Prevent, Detect and Respond: Detection Systems
The Internet threat environment is critical—there are 30 to 40 new attacks posted to Web sites each month. Intrusion detection systems (IDS) are designed to prevent attacks on an enterprise infrastructure. There are three types of attacks commonly reported by an IDS:
- System scanning
- Denial of Service (DoS)
- System penetration
These attacks may be launched locally, on the attacked machine, or remotely, using a network to reach the target. Security professionals must understand these types of attacks and how to use an IDS effectively to make an enterprise more secure. These attacks can yield information to the attacker, or disrupt the target, including:
- Topology of the target network.
- Types of network traffic allowed through a firewall.
- Active hosts on the network.
- Operating systems those hosts are running.
- Server software the hosts are running.
- List of hosts (IP addresses).
- Slowing or shutting down critical systems or segments.
In any enterprise, the key to perimeter security is to prevent, detect and respond to attacks. These capabilities are critical for an entity’s perimeter defense. This requires the development of procedures and the deployment of technologies for incident detection and response. Security incident procedures are formal documented instructions for reporting security breaches that include implementation features for report procedures and response procedures.
Security incident report procedures are formal mechanisms employed to document security incidents. Security incident response procedures are documented formal rules or instructions for actions to be taken as a result of the receipt of a security incident report.
The security incident procedures are formal, documented instructions for reporting security breaches so that security violations are reported and handled promptly.
Acquiring effective tools will offer little risk mitigation without a correspondingly effective incident response plan. Using intrusion detection platforms without goals and a plan may involve as much overall corporate risk as not having them at all. Too many false positives—each igniting an uncoordinated and unbridled response—can result in non-trivial expenses and waste of human resources. Too many false negatives, and the corporation may host an inappropriate level of confidence in its technical infrastructure and staff performance and, sooner or later, suffer a damaging attack. Efficiently responding to each security incident will generally save an entity time, money and possibly even its reputation.
The incident response plan establishes procedures to address attacks on the entity’s IT infrastructure. The incident response procedures must enable security personnel to identify, mitigate and recover from malicious computer incidents.
The incident response plan needs a policy foundation, and then a sufficiently detailed task list and decision tree. This plan need not be comprehensive at the outset. Required contents include:
- Who to inform (names and full contact information).
- When to inform each of them (often keyed to an estimate of the time that the incident began).
- When to get law enforcement personnel involved.
- How to handle evidence and what to keep.
After building a lean framework, focus on evolving the incident response plan over time. The list above is only an essential beginning—it does not represent a mature incident response plan.
One of the maxims of security is, “Prevention is ideal, but detection is a must.” As long as you allow traffic to flow between the enterprise network and the Internet, the opportunity for an attacker to sneak in and penetrate the network is there. New vulnerabilities are discovered every week, and there are very few ways to defend yourself against an attacker using a new vulnerability.
Once you are attacked, without logs from an intrusion detection system and a firewall, you have little chance of discovering what the attackers did. Without that knowledge, your organization must choose between completely reloading the operating system from original media and then hoping the data backups were intact, or accepting the risk that you are running a system that a hacker still controls.
You cannot detect an attack if you do not know what is occurring on your network. Firewall systems and intrusion detection technology are vital, required components of enterprise perimeter security today.
Note: The key objective here is to adopt and implement procedures for timely reporting of breaches of security.
Types of IDS
There are primarily two types of IDS solutions. They are:
- Network-based IDS
- Host-based IDS
The majority of commercial IDS solutions are network-based. These detect attacks by capturing and analyzing network packets. Listening on a network segment or switch, one network-based IDS can monitor the traffic of every host connected to that segment, thus protecting those hosts. Network-based intrusion detection systems can monitor a large network. Consider designing a solution that deploys network-based IDS on critical subnets.
Host-based IDS solutions operate on information collected within a single computer system. A host-based IDS can determine exactly which processes and users are involved in an attack. A host-based IDS can see the outcome of an attempted attack. This type of IDS should be installed on critical server systems in the enterprise.
We strongly recommend the deployment of an intrusion detection product on the enterprise network. Examples of such products/solutions include:
- Internet Security Systems’ (ISS) Internet Scanner
- Snort (public domain)
The Internet Scanner application, an integrated part of Internet Security Systems’ security management platform, provides comprehensive network vulnerability assessment for measuring online security risks. Internet Scanner performs scheduled and selective probes of communication services, operating systems, applications and routers to uncover and report vulnerabilities. These are essential components for securing any health-care entity. In addition to providing flexible risk management reports, Internet Scanner prepares remediation advice, trend analyses and comprehensive data sets to support sound, knowledge-based policy enforcement.
The strength of Snort as an IDS solution is the ability to create and use rule sets. Snort.org has a forum where rules can be found and discussed. To take Snort further, a GUI front end called IDScenter can be deployed. Snort is one example of an option for an enterprise to consider. The advantage, obviously, is cost; the disadvantage is support.
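To make the two ideas above concrete, the network-based detection of system scanning (the first attack class listed earlier) and the Snort-style signature rules just described, here is an added example that is not part of the article or of Snort itself. It is a miniature network-based IDS: `Rule` is a simplified stand-in for a Snort rule (protocol, destination port, payload content), and the packets, addresses and rule text are all constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Packet:          # one captured packet, as a network-based IDS sees it
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Rule:            # simplified Snort-style signature (hypothetical format)
    msg: str
    proto: str
    dport: int
    content: bytes


def match_rules(pkt, rules):
    """Return the message of every signature rule this packet matches."""
    return [r.msg for r in rules
            if pkt.proto == r.proto and pkt.dport == r.dport and r.content in pkt.payload]


def detect_port_scans(packets, threshold=10, window=5.0):
    """Flag (src, dst) pairs where one source touches more than `threshold`
    distinct ports on one host within `window` seconds: system scanning."""
    history = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    alerts = set()
    for p in sorted(packets, key=lambda x: x.ts):
        hist = history[(p.src, p.dst)]
        hist.append((p.ts, p.dport))
        hist[:] = [(t, d) for t, d in hist if p.ts - t <= window]   # slide window
        if len({d for _, d in hist}) > threshold:
            alerts.add((p.src, p.dst))
    return alerts


RULES = [Rule("WEB-MISC /etc/passwd access attempt", "tcp", 80, b"/etc/passwd")]


def build_sample_traffic():
    """Constructed traffic: a 15-port scan, one matching web request, one benign."""
    scan = [Packet(1.0 + i * 0.1, "tcp", "10.0.0.5", 40000 + i, "192.168.1.10", port)
            for i, port in enumerate(range(20, 35))]
    probe = Packet(3.0, "tcp", "10.0.0.7", 51000, "192.168.1.20", 80,
                   b"GET /../../etc/passwd HTTP/1.0\r\n")
    normal = Packet(4.0, "tcp", "10.0.0.9", 52000, "192.168.1.20", 80,
                    b"GET /index.html HTTP/1.0\r\n")
    return scan + [probe, normal]


def run_ids(packets, rules=RULES):
    """Return (signature alerts as (src, msg) pairs, scan alerts as (src, dst) pairs)."""
    signature_alerts = [(p.src, m) for p in packets for m in match_rules(p, rules)]
    return signature_alerts, detect_port_scans(packets)
```

The scan threshold and window are the knobs that trade false positives against false negatives, the same balance the incident response discussion above warns about.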
IDS components, such as agents, deployed inside the enterprise network backbone can be vital in detecting unauthorized activity by authorized users within the organization’s security perimeter. Each organization needs to integrate IDS as a necessary addition to the security infrastructure. Security professionals must acquire knowledge and skills to effectively deploy and manage IDS solutions. IDS deployment requires very careful planning, preparation, prototyping, testing and specialized training.
Uday O. Ali Pabrai, CEO of ecfirst.com, created the CIW program and is the co-creator of the Security Certified Program (www.securitycertified.net). Pabrai is also vice-chair of CompTIA’s Security+ and i-Net+ programs and recently launched the HIPAA Academy. E-mail him at firstname.lastname@example.org.