84-10-28 DATA SECURITY MANAGEMENT INTRUSION DETECTION: HOW TO UTILIZE A STILL IMMATURE TECHNOLOGY Eugene Schultz and Eugene Spafford INSIDE What Is Intrusion Detection? Why Use Intrusion Detection? How IDSs Work; Approaches to Intrusion Detection; Advantages and Limitations of Intrusion Detection Technology; Assessing Intrusion Detection Requirements; Developing an Intrusion Detection Architecture INTRODUCTION Defending one’s systems and networks is an arduous task indeed. The explosive growth of the Internet, combined with the ever-expanding nature of networks in and of itself, makes simply keeping track of change nearly an overwhelming challenge. Add the task of implementing proper security-related controls and the problem becomes of far greater magnitude than even the most visionary experts could have predicted 20 years ago. Although victories here and there in the war against cybercriminals occur, reality echos the irrefutable truth that “cyberspace” is simply too big a territory to adequately defend. Worse yet, security-related controls PAYOFF IDEA that work today will in all likelihood If your organization does not currently use intrufail tomorrow as the perpetrator sion detection technology, it is badly behind the community develops new ways to intrusion detection “power curve.” Furthermore, an organization that buys, then rolls out, a new defeat these controls. As well, the IDS product is by no means ready to reap the bencontinuing rush to market software efits immediately. A definite, steep learning curve with more new features is resulting for using intrusion detection technology exists. in poorly designed and poorly tested Even if you start deploying this technology now, it takes time to assimilate the mentality of intrusion software being deployed in critical detection and the technology associated with it situations. Thus, the usual installainto an organization’s culture. It is important, tion is based on poorly designed, therefore, to become familiar with and start using buggy software that is being used in this technology as soon as possible to avoid fallways unanticipated by the original ing behind even further. The alternative is to continue to function as the proverbial ostrich with its designers, and that is under continuhead beneath the sand. ing attack from all over. 10/99 Auerbach Publications © 1999 CRC Press LLC Schultz and Wack1 have argued that InfoSec professionals need to avoid relying on an approach that is overly reliant on security-related controls. Determining from a cost-benefit perspective the controls that most effectively reduce risk, then implementing and maintaining those controls is an essential part of the risk management process. Investing all of one’s resources in controls is, however, not wise because this strategy does not leave resources for detecting and responding to the security-related incidents that invariably occur. The so-called “fortress mentality” (implementing security barrier after security barrier but doing nothing else) in the InfoSec arena does not work any better than did castles in the United Kingdom when Oliver Cromwell’s armies aimed their cannons at them. It is far better to employ a layered, defense-in-depth strategy that includes protection, monitoring, and response.2,3 Merely accepting the viewpoint that it is important to achieve some degree of balance between deploying controls and responding to incidents that occur, unfortunately, does little to improve the effectiveness of an organization’s InfoSec practice. An inherent danger in the incident response arena is the implicit assumption that if no incidents surface, all is well. Superficially, this assumption seems logical. Studies by the U.S. Defense Information Systems Agency (DISA) in 1993 and again in 1997, however, provide statistics that prove it is badly flawed. Van Wyk4 found that of nearly 8800 intrusions into Department of Defense systems by a DISA tiger team, only about one in six was detected. Of the detected intrusions, approximately only 4 percent were reported to someone in the chain of command. This meant that of all successful attacks, less than 1 percent were both noticed and reported. A similar study by the same agency three years later produced nearly identical results. One could perhaps argue that perhaps many Department of Defense personnel do not possess as high a level of technical knowledge as do their counterparts in industry because industry (with its traditionally higher salaries) can attract top technical personnel who might more readily be able to recognize the symptoms of attacks. In industry, therefore, according to this line of reasoning, it would be much more likely that some technical “guru” would notice intrusions that occurred. This reasoning is at best only partially true, however, in that in the DISA studies little attempt was made to cover up the intrusions in the first place. In what might be called “more typical” intrusions, in contrast, attackers typically devote a large portion of their efforts to