Security Monitoring, Detection, and Escalation Processes and Techniques


The IT organization should have clear policies and procedures for incident response, including how disruptive incidents are detected, corrected or restored, and managed. Both policies and procedures should outline how specific incidents are to be handled and how the systems, applications, and data involved in the incident are restored to normal operation. The main goal of an incident-response plan is to restore systems damaged during the incident and to prevent any further damage. The incident-response plan should define a central authority (the incident response team) and procedures for training employees to recognize and report an incident. The incident response team should ensure the following:

  • Systems involved in the incident are isolated from the network so they cannot cause further damage (disconnecting the network rather than powering off, so volatile evidence such as memory contents is not lost).

  • Appropriate procedures for notification and escalation are followed.

  • Evidence associated with the incident is preserved.

  • Documented procedures to recover systems, applications, and data are followed.

An intrusion-detection system (IDS) should be part of the organization's security infrastructure, monitoring the organization's systems and data to detect misuse. An IDS can be either network based or host based, and it operates continuously, alerting administrators when it detects a threat. Both types can use knowledge-based (signature-based) or behavior-based (statistical, neural network) detection methods to detect network attacks. A network-based IDS is commonly placed between the Internet and the firewall, where it sees every attack attempt; a sensor placed inside the firewall instead shows which attempts get through. A host-based IDS runs on a specific host and monitors the resources of that host: file systems, memory, CPU, and network traffic to the host system. Both network- and host-based IDSs use sensors to collect the data they review.

An IDS can be signature based, statistical based, or neural network based. A signature-based IDS detects known intrusion patterns: it holds a database of signature files (known attack types) against which it compares incoming data from the sensors, and it alerts administrators when it detects a match. Because it can match only what is in its database, it does not detect new attacks until a signature for them is added. A statistical-based IDS compares data from the sensors against an established baseline of normal activity (created by the administrator); if the sensor data exceeds the thresholds in the baseline, it alerts an administrator. For example, security administrators can count unsuccessful logon attempts per source and review any source whose count exceeds the normal number as a potential intrusion attempt. A neural network IDS learns patterns of activity or traffic on the network; this self-learning process builds a database (baseline) of normal activity against which future activity is compared.

Correct implementation of an IDS is critical. If the type or configuration of the IDS produces a large number of alerts that are not intrusions (false positives), administrators might disregard alerts altogether or turn off the rules that generate them. The opposite problem, intrusions that go undetected (false negatives), occurs if the type of IDS does not fit the needs of the organization or it is misconfigured. The IT organization must continually tune the rules, signatures, and thresholds of the IDS to keep both error rates at an acceptable level.
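The two detection styles described above, and the tuning trade-off, as an added example that is not code from the Exam Cram text. It runs signature matching and a threshold check over constructed syslog-style lines (hypothetical host "web1", documentation IP ranges); the signatures are illustrative regexes, not a real rule set, and the baseline threshold of mean plus k standard deviations is an assumed model, since the text only says the sensor data is compared against "thresholds in the baseline".

```python
import re
import statistics
from collections import Counter

# Constructed sample syslog lines (hypothetical host "web1" and documentation
# IP ranges); they are not real logs from any system.
SAMPLE_LOGS = [
    "Jan 10 09:00:01 web1 sshd[101]: Failed password for root from 203.0.113.5 port 5022 ssh2",
    "Jan 10 09:00:02 web1 sshd[101]: Failed password for root from 203.0.113.5 port 5023 ssh2",
    "Jan 10 09:00:03 web1 sshd[101]: Failed password for admin from 203.0.113.5 port 5024 ssh2",
    "Jan 10 09:00:04 web1 sshd[101]: Failed password for invalid user oracle from 203.0.113.5 port 5025 ssh2",
    "Jan 10 09:00:05 web1 sshd[101]: Failed password for invalid user test from 203.0.113.5 port 5026 ssh2",
    "Jan 10 09:00:06 web1 sshd[101]: Failed password for root from 203.0.113.5 port 5027 ssh2",
    "Jan 10 09:12:40 web1 sshd[117]: Failed password for alice from 198.51.100.7 port 41022 ssh2",
    "Jan 10 09:12:43 web1 sshd[117]: Failed password for alice from 198.51.100.7 port 41022 ssh2",
    "Jan 10 09:12:47 web1 sshd[117]: Accepted password for alice from 198.51.100.7 port 41022 ssh2",
    "Jan 10 09:30:00 web1 sshd[130]: Invalid user guest from 192.0.2.9 port 60000",
    'Jan 10 09:31:10 web1 httpd: 203.0.113.5 - - "GET /cgi-bin/../../etc/passwd HTTP/1.1" 404 0',
    "Jan 10 09:31:11 web1 httpd: 203.0.113.5 - - \"GET /login?user=admin' OR '1'='1 HTTP/1.1\" 200 512",
]

# Knowledge-based detection: a small signature database of known attack
# patterns (illustrative regexes, not a real IDS rule set).
SIGNATURES = {
    "web-path-traversal": re.compile(r"\.\./\.\./"),
    "web-sqli-tautology": re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1"),
    "ssh-invalid-user": re.compile(r"Invalid user"),
}


def signature_alerts(lines):
    """Compare every line against every signature; alert on each match."""
    return [(name, line) for line in lines
            for name, pattern in SIGNATURES.items() if pattern.search(line)]


# Behavior-based detection: count failed logons per source address and
# compare the counts against a baseline of normal activity.
FAILED_LOGON = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d+\.\d+\.\d+\.\d+)")


def failed_logons_by_source(lines):
    """Sensor data: number of failed logon attempts per source IP."""
    counts = Counter()
    for line in lines:
        m = FAILED_LOGON.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


# Constructed baseline: failed logons per source observed on ten normal days.
BASELINE_HISTORY = [1, 0, 2, 1, 0, 1, 3, 1, 0, 1]


def baseline_threshold(history, k=3.0):
    """Threshold = mean + k * stdev of the baseline (assumed model; the text
    only says 'thresholds in the baseline'). k is the tuning knob."""
    return statistics.mean(history) + k * statistics.pstdev(history)


def statistical_alerts(lines, history, k=3.0):
    """Alert on every source whose failed-logon count exceeds the threshold."""
    threshold = baseline_threshold(history, k)
    return {ip: n for ip, n in failed_logons_by_source(lines).items() if n > threshold}


if __name__ == "__main__":
    for name, line in signature_alerts(SAMPLE_LOGS):
        print(f"SIGNATURE {name}: {line}")
    for k in (1.0, 3.0, 10.0):  # too loose, reasonable, too strict
        print(f"k={k}: threshold={baseline_threshold(BASELINE_HISTORY, k):.2f} "
              f"alerts={statistical_alerts(SAMPLE_LOGS, BASELINE_HISTORY, k)}")
```

With k=3 only the source with six failures is flagged. Lowering k to 1 also flags alice's two mistyped passwords (a false positive of the kind that trains administrators to ignore alerts), while raising k to 10 lets the brute-force source through (a false negative). The "Invalid user" signature only fires on the line that literally contains that string; a real rule set would need a second signature for the lowercase form the failed-password lines use, which is the kind of gap signature tuning has to close.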



CISA Exam Cram 2
ISBN: B001EEFNHG
Year: 2005
Pages: 146
