From: Simon Taylor (Simon.Taylor boxingorange.com)
Date: Tue Sep 18 2007 - 04:00:45 CDT
All,
As Khushbu points out below, there is certainly a structure to conduct a
meaningful IDS service, the other option (as opposed to allocating
resource internally within an organisation) is a managed service.
I work for a company in the UK which delivers managed IDS/IPS services -
this is very much a core competency of ours (in addition to WAN, LAN &
associated security) & hence we have delivered to some of the well-known
financials and organisations handling credit card payments.
Below is an outline of what constitutes the service we provide - if
anyone would like to know more then please drop me an email.
Thanks
Simon
Installation process:
1. Understand IDS requirement - traffic flow, recommend appropriate
hardware to accommodate for throughput and performance
2. Configuration of sensor, including software & signature update
3. Installation of devices
4. Implement management VPN tunnel
5. Move sensor into baseline mode, including capture of alert
information
6. 4 week baseline period
7. Three day IDS report
8. Review & acceptance by customer
9. Implementation of filter policy
10. 1-2 week baseline
11. 1-2 day baseline report
12. Review & acceptance by customer
13. Implementation of filter policy
14. Documentation of solution (for support purposes)
15. Support handover
16. Go-live
Continual service:
24 hour monitoring by helpdesk, with alerting set on parameters defined
by successful baseline. Alerts sent to customer and allocated a severity
rating, engineer resource input into threat analysis. Report on alerts
generated per month. Signature update, changes to alerts & device
support to adhere to SLA. Optional integration with firewall & ISP &
DDoS - joining these together to allow other devices to react to IDS
alerts accordingly.
-----Original Message-----
From: listbounce securityfocus.com [mailto:listbounce securityfocus.com]
On Behalf Of khushbu.jithra gmail.com
Sent: 17 September 2007 06:02
To: focus-ids securityfocus.com
Subject: Re: IDS Incident Escalation Procedure
Hi Jim,
Usually, an Incident Escalation procedure for an IDS stems from
1. The structure of the core Incident Response Team
2. Adherence to any higher level policy, if required (in line with
escalation matrices defined in the business continuity plans)
3. SLAs signed with clients - internal and external
One suggested team structure is
1. Computer Incident Response Team (CIRT) leader
2. Incident Handler
3. Database Administrators
4. Legal Counsel
Now depending on the nature and category of alerts coming from the IDS,
an incident can be escalated from the incident handler to CIRT leader to
database admin to Legal Counsel. Also, the escalation may vary depending
on the severity of alerts.
As Vijay rightly pointed out, you can refer to the NIST SP 800-61
publication, the Incident Notification section. This provides a sample
list of parties which are usually notified.
HTH,
Khushbu Jithra
Information Security Consultant
NII Consulting
Web: http://www.niiconsulting.com
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
--
Simon Taylor
Strategic Account Manager
Boxing Orange Ltd
t: 0871 871 0067
f: 0871 871 0068
m:
Simon.Taylor boxingorange.com
http://www.boxingorange.com/
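The two posts above describe a workflow in words: capture alerts during a baseline period, turn the customer-accepted baseline report into a filter policy, rate what remains by severity, and escalate along a fixed chain of roles. The following Python is an added illustration of that workflow and is not tooling from Boxing Orange, NII Consulting or either poster. Every signature name, IP address, category label, threshold and the asset register are constructed for the example; the escalation chain is the four-role structure Khushbu lists, with the assumption that severity n notifies the first n roles.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    signature: str
    src: str
    dst: str
    category: str  # constructed taxonomy: "scan", "policy", "web-attack", "sql"


# Constructed, abbreviated baseline capture. 10.0.0.5 plays an internal
# monitoring server whose routine probes trip the same signatures all day;
# one web attack from outside fires once.
BASELINE = (
    [Alert("ICMP PING NMAP", "10.0.0.5", f"10.0.1.{i}", "scan") for i in range(1, 31)]
    + [Alert("SNMP public access", "10.0.0.5", f"10.0.1.{i}", "policy") for i in range(1, 21)]
    + [Alert("WEB-ATTACKS /etc/passwd access", "203.0.113.9", "10.0.1.10", "web-attack")]
)


def propose_suppressions(baseline, min_hits=10):
    """Baseline report: (signature, source) pairs that fired at least min_hits
    times are proposed for the filter policy. Keying on the source as well as
    the signature is deliberate: suppressing 'ICMP PING NMAP' globally would
    also hide the same probe arriving from an outside host."""
    hits = Counter((a.signature, a.src) for a in baseline)
    return {key: n for key, n in hits.items() if n >= min_hits}


CRITICAL_ASSETS = {"10.0.1.50": "database"}  # constructed asset register
BASE_SEVERITY = {"scan": 1, "policy": 1, "web-attack": 2, "sql": 3}
ESCALATION_CHAIN = [
    "Incident Handler",
    "CIRT leader",
    "Database Administrators",
    "Legal Counsel",
]


def rate_severity(alert):
    """Severity 1-4: the category sets the base; a hit on a registered
    critical asset adds one. Unknown categories default to 2."""
    sev = BASE_SEVERITY.get(alert.category, 2)
    if alert.dst in CRITICAL_ASSETS:
        sev += 1
    return min(sev, len(ESCALATION_CHAIN))


def escalation_path(severity):
    """Severity n notifies the first n roles in the chain (an assumption),
    so only a severity-4 event reaches Legal Counsel."""
    return ESCALATION_CHAIN[:severity]


def triage(alerts, policy):
    """Drop alerts matched by the accepted filter policy, then rate and
    route the rest. Returns a list of (alert, severity, roles to notify)."""
    out = []
    for a in alerts:
        if (a.signature, a.src) in policy:
            continue
        sev = rate_severity(a)
        out.append((a, sev, escalation_path(sev)))
    return out


# Constructed post-go-live traffic: monitoring noise, the same probe from an
# external host, and an SQL attack against the registered database host.
LIVE = [
    Alert("ICMP PING NMAP", "10.0.0.5", "10.0.1.7", "scan"),
    Alert("ICMP PING NMAP", "198.51.100.23", "10.0.1.7", "scan"),
    Alert("SQL injection attempt", "198.51.100.23", "10.0.1.50", "sql"),
]

if __name__ == "__main__":
    proposals = propose_suppressions(BASELINE)
    accepted = set(proposals)  # stands in for the customer review-and-accept step
    for alert, sev, path in triage(LIVE, accepted):
        print(f"sev {sev}: {alert.signature} from {alert.src} -> notify {', '.join(path)}")
```

Run as a script, the internal monitoring probe is silently dropped, the identical probe from 198.51.100.23 is kept at severity 1 for the Incident Handler, and the SQL attack on the database host reaches all four roles. The point of keying the policy on (signature, source) rather than signature alone is the practical caveat behind "review & acceptance by customer": a filter policy that only names signatures blinds the sensor to a real attacker reusing a technique the baseline taught it to ignore.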