masquerade the activity they have initiated to avoid being noticed. This is further supported by the latest CSI/FBI survey5 that indicated that many firms are unable to determine the number or nature of intrusions and losses to their enterprise from IT system attacks, but that losses and number of incidents are continuing to increase. The main point here is that effective incident response is important and necessary, but it hardly does any good if people do not notice incidents that occur in the first place. Human efforts to notice incidents, as © 1999 CRC Press LLC 10/99 good as they may be, are in many if not most operational settings inadequate. InfoSec professionals often need something more: an automated capability that enables them to be able to discover incidents that are attempted or actually succeed. The solution is intrusion detection. This article covers the topic of intrusion detection, covering what it is, the types of requirements that apply to intrusion detection systems (ISDs), and ways that intrusion detection systems can be deployed. WHAT IS INTRUSION DETECTION? Intrusion detection refers to the process of discovering unauthorized use of computers and networks through the use of software designed for this purpose. Intrusion detection software in effect serves a vigilance function. An effective intrusion detection system both discovers and reports unauthorized activity, such as log-on attempts by someone who is not the legitimate user or an account, and unauthorized transfer of files to another system. Intrusion detection can also serve a role of helping to document the (attempt at) misuse so as to provide data for strengthening defenses, or for investigation and prosecution after the fact. Intrusion detection is misnamed. As a field, it originally started as a form of misuse detection for mainframe systems. The original idea behind automated intrusion detection systems is often credited to James P. Anderson for his 1980 paper on how to use accounting audit files to detect inappropriate use. Over time, systems have become more connected via networks; attention has shifted to penetration of systems by “outsiders,” thus including detection of “intrusion” as a goal. This discussion will use the common meaning of “intrusion detection” to include detection of both outsider misuse and insider misuse; users of ID systems should likewise keep in mind that insider misuse must also be detected. Why Utilize Intrusion Detection? One possible approach to intrusion detection would be to deploy thousands of specially trained personnel to continuously monitor systems and networks. This approach would in almost every setting be impossible to implement because it would be impractical. Few organizations would be willing to invest the necessary level of resources and the time required to train each “monitor” to obtain the needed level of technical expertise. Running one or more automated programs designed to effectively do the same thing, but without the involvement of thousands of people, is a more logical approach, provided of course that the program yields acceptable results in detecting unauthorized activity. Additionally, although many people with high levels of technical expertise could be deployed in such a monitoring role, it may not be desirable to do so from another perspective. Even the most elite among the experts might miss certain types of unauthorized actions given the typically gargantuan volume of activity that occurs within today’s systems © 1999 CRC Press LLC 10/99 and networks. A suitable intrusion detection program could thus uncover activity that experts miss. Detection per se is not, however, the only purpose of intrusion detection. Another very important reason to use IDSs is that they often provide a reporting capability. Again, the worst-case scenario would be relying on a substantial number of human beings to gather intrusion data when each person uses a different format to record the data in addition to terms and descriptions that are ambiguous to everyone but that person. Trying to combine each observer’s data and descriptions to derive patterns and trends would be virtually impossible; making sense out of any one observer’s data would at a minimum be very challenging. An effective intrusion detection system provides a reporting capability that not only produces human friendly information displays but also interfaces with a central database or other capability that allows efficient storage, retrieval, and analysis of data. How IDSs Work IDSs work in a large variety of ways related to the type of data they capture, as well as the types of analysis they perform. At the most elementary level, a program that runs on one or more machines receives audit log data from that machine. The program combs through each entry in the audit logs for signs of unauthorized activity. This type of program is part of a host or system-based IDS. At the other extreme, an IDS can be distributed in nature.6 Software (normally referred to as agent software) resides