The business of utilizing an IDS

The mounting level of threat, such as the emergence of zero-day exploits, and the limitations of preventative measures have created new challenges for organizations that wish to mitigate the effects of malicious attack. In meeting this challenge, organizations are presented with a relatively small number of possible actions that they can take. These are summarized in the panel opposite, which also looks at the pros and cons of each possible action.

None of these actions in isolation is likely to provide an ideal solution to the problem of how to mitigate the increased risk that organizations face. In many cases, they will find it necessary to take a more holistic approach and introduce a broad range of controls in order to ensure the information risk is adequately managed.

While the controls that organizations require might take many forms, they are always preventative, detective or reactive in nature.

Detective controls operate to reduce the impact of a security breach once it has occurred, or is in the process of occurring. To be effective, these controls need to help identify each breach promptly and accurately and give adequate additional information for any subsequent activity, such as incident response, that might be required.

Intrusion detection and intrusion detection systems (IDSs) provide this essential detective control capability. An effective intrusion detection capability enables attacks that have circumvented preventative measures to be detected promptly and then tackled.

IDSs, which continuously monitor networks and host systems, ensure that alerts are generated whenever a recognized breach occurs. Analysis of attacks based upon information from the IDS then enables appropriate and timely action to be taken to minimize the impact of the intrusion.

Understanding that intrusion detection is one of many different types of control required to manage information risk is crucial to understanding how it should be deployed. It complements existing preventative measures, such as intrusion prevention systems (IPSs), and enables effective incident response.

All three categories of control are necessary to reduce information risk associated with malicious attacks. In this context, the argument that is peddled by some industry analysts that IPSs will replace IDSs could be seen as premature and misguided.

Signs of successful implementations

While intrusion detection is not a new information security practice, it has until relatively recently received little attention and, as a result, there has been a dearth of good practice and guidance for organizations to draw on.

In a field of information security that is dominated by product vendors and techies, it is easy to be seduced by the allure of new and exciting tools and to forget why intrusion detection is really required. Where IDSs are portrayed as a simple, tool-based solution to the threat of hacking, it is also easy to be misled about what needs to be done to establish an effective capability.

In a recent project undertaken by the Information Security Forum (ISF), detailed research, case studies and interviews with some of the world's leading organizations have revealed that where intrusion detection implementations are successful, this is due more to the application of sound business practice than to the use of the latest tools and technology.

In summary, it found that successful implementations tend to meet a business need (for instance, reducing the impact of intrusions), focus on people rather than technology, and take a phased approach, rather than a big-bang implementation.

In truth, implementing an effective intrusion detection capability is a complex undertaking and there are no quick wins or easy technology solutions. A closer examination of the characteristics of successful implementations shows why organizations need to focus more on sound business practice and less on the technical aspects of intrusion detection technology if they wish to establish an effective capability.

Organizations that ensure the initiative is based upon meeting a valid business need are far more likely to build a successful business case and gain adequate funding and management support to implement a successful intrusion detection capability. This is particularly important in the case of intrusion detection, where there is a considerable temptation to rush through the procurement and installation of tools and technology that appear to offer a quick and easy fix to counter the apparent threat of cyber attack.

To fully qualify the need for intrusion detection, it is first necessary to identify the business drivers for introducing the capability. In many cases there is little or no historical information on the damaging impact of attacks, and the most common drivers for commencing an intrusion detection initiative are:

- the effects of a single damaging attack (where incidents such as web defacements or unauthorized access by external attackers have had a serious impact upon the organization);

- the introduction of new business applications (where the impact of a breach could be very damaging to the organization);

- the re-evaluation of existing information security measures deployed within the organization (where there is concern about the adequacy of existing controls to mitigate information risk).

Validate the need for IDS

After identifying the key business drivers for the initiative, the business risks of each host system to be covered should then be examined to validate the apparent need for intrusion detection. This task should concentrate on identifying:

- the business impact of a serious intrusion by conducting a business impact assessment;

- the threats and vulnerabilities that are applicable (supported where appropriate by incident data such as the current number of incidents and their impact);

- the control requirement for intrusion detection (as opposed to other possible ways of dealing with attacks).

Information from these analyses helps to determine whether or not a valid need exists, and is essential in helping to shape a coherent business case.

