BN.com Gift Guide

The Practical Intrusion Detection Handbook / Edition 1

Paperback (Print)
Used and New from Other Sellers
Used and New from Other Sellers
from $1.99
Usually ships in 1-2 business days
(Save 96%)
Other sellers (Paperback)
  • All (18) from $1.99   
  • New (5) from $11.88   
  • Used (13) from $1.99   

Overview

The definitive guide to understanding, selecting, and deploying intrusion detection in the enterprise!

  • Product selection, planning, and operations
  • Filled with real-life cases and stories of intrusion detection systems in action
  • Covers host-based and network-based intrusion detection

Foreword by Dorothy Denning, author of Cryptography and Data Security and Information Warfare and Security

Technical Edit by Ira Winkler, author of Corporate Espionage

In The Practical Intrusion Detection Handbook, one of the field's leading experts shows exactly how to detect, deter, and respond to security threats using intrusion detection systems. Using real-world case studies and practical checklists, Paul E. Proctor shows what intrusion detection software can achieve, and how to integrate it into a comprehensive strategy for protecting information and e-commerce assets. No other guide to intrusion detection offers all this:

  • Practical coverage of host-based, network-based, and hybrid solutions
  • Detailed selection criteria and sample RFPs
  • Key factors associated with successful deployment
  • Intrusion detection in action: response, surveillance, damage assessment, data forensics, and beyond
  • Six myths of intrusion detection — and the realities

Whether you're a senior IT decision-maker, system administrator, or infosecurity specialist, intrusion detection is a key weapon in your security arsenal. Now, there's a start-to-finish guide to making the most of it: The Practical Intrusion Detection Handbook by Paul E. Proctor.

"Intrusion detection has gone from a theoretical concept to a practical solution, from a research dream to a major product area, from an idea worthy of study to a key element of the national plan for cyber defense. . . Nobody brought that about more than Paul Proctor. . . Paul brings his considerable knowledge and experience with commercial intrusion detection products to this first-of-a-kind book."
—From the Foreword by Dorothy Denning
Read More Show Less

Editorial Reviews

Booknews
Using examples from business this book shows what intrusion detection software can achieve and how to integrate it into a total strategy for information protection. Coverage includes host-based, network-based, and hybrid solutions, selection criteria and sample RFPs, and examples of intrusion detection in action in response, surveillance, damage assessment, and data forensics. Proctor has worked in intrusion detection for 15 years. Annotation c. Book News, Inc., Portland, OR (booknews.com)
Read More Show Less

Product Details

  • ISBN-13: 9780130259608
  • Publisher: Prentice Hall
  • Publication date: 8/9/2000
  • Edition description: New Edition
  • Edition number: 1
  • Pages: 384
  • Product dimensions: 6.77 (w) x 9.05 (h) x 1.10 (d)

Meet the Author

PAUL E. PROCTOR is the Director of Technology at Cybersafe Corporation and Chief Technology Officer of the firm's Centrax Division. Proctor has worked in intrusion detection for nearly 15 years and developed many commercial intrusion detection technologies. He sat on the Intrusion Detection Subgroup of the President's National Security Telecommunications Advisory Committee (NSTAC), has been an invited speaker at the CIA, and has been personally involved in several of the world's most significant intruder "take-downs." Sorry, but he can't tell you which ones!

Read More Show Less

Read an Excerpt

Preface

In the mid 1990s, Neil was an auditor for a major government agency in Canada. An inside embezzler had taken his agency for several million dollars and Neil was asked to help pick up the pieces. For over 6 months, Neil poured over transaction logs to trace the money, and figure out how it was done. A substantial amount of the money was never recovered.

On February 9, 2000 Amazon.com, E-Trade, and other pioneering ecommerce companies got hit with a distributed denial of service attack that collectively cost several million dollars. This electronic "Waterloo" changed the face of electronic commerce forever by highlighting the importance of effective detection and response in any successful on-line business.

In 1986, Dorothy Denning wrote a paper that set the stage for the development of commercial technologies that would provide detection, response, deterrence, and damage assessment. Intrusion detection, often misunderstood, provides the best chance for peace in an otherwise turbulent on-line world.

