166 ◾ Security Strategy: From Requirements to Reality
of detectors is largely related to the controller to which they are attached. The controller must be able to properly interpret the detector signals and take the proper action. Written operational guides and procedures for responding to events are key to timely and effective response; people dealing with events must take the right actions and escalate alarms when necessary. Just like surveillance, a trained, observant staff capable of correctly interpreting detector events is essential.
Logical event detectors come in two forms: malicious pattern detection and abnormal behavior detection. Pattern detection compares activity or content against a set of predefined signatures. A signature match indicates malfeasance. There are four different types of signature matching: misuse, pattern, protocol, and heuristics. With the exception of heuristics, pattern matching is only effective at identifying known malicious code. Heuristics can detect some types of unknown attacks if they have similar characteristics to other malware. The accuracy of pattern matching depends on the quality of the signatures that are produced. Poor signatures can result in false positives, which can be problematic when they halt legitimate work efforts. Pattern matching is commonly used in antivirus/malware solutions and network- or host-based intrusion detection systems (NIDS, HIDS).
Anomaly detectors are often referred to as profile detectors because they use a statistical profile of normal system activity to detect behavior that is abnormal. The initial profile is usually created during a learning period and is tuned over a period of time to resolve false positives. Anomaly detectors look for inordinate protocol, service, application, and statistical behaviors. Anomalies may be combined to detect additional conditions. The effectiveness of this tactic is based on how well the profile is able to characterize what is a “normal” system operation and what is not. One advantage of this approach is the ability to monitor applications. The downside is a high rate of false positives and the maintenance that goes with it. Anomaly matching is commonly used in network- and host-based intrusion detection systems (NIDS, HIDS).
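The two detection forms described in the preceding paragraphs, as an added example that is not from the book: a toy detector that runs a small set of predefined signatures over log lines and, separately, builds a per-user statistical profile of failed logins per hour during a learning period and flags live hours that exceed the profile by a tunable number of standard deviations. The log lines, usernames, hostnames, signature names and the hourly metric are all constructed for the illustration; the sensitivity factor k is the knob the text calls tuning, and the run shows a benign burst being flagged at a low k (a false positive) and cleared at a higher one while the real outlier stays flagged. It also shows the limitation the text notes: the burst of failures matches no signature and is only caught by the profile.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample log lines (not real data): "HH:MM host user event detail".
# Learning period: four quiet hours of ordinary activity used to build the profile.
LEARNING_PERIOD = [
    "09:05 web01 alice LOGIN_FAIL bad_password",
    "09:10 web01 alice LOGIN_OK -",
    "10:02 web01 bob LOGIN_FAIL bad_password",
    "10:07 web01 bob LOGIN_OK -",
    "11:15 web01 alice LOGIN_FAIL bad_password",
    "11:16 web01 alice LOGIN_FAIL bad_password",
    "11:18 web01 alice LOGIN_OK -",
    "12:30 web01 alice LOGIN_FAIL bad_password",
    "12:40 web01 bob LOGIN_FAIL bad_password",
    "12:41 web01 bob LOGIN_OK -",
]

# Live period (constructed): alice mistypes twice (benign), bob fails seven times
# in one hour, carol triggers two signatures, mallory has no profile at all.
LIVE_PERIOD = [
    "13:01 web01 alice LOGIN_FAIL bad_password",
    "13:02 web01 alice LOGIN_FAIL bad_password",
    "13:03 web01 alice LOGIN_OK -",
] + [f"13:2{i} web01 bob LOGIN_FAIL bad_password" for i in range(7)] + [
    "13:30 web01 carol UPLOAD invoice.pdf.exe",
    "13:31 web01 carol GET /docs/../../config",
    "13:40 web01 mallory LOGIN_FAIL bad_password",
]

# Predefined signatures (hypothetical names): a double-extension executable
# disguised as a document, and repeated parent-directory traversal in a path.
SIGNATURES = {
    "double-extension-executable": re.compile(r"\.(pdf|docx?|xlsx?)\.exe\b", re.IGNORECASE),
    "directory-traversal": re.compile(r"(\.\./){2,}"),
}


def signature_matches(lines):
    """Pattern detection: return (signature, line) for every known pattern that
    matches. Anything not described by a signature is missed entirely."""
    hits = []
    for line in lines:
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                hits.append((name, line))
    return hits


def parse(line):
    ts, host, user, event, detail = line.split(" ", 4)
    return int(ts[:2]), host, user, event, detail


def hourly_fail_counts(lines):
    """Return ({user: {hour: LOGIN_FAIL count}}, hours seen, users seen)."""
    counts = defaultdict(dict)
    hours, users = set(), set()
    for line in lines:
        hour, _host, user, event, _detail = parse(line)
        hours.add(hour)
        users.add(user)
        if event == "LOGIN_FAIL":
            counts[user][hour] = counts[user].get(hour, 0) + 1
    return counts, hours, users


def build_profile(learning_lines):
    """Learning period: per-user (mean, population stdev) of failures per hour.
    Hours with no failures count as zero so quiet hours shape the baseline."""
    counts, hours, users = hourly_fail_counts(learning_lines)
    profile = {}
    for user in users:
        samples = [counts[user].get(h, 0) for h in sorted(hours)]
        profile[user] = (statistics.mean(samples), statistics.pstdev(samples))
    return profile


def anomalies(profile, live_lines, k):
    """Anomaly detection: flag (user, hour, count) where count > mean + k*stdev.
    A principal with no profile has no notion of 'normal', so any failure flags."""
    counts, _hours, _users = hourly_fail_counts(live_lines)
    flagged = []
    for user, per_hour in counts.items():
        mean, sd = profile.get(user, (0.0, 0.0))
        for hour, n in per_hour.items():
            if n > mean + k * sd:
                flagged.append((user, hour, n))
    return sorted(flagged)


if __name__ == "__main__":
    profile = build_profile(LEARNING_PERIOD)
    print("signature hits:", signature_matches(LIVE_PERIOD))
    print("k=1 (untuned):", anomalies(profile, LIVE_PERIOD, k=1))  # alice is a false positive
    print("k=3 (tuned):  ", anomalies(profile, LIVE_PERIOD, k=3))  # alice cleared, bob and mallory remain
```

The tuning step the text describes is the change from k=1 to k=3: alice's two mistyped passwords sit inside the spread of her own history once the threshold is widened, while bob's seven failures stay far outside his, and mallory is flagged because the profile has never seen that account. Neither bob's burst nor mallory's login matches a signature, which is the gap that profile detection fills.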
Host and network intrusion prevention systems (IPSs) extend intrusion detection to include proactive methods that stop malicious activity or content before it can do any damage. A key benefit of IPSs is their ability to stop unknown attacks, but to accomplish this objective the IPS agent must be tightly integrated with the operating system kernel, making it more susceptible to failure from OS patches and upgrades. In order for a network IPS to block malicious actions, all traffic has to pass through the device. The advantage of this configuration over IDS is that the malicious traffic never gets delivered to the target; the downside is that the NIPS becomes a potential choke point and a single point of failure. Intrusion prevention systems use signature-based detection, so effectiveness is based on the quality of the signatures provided. False positives and false negatives are used to determine the effectiveness of pattern and anomaly detection solutions. Each matching method has its good and bad points. Statistically, heuristics analysis is the best, but it can be very resource intensive. The closer these technologies are located to the asset they are protecting, the more effective they are. Commonality is another issue to consider; solutions based on proprietary monitoring and management consoles add complexity to the monitoring and response process; finding products that work with your existing management environment is the better overall strategy.
The processing of log or audit trail records is another method of detecting malicious activity. When done in real time using an automated collection and analysis system, it does improve detection of malicious activity. The accuracy depends on the quality of the information in the log or audit trail; false positives can be an issue. One advantage is collation; logs from multiple devices are collected so that events can be matched from across the environment. This can result in activities being identified that might otherwise have gone unnoticed. Automated log analysis is the