
Wednesday, August 06, 2008

Bace Ch 5: Responses

Somehow I never got around to talking about chapter 5 yesterday, despite the fact that I finished it and started on chapter 6. Chapter 5 is a very small chapter, which is somewhat disappointing considering the fact that the focus of my thesis is the response part of intrusion detection.

The note on page 122 describes the typical users of intrusion detection systems: network security specialists, who are generally experts in security but maybe not in the underlying systems being protected; system administrators, who out of necessity have to be conversant in both security and the underlying systems; and security investigators, who may not be conversant in either, but are experts in conducting investigations in general.

There's some general talk up front about how design comes into play. The environment, the purpose of the system and regulatory requirements all shape exactly what the system's response will be and how, if at all, the information is communicated to the user. Active responses fall into three categories: take action against the intruder, amend the environment, and collect more information. Bace points out that the first is the one that captures people's imagination nowadays. Passive responses are alarms and notifications, and SNMP traps and plug-ins.

Bace makes the point that while the intrusion detection system should be generating alerts, those alerts should not be visible to the intruder, who will be looking to intercept and suppress the responses. Lastly, the chapter covers the actions a user should take after receiving a response, ordered by "time and criticality of the activities."
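The response taxonomy and the two design points above (keep alerts out of the intruder's reach; order follow-up by time and criticality) sketched in code. This is an added example, not code from Bace's book or from this post; the criticality scale, the policy table, the sink names and the sample alerts are all constructed for illustration.

```python
"""Toy IDS response dispatcher modelling Bace's response taxonomy.
Added example; the scale, policy and sample data below are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Tuple


class Criticality(Enum):
    """Higher value = more critical. Constructed three-level scale."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Response(Enum):
    # Passive responses: inform a person or a management system.
    ALARM_NOTIFICATION = "alarm/notification"
    SNMP_TRAP = "snmp trap"
    # Active responses: the three categories the chapter lists.
    COLLECT_MORE_INFO = "collect more information"
    AMEND_ENVIRONMENT = "amend the environment"
    ACT_AGAINST_INTRUDER = "take action against the intruder"


PASSIVE = {Response.ALARM_NOTIFICATION, Response.SNMP_TRAP}


@dataclass(frozen=True)
class Alert:
    time: int                 # seconds since epoch (constructed values)
    criticality: Criticality
    source: str               # constructed label, e.g. "host:b"
    description: str


# Constructed policy: passive responses are always taken; active ones
# escalate with criticality. ACT_AGAINST_INTRUDER is deliberately not
# enabled by any level here; it would be a separate, explicit decision.
POLICY = {
    Criticality.LOW: [Response.ALARM_NOTIFICATION],
    Criticality.MEDIUM: [Response.ALARM_NOTIFICATION, Response.SNMP_TRAP,
                         Response.COLLECT_MORE_INFO],
    Criticality.HIGH: [Response.ALARM_NOTIFICATION, Response.SNMP_TRAP,
                       Response.COLLECT_MORE_INFO, Response.AMEND_ENVIRONMENT],
}


@dataclass
class Sink:
    """Destination for a passive response. out_of_band=True means the
    channel does not pass through the monitored system (e.g. a separate
    management network), so an intruder on that system cannot read or
    suppress what is sent over it."""
    name: str
    out_of_band: bool
    received: List[str] = field(default_factory=list)


def plan_responses(alert: Alert) -> List[Response]:
    """Responses the policy calls for at this alert's criticality."""
    return list(POLICY[alert.criticality])


def split_responses(responses: List[Response]) -> Tuple[List[Response], List[Response]]:
    """Partition a response list into (passive, active), preserving order."""
    passive = [r for r in responses if r in PASSIVE]
    active = [r for r in responses if r not in PASSIVE]
    return passive, active


def deliver_passive(alert: Alert, sinks: List[Sink]) -> List[str]:
    """Deliver the alert only to out-of-band sinks; return the names used.
    In-band sinks (a log on the monitored host, say) are skipped so the
    alert is neither visible to nor erasable by the intruder."""
    used = []
    for sink in sinks:
        if not sink.out_of_band:
            continue
        sink.received.append(f"{alert.time} {alert.criticality.name} "
                             f"{alert.source}: {alert.description}")
        used.append(sink.name)
    return used


def triage_order(alerts: List[Alert]) -> List[Alert]:
    """Order alerts for follow-up: most critical first, then oldest first,
    so the analyst works by criticality and, within a level, by time."""
    return sorted(alerts, key=lambda a: (-a.criticality.value, a.time))


if __name__ == "__main__":
    # Constructed sample alerts and sinks.
    alerts = [Alert(100, Criticality.LOW, "host:a", "port scan"),
              Alert(50, Criticality.HIGH, "host:b", "root shell spawned"),
              Alert(75, Criticality.HIGH, "host:c", "new setuid binary")]
    sinks = [Sink("local syslog", out_of_band=False),
             Sink("soc console", out_of_band=True)]
    for a in triage_order(alerts):
        print(a.time, a.criticality.name, split_responses(plan_responses(a)),
              "->", deliver_passive(a, sinks))
```

The policy table is the piece that the chapter says must be driven by environment, purpose and regulation; the `Sink.out_of_band` flag is the minimum needed to encode the rule that the intruder must not be able to see or intercept the response.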

Posted by threeRd at 1:08 PM
Categories: intrusion detection