Re: Intrusion Detection

From: emaiwaldat_private
Date: Thu Apr 16 1998 - 11:41:19 PDT


    Marcus wrote:
    <snip>
    > 	I believe that the best way to do that is to be able to
    > clearly define what should and should not happen, as a
    > precondition to installing the IDS. An IDS that isn't "tuned"
    > right is going to be a nuisance or a doorstop. My previous mail
    > was not intended to be a slap at misuse detection "network grep"
    > IDS'! After all, I build a product that can do that kind of thing
    > very well. I just want to see people get the best results possible
    > out of them. And the best way to do that is to be very cognizant
    > of the environment into which they are installed, and its operating
    > principles ("policy").
    
    I think I finally figured out why this discussion did not make
    sense to me.  The above paragraph I take as a given.  If anyone
    thinks that they can take an IDS, Firewall, or any other piece of
    security software/hardware/whatever and slap it into their 
    environment and expect to get useful information from it, they
    are deluding themselves. 
    
    I know that there are companies out there that buy firewalls, install
    them and then call the vendor to complain about the attacks coming
    through, but I thought that the security industry (us) had come to
    realize that there is more to it.  There is a process that must
    be followed when we do security:
    
    	assess<---
    	policy   |
    	implement|
    	train    |
    	audit ----
    
    We need to assess the RISK to the business, develop a policy that
    makes sense (i.e. it lets us get the job done), implement the
    policy through configurations, new SW/HW, processes, etc., train
    the users and the technical staff, then audit to make sure we
    are doing what we said we must do.
    
    Someone else mentioned that policy cannot be absolutely rigid; this
    is absolutely true.  Whenever I help clients create a policy, I
    advise them to include a waiver process in the policy.  I do
    this for two reasons:  1 - When business needs conflict with security,
    security always loses, and 2 - this forces the company to examine
    the risks involved in noncompliance.
    
    My point in all of this is that there is no silver bullet in
    security.  We cannot buy anything that guarantees protection.  We
    have to do this from a Risk reduction standpoint.  IDS, in whatever
    form, is part of it.
    
    Sorry for being long winded.
    
    Eric
      
    
    -- 
    ---------------------------------------------------------------------
    Eric Maiwald, CISSP                                 emaiwaldat_private
    Director Security Services                               301-977-6966
    Fortrex Technologies, Inc.                          North Potomac, MD
    ---------------------------------------------------------------------
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:12 PDT