
Intrusion Detection FAQ: Getting Started

If someone from a large organization called and asked you for advice on what he or she should do first to get started on ID, what one thing would you recommend?

The first thing to do is think about what benefits the organization expects from the investment it will have to make. One good starting place is to look at the impact of past intrusions. If the company has been subject to recent intrusions and hacking activity, it will be cognizant of the risks out of necessity. Studying past intrusions and the company's response will be helpful in framing the business case for intrusion detection products. For example: intrusion detection products would have caught the intrusion sooner, saving $X.XX and the embarrassment of the intrusion appearing in the press.

Knowing the cost of prior intrusions is beneficial in preparing a preliminary cost-benefit analysis. The cost of an intrusion may include production downtime, negative public relations that may affect a company's stock price, sabotage of critical information leading to bad decisions, or unauthorized access to or theft of confidential information leading to the loss of a competitive advantage. The cost also includes the expenses associated with investigation, legal work, forensics and management reporting.

An understanding of the benefits of intrusion detection has to be developed alongside a general familiarity with the intrusion detection products currently on the market. The goals and objectives of those products need to be understood. Understanding the relation between the business case objectives and those of specific products helps articulate what it is possible to achieve and will also pave the way for selecting products that meet the company's IDS needs. Unfortunately, there are not many reference books available on intrusion detection. Web sites, white papers, product brochures and intrusion detection conferences will provide a good starting point for assembling this information. Discussing intrusion detection with other organizations that have implemented it may prove to be very helpful.

Detecting intrusions and incidents is not the only potential benefit of an IDS. Another event of interest is sensitive information being sent in the clear. An IDS can allow you to test the waters for Data Loss Prevention (DLP), especially for the classic use cases such as social security numbers, credit card numbers and the like. A DLP solution is very expensive and requires adding staff to handle the number of events a large organization is likely to see. By using the open source Snort, it is possible to get an idea of how many such events per month are occurring. Another potential event of interest is employees sending sensitive or proprietary information out to the Internet in the clear by choosing technologies such as FTP or email that are not encrypted. It is possible to work with the business units to identify words and phrases that are likely to indicate sensitive information.
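To show what "testing the waters" for DLP with an IDS looks like in practice, here is an added example written for this FAQ (it is not code from the original page or from Snort): it applies the classic SSN and credit-card patterns to constructed fragments of cleartext SMTP/FTP payloads, validates card candidates with the Luhn checksum to cut false positives, and tallies events per protocol, which is the raw count a per-month estimate would be built from. The payload lines and the protocol labels are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed sample payloads (not from the original page): fragments of
# cleartext sessions as a network sensor would see them, labelled by protocol.
SAMPLE_PAYLOADS = [
    ("smtp", "Hi Bob, my SSN is 078-05-1120, please add me to payroll."),
    ("ftp",  "card on file: 4111 1111 1111 1111 exp 12/27"),
    ("smtp", "Invoice total 1234-56-7890 is the ticket id, not an SSN"),
    ("smtp", "order ref 4111111111111112"),   # 16 digits but fails Luhn
    ("http", "nothing sensitive here"),
]

# SSN: area not 000/666/9xx, group not 00, serial not 0000, whole token only.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card candidate: 13-16 digits, optionally separated by single spaces/dashes.
CC_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")


def luhn_ok(digits):
    """Luhn checksum; used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Event:
    proto: str
    kind: str
    value: str


def scan_payload(proto, payload):
    """Return the sensitive-data events found in one cleartext payload."""
    events = [Event(proto, "ssn", m.group()) for m in SSN_RE.finditer(payload)]
    for m in CC_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):     # pattern hit alone is not enough
            events.append(Event(proto, "credit_card", digits))
    return events


def count_events(payloads):
    """Tally events per (protocol, kind); this is the number a DLP pilot reports."""
    counts = {}
    for proto, payload in payloads:
        for ev in scan_payload(proto, payload):
            counts[(proto, ev.kind)] = counts.get((proto, ev.kind), 0) + 1
    return counts
```

Running `count_events(SAMPLE_PAYLOADS)` yields one SSN over SMTP and one card number over FTP; the ticket id and the Luhn-invalid digit run are correctly ignored.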

The next step is to translate this material for management. White papers and presentations are good mechanisms to increase management's awareness and understanding of intrusion detection. The objective is to establish a good business case for using intrusion detection. The costs of recent break-ins at the company will help support the business case, even if only at the anecdotal level. Certainly, recent related cases from the media would help reinforce the need for intrusion detection. Management will be more likely to take action when the business case is strongly articulated and clearly related to the benefits of intrusion detection products.

Intrusion detection is not going to be free, even if you use an open source product. Expect the time to research, acquire, configure and implement to be far less than the ongoing day-to-day management of the information. Also, think about your storage strategy in advance. Do you want to retain the events of interest that have been detected? There may be regulatory requirements to retain these for five or even seven years. Even if you use lower cost software RAID 5 to maintain these alerts, the cost will be measurable. Also, organizations often wish to store the alerts in their SIEM. There are many advantages to that, but this too comes at a cost. When you present the potential benefits to the organization, try to be as accurate as possible with respect to the cost.

Phil Bandy, Michael Money & Karen Worstell
SRI Consulting
Updated by Stephen Northcutt
SANS.edu