An Introduction to Intrusion Detection and Assessment

ICSA, Inc. For more information, call 888-396-8348

About This White Paper Series

This is the first of a series of white papers on topics relating to intrusion detection products. These documents will help users and potential users to become familiar with intrusion detection and vulnerability assessment so that they can select those products that best meet their needs.

INTRUSION DETECTION OVERVIEW

Intrusion detection is an important security technology market. According to industry estimates, the market for intrusion detection products has grown from $40 million in 1997[2] to $100 million in 1998[3]. This market growth is driven by reports of steadily increasing computer security breaches (22% rise from 1996 to 1998, with $136 million in associated losses, according to a leading survey[4]). Intrusion detection is considered by many to be the logical complement to network firewalls, extending the security management capabilities of system administrators to include security audit, monitoring, attack recognition, and response. In this paper, we provide an overview of this security technology, expanding the traditional view of intrusion detection systems to include vulnerability assessment. These technologies play a vital role in modern system security management.

What Is Intrusion Detection?

Intrusion detection systems help computer systems prepare for and deal with attacks. They accomplish this goal by collecting information from a variety of system and network sources, then analyzing the information for symptoms of security problems. In some cases, intrusion detection systems allow the user to specify real-time responses to the violations.

Intrusion detection systems perform a variety of functions:

•  Monitoring and analysis of user and system activity
•  Auditing of system configurations and vulnerabilities
•  Assessing the integrity of critical system and data files
•  Recognition of activity patterns reflecting known attacks
•  Statistical analysis for abnormal activity patterns
•  Operating system audit trail management, with recognition of user activity reflecting policy violations

Some systems provide additional features, including:

•  Automatic installation of vendor-provided software patches
•  Installation and operation of decoy servers to record information about intruders

The combination of these features allows system managers to more easily handle the monitoring, audit, and assessment of their systems and networks. This ongoing assessment and audit activity is a necessary part of sound security management practice.

[1] Source: Yankee Group
[2] Source: Aberdeen Group
[3] Source: “Third Annual CSI/FBI Computer Crime and Security Survey”, Computer Security Institute, March, 1998.
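Three of the functions listed above (recognition of known-attack patterns, statistical analysis for abnormal activity, and integrity assessment of critical files) as one small Python example; this is added here and is not code from the ICSA white paper. The audit record format, the signature, the baseline profile and the file contents are all constructed for illustration.

```python
import hashlib
import re
from collections import Counter

# Constructed sample audit records (not from the white paper); the format
# "<user> <event> <detail>" is assumed for this example.
AUDIT_LINES = [
    "alice login ok",
    "bob login fail", "bob login fail", "bob login fail",
    "bob login fail", "bob login fail", "bob login fail",
    "carol exec /bin/ls",
    "dave exec cat /etc/shadow",
]

# Known-attack signatures (constructed): name -> regex applied to each record.
SIGNATURES = {"shadow-read": re.compile(r"\bexec .*cat /etc/shadow")}

# Historical profile (constructed): failed logins per user per audit window.
BASELINE_FAILS = {"mean": 0.5, "stdev": 0.5}


def match_signatures(lines):
    """Recognition of activity patterns reflecting known attacks."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]


def failed_login_outliers(lines, z_limit=3.0):
    """Statistical analysis: users whose failed-login count is far above the profile."""
    fails = Counter(line.split()[0] for line in lines if " login fail" in line)
    return sorted(user for user, n in fails.items()
                  if (n - BASELINE_FAILS["mean"]) / BASELINE_FAILS["stdev"] > z_limit)


def snapshot(files):
    """Record trusted SHA-256 digests of critical files while the system is known-good."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def check_integrity(files, baseline):
    """Integrity assessment: critical files whose current digest no longer matches."""
    return sorted(name for name, data in files.items()
                  if hashlib.sha256(data).hexdigest() != baseline.get(name))


if __name__ == "__main__":
    good = {"/etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}  # constructed content
    tampered = {"/etc/passwd": good["/etc/passwd"] + b"evil:x:0:0::/:/bin/sh\n"}
    print(match_signatures(AUDIT_LINES), failed_login_outliers(AUDIT_LINES),
          check_integrity(tampered, snapshot(good)))
```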