I've spent my career trying to get intrusion detection out of the research lab and into operational environments. I worked in intrusion detection research in 1988 to do a state of the art study for the U.S. Navy with the intent of deploying a system in an operational Navy environment. Then in 1990, I started work on generic testing paradigms to quantify the value of intrusion detection. In 1992, I designed the Computer Misuse Detection System (CMDS) at SAIC, one of the first commercial intrusion detection systems. CMDS saw real action and enjoyed some very large deployments starting in the mid 1990s. In 1997, I left SAIC to co-found Centrax Corporation and bring Intrusion Detection to the Windows NT masses. At Cybersafe I helped develop one of the first hybrid intrusion detection systems combining both network and host-based technologies.

I've researched systems, developed systems, deployed systems, sold systems, given seminars, and assisted investigations. This book was the next logical step. It was simple in concept: Write down everything I know about intrusion detection, make it understandable, and help businesses deploy operational systems.

You hold the results in your hands. This book will explain intrusion detection, dispel common myths, provide guidance on requirements and even help you acquire an intrusion detection system and operate it effectively throughout the entire project lifecycle. The format is designed to be readable. Anecdotes appear throughout to connect the information with the real world. Important points are punctuated and called out separately for emphasis and to make it easy to scan the text.

The book is divided roughly into thirds. The first third describes technology, the second effective operation, and the third project lifecycle. Near the end I provide a chapter on commercial products because this book is about using intrusion detection. These are your tools. This book is your manual.

Paul E. Proctor February 12, 2000
35,000 Feet, Somewhere Over the Pacific Ocean

Read More Show Less

Table of Contents

1. Introduction.

Security versus Business. What Is Intrusion Detection? The Most Common Intrusion Detection. Network- vs. Host-based Intrusion Detection. Anatomy of an Intrusion Detection System. Command Console. Network Sensor. Alert Notification. Response Subsystem. Database. Network Tap. Anatomy of an Intrusion Detection Process. Traditional Audit versus Intrusion Detection. Integrity Checkers. A Conceptual View of Misuse Detection. Detecting Deviations from Acceptable Behavior. Detecting Adherence to Known Unacceptable Behavior. Summary.

2. A Historical Perspective.

A Timeline. The Early Systems. Early Capabilities Comparison. Effectiveness. SSO Support/SSO Interface. Adaptability/Flexibility. Historical Lessons. Summary.

3. Network-Based Intrusion Detection Systems.

Introduction. Network-based Detection. Unauthorized Access. Data/Resource Theft. Denial of Service. Architecture. Traditional Sensor-Based Architecture. Distributed Network-Node Architecture. The Network Intrusion Detection Engine. Network Signatures. Operational Concept. Tip-Off. Surveillance. Forensics Workbench. Benefits of Network-based Intrusion Detection. Outsider Deterrence. Detection. Automated Response and Notification. Challenges for Network-based Technologies. Packet Reassembly. High-Speed Networks. Sniffer Detection Programs. Switched Networks. Encryption. Summary.

4. Host-Based Intrusion Detection Systems.

Introduction. Host-based Detection. Abuse of Privilege Attack Scenarios. Critical Data Access and Modification. Changes in Security Configuration. Architecture. Centralized Host-Based Architecture. Distributed Real-Time Architecture. Target Agent. Agentless Host-Based Intrusion Detection. Raw Data Archive. Operational Concept. Tip-Off. Surveillance. Damage Assessment. Compliance. Policy Management. Audit Policy. Detection Policy. Audit and Detection Policy Dependencies. Data Sources. Operating System Event Logs. Middleware Application Audit Sources. Application Audit Sources. Benefits of Host-based Intrusion Detection. Insider Deterrence. Detection. Notification and Response. Damage Assessment. Attack Anticipation. Prosecution Support. Behavioral Data Forensics. Challenges for Host-based Technologies. Performance. Deployment/Maintenance. Compromise. Spoofing. Summary.

