Security Business Issues

Overview

Your organization has worked hard to ensure that the correct security measures are in place. Intrusion detection and prevention is a method of identifying and mitigating the impact of attacks that can breach existing security measures. Therefore, it can be used by an organization to ensure that it is showing due care.

A successful intrusion detection and prevention program hinges critically on many business issues. An organization may have the technically best intrusion prevention technology in place, but if the cost, planning, processes, and operations are not dealt with properly, the entire initiative can result in failure. Management support of the initiative is vital, and a clear and concise business case needs to be clearly demonstrated. Implementation should be accomplished in a phased manner to help manage the risks of the initiative.

This chapter sets out to explain why you need intrusion detection, how to justify the cost of such a program, and how to determine the return on investment (ROI) of implementation and the acquisition process. If you are prepared to determine and deal with these issues, your chances of implementing a successful intrusion detection and prevention program will improve significantly. We will also discuss managing a successful intrusion detection and prevention program with deployment issues.

The Business Case for Intrusion Detection and Prevention

The first place to start is by understanding the need for intrusion detection and prevention for your organization. Establishing the need is critical for management buy-in and for the program to be effective. An intrusion detection and prevention program needs to be implemented for the following reasons:

Overall Security Strategy

Can implementing an intrusion detection and prevention program help better manage risk in your organization’s environment without impacting business processes? Is an intrusion detection and prevention program a part of your overall business strategy? These are important questions that need to be addressed. The organization’s business goals need to be examined and discussed with executive management. In addition, it is important to determine what type of compliance the organization may be subject to. For example, if the company deals with personal health information, it may need to comply with HIPAA privacy requirements; if it’s a financial institution, it will need to deal with the Office of Thrift Supervision (OTS). These regulatory bodies are likely to be a part of the organization’s strategy and will have an impact on your intrusion detection and

prevention strategy. Many of these regulatory issues are discussed in Chapter 15.

After gaining a solid understanding of business strategy, the organization must determine whether this strategy fits with its security strategy. Typically, some sort of risk assessment sets the strategy for an organization and allows it to determine what security controls can be put in place to mitigate defined risks. IDS/IPS can be used to help manage an organization’s risk in environments where insecure services are needed to allow the business to operate. The following questions need to be asked: Are sufficient security controls currently in place? What are the risks? How are the risks being measured? After answering these questions, the organization can determined whether intrusion detection and prevention fits into the plan.

Cost is also an issue. What has the organization budgeted for the security strategy, and will the cost of implementing an intrusion detection and prevention program fit this budget? Later in this chapter, we will deal with determining the ROI of an intrusion detection system (IDS) and the value to the organization, but at this point it is important to understand the initial outlay in cost, including not only the hardware and software, but also the staff, training, and time involved.

Finally, as discussed in Chapter 1, an organization needs to have defense-in-depth. Multiple layers of security must be present. An intrusion detection and prevention program can be a successful part of this program; it will allow detection and automated prevention capability that other technologies may not have. Network intrusion-prevention systems (IPSs) allow an organization to enforce the security policy.

  Note

An important, and often overlooked, use for an intrusion detection and prevention system is to monitor continuously the effectiveness of the current security infrastructure. The system can be set up to monitor and notify you when, for example, unexpected traffic is found on the “wrong” side of the firewall.

Attack Metrics

One of the most powerful aspects of implementing an intrusion detection and prevention program is that you can obtain measurable metrics of actual attacks against your organization’s network. You have quantitative data to measure what your network is dealing with, which will help you put other compensating security controls in place to mitigate these threats. Following are examples of some quantitative data that can be useful:

Proactive vs Reactive Technology

Much of the technology deployed on a network is reactive in nature. For example, firewalls will react and block a port after an unauthorized attempt, but with intrusion prevention and some intrusion detection capabilities, you are able to be proactive in attack situations. Being proactive means you actively look for anomalies of what may be the start of an attack before it happens. Proactive response methods are still in their infancy, but technology is progressing. By being proactive, you can better manage risk in your organization’s environment without impacting the business processes.

IDS Deployment Cossts

When considering costs, it is important that you evaluate three areas: the infrastructure cost, the residual costs, and the support costs (see Table 16-1). This section will look at each of these in more details to help you determine the cost of implementing a successful IDS/IPS system.

Table 16-1: IDS Deployment Cost Estimates

Infrastructure Expenses

Item

 

Cost

Units

Total

Hardware

Sensors

 

$250

10

$2500

 

Taps

 

$100

10

$1000

 

Software

 

$7500

1

$7500

 

Server

 

$2000

1

$2500

Service Hours

Internal

 

$35

1000

$35,000

 

External

 

$125

100

$12,500

Subtotal

       

$61,000

Residual Expenses

         

Hardware

Bandwidth

 

$5000

1

$5000

 

Cabling

 

$1250

1

$1250

 

Switches

 

$900

3

$1800

 

Other

       

Service Hours

Internal

 

$35

200

$7000

 

External

 

Subtotal

       

$15,050

Support Expenses

         

Hardware

Upgrades

 

Service Hours

Internal (yearly)

Analysis

$35

1000

$35,000

   

Response

$35

500

$17,500

   

Admin

$35

3000

$105,000

 

External

Consult

$125

200

$25,000

Subtotal

       

$182,000

Total

       

$258,550

Infrastructure costs are the costs in setting up the actual IDS/IPS system. You will need to determine what hardware and software you will need, what consulting services you may need, and the number of hours needed to install the hardware and software and deal with network connectivity issues. Another important factor to consider is the cost of educating the technical staff on the proper use of the product. Even if staff members educate themselves, a non-trivial cost can affect the company because some other project is not getting done while the staff is learning to use the product.

