Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

Transcription

1 Organizational Issues of Implementing Intrusion Detection Systems (IDS) Shayne Pitcock, CISSP First Data Corporation

2 Agenda Problem Description Issues for Consideration Mitigation of the Issues Options for Implementation of IDS Tools Quantifiable Metrics Conclusion 2

3 Problem Description Security/Network Operations Center Alert Monitoring Sensors Computing Systems Data Notify Training Identify tools & Procedures IDS Administrators Change as Required On Call SME for Alert Analysis Staffing & Expertise Escalate Activate Facilitation Response Team to Identify and Mitigate Risk Security Legal HW experts Application experts Operations PR HR 3

4 Issues for Consideration Security Policy Development Business Requirements for Using IDS Impacts to Computing Environment Security Alerts Integration and Management Resolution Incident Response 4

5 Security Policy Development Establishes corporate level need for IDS Approval Guidance Direction Establishes responsible organization for implementation and control of the IDS tools Establishes expected output of the IDS implementation Reports Incident Response Attack Mitigation 5

6 Business Requirements for IDS Federal mandate by GLBA and HIPAA Business partner connections Distributed business units within the company Specialized security alerting and analysis of suspicious activity 6

7 1. Electronic Sensing: NIDS Network Impacts to Computing Raw alarms HIDS Hosts Environment 2. Electronic Triage: Realtime alerting 4. Off-line analysis Off-Line Analysis Tools Database Filtered alarms Incident alerts 3. Correlation SOC: Incident alerts 5. Computing Emergency Response Team Technical monitoring & improvement Incident communication & coordination 8. Vulnerability Management: 7. IDS Team: 6. Virtual Incident Response Teams 7

8 Alert Integration and Mgt. Consolidating security alerts from multiple sources (firewalls, IDS, and network gear) Actively monitoring and responding to all alerts Managing the volume of security alerts Normalizing the alert data for common points of integration 8

9 Alert Resolution Correlating the various alerts from multiple security sources Evaluating the risk of suspicious activity Determining the level of vulnerability Determining what is within normal activity for the monitored environment Mitigating false positive alerts Communications with security, network, or operating system (OS) administrators Documentation 9

10 Alert Incident Response 10

11 Mitigation of the Issues - Program Management Approach Define Plan Fund Implement Test Deliver Maintain 11

12 Mitigation of the Issues - System Engineering Approach Define the requirements System design Build the pieces Test the pieces Integration testing System delivery Maintenance 12

13 Options for IDS Implementation Company Resources Out-Sourcing to Consultants or Managed Security Service Providers Utilizing Vendor Professional Services 13

14 Use Company Resources When Top Secret or Highly Sensitive Information (e.g. military, financial, or international). Company is diversified across geographical continents. Company has appropriate staff to support the implementation. Company is diversified across multiple business disciplines. An example is a company with both Government and Commercial business customers. 14

15 Use Out-Sourcing When Consultants Temporary addition to current staff Expertise beyond the current level of staff Jump-Start for an IDS deployment or alert monitoring operations Managed Security Service Providers 24 x 7 x 52 alert monitoring operations staff Alert consolidation and correlation Expertise for risk awareness and analysis False positive mitigation Alert resolution and incident escalation 15

16 Use Vendor Services When Single vendor approach to deployment of IDS tools. Single vendor providing a majority of the computing systems used by the company. To augment the expertise of company personnel. To provide indirect training of the product during implementation. 16

17 Reports Quantifiable Metrics Actions grouped according to company risk Suspicious Activity Attempted Intrusion Escalated Events Incidents for Resolution Top 10 suspicious IP addresses Numbers of high, medium, and low alerts System status of IDS tools 17

18 Conclusion IDS tools are good for specialized security alerting and analysis of suspicious activity. Implementing an IDS solution requires that a company address how they will monitor and resolve the associated alerts. Considerations for the 80% of the solution will greatly enhance the security posture. 18