in one or more systems connected to a network. Manager software in one particular server receives data from the agents it knows about and analyzes the data.7 This second approach characterizes a network-based IDS (see Exhibit 1). Intrusion Detection Capability for Analysis Note that if the data that each agent sends to the manager has not been tampered with, the level of analysis possible is more powerful than with host or system-based IDSs for several reasons: 1. Although a host-based IDS may not be dependent on audit data (if it has its own data capturing service independent of auditing), audit and other types of data produced within single systems are very subject to tampering or deletion. An attacker who disables auditing or an intrusion data collection service on a given machine effectively disables that IDS that runs on that machine. This is not true, however, in the case of a network-based IDS, which can gather data not only from individual machines but also from passive devices (e.g., protocol analyzers) and other, more difficult to defeat machines such as © 1999 CRC Press LLC 10/99 EXHIBIT 1 — A Depolyment of an IDS in Which Agent Software Running on Hosts Sends Data to a Central Network firewalls. In other words, network-based IDSs are not as dependent on data from individual systems. 2. Network-based IDSs, furthermore, can utilize data that are not available in system-based IDSs.8 Consider, for example, an attacker who logs on to one system as user “BROWN,” then logs on to another system on the same network as “SMITH.” The manager software can assign a net ID to each user, thus enabling it to know that the user who has a log-on shell in both systems is the same user. This IDS can then generate an alarm based on the fact that the user in this example has logged on to different accounts with different names. This level of analysis is not possible if an IDS does not have data from multiple machines on the net. A third form of IDS, currently quite popular, involves one or more systems that observe network traffic (usually at a border location, such as near a firewall), and scan for packet traffic that indicates misbehavior. These “network intrusion detection systems” are easy to deploy to protect an enterprise from attack from the outside, but they have the drawback of missing internal behavior that may also be of interest. APPROACHES TO INTRUSION DETECTION Not only do different implementations of IDSs work using fundamentally different kinds of data and analysis methods, but they also differ in the types of approaches to intrusion detection that have been incorporated © 1999 CRC Press LLC 10/99 into their design. The correct question here is not, “do you want to deploy an intrusion detection system (IDS)?, but rather, “which type of IDS do you want to deploy?” The following are the major types of IDSs. Anomaly Detection Systems Anomaly detection systems are designed to discover anomalous behavior; that is, behavior that is unexpected and abnormal. At the most elementary level, anomaly detection systems look for use of a computer system during a time of the day or night in which the legitimate user hardly if ever uses the computer. Statistical profiles indicating percentiles of measurable behavior and what falls within one standard deviation of the norm, two standard deviations, etc., are often the basis for determining whether or not a given user action is anomalous. At a more sophisticated level, one might profile variables and processes such as types of usage by each specific user. One user, for example, might access a server mostly to read e-mail, another might balance usage time between e-mail and using spreadsheet-based applications, and a third might mostly write and compile programs. If the first user suddenly starts compiling programs, an anomaly detection system should flag this type of activity as suspicious. Misuse Detection Systems The main focus of misuse detection systems is on symptoms of misuse by authorized users. These symptoms include unauthorized log-ons or bad log-on attempts to systems, in addition to abuse of services (e.g., Web-based services, file system mounts, etc.) in which users do not need to authenticate themselves. In the latter case, therefore, good misuse detection systems will identify specific patterns (called signatures) of anomalous actions. If an anonymous FTP user, for example, repeatedly enters cd …, cd …, cd … from a command line, there is a good chance that the user is attempting a “dotdot” attack to reach a higher level directory than FTP access is supposed to allow. It is very unlikely that a legitimate user would repeatedly enter these keystrokes. Target Monitoring Systems Target monitoring systems represent a somewhat radical departure from the previously discussed systems in that target monitoring systems do not attempt to discover anomalies or misuse. Instead, they report whether certain target objects have been changed; if so, an attack may have occurred. In UNIX systems, for example, attackers