Monitoring Methods and Mechanisms

The process of monitoring should consist of a structured plan that examines an organization's internal controls and validates those controls through internal and/or objective third-party mechanisms. Monitoring can be regular or irregular, but the most applicable type of monitoring to the audit perspective is continuous monitoring, also called continuous audit.

This type of monitoring ensures adherence to standards, whether industry standards, a security policy, or general security specification lists. A more specific type of monitoring, from an operations perspective, is the use of the monitoring tools and mechanisms required to accomplish the organization's business objectives. Monitoring mechanisms provide a means to infer what is happening on a system that is being administered, or on one the administrator wants to understand in order to determine its security posture and compliance. Understanding what is happening on one's own information systems is essential to providing adequate protection from prying eyes. Many adept network administrators will scan their own networks to see if any sniffer programs are running that might be able to intercept data passing in the clear (unencrypted) over a production network. Some products, such as AntiSniff, can sometimes detect network sniffers. Unfortunately, while such software can be useful, there is a very low chance of it actually detecting a passive sniffer.

Preventative measures, such as removing local administrative access on Windows-based systems or root access via sudo, su, or other mechanisms, can prevent the installation of sniffing software in the first place. Monitoring can also be a logical control that helps ensure compliance with an information security policy by verifying actual use against the use specified in the organizational information security policy. A good example of the latter is monitoring for unauthorized downloads of software onto enterprise systems.

Scorecards

Scorecards demonstrate security policy effectiveness through benchmarking. They show management the results of monitoring programs and are a good way to demonstrate whether IT dollars are well spent.

Scorecards, like monitoring programs, are integral parts of the security framework. The results of audits, in the form of scorecards, should be reported to senior management in a clear and concise format on a regularly scheduled basis to ensure compliance. A scorecard is a high-level report that summarizes organizational security compliance for senior management. Because each scorecard captures the security posture at a point in time, the series of scorecards provides a historical view of changes and improvements in overall information protection posture, and ideally these can be tied to high-level information protection initiatives. Scorecard criteria can be derived from government sources such as the National Institute of Standards and Technology (NIST) Computer Security Resource Center publications, including ISO/IEC 17799:2000 Information Security Management, Code of Practice for Information Security Management, at http://csrc.nist.gov/publications/secpubs/otherpubs/reviso-faq-110502.pdf.

Intrusion Detection Systems

An intrusion detection system (IDS) provides an alert when an anomaly occurs that does not match a predefined baseline, or when network activity matches a particular pattern that can be recognized as an attack. There are two major types of intrusion detection: network-based IDS (NIDS), which sniffs all network traffic and reports on the results, and host-based IDS (HIDS), which operates on one particular system and reports only on items affecting that system. The Intrusion Detection Work Group (IDWG) is advancing the specifications used for IDS communication for both types. More about how this field is developing can be found on the Internet Engineering Task Force Web site, www.ietf.org.

  • Network-based Intrusion Detection Systems (NIDSs) monitor a network segment and report alerts based on network traffic. The placement of the NIDS is important, and understanding the typical traffic for that particular environment is crucial. One of the most time-consuming tasks, and one that determines the effectiveness of both types of IDS, is establishing a baseline and tweaking the rule set to minimize false positives.

  • Host-based Intrusion Detection Systems (HIDSs) reside on the host and can detect host-specific activity that is anomalous. If central processing unit (CPU) cycles increase during off-business hours and a change to an executable program has also occurred, a breach might be suspected. HIDSs are specialized to the nuances of the system and can provide a level of detail that NIDSs are not privy to, since NIDSs monitor entire network segments.

Both types of intrusion detection can be a critical component of the continuous audit process. Intrusion detection can be considered a detective control, as it will identify circumstances where there has been a violation in policy.

Pattern Recognition (Signature Based)

Signature-based pattern recognition, also known as misuse detection, compares all traffic against a list of known attacks. As new exploit signatures become known, the database is updated, so the software requires regular signature updates. This is the most common type of IDS software generally available. Pattern recognition monitors all network traffic and then uses string matching to see whether the events occurring match a predefined signature. This type of IDS must have processing power capable of keeping up in real time, since it examines traffic on the wire as it passes. A signature-based IDS is similar to a virus detection program, which asks the question "Does the rule match the behavior being observed? If so, send an alert."
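The comparison described above, as a worked example added here (not code from the study guide): a small signature list is matched against constructed request lines, and a new rule is then appended to show that an event is only recognized once its signature is in the database. The rule names, patterns and traffic are all constructed placeholders.

```python
import re

# Constructed signature database for this example: (rule name, compiled regex).
# The patterns are illustrative placeholders, not a vendor rule set.
SIGNATURES = [
    ("directory-traversal", re.compile(r"(\.\./){2,}")),
    ("known-scanner-agent", re.compile(r"User-Agent: constructed-scanner/")),
]

# Constructed request lines, as a NIDS would see them on the wire.
TRAFFIC = [
    "GET /index.html HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET /view?file=../../../../config.ini HTTP/1.1 User-Agent: Mozilla/5.0",
    "GET /robots.txt HTTP/1.1 User-Agent: constructed-scanner/1.0",
    "GET /cgi-bin/test?x=EXAMPLE-EXPLOIT-MARKER HTTP/1.1 User-Agent: Mozilla/5.0",
]


def match_signatures(events, signatures):
    """Misuse detection: compare every event against every known signature.
    Returns (event index, rule name) for each event that matches a rule;
    the first matching rule wins, so one event yields at most one alert."""
    alerts = []
    for i, event in enumerate(events):
        for name, pattern in signatures:
            if pattern.search(event):
                alerts.append((i, name))
                break
    return alerts


def with_new_signature(signatures, name, regex):
    """Signature update: return the database extended with one new rule,
    which is how a newly published exploit pattern becomes detectable."""
    return signatures + [(name, re.compile(regex))]


if __name__ == "__main__":
    print("before update:", match_signatures(TRAFFIC, SIGNATURES))
    updated = with_new_signature(SIGNATURES, "example-marker", r"EXAMPLE-EXPLOIT-MARKER")
    print("after update: ", match_signatures(TRAFFIC, updated))
```

Event 3 produces no alert until the "example-marker" rule is added, which is the gap a signature-based IDS has between a new exploit appearing and its signature being distributed.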

Anomaly Detection

Alerts are generated whenever the system notices activity other than the normal network traffic. The dynamic nature of network computing makes this type of IDS particularly susceptible to false positives. The assumption here is that all intrusive events are considered anomalies. In order to do this, a profile of what is considered "normal" activity must be built first. Two unwanted possible scenarios result from this approach:

  • An anomaly that is not intrusive is flagged as intrusive (a false positive)

  • A true intrusion is not flagged as an anomaly (a false negative)

While the first scenario is considered annoying and misleading, the second has the potential for extensive undetected damage. The process applied to reduce the number of false positives consists of running data through the system, establishing the "normal" baseline, and examining the number of false positives. This "tuning" process is repeated until false positives are reduced to an acceptable level that provides meaningful alerting and notification. An anomaly detection IDS asks the question "Is the behavior being observed statistically deviant from what is expected? If so, send an alert."
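As an added illustration (not from the original text), the following Python builds a "normal" profile from constructed per-minute connection counts, flags statistical deviations, counts both error types against labelled observations, and runs the tuning loop that loosens the threshold until false positives are acceptable. All sample values are constructed; k is the threshold in standard deviations from the mean.

```python
import statistics

# Constructed baseline: connections per minute during normal operation,
# used to build the "normal" profile (mean 40, standard deviation 2).
BASELINE = [41, 39, 43, 37, 42, 38, 39, 42, 38, 43, 39, 39]

# Constructed monitoring window: (connections per minute, truly intrusive?).
# 56 is a legitimate backup burst; 52 is a slow probe; 90 is a flood.
OBSERVED = [(41, False), (44, False), (39, False), (56, False),
            (40, False), (52, True), (42, False), (90, True), (38, False)]


def build_profile(samples):
    """Profile of normal activity: population mean and standard deviation."""
    return statistics.mean(samples), statistics.pstdev(samples)


def is_anomalous(value, profile, k):
    """Flag a sample that deviates more than k standard deviations from the mean."""
    mean, sd = profile
    return abs(value - mean) > k * sd


def evaluate(profile, k, observed):
    """Count false positives and false negatives for threshold k."""
    fp = sum(1 for v, bad in observed if is_anomalous(v, profile, k) and not bad)
    fn = sum(1 for v, bad in observed if bad and not is_anomalous(v, profile, k))
    return fp, fn


def tune(profile, observed, max_fp=0, k=1.0, step=0.5, k_max=12.0):
    """Tuning loop: loosen the threshold until false positives are acceptable,
    and report the false negatives that the looser threshold costs.
    Returns (k, fp, fn), or None if no k up to k_max is acceptable."""
    while k <= k_max:
        fp, fn = evaluate(profile, k, observed)
        if fp <= max_fp:
            return k, fp, fn
        k += step
    return None


if __name__ == "__main__":
    profile = build_profile(BASELINE)
    print("profile (mean, sd):", profile)
    print("k=1.0 (fp, fn):", evaluate(profile, 1.0, OBSERVED))
    print("tuned (k, fp, fn):", tune(profile, OBSERVED))
```

With these values the tight threshold (k=1) raises two false positives and misses nothing, while the threshold loose enough to silence the backup burst (k=8) also lets the slow probe through, which is the second, more dangerous scenario above.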

Other approaches used in IDS include predictive pattern generation and neural networks. Predictive pattern generation is designed to overcome the limitation of looking only at data in real time: it considers past events to predict the probability of an event recurring. An event that is unrecognized gets flagged for follow-up, which increases the probability of false positives, but the event is then compared against the anomaly rules to see how far it deviates. This combined approach can reduce the number of both false positives and false negatives. Yet another approach is the use of neural networks, which are trained to predict the next action. The difference is that the predictive pattern approach looks back in time, while the neural network approach trains the network to look forward in time, anticipating an event.

Note: IDSs are covered in greater detail in Chapter 7.

Log Watching

Effective log watching requires a previously declared and well-defined end goal. Before the security administrator can sort through the extraneous information kept in logs, the nuggets they are looking for must already be clearly defined. Once the goal has been defined and they know which logs to check for those nuggets of information, they can establish triggers that will provide meaningful alerts on log events.

Many of the available log-watching tools perform the same tasks as IDSs but have fewer features. These tools can watch a single log file or parse multiple log files with common triggers.

To search through a log file for relevant information, one must use a tool. The most commonly used tool on UNIX platforms is grep. Typing grep $pattern $file, where $pattern is the text the administrator is looking for (the search pattern) and $file is the name of the log file to be searched, returns all of the lines within the file that contain the search pattern. The grep tool is also available for Windows variants as part of the Cygwin package, available from www.cygwin.com.
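The multi-log trigger idea from the paragraphs above, as an added example (not the book's code) in Python rather than grep: lines from two constructed log excerpts are merged in time order, and shared triggers fire when a pattern from one source host repeats a given number of times within a window. Log formats, hosts and trigger thresholds are constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed excerpts from two log sources; timestamps are the first 19 chars.
AUTH_LOG = [
    "2003-06-01 09:00:05 sshd: Failed password for root from 10.0.0.7",
    "2003-06-01 09:00:09 sshd: Failed password for root from 10.0.0.7",
    "2003-06-01 09:00:12 sshd: Failed password for root from 10.0.0.7",
    "2003-06-01 09:00:14 sshd: Failed password for root from 10.0.0.7",
    "2003-06-01 09:05:00 sshd: Accepted password for alice from 10.0.0.20",
]
FIREWALL_LOG = [
    "2003-06-01 09:00:07 fw: DENY TCP 10.0.0.7 -> 192.0.2.10:23",
    "2003-06-01 09:30:00 fw: DENY TCP 10.0.0.7 -> 192.0.2.10:25",
]

# Common triggers: (name, regex whose group 1 is the source host,
# number of hits required, window in seconds). Thresholds are constructed.
TRIGGERS = [
    ("auth-failure-burst", re.compile(r"Failed password .* from (\S+)"), 3, 60),
    ("firewall-deny", re.compile(r"DENY \S+ (\S+) ->"), 1, 0),
]


def parse_ts(line):
    return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")


def watch(log_sources, triggers=TRIGGERS):
    """Merge all sources in time order; fire a trigger when its pattern hits
    `count` times from the same host within `window` seconds.
    Returns (timestamp, source, trigger name, host) per alert."""
    merged = sorted((parse_ts(l), src, l)
                    for src, lines in log_sources.items() for l in lines)
    recent = defaultdict(deque)  # (trigger, host) -> timestamps of recent hits
    alerts = []
    for ts, src, line in merged:
        for name, pattern, count, window in triggers:
            m = pattern.search(line)
            if not m:
                continue
            hits = recent[(name, m.group(1))]
            hits.append(ts)
            while (ts - hits[0]).total_seconds() > window:
                hits.popleft()  # drop hits that fell out of the window
            if len(hits) >= count:
                alerts.append((ts.isoformat(sep=" "), src, name, m.group(1)))
                hits.clear()  # one alert per burst, then start counting again
    return alerts
```

Calling `watch({"auth": AUTH_LOG, "firewall": FIREWALL_LOG})` yields three alerts: each firewall deny immediately, and the authentication burst once on its third failure rather than once per line.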

Event Monitoring

In a relatively large organization, event monitoring is typically handled by a Computer Security Incident and Response Team (CSIRT). Event monitoring provides alerts, or notification, whenever a violation of policy is detected. IDSs typically come to mind, but firewall logs, server logs, application logs, and many other sources can be monitored for event triggers. Once an event has occurred, it must be determined whether the event is a legitimate security threat or a false positive. Incidents are tracked and followed up by the CSIRT and reported to management once they have been identified as legitimate and the facts have been verified.

Trend Analysis

Trend analysis draws on inferences made over time from historical data. Trend analysis of audit data can show how an organization's compliance with policy (or with whatever is being audited) increases or decreases over time. The assumption for intrusion detection is that if the trend can be predicted, then a countermeasure can be deployed based on the anticipated event. Once a baseline is established, variations from expected trends can be set to provide alerts. However, determining what should be considered a significant variation in a trend is a difficult challenge and will likely require many changes to the alerting controls, much as IDS deployments must work through the large number of false positives, or noise, after initial installation.
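As an added example (not part of the study guide), a least-squares trend over constructed monthly compliance readings predicts the next reading and raises an alert when the new reading deviates from the expected trend by more than k residual standard deviations; choosing k is the "significant variation" judgement the paragraph describes, and it needs the same tuning as an IDS threshold.

```python
# Constructed history: percentage of audited systems found compliant with
# policy, one reading per monthly audit cycle (oldest first).
COMPLIANCE_HISTORY = [72, 74, 77, 79, 80, 83, 85, 86]


def fit_trend(values):
    """Ordinary least-squares line through (0, v0), (1, v1), ... (needs >= 2 points).
    Returns (slope, intercept); a positive slope means compliance is rising."""
    n = len(values)
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean


def residual_sd(values, slope, intercept):
    """How far the history itself scatters around its own trend line."""
    sq = sum((y - (slope * x + intercept)) ** 2 for x, y in enumerate(values))
    return (sq / len(values)) ** 0.5


def check_next(values, observed, k=3.0):
    """Predict the next reading from the trend and alert when the observed
    reading deviates from it by more than k residual standard deviations.
    Returns (predicted, deviation, alert)."""
    slope, intercept = fit_trend(values)
    predicted = slope * len(values) + intercept
    tolerance = k * residual_sd(values, slope, intercept)
    deviation = observed - predicted
    return predicted, deviation, abs(deviation) > tolerance


if __name__ == "__main__":
    for reading in (88, 81):
        predicted, deviation, alert = check_next(COMPLIANCE_HISTORY, reading)
        print(f"observed {reading}: expected {predicted:.1f}, "
              f"deviation {deviation:+.1f}, alert={alert}")
```

A reading of 88 sits on the rising trend (expected about 88.7) and is quiet; a reading of 81 is a drop of roughly eight points against the trend and is flagged, even though 81 is higher than most of the history.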



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
