Intrusion detection in the age of compliance
FISMA, HIPAA and PCI-DSS tell you what to do ... but not how
September 16, 2007 12:00 PM ETComputerworld - While intrusion-detection technologies are clearly not a hot new thing anymore, they are still the subject of active industry debate. Since the infamous "IDS Is Dead" piece was published by Gartner Inc. in 2003, the discussion about the relevance of intrusion-detection systems to today's world of commercial malware and Web exploits rages on. Furthermore, the relationship of IDS to newer technologies such as intrusion-prevention systems (IPS) and network-behavior anomaly detection (NBA) systems is also commonly discussed in the security community.
At the same time, everybody who is even slightly involved with security knows that prevention technologies will fail at some point. It's necessary to have an additional layer to detect the consequences of a breach. (Note that detection will also fail at some point, leading us into incident response -- the subject of my previous article.) Similarly, few question the need for comprehensive network monitoring aimed at increasing control over what should be "your" network but is sometimes "owned" by the attackers as well.
No matter what technologies become fashionable, the need for intrusion detection is constant. Whether you choose to implement an IDS is less important than having a process that enables you to know what is going on and to detect intrusions. Thus, enlightened companies will consider even their end users to be, metaphorically speaking, a kind of IDS, since users will sometimes serve as indicators of suspicious behavior. On the opposite end of the spectrum are those less-enlightened companies that chose to go with "CNN is our IDS" and that only learn that their networks were compromised when the news shows up in the media. Don't be those guys.
It's interesting to note that intrusion-detection technologies are actually mandated by a few regulations. Organizations under such mandates should look at deploying such technologies independently of industry debate over the finer mechanical points. In my last two articles on incident management and log management, I described the way in which FISMA, HIPAA, and PCI-DSS affect incident-response procedures and log management processes. It should come as no surprise, then, that these same regulations mandate intrusion-detection capabilities.
To demonstrate the complexity of intrusion detection and prevention and the need for a multifaceted approach to the issue, note the common theme that runs through these regulations: Intrusion detection mechanisms must not only be in place, but must also be kept up to date and monitored for signals and alerts.
Federal Information Security Management Act of 2002 (FISMA)
NIST SP 800-53 lists a variety of security controls (including intrusion-detection controls) that need to be in place to protect a federal information system. "Intrusion-detection controls" simply means that tools and techniques be used to monitor for and detect unauthorized information system activity and/or attacks, without specifying any specific method of doing so.
anton chuvakin
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Enterprise 2.0 Applications - Block or Not?
Learn what your organization should do to control Enterprise 2.0 Applications.
Data in Action: Making the Planet Smarter
Register Now
Product Overview Brochure
Learn how to deliver secure data and applications wherever and whenever they're needed.
How to Secure and Accelerate Your Oracle Applications
Learn about the escalating application performance and security challenges facing corporations, today!
The Workday User Experience Video
Watch Workday's Creative Director, Scott Lietzke, discuss the business-centered design philosophy at Workday.
Enterprise Application Delivery: No User Left Behind
Gain the ability to deliver applications to all users, using any device, across any network.
Business Process Framework Demo
Learn about Configurable Business Processes and Calculated Fields. Watch Now!
Accelerate SSL Encrypted Applications
Gain complete visibility into SSL application sessions, making it easy to apply appropriate acceleration and security controls to all SSL traffic.
Manager Experience Demo
Go beyond self-service solutions to perform more effectively. Watch Now.

