August 28, 1998
Intrusion Detection Pilot Program Guide
Phase 1 Requirements Definition
Goal
The goal is to identify and enumerate your intrusion detection requirements so that there is a
clear understanding of what the issues are and what's important before the evaluation begins.
Requirements definition is important for two reasons:
1. It provides the necessary mapping between your organization's security and operational
requirements and product capabilities. This will help you explain and support the business
need for a product purchase.
2. It allows you to better perform an apples-to-apples comparison across two or more
products.
Suggested Duration
One work day.
Procedure
The following steps should be performed in order, possibly with vendor or consultant support:
Understand your environment.
A clear understanding of your network architecture, including protocols, topologies,
geographical distribution, and other aspects is important for successful requirements
definition. Network diagrams, map output from network management systems, and lists of
critical hosts and their business functions are all helpful here.
Analyze your needs.
Identify key points where intrusion detection might be essential or appropriate. This gives a
sense of what you want to protect and where you see the threat coming from. Are you
concerned with potential attacks via incoming Internet traffic? Is network misuse a high
priority? Are there network resources, such as application servers, web servers, or routers,
that need special protection or monitoring?
Thinking about these questions will help you keep product features in their proper context.
List your expectations.
What problems are you trying to solve? What negative occurrences are you trying to avoid?
Can you afford to spend significant time understanding, implementing, and managing an
intrusion detection product, or do you need it to be mostly self-managing? Do you have
personnel limitations? How well must the product match the skill sets of your available
personnel?
Establish criteria for measuring success or failure.
Use the product requirements attached as a starting point. Add (or delete) items as they
apply (or don't apply) to your environment.