often change the /sbin/login program (to cause a pseudo-login to occur in which the password of a user attempting to log in is captured and stored in a hidden file) or the /etc/passwd file (which holds names of users, privilege levels, © 1999 CRC Press LLC 10/99 etc.). In Windows NT systems, someone may change .DLL (dynamically linked library) files to alter system behavior. Most target monitoring systems use a cryptographic algorithm to compute a cryptochecksum for each target file. Then, if the cryptochecksum is calculated later in time and the new cryptochecksum is different from the previous one, the IDS will report the change. Although this type of IDS superficially does not seem as sophisticated as the previous ones, it has several advantages over anomaly and misuse detection systems, including: 1. When intruders break into systems, they frequently make changes (sometimes accidentally, sometimes on purpose). Changed files, executables that are replaced with Trojan horse versions, etc., are therefore excellent potential indications that an attack has occurred. 2. Target monitoring systems are not based on statistical norms, signatures, and other indicators that may or may not be valid. These systems are, therefore, not as model dependent — they are instead simple and straightforward. Furthermore, they do not really need to be validated because the logic behind them is so obvious. 3. They do not have to be continuously run to be effective. All one has to do is run a target monitoring program at one point in time, then another. Target monitoring systems thus do not generally result in as much performance overhead as do other types of IDSs. Systems that Perform Wide-Area Correlation of Slow and “Stealth” Probes Not every attack that occurs is an all-out attack. A fairly typical attack pattern is one in which intruders first probe remote systems and network components such as routers for security-related vulnerabilities, and then actually launch attacks later. If attackers were to launch a massive number of probes all at once the likelihood of noticing the activity would increase dramatically. Many times, therefore, attackers probe one system, then another, then another at deliberately slow time interviews. The result is a substantial reduction in the probability that the probes will be noticed. A fourth type of IDS performs wide-area collection of slow and stealth probes to discover the type of attacks mentioned in this section. MAJOR ADVANTAGES AND LIMITATIONS OF INTRUSION DETECTION TECHNOLOGY Advantages Intrusion detection is potentially one of the most powerful capabilities that an InfoSec practice can deploy. Much of attackers’ ability to perpetrate computer crime and misuse depends on their ability to escape being noticed until it is too late. The implications of the DISA statistics cited earlier are potentially terrifying; in the light of these findings, it might therefore be more reasonable to ask how an InfoSec practice that claims to observe the principle of “due dilligence” could avoid using an © 1999 CRC Press LLC 10/99 IDS enterprisewide. It is strongly emphasized that any InfoSec practice that does not utilize IDS technology to at least some degree is not practicing due dilligence because it will necessarily overlook a large percentage of the incidents that occur. Any practice that remains unaware of incidents does not understand the real risk factor; sadly, it only mimics the behavior of an ostrich with its head under the sand. Simply put, an effective IDS can greatly improve the capability to discover and report security-related incidents. Also note that the complexity of configuration of most systems, and the poor quality of most commercial software, effectively guarantees that new flaws will be discovered and widely reported that can be used against most computing environments. Patches and defenses are often not as quickly available as attack tools, and defenses based on monitoring and response are the only way to mitigate such dangers. The failure to use such mechanisms is a failure to adequately provide comprehensive security controls. In addition to increasing an organization’s capability to notice and respond to incidents, ISDs offer several other major benefits. These include: 1. Cost reduction. Automated capabilities over time generally cost less than humans performing the same function. Once an organization has paid the cost of purchasing and installing one or more IDSs, the cost of an intrusion detection capability can be quite reasonable. 2. Increased detection capability. An effective IDS is, as mentioned earlier, able to perform more sophisticated analysis (e.g., by correlating data from a wide range of sources) than are humans. The epidemy of the problem of reading and interpreting data through human inspection is reading systems’ audit logs. These logs typically produce a volume of data that system administrators seldom have time to inspect at all or at least in any detail. Remember, too, that attackers often have the initial goal of disabling auditing once they compromise a system’s defenses. IDSs do not necessarily rely on audit logs. 3. Deterrent value. Attackers who know intrusion detection capabilities are in place are often more reluctant to continue unauthorized computer-related activity. IDSs thus, to some degree, serve to deter unauthorized activity. 