Symantec Security Services’ Lifecycle Deployment Methodology for Host-Based Intrusion Detection For <Company Name> April 10, 2001


Page 1: Host-Based IDS Lifecycle

Symantec Security Services’ Lifecycle Deployment Methodology for Host-Based Intrusion Detection

For <Company Name>

April 10, 2001

Page 2

A Deployment Methodology With Product Lifecycle Considerations Will Enable Success While Enhancing an Organization’s Security Architecture!

Page 3

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor; Phase 5 Level II Configure; Phase 6 Monitor; Phase 7 Level III Configure; Phase 8 Monitor; Phase 9 Maintain

Page 4

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase 1: Define

Page 5

• Phase One - Project Definition
  - Define a mutually acceptable “Mission Statement” outlining Client’s project goals
  - Acquire an operational understanding of the Client’s environment and security needs:
    - Review Client’s documentation
    - Review Environment characteristics
    - Fill out applicable worksheets
    - Conduct personnel interviews
    - Identify Client’s personnel roles and responsibilities


Page 6

• Phase One - Project Definition (Cont.)
  - Develop a comprehensive plan for integrating the product within the Client’s environment:
    - Develop a Project Work Plan to detail required resources
    - Develop an Acceptance Test Plan
    - Address Intruder Alert (IA) product scalability requirements
    - Work with Client to design a deployment strategy that is scalable, which meets existing and future business requirements


Page 7

• Phase One - Project Definition (Cont.)
  - Develop a comprehensive plan for integrating the product within the Client’s environment:
    - Provide specifics on hardware recommendations consistent with product architecture and design issues relevant to the Client’s environment
    - Perform detailed analysis of Client’s recommended IA policy for pertinent Operating Systems and segment into three security levels to construct Level I, II and III Baseline configurations


Page 8

• Phase One - Project Definition (Cont.)
  - Develop a comprehensive plan for integrating the products within the Client’s environment:
    - Identify the scope of the IA Implementation:
      • Determine Number of Managers to be installed/patched
      • Determine Number of Consoles to be installed/patched
      • Determine Number of Agents to be installed/patched


Page 9

• Phase One - Project Definition (Cont.)
  - Deliverables:
    - Mission Statement – Clearly defined and mutually acceptable goals for Project scope
    - Project Plan - Illustrates schedule of events, resources required and major milestones
    - Acceptance Test Plan - Offers a mutually agreed upon test to prove soundness and reliability of the deployed technology


Page 10

• Phase One - Project Definition (Cont.)
  - Deliverables:
    - Server Inventory - Documented List of servers to be installed with predetermined IA components
    - Documented Level I, II and III Baseline policies – Evaluate Client’s recommended IA policy and segment into Level I, II and III Baseline policy


Page 11

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install

Page 12

• Phase Two - Installation
  - Deploy IA components identified in Server Inventory and implement based upon Project Work Plan:
    - Number of Managers to be installed/patched
    - Number of Consoles to be installed/patched
    - Number of Agents to be installed/patched


Page 13

• Phase Two - Installation (Cont.)
  - Deliverables:
    - Updated Project Plan (if applicable) - Updates sections of this document to show current state of the Project
    - Fully-functional IA deployment – Demonstrates, through use of the Acceptance Test Plan, that all software components are functioning properly


Page 14

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure

Page 15

• Phase Three - Level I Baseline Configuration
  - Import recommended Level I Baseline policy for IA focusing on High-Level Event Criteria
  - Create an agreed upon domain architecture for managing the products
  - Work with Client to provide “Separation of Duties” considerations to determine access levels for approved personnel


Page 16

• Phase Three - Level I Baseline Configuration (Cont.)
  - Add notification features for Level I Baseline policy
  - Configure reporting to highlight event data and fulfill Client expectations


Page 17

• Phase Three - Level I Baseline Configuration (Cont.)
  - Deliverables:
    - IA Level I Baseline Configuration Guide – Describes Client’s IA security architecture, system configurations and implemented policy through Level I Baseline


Page 18

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor

Page 19

• Phase Four - Data Analysis / Monitoring
  - Utilize Level I Baseline policy activated on the IA Agents to gather data against the target environment
  - Analyze the data collected by the Agents
  - Address False Positives and False Negatives and document any deviations or exceptions
  - Offer guidance in the correction of discovered vulnerabilities in order to verify the validity of the deployed Level I Baseline policy (Client is responsible for fixing discovered vulnerabilities)


