best practices for network, application, and data configuration. Detection systems should look both for incoming network attacks, via network monitoring, and for changes to data such as Web pages or sensitive documents, via host-based monitoring. For this reason, intrusion detection systems often fall into these two categories, network-based and host-based, and include a central management function that provides a single console for monitoring both data and network integrity status.

When deciding how to detect security breaches, businesses can choose either to keep the function in-house or to outsource it to a managed security services provider (MSSP). MSSPs typically offer both intrusion detection systems (IDSs) and antivirus services as part of their service offering, and they typically provide firewall, virtual private network, and vulnerability assessment services as well. For small- and medium-sized businesses, MSSPs can be an attractive way to obtain these services at a lower total cost of ownership than building the competency themselves. Larger enterprises are also starting to adopt MSSPs despite their initial apprehension about the outsourced business model and the stability of vendors. Most large enterprises favor keeping security in-house in order to maintain stricter control and to avoid relying on third parties for such a critical part of their business. Many MSSPs, however, are improving their value proposition by providing well-defined service level agreements and by building reputations for quality customer service, best practices, and responsiveness.

Intrusion Detection

Intrusion detection software provides an alert mechanism for security breaches but can also help protect data and network integrity in real time. For example, the Tripwire for Web Pages technology from Tripwire can detect changes to Web page content and prevent the changed content from being served to end users; instead, it replaces the altered pages with a customized message stating that the page is temporarily unavailable. This can help minimize public incidents due to "cyberhooliganism," financial losses, and downtime for problem resolution. In this manner it maintains Web site integrity in addition to performing the real-time notification function. The company makes several intrusion detection products that can be applied to servers and to a variety of infrastructure elements, such as the routers and switches that direct the flow of Internet traffic.
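To make the host-based change monitoring and the Tripwire-style Web page integrity gate described above concrete, here is an added Python example; it is not Tripwire's code. It baselines SHA-256 digests of known-good pages, checks each page against the baseline before serving it, withholds a changed or never-baselined page behind an "unavailable" notice, and records an alert. The page paths and contents are constructed sample data.

```python
"""Host-based integrity gate for served Web pages (added illustration).
Known-good digests are baselined; a page whose digest no longer matches is
withheld behind a "temporarily unavailable" notice and reported as an alert."""
import hashlib
from dataclasses import dataclass, field

UNAVAILABLE = b"This page is temporarily unavailable."

def digest(content: bytes) -> str:
    """SHA-256 hex digest used as the integrity fingerprint of a page."""
    return hashlib.sha256(content).hexdigest()

@dataclass
class IntegrityGate:
    baseline: dict = field(default_factory=dict)  # path -> trusted digest
    alerts: list = field(default_factory=list)    # (path, expected, observed)

    def snapshot(self, site: dict) -> None:
        """Record the trusted digest of every page while the site is known good."""
        self.baseline = {path: digest(body) for path, body in site.items()}

    def serve(self, path: str, current: bytes) -> bytes:
        """Return the page if it still matches its baseline, else the notice."""
        observed = digest(current)
        expected = self.baseline.get(path)
        if expected != observed:
            # A modified page and a page that was never baselined (expected is
            # None) are both untrusted: withhold the content and raise an alert.
            self.alerts.append((path, expected, observed))
            return UNAVAILABLE
        return current

# Constructed sample site; the content is not real.
SITE = {
    "/index.html": b"<h1>Welcome to Example Corp</h1>",
    "/about.html": b"<p>About Example Corp.</p>",
}

def demo() -> tuple:
    """Serve one intact page, one modified page and one untracked page."""
    gate = IntegrityGate()
    gate.snapshot(SITE)
    intact = gate.serve("/index.html", SITE["/index.html"])
    modified = gate.serve("/about.html", b"<p>Altered content</p>")
    untracked = gate.serve("/new.html", b"<p>Never baselined</p>")
    return intact, modified, untracked, len(gate.alerts)

if __name__ == "__main__":
    print(demo())
```

In a real deployment the baseline would be stored and signed outside the Web root so that whoever alters a page cannot also update its trusted digest.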

One of the first questions when deploying intrusion detection systems is where to place them on the corporate network. The National Security Agency recommends locating intrusion detection sensors based on the number of sensors available and on which infrastructure has been determined to be critical. It recommends that the first sensor be placed in the demilitarized zone (DMZ), between the router and the firewall, to protect against incoming attacks from the Internet. The second recommended location is on the corporate intranet just behind the firewall, which helps detect attacks that have breached the initial line of defense. Finally, it recommends placing additional sensors at critical local area network points within the intranet and on critical servers such as file, Web, and mail servers. The takeaway is that intrusion detection needs to be placed at critical points of the infrastructure in a layered approach.

Business Innovation and Disruptive Technology: Harnessing the Power of Breakthrough Technology ...for Competitive Advantage
ISBN: 0130473979
Year: 2002