Residual costs include extra cabling, more bandwidth, and new networking hardware. Finally, you must consider the support costs related to keeping the IDS/IPS up and running. This will include hardware and software upgrades and time spent on analysis and responding to events, upgrading and tuning the systems, and basic administration. In determining these costs, you may find it helpful to talk with organizations of similar size and with similar security needs.

Justifying the Cost

Once you have determined a solid need to implement an intrusion detection and prevention program, you will need to justify the cost. This is typically accomplished in one of two ways:

Determination of the HROI can be accomplished by finding the annual loss expectancy (ALE), which can be figured by first looking at the single loss expectancy (SLE)—the expected impact of a specific one-time event in some terms, usually monetary, on the organization. An SLE is usually derived from formal documentation on business impact or a business impact analysis (BIA). The SLE is not a precise number but and estimate. Once the SLE has been determined, the annual rate of occurrence (ARO) of an event should be determined. The ARO is done on an annualized basis in which the frequency of an event is to occur. This data can be derived from industry research or your own attack metrics. For example, if a threat occurs once every three years, it has an ARO of 1/3 or 0.33, while a threat happening five times in a year has an ARO of 5/1 or 5.0. To arrive at the ALE, use the following formula: Single Loss Expectancy (SLE) X Annual Rate of Occurrence (ARO) = ALE

TheALEcan be used to justify the need for intrusion detection and prevention. For example,-let’s say you want to protect a mission-critical server that holds customer data. If damaged or destroyed, the server itself is valued at $5000, but the loss of information and reputation could be valued at $10,000,000. You have determined that the SLE for this asset is 70 percent and theAROis once in every three years or 0.33. Using the formula, we would determine the ALE to be $2,310,000. From this information, management can determine whether it is justifiable to implement a $500,000 IDS or IPS system for protection of this asset.

  Note

The determination of the ALE can be accomplished for the entire IT infrastructure or for specific mission-critical technologies, such as proprietary systems or payroll servers. The determination of how this should be done lies within the practicality of obtaining the data. In a smaller organization, determining the ALE for the entire enterprise can be effective, but as the organization grows, this can become an insurmountable task, and it may be more practical to determine the ALE only for mission-critical technologies or areas. This format becomes less and less useful as resources become less and less centralized.

Acquisition

After you have determined the need for the technology and the ROI, you can start the acquisition process. Most organizations have their own process in place to acquire new products. Thus, discussing the detailed acquisition processes of writing a request for information (RFI), request for proposal (RFP), and request for quotes (RFQ) won’t add value to this book. But because providing specific information relating to the acquisition of intrusion detection and prevention will prove valuable, we will look at the basic acquisition steps and then examine what to look for that’s specifically related to IDS or IPS. The steps are

  1. Define your organization’s requirements.
  2. Research the IDS/IPS products.
  3. Select a vendor’s product to test.
  4. Test the product.
  5. Select the product.

Requirements

When defining the requirements for your organization, consider the cost and purpose. In a perfect world, money would not be an issue and you would just implement the “best of breed”—but this is not a perfect world. Therefore, you need to consider what an IDS or IPS costs. Cost is one of the many advantages to open-source (free) applications such as SNORT. But there are also some financial advantages to going with a commercial product, such as liability for the product and better support. You also need to determine what it is you are trying to accomplish by implementing this technology. Do you want to be more reactive to intrusions? Maybe you want to be more proactive because you are aware of intrusions that exist on your network? Or maybe it is both of these. You also want to identify specific objectives, including the ability to

You may find it useful to put all of your requirements, monetary considerations, goals, and objectives into a matrix for each product. The matrix can be created based on the requirements you define and then filled in with your research and testing results, as exemplified in Table 16-2. (Rate each product 1–5; 1 being the lowest rating and 5 the highest.)

Table 16-2: Example of a Requirements Matrix

Requirement

Product A

Product B

Product C

Cost

4

5

3

Host Log analysis

5

3

4

Detect DoS attacks

3

4

2

Detect attacks against your web server

3

3

4

Detecting attacks against firewalls

3

3

5

Detecting attacks against routers

2

2

3

Forensic capabilities

3

3

4

Ability to handle evasion techniques

5

4

5

Scalability

4

4

4

Log analysis

2

3

3

Reporting

5

4

5

Attack detection

4

5

5

False alert handling

5

4

5

OS support

Windows

Linux

HPUX

AIX

Solaris

5

4

4

5

5

5

5

4

5

5

Target monitoring

3

4

3

Total

68

61

73

Research

When researching an IDS/IPS product, you can collect data from three main sources: peer-reviews, third-party analysis, and testing materials. Testing will be covered in detail a little later in the chapter. Peer review would entail gathering information from other companies about the product and getting their input on what has and has not worked for them. This can be done at industry conferences, via message boards, and at other security-related events where security administrators can share their experiences. Third-party analysis is done by groups that test IDS capabilities. One such group is Open Security Evaluation Criteria (OSEC), a trademark of Neohapsis, which provides a framework for evaluating the security functionality of networked products. OSEC is currently testing various IDS systems for the following:

Results for OSEC’s most recent finding can be found at http://osec.neohapsis.com/ results/.

