Intrusion detection in the age of compliance

Computerworld - While intrusion-detection technologies are clearly not a hot new thing anymore, they are still the subject of active industry debate. Since the infamous "IDS Is Dead" piece was published by Gartner Inc. in 2003, the discussion about the relevance of intrusion-detection systems to today's world of commercial malware and Web exploits rages on. Furthermore, the relationship of IDS to newer technologies such as intrusion-prevention systems (IPS) and network-behavior anomaly detection (NBA) systems is also commonly discussed in the security community.

At the same time, everybody who is even slightly involved with security knows that prevention technologies will fail at some point. It's necessary to have an additional layer to detect the consequences of a breach. (Note that detection will also fail at some point, leading us into incident response -- the subject of my previous article.) Similarly, few question the need for comprehensive network monitoring aimed at increasing control over what should be "your" network but is sometimes "owned" by the attackers as well.

No matter what technologies become fashionable, the need for intrusion detection is constant. Whether you choose to implement an IDS is less important than having a process that enables you to know what is going on and to detect intrusions. Thus, enlightened companies will consider even their end users to be, metaphorically speaking, a kind of IDS, since users will sometimes serve as indicators of suspicious behavior. On the opposite end of the spectrum are those less-enlightened companies that chose to go with "CNN is our IDS" and that only learn that their networks were compromised when the news shows up in the media. Don't be those guys.

It's interesting to note that intrusion-detection technologies are actually mandated by a few regulations. Organizations under such mandates should look at deploying such technologies independently of industry debate over the finer mechanical points. In my last two articles on incident management and log management, I described the way in which FISMA, HIPAA, and PCI-DSS affect incident-response procedures and log management processes. It should come as no surprise, then, that these same regulations mandate intrusion-detection capabilities.

To demonstrate the complexity of intrusion detection and prevention and the need for a multifaceted approach to the issue, note the common theme that runs through these regulations: Intrusion detection mechanisms must not only be in place, but must also be kept up to date and monitored for signals and alerts.

Federal Information Security Management Act of 2002 (FISMA)

NIST SP 800-53 lists a variety of security controls (including intrusion-detection controls) that need to be in place to protect a federal information system. "Intrusion-detection controls" simply means that tools and techniques be used to monitor for and detect unauthorized information system activity and/or attacks, without specifying any specific method of doing so.