approaches in the aim of collecting information that can be used for comprehensive analysis.
Once data is collected, it is analyzed and correlated. Analysis can be done in batch mode (sometimes called interval-based) or in real time. Interval-based IDSs periodically collect log files and event information from the sensors and analyze these files for signs of intrusion or misuse. Real-time IDSs collect and analyze information continuously and can (sometimes) process the information quickly enough to detect an attack and possibly have the information available to initiate a prevention process. The analysis is based on signature analysis, statistical analysis, integrity analysis, or any combination of these methods. Signature analysis is based on patterns corresponding to known attacks or misuse of systems—commonly known as signatures. They may be as simple as strings of characters (e.g., a command or a term) that can be matched or as complex as a security state transition that can only be expressed as a formal state machine. Signature analysis involves matching system settings and user activities with a database of known attacks. The database of signatures is critical in ensuring effectiveness of the IDS, and this database needs to be continuously updated as new attacks are discovered. Statistical analysis looks for deviation from normal patterns of behavior, and possible intrusions are signaled when observed values fall outside of the normal range. These systems must be turned off in times when abnormal activity is normal (e.g., ecommerce sites in the holiday periods). Integrity analysis looks at whether some property of a file or object has been altered.
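The three analysis methods just described, shown side by side as an added illustration (this is example code, not from the book): a small Python analyzer over constructed database audit events, with signature matching on known misuse strings, a statistical check that flags counts outside the baseline range, and an integrity check that compares SHA-256 digests against a stored baseline. The event text, patterns, counts and file contents are all constructed for the example.

```python
import hashlib
import re
import statistics

# Constructed sample database audit events (user, SQL text); not from the book.
SAMPLE_EVENTS = [
    ("app", "SELECT id FROM orders WHERE cust = 17"),
    ("app", "SELECT id FROM orders WHERE cust = 18 OR 1=1 --"),
    ("dba", "DROP TABLE audit_trail"),
]

# Signature analysis: simple string patterns standing in for known misuse.
SIGNATURES = {
    "tautology": re.compile(r"\bOR\s+1\s*=\s*1\b", re.I),
    "drop_audit": re.compile(r"\bDROP\s+TABLE\s+audit\w*", re.I),
}

def signature_hits(events):
    """Return (user, signature name) for every event matching a known pattern."""
    hits = []
    for user, sql in events:
        for name, pattern in SIGNATURES.items():
            if pattern.search(sql):
                hits.append((user, name))
    return hits

def statistical_outliers(baseline, observed, k=3.0):
    """Flag (label, count) pairs more than k standard deviations from the baseline mean."""
    mean = statistics.mean(baseline)
    sd = statistics.pstdev(baseline) or 1.0  # avoid division by zero on a flat baseline
    return [(label, n) for label, n in observed if abs(n - mean) / sd > k]

def baseline_hashes(contents):
    """Record a SHA-256 digest per path so later changes can be recognised."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in contents.items()}

def integrity_changes(baseline, current):
    """Return paths whose content digest no longer matches the stored baseline."""
    return [path for path, data in current.items()
            if baseline.get(path) != hashlib.sha256(data).hexdigest()]

if __name__ == "__main__":
    print(signature_hits(SAMPLE_EVENTS))
    # Constructed hourly query counts: five baseline hours, then two observed hours.
    print(statistical_outliers([100, 110, 95, 105, 90], [("09:00", 104), ("10:00", 400)]))
    base = baseline_hashes({"db.conf": b"listen=localhost\n"})
    print(integrity_changes(base, {"db.conf": b"listen=0.0.0.0\n"}))
```

The statistical check illustrates the caveat in the text: a legitimately busy period would be flagged just like an attack unless the baseline is retrained or the check is suspended.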
IDSs monitor many things, and in doing so they can provide great benefits if used correctly. In many ways they bring together many disciplines. Some examples include the following:

IDSs monitor firewalls, PKI systems, and files that are used by other security mechanisms. In doing so they provide an additional layer of security to other security systems. One of the attack techniques often employed by hackers is to first attack the security layers (e.g., the firewall) with the hope that this will make their lives easier. Good IDS monitoring can help you learn of this type of attack and address it.

IDSs aggregate a lot of security information and logs and can make good use of them. Many of these log files are never inspected elsewhere, and even if an attack is recorded, no one is alerted of this fact.

IDSs are broad and can address many areas. For example, Tripwire is a host-based IDS that can recognize and report alterations to data files