Host-Based IDS Lifecycle
TRANSCRIPT
Symantec Security Services’ Lifecycle Deployment Methodology for Host-Based Intrusion Detection
For <Company Name>
April 10, 2001
A Deployment Methodology With Product Lifecycle Considerations Will Enable Success While Enhancing an Organization’s Security Architecture!
Host-Based Intrusion Detection
Lifecycle Deployment Methodology
Phase 1 - Define
Phase 2 - Install
Phase 3 - Level I Configure
Phase 4 - Monitor
Phase 5 - Level II Configure
Phase 6 - Monitor
Phase 7 - Level III Configure
Phase 8 - Monitor
Phase 9 - Maintain
• Phase One - Project Definition
  Define a mutually acceptable “Mission Statement” outlining the Client’s project goals
  Acquire an operational understanding of the Client’s environment and security needs:
    • Review Client’s documentation
    • Review environment characteristics
    • Fill out applicable worksheets
    • Conduct personnel interviews
  Identify Client’s personnel roles and responsibilities
• Phase One - Project Definition (Cont.)
  Develop a comprehensive plan for integrating the product within the Client’s environment:
    • Develop a Project Work Plan to detail required resources
    • Develop an Acceptance Test Plan
    • Address Intruder Alert (IA) product scalability requirements
    • Work with Client to design a deployment strategy that is scalable and meets existing and future business requirements
• Phase One - Project Definition (Cont.)
  Develop a comprehensive plan for integrating the product within the Client’s environment:
    • Provide specifics on hardware recommendations consistent with product architecture and design issues relevant to the Client’s environment
    • Perform detailed analysis of Client’s recommended IA policy for pertinent Operating Systems and segment into three security levels to construct Level I, II and III Baseline configurations
• Phase One - Project Definition (Cont.)
  Develop a comprehensive plan for integrating the products within the Client’s environment:
    • Identify the scope of the IA Implementation:
      • Determine Number of Managers to be installed/patched
      • Determine Number of Consoles to be installed/patched
      • Determine Number of Agents to be installed/patched
• Phase One - Project Definition (Cont.)
  Deliverables:
    • Mission Statement – Clearly defined and mutually acceptable goals for Project scope
    • Project Plan – Illustrates schedule of events, resources required and major milestones
    • Acceptance Test Plan – Offers a mutually agreed upon test to prove soundness and reliability of the deployed technology
• Phase One - Project Definition (Cont.)
  Deliverables:
    • Server Inventory – Documented list of servers to be installed with predetermined IA components
    • Documented Level I, II and III Baseline policies – Evaluate Client’s recommended IA policy and segment into Level I, II and III Baseline policy
• Phase Two - Installation
  Deploy IA components identified in Server Inventory and implement based upon Project Work Plan:
    • Number of Managers to be installed/patched
    • Number of Consoles to be installed/patched
    • Number of Agents to be installed/patched
• Phase Two - Installation (Cont.)
  Deliverables:
    • Updated Project Plan (if applicable) – Updates sections of this document to show current state of the Project
    • Fully-functional IA deployment – Demonstrates, through use of the Acceptance Test Plan, that all software components are functioning properly
• Phase Three - Level I Baseline Configuration
  Import recommended Level I Baseline policy for IA focusing on High-Level Event Criteria
  Create an agreed upon domain architecture for managing the products
  Work with Client to provide “Separation of Duties” considerations to determine access levels for approved personnel
• Phase Three - Level I Baseline Configuration (Cont.)
  Add notification features for Level I Baseline policy
  Configure reporting to highlight event data and fulfill Client expectations
• Phase Three - Level I Baseline Configuration (Cont.)
  Deliverables:
    • IA Level I Baseline Configuration Guide – Describes Client’s IA security architecture, system configurations and implemented policy through Level I Baseline
• Phase Four - Data Analysis / Monitoring
  Utilize Level I Baseline policy activated on the IA Agents to gather data against the target environment
  Analyze the data collected by the Agents
  Address False Positives and False Negatives and document any deviations or exceptions
  Offer guidance in the correction of discovered vulnerabilities in order to verify the validity of the deployed Level I Baseline policy (Client is responsible for fixing discovered vulnerabilities)
• Phase Four - Data Analysis / Monitoring (Cont.)
  Deliverables:
    • IA Level I Vulnerability Report – Illustrates discovered vulnerabilities from Agent data collection utilizing Level I Baseline policy recommendations
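The configure/monitor cycle of Phases Three and Four (and its repetition for Levels II and III in Phases Five through Eight) can be made concrete with a small model: a baseline policy split into three severity tiers that are activated cumulatively, per-rule notification channels, and false positives found during monitoring recorded as documented exceptions instead of being deleted. The Python below is an added illustration written for this transcript; it is not Symantec's code and does not use Intruder Alert's policy format. The rule names, regex criteria, notification channels, sample agent events and the change-record reference are all constructed for the example.

```python
"""Tiered host-based IDS baseline policy evaluator (added illustration).

Level 1 rules model the "High-Level Event Criteria" of the Level I Baseline,
Level 2 the medium criteria of Level II, Level 3 the low criteria of Level III.
Levels are switched on cumulatively, mirroring the phased deployment, and hits
covered by a documented exception are reported separately rather than dropped.
Everything below (rules, channels, events) is constructed; it is not IA's format.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Rule:
    name: str
    level: int      # 1 = Level I (high), 2 = Level II (medium), 3 = Level III (low)
    pattern: str    # regex applied to the agent event message (constructed criteria)
    notify: str     # assumed notification channels: "page", "email", "log"


@dataclass(frozen=True)
class DocumentedException:
    rule: str
    host: str
    reason: str     # justification recorded during the monitoring phase


@dataclass(frozen=True)
class Alert:
    rule: str
    level: int
    host: str
    message: str
    notify: str


# Constructed three-tier baseline policy.
BASELINE_POLICY = (
    Rule("remote-root-login", 1, r"ROOT LOGIN .* FROM \S+", "page"),
    Rule("system-binary-modified", 1, r"integrity: /(usr/)?s?bin/\S+ checksum changed", "page"),
    Rule("audit-log-cleared", 1, r"audit log truncated", "page"),
    Rule("failed-su-root", 2, r"su: FAILED SU .* to root", "email"),
    Rule("new-account", 2, r"useradd: new user", "email"),
    Rule("login-failure", 3, r"login: FAILED LOGIN", "log"),
    Rule("cron-edit", 3, r"crontab: .* REPLACE", "log"),
)


def compile_policy(policy, active_levels):
    """Select the rules of the activated levels and pre-compile their criteria."""
    return [(r, re.compile(r.pattern)) for r in policy if r.level in active_levels]


def evaluate(events, policy, active_levels, exceptions=()):
    """Run the activated levels over agent events.

    Returns (alerts, suppressed). Alerts are hits routed to the rule's channel;
    suppressed are hits covered by a documented exception, kept for the
    deviation report rather than silently discarded.
    """
    rules = compile_policy(policy, active_levels)
    exc = {(e.rule, e.host) for e in exceptions}
    alerts, suppressed = [], []
    for ev in events:
        for rule, rx in rules:
            if rx.search(ev["msg"]):
                hit = Alert(rule.name, rule.level, ev["host"], ev["msg"], rule.notify)
                (suppressed if (rule.name, ev["host"]) in exc else alerts).append(hit)
    return alerts, suppressed


def notification_plan(alerts):
    """Group alert rule names by channel so the reporting setup can be reviewed."""
    plan = {}
    for a in alerts:
        plan.setdefault(a.notify, []).append(a.rule)
    return plan


# Constructed sample agent events (not real logs).
SAMPLE_EVENTS = [
    {"host": "web01", "msg": "login: FAILED LOGIN 1 FROM 10.0.0.5 FOR admin"},
    {"host": "db01", "msg": "ROOT LOGIN ON pts/1 FROM 10.0.0.9"},
    {"host": "db01", "msg": "integrity: /usr/bin/passwd checksum changed"},
    {"host": "app02", "msg": "su: FAILED SU deploy to root on pts/0"},
    {"host": "app02", "msg": "crontab: (deploy) REPLACE (deploy)"},
    {"host": "web01", "msg": "useradd: new user: name=svc_backup"},
    {"host": "bastion", "msg": "ROOT LOGIN ON console FROM bastion-kvm"},
]

# Deviation recorded during Level I monitoring: console root login on the
# bastion is approved practice, so the hit is documented rather than alerted.
# The change-record id is a placeholder, not a real reference.
LEVEL1_EXCEPTIONS = (
    DocumentedException("remote-root-login", "bastion",
                        "console access via KVM approved in change record CR-PLACEHOLDER"),
)

if __name__ == "__main__":
    for levels in ({1}, {1, 2}, {1, 2, 3}):
        alerts, suppressed = evaluate(SAMPLE_EVENTS, BASELINE_POLICY, levels, LEVEL1_EXCEPTIONS)
        print(f"levels {sorted(levels)}: {len(alerts)} alerts, {len(suppressed)} documented exceptions")
        for a in alerts:
            print(f"  L{a.level} {a.rule:24s} {a.host:8s} -> {a.notify}")
```

Running the script walks the same events through Level I alone, then Levels I+II, then all three, which is the order the methodology activates them; the suppressed list is what feeds the "deviations or exceptions" documentation, and `notification_plan` is a quick check that each tier's notification configuration routes where the Client expects.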
• Phase Five - Level II Baseline Configuration
  Import recommended Level II Baseline policy for IA focusing on Medium-Level Event Criteria
  Add notification features for Level II Baseline policy
  Configure reporting to highlight event data and fulfill Client expectations
• Phase Five - Level II Baseline Configuration (Cont.)
  Deliverables:
    • IA Level II Baseline Configuration Guide – Describes Client’s IA security architecture, system configurations and implemented policy through Level II Baseline
• Phase Six - Data Analysis / Monitoring
  Utilize Level II Baseline policy activated on the IA Agents to gather data against the target environment
  Analyze the data collected by the Agents
  Address False Positives and False Negatives and document any deviations or exceptions
  Offer guidance in the correction of discovered vulnerabilities in order to verify the validity of the deployed Level II Baseline policy (Client is responsible for fixing discovered vulnerabilities)
• Phase Six - Data Analysis / Monitoring (Cont.)
  Deliverables:
    • IA Level II Vulnerability Report – Illustrates discovered vulnerabilities from Agent data collection utilizing Level II Baseline policy recommendations
• Phase Seven - Level III Baseline Configuration
  Import recommended Level III Baseline policy for IA focusing on Low-Level Event Criteria
  Add notification features for Level III Baseline policy
  Configure reporting to highlight event data and fulfill Client expectations
• Phase Seven - Level III Baseline Configuration (Cont.)
  Deliverables:
    • IA Level III Baseline Configuration Guide – Describes Client’s IA security architecture, system configurations and implemented policy through Level III Baseline
• Phase Eight - Data Analysis / Monitoring
  Utilize Level III Baseline policy activated on the IA Agents to gather data against the target environment
  Analyze the data collected by the Agents
  Address False Positives and False Negatives and document any deviations or exceptions
  Offer guidance in the correction of discovered vulnerabilities in order to verify the validity of the deployed Level III Baseline policy (Client is responsible for fixing discovered vulnerabilities)
• Phase Eight - Data Analysis / Monitoring (Cont.)
  Deliverables:
    • IA Level III Vulnerability Report – Illustrates discovered vulnerabilities from Agent data collection utilizing Level III Baseline policy recommendations
• Phase Nine - Maintain
  Enable the Client to maintain IA by implementing daily operations and procedures for keeping the technology functional and up-to-date
  Document the entire Lifecycle Deployment Methodology for future Client reference
  Instruct Client on the value of reevaluation and the benefit of revisiting the aforementioned phases as product updates are released and/or the Client’s architecture changes
• Phase Nine - Maintain (Cont.)
  Provide extensive product knowledge transfer, for designated Client personnel, on the day-to-day operations relative to the deployed technology
• Phase Nine - Maintain (Cont.)
  Deliverables:
    • Product Update Procedures Guide for IA – Offers recommendations and knowledge specific to product updates and upgrades
    • Change Control Guide for IA – Offers recommendations and knowledge specific to implementing a successful Change Control Program
• Phase Nine - Maintain (Cont.)
  Deliverables:
    • Daily Operations Guide for IA – Offers recommendations and knowledge specific to daily product maintenance and management issues
• Questions ???