ICSA, Inc.
For more information, call 888-396-8348
An Introduction to Intrusion Detection and Assessment
Figure 3 A process view of system security management
Prevention covers those proactive measures taken by organizations to mitigate risks to their system security. Much of the classic, government-sponsored work in computer security addresses this area by focusing on the design and implementation of more secure operating systems and application software. Prevention also covers security policy formation, encryption, strong identification and authentication, and firewalls.
Functions in the detection phase are primarily provided by intrusion detection systems, although virus scanners also fall into this category. As pictured in the diagram, detection involves monitoring the targeted system(s), analyzing the information gathered for problems, and then, based on the system settings, responding to the problems, reporting the problems, or both.
The results of the detection process drive the other two stages of managing security: investigating problems that are discovered, documenting the cause of each problem, and either correcting the problem or devising a means of dealing with it should it occur again. A common vision for future intrusion detection systems is that of performing these last two stages automatically, or else performing the functions internal to detection so well that the need for the last two stages is virtually eliminated.
The combination of the investigation and diagnosis/resolution phases is often called Incident Response or Incident Handling. Organizations should specify policies, procedures, and practices to address this area, as they do for the rest of security.
DEBUNKING MARKETING HYPE
WHAT INTRUSION DETECTION SYSTEMS AND RELATED TECHNOLOGIES CAN AND CANNOT DO
Every new market suffers from exaggeration and misconception. Some of the claims made in marketing materials are reasonable and others are misleading. Herewith, a primer on how to read intrusion detection marketing literature.
Realistic benefits
They CAN lend a greater degree of integrity to the rest of your security infrastructure.
Intrusion detection systems, because they monitor the operation of firewalls, encrypting routers, key management servers and files critical to other security mechanisms, provide additional layers of protection to a secured system. The strategy of a system attacker will often include attacking or otherwise nullifying security devices protecting the intended target. Intrusion detection systems can recognize these first hallmarks of attack, and potentially respond to them, mitigating damage. In addition, when these devices fail, due to configuration, attack, or user error, intrusion detection systems can recognize the problem and notify the right people.
[Figure 3 diagram: Prevention -> Detection (Monitor, Analyze, Respond, Report) -> Investigation -> Diagnosis & Resolution; the last two stages together are labelled Incident Handling/Response.]
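The Monitor/Analyze/Respond/Report cycle of Figure 3, applied to the benefit described above (watching the integrity of the other security devices), as an added example that is not part of the ICSA paper. The device names, baseline configurations and sensor lines are constructed, and the `device|kind|value` sensor format is an assumption made for the example.

```python
# Detection loop in the Monitor -> Analyze -> Respond/Report shape of Figure 3, watching
# the health of other security devices. Device names, baselines and sensor lines are constructed.
import hashlib

def fingerprint(config_text):
    return hashlib.sha256(config_text.encode()).hexdigest()

# Known-good fingerprint of each protected device's configuration (constructed).
BASELINE = {
    "fw-edge": fingerprint("allow 443 from any; deny all"),
    "kms-1": fingerprint("kms policy v3"),
}
# "Based on the system settings": respond, report, or both.
SETTINGS = {"respond": True, "report": True}

def monitor(raw_lines):
    """Monitor stage: parse constructed sensor lines 'device|kind|value' into tuples.
    kind is "config" (current config text) or "heartbeat" (seconds since the last one)."""
    return [tuple(line.strip().split("|", 2)) for line in raw_lines]

def analyze(events, baseline=BASELINE, max_silence=60):
    """Analyze stage: flag configuration drift on a protected device, or a device gone silent.
    Returns (device, problem, severity) findings."""
    findings = []
    for device, kind, value in events:
        if kind == "config" and fingerprint(value) != baseline.get(device):
            findings.append((device, "configuration differs from baseline", "high"))
        elif kind == "heartbeat" and int(value) > max_silence:
            findings.append((device, f"no heartbeat for {value}s", "medium"))
    return findings

def respond_and_report(findings, settings=SETTINGS):
    """Respond/Report stage: return the actions taken so a caller can check (or execute) them."""
    actions = []
    for device, problem, severity in findings:
        if settings["respond"] and severity == "high":
            actions.append(("respond", device, "restore baseline configuration"))
        if settings["report"]:
            actions.append(("report", device, problem))
    return actions

def run_detection(raw_lines, settings=SETTINGS):
    """Whole detection phase over one batch of sensor output."""
    return respond_and_report(analyze(monitor(raw_lines)), settings)

# Constructed sensor output: edge firewall rule set changed, key server stopped answering.
SAMPLE = ["fw-edge|config|allow 443 from any; allow 22 from any; deny all",
          "kms-1|config|kms policy v3", "kms-1|heartbeat|300"]
```

Switching `respond` off in `SETTINGS` leaves only the report actions, which is the "report only" configuration the text describes.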