Page 20

• Phase Four - Data Analysis / Monitoring (Cont.)
  - Deliverables:
    - IA Level I Vulnerability Report - Illustrates discovered vulnerabilities from Agent data collection utilizing Level I Baseline policy recommendations


Page 21

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor; Phase 5 Level II Configure

Page 22

• Phase Five - Level II Baseline Configuration
  - Import recommended Level II Baseline policy for IA focusing on Medium-Level Event Criteria
  - Add notification features for Level II Baseline policy
  - Configure reporting to highlight event data and fulfill Client expectations


Page 23

• Phase Five - Level II Baseline Configuration (Cont.)
  - Deliverables:
    - IA Level II Baseline Configuration Guide – Describes Client’s IA security architecture, system configurations and implemented policy through Level II Baseline


Page 24

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor; Phase 5 Level II Configure; Phase 6 Monitor

Page 25

• Phase Six - Data Analysis / Monitoring
  - Utilize Level II Baseline policy activated on the IA Agents to gather data against the target environment
  - Analyze the data collected by the Agents
  - Address False Positives and False Negatives and document any deviations or exceptions
  - Offer guidance in the correction of discovered vulnerabilities in order to verify the validity of the deployed Level II Baseline policy (Client is responsible for fixing discovered vulnerabilities)


Page 26

• Phase Six - Data Analysis / Monitoring (Cont.)
  - Deliverables:
    - IA Level II Vulnerability Report - Illustrates discovered vulnerabilities from Agent data collection utilizing Level II Baseline policy recommendations


Page 27

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor; Phase 5 Level II Configure; Phase 6 Monitor; Phase 7 Level III Configure

Page 28

• Phase Seven - Level III Baseline Configuration
  - Import recommended Level III Baseline policy for IA focusing on Low-Level Event Criteria
  - Add notification features for Level III Baseline policy
  - Configure reporting to highlight event data and fulfill Client expectations


Page 29

• Phase Seven - Level III Baseline Configuration (Cont.)
  - Deliverables:
    - IA Level III Baseline Configuration Guide – Describes Client’s IA security architecture, system configurations and implemented policy through Level III Baseline


Page 30

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor; Phase 5 Level II Configure; Phase 6 Monitor; Phase 7 Level III Configure; Phase 8 Monitor

Page 31

• Phase Eight - Data Analysis / Monitoring
  - Utilize Level III Baseline policy activated on the IA Agents to gather data against the target environment
  - Analyze the data collected by the Agents
  - Address False Positives and False Negatives and document any deviations or exceptions
  - Offer guidance in the correction of discovered vulnerabilities in order to verify the validity of the deployed Level III Baseline policy (Client is responsible for fixing discovered vulnerabilities)


Page 32

• Phase Eight - Data Analysis / Monitoring (Cont.)
  - Deliverables:
    - IA Level III Vulnerability Report - Illustrates discovered vulnerabilities from Agent data collection utilizing Level III Baseline policy recommendations


Page 33

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor; Phase 5 Level II Configure; Phase 6 Monitor; Phase 7 Level III Configure; Phase 8 Monitor; Phase 9 Maintain

Page 34

• Phase Nine - Maintain
  - Enable the Client to maintain IA by implementing daily operations and procedures for keeping the technology functional and up-to-date
  - Document the entire Lifecycle Deployment Methodology for future Client reference
  - Instruct Client on the value of reevaluation and the benefit of revisiting the aforementioned phases as product updates are released and/or the Client’s architecture changes


Page 35

• Phase Nine - Maintain (Cont.)
  - Provide extensive product knowledge transfer, for designated Client personnel, on the day-to-day operations relative to the deployed technology


Page 36

• Phase Nine - Maintain (Cont.)
  - Deliverables:
    - Product Update Procedures Guide for IA – Offers recommendations and knowledge specific to product updates and upgrades
    - Change Control Guide for IA - Offers recommendations and knowledge specific to implementing a successful Change Control Program


Page 37

• Phase Nine - Maintain (Cont.)
  - Deliverables:
    - Daily Operations Guide for IA - Offers recommendations and knowledge specific to daily product maintenance and management issues


Page 38

Host-Based Intrusion Detection Lifecycle Deployment Methodology

Phase timeline (diagram, full lifecycle recap): Phase 1 Define; Phase 2 Install; Phase 3 Level I Configure; Phase 4 Monitor; Phase 5 Level II Configure; Phase 6 Monitor; Phase 7 Level III Configure; Phase 8 Monitor; Phase 9 Maintain

Page 39

• Questions ???