Where this is not performed and the implementation is based on a weak value proposition, then typically the deployed systems fall into disuse or are ineffective within 12 to 18 months.

A balanced approach

Analysis of information from both case studies and work groups undertaken as part of the ISF's project on intrusion detection has shown that there are four key elements that must be addressed to develop a successful capability:

- people – the personnel responsible for developing and operating the intrusion detection capability;

- policies and procedures – the directives and guidelines for running the intrusion detection capability;

- services – the facilities and capabilities provided by key third parties that are necessary to run an effective intrusion detection capability;

- technology – the tools and technology required to detect and analyze unauthorized activity.

These elements are summarized in the diagram above.

Finding the right people and establishing a high-quality project team and sound organizational structure are crucial to ensuring the success of intrusion detection initiatives.

Intrusion detection is a complex technical field characterized by technology that is immature and by procedures and practices that are evolving. Inherently, an intrusion detection capability requires technical expertise to design, develop and run effectively.

Clear policies and procedures are critical to ensure the smooth operation of the intrusion detection capability. An intrusion detection policy needs to specify information such as where events will be detected, what events will be detected, what event records will be retained and for how long.

Services are also important in intrusion detection. In most organizations, a variety of specialist services will be required to develop and maintain an effective intrusion detection capability. Services that might be required include day-to-day system operation (including alert management), system support, specialist security monitoring or specialist forensic analysis capabilities.

Technology is another component of intrusion detection. With the multitude of events that occur in most IT infrastructures, intrusion detection cannot realistically be performed without the use of technology to monitor and then identify any unauthorized activity.

The technology that is required to create an effective intrusion detection capability in a complex, geographically dispersed IT infrastructure can be significant and, in large organizations, it might involve the deployment of many hundreds of sensors with many management consoles and alerting mechanisms.

To establish an effective intrusion detection capability it is necessary to take a balanced approach and address all four of these elements. Organizations that fail to recognize this from the outset, or which take a technology-oriented approach to implementation, are more likely to deploy systems that cannot be relied upon within the operational infrastructure.

Phased implementation

Implementing an intrusion detection capability is a complex undertaking that requires many project risks to be managed. As well as the demands of managing cost, quality and time, some of the more notable risks that organizations have to deal with include:

- the complexity of implementation environments;

- the relative immaturity of intrusion detection technology;

- the scarcity of skilled intrusion detection specialists.

In an environment of high risk and high potential for failure, it is important to adopt a rigorous and structured approach that affords the best possible opportunity for management control. Successful organizations have achieved this by using a phased approach to implementation that is solidly based upon a well-understood system development process.

A phased approach builds incrementally on the phases that have already been undertaken, progressively extending the scale, the reach, or both, of the deployed solution.

In a phased approach, the first (pilot) phase, while meeting a valid business need, is also often used to examine the effectiveness of intrusion detection measures and to gain operational experience of the technology and working practices that make up the solution. Typically, this can be achieved using a relatively small deployment.

Based upon the outcome of the pilot phase, subsequent phases might or might not be initiated. The decision on whether to proceed with any phase depends on whether a coherent and plausible business case can be made for the proposed work. The main objective of the business case stage, therefore, is to ensure that each phase delivers capability that:

- meets a real requirement within the organization;

- is based on a sound technical solution;

- is cost effective, achievable and manageable;

- delivers clear benefits.

Organizations that fail to recognize the inherent risks in intrusion detection initiatives and treat implementations as little more than the installation of some neat tools often end up stumbling from issue to issue and seldom develop an effective capability in the required timescales.

In these circumstances, senior management might call into question the wisdom of pursuing an intrusion detection initiative in the first place.

Providing real benefits

Despite significant issues, intrusion detection capabilities can provide real benefits. Early adopters of intrusion detection technology that have managed to overcome its deployment and operational issues are able to testify to its value as an enabling technology, especially in areas such as e-commerce and collaborative commerce.

Determining whether an organization will benefit from the introduction of an intrusion detection capability is a business decision that is influenced by the level of risk that an organization is prepared to tolerate and the level of investment that is required to reduce it to acceptable levels.

However, the experience of many large organizations is that successful intrusion detection initiatives depend more upon sound business practice than the use of the latest intrusion detection technology.
