August 28, 1998
Intrusion Detection Pilot Program Guide
7
· Product acquisition: Provided by the vendor on CD-ROM or via web site following purchase
· Preparation of host(s): Based on product technical requirements, select and prepare the intrusion detection hosts, including any security hardening activities as recommended by the product vendor
· Notification: Affected parties, including network users and management, should be made aware that intrusion detection/misuse protection technology is being deployed. Corporate counsel and/or Human Resources may be consulted if monitoring activities are not already publicized as part of your overall security policy.
· Installation and Configuration: Install product components, along with any required license components or keys; configure as needed for your environment
· Customization: Develop and test templates and reports, select/activate filters and attack signatures, tune attack thresholds (e.g., SYN flood packets per second), set database parameters, and customize any other product attributes as appropriate for your environment
Operation
Once the product has been installed, configured, and customized, ongoing operations begin. These will include:
· Managing the health and well-being of the product and its host systems;
· Fine-tuning the system so that it adapts to the status of the network environment;
· Establishing a policy for incident response;
· Managing the data generated by the product;
· Generating, evaluating, and modifying reports on network security status for key security
decision makers;
· Assigning personnel to learn and use the system;
· Making the IDS Product a new part of your operational structure.
As is the case with any mission-critical application, the host systems' security, availability, data backup, and other day-to-day systems management functions should be carefully monitored.
Feedback
Intrusion detection products are dynamic, reflecting the dynamic nature of system and network vulnerabilities and threats. Reports should be used to continually monitor and improve your organization's security posture. On a tactical level, report output (and that of complementary products, such as vulnerability scanning tools) should be used to feed information back into product configuration and customization.
For example, if reports indicate that attacks are being targeted at certain critical hosts, the intrusion detection system should be adjusted to more closely monitor those host addresses (as well as increasing the security of the hosts themselves, of course!).
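The threshold tuning described under Customization and the feedback loop described here can be illustrated with a small per-host SYN-rate check. This is an added example, not code from the guide or from any vendor product; the log line format, the threshold values, and the host addresses are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample of packet log lines, one per packet:
#   "<epoch second> <source ip> -> <destination ip> <tcp flags>"
SAMPLE_LOG = """
1000 10.0.0.5 -> 192.168.1.10 S
1000 10.0.0.6 -> 192.168.1.10 S
1000 10.0.0.7 -> 192.168.1.10 S
1000 10.0.0.8 -> 192.168.1.10 S
1000 10.0.0.9 -> 192.168.1.10 S
1000 10.0.0.10 -> 192.168.1.10 S
1000 10.0.0.11 -> 192.168.1.10 S
1000 192.168.1.10 -> 10.0.0.5 SA
1000 10.0.0.5 -> 192.168.1.20 S
1000 10.0.0.6 -> 192.168.1.20 S
1001 10.0.0.5 -> 192.168.1.10 S
1001 10.0.0.6 -> 192.168.1.10 S
"""

# Site-wide default: alert when more than this many SYNs reach one host in one
# second. Assumed starting value for the example, not a vendor default.
DEFAULT_SYN_PER_SECOND = 50

def parse_line(line):
    """Return (second, src, dst, flags) for one log line."""
    second, src, _arrow, dst, flags = line.split()
    return int(second), src, dst, flags

def syn_flood_alerts(log_text, default_threshold=DEFAULT_SYN_PER_SECOND,
                     per_host_thresholds=None):
    """Count SYN-only packets per (second, destination host) and alert where
    the count exceeds that host's threshold. per_host_thresholds is how the
    operator tightens monitoring on hosts that reports single out."""
    per_host_thresholds = per_host_thresholds or {}
    counts = defaultdict(int)
    for line in log_text.strip().splitlines():
        second, _src, dst, flags = parse_line(line)
        if flags == "S":  # pure SYN: a new connection attempt, not a reply
            counts[(second, dst)] += 1
    alerts = []
    for (second, dst), n in sorted(counts.items()):
        threshold = per_host_thresholds.get(dst, default_threshold)
        if n > threshold:
            alerts.append({"second": second, "host": dst,
                           "syn_count": n, "threshold": threshold})
    return alerts

def tuned_alerts(critical_hosts, tightened_threshold=5):
    """Feedback step: re-run detection with a lower threshold on critical hosts."""
    thresholds = {host: tightened_threshold for host in critical_hosts}
    return syn_flood_alerts(SAMPLE_LOG, per_host_thresholds=thresholds)

if __name__ == "__main__":
    print("default tuning:", syn_flood_alerts(SAMPLE_LOG))
    print("after feedback:", tuned_alerts(["192.168.1.10"]))
```

With the site-wide default the seven SYNs per second against 192.168.1.10 go unreported; once that host is flagged as critical and its threshold lowered, the same log produces an alert.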