Network security monitoring is more than IDS

In the on-demand Webcast Network Security Monitoring, speakers Richard Bejtlich, senior forensic consultant for Foundstone, and Robert Visscher, lead network security services engineer for Ball Corp., discuss how network security monitoring (NSM) goes beyond intrusion-detection systems (IDS) by incorporating the use of people, processes and products to detect intrusions. Bejtlich answers user questions pertaining to the Webcast.


Are there any network-based or host-based IDS that you think are worth checking into?
Of the commercial intrusion-detection systems available, I believe that Sourcefire's product is the NIDS best positioned to collect the event, session and full content data needed to validate security incidents. While session data is not yet explicitly offered, it should be some time during 2003.

Of the HIDS [host intrusion detection systems] products, I believe a data integrity verification package like Tripwire can be useful. It gives system administrators a level of trust in their servers. Beyond Tripwire, I recommend sending host-based logs (Unix syslog and Windows Event Logs) to a dedicated logging host. Once this is done, employ software to monitor those centralized logs for anomalies. I prefer this strategy because deploying HIDS agents creates difficult management issues. Server owners tend to blame the HIDS for any problems with the server. However, sending those servers' logs to a central log host is a less intrusive means to monitor host security.
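To illustrate the centralized-log monitoring recommended in the answer above, here is an added example (not from the Webcast or from Bejtlich) that checks a central log host's syslog feed for two anomalies: bursts of failed SSH logins and hosts that have stopped sending logs. The sample lines, thresholds and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of BSD-syslog lines as a central log host might store them.
SAMPLE = """\
Mar  3 10:00:01 web1 sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2
Mar  3 10:00:03 web1 sshd[411]: Failed password for root from 192.0.2.10 port 4023 ssh2
Mar  3 10:00:05 web1 sshd[412]: Failed password for admin from 192.0.2.10 port 4024 ssh2
Mar  3 10:00:09 db1 sshd[77]: Accepted password for alice from 198.51.100.7 port 5100 ssh2
Mar  3 10:01:00 web1 sshd[413]: Failed password for root from 192.0.2.10 port 4030 ssh2
Mar  3 10:45:00 db1 sshd[99]: Failed password for bob from 198.51.100.7 port 5200 ssh2
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (\w+)(?:\[\d+\])?: (.*)$")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse(text, year=2003):
    """Yield (timestamp, host, program, message); syslog lines carry no year."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4)

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Map (host, source) to the largest failure count seen inside one window."""
    times = {}
    for ts, host, prog, msg in events:
        m = FAILED.search(msg) if prog == "sshd" else None
        if m:
            times.setdefault((host, m.group(2)), []).append(ts)
    bursts = {}
    for key, stamps in times.items():
        stamps.sort()
        n = max(sum(t - s <= window for t in stamps[i:]) for i, s in enumerate(stamps))
        if n >= threshold:
            bursts[key] = n
    return bursts

def silent_hosts(events, max_gap=timedelta(minutes=30)):
    """Hosts whose newest message lags the newest line overall by more than max_gap."""
    last = {}
    for ts, host, _, _ in events:
        last[host] = max(last.get(host, ts), ts)
    newest = max(last.values())
    return sorted(h for h, ts in last.items() if newest - ts > max_gap)

if __name__ == "__main__":
    ev = list(parse(SAMPLE))
    print(failed_login_bursts(ev), silent_hosts(ev))
```

A host that goes quiet matters as much as a noisy one: on a central log host, missing data can mean broken forwarding or tampering on the sender.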

What are the security hazards of using an open source IDS like Snort?
It is important to recognize that Snort is mainly a detection engine. Snort alone should not be compared with commercial offerings like ISS RealSecure or Cisco Secure IDS, which are enterprise suites. Effective deployment of a Snort-based network security monitoring operation requires effective user interfaces, back-end databases, sensor platforms and so on.

As far as hazards go, the security of a Snort solution depends on the underlying security of its host operating system and the security of the Snort code itself. Certain operating systems are simply easier to secure than others. I can build a fully functional, Internet-ready, FreeBSD-based Snort platform, offering no services other than Secure Shell, in less than one hour. Building a comparable Windows-based Snort platform requires fairly extreme measures. It can be done, but you've got to remove a fair amount of Windows' inherent functionality. (See a book like "Securing Windows NT/2000 Servers for the Internet," by Stefan Norberg.) Regarding the Snort code, you can judge the security of it by reviewing the source yourself, or by hiring a programmer to do so. You can't do that with any commercial offering. 

What percentage of PCs should have HIDS?
If you do decide to deploy HIDS after reading my earlier answer, I recommend you first prioritize your assets into categories of high, medium and low criticality. You would then deploy HIDS on as many of the 'high' criticality machines as you can manage. If you can deploy more without overloading your capacity to manage them and without adversely affecting those servers' functionality, then try deploying others. You can never have too much data ready for analysis once you've found your enterprise to be compromised.

What portion (if any) of network security monitoring is it safe to outsource?
I am not comfortable with the sort of monitoring done by any of the commercial managed network security services companies. I don't believe they provide enough value for the amount of money they charge. I am not saying this for personal reasons, since my company does not compete in this space and has no plans to do so. I just believe that most, if not all, managed monitoring companies are more concerned with "managing devices" than detecting intrusions. None of them seem to understand the principles of network security monitoring we described in our webcast. I would be very happy to be approached by a commercial company who could prove their level of service meets the standards of network security monitoring. 

What should be included in a security policy on the topic of network security monitoring?
Probably the most important element of any policy involving network security monitoring is avoiding the Wiretap Act. 18 U.S.C. 2511(2)(a)(i) offers the Provider Protection Exception, which in part states:

Interception is allowed "while engaged in any activity which is a necessary incident to the rendition of service or the protection of the rights or property of the provider of the service."

See for the entire statute. You should include language that reflects that monitoring is done for this purpose. You should also include language that guarantees your employees provide their consent. The Wiretap Act's "Consent Exception," typically implemented through banners, gives more explicit legal cover for full collection of network traffic. 

Should network security monitoring be handled by my networking admins or my security team?
I believe NSM should be implemented by the security team. Networking admins are usually more concerned with the health and performance of the network and do not have enough time or energy to devote to security issues. Security is best centralized in a single computer security and incident response team (CSIRT) which performs the planning, prevention, detection and response steps necessary to protect an enterprise.
