While intrusion-detection technologies are clearly not a hot new thing anymore, they are still the subject of active industry debate. Since Gartner Inc.’s infamous “IDS Is Dead” piece was published in 2003, the discussion about the relevance of such systems in today’s world of commercial malware and Web exploits rages on. Furthermore, the relationship of IDS to newer technologies such as intrusion-prevention systems (IPS) and network-behavior anomaly (NBA) detection systems is also commonly discussed in the security community.
At the same time, everybody who is even slightly involved with security knows that prevention technologies will fail at some point. It’s necessary to have an additional layer to detect the consequences of a breach. Similarly, few question the need for comprehensive network monitoring aimed at increasing control over what should be “your” network but is sometimes “owned” by the attackers as well.
No matter what technologies become fashionable, the need for intrusion detection is constant. Whether you choose to implement an IDS is less important than having a process that enables you to know what is going on and to detect intrusions. Thus, enlightened companies will consider even their end users to be, metaphorically speaking, a kind of
IDS, since users will sometimes serve as indicators of suspicious behavior. On the opposite end of the spectrum are those less-enlightened companies that chose to go with “CNN is our IDS” and that learn that their networks were compromised only when the news shows up in the media. Don’t be those guys.
It’s interesting to note that intrusion-detection technologies are actually mandated by a few regulations. Organizations under such mandates should look at deploying such technologies independently of industry debate over the finer mechanical points. Elsewhere I’ve described the way in which FISMA, HIPAA and PCI-DSS affect incident-response procedures and log management processes. It should come as no surprise, then, that these same regulations mandate intrusion-detection capabilities.
To demonstrate the complexity of intrusion detection and prevention, and the need for a multifaceted approach to the issue, note the common theme that runs through these regulations: Intrusion-detection mechanisms must not only be in place, but must also be kept up to date and monitored for signals and alerts.
the federal information security Management Act of 2002 (fisMA): NIST SP 800-53 lists a variety of security controls (including intrusion-detection controls) that need to be in place to protect a federal information system. “Intrusion-detection controls” simply means that tools and techniques must be used to monitor for and detect unauthorized information system activity and/or attacks, without specifying any particular method of doing so.
network access control
55%
56%
E-mail encryption
47%
37%
indentity management
44%
27%
client firewall
42%
54%
security configuration management
42%
30%
security information management
40%
39%
Enterprises sMB
Ba SE: 175 European SMB and 132 enterprise platform soft ware, infrastructure soft ware or application architecture decision-makers who are upgrading or making a first-time purchase of security software; multiple responses accepted
SOurCE: FOrr ESt Er rESEar Ch InC., 2007
References:
Archives