Intrusion Management

ZISC – April 2003

Overview

Disclaimer

1 – Why Intrusion Detection?

Experience shows that ...

A Tool for Everyone

Why Intrusion Detection?

Overall Security = Prevention + Detection

2 – Intrusion Detection System

Characteristics of IDSs

Characteristics - Audit Source I

Characteristics - Audit Source II

Characteristics - Method

Characteristics - Reaction

3 – Intrusion Prevention

The Transitions to Intrusion Prevention

Intrusion Prevention – Definition

Intrusion Prevention – Classification I

Intrusion Prevention – Classification II

4 – Security Information Management (SIM)

The Problem – Too Many Single Systems

The Problem – False Positives

The Problem – Alert Flooding

Transitions to Security Information Management

SIM – Event Sources

SIM Architecture

SIM Architecture

Event Correlation

Security Information Management – Examples

5 – Intrusion Management

Why Do Most IDS/SIM Projects Fail?

How Can Intrusion Management Help?

The Landscape

Intrusion Management – Process I

Intrusion Management – Process II

IM – Intrusion Detection Process

ID Process – Event Analysis

IM Process – Summary

IM Interfaces With IT Processes

IM – Roles and Responsibilities

6 – Conclusions

Conclusions

Future Directions (Raffy’s crystal ball)

For further information …