Life Cycle of the IDS Infrastructure Project


Planning

Planning consists of providing a description of the criteria that must be satisfied by the intrusion detection system. Currently, there are no intrusion detection systems that can satisfy absolutely all criteria and absolutely all customer requirements. Because of this, planning is a very important step. Its results will serve as the basis for successful creation of the intrusion detection infrastructure. More detailed coverage of IDS evaluation criteria will be provided in Chapter 9.

This step is not complete after you form a list of criteria, but rather continues in parallel with such steps as choosing the IDS manufacturer and testing the system. According to the results produced at these stages, the list of criteria can be amended or even changed. At this stage, after obtaining information from the manufacturers and carefully testing the intrusion detection system, it is necessary to determine the financial parameters related to each of the tested systems, including the Total Cost of Ownership (TCO), the Return on Investment (ROI), etc. In the long run, this information will enable you to make your final choice and start implementing the pilot project.

Choosing the Manufacturer

After composing the list of requirements for the intrusion detection system, it is necessary to start searching for a manufacturer whose solutions can satisfy the requirements on your list. Taking into account the fact that this market is constantly growing and that new leaders are constantly appearing, I won't provide a list of manufacturers and their solutions. Instead, I recommend that you visit the following site: http://www.networkintrusion.co.uk/, where you can find a regularly updated list of intrusion detection systems, security scanners, deception systems, and integrity control tools. Another list of popular intrusion detection tools can be found at: http://www-rnks.informatik.tu-cottbus.de/~sobrey/ids.html.

After composing your list of potential manufacturers, it is necessary to send them Requests for Information (RFIs), in which you provide an informal description of your requirements for the intrusion detection system. This document will be your first attempt to interact with the manufacturer, and from it the manufacturer (or vendor) will get information about your needs. If you have not completely formulated your requirements for the intrusion detection infrastructure, the manufacturer's response describing its solution will help you to add to your list of requirements or elaborate on some of them.

Although, according to Table 8.1, this step requires approximately one month, this does not mean that during this month you or your employees need to dedicate all business time to that task. This interval simply spans the moment you send the RFIs and the time it takes to receive replies from the manufacturers interested in selling their solutions to you.

Testing

At the testing stage, which will be covered in detail in Chapter 9, you have to check that the parameters and functions the manufacturer claims correspond to those the system actually provides. Sometimes, after careful testing, you might change your opinion and begin examining another IDS.

In the course of testing, you might want to contact other companies that have already purchased the solution that you are currently testing. This will help you to detect problems that other customers encounter before they happen to you. Information on other customers can be obtained from the manufacturer. Note that if the manufacturer truly provides a valuable solution, there is no need to conceal information about other customers (if, of course, there are no agreements concerning privacy and confidentiality between them). In any case, practically all manufacturers publish so-called Case Study information on their websites, from which you can get information about successful projects.

The testing is finished when you send a Request for Proposal (RFP) to the chosen manufacturer. This document must contain more detailed requirements for the intrusion detection system. When answering this request, the manufacturer can elaborate on its answers to specific questions and provide more detailed data concerning the requirements satisfied by its system. The main difference between an RFI and an RFP lies in the RFP's focus on specific requirements.

Pilot Project

The placement of the IDS components cannot start before the actual purchase of the intrusion detection system. However, it is possible to start the pilot project at this early stage. Why might you need to do this? Testing will show you whether the system implements (or does not implement) some of the declared properties and features. However, only a pilot project can show you how the system performs in your working environment. Since it is impossible to bring the system into operation simultaneously on all segments of your corporate network, it makes sense to choose a relatively small segment (usually a typical one) and place, set up, and start working with the chosen system within that segment.

Placement

This stage starts immediately after you have finished the pilot project (or when this project is very close to completion), and signals the fact that the chosen system suits your needs, and that you can start deploying it on all segments of the corporate network. This process will be covered in detail in Chapter 10.

Operation and Maintenance

After placing all the sensors and scanners within the corporate network, the continuous process of IDS infrastructure operation and maintenance starts, which will be covered in detail in Chapter 11. Various aspects of responding to detected attacks will be covered in Chapter 14.




Protect Your Information with Intrusion Detection
ISBN: 1931769117
Year: 2001
Pages: 152
