9.8.1 Applied IA²: IDS
Intrusion detection systems (IDSs) are an integral part of the defense-in-depth philosophy. Defense-in-depth uses preventive, detective, and reactive measures to safeguard information and information technology. While a firewall is a preventive security mechanism that filters traffic between network segments, an IDS is a detective/reactive security mechanism. If an intruder makes it past the firewall, the IDS may detect host or network activity outside normal operating parameters and send a notification to the security operations center (SOC) or invoke an automated reactive procedure (e.g., shut down Internet access).
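The detective/reactive split described above, as an added illustration that is not part of the original text: a small Python detector runs two rules over a constructed connection log (the log lines, the `10.0.0.0/8` "internal" convention, the thresholds, and the rule names are all assumptions made for this example), emits alerts for the SOC, and escalates the higher-severity rule to an automated reactive action equivalent to cutting the host's Internet access.

```python
"""Minimal detective/reactive IDS logic over a constructed connection log.

Two rules are evaluated per source host:
  * port-sweep        -> notify the SOC (detective measure)
  * excessive-egress  -> notify the SOC and block egress (automated reactive measure)
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (example data, not from the original text).
# Format per line: "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <bytes_out>"
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 -> 10.0.0.20:443 1200
2024-01-01T09:00:02 10.0.0.5 -> 10.0.0.20:443 900
2024-01-01T09:00:05 10.0.0.9 -> 10.0.0.20:22 300
2024-01-01T09:00:05 10.0.0.9 -> 10.0.0.20:23 300
2024-01-01T09:00:05 10.0.0.9 -> 10.0.0.20:25 300
2024-01-01T09:00:06 10.0.0.9 -> 10.0.0.20:80 300
2024-01-01T09:00:06 10.0.0.9 -> 10.0.0.20:110 300
2024-01-01T09:00:06 10.0.0.9 -> 10.0.0.20:139 300
2024-01-01T09:00:10 10.0.0.7 -> 203.0.113.8:443 52428800
2024-01-01T09:00:11 10.0.0.7 -> 203.0.113.8:443 31457280
"""

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\d+)$")


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str
    action: str  # "notify_soc" (detective) or "isolate_host" (automated reactive)


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port, bytes) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped, never trusted
        ts, src, dst, port, nbytes = m.groups()
        records.append((ts, src, dst, int(port), int(nbytes)))
    return records


def is_internal(ip):
    # Assumption for this example: 10.0.0.0/8 is the protected network.
    return ip.startswith("10.")


def detect(records, max_ports_per_src=5, max_external_bytes=50 * 1024 * 1024):
    """Apply the two rules; thresholds are assumed 'normal operating parameters'."""
    ports_seen = defaultdict(set)   # src -> set of destination ports contacted
    egress_bytes = defaultdict(int)  # src -> bytes sent to external addresses
    for _ts, src, dst, port, nbytes in records:
        ports_seen[src].add(port)
        if not is_internal(dst):
            egress_bytes[src] += nbytes

    alerts = []
    for src, ports in sorted(ports_seen.items()):
        if len(ports) > max_ports_per_src:
            alerts.append(Alert(src, "port-sweep", "medium", "notify_soc"))
    for src, total in sorted(egress_bytes.items()):
        if total > max_external_bytes:
            alerts.append(Alert(src, "excessive-egress", "high", "isolate_host"))
    return alerts


def respond(alerts):
    """Map alerts to SOC notifications and reactive actions; returns the actions."""
    actions = []
    for a in alerts:
        actions.append(("soc-ticket", a.host, a.rule))  # every alert reaches the SOC
        if a.action == "isolate_host":
            # Automated reactive step: cut the host's Internet access.
            actions.append(("block-egress", a.host, a.rule))
    return actions


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    for action in respond(found):
        print(action)
```

Only the high-severity rule triggers an automated response; the port-sweep rule stays notify-only so that an analyst, not the sensor, decides whether an internal scan is hostile or a misconfigured monitoring job.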
A business driver behind IDS is to protect mission integrity with respect to confidentiality, integrity, and availability. A technical driver behind IDS is defense-in-depth.
Examples of compliance requirements and guidelines that cover IDS are:
- NIST SP 800-18: Security Plan Guide, p. 34; SP 800-18 includes intrusion detection tools as part of data integrity/validation controls, audit trails (p. 45), and incident response capability (p. 57).
- DISA Network Infrastructure Security Checklist v. 5 r. 2.1 specifies intrusion detection.
- ISO 17799 mentions intrusion detection as part of monitoring system use.
- COBIT mentions intrusion testing and reporting in access control objectives.
- DoD Instruction 8500.2 addresses the need for host-based and network intrusion detection systems.
9.8.2 Policy
NIST SP 800-31: Intrusion Detection Systems provides guidance on the need for and content of IDS policy:
- Define the functional goals of the enterprise.
- Consider how formal the system management and operations structure is.
- Organizational security goals and objectives:
  - Outside threat focus
  - Inside threat focus
  - Balance
- IDS as a pure security tool or operations management tool; for example, IDS may point out performance degradations.
Remember, compliance requirements include externally imposed requirements (legislation) as well as internally imposed requirements (a security standard like ISO 27001 or ISO 27002).
NIST SP 800-31: Intrusion Detection Systems, pp. 28-30.