Vendor Selection

Vendor selection is the evaluation of the vendor after you have decided that the vendor’s product is worthy of testing. It is important that you take a look at the following qualities in a company:

In addition, the questions that you ask are important, such as the following:

Testing

Testing allows you to evaluate the product’s performance on your network. This process can help you to

Generally, testing can be done quantitatively or comparatively. In quantitative testing, multiple IDS/IPS applications are tested against the same exact traffic or a baseline. In comparative testing, the IDS/IPS applications are tested against each other. While quantitative tests are scientifically valid, they can be more complex to implement. Comparative tests will allow you to see which IDS/IPS performs best against the others.

At the beginning of this process, you should determine what you want to measure. The following is a common list of measurable attributes, which may vary depending on your organization’s circumstances:

It is important that you have someone with expertise with IDS/IPS evaluate the results for these tests. This may mean you will need to hire a consultant. Measuring the differences between Network Intrusion Detection Systems (NIDS) and host-based intrusion-detection system (HIDS) can be difficult and beyond the basics of attacks detected versus attacks launched. Also important to note is that it is best if real network traffic is used for the tests, because synthetic load generators are designed more for testing routers than IDS/IPS. Most synthetic load generators will provide pseudo-random traffic, which is rarely seen on a production network unless it’s under attack. Another important issue to consider is the presence or absence of network devices such as routers and firewalls, as in a production environment you are likely to see them both.

Selection

The final step is to make a selection based on the requirements, research, and testing that has occurred. This information can be put into a matrix similar to the requirements matrix discussed earlier.

Managing Intrusion Detection

This section will cover some other important issues in managing a successful intrusion detection and prevention program: deployment and managing in a distributed environment.

Deployment

Once an intrusion detection or prevention technology has been selected, it is time for implementation of the technology. The basic steps to a successful implementation are

  1. Having a well-planned policy
  2. Installing the software
  3. Planning for and hiring staff resources

We will briefly provide a high-level overview of what policy planning needs to occur. Each IDS or IPS will have its own specific issues that will need to be dealt with on an individual basis. In Chapter 15, we discussed policies and procedures; during the implementation process, you need to use your organization’s policies as a guide to what needs to be considered at this stage. You must also consider how IDS will fit into your organization’s incident response plan.

Once the policy is determined, the next logical step is to install the software, which usually involves an installation of the IDS manager. Once the manager is installed, you will be able to install agents. This step is often the point at which problems arise as you may deal with trust relationships between agents and managers and communication issues. If you do not have experienced staff, it is highly suggested that you obtain outside assistance from the vendor.

  Note

Most successful implementations have taken place in small steps rather than by trying to get everything working correctly on the first try with the whole complex rule set.

Once a successful implementation plan is in place, it is important that you plan for resources. The first resource to plan for is staffing. It is important to have trained individuals who understand your unique network. While some organizations have monitoring done by a third party, resident experts are still necessary to help with issues that arise. In some cases, if you do not have the experienced staff, you will need to provide training, and staff will need ongoing training to keep them abreast of new threats and issues.

Managing in a Distributed Environment

Managing IDS in a distributed environment offers many challenges. This section will discuss some of the issues that occur in dealing with a distributed environment. You can handle your setup in two ways: use a decentralized setup where each location manages its own agents (sensors), or use a decentralized environment that is managed from one location.

Managing a decentralized environment has the advantage of a less complicated setup that can be managed locally, and information can be communicated with the other locations as needed. However, in a decentralized environment, the cost of more equipment, difficulties in data correlation, inconsistent management across the enterprise, and operational inefficiencies may prove to be disadvantages. Managing on a centralized basis, in most cases, is a better solution in a distributed environment.

Another issue to consider is the communication across a distributed environment. With one location in Lisbon, Spain, and another in Chicago, how do you send large amounts of highly sensitive data, such as agent activity with IP addresses and server names, across securely and efficiently? One way to do this is to use the native communications built into the IDS. It may be possible to transmit this information over a private line, such as a T1 line, depending on your company’s capabilities. When a private line is not available, you can use a virtual private network (VPN).

Summary

This chapter examines the various business cases for implementing an intrusion detection and prevention program. These include the being proactive, building to one’s security strategy and having measurable metrics to validate your security measures. In addition, it discusses justification of an IDS/IPS program and being able to determine the ROI of the implementation. The chapter also reviews issues dealing with selecting and implementing the correct product for your particular organization.

Категории