
Intruder alert, raise the moat!


Johannesburg, 21 Apr 2005

Information security: It's the one vulnerable area that has the ability to paralyse organisations, expose their assets, drain capital resources, compromise users and frighten management. Some say it's the corporate network's Achilles heel - but it doesn't have to be its downfall, says Karel Rode, a security specialist at Computer Associates Africa.

Rode examines the twin roles of intrusion detection and prevention players and urges them to collaborate and pool their resources for the benefit of the customer.

Securing an organisation's corporate data is much the same as protecting a medieval castle from attack by knights from rival fiefdoms. It's important to keep a good watch for approaching horsemen and, once they are identified as foe, to have the hot tar, bows and arrows and other defences at the ready.

The drawbridge should be continuously manned so that it can be raised at a moment's notice - before the moat is breached by enemy forces.

Often this is not enough, though, as the enemy may have crept into the castle in the dead of night, disguised as a friend, and tainted the valuable food source before first light.

It's the same in business today. Companies are vulnerable to attack from a variety of sources.

Their vulnerability is increasing as they find themselves in an era in which grids, virtualisation, autonomic computing and other big changes bridge the traditional boundaries between applications and information.

Just as in days of old, intrusion detection and prevention strategies hold centre stage in this volatile and dangerous environment.

But while the concept of intrusion detection is more clearly defined, it is the area of intrusion prevention that is testing the technologists.

Two camps

This is because there are two distinct camps within the security industry - one dealing with "detection" and the other with "prevention".

Many industry watchers believe the two groups, while individually advanced, are nevertheless divided by a gulf that must be bridged before they can unite to bring true benefits, satisfaction and peace-of-mind to the corporate customer - the king of the castle.

Until this happens - and despite the number of IT security products and services on the market - businesses are more exposed than ever to emerging threats.

The challenge

Both camps are faced with a similar challenge: To assist organisations to maintain their goal of 99.999% availability for a variety of mission-critical systems, such as continuously running e-commerce applications.

While the security industry is still undecided over how it will bring the two camps together, some advice is needed for end users who are keen to see a start to this process.

Before intrusion detection and prevention strategies can be formulated - and then eventually brought together in cooperation - the nature of the threats to corporate data and system integrity must be clearly defined.

They should be defined in corporate policy documents, or as administrative control statements. Once formalised in this way, it is easier for companies to attach rules and procedures to each threat, and to adopt policies for its identification and neutralisation.

Architects of affability

For the architects of affability between detection and prevention solutions, the key to their work as match-makers is the precise definition of these rules and an effective plan for implementing them.

These issues are at the heart of the matter. Once the corporate security strategy is formulated, the deployment and implementation of the necessary controls can be effected.

The positioning of detection and preventative controls on the network and allied systems is critical, and they must be engineered to work together - or at least in parallel - in support of the corporate security strategy.

These technical controls should be divided into (1) network-based and (2) host-based controls.

It is a sad consequence of the diversity of many networks - often mixing open source and proprietary platforms - that security strategies are imprecise and, as a result, intrusion detection/prevention solutions are deployed in a fog of indecision and uncertainty.

First steps

The first steps towards a unified intrusion detection/prevention solution are to evaluate the various categories of vulnerabilities and then prepare detailed plans of action for their individual remediation.

Protecting the corporate computer network against threats, given its widely differing categories of vulnerability, will require a series of very specialised controls, both administrative and technical in nature.

For example, when reviewing employee access to confidential and classified company data, a sound data classification policy should be supplemented by a role-based access control solution.

While the emphasis in this common example is on intrusion prevention, its effectiveness would be greatly enhanced if it were complemented by - and integrated with - an intrusion detection solution. Access refused by the control is itself evidence: a pattern of denied attempts to reach classified data is exactly the event a detection system should be watching for.

In this way the alerting, trouble-ticket opening, call escalation, notification, reporting and remediation controls already in place deliver their full value. More importantly, the whole detection/prevention cycle can then be automated end to end.

There are many other, similar, scenarios that play out daily within the corporate environment.

Companies looking to integrate and automate intrusion prevention and detection solutions should first implement strong data classification policies, complemented by access control and authentication rules, so that the organisation knows what its resources are, where they are accessed from and by whom.

From this platform, the policies can be extended beyond the network to the Internet and extranet, allowing partners and customers to safely access data based on their roles within the organisation and the required levels of security - as defined in the policy document.
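As an added illustration - not code from the original article, nor from any Computer Associates product - the Python sketch below gives concrete shape to the role-based access control example above and to the recommendation that follows it: a classification-aware authoriser denies out-of-policy requests (prevention) while recording who reached what from where and raising graded alerts on suspicious denial patterns (detection), including the extranet partner case. The roles, classification labels, resource paths, network names, alert severities and the denial threshold are all assumptions chosen for the example; the sample requests are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Ordered data-classification labels, lowest to highest (assumed policy labels).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}

# Role -> highest label that role is cleared to read (assumed policy).
ROLE_CLEARANCE = {
    "partner": "public",
    "staff": "internal",
    "finance": "confidential",
    "security_admin": "restricted",
}

# Resource -> (label, networks it may be reached from). Constructed sample inventory.
RESOURCES = {
    "/data/pricelist.pdf": ("public", {"internal", "extranet"}),
    "/data/payroll.xlsx": ("confidential", {"internal"}),
    "/data/ir-plan.docx": ("restricted", {"internal"}),
}


@dataclass
class Authoriser:
    """Prevention (allow/deny) and detection (audit trail + alerts) in one component."""

    deny_threshold: int = 3  # repeated denials by one user before a medium alert (assumed)
    denials: dict = field(default_factory=lambda: defaultdict(int))
    audit: list = field(default_factory=list)   # every decision: who, what, from where, why
    alerts: list = field(default_factory=list)  # (severity, user, reason) for the SOC / ticketing

    def decide(self, user: str, role: str, resource: str, network: str) -> str:
        clearance = ROLE_CLEARANCE.get(role, "public")  # unknown role gets least privilege
        entry = RESOURCES.get(resource)
        gap = 0
        if entry is None:
            reason = "unclassified resource, deny by default"
        else:
            label, networks = entry
            gap = LEVELS[label] - LEVELS[clearance]
            if gap > 0:
                reason = f"{label} data is above {role} clearance ({clearance})"
            elif network not in networks:
                reason = f"{resource} is not reachable from the {network} network"
            else:
                reason = ""

        verdict = "deny" if reason else "allow"
        self.audit.append((verdict, user, role, resource, network, reason))

        if verdict == "deny":
            self.denials[user] += 1
            # One attempt two or more levels above clearance is worth an immediate alert.
            if gap >= 2:
                self.alerts.append(("high", user, reason))
            # A run of denials from one user is a pattern, raised once at the threshold.
            if self.denials[user] == self.deny_threshold:
                self.alerts.append(("medium", user, f"{self.deny_threshold} denied requests"))
        return verdict


def demo() -> Authoriser:
    """Constructed traffic: legitimate use, an extranet partner probing payroll,
    and a staff user repeatedly hitting data outside their clearance."""
    a = Authoriser()
    a.decide("alice", "finance", "/data/payroll.xlsx", "internal")   # allow
    a.decide("alice", "finance", "/data/payroll.xlsx", "extranet")   # deny: wrong network
    a.decide("bob", "partner", "/data/pricelist.pdf", "extranet")    # allow: partner, public data
    a.decide("bob", "partner", "/data/payroll.xlsx", "extranet")     # deny, gap 2 -> high alert
    a.decide("carol", "staff", "/data/payroll.xlsx", "internal")     # deny 1
    a.decide("carol", "staff", "/data/ir-plan.docx", "internal")     # deny 2, gap 2 -> high alert
    a.decide("carol", "staff", "/data/nothere.txt", "internal")      # deny 3 -> medium alert
    return a


if __name__ == "__main__":
    for severity, user, reason in demo().alerts:
        print(f"[{severity}] {user}: {reason}")
```

The point of the design is that the same component that says "no" also produces the audit record and the alert, so the ticketing and escalation controls the article mentions receive structured events rather than having to be bolted on afterwards; unknown roles and unclassified resources fall through to deny, which is the least-privilege default a classification policy requires.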


Editorial contacts

Karel Rode
Computer Associates Africa
(011) 236 9111
Karel.rode@ca.com