5. Detection Technology and Techniques.

Introduction. Network Detection Mechanisms. Packet Content Signatures. Packet Header (Traffic) Analysis. Host-based Signatures. Single Event Signatures. Multi-event Signatures. Multi-host Signatures. Enterprise Signatures. Compound (Network and Host) Signatures. Signature Detection Mechanisms. Embedded. Programmable. Expert System. Other Techniques. Statistical Analysis. Metalanguage. Artificial Intelligence (Artificial Neural Network). Summary.

6. Intrusion Detection Myths.

Introduction. Myth 1: The Network Intrusion Detection Myth. The Network Intrusion Detection Revolution. Network Intrusion Detection Is Not Sufficient. What's the Difference Between Network- and Host-Based Detection? Comparing Host- and Network-Based Benefits. The Bottom Line. Myth 2: The False-Positive Myth. True/False Positive/Negative. Noisy Systems? There Is No Such Thing as a False-Positive. Bottom Line. Myth 3: The Automated Anomaly Detection Myth. Behavior Models. You Just Said There Are No False-Positives. The Training Problem (A Mini Myth). Anomaly Detection as Decision Support. Bottom Line. Myth 4: The Real-time Requirement Myth. Why Real-Time? The Costs of Real-Time. Real-Time versus In-Time. The Bottom Line. Myth 5: Inside the Firewall equals Insider Threat Detection. Insider Threats. Paradigm Shift. Bottom Line. Myth 6: The Automated Response Myth. Advertising. Automated Response = Risk. Characteristics of a Good Real-Time Automated Response. Bottom Line. Myth 7: The Artificial Intelligence Myth. New Attacks and AI. Root-Cause Analysis to Detect New Attacks. Bottom Line. Summary.

7. Effective Use.

Detecting Outsider Misuse (Hackers). Real-Life Misuse Example 1: Anomalous Outbound Traffic. Real-Life Misuse Example 2: Help! We're Being Swept! Detecting Insider Misuse. Real-Life Misuse Example 3: Unauthorized Access to Mission-Critical Data. Real-Life Misuse Example 4: Abuse of Privilege. Attack Anticipation (Extended Attacks). Real-Life Misuse Example 5: Embezzlement. Real-Life Misuse Example 6: Intellectual Property Theft. Surveillance. Real-Life Misuse Example 7: Surveillance. Policy Compliance Monitoring. Real-Life Misuse Example 8: User Logout at Night. Damage Assessment. Real-life Misuse Example 9: Corporate Espionage. Summary.

8. Behavioral Data Forensics in Intrusion Detection.

Introduction. Benefits of Behavioral Data Forensics. Data Mining. Forms and Formats. Data Volume. User-Centric versus Target-Centric Monitoring. Real-World Examples of Behavioral Data Forensics. Performance Improvement. Security. Workload Reduction. Security Policy. Data Mining Techniques. Data Presentation Refinement. Contextual Interpretation. Drill Down. Combining Data from Heterogeneous Sources. Combining Data from All-Band Resources. Behavioral data forensics Tutorial Examples. Example 1: Trending and Drill Down. Example 2: Target Browsing. Example 3: Critical File Browsing Trends. Example 4: Attack Anticipation (Tip-Off). Example 5: Target Overloaded. Other Examples. Summary.

9. Operational Use.

Introduction. Background Operation. On-demand Operation. Scheduled Operation. Real-time Operation. 2437 Monitoring. Incident Response. Escalation Procedures. Incident Triage. Incident Volume. Summary.

10. Intrusion Detection Project Lifecycle.

Introduction. Project Phases. Overlap. Resource Estimates. Calculating Total Cost of Ownership. Hidden Costs of Intrusion Detection. Project Planning/requirements Analysis. Acquisition. Pilot Phase. Deployment Phase. Policy Implementation. Promiscuous Network Sensor Deployments. Distributed Sensor Deployments. Tuning. Deployment Issues. Cultural. Legal. Politics. Target Ownership. Policy Management. Maintenance. Software Updates. Signature Updates. Summary.

11. Justifying Intrusion Detection.

Importance of Intrusion Detection in Security. Time-Based Security. Relaxing Access Controls. Threat Briefing. 1. CSI/FBI Study. A Recap of Misuse Examples. Insider Threats. Quantifying Risk. Problems with Quantitative Risk Assessment. Return on Investment. ROI and Risk Calculator. Behind the Scenes. Summary.