4. Reporting. An effective IDS incorporates a reporting capability that utilizes standard, easy-to-read and understand formats and database management capabilities. 5. Forensics. A few IDSs incorporate forensics capabilities. Forensics involves the proper handling of evidence that can be used in court. A major goal of forensics in fact is to collect and preserve evidence about computer crime and misuse that will be admissible in a court of law. © 1999 CRC Press LLC 10/99 6. Failure detection and recovery. Many failures exhibit features similar to misuse or intrusion. Deployment of good IDs can result in advance notice of these symptoms before they result in full failures. Furthermore, some IDs can provide audit data about changes, thus allowing failed components to be restored or verified more quickly. Disadvantages On the other hand, intrusion detection is beset with numerous limitations. Some of the most critical of these drawbacks include: 1. Immaturity. Most (but not all) IDSs available today have significant limitations regarding the quality of functionality they provide. Some are, in reality, little more than prototypes with a sophisticated user interface. Others purport to compare signatures from a signature library to events that occur in systems or networks, but the vendors or developers refuse to allow potential customers to learn how complete and how relevant these libraries are. Equally troubling is the fact that new types of attacks occur all the time; unless someone updates the signature library accordingly, detection efficiency will fall over time. Still other IDSs rely on statistical indicators such as “normal usage patterns” for each user. A clever perpetrator can, however, patiently and continuously engage in activity that does not fall out of the normal range but comes close to doing so. The perpetrator thus can adjust the statistical criteria over time. Someone who normally uses a system between 8 a.m. and 8 p.m. may, for example, want to attack the system at midnight. If the perpetrator were to simply attack the system at midnight, alarms might go off because the IDS may not consider midnight usage within the normal range of usage for that user. But if the perpetrator keeps using the system from, say, 11 a.m. to 11 p.m. every day for one week, usage at midnight might now no longer be considered statistically deviant. 2. False positives. Another serious limitation of today’s IDSs is false positives (Type I errors). A false positive occurs when an IDS signals that an event constitutes a security breach, but that event in reality does not involve such a breach. An example is multiple, failed log-ins by users who have forgotten their passwords. Most of the IDS customer community today is concerned about false alarms because they are often so disruptive and because they sidetrack the people who investigate the false intrusions from other, legitimately important tasks. 3. Performance decrements. Deploying IDSs results in system or network performance hits. The actual amount of decrement depends on the particular IDS; some are very disruptive to performance. Anomaly-based systems are often the most disruptive because of the complexity of matching required. © 1999 CRC Press LLC 10/99 4. Initial cost. The initial cost of deploying IDSs can be prohibitive. When vendors of IDS products market their products, they often mention only the purchase cost. The cost to deploy these systems may require many hours of consultancy support, resulting in a much higher cost than originally anticipated. 5. Vulnerability to attack. IDSs themselves can be attacked to disable the capabilities they deliver. The most obvious case is when a trusted employee turns off every IDS, engages in a series of illegal actions, and then turns every IDS on again. Any attacker can flood a system used by an IDS capability with superfluous events to exceed the disk space allocated for the IDS data, thereby causing legitimate data to be overwritten, system crashes, and a range of other undesirable outcomes. 6. Applicability. IDSs are, by definition, designed to uncover intrusions — unauthorized access to systems; yet a large proportion of the attacks reported recently (at the time this article was written) were either probes (e.g., use of scanning programs to discover vulnerabilities in systems) or denial-of-service attacks. Suppose that an attacker wants to cause as many systems in an organization’s network to crash as possible. Any IDSs in place may not be capable of discovering and reporting many denial-of-service attacks in the first place. Even if they are capable of doing so, knowing that “yes, there was a denial of service attack” hardly does any good if the attacked systems are already down. Additionally, many (if not most) of today’s IDSs do a far better job of discovering externally initiated attacks than ones that originate from inside. This is unfortunate, given that expected loss for insider attacks is far higher than for externally originated attacks. 