Firewall Wizards mailing list archives
Re: The value of detecting neutralized threats. (was RE: IDS blah blah)
From: Roger Nebel <roger () homecom com>
Date: Thu, 28 Jan 1999 18:05:54 -0500
John (Marc, Jim, Dominique, David, others),

Well stated: start with policy, which is derived from your business goals (selling socks -- ok, it's silly, but it's not too silly ;), shipping diamonds, producing wonder drugs, whatever) and work from there. Of course it's a bit more complicated than that -- you need to identify your information assets and assess the residual risk they are exposed to, etc., etc. -- but you get the point. Collect data where you can, compare it to your policy thresholds, and take action as appropriate.

We've lately been thinking about the concept of "door knock effect detection", which is really what you want the "IDS-like" things to feed: gross signature checking and data capture at the outer layers, and correlation checking further in.

In my opinion, and I am often wrong, Intrusion (as in breach) Detection is a poor choice of words to describe the concept of listening for and recording the knocks on the door (and thanks Dave LeBlanc for reminding us that logging those knocks can allow us to learn about new threats) and may lead to misunderstanding (just like the term DMZ already does), which hinders our mutual understanding. We, including many members of this list, advise people to have a computer security incident response capability and how to do it, but have trouble among ourselves stating succinctly just what this darn IDS thing is that we insist they do.

From an audit perspective an "IDS-like" capability can be thought of as a control and could then be evaluated for efficiency (is it economical?) and effectiveness (does it measure the right thing?). Your controls are driven by the goals of the business and the policies you choose to implement. Your controls are tested and your security posture can be described in a universally accepted language (www.isaca.org). Management typically decides to fund controls which are efficient, effective, and *actionable* (with a tip of the hat to the countless IT and audit folks that have helped coin that term over the years). Where you put the "IDS-like" control(s), and how it operates (what it measures, how you react), would seem to be both controversial and important.

This has been one of the most thought-provoking, and civil, exchanges in quite some time, especially the cross-talk with the DMZ best practices discussion, and deserves further exploration. Clearly the language and practice of IDS is evolving and still means many different things to many different people.

--roger

John Kozubik wrote:

> The points brought up by Dominique concerning plans of action (both human and automated) in response to a positive alert from an elaborate IDS are very valid. The list he gave of contingencies, although not complete, is a very good example of the points that should be covered by a business firm's information security policy. Your first step in providing consultation for a firm with very sensitive data to protect is to coach them in the creation of human and automated policies that will answer the types of questions that Dominique brought up - who gets called, who responds to whom, what law enforcement is contacted, what (if any) tasks are delegated to the ISP (if you have one). Then, this information should be reviewed by the legal counsel and the CIO, and in some cases the board of directors and any insurance adjustors that the company works with - due diligence is key in avoiding problems down the road (such as shareholder lawsuits).
>
> And yes, although the system can be built for around $10,000, you do need (a) qualified operator(s). $100,000 is probably the lowest range you can find qualified IDS people for that can handle this sort of advanced project. As was said in an earlier post, you need to make an equation of threats vs. value of data to determine if this is the right course of action.
>
> kozubik - John Kozubik - john_kozubik () hotmail com
> PGP DSS: 0EB8 4D07 D4D5 0C28 63FE AD87 520F 57BE 850B E4C4
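The two-layer "door knock" idea Roger sketches above (gross signature checking and data capture at the outer layer, correlation against policy thresholds further in, then an action the policy has already decided on) can be made concrete. The following is an added illustration written for this archive page; it is not code from Roger Nebel, John Kozubik, or anyone else in the thread. The deny-log format, the watched port list, the sample records and the threshold values are all constructed assumptions; a real site derives its thresholds and its response plan (who gets called, who responds to whom) from its own policy, exactly as the posts argue.

```python
"""Door-knock detection in two layers: a gross signature check at the
outer layer, then correlation against policy thresholds further in.
Constructed example; log format, port list and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of outer-layer (border firewall) deny records.
# The format is hypothetical: "<ISO time> DENY src=<ip> dport=<port>".
SAMPLE_LOG = """\
2024-05-01T10:00:01 DENY src=203.0.113.7 dport=23
2024-05-01T10:00:03 DENY src=203.0.113.7 dport=445
2024-05-01T10:00:05 DENY src=203.0.113.7 dport=1433
2024-05-01T10:00:07 DENY src=203.0.113.7 dport=3389
2024-05-01T10:00:09 DENY src=203.0.113.7 dport=22
2024-05-01T10:01:00 DENY src=198.51.100.9 dport=80
2024-05-01T10:30:00 DENY src=198.51.100.9 dport=80
2024-05-01T10:02:00 DENY src=192.0.2.44 dport=445
2024-05-01T10:02:30 DENY src=192.0.2.44 dport=445
2024-05-01T10:03:00 DENY src=192.0.2.44 dport=445
"""

# Policy thresholds (assumed values standing in for a site's own policy).
POLICY = {
    "window": timedelta(minutes=10),   # correlation window per source
    "knocks_notify": 3,                # knocks in a window -> notify on-call
    "ports_escalate": 4,               # distinct ports in a window -> escalate
}

# Outer-layer "gross signature": ports whose probing is noteworthy by itself
# (assumed list).
WATCHED_PORTS = {23, 135, 139, 445, 1433, 3389}


def parse_line(line):
    """Turn one deny record into a dict; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "DENY":
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    try:
        return {
            "time": datetime.fromisoformat(parts[0]),
            "src": fields["src"],
            "dport": int(fields["dport"]),
        }
    except (KeyError, ValueError):
        return None


def outer_layer(log_text):
    """Outer layer: record every deny as a knock and tag the ones matching
    the gross signature. Nothing is decided here; it is data for the next layer."""
    knocks = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ev["signature"] = ev["dport"] in WATCHED_PORTS
        knocks.append(ev)
    return knocks


def correlate(knocks, policy=POLICY):
    """Inner layer: per-source sliding window compared to policy thresholds.
    Returns {src: {"knocks": n, "ports": m, "signature": bool, "action": str}},
    where action is the strongest threshold crossed in any window."""
    by_src = defaultdict(list)
    for ev in knocks:
        by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        best = {"knocks": 0, "ports": 0}
        for i, start in enumerate(evs):
            window = [e for e in evs[i:]
                      if e["time"] - start["time"] <= policy["window"]]
            best["knocks"] = max(best["knocks"], len(window))
            best["ports"] = max(best["ports"], len({e["dport"] for e in window}))
        if best["ports"] >= policy["ports_escalate"]:
            action = "escalate"     # policy says: page the responder
        elif best["knocks"] >= policy["knocks_notify"]:
            action = "notify"       # policy says: mail the on-call queue
        else:
            action = "log"          # keep the knock; it may teach us later
        report[src] = {**best,
                       "signature": any(e["signature"] for e in evs),
                       "action": action}
    return report


if __name__ == "__main__":
    for src, r in correlate(outer_layer(SAMPLE_LOG)).items():
        print(f"{src:15} knocks={r['knocks']} ports={r['ports']} "
              f"signature={r['signature']} action={r['action']}")
```

The split matters for the audit view Roger raises: the outer layer is cheap and measures one thing (was there a knock, did it match a signature), the inner layer is where the control is judged effective or not, and the action labels are placeholders for whatever the incident response policy already says. Even the "log" outcome is retained, which is the point Dave LeBlanc is credited with: knocks that trip no threshold today are how new threats get noticed tomorrow.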