Intrusion detection is failing: enter intrusion management. (Security)

Intrusion detection systems (IDSs) are a hot topic these days for good reason. The sheer number of threats and intrusions to corporate IT systems has grown phenomenally in the past few years, along with the sophistication of attacks that security managers are experiencing. What is causing this growth in unlawful intrusions? In large part the Internet has opened the door by increasing business connectivity. This includes exposure to external business and non-business entities. This exposure has been magnified by recent world events that have increased the threat from terrorists and industrial spies, not to mention electronic vandals and thieves.
What's so wrong with current IDS technologies?

Security events and other information from numerous point products such as network-based intrusion detection systems, firewalls and anti-virus products are overwhelming security managers and intrusion analysts. These point products also often fail to highlight the relationship between different registered events emanating from the same attack or policy violation. This has caused information overload and a lack of business value from current intrusion detection systems, compounded by an overall shortage of qualified personnel to monitor and respond to events. It seems that while there are many IDS products available, many implementations have failed because of a belief that these products alone can solve the problem. In struggling to properly monitor their security environments, companies are beginning to realise that there must be a better way, and this belief has evolved into a concept called "intrusion management".

What's so right about intrusion management?

Pinkesh Shah, at PentaSafe Security Technologies, says of the move away from traditional IDS to the new concept of intrusion management: "IDS must evolve beyond its point product tradition and encompass a new level of management capabilities. Companies have to focus on managing events, correlating them, and responding to them in real time. To put it bluntly, to manage risk in real time requires intrusion management."

Giga Information Group defines the intrusion management process as incorporating several key areas:

Vulnerability management -- The ability to understand to what an organisation is vulnerable and how these vulnerabilities would impact the business if they were exploited.
Intrusion detection -- The process of identifying security incidents at specific points (e.g., network, host, application) in the enterprise.

Security event management -- The ability to consolidate multiple sources of security incidents (e.g., firewall logs, host-based intrusion detection systems, network-based IDS, application logs, etc.) and relate security events together to identify the impact/scope of a security incident on business operations.

Incident response -- The process of successfully responding to an incident, whether the objective is solely to recover or to bring the perpetrators to prosecution.

To get the most out of security technologies and effectively manage risk in real time, businesses need to integrate distinct security processes and technologies in a way that has not been achieved before. An effective intrusion management solution combines security event detection, event management, incident response and other technologies and processes to achieve measurable and practical real-time risk management. A look at each of these key points in turn shows how they form a vital link in the intrusion management process.
Vulnerability Management

Many businesses have deployed security technologies without properly understanding their vulnerabilities. Establishing a vulnerability management process facilitates successful intrusion management by enabling organisations to prioritise their security monitoring and incident response. Knowledge of vulnerabilities such as software defects (i.e., bugs) and configuration flaws helps security professionals determine the attacks to which they should be most sensitive. This knowledge helps plan the deployment of a successful intrusion management solution by focusing on those areas that are most vulnerable.

Intrusion Detection

Security event detection technologies must start to identify more than just attacks and intrusions, the traditional domain of intrusion detection systems that often rely on specific signatures for detection. Security event detection technologies must also identify precursors of attacks such as port scans, network browsing and web site crawling. They need to identify policy violations such as configuration changes that deviate from security standards and user breaches of acceptable use policies. Successful intrusion management must rely on the detection of more than just attacks and intrusions. While these are very important events, intrusion management technologies and processes have to begin making sense of large volumes of information and using it to highlight only those events or combinations of events that are relevant to the organisation's security posture.
Security Event Management

To effectively manage risks from intrusions, the management of events must play a much larger role than in the past. Here are the policies and processes that must be put in place for successful security event management:

Enterprise security event collection - The event management system must be able to collect events from numerous disparate technologies including security and network devices, business applications, infrastructure components and more.

Data normalisation - The event management system must also parse and normalise event data. That means certain pieces of information must be gleaned from each event and inserted into specific fields in an event database.

Event correlation - Security event correlation is the process of relating several distinct security events that emanate from the same attack, and is vital to reducing the number of events that must be handled by an intrusion analyst.
Alerting and automation - Security event management technologies must provide flexible alerting mechanisms and be able to automate responses to events.

Incident Response

Intrusion management must include responding to attacks, intrusions and policy violations. To accomplish this, an effective intrusion management solution must provide tools that enable an easy and effective response to critical events. Traditionally, event management systems have provided no ability to take action in response to an event. However, incident response capabilities are becoming more critical as quicker resolution of security events is needed. Only systems that provide integration of multiple tools for active incident response will be able to provide true intrusion management.

The evolution of intrusion detection

Intrusion management is a necessary next step in the evolution of intrusion detection technologies. Intrusion management solutions enable businesses to get more value from their current IDS investments and other security technologies. Most importantly, intrusion management turns intrusion detection into a management discipline that goes beyond detection and logging to allow security professionals to manage and respond to attacks, intrusions and policy violations more efficiently and effectively.

Intrusion management in the real world

While intrusion management is something that undoubtedly looks good on paper, is it actually something that can work in the real world? The answer is most definitely yes. The first intrusion management system has already been developed and is successfully working in businesses around the world.
PentaSafe's VigilEnt Intrusion Manager (VIM) is the first enterprise intrusion management solution on the market. True to the intrusion management principles, it manages security risk in real time, enabling organisations to manage high-volume security events, analyse logs and respond to intrusions. www.pentasafe.com
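The article describes the event management steps (collection, normalisation, correlation, alerting) in prose, and separately argues that vulnerability knowledge should drive which alerts get attention and that precursors such as port scans should be detected, not just signature hits. The script below is an added illustration of those points working together; it is not code from the article or from PentaSafe's product. It normalises three constructed log formats (a firewall deny line, a network IDS alert, a web application log line) into one schema, groups events from the same source address that fall within a five-minute window, flags a group that touches many distinct ports as a scan precursor, and raises the priority when a signature hit targets a host and port listed in a constructed vulnerability inventory. The log lines, addresses, signature id, window size, port threshold and inventory are all assumptions made for the example.

```python
"""Added example (not from the article or PentaSafe's product): an event
management pipeline that normalises heterogeneous log lines into one schema,
correlates them by source address inside a time window, flags port-scan
precursors and prioritises incidents against a vulnerability inventory.
Every log line, address and vulnerability entry below is a constructed sample."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events in three vendor formats: firewall, network IDS, web application.
RAW_EVENTS = [
    "2002-03-01T10:00:01 FW deny src=10.0.0.5 dst=192.168.1.10 dport=21 proto=tcp",
    "2002-03-01T10:00:02 FW deny src=10.0.0.5 dst=192.168.1.10 dport=22 proto=tcp",
    "2002-03-01T10:00:03 FW deny src=10.0.0.5 dst=192.168.1.10 dport=23 proto=tcp",
    "2002-03-01T10:00:05 FW deny src=10.0.0.5 dst=192.168.1.10 dport=80 proto=tcp",
    '2002-03-01T10:00:40 NIDS alert sid=1234 msg="WEB-CGI test attempt" 10.0.0.5:4421 -> 192.168.1.10:80',
    "2002-03-01T10:00:41 APP webserver 192.168.1.10 client=10.0.0.5 path=/cgi-bin/test status=404",
    "2002-03-01T10:30:00 FW deny src=10.0.0.9 dst=192.168.1.20 dport=445 proto=tcp",
]

# Constructed vulnerability inventory (hypothetical scan output): host -> vulnerable ports.
VULNERABLE_HOSTS = {"192.168.1.10": {80}}
WINDOW = timedelta(minutes=5)   # events from one source closer than this belong to one incident
SCAN_PORT_THRESHOLD = 4         # distinct ports touched by one source that count as a scan precursor

FW_RE = re.compile(r"^(\S+) FW (\w+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$")
NIDS_RE = re.compile(r'^(\S+) NIDS alert sid=(\d+) msg="([^"]*)" (\S+):(\d+) -> (\S+):(\d+)$')
APP_RE = re.compile(r"^(\S+) APP (\w+) (\S+) client=(\S+) path=(\S+) status=(\d+)$")

def normalise(line):
    """Normalisation step: map one raw line onto the common event-database fields.
    Returns None for an unrecognised format so parser gaps are reported, not silently dropped."""
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, dport, _proto = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "firewall", "src": src,
                "dst": dst, "dport": int(dport), "category": "fw-" + action, "msg": ""}
    m = NIDS_RE.match(line)
    if m:
        ts, sid, msg, src, _sport, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "nids", "src": src,
                "dst": dst, "dport": int(dport), "category": "sig-" + sid, "msg": msg}
    m = APP_RE.match(line)
    if m:
        ts, app, host, client, path, status = m.groups()
        return {"ts": datetime.fromisoformat(ts), "source": "app", "src": client,
                "dst": host, "dport": None, "category": "app-%s-%s" % (app, status), "msg": path}
    return None

def build_incident(src, evs):
    """Summarise one correlated group and prioritise it using the vulnerability inventory."""
    ports = {e["dport"] for e in evs if e["dport"] is not None}
    precursor = len(ports) >= SCAN_PORT_THRESHOLD      # port-scan precursor, not yet an attack
    signature_hit = any(e["category"].startswith("sig-") for e in evs)
    hits_vulnerable = any(e["dport"] in VULNERABLE_HOSTS.get(e["dst"], set()) for e in evs)
    if signature_hit and hits_vulnerable:
        priority = "high"      # known signature aimed at a service the inventory says is vulnerable
    elif signature_hit or precursor:
        priority = "medium"
    else:
        priority = "low"
    return {"src": src, "events": len(evs), "targets": sorted({e["dst"] for e in evs}),
            "sources": sorted({e["source"] for e in evs}),
            "precursor_scan": precursor, "priority": priority}

def correlate(events):
    """Correlation step: group events by source address, splitting when a gap exceeds WINDOW."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)
    incidents = []
    for src, evs in by_src.items():
        group = [evs[0]]
        for ev in evs[1:]:
            if ev["ts"] - group[-1]["ts"] <= WINDOW:
                group.append(ev)
            else:
                incidents.append(build_incident(src, group))
                group = [ev]
        incidents.append(build_incident(src, group))
    return incidents

def run(lines=RAW_EVENTS):
    """Collection -> normalisation -> correlation; returns (incidents, unparsed lines)."""
    events, unparsed = [], []
    for line in lines:
        ev = normalise(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return correlate(events), unparsed

if __name__ == "__main__":
    incidents, unparsed = run()
    print("%d raw events -> %d incidents, %d unparsed" % (len(RAW_EVENTS), len(incidents), len(unparsed)))
    for inc in incidents:
        print(inc)
```

On the sample data the seven raw lines collapse to two incidents: the six events from 10.0.0.5 become one high-priority incident (scan precursor across four ports, then a signature hit on a port the inventory marks vulnerable, confirmed by the application log from the same client), and the single deny from 10.0.0.9 stays a low-priority record. The unparsed list is what an analyst would review to extend the parsers, since a source that cannot be normalised cannot be correlated.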