Intrusion detection in the age of compliance


September 16 2007

While intrusion detection technologies are clearly not a "hot new thing" anymore, they are still the subject of active industry debate. Since the infamous "IDS is Dead" piece was published by Gartner in 2003, the discussion about IDS relevance to today's world of commercial malware and web exploits rages on. Further, the IDS relationship to newer technologies such as intrusion prevention systems (IPS) and network-behavior anomaly detection (NBA) systems is also commonly discussed in the security community.

At the same time, everybody who is even slightly involved with security knows that prevention technologies will fail at some point. It's necessary to have an additional layer to detect the consequences of a breach. Similarly, few question the need for comprehensive network monitoring aimed at increasing control over what should be "your" network, but is sometimes "owned" by the attackers as well.

No matter what technologies become fashionable, the need for intrusion detection is constant. Whether you choose to implement an intrusion detection technology is less important than having a process that enables you to know what is going on and to detect intrusions. Thus, enlightened companies will consider even their end users to be, metaphorically speaking, a kind of IDS, since users will sometimes serve as indicators of suspicious behavior. (On the opposite end of the spectrum are those less enlightened companies who will choose to go with "CNN is our IDS," and will only learn that their network was compromised when it shows up in the media. Don't be those guys.)

It's interesting to note that intrusion detection technologies are actually mandated by a few regulations. Organizations under such mandates should look at deploying such technologies independently of industry debate over the finer mechanical points. In my last two articles on incident management and log management, I described the way in which FISMA, HIPAA, and PCI-DSS affect incident response procedures and log management processes. It should come as no surprise, then, that these same regulations mandate intrusion detection capabilities.

To demonstrate the complexity of intrusion detection and prevention and the need for a multifaceted approach to the issue, note the common themes that run through these regulations: that intrusion detection mechanisms not only be in place, but that these systems also must be kept up to date and monitored for signals and alerts.

Federal Information Security Management Act of 2002 (FISMA)
NIST SP 800-53 lists a variety of security controls (including intrusion detection controls) that need to be in place to protect a Federal information system. "Intrusion detection controls" simply means that tools and techniques are used to monitor for and detect unauthorized information system activity and/or attacks, without specifying any particular method of doing so.

More specifically, 800-53 calls for an organization to:

Once these tools are in place, they (and all security controls) must be monitored continuously for unusual, unauthorized or illegal activities. In addition to observing outbound communications that might point to the presence of malicious code, spyware, adware, malware or the like, monitoring activities include ongoing assessment of security controls, status reporting, configuration management and control of information system components, and security impact analyses of system changes. Clearly one can deploy a wide range of technologies (IDS, IPS, NBA or others) to accommodate this requirement.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA requires that organizations detect and prevent reasonably foreseeable threats from malicious or criminal acts, system failures, and/or employee errors (among other sources). NIST SP 800-66 outlines the way in which intrusion detection functionality (an implied "technical safeguard") can protect against these threats. Appendix A of 800-66 provides a list of intrusion-detection-related questions that an organization should use to assess its intrusion detection policy:

The above implies that some kind of intrusion detection tool needs to be in use as per HIPAA, but again, no specific technology is recommended.

Payment Card Industry Data Security Standard (PCI-DSS)
Requirement 11 of PCI-DSS ("Regularly Test Security Systems and Processes") mandates, in section 11.4, that an organization use and maintain network intrusion detection systems, host-based intrusion detection systems, and intrusion prevention systems in order to monitor network traffic and alert employees to potential breaches. It doesn't get much more clearly stated than that.

Further, Requirement 12 ("Maintain a Policy that Addresses Information Security for Employees and Contractors") mandates, in section 12.9.5, that incident response plans include alerts from intrusion detection and intrusion prevention systems (as well as file integrity monitoring systems). This implies the importance of monitoring the intrusion-related security systems, which is also called for in Requirement 10 ("Track and Monitor All Access to Network Resources and Cardholder Data"), whose section 10.6 mandates reviewing logs for all system components (including those that perform intrusion detection functions) daily, if not more frequently.

In the case of PCI, the level of useful detail is certainly higher; PCI DSS is pretty unambiguous that host and network IDS and IPS need to be deployed and updated to satisfy the requirements, and that their logs need to be monitored and reviewed.

The aforementioned regulations imply that an organization needs to "do intrusion detection," but the amount of detail is usually not sufficient to make a technology choice. Still, the common theme is the need to deploy some technology for intrusion detection, keep it updated and monitor the logs that it produces. They also highlight that while technology fashions and regulations change, the need to maintain awareness of your environment and detect intrusions never "goes out of style."

Reproduced from an article published by Computerworld Inc
© Computerworld Inc

The original article can be viewed here:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&art...