7. Vulnerability to tampering. IDSs are vulnerable to tampering by unauthorized as well as authorized persons. Many ways to defeat IDSs are widely known, within both the InfoSec and perpetrator communities. In a highly entertaining article, Cohen9 describes 50 of these ways. 8. Changing technology. Depending on a particular technology can result in loss of protection as the overall computing infrastructure changes. For example, network-based intrusion detection is often foiled by switch-based IP networks, ATM-like networks, VPNs, encryption, and alternate routing of messages. All of these technologies are becoming more widely deployed as time goes on. The advantages and disadvantages of intrusion detection technology are summarized in Exhibit 2. ASSESSING INTRUSION DETECTION REQUIREMENTS The relationship of intrusion detection to risk. A large number of organizations go about the process of risk management by periodically performing risk assessments, determining the amount of resources available, © 1999 CRC Press LLC 10/99 Exhibit 2 — Summary of Advantages and Disadvantages of Intrusion Detection Technology • Cost reduction (at least over time) resulting from automation • Increased efficiency in detecting incidents • Can deter unauthorized activity • Built-in reporting, data management, and other functions • Built-in forensics capabilities • Many IDSs do not deliver the functionality that is needed • Unacceptably high false alarm rates • Generally produce performance decrements • Initial cost may be prohibitive • May yield superfluous data • IDSs themselves are vulnerable to attack and then allocating resources according to some method of prioritybased risk mitigation strategy (i.e., introducing one or more controls that counter the risk with the greatest potential for negative impact, then implementing one or more measures that address the risk with the second greatest negative impact, until the resources are spent). Regardless of whether or not one agrees with this mode of operation, it tends to guarantee that intrusion detection needs will be overlooked. In simple terms, intrusion detection does not address any specific risk as directly as measures such as encryption and third-party authentication solutions. Developing Business-Related Requirements Developing specific, business-related requirements concerning intrusion detection is anything but an easy process. The difficulty of doing so is in all likelihood one of the major detractors in organizations’ struggles in dealing with intrusion detection capabilities. Business units, furthermore, may be the most reluctant to utilize intrusion detection technology because of the typical level of resources (personnel and monetary) required and because this technology may superficially seem irrelevant to the needs of fast-paced business units in today’s commercial environments. On the other hand, obtaining buy-in from business units and developing business requirements for intrusion detection at the level of business units is probably not, in most cases, the primary goal anyway. In most organizations, if intrusion detection technology is to be infused successfully, it must be introduced as a central capability. Business requirements and the business rationale for intrusion detection technology are likely to be closely related to the requirements for an organization’s audit function. The ultimate goal of intrusion detection technology in business terms is the need to independently evaluate the impact of system and network usage patterns in terms of the organization’s financial interests. As such, it is often easiest to put intrusion detection technology in the hands of an organization’s audit function. © 1999 CRC Press LLC 10/99 Decision Criteria Suppose that an organization decides to introduce intrusion detection technology. After deriving the business requirements that apply to the organization, the next logical step is to determine whether the organization will build a custom IDS or buy a commercial, off-the-shelf version. The latter is generally a much wiser strategy — building a custom IDS generally requires far more time and resources than one might ever imagine. Additionally, maintenance of custom-built IDSs is generally a stumbling block in terms of long-term operations and cost. The exception to the rule is deploying very simple intrusion detection technology. Setting up and deploying “honey pot” servers, for example, is one such strategy. “Honey pot” servers are, in essence, alarm servers connected to a local network. Normally, nobody uses a “honey pot” server, but this host is assigned an interesting but bogus name (e.g., patents.corp.com). If anyone logs in or even attempts to log in, software