112 ◾ Security Strategy: From Requirements to Reality
Let’s take Network Intrusion Detection (NID), Host Intrusion Detection (HID), Application Intrusion Detection (AID), and Data Intrusion Detection (DID) as examples. Security professionals understand that the closer the control is to the target, the more effective it will be; yet, enterprises insist on investing huge amounts of money in Network and Host Intrusion Detection systems (NIDS and HIDS). Why? We all understand that the primary target of an attacker is data. We have also seen a major shift of attacks from operating system (OS) and network to applications. Why aren’t we focusing on data and application intrusion detection systems (DIDS and AIDS)? These are much more valuable, especially in cloud-based scenarios where an attacker with a stolen credit card can bypass all the network and host security controls and directly attack the application and its data sources. NIDS and HIDS have very limited value in this scenario; however, AID and DID systems would not only work, but would be far more accurate (have fewer false positives) than their host and network counterparts. If we apply the principle of economy of force, we can eliminate NID and HID systems, rid ourselves of tons of near worthless data, and substantially reduce the time and/or computing power it takes to identify and respond to an attack. Is this what the industry is emphasizing? No! Instead, the industry is saying that the way to economize is to outsource the monitoring and analysis of all this worthless data to a managed security service provider (MSSP). That may be cost reduction, but it’s not economy of force.
If you’re a security professional reading this, you’re probably thinking the authors are heretics, and if you’re an executive manager you’re probably thinking we’re saviors. Actually, neither label is correct. All we are trying to say is that our tactics need to focus on what really matters and on what produces the best results. If you are sure your systems are well configured and are resistant to attack, why do you care if there are malformed or attack packets on your network (provided they aren’t impacting system performance)? Again, please don’t misinterpret what we’re saying: We are not saying these packets should be ignored (the source should be tracked down and eliminated if possible), but as long as they are not a threat to your data, they do not warrant an immediate response. If our force is sufficiently equipped to defend our prize possession (i.e., data), expending resources on these other forms of intrusion detection is a complete waste.
Intrusion prevention has similar issues: It is looking for specific abnormal behaviors, but the kinds of behaviors that put data at risk such as query return size aren’t within the scope of network or host intrusion prevention systems. A good AIDS or DIDS would recognize and limit the response or salt the response with bogus records (which could be used to detect and repel further attacks). The obvious question is, “Where do you get AIDS and DIDS systems?” That’s a good question: At this writing, a small number of companies offer Web application intrusion detection solutions, and no one offers DIDS solutions. That’s bad news for people looking for off-the-shelf solutions. If you build software in-house, there is a decent body of research to help you add these features to your software and data management solutions (see Chapter 11).
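The two DIDS behaviors the paragraph describes, limiting an oversized query response and salting it with bogus records that later betray their own misuse, are small enough to show in code. The following Python monitor is an added illustration written for this page, not code from the book or from any product; the `DataMonitor` class, the `CUSTOMERS` table, the `CANARY_KEY` secret and the `max_rows` budget are all constructed assumptions. It sits between an application and its data source, caps the number of rows any single caller receives, records an alert when a result set exceeds the budget, appends one decoy record per caller, and reports whose result set a decoy came from if that decoy value is ever presented back to the application.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Constructed per-deployment secret used to derive decoy identifiers
# (assumption: a real deployment would load this from a secret store).
CANARY_KEY = b"constructed-example-key"

# Constructed sample table standing in for the customer data a web
# application queries; 200 rows is deliberately more than the budget below.
CUSTOMERS = [{"id": i, "email": f"user{i}@example.com"} for i in range(1, 201)]


@dataclass
class Alert:
    caller: str   # application identity that issued the query
    kind: str     # "oversize-result" or "canary-used"
    detail: str


@dataclass
class DataMonitor:
    """Data-layer intrusion detection wrapper around query results."""
    max_rows: int = 50                         # per-query return-size budget
    alerts: list = field(default_factory=list)
    issued: dict = field(default_factory=dict)  # decoy value -> caller it was given to

    def canary_for(self, caller: str) -> dict:
        """Derive a caller-specific decoy record; same caller always gets the same decoy."""
        tag = hmac.new(CANARY_KEY, caller.encode(), hashlib.sha256).hexdigest()[:10]
        return {"id": 0, "email": f"cust-{tag}@decoy.example"}

    def guard(self, caller: str, rows: list) -> list:
        """Limit an oversized result set and salt it with the caller's decoy record."""
        if len(rows) > self.max_rows:
            self.alerts.append(Alert(caller, "oversize-result",
                                     f"{len(rows)} rows matched, {self.max_rows} returned"))
            rows = rows[: self.max_rows]
        canary = self.canary_for(caller)
        self.issued[canary["email"]] = caller
        return rows + [canary]

    def inspect_input(self, value: str) -> Optional[str]:
        """If an inbound value is one of our decoys, alert and return the caller it was issued to."""
        caller = self.issued.get(value)
        if caller is not None:
            self.alerts.append(Alert(caller, "canary-used",
                                     f"decoy {value} presented back to the application"))
        return caller


def query_customers(monitor: DataMonitor, caller: str, limit: int) -> list:
    """Constructed stand-in for a data-access call routed through the monitor."""
    return monitor.guard(caller, CUSTOMERS[:limit])


if __name__ == "__main__":
    m = DataMonitor(max_rows=50)
    result = query_customers(m, "app-user-7", 200)   # asks for far more than the budget
    print(len(result), "rows returned;", m.alerts[0].kind)
    decoy = result[-1]["email"]
    print("decoy traced to:", m.inspect_input(decoy))
```

Because each decoy is an HMAC of the caller identity, a decoy seen later in a login form, a search field or an outbound e-mail points directly at the result set it was planted in, which is the "detect and repel further attacks" use the paragraph has in mind. The row budget is a blunt instrument; a production DIDS would derive it from per-caller baselines rather than a single constant.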
The economy principle focuses resources on the most effective and efficient tactics and control objectives. The principle balances technological costs with process and force economy to simplify data protection tasks and reduce operational overhead.
Maintenance of Reserves (Coverage) Principle
Maintaining an adequate reserve force allows the respondent to react quickly to attacks and unexpected developments. In the military it is customary to keep about a quarter of the forces in reserve. In a corporate context it’s easier to think of this principle as the coverage principle—having sufficient resources to effectively manage security operations, respond to attacks, and deal with other unexpected events. Coverage begins with people. Nothing trumps a well-trained staff