Practical Intrusion Detection Handbook, The

About

Features

• Real-world case studies and practical checklists.

  • Shows students not only what intrusion detection software can achieve, but how to implement it. Ex.___

• Coverage of host-based, network-based, and hybrid solutions.

  • Introduces students to each approach, and then offers practical selection criteria and a review of the key factors associated with successful development. Ex.___

• Detailed selection criteria and sample RFPs.

• Six myths of intrusion detection—And the realities.

  • Enables students to understand how the technology actually works, and rids them of common misconceptions. Ex.___

• Explanations of methods and toolsets.

  • Presents students with information on detecting, deterring, responding to, and recovering from computer security threats. Ex.___

• Emphasis on internal and external threats.

  • Offers complete information on company and corporate information protection. Ex.___



Description

• Copyright 2001
• Edition: 1st

• Book
• ISBN-10: 0-13-025960-8
• ISBN-13: 978-0-13-025960-8

Intrusion detection systems are increasingly recognized as a key weapon in the war against computer crime. In The Practical Intrusion Detection Handbook, one of the field's leading experts shows exactly how to use them to detect, deter, and respond to security threats. This is the only intrusion detection book to present practical advice for the entire lifecycle: choosing products, planning, deployment, operations, and beyond. Full of checklists and real-world case studies, The Practical Intrusion Detection Handbook demonstrates exactly how to integrate intrusion detection into a total strategy for protecting your information and e-commerce assets. Paul E. Proctor introduces each approach to intrusion detection, including host-based, network-based, and hybrid solutions; then offers practical selection criteria; and reviews the key factors associated with successful deployment. You'll watch today's best intrusion detection systems in action, through response, surveillance, damage assessment, and data forensics. Finally, Proctor addresses the future of intrusion detection -- from standards and interoperability to law and ethics.



Sample Content

Downloadable Sample Chapter

Click here for a sample chapter for this book: 0130259608.pdf

Table of Contents

1. Introduction.

Security versus Business. What Is Intrusion Detection? The Most Common Intrusion Detection. Network- vs. Host-based Intrusion Detection. Anatomy of an Intrusion Detection System. Command Console. Network Sensor. Alert Notification. Response Subsystem. Database. Network Tap. Anatomy of an Intrusion Detection Process. Traditional Audit versus Intrusion Detection. Integrity Checkers. A Conceptual View of Misuse Detection. Detecting Deviations from Acceptable Behavior. Detecting Adherence to Known Unacceptable Behavior. Summary.

2. A Historical Perspective.

A Timeline. The Early Systems. Early Capabilities Comparison. Effectiveness. SSO Support/SSO Interface. Adaptability/Flexibility. Historical Lessons. Summary.

3. Network-Based Intrusion Detection Systems.

Introduction. Network-based Detection. Unauthorized Access. Data/Resource Theft. Denial of Service. Architecture. Traditional Sensor-Based Architecture. Distributed Network-Node Architecture. The Network Intrusion Detection Engine. Network Signatures. Operational Concept. Tip-Off. Surveillance. Forensics Workbench. Benefits of Network-based Intrusion Detection. Outsider Deterrence. Detection. Automated Response and Notification. Challenges for Network-based Technologies. Packet Reassembly. High-Speed Networks. Sniffer Detection Programs. Switched Networks. Encryption. Summary.

4. Host-Based Intrusion Detection Systems.

Introduction. Host-based Detection. Abuse of Privilege Attack Scenarios. Critical Data Access and Modification. Changes in Security Configuration. Architecture. Centralized Host-Based Architecture. Distributed Real-Time Architecture. Target Agent. Agentless Host-Based Intrusion Detection. Raw Data Archive. Operational Concept. Tip-Off. Surveillance. Damage Assessment. Compliance. Policy Management. Audit Policy. Detection Policy. Audit and Detection Policy Dependencies. Data Sources. Operating System Event Logs. Middleware Application Audit Sources. Application Audit Sources. Benefits of Host-based Intrusion Detection. Insider Deterrence. Detection. Notification and Response. Damage Assessment. Attack Anticipation. Prosecution Support. Behavioral Data Forensics. Challenges for Host-based Technologies. Performance. Deployment/Maintenance. Compromise. Spoofing. Summary.

5. Detection Technology and Techniques.

Introduction. Network Detection Mechanisms. Packet Content Signatures. Packet Header (Traffic) Analysis. Host-based Signatures. Single Event Signatures. Multi-event Signatures. Multi-host Signatures. Enterprise Signatures. Compound (Network and Host) Signatures. Signature Detection Mechanisms. Embedded. Programmable. Expert System. Other Techniques. Statistical Analysis. Metalanguage. Artificial Intelligence (Artificial Neural Network). Summary.

