ICSA, Inc.
For more information, call 888-396-8348 36
An Introduction to Intrusion Detection and Assessment
Developments in Other Security Product Lines Will Increase the Importance of Intrusion Detection
Encryption is growing in popularity, and products that include encryption features are becoming ubiquitous. As more organizations use these products to protect their data in transit over public networks, adversaries will adapt their attack strategies accordingly. The predictable outcome is that attacks will shift to the areas in which data is not encrypted: the internal network.
At the same time, corporate employment practices will continue to emphasize outsourcing, strategic partnerships with other organizations, and telecommuting. All of these typically involve remote access to the internal network, which extends the organization's security perimeter to areas that are not physically protected.
Intrusion detection systems are the only part of the IDS/firewall protection infrastructure with visibility into the traffic on the internal network; a perimeter firewall sees only the traffic that crosses it. Intrusion detection will therefore become even more important as security infrastructures evolve.
Capabilities for Intrusion Detection Products Are Improving
The capabilities of intrusion detection products are growing as new products enter the marketplace and existing vendors expand their offerings to accept additional sensor inputs, apply improved analysis techniques, and ship more extensive signature databases.
Government and military interest in Information Warfare, of which intrusion detection is a vital defensive component, has sharply increased funding for research, with no end in sight. This increased activity will yield a better understanding of the intrusion detection process and new features in future products. Plans are afoot to embed intrusion detection products as standard components of major governmental and financial networks.
Because intrusion detection remains an active research area, expect future products to implement new techniques for managing data and for detecting scenarios of interest. Also expect more products that operate at the application level and that interoperate with network management platforms. Finally, expect intrusion detection features to be integrated into a range of special-purpose devices, from bandwidth management products to black-box plug-ins for targeted environments.
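As an added example (not code from the ICSA paper or from any product it describes), the following Python script sketches the component chain that the glossary below names: a DATA SOURCE (here a constructed, syslog-style audit log), an AGENT/SENSOR that collects the raw lines and normalizes them into events, and an ANALYZER that applies a small signature database plus a threshold rule and emits ACTIVITY for the security administrator. The log lines, their layout and the regex that parses it, the signature set, and the failed-login threshold are all assumptions made for illustration.

```python
"""Minimal host-based intrusion detection pipeline (added illustration).

Shows the DATA SOURCE -> AGENT/SENSOR -> ANALYZER -> ACTIVITY chain on a
constructed audit log.  The log lines, their layout, the signature set and
the failed-login threshold are all assumptions made for this example.
"""
import re
from collections import Counter
from dataclasses import dataclass

# DATA SOURCE: constructed syslog-style audit log lines (not real data).
AUDIT_LOG = """\
Mar 12 08:00:01 host1 login: FAILED LOGIN 1 FROM 10.0.0.7 FOR root
Mar 12 08:00:03 host1 login: FAILED LOGIN 2 FROM 10.0.0.7 FOR root
Mar 12 08:00:05 host1 login: FAILED LOGIN 3 FROM 10.0.0.7 FOR root
Mar 12 08:00:07 host1 login: FAILED LOGIN 4 FROM 10.0.0.7 FOR root
Mar 12 08:01:10 host1 login: FAILED LOGIN 1 FROM 10.0.0.9 FOR alice
Mar 12 08:01:15 host1 login: LOGIN ON tty1 BY alice
Mar 12 08:02:30 host1 su: bob to root on /dev/pts/3
Mar 12 08:03:00 host1 cron: (root) CMD (/usr/sbin/logrotate)
"""

# Assumed line layout: "<timestamp> <host> <program>: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$"
)


@dataclass
class Event:
    ts: str
    host: str
    prog: str
    msg: str


def agent(raw_log: str) -> list[Event]:
    """AGENT / SENSOR: collect raw lines from the data source and normalise
    them into structured events; lines that do not parse are dropped."""
    events = []
    for line in raw_log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(**m.groupdict()))
    return events


# Signature database (assumed, illustrative): name -> pattern over the message.
SIGNATURES = {
    "su_to_root": re.compile(r"^\S+ to root on "),
}
FAILED_LOGIN_RE = re.compile(r"FAILED LOGIN \d+ FROM (?P<src>\S+) FOR (?P<user>\S+)")
FAILED_LOGIN_THRESHOLD = 3  # assumed: the third failure for one (source, user) pair fires


@dataclass
class Activity:
    kind: str       # what the analyzer identified
    severity: str   # "high" for a clear attack, "medium" for something worth a further look
    detail: str


def analyzer(events: list[Event]) -> list[Activity]:
    """ANALYZER: a signature match or a threshold rule turns events into ACTIVITY."""
    activity = []
    failures = Counter()  # (source, user) -> failed-login count so far
    for ev in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(ev.msg):
                activity.append(Activity(name, "medium", f"{ev.ts} {ev.host} {ev.prog}: {ev.msg}"))
        m = FAILED_LOGIN_RE.search(ev.msg)
        if m:
            key = (m["src"], m["user"])
            failures[key] += 1
            if failures[key] == FAILED_LOGIN_THRESHOLD:  # fire once, not on every later failure
                activity.append(Activity("brute_force_login", "high",
                                         f"{FAILED_LOGIN_THRESHOLD} failed logins from {key[0]} for {key[1]}"))
    return activity


def run(raw_log: str = AUDIT_LOG) -> list[Activity]:
    """Whole pipeline: data source -> agent -> analyzer -> activity."""
    return analyzer(agent(raw_log))


if __name__ == "__main__":
    for act in run():
        print(f"[{act.severity}] {act.kind}: {act.detail}")
```

On the constructed log the analyzer reports two items of activity: a high-severity brute-force alert when the third failed root login from 10.0.0.7 arrives (the fourth failure is counted but does not re-alert), and a medium-severity signature hit on the su-to-root line. The single failed login for alice stays below the threshold and is not reported, which is the trade-off any threshold rule makes between noise and missed low-and-slow attempts.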
GLOSSARY
ACTIVITY - Instantiations of the data source that are identified by the analyzer as being of interest to the security administrator. Examples include (but are not limited to) network sessions, user activity, and application events. Activity can range from extremely serious occurrences (such as an unequivocally malicious attack) to less serious occurrences (such as unusual user activity that is worth a further look).
AGENT - The ID component that periodically collects data from the data source, sometimes performing some analysis or organization of the data. Also known as SENSOR.
ANALYZER - The ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity, or for events that might be of interest to the security administrator.*
AUDIT LOG - The log of system events and activities generated by the operating system.
DATA SOURCE - The raw information that an intrusion detection system uses to detect unauthorized