IDS mailing list archives

RE: IDS Incident Escalation Procedure

From: "Simon Taylor" <Simon.Taylor () boxingorange com>
Date: Tue, 18 Sep 2007 10:00:45 +0100

All,

As Khushbu points out below, there is certainly a structure to conducting a
meaningful IDS service; the other option (as opposed to allocating
resource internally within an organisation) is a managed service.

I work for a company in the UK which delivers managed IDS/IPS services -
this is very much a core competency of ours (in addition to WAN, LAN &
associated security), and hence we have delivered to some of the well-known
financials and organisations handling credit card payments.

Below is an outline of what constitutes the service we provide - if
anyone would like to know more then please drop me an email.

Thanks
Simon

Installation process:

1. Understand IDS requirement - traffic flow, recommend appropriate
hardware to accommodate for throughput and performance
2. Configuration of sensor, including software & signature update
3. Installation of devices
4. Implement management VPN tunnel
5. Move sensor into baseline mode, including capture of alert
information
6. 4 week baseline period
7. Three day IDS report
8. Review & acceptance by customer
9. Implementation of filter policy
10. 1-2 week baseline
11. 1-2 day baseline report
12. Review & acceptance by customer
13. Implementation of filter policy
14. Documentation of solution (for support purposes)
15. Support handover
16. Go-live

Continual service:

24 hour monitoring by helpdesk, with alerting set on parameters defined
by successful baseline. Alerts sent to customer and allocated a severity
rating, engineer resource input into threat analysis. Report on alerts
generated per month. Signature update, changes to alerts & device
support to adhere to SLA. Optional integration with firewall & ISP &
DDoS - joining these together to allow other devices to react to IDS
alerts accordingly.
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of khushbu.jithra () gmail com
Sent: 17 September 2007 06:02
To: focus-ids () securityfocus com
Subject: Re: IDS Incident Escalation Procedure

Hi Jim,


Usually, an Incident Escalation procedure for an IDS stems from

1. The structure of the core Incident Response Team

2. Adherence to any higher level policy, if required (in line with
escalation matrices defined in the business continuity plans)

3. SLAs signed with clients - internal and external


One suggested team structure is

1. Computer Incident Response Team (CIRT) leader

2. Incident Handler

3. Database Administrators

4. Legal Counsel


Now depending on the nature and category of alerts coming from the IDS,
an incident can be escalated from the incident handler to CIRT leader to
database admin to Legal Counsel. Also, the escalation may vary depending
on the severity of alerts.


As Vijay rightly pointed out, you can refer to the NIST SP 800-61
publication, the Incident Notification section. This provides a sample
list of parties which are usually notified.


HTH,

Khushbu Jithra

Information Security Consultant

NII Consulting

Web: http://www.niiconsulting.com

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------ 
--
Simon Taylor
Strategic Account Manager
Boxing Orange Ltd 
t: 0871 871 0067
f: 0871 871 0068 

Simon.Taylor () boxingorange com
http://www.boxingorange.com/ 
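The two ideas in the thread, alert parameters set from a baseline period (Simon) and an escalation chain that varies with alert severity (Khushbu), modelled together in one added example. This is not code from either poster or their organisations; the signature names, the daily counts and the mapping from severity to notified roles are constructed assumptions for illustration.

```python
"""Baseline-derived IDS alert thresholds with severity-based escalation.

Added example, not code from the thread. It models two points made above:
alert parameters derived from a baseline period, and an escalation chain
(handler -> CIRT leader -> DBA -> Legal) whose reach depends on severity.
Signature names, counts and the severity-to-role mapping are constructed.
"""
from statistics import mean, pstdev

# Constructed baseline: daily alert counts per signature over a 7-day window.
BASELINE = {
    "SCAN nmap": [40, 35, 50, 45, 38, 42, 47],
    "WEB sql injection": [0, 1, 0, 0, 2, 0, 1],
}

# Escalation chain from the thread. Which links a given severity reaches
# is an assumption chosen for illustration, not a rule stated by the posters.
ESCALATION = {
    "low": ["Incident Handler"],
    "medium": ["Incident Handler", "CIRT leader"],
    "high": ["Incident Handler", "CIRT leader",
             "Database Administrators", "Legal Counsel"],
}

def build_thresholds(baseline, k=3.0):
    """Per-signature alert threshold: mean + k * stddev of baseline counts."""
    return {sig: mean(c) + k * pstdev(c) for sig, c in baseline.items()}

def rate_alert(sig, count, thresholds):
    """Return a severity for today's count, or None if it is within baseline."""
    thr = thresholds.get(sig)
    if thr is None:
        return "medium"            # signature never seen during baseline
    if count <= thr:
        return None                # filter policy: normal background noise
    if count <= 2 * thr:
        return "low"
    return "medium" if count <= 4 * thr else "high"

def route(sig, count, thresholds):
    """Severity plus the ordered list of roles to notify for this alert."""
    sev = rate_alert(sig, count, thresholds)
    return {"signature": sig, "severity": sev,
            "notify": ESCALATION[sev] if sev else []}

if __name__ == "__main__":
    thr = build_thresholds(BASELINE)
    for sig, n in [("SCAN nmap", 50), ("SCAN nmap", 300),
                   ("WEB sql injection", 10), ("NEW signature", 1)]:
        print(route(sig, n, thr))
```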

