Intrusion detection systems are overhyped and underdelivered

Hardly a day goes by when IT security - or more to the point, an IT security scare of some description - doesn't make the headlines. Not surprisingly, the hype and scaremongering surrounding many of these stories frequently hides the real issues, and sometimes also leads companies into taking action that does not in fact address all of the underlying security vulnerabilities.

One of these issues is intrusion detection. It is overhyped and frequently results in unsuccessful implementations. Typically, there are two main underlying reasons for such failures: companies not wanting to acknowledge that technology is in fact only a small component in a management framework supported by people, processes and education; and unrealistic expectations of what that technology component can actually deliver (which is intrusion detection, not prevention).

The following is a summary of the recommendations made by Michael Rasmussen, a renowned security specialist with many years of practical experience.

Successful intrusion detection involves what Giga Information Group refers to as the "intrusion management process". This consists of four functional areas, all of which need the proper personnel, policies, education/awareness and technology assigned to them:

  • Vulnerability assessment. The ability to understand what an organisation is vulnerable to and how those vulnerabilities would impact the business if they were to be exploited.
  • Intrusion detection. The process of identifying security incidents at specific points (eg, network, host, application) in the enterprise.
  • Security event management. The ability to consolidate multiple sources of security incidents (eg, firewall logs, host-based intrusion detection systems (IDS), network-based IDS, application logs) and to relate security events together to identify the impact/scope of an incident on business operations.
  • Incident response. The process of successfully responding to an incident, whether the objective is solely to recover, or to bring the perpetrators to prosecution.
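The security event management function above is the one most easily shown in working code: several sources report the same underlying activity in different formats, and the value comes from relating them by asset and time so the scope of an incident is visible before anyone responds. The following Python is an added example, not code from the original column or from Giga Information Group; the log formats, host names, signature names and addresses are constructed for illustration, and the scoring rule (corroboration across independent sources weighs more than event volume) is a design choice of this example, not a recommendation from the article.

```python
"""Consolidating firewall, network-IDS and host-IDS records into ranked incidents.

Added example (not part of the original column). Every log format, host name
and address below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    source: str       # "firewall", "nids" or "hids"
    asset: str        # host the event concerns
    severity: int     # normalised 1 (low) .. 5 (critical)
    summary: str


@dataclass
class Incident:
    asset: str
    start: datetime
    end: datetime
    events: list = field(default_factory=list)

    @property
    def sources(self):
        return sorted({e.source for e in self.events})

    @property
    def score(self):
        # Independent corroboration counts more than the volume of events.
        return len(self.sources) * 10 + max(e.severity for e in self.events)


# One constructed record format per source.
FIREWALL_RE = re.compile(r'^(\S+ \S+) fw DENY src=(\S+) dst=(\S+) dport=(\d+)$')
NIDS_RE = re.compile(r'^(\S+ \S+) nids sig="([^"]+)" dst=(\S+) prio=(\d)$')
HIDS_RE = re.compile(r'^(\S+ \S+) hids host=(\S+) alert="([^"]+)" level=(\d)$')


def parse_event(line: str):
    """Normalise one raw log line into an Event; return None if it is unrecognised."""
    if m := FIREWALL_RE.match(line):
        ts, src, dst, dport = m.groups()
        return Event(datetime.fromisoformat(ts), "firewall", dst, 1,
                     f"denied {src} -> {dst}:{dport}")
    if m := NIDS_RE.match(line):
        ts, sig, dst, prio = m.groups()
        # The NIDS reports priority 1 (high) .. 3 (low); map it onto the 1..5 scale.
        return Event(datetime.fromisoformat(ts), "nids", dst, 5 - int(prio), sig)
    if m := HIDS_RE.match(line):
        ts, host, alert, level = m.groups()
        return Event(datetime.fromisoformat(ts), "hids", host, int(level), alert)
    return None


def correlate(lines, window=timedelta(minutes=10)):
    """Group events per asset into incidents while each event falls within
    `window` of the previous one; return incidents ranked by score, highest first."""
    events = [e for e in (parse_event(line) for line in lines) if e]
    events.sort(key=lambda e: e.ts)
    open_incidents = {}   # asset -> incident still accepting events
    closed = []
    for ev in events:
        inc = open_incidents.get(ev.asset)
        if inc and ev.ts - inc.end <= window:
            inc.events.append(ev)
            inc.end = ev.ts
        else:
            if inc:
                closed.append(inc)
            open_incidents[ev.asset] = Incident(ev.asset, ev.ts, ev.ts, [ev])
    closed.extend(open_incidents.values())
    return sorted(closed, key=lambda i: i.score, reverse=True)


# Constructed sample records (RFC 5737 documentation addresses, invented hosts).
SAMPLE_LOGS = [
    '2003-05-12 09:14:02 fw DENY src=203.0.113.7 dst=web01 dport=445',
    '2003-05-12 09:14:05 fw DENY src=203.0.113.7 dst=web01 dport=139',
    '2003-05-12 09:16:40 nids sig="SMB exploit signature" dst=web01 prio=1',
    '2003-05-12 09:19:12 hids host=web01 alert="new local administrator account" level=5',
    '2003-05-12 11:02:33 fw DENY src=198.51.100.9 dst=mail01 dport=25',
    '2003-05-12 14:45:00 hids host=db02 alert="failed login burst" level=3',
    '2003-05-12 15:10:00 hids host=db02 alert="failed login burst" level=3',
    'a line in a format nobody told the event manager about',
]


if __name__ == "__main__":
    for inc in correlate(SAMPLE_LOGS):
        print(f"{inc.asset:<7} score={inc.score:<3} sources={','.join(inc.sources)} "
              f"{inc.start:%H:%M}-{inc.end:%H:%M} events={len(inc.events)}")
```

Run as a script, the web01 activity (denied probes, a network signature and a host-level change on the same asset within minutes) rises to the top with three corroborating sources, while the two db02 bursts, 25 minutes apart, stay as separate lower-scored incidents and the unrecognised line is dropped rather than silently misfiled. In a real deployment the parsing, asset naming and time window are exactly the parts that need the people and process the column describes: a correlation engine only relates what someone has taught it to read.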

In a successful intrusion management process, all of these functions build upon one another. But it cannot be stressed enough that knowledge, expertise and process need to be leveraged in all of these areas to ensure companies are successful at identifying, prioritising and responding to security incidents.

In addition to Rasmussen's advice, there is another point worth touching upon in this context: media training and media relations.

Many of the security incidents we have seen in the UK have had a worse effect on a company's reputation than the incidents themselves warranted, simply because of how the company reacted to press inquiries. Contradictory, frequently careless statements, often from people in different parts of the organisation, are the most common problem, as they can easily make an organisation seem disorganised, incompetent, not in control or uncaring - or indeed all of the above.

You should nominate and name those people who will talk to the press in the event of an incident, and prohibit anybody else from doing so. Ensure that these nominees receive appropriate media training - it will be well worth the money, because it not only helps to safeguard your company's image, but also reduces the risk of potential lawsuits.

Martha Bennett is vice-president at Giga Information Group.