in this type of server alerts the administrator, perhaps by having the administrator paged. The major function of “honey pot” servers is to indicate whether an unauthorized user is “loose on the Net,” so that one or more individuals can initiate suitable incident response measures. This strategy is not elegant in terms of the intrusion detection capability that it provides; it is, however, not only simple, but is also very cost-effective. Better yet, an older, reasonably low-ended platform (e.g., a Sparcstation 5) is generally more than sufficient for this type of deployment. Buying a commercial IDS product is easier when one systematically evaluates the functionality and characteristics of each candidate product against meaningful criteria. At a minimum, one should apply the following criteria: 1. Cost. This includes both short- and long-term costs. As mentioned previously, some products may appear to cost little because their purchase price is low; but life-cycle deployment costs may be intolerable. 2. Functionality. The difference between a system- versus a networkbased IDS is very important here. Many intrusion detection experts assert that system-based IDSs are in general better for detecting insider activity, whereas network-based IDSs more often better for detecting externally originated attacks. This consideration is, however, only a beginning point with respect to determining whether or not a product’s functionality is suitable. The presence or absence of functions such as reporting capabilities, data correlation from multiple systems, and near realtime alerting is also important to consider. 3. Scalability. Each candidate tool should scale not only to business requirements but also to the environments in which it is to be deployed. In general, it is best to assume that whatever product one buys will have to scale upward in time, so obtaining a product that © 1999 CRC Press LLC 10/99 4. 5. 6. 7. 8. can scale not only to the current environment, but also later to more complex environments, is frequently a good idea. Degree of automation. The more features of an IDS product that are automated, the less human intervention is necessary. Accuracy. An IDS product should not only identify any bona fide intrusion that occurs but should also minimize the false alarm rate. Interoperability. Effective IDSs can interoperate with each other to make data widely available to the various hosts that perform intrusion detection management and database management. Ease of operation. An IDS that is easy to deploy and maintain is more desirable than one that is not. Impact on ongoing operations. An effective IDS causes little disruption in the environment in which it exists. DEVELOPING AN INTRUSION DETECTION ARCHITECTURE After requirements are in place and the type of IDS to be used is selected, the next logical phase is to develop an architecture for intrusion detection. In the current context, the term “architecture” is defined as a highlevel characterization of how different components within a security practice are organized and how they relate to each focus within that practice. Consider, for example, the following components of an InfoSec practice (see Exhibit 3). To develop an intrusion detection architecture, one should start at the highest level, ensuring that the policies include the appropriate provisions for deploying, managing, and accessing intrusion detection technology. For example, some policy statement should include the provision that no employee or contractor will access or alter in any way any IDS that is deployed. Another policy statement should specify how much intrusion detection data are at a minimum to be captured and how it must be archived. It is also important to ensure that an organization’s EXHIBIT 3 — A Simple Framework for a Security Architecture © 1999 CRC Press LLC 10/99 InfoSec policy clearly demarcates what “unauthorized activity” constitutes if the output of the IDS is to have any real meaning. At the next level down, one might write specific standards appropriate to each type of IDS deployed. For IDSs with signature libraries, for example, it is important to specify how often the libraries should be upgraded. At the lowest level, one might include recommendations such as how much disk space to allocate for each particular IDS installation. It is important to realize that an intrusion detection capability does not work well in isolation; it needs to be part of the inner fabric of an organization’s culture. As such, developing an intrusion detection architecture is a very important step in successfully deploying intrusion detection technology. Note also that developing such an architecture is not as simple as diagrams such as Exhibit 3 might imply; it requires carefully analyzing for each component of the architecture exactly what intrusion detection requires and how to embody the solution for each need within that component. Equally importantly, it requires consensus among organizations that will or might be affected by the rollout