12. Requirements Definition.

Introduction. Tracking Nonrequirements. Developing a Requirements Document. What Are Your Goals For Intrusion Detection? Information Risk Management. Detection Requirements. Perimeter Threat Detection Requirements. Insider Threat Detection requirements. Compliance Monitoring Requirements. Response Requirements. Resource Classification. Using Intrusion Detection to Define Mission-Critical Data. Operations Requirements. Background Operations. On-Demand Operation. Scheduled Operation. Real-Time Operation. 24. ´ 7 Monitoring. Platform Coverage Requirements. Audit Source Requirements. Performance Requirements. Intrusion Detection System Performance. Network Resource Requirements. Scalability Requirements. Prosecution Requirements. Damage Assessment Requirements. Summary.

13. Tool Selection and Acquisition Process.

Introduction. Selection and Evaluation Process. Define Requirements. Conduct Research. Online Research. Conferences. Magazines. Request for Information. Establish Selection Criteria. Translate Environment-Specific Criteria. Criteria Weighting. Scoring. Evaluation. Conduct Evaluation. Request for Proposal. Cover Letter. RFP Example. Pilot Program. Speaking to References. Words of Wisdom. Summary.

14. Commercial Intrusion Detection Tools.

Introduction. Network (TCP/IP) Only. BlackICE/ICEcap—Network ICE. Dragon—Network Security Wizards. NFR ID Appliance—Network Flight Recorder. Secure Intrusion Detection System (NetRanger)—Cisco. Net Prowler—Axent. eTrust ID (Abirnet Sessionwall 23)— Computer Associates. Host-only Products. Computer Misuse Detection System (CMDS)—ODS Networks. Kane Security Monitor (KSM)—ODS Networks, Inc. SecureCom 8001 Internet Appliance (Hardware)— ODS Networks, Inc.? Intruder Alert (ITA)—Axent. PS Audit—Pentasafe. Operations Manager—Mission Critical. Hybrid Systems. Centrax—CyberSafe Corporation. Cyber Cop Monitor—Network Associates, Inc. RealSecure—Internet Security Systems. Summary.

15. Legal Issues.

Introduction. Law Enforcement/Criminal Prosecutions. Tort Litigation. Negligence Litigation. Better Technology. Y2K. Corporate Reluctance to Prosecute. Standard of Due Care. Responsibilities. One-Sided Liability. Evidentiary Issues. Rules of Evidence. Accuracy. Chain of Custody. Transparency. Case Study. Improving Evidentiary Veracity. Organizations. National White Collar Crime Center. National Cybercrime Training Partnership (NCTP). High Technology Crime Investigators Association (HTCIA). Summary.

16. Organizations, Standards, and Government Initiatives.

Introduction. Organizations. ICSA.net. SANS. Standards Bodies (Interoperability). What Should Be Standardized? Interoperability. Common Intrusion Detection Framework (CIDF). IETF Intrusion Detection Working Group (IDWG). Common Vulnerability and Exposures (CVE). U.S. Federal Government Initiatives. The National Security Telecommunications Advisory Committee (NSTAC). The Presidential Commission on Critical Infrastructure Protection (PCCIP). Presidential Decision Directive 63 (PDD-63). Summary.

17. Practical Intrusion Detection.

The Current State of Technology. The Future of Intrusion Detection. Network Intrusion Detection. Host-Based Intrusion Detection. Managed Services. Enterprise On-Demand Detection. Application Intrusion Detection. Standards for Interoperability. Prosecution Support. Real-Time versus In Time. Advice to Security Officers. Advice to Intrusion Detection Developers. My last Advice: Avoiding Confusion. Summary. After All.

Appendix A: Sample RFP.

Appendix B: Commercial Intrusion Detection Vendors.

Appendix C: Resources.

Index.

Read More Show Less

Preface

Preface

In the mid 1990s, Neil was an auditor for a major government agency in Canada. An inside embezzler had taken his agency for several million dollars and Neil was asked to help pick up the pieces. For over 6 months, Neil poured over transaction logs to trace the money, and figure out how it was done. A substