Step 3: Detection

The best place to draft a detection plan is a quiet conference room with a big whiteboard and every IT manager in attendance. Make a rough map of the entire network, and list every supplier, partner and customer in the margin. By the end of this exercise, you should know intimately how, where and when each of these outside networks connects to yours, and how each connection is secured.

To detect attacks, managers must also know what normal behavior looks like. Examine network protocol analyzer captures and log files from applications and servers. Hardware and software probes are useful, but much more expensive to deploy where long-term monitoring of high-volume networks is required. Products that rely on log data to track user activity are good additions to a detection tool kit: they can quickly reveal what constitutes normal behavior, and often just as quickly highlight deviations from it.

Intrusion-detection systems can be configured to watch for a limited range of anomalous behavior and flag it as a possible attack. They should be distinguished from tools that actively probe for weaknesses, such as vulnerability scanners: in the course of probing, those tools can block access to needed ports on a Web server or cause applications to break. It almost goes without saying that active probing tools should not be run against a production network during business hours. An alternative is to set up a lab that mimics your organization's IT environment. Practice using the intrusion-detection system there and fine-tune it so that it sends as few false-positive alerts as possible while still catching the behavior you actually care about.
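The "learn what normal looks like, then highlight what deviates" approach that log-based tools apply is easy to see in miniature. The script below is an added example written for this page, not code from the original article or from any product it mentions. It runs over constructed sshd-style "Accepted ... for user from host" log lines (the user names, addresses and timestamps are made up), builds a per-user profile of usual login hours, source networks and authentication methods, and then scores new events by how many of those attributes deviate. The three-attribute scoring is an assumption chosen for illustration; the `threshold` parameter is the false-positive tuning knob discussed above, and raising it is what stops a single unusual attribute (for example, a known user on a new internal subnet) from paging someone.

```python
"""Baseline-then-deviate detection over constructed auth log lines (example code)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data: an observation window used to learn "normal" ...
BASELINE_LOGS = """\
2024-03-04T08:55:12 sshd[1201]: Accepted publickey for alice from 10.0.1.15 port 51022
2024-03-04T09:02:44 sshd[1220]: Accepted publickey for bob from 10.0.2.40 port 50210
2024-03-05T08:47:03 sshd[1310]: Accepted publickey for alice from 10.0.1.15 port 51077
2024-03-05T09:15:30 sshd[1322]: Accepted publickey for bob from 10.0.2.41 port 50333
2024-03-06T08:58:51 sshd[1404]: Accepted publickey for alice from 10.0.1.16 port 51101
2024-03-06T17:40:09 sshd[1440]: Accepted publickey for bob from 10.0.2.40 port 50412
"""

# ... and a later day to score against it (also constructed).
NEW_LOGS = """\
2024-03-07T09:01:10 sshd[1500]: Accepted publickey for alice from 10.0.1.15 port 51150
2024-03-07T02:13:27 sshd[1511]: Accepted password for alice from 203.0.113.77 port 40210
2024-03-07T09:05:00 sshd[1520]: Accepted publickey for bob from 10.0.2.40 port 50500
2024-03-07T09:10:41 sshd[1525]: Accepted publickey for bob from 10.0.3.5 port 50511
2024-03-07T03:30:55 sshd[1531]: Accepted password for carol from 198.51.100.9 port 44120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\w+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(lines):
    """Yield one event dict per line matching the accepted-login pattern; skip the rest."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        # Collapse the source address to its /24 so a DHCP move within a subnet is still "normal".
        net = ipaddress.ip_network(f"{m['src']}/24", strict=False)
        yield {"user": m["user"], "hour": ts.hour, "net": str(net),
               "method": m["method"], "raw": line}


def build_baseline(lines):
    """Per-user profile of the hours, source networks and auth methods seen in the window."""
    profile = defaultdict(lambda: {"hours": set(), "nets": set(), "methods": set()})
    for ev in parse(lines):
        p = profile[ev["user"]]
        p["hours"].add(ev["hour"])
        p["nets"].add(ev["net"])
        p["methods"].add(ev["method"])
    return dict(profile)


def score(ev, baseline):
    """Return the list of ways this event deviates from the user's baseline."""
    p = baseline.get(ev["user"])
    if p is None:
        return ["user never seen in baseline"]
    reasons = []
    # Allow one hour of slack either side, wrapping across midnight.
    if not any(min(abs(ev["hour"] - h), 24 - abs(ev["hour"] - h)) <= 1 for h in p["hours"]):
        reasons.append(f"hour {ev['hour']:02d} outside usual hours {sorted(p['hours'])}")
    if ev["net"] not in p["nets"]:
        reasons.append(f"source network {ev['net']} not seen before")
    if ev["method"] not in p["methods"]:
        reasons.append(f"auth method {ev['method']} not seen before")
    return reasons


def detect(new_lines, baseline, threshold=2):
    """Alert on unknown users always, and on known users with >= threshold deviations.

    A higher threshold means fewer alerts (and fewer false positives), at the cost of
    ignoring events that are odd in only one respect.
    """
    alerts = []
    for ev in parse(new_lines):
        reasons = score(ev, baseline)
        if ev["user"] not in baseline or len(reasons) >= threshold:
            alerts.append((ev["user"], reasons))
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for thr in (1, 2):
        print(f"threshold={thr}")
        for user, reasons in detect(NEW_LOGS, base, threshold=thr):
            print(f"  ALERT {user}: {'; '.join(reasons)}")
```

With the constructed data, threshold 1 flags three events: alice's 02:13 password login from an outside network, bob's login from a subnet he has never used, and carol, who has no baseline at all. Raising the threshold to 2 drops bob's single-attribute deviation while keeping the other two, which is exactly the trade-off the tuning step in the paragraph above is about.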
The tools and services for detecting a breach range from firewalls to intrusion-detection systems to log-analysis programs to managed-service providers. That's the science. But detecting the actions of a motivated, inventive attacker takes human detectives who are just as ingenious and relentless as their opponents.