of intrusion detection technology in addition to buy-in from senior-level management. CONCLUSION This article examined intrusion detection and its potential role in an InfoSec practice, arguing against the “fortress mentality” that results in implementation of security control measures such as password hackers without realizing that no defense measure is 100 percent effective anyway. It is important, therefore, to devote a reasonable portion of an organization’s resources to detecting incidents that occur and effectively responding to them. This article took a look at its advantages and disadvantages, and then discussed how one can effectively introduce intrusion detection technology into an organization. Finally, considerations related to deploying IDSs were discussed. Intrusion detection in many ways stands at the same crossroads that firewall technology did nearly a decade ago. The early firewalls were really rather crude, and most organizations viewed them as interesting but impractical. Intrusion detection technology was available before the first firewall was ever implemented, but the former has always faced more of an uphill battle. The problem to a large extent can be characterized as due to the mystery and evasiveness that has surrounded IDSs. Firewalls are more straightforward — the simplest firewalls simply block or allow traffic destined for specific hosts. One can be reasonably sure when buying a firewall product how this product will work. The same has not been true in the intrusion detection arena. Yet at the same time, intrusion detection is rapidly gaining acceptance among major organizations around the world. Although the technology surrounding this area is far less than perfect, it is now for the © 1999 CRC Press LLC 10/99 most part sufficiently reliable and sophisticated to warrant its deployment. To ignore and avoid deploying this technology now, in the authors’ judgment, constitutes a failure to adopt the types of measures responsible organizations are now putting in place, which in simple terms is a failure to observe “due care” standards. The good news is that intrusion detection technology is becoming increasingly sophisticated every year. Also encouraging is the fact that performance-related problems associated with IDSs are becoming relatively less important because operating systems and the hardware platforms on which they run are constantly improving with respect to performance characteristics. The research community, additionally, is doing a better job in pioneering the way for the next generation of intrusion detection technology. Some current advances in intrusion detection research include areas such as interoperability of IDSs, automatic reporting, and automated response (in which the IDS takes evasive action when it determines that an attack is in progress). The bad news is that if an organization does not currently use intrusion detection technology, it is badly behind the intrusion detection “power curve.” Consider, furthermore, that an organization that buys, then rolls out a new IDS product is by no means ready to reap the benefits immediately. A definite, steep learning curve for using intrusion detection technology exists. Even if one starts deploying this technology now, it takes time to assimilate the mentality of intrusion detection and the technology associated with it into an organization’s culture. It is important, therefore, to become familiar with and start using this technology as soon as possible to avoid falling behind even further. The alternative is to continue to function as the proverbial ostrich with its head beneath the sand. REFERENCES 1. Schultz, E.E. and Wack, J., Responding to Computer Security Incidents, in M. Krause and H.F. Tipton (Eds.), Handbook of Information Security, Boston: Auerbach, p. 53–68, 1996. 2. Garfinkel, S. and Spafford, G., Practical UNIX and Internet Security, O’Reilly & Associates, Inc., 1996. 3. Garfinkel, S. and Spafford, G., Web Security and Commerce, O’Reilly & Associates, Inc., 1997. 4. Van Wyk, K.R., Threats to DoD Computer Systems, paper presented at 23rd Information Integrity Institute Forum, (cited with author’s permission). 5. Power, Richard, Issues and Trends: 1999 CSI/FBI Computer Crime and Security Survey, Computer Security Journal, XV(2), Spring 1999 6. Mukherjee, B., Heberlein, L.T., and Levitt, K.N., Network Intrusion Detection, IEEE Network, 8(3), 26–41, 1994. 7. Crosbie, M. and Spafford, E.H., Defending a Computer System using Autonomous Agents, Proceedings of 18th National Information Systems Security Conference, p. 549–558, 1995. 8. Herringshaw, C., Detecting Attacks on Networks, IEEE Computer, 30(12), 16–17, 1997. 9. Cohen, F., Managing Network Security. Part 14: 50 Ways to Defeat Your Intrusion Detection System, Network Security, December, p. 11–14, 1997. Eugene Schultz can be contacted through both Global Integrity Corporation and Purdue University. Eugene Spafford can be contacted through Purdue University. © 1999 CRC Press LLC 10/99
© Copyright 2025