Intrusion Detection Pilot Program Guide
August 28, 1998

Phase 1 – Requirements Definition

Goal

The goal is to identify and enumerate your intrusion detection requirements so that there is a clear understanding of what the issues are and what is important before the evaluation begins. Requirements definition is important for two reasons:

1.   It provides the necessary “mapping” between your organization’s security and operational requirements and product capabilities. This will help you explain and support the business need for a product purchase.

2.   It allows you to better perform an “apples-to-apples” comparison across two or more products.

Suggested Duration

One work day.

Procedure

The following steps should be performed in order, possibly with vendor or consultant support:

Understand your environment. A clear understanding of your network architecture, including protocols, topologies, geographical distribution, and other aspects, is important for successful requirements definition. Network diagrams, map output from network management systems, and lists of critical hosts and their business functions are all helpful here.

Analyze your needs. Identify key points where intrusion detection might be essential or appropriate. This gives a sense of what you want to protect and where you see the threat coming from. Are you concerned with potential attacks via incoming Internet traffic? Is network misuse a high priority? Are there network resources, such as application servers, web servers, or routers, that need special protection or monitoring? Thinking about these questions will help you keep product features in their proper context.

List your expectations. What problems are you trying to solve? What negative occurrence are you trying to avoid? Can you afford to spend significant time understanding, implementing, and managing an intrusion detection product, or do you need it to be mostly “self-managing”? Do you have personnel limitations? How well must the product match the skill sets of your available personnel?

Establish criteria for measuring success or failure. Use the product requirements attached as a starting point. Add (or delete) items as they apply (or don't apply) to your environment.