Bringing the IDS into Operation


So, you have finally managed to prove the necessity of deploying an intrusion detection system, succeeded in convincing management to purchase one, and started to deploy the intrusion detection infrastructure in your company. However, it is most likely that as soon as you begin implementing your plans, you will encounter quite a few difficulties and problems whose existence you did not even suspect. The more sophisticated your project, the more problems you will have to solve. It is commonly thought that intrusion detection systems are much easier to deploy and bring into operation than ERP or CRM systems. This is not the case, however. Creating a viable intrusion detection infrastructure according to the principles discussed in previous chapters is a rather difficult task, and you must consider and approach it seriously.

The well-known Lerman's Law of Technology states that "Any technical problem can be overcome given enough time and money." Lerman's Corollary goes on to say: "You are never given enough time or money." It is practically impossible to do anything quickly, cheaply, and well. Achieving the ideal simultaneously in all three areas is impossible. Even attaining the ideal in two of these parameters is only rarely possible. Thus, the best approach is to choose a single criterion to take priority in your work (Fig. 8.2).

Fig. 8.2. The criteria to be used during deployment and implementation

Thus, when deploying an IDS infrastructure and bringing it into operation, it is necessary to adopt some well-known approaches and principles used to deploy other complex systems. In particular, you must do the following:

  • Create a workgroup responsible for deployment. This group must include employees from the IT department, security specialists from the IS department, and representatives from management. The best approach is to include someone from top management in this team, since his or her authority will be very helpful when solving many of the organizational problems that will inevitably arise in the course of deployment.

  • Carefully consider the possibility of inviting consultants or requesting services from third-party companies. Do not be too self-confident, and try to be objective when deciding whether you are able to implement the whole project on your own. If you fail to deploy and bring into operation an expensive system, this will be much worse and will cost your company much more than it would have cost to invite external consultants to help. It is impossible to be an expert in all areas, and because of this, using third-party services will likely play a positive role.

  • Do not forget to test the deployed system. This will help you avoid a situation in which the system seems to operate properly, but in practice does not solve even one tenth of the problems it is supposed to.




Protect Your Information with Intrusion Detection
Protect Your Information with Intrusion Detection (Power)
ISBN: 1931769117
Year: 2001
Pages: 152
