152 ◾ Security Strategy: From Requirements to Reality
from multiple devices, they can match events from across the environment and identify activities that might otherwise go unnoticed. For example, collating physical access logs with logical access records can identify compromised or shared accounts. If someone isn’t in the office but is logged on to the network locally, either he tailgated through an entrance or his account has been compromised; both events constitute unauthorized activity. Automated log analysis can be done in-house or outsourced to a Managed Security Solution Provider (MSSP). While this is not the best overall solution, it does provide both near real-time detection and a good stopgap measure until application- and data-intrusion detection solutions become available. (For additional information on these technologies see Chapter 11.)
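The badge-versus-logon correlation described above, written out as an added example (not code from the book): it parses constructed badge and logon records, builds per-user presence intervals from badge-in/badge-out pairs, and flags local logons by accounts that were not on the premises at the time, plus accounts used locally on more than one workstation as a shared-account indicator. The log formats, user names and hosts are all invented for the example.

```python
"""Correlate physical badge records with local network logons.
Constructed sample data; log line formats are assumptions for this example."""
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

# Constructed badge log: one badge-in / badge-out event per line.
BADGE_LOG = """\
2010-08-18T07:55:00 badge-in user=alice door=main
2010-08-18T08:02:00 badge-in user=bob door=main
2010-08-18T12:10:00 badge-out user=bob door=main
2010-08-18T17:30:00 badge-out user=alice door=main
"""

# Constructed logical-access log. Only type=local logons are checked against
# presence; VPN logons are expected to originate off-site.
LOGON_LOG = """\
2010-08-18T08:10:00 logon user=alice host=ws-12 type=local
2010-08-18T08:15:00 logon user=carol host=ws-07 type=local
2010-08-18T13:05:00 logon user=bob host=ws-03 type=local
2010-08-18T14:00:00 logon user=alice host=ws-40 type=local
2010-08-18T14:00:00 logon user=dave host=vpn-gw type=vpn
"""


def parse(log: str) -> Iterator[Tuple[datetime, str, Dict[str, str]]]:
    """Yield (timestamp, action, fields) for each 'ts action k=v ...' line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, action, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        yield datetime.fromisoformat(ts), action, fields


def presence_intervals(badge_log: str) -> Dict[str, List[Tuple[datetime, datetime]]]:
    """Build per-user [badge-in, badge-out) intervals.
    A badge-in with no matching badge-out is treated as still on the premises."""
    open_in: Dict[str, datetime] = {}
    intervals: Dict[str, List[Tuple[datetime, datetime]]] = {}
    for ts, action, f in parse(badge_log):
        user = f["user"]
        if action == "badge-in":
            open_in[user] = ts
        elif action == "badge-out" and user in open_in:
            intervals.setdefault(user, []).append((open_in.pop(user), ts))
    for user, start in open_in.items():
        intervals.setdefault(user, []).append((start, datetime.max))
    return intervals


def correlate(badge_log: str, logon_log: str) -> List[Tuple[str, str, str, str]]:
    """Return findings as (indicator, user, host(s), timestamp) tuples:
    - not-on-premises: a local logon while the account holder was not badged in
      (tailgating or a compromised account, per the text)
    - multi-host-local-logon: one account used locally on several workstations,
      a heuristic indicator of a shared account"""
    present = presence_intervals(badge_log)
    findings: List[Tuple[str, str, str, str]] = []
    hosts_by_user: Dict[str, set] = {}
    for ts, action, f in parse(logon_log):
        if action != "logon" or f.get("type") != "local":
            continue
        user, host = f["user"], f["host"]
        in_office = any(start <= ts < end for start, end in present.get(user, []))
        if not in_office:
            findings.append(("not-on-premises", user, host, ts.isoformat()))
        hosts_by_user.setdefault(user, set()).add(host)
    for user, hosts in hosts_by_user.items():
        if len(hosts) > 1:
            findings.append(("multi-host-local-logon", user, ",".join(sorted(hosts)), ""))
    return findings


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, LOGON_LOG):
        print(finding)
```

With the sample data, carol (never badged in) and bob (badged out at 12:10, logged on at 13:05) are reported as not on the premises, and alice is reported for local logons on two workstations. In production the same logic would run over the SIEM's normalized events; the open-interval handling matters because badge-out records are frequently missing when people leave behind a colleague.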
Improving IT event detection involves people, processes, and technology. Intrusion detection systems, intrusion prevention, and antimalware are examples of commonly used real-time IT detection technologies. Automated log processing is another alternative that provides near real-time detection. Process-based periodic log and audit trail review is another option that provides after-the-fact detection. All these techniques have their advantages and disadvantages. The closer the detection is to the protected asset, the more effective and accurate it will be. It is best to employ technologies that have commonality with other security controls to make alert processing, data transfers, and reporting more effective. No matter which technologies you decide on, remember that a well-trained and skilled staff is essential to achieving the best operational results.
Alarming

Thus far we have concentrated on the first two components of observation: monitoring and detection. This section addresses the third component: alarming.
Whether our reconnaissance and sentry is human or electronic, the purpose is the same: to monitor the scene, note changes, and raise an alarm when malicious or potentially malicious activity is detected. Alarming is based on the severity of the event. Severity is determined from a number of different classes that are environment-dependent. For example, events that pose an imminent (or manifest) danger to safety or security are considered critical events. Events that affect a large number of systems or users are also critical events, as are events affecting high-value assets. These events require an immediate response, so alarms are sent directly to response personnel. In larger organizations, the response agency would typically be the security operations center; in smaller organizations, alerts may be sent to a text pager, cell phone, or other alerting device. For critical events it is best to have more than one communications channel for alerts and a positive acknowledgment system to verify the alert has been received. Critical events call for an immediate activation of the emergency or incident response function.
The second class of events is important events—events that pose an immediate danger to safety or security. Because these also require an immediate response, they are also sent directly to response personnel. Important events may require a partial activation of the emergency or incident response function. The difference between critical and important is the impact (loss potential) of the attack—such as an attack against a limited number of systems or lower value assets. An attack against systems in the DMZ is a good example. The attack may have the potential of compromising or defacing a Web server, but it will not impact the business operations of the internal network.
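The three alarm classes this section describes (critical, important, and moderate), together with the routing rules it attaches to them, as an added example that is not from the book: events are classified from the factors the text names (danger to safety, likelihood of success, number of systems affected, asset value), critical alarms go out on two channels and require positive acknowledgment, important alarms go directly to responders, and moderate alarms are queued without an immediate response. The threshold for a "large number of systems", the channel names and the acknowledgment timeout are assumptions chosen for the example; in practice they are environment-dependent.

```python
"""Severity classification and alarm routing for critical / important / moderate events.
Constructed example; thresholds, channel names and timeouts are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed threshold: what counts as a "large number of systems" is environment-dependent.
LARGE_SYSTEM_COUNT = 50
# Fixed reference time used by the demo below (constructed).
SAMPLE_TIME = datetime(2010, 8, 18, 15, 0)


@dataclass
class Event:
    name: str
    threatens_safety: bool     # imminent danger to people or physical security
    attack_can_succeed: bool   # False when the attack was detected but has no viable path
    systems_affected: int
    high_value_asset: bool
    detected_at: datetime


def classify(ev: Event) -> str:
    """Map an event to one of the three classes described in the text."""
    if not ev.threatens_safety and not ev.attack_can_succeed:
        return "moderate"      # detected, but limited potential of success or no significant impact
    if ev.threatens_safety or ev.systems_affected >= LARGE_SYSTEM_COUNT or ev.high_value_asset:
        return "critical"      # imminent danger, many systems/users, or a high-value asset
    return "important"         # immediate danger but limited scope, e.g. a DMZ web server


# Assumed routing policy: critical alarms use two channels and need positive acknowledgment.
ROUTING = {
    "critical":  {"channels": ("soc-console", "on-call-sms"), "require_ack": True,  "activation": "full"},
    "important": {"channels": ("soc-console",),               "require_ack": True,  "activation": "partial"},
    "moderate":  {"channels": ("response-queue",),            "require_ack": False, "activation": None},
}


@dataclass
class Alarm:
    event: Event
    severity: str
    channels: Tuple[str, ...]
    require_ack: bool
    activation: Optional[str]
    acknowledged_at: Optional[datetime] = None


class AlarmDispatcher:
    """Routes classified events and tracks positive acknowledgment of alarms."""

    def __init__(self, ack_timeout: timedelta = timedelta(minutes=15)):
        self.ack_timeout = ack_timeout
        self.alarms: Dict[str, Alarm] = {}

    def dispatch(self, ev: Event) -> Alarm:
        sev = classify(ev)
        policy = ROUTING[sev]
        alarm = Alarm(ev, sev, policy["channels"], policy["require_ack"], policy["activation"])
        self.alarms[ev.name] = alarm
        return alarm

    def acknowledge(self, name: str, at: datetime) -> None:
        self.alarms[name].acknowledged_at = at

    def overdue(self, now: datetime) -> List[str]:
        """Alarms that required an acknowledgment and have not received one within the
        timeout: these are the ones to escalate over an additional channel."""
        return [name for name, a in self.alarms.items()
                if a.require_ack and a.acknowledged_at is None
                and now - a.event.detected_at > self.ack_timeout]


def run_demo() -> Tuple[Dict[str, str], List[str]]:
    """Dispatch three constructed events, acknowledge one, and report what is overdue."""
    d = AlarmDispatcher()
    events = (
        Event("worm-spreading-internal", False, True, 200, False, SAMPLE_TIME),
        Event("dmz-web-defacement-attempt", False, True, 1, False, SAMPLE_TIME),
        Event("blocked-scan-of-printer", False, False, 1, False, SAMPLE_TIME),
    )
    severities = {ev.name: d.dispatch(ev).severity for ev in events}
    d.acknowledge("dmz-web-defacement-attempt", SAMPLE_TIME + timedelta(minutes=3))
    return severities, d.overdue(SAMPLE_TIME + timedelta(minutes=20))


if __name__ == "__main__":
    sev, late = run_demo()
    for name, s in sev.items():
        print(f"{name}: {s} via {ROUTING[s]['channels']}")
    print("escalate:", late)
```

In the demo the internal worm is critical (many systems), the DMZ defacement attempt is important (immediate danger, limited scope), and the blocked scan is moderate. Only the worm alarm shows up as overdue, because it required acknowledgment and none arrived within the timeout; the overdue list is what drives escalation over the second channel.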
Moderate-level events are the third class of alarms. These events apply to attacks that are detected but have a limited potential of success or represent no significant impact to safety or security. Moderate events are forwarded to response personnel but do not require an immediate response. For example, the connection of an unauthorized system to the network is a violation