204 ◾ Security Strategy: From Requirements to Reality
Passive Detection Control Objectives
Today most detection functionality in applications is passive: the patrolling guard scenario. Every
so often, someone comes by and looks at the door. ey may note some damages to the door and
investigate how it got there, or even worse they may fi nd that the door has been broken down!
Periodic application log review is the same scenario (assuming application logging is turned on
and subject to periodical review). Occasionally, some abnormal activity may be noted, investi-
gated, and result in the discovery of a breach. e eff ectiveness of this scenario depends largely on
the quality of the information recorded in the logs. Developers are interested in catching problems
with code execution, not detecting malicious activity. Sometimes, these are one and the same
(the malicious activity is the cause of the problem), but more often, this isn’t the case. Audit trails
designed for debugging seldom contain the quality of information required to identify malicious
activity. Error codes are frequently used to identify where the fault took place rather than why
it took place. Determining the why requires parsing the text—not a trivial activity for unstruc-
tured data. Quantity is another issue; reviewers are forced to wade through hundreds of irrelevant
events to fi nd security-related information, and when it is found, it is often insuffi cient to detect
malicious activity or to facilitate investigation, not to mention provide evidence for compliance
reporting. is situation is completely unacceptable. Audit trails must contain quality informa-
tion suffi cient for the detection and investigation of malicious activity, as well as the prosecution
of the perpetrator.
Table 11.2 maps audit trail attributes to specifi c baselines. e type (hard or soft) is used to
denote how the metric for each control objective is collected. Soft indicates a procedure-based
control, while hard denotes a technology-based (i.e., automated) control.
ese requirements are essentially the same as the audit control objectives for accountability.
For a detailed description of these control objects, see the Audit Requirements for Accountability
section of Chapter 10.
Active Detection Control Objectives
From a response perceptive, passive detection is an ineff ective security control because the detec-
tion takes place after the fact. As the interval of time between the event and its review increases,
the potential damage the attacker can do also increases. Passive detection alone is not suffi cient to
meet strategic security objectives; real-time (active) detection is required. Active detection enhances
the detection process by generating an alert when the event takes place. ere are two possible
scenarios; the audit trail can be reviewed in real time or the application can generate the alerts.
e fi rst scenario is the current approach the industry has taken; audit records are forwarded to a
central collection point and evaluated (reviewed) against a set of predefi ned rules, and alerts are
generated for activities that violate one or more rules. e eff ectiveness of the control depends on
the quality of the information in the record, the accuracy of the rules, and the processing effi ciency
of the evaluation system. One advantage of this approach is the ability to collate records from
multiple systems to get a broader understanding of the event, thus facilitating the accuracy of the
response. e downsides of this approach are a propensity for false detections (false positives) and
processing lag under high record volumes.
e application-based intrusion detection system (AIDS) doesn’t suff er from these short-
comings because detection is based on programmatic security functionality; not on the inter-
pretation of a recorded event. At a security conference in 1991, Bill presented the concept of
TAF-K11348-10-0301-C011.indd 204TAF-K11348-10-0301-C011.indd 204 8/18/10 3:11:03 PM8/18/10 3:11:03 PM