Firewall Wizards mailing list archives

Re: The value of detecting neutralized threats. (was RE: IDS blah blah)


From: Roger Nebel <roger () homecom com>
Date: Thu, 28 Jan 1999 18:05:54 -0500

John, (Marc, Jim, Dominique, David, others)

Well stated, start with policy which is derived from your business goals
(selling socks -- ok, it's silly, but it's not too silly ;), shipping
diamonds, producing wonder drugs, whatever) and work from there.  Of
course it's a bit more complicated than that -- you need to identify
your information assets and assess the residual risk they are exposed
to, etc., etc., -- but you get the point.  Collect data where you can,
compare it to your policy thresholds, and take action as appropriate. 
We've lately been thinking about the concept of "door knock effect
detection" which is really what you want the "IDS-like" things to
feed.  Gross signature checking and data capture at the outer layers and
correlation checking further in.  In my opinion, and I am often wrong,
Intrusion (as in breach) Detection is a poor choice of words to describe
the concept of listening for and recording the knocks on the door (and
thanks Dave LeBlanc for reminding us that logging those knocks can allow
us to learn about new threats) and may lead to misunderstanding (just
like the term DMZ already does), which hinders our mutual
understanding.  We, including many members of this list, advise people
to have a computer security incident response capability and how to do
it, but have trouble among ourselves stating succinctly just what this
darn IDS thing is that we insist they do.

From an audit perspective an "IDS-like" capability can be thought of as
a control and could then be evaluated for efficiency (is it economical?)
and effectiveness (does it measure the right thing?).  Your controls are
driven by the goals of the business and the policies you choose to
implement.  Your controls are tested and your security posture can be
described in a universally accepted language.  (www.isaca.org). 
Management typically decides to fund controls which are efficient,
effective, and *actionable* (with a tip of the hat to the countless IT
and audit folks that have helped coin that term over the years).  Where
you put the "IDS-like" control(s), and how it operates (what it
measures, how you react) would seem to be both controversial and
important.  

This has been one of the most thought-provoking, and civil, exchanges in
quite some time, especially the cross talk with the DMZ best practices
discussion, and deserves further exploration.  Clearly the language and
practice of IDS is evolving and still means many different things to
many different people.  

--roger
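The layered arrangement Roger sketches above (gross signature checking and data capture at the outer layer, correlation against policy thresholds further in, then an action) can be shown as a small piece of detection logic. The following is an added example written for this archive page, not code from the original thread or from any project mentioned in it; the log format, the signatures, the window and the threshold numbers are all assumptions, and the sample log lines are constructed.

```python
"""Two-stage "door knock" detection: an outer layer that only tags and
records denied connection attempts, and an inner layer that correlates
those knocks per source against policy thresholds.  Example code for this
page; log format, signatures and thresholds are constructed assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outer-layer firewall records (not real traffic).
SAMPLE_LOG = """\
1999-01-28T17:58:01 DENY tcp 10.9.8.7:40121 -> 192.0.2.10:23
1999-01-28T17:58:02 DENY tcp 10.9.8.7:40122 -> 192.0.2.10:21
1999-01-28T17:58:02 DENY tcp 10.9.8.7:40123 -> 192.0.2.10:25
1999-01-28T17:58:03 DENY tcp 10.9.8.7:40124 -> 192.0.2.10:80
1999-01-28T17:58:04 DENY tcp 10.9.8.7:40125 -> 192.0.2.10:110
1999-01-28T17:59:10 DENY tcp 198.51.100.5:51000 -> 192.0.2.10:23
1999-01-28T18:20:30 DENY tcp 198.51.100.5:51001 -> 192.0.2.10:23
1999-01-28T18:01:00 ACCEPT tcp 203.0.113.9:33000 -> 192.0.2.10:80
"""

# Assumed log line layout: "<iso-timestamp> <DENY|ACCEPT> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>DENY|ACCEPT) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Outer layer: gross signatures.  Any denied attempt is a "knock"; a couple of
# service ports get a more specific label so the inner layer can weigh them.
ADMIN_PORTS = {21: "ftp", 23: "telnet"}


def parse(line):
    """Parse one record; malformed lines are dropped rather than guessed at."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec


def outer_signature(rec):
    """Cheap per-record check at the outer layer: tag, never decide."""
    if rec["action"] != "DENY":
        return None
    return ADMIN_PORTS.get(rec["dport"], "knock")


# Inner layer: policy thresholds (assumed numbers) the correlation compares against.
POLICY = {
    "window": timedelta(minutes=5),
    "distinct_ports_alert": 4,   # many different doors tried in one window
    "admin_port_alert": 2,       # repeated tries at an administrative service
}


def correlate(lines, policy=POLICY):
    """Group knocks per source, slide a window over them, and return the
    action per source: "record" (just keep the data) or an "alert:..." verdict."""
    knocks = defaultdict(list)
    for line in lines.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        sig = outer_signature(rec)
        if sig is None:
            continue
        knocks[rec["src"]].append((rec["ts"], rec["dport"], sig))

    verdicts = {}
    for src, events in knocks.items():
        events.sort()
        verdict = "record"
        for i, (t0, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - t0 <= policy["window"]]
            ports = {dport for _, dport, _ in window}
            admin_tries = sum(1 for _, _, sig in window if sig != "knock")
            if len(ports) >= policy["distinct_ports_alert"]:
                verdict = "alert:port-sweep"
                break
            if admin_tries >= policy["admin_port_alert"]:
                verdict = "alert:admin-service"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in correlate(SAMPLE_LOG).items():
        print(src, verdict)
```

The split is the point: the outer stage is deliberately dumb and cheap so it can sit at the perimeter and record everything, while the thresholds that turn a recorded knock into an action live in the inner stage, where they can be adjusted to match policy without touching the capture. In the constructed sample, the first source trips the port-sweep threshold inside a single window, while the second source's two telnet attempts fall outside the window and are only recorded.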

John Kozubik wrote:

The points brought up by Dominique concerning plans of action (both
human and automated) in response to a positive alert from an elaborate
IDS are very valid.

The list he gave of contingencies, although not complete, is a very good
example of the points that should be covered by a business firm's
information security policy.

Your first step in providing consultation for a firm with very sensitive
data to protect is to coach them in the creation of human and automated
policies that will answer the types of questions that Dominique brought
up - who gets called, who responds to whom, what law enforcement is
contacted, what (if any) tasks are delegated to the ISP (if you have
one).

Then, this information should be reviewed by the legal counsel and the
CIO, and in some cases the board of directors and any insurance
adjustors that the company works with - due diligence is key in avoiding
problems down the road (such as shareholder lawsuits).

And yes, although the system can be built for around $10,000, you do
need (a) qualified operator(s).  $100,000 is probably the lowest range
you can find qualified IDS people for that can handle this sort of
advanced project.

As was said in an earlier post, you need to make an equation of threats
vs. value of data to determine if this is the right course of action.

kozubik - John Kozubik - john_kozubik () hotmail com
PGP DSS: 0EB8 4D07 D4D5 0C28 63FE  AD87 520F 57BE 850B E4C4



