13.2 Detection

Implementing the security policy also introduces several technologies that are key to detecting possible incidents on a computer network. The firewall often serves as the first warning sign of attacks or other network activity originating outside the company's own network. Alongside the firewall, any intrusion detection systems (IDSs) will flag known attacks found in packets on the network. This allows not only efficient detection but also rapid evaluation of the threat.

An IDS is not a perfect detection device. There are ways to fool an IDS, and an IDS can miss new or novel attack patterns on the network. Another attack that the IDS might miss entirely is someone discovering the password of a user or administrator: to the IDS, the resulting activity may look like a normal log-in. There is no substitute for knowing your own network and for the vigilance of your network team.

Most applications support robust logging, recording significant operational conditions or user actions such as log-in times and activity while connected. Each logging device should be capable of being time-synchronized with the others and, if possible, all log information should be collected and stored on a central server such as a syslog server. Central storage, combined with consistent time-stamping, makes it much easier to reconstruct a sequence of events and also simplifies management and the detection of possible computer incidents.

In fact, so many applications and operating systems support logging that it is sometimes a challenge to know what to collect. A forensics investigator will recommend that the more information you are able to collect and store, the better. A network administrator who is responsible for collecting and storing those logs might argue otherwise. On active networks, the amount of logging information collected can be enormous, and logging everything that can be logged and shipping it over the network can affect the performance of your systems and the network. At a minimum, logs should record user log-in times, unsuccessful log-in attempts, and any attempts to change security policy. Beyond that, the amount of logged information depends on the cataloging system available for the logs (extra information does you no good if you cannot find it), the performance of the network itself, and the ability to store the logged information for a reasonable period of time.

Finally, there is no substitute for common sense. Incident response teams, network administrators, and end users should all be trained to recognize unusual behavior on the network. This may be unexplained changes to an important database, problems with operating systems or servers, or gradual or sudden consumption of network resources with no other explanation. Any of these symptoms, and more, may be the early warning signs of a computer incident.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs