The problem with discovering intrusions
The article Spotting System Intrusions a Big Challenge for IT tells it like it is. When you read about a data security breach that was discovered long after the fact, you might be tempted to shake your head and wonder what idiot was responsible. It is just not that simple. There is no one idiot responsible. There are complex reasons why intrusions and data breaches go undetected. Be thankful when you do discover them, and plug the holes.
I am not advocating letting anyone off the hook. I want to bring to IT executive management's attention that you need to fund the ability to detect intrusions, with both security technology and security people.
We are talking about the necessity of log management and event correlation. It sounds simple. It is very complex. You need to divide and conquer. You may decide that securing the external services you provide to vendors, customers, and business partners is the first priority. Once those are secured, you need to determine how you will know when a security device or access control has been violated. You may need to do that at the network, operating system, application, and database levels. Heaven forbid you have a database sitting outside your firewalls.
Let's say you have put the logging in place and have worked out what constitutes a security event. Will that alert be emailed to an engineer or to a team of engineers? Do you have an incident response process that determines whether anything should be done? Is there an escalation path? Who decides that an event is serious enough to act on? This work is usually left to security analysts. They are buried in log files, and even with a serious event correlation engine there is plenty of work left in weeding out false positives: a single rule that fires on a busy network will page someone every few minutes until it is tuned against the traffic you actually have.
Remember that buying security devices and putting them in place, hardening operating systems, patching regularly, and analyzing copious log files will not necessarily prevent an intrusion. It takes a concerted effort to monitor the systems you have in place. It takes the full attention of security engineers and analysts to keep things safe. And it takes serious management support.
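To make concrete what "determining what constitutes a security event" and "weeding out false positives" look like in a correlation engine, here is a small added example in Python. It is not code from the original post; it parses a handful of constructed sshd-style syslog lines (not real data), fires a medium alert when one source address produces five or more failed logins inside a ten-minute window, escalates to a high alert when that same source then logs in successfully, and suppresses sources on an assumed allowlist of internal vulnerability scanners. The threshold, window, and allowlist values are illustrative assumptions, not recommendations.

```python
"""Toy event correlation over sshd auth log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the classic syslog sshd format. Not real data.
# 203.0.113.7 tries several accounts and then gets in; 198.51.100.5 is a user with one
# typo; 192.0.2.10 is assumed to be an internal vulnerability scanner.
SAMPLE_LOG = """\
Mar  3 02:14:00 bastion sshd[4121]: Connection closed by 203.0.113.7 port 51021
Mar  3 02:14:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 bastion sshd[4122]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 02:14:06 bastion sshd[4123]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:08 bastion sshd[4124]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  3 02:14:10 bastion sshd[4125]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
Mar  3 02:14:12 bastion sshd[4130]: Accepted publickey for deploy from 203.0.113.7 port 51027 ssh2
Mar  3 02:20:00 bastion sshd[4150]: Failed password for alice from 198.51.100.5 port 40010 ssh2
Mar  3 02:20:30 bastion sshd[4151]: Accepted password for alice from 198.51.100.5 port 40011 ssh2
Mar  3 03:00:00 bastion sshd[4200]: Failed password for invalid user test from 192.0.2.10 port 33000 ssh2
Mar  3 03:00:05 bastion sshd[4201]: Failed password for invalid user guest from 192.0.2.10 port 33001 ssh2
Mar  3 03:00:10 bastion sshd[4202]: Failed password for invalid user oracle from 192.0.2.10 port 33002 ssh2
Mar  3 03:00:15 bastion sshd[4203]: Failed password for root from 192.0.2.10 port 33003 ssh2
Mar  3 03:00:20 bastion sshd[4204]: Failed password for invalid user pi from 192.0.2.10 port 33004 ssh2
"""

# Only the two outcomes we correlate on; other sshd lines are ignored by parse().
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Illustrative tuning values (assumptions, not recommendations).
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
SCANNER_ALLOWLIST = {"192.0.2.10"}  # assumed internal scanner that is expected to fail logins


def parse(lines, year=2024):
    """Return (timestamp, outcome, user, src) tuples; syslog has no year, so one is assumed."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an authentication outcome we correlate on
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def correlate(events, threshold=FAIL_THRESHOLD, window=WINDOW, allowlist=SCANNER_ALLOWLIST):
    """Sliding-window correlation per source address. Returns alerts in time order."""
    alerts = []
    failures = defaultdict(list)  # src -> failure timestamps still inside the window
    fired = set()                 # sources already alerted on, to avoid one page per extra failure
    for ts, outcome, user, src in sorted(events):
        if src in allowlist:
            continue  # known noisy source: suppress rather than tune the threshold for everyone
        recent = [t for t in failures[src] if ts - t <= window]
        failures[src] = recent
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in fired:
                fired.add(src)
                alerts.append({"severity": "medium", "rule": "ssh-bruteforce",
                               "src": src, "count": len(recent), "ts": ts})
        elif len(recent) >= threshold:
            # A success right after a burst of failures is the event worth waking someone for.
            alerts.append({"severity": "high", "rule": "ssh-bruteforce-success",
                           "src": src, "user": user, "ts": ts})
    return alerts


def run_example():
    return correlate(parse(SAMPLE_LOG.splitlines()))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
    print("without allowlist:", len(correlate(parse(SAMPLE_LOG.splitlines()), allowlist=set())), "alerts")
```

Run as written, the sample yields two alerts for 203.0.113.7 (a medium one at the fifth failure and a high one on the following successful login as deploy), nothing for alice's single typo, and nothing for the scanner. Remove the allowlist and the scanner produces a third alert, which is exactly the kind of false positive an analyst ends up chasing until the rule is tuned.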