ICSA, Inc. For more information, call 888-396-8348 36 An Introduction to Intrusion Detection and Assessment

Developments in Other Security Product Lines will Increase the Importance of Intrusion Detection

Encryption is growing in popularity and products including encryption features are becoming ubiquitous. As more organizations utilize these products to secure their data as it travels over public networks, adversaries will adapt their attack strategies to accommodate this. The predictable outcome is that attacks will shift to those areas in which data is not encrypted: the internal network.

At the same time, corporate employment practices will continue to focus on outsourcing, strategic partnerships with other organizations, and telecommuting. All of these typically involve remote access to the internal network, thereby expanding the security perimeter of the organization to areas not physically protected.

Intrusion detection systems are the only part of the IDS/Firewall protection infrastructure privy to the traffic on the internal network. Therefore, they will become even more important as security infrastructures evolve.

Capabilities for Intrusion Detection Products are Improving

The capabilities for intrusion detection are growing, as new products enter the marketplace, and existing organizations expand their product offerings to allow additional sensor inputs, improved analysis techniques, and more extensive signature databases.

Thanks to government and military interest in Information Warfare, of which Intrusion Detection is a vital defensive component, funding of research efforts has skyrocketed, with no end in sight. This increased activity will result in enhanced understanding of the intrusion detection process and new features in future products. Plans are afoot to embed intrusion detection products as standard components of major governmental and financial networks.

As intrusion detection remains an active research area, look for future products to implement new techniques for managing data and detecting scenarios of interest. Also look for additional products that function at application level and that interoperate with network management platforms. Finally, look for product features that are integrated into a bevy of special purpose devices, ranging from bandwidth management products to “black box” plug-ins for targeted environments.

GLOSSARY

ACTIVITY - Instantiations of the data source that are identified by the analyzer as being of interest to the security administrator. Examples of this include (but are not limited to) network sessions, user activity, and application events. Activity can range from extremely serious occurrences (such as an unequivocally malicious attack) to less serious occurrences (such as unusual user activity that’s worth a further look).

AGENT - The ID component that periodically collects data from the data source, sometimes performing some analysis or organization of the data. Also known as SENSOR.

ANALYZER - The ID component that analyzes the data collected by the sensor for signs of unauthorized or undesired activity or for events that might be of interest to the security administrator.*

AUDIT LOG - The log of system events and activities generated by the operating system.

DATA SOURCE - The raw information that an intrusion detection system uses to detect unauthorized