6. Intrusion Detection Myths.

Introduction. Myth 1: The Network Intrusion Detection Myth. The Network Intrusion Detection Revolution. Network Intrusion Detection Is Not Sufficient. What's the Difference Between Network- and Host-Based Detection? Comparing Host- and Network-Based Benefits. The Bottom Line. Myth 2: The False-Positive Myth. True/False Positive/Negative. Noisy Systems? There Is No Such Thing as a False-Positive. Bottom Line. Myth 3: The Automated Anomaly Detection Myth. Behavior Models. You Just Said There Are No False-Positives. The Training Problem (A Mini Myth). Anomaly Detection as Decision Support. Bottom Line. Myth 4: The Real-time Requirement Myth. Why Real-Time? The Costs of Real-Time. Real-Time versus In-Time. The Bottom Line. Myth 5: Inside the Firewall equals Insider Threat Detection. Insider Threats. Paradigm Shift. Bottom Line. Myth 6: The Automated Response Myth. Advertising. Automated Response = Risk. Characteristics of a Good Real-Time Automated Response. Bottom Line. Myth 7: The Artificial Intelligence Myth. New Attacks and AI. Root-Cause Analysis to Detect New Attacks. Bottom Line. Summary.

7. Effective Use.

Detecting Outsider Misuse (Hackers). Real-Life Misuse Example 1: Anomalous Outbound Traffic. Real-Life Misuse Example 2: Help! We're Being Swept! Detecting Insider Misuse. Real-Life Misuse Example 3: Unauthorized Access to Mission-Critical Data. Real-Life Misuse Example 4: Abuse of Privilege. Attack Anticipation (Extended Attacks). Real-Life Misuse Example 5: Embezzlement. Real-Life Misuse Example 6: Intellectual Property Theft. Surveillance. Real-Life Misuse Example 7: Surveillance. Policy Compliance Monitoring. Real-Life Misuse Example 8: User Logout at Night. Damage Assessment. Real-life Misuse Example 9: Corporate Espionage. Summary.

8. Behavioral Data Forensics in Intrusion Detection.

Introduction. Benefits of Behavioral Data Forensics. Data Mining. Forms and Formats. Data Volume. User-Centric versus Target-Centric Monitoring. Real-World Examples of Behavioral Data Forensics. Performance Improvement. Security. Workload Reduction. Security Policy. Data Mining Techniques. Data Presentation Refinement. Contextual Interpretation. Drill Down. Combining Data from Heterogeneous Sources. Combining Data from All-Band Resources. Behavioral data forensics Tutorial Examples. Example 1: Trending and Drill Down. Example 2: Target Browsing. Example 3: Critical File Browsing Trends. Example 4: Attack Anticipation (Tip-Off). Example 5: Target Overloaded. Other Examples. Summary.

9. Operational Use.

Introduction. Background Operation. On-demand Operation. Scheduled Operation. Real-time Operation. 2437 Monitoring. Incident Response. Escalation Procedures. Incident Triage. Incident Volume. Summary.

10. Intrusion Detection Project Lifecycle.

Introduction. Project Phases. Overlap. Resource Estimates. Calculating Total Cost of Ownership. Hidden Costs of Intrusion Detection. Project Planning/requirements Analysis. Acquisition. Pilot Phase. Deployment Phase. Policy Implementation. Promiscuous Network Sensor Deployments. Distributed Sensor Deployments. Tuning. Deployment Issues. Cultural. Legal. Politics. Target Ownership. Policy Management. Maintenance. Software Updates. Signature Updates. Summary.

11. Justifying Intrusion Detection.

Importance of Intrusion Detection in Security. Time-Based Security. Relaxing Access Controls. Threat Briefing. 1. CSI/FBI Study. A Recap of Misuse Examples. Insider Threats. Quantifying Risk. Problems with Quantitative Risk Assessment. Return on Investment. ROI and Risk Calculator. Behind the Scenes. Summary.

12. Requirements Definition.

Introduction. Tracking Nonrequirements. Developing a Requirements Document. What Are Your Goals For Intrusion Detection? Information Risk Management. Detection Requirements. Perimeter Threat Detection Requirements. Insider Threat Detection requirements. Compliance Monitoring Requirements. Response Requirements. Resource Classification. Using Intrusion Detection to Define Mission-Critical Data. Operations Requirements. Background Operations. On-Demand Operation. Scheduled Operation. Real-Time Operation. 24. ´ 7 Monitoring. Platform Coverage Requirements. Audit Source Requirements. Performance Requirements. Intrusion Detection System Performance. Network Resource Requirements. Scalability Requirements. Prosecution Requirements. Damage Assessment Requirements. Summary.

13. Tool Selection and Acquisition Process.

Introduction. Selection and Evaluation Process. Define Requirements. Conduct Research. Online Research. Conferences. Magazines. Request for Information. Establish Selection Criteria. Translate Environment-Specific Criteria. Criteria Weighting. Scoring. Evaluation. Conduct Evaluation. Request for Proposal. Cover Letter. RFP Example. Pilot Program. Speaking to References. Words of Wisdom. Summary.

14. Commercial Intrusion Detection Tools.

Introduction. Network (TCP/IP) Only. BlackICE/ICEcap—Network ICE. Dragon—Network Security Wizards. NFR ID Appliance—Network Flight Recorder. Secure Intrusion Detection System (NetRanger)—Cisco. Net Prowler—Axent. eTrust ID (Abirnet Sessionwall 23)— Computer Associates. Host-only Products. Computer Misuse Detection System (CMDS)—ODS Networks. Kane Security Monitor (KSM)—ODS Networks, Inc. SecureCom 8001 Internet Appliance (Hardware)— ODS Networks, Inc.? Intruder Alert (ITA)—Axent. PS Audit—Pentasafe. Operations Manager—Mission Critical. Hybrid Systems. Centrax—CyberSafe Corporation. Cyber Cop Monitor—Network Associates, Inc. RealSecure—Internet Security Systems. Summary.

15. Legal Issues.

Introduction. Law Enforcement/Criminal Prosecutions. Tort Litigation. Negligence Litigation. Better Technology. Y2K. Corporate Reluctance to Prosecute. Standard of Due Care. Responsibilities. One-Sided Liability. Evidentiary Issues. Rules of Evidence. Accuracy. Chain of Custody. Transparency. Case Study. Improving Evidentiary Veracity. Organizations. National White Collar Crime Center. National Cybercrime Training Partnership (NCTP). High Technology Crime Investigators Association (HTCIA). Summary.

16. Organizations, Standards, and Government Initiatives.

Introduction. Organizations. ICSA.net. SANS. Standards Bodies (Interoperability). What Should Be Standardized? Interoperability. Common Intrusion Detection Framework (CIDF). IETF Intrusion Detection Working Group (IDWG). Common Vulnerability and Exposures (CVE). U.S. Federal Government Initiatives. The National Security Telecommunications Advisory Committee (NSTAC). The Presidential Commission on Critical Infrastructure Protection (PCCIP). Presidential Decision Directive 63 (PDD-63). Summary.

17. Practical Intrusion Detection.

The Current State of Technology. The Future of Intrusion Detection. Network Intrusion Detection. Host-Based Intrusion Detection. Managed Services. Enterprise On-Demand Detection. Application Intrusion Detection. Standards for Interoperability. Prosecution Support. Real-Time versus In Time. Advice to Security Officers. Advice to Intrusion Detection Developers. My last Advice: Avoiding Confusion. Summary. After All.

Appendix A: Sample RFP.


Appendix B: Commercial Intrusion Detection Vendors.


Appendix C: Resources.


Index.

Preface

Preface

In the mid 1990s, Neil was an auditor for a major government agency in Canada. An inside embezzler had taken his agency for several million dollars and Neil was asked to help pick up the pieces. For over 6 months, Neil poured over transaction logs to trace the money, and figure out how it was done. A substantial amount of the money was never recovered.

On February 9, 2000 Amazon.com, E-Trade, and other pioneering ecommerce companies got hit with a distributed denial of service attack that collectively cost several million dollars. This electronic "Waterloo" changed the face of electronic commerce forever by highlighting the importance of effective detection and response in any successful on-line business.

In 1986, Dorothy Denning wrote a paper that set the stage for the development of commercial technologies that would provide detection, response, deterrence, and damage assessment. Intrusion detection, often misunderstood, provides the best chance for peace in an otherwise turbulent on-line world.

I've spent my career trying to get intrusion detection out of the research lab and into operational environments. I worked in intrusion detection research in 1988 to do a state of the art study for the U.S. Navy with the intent of deploying a system in an operational Navy environment. Then in 1990, I started work on generic testing paradigms to quantify the value of intrusion detection. In 1992, I designed the Computer Misuse Detection System (CMDS) at SAIC, one of the first commercial intrusion detection systems. CMDS saw real action and enjoyed some very large deployments starting in the mid 1990s. In 1997, I left SAIC to co-found Centrax Corporation and bring Intrusion Detection to the Windows NT masses. At Cybersafe I helped develop one of the first hybrid intrusion detection systems combining both network and host-based technologies.

I've researched systems, developed systems, deployed systems, sold systems, given seminars, and assisted investigations. This book was the next logical step. It was simple in concept: Write down everything I know about intrusion detection, make it understandable, and help businesses deploy operational systems.

You hold the results in your hands. This book will explain intrusion detection, dispel common myths, provide guidance on requirements and even help you acquire an intrusion detection system and operate it effectively throughout the entire project lifecycle. The format is designed to be readable. Anecdotes appear throughout to connect the information with the real world. Important points are punctuated and called out separately for emphasis and to make it easy to scan the text.

The book is divided roughly into thirds. The first third describes technology, the second effective operation, and the third project lifecycle. Near the end I provide a chapter on commercial products because this book is about using intrusion detection. These are your tools. This book is your manual.

Paul E. Proctor
February 12, 2000
35,000 Feet, Somewhere Over the Pacific Ocean



Updates

Submit Errata

