Intrusion detection systems (IDS) are a vital part of any information security
policy, but they do need careful management, writes Stuart Eaton from
Centrinet.
IDS acceptance as a recognised component of security
A common analogy applied to intrusion detection systems and firewalls is that of your
home. Suppose that you move into a new home in an affluent area. After a year you pick up
the local paper, the headline tells you of a spate of burglaries and vandalism in the area,
targeting your prosperous well-advertised housing estate. Upon reading this you ensure that
you have a strong front door and put a couple of extra locks on. A week later, entering the
front room you are greeted by the sight of broken glass and no television. So what
happened? Although the door was perfectly secure, the thieves simply smashed the kitchen
window, climbed through and helped themselves.
It is common practice for people to buy an alarm or even a dog to complement the locks
and doors of a house. The reasoning behind this is obvious: they give you an early warning
of an attack on your property and they also provide a deterrent to the would-be thief when
their use is detected. How many times have we read stories of reformed criminals talking
about targeting the ‘easy’ house without the alarm or dog? The contemporary internet
security landscape is increasingly mirroring our domestic analogy.
IDS is not ‘fire and forget’
Intrusion detection, above perhaps any other security measure, cannot be thought of as ‘fire
and forget’. The threats faced by security staff change day by day and the IDS should be
updated correspondingly. There are two key points to remember regarding intrusion
detection:
1. It does not assess and anticipate vulnerabilities in the network so much as monitor
those areas of the network that administrators believe are vulnerable.
2. It does not automatically protect and secure a network once it detects an attack.
These points illustrate the industry reasoning that a well-deployed IDS solution should have
a fully trained security specialist administering the solution as a key component.
An IDS solution is only as effective as the tuning and signature files. A solution that
creates too many false alerts or false positives will undermine the credibility of the IDS
within the business, and can often lead to staff simply switching it off or at least ignoring its
output.
A solution that creates too few alerts can lead to a false sense of security; it should
instead lead you to suspect that your system is not detecting enough suspicious traffic. This
is especially pertinent when coupled with the findings detailed within the Honeynet project.
The Honeynet project involved servers attached to the Internet acting as decoys; these
lured potential hackers so that their activities and methods of gaining entry could be
monitored. The findings from this project were then documented and used to make people aware
of the potential threats. One of the most startling facts was that the quickest time a system
was compromised was 15 minutes; the average was 72 hours.
The nature of the Internet and Internet-borne attacks is that of an ever-changing
24/7/365 evolving entity. Your IDS solution and the people that administer it should have
the tools and the skills to ensure that you can keep pace and also evolve securely.
IDS should be part of your reaction to the threat
Compaq estimate that the average financial trading house can lose £300,000–400,000 in an
hour of downtime; further to this, the average large company loses US$20,000 per hour
during the first 72 hours of its response to a security breach, according to a recent study by
Gartner [1].
These alarming figures should lead us to ensure that our companies at least adhere to
minimum measures to help diminish the threat to business. These measures include the
following:
Switch on audit logs for all key servers – when efficiently and effectively configured,
these logs will provide adequate information to identify and investigate any problems.
Implement properly designed firewalls – these can track all traffic in and out of the site,
logging and inspecting every packet of information to ensure its legitimacy.
Install intrusion detection software – if properly configured, this software will quickly
identify known patterns of attack and immediately shut out only the attacker, while
sounding the appropriate alarms.
Hire the right people – make sure your technical personnel completely understand the
issues, the technologies and the solutions. Otherwise consider outsourcing.
Test defences regularly – the rapid rate of change in both the technology area and the
hacking community means that you must test your own defences on a regular basis.
Design the network to isolate attacks – if the worst happens and the hacker gets inside,
appropriate network configuration, firewalls and other tools will ensure any damage the
hacker could cause is isolated to a small area.
Have an incident response plan – identifying, reacting and resolving the problem immediately
is the real business dilemma. Most organisations implement the right preventative
measures but do not prepare and train for the worst.
Focus on preventative measures – swift, large-volume, automated attacks require
sophisticated, automated defence mechanisms. Identifying a problem an hour after it
occurs and then trying to trace and resolve it is not an option.
Keep all software up-to-date – implementing all security fixes and patches as they are
released will go a long way to reducing your vulnerability to these attacks.
Management by specialists
The nature of intrusion detection integrates with the ‘managed security’ model to a greater
extent than perhaps any other security technology. Network Computing noted [2], ‘The case
for outsourcing some of this IDS pain is getting more and more compelling.’ The characteristics
of IDS output require skilled technicians around the clock to address the alerts. The
infrastructure however must be in place to allow effective interpretation of the alerts and
must be able to scale to the number of alerts generated during attacks. This is a point ratified
by the Sysadmin, Audit, Network, Security (SANS) Institute: ‘It has become a middleware [3]
nightmare to manage the outputs from IDSs. Monitoring and analysing alerts from even a
handful of IDSs can quickly overwhelm security staff.’
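The two tuning questions raised earlier (which signatures are drowning the analysts, and which sensors have gone suspiciously quiet) and the alert-volume problem SANS describes above can both be answered with a first-pass triage over the raw alert stream. The script below is an added example, not code from the article or from Centrinet; the alert log, sensor names and timestamps are constructed, and the space-separated line format is an assumption rather than any real product's output.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample alert log (not from any real IDS):
# time, sensor, signature, source, destination.
SAMPLE_ALERTS = """\
2002-03-04T09:00:01 dmz-sensor ICMP_ECHO_SWEEP 10.0.0.5 192.0.2.10
2002-03-04T09:00:02 dmz-sensor ICMP_ECHO_SWEEP 10.0.0.5 192.0.2.11
2002-03-04T09:00:03 dmz-sensor ICMP_ECHO_SWEEP 10.0.0.5 192.0.2.12
2002-03-04T09:00:04 dmz-sensor ICMP_ECHO_SWEEP 10.0.0.5 192.0.2.13
2002-03-04T09:05:10 dmz-sensor WEB_CGI_PROBE 203.0.113.7 192.0.2.10
2002-03-04T09:06:00 dmz-sensor ICMP_ECHO_SWEEP 10.0.0.5 192.0.2.14
2002-03-04T06:00:00 lan-sensor SMB_LOGIN_FAILURE 192.0.2.50 192.0.2.60
"""
SENSORS = ("dmz-sensor", "lan-sensor", "hq-sensor")  # sensors expected to report
NOW = datetime(2002, 3, 4, 9, 10)  # constructed "current time" for the sample

def parse_alerts(text):
    """One alert per line; blank or malformed lines are skipped, not guessed at."""
    alerts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, sensor, sig, src, dst = fields
        alerts.append({"time": datetime.fromisoformat(ts), "sensor": sensor,
                       "sig": sig, "src": src, "dst": dst})
    return alerts

def noisy_signatures(alerts, share=0.5):
    """Signatures producing more than `share` of all alerts: first tuning candidates."""
    counts = Counter(a["sig"] for a in alerts)
    total = sum(counts.values()) or 1
    return [(sig, n) for sig, n in counts.most_common() if n / total > share]

def quiet_sensors(alerts, sensors, now, max_silence=timedelta(hours=1)):
    """Sensors with no alert inside the window: check they still see traffic."""
    last_seen = {}
    for a in alerts:
        last_seen[a["sensor"]] = max(a["time"], last_seen.get(a["sensor"], a["time"]))
    return sorted(s for s in sensors
                  if s not in last_seen or now - last_seen[s] > max_silence)

def triage(text, sensors, now):
    alerts = parse_alerts(text)
    return {"total": len(alerts), "noisy": noisy_signatures(alerts),
            "quiet": quiet_sensors(alerts, sensors, now)}

def run_sample():
    return triage(SAMPLE_ALERTS, SENSORS, NOW)
```

On the sample, one sweep signature accounts for most of the volume (a tuning candidate), while two sensors have not reported within the hour, which is the "too few alerts" condition the article warns should be investigated rather than welcomed.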
Intrusion detection should be a technology explored by any company that is serious
about the threat inherent in today’s connected business world. The decision to outsource
this function, whilst compelling, should not be taken lightly.
Centrinet are a leading provider of Internet and network security solutions based on
the innovative use of the best products and services. Our passion for customer
service and technical excellence, combined with a no-nonsense approach to
business, provides our clients with a refreshing and unique experience.
For further information contact: Centrinet Limited, Witham Park House, Waterside
South, Lincoln, Lincolnshire, LN5 7JN. Tel: +44 (0)1522 559 600; Fax: +44 (0)1522
533 745; Email: enquiries@centri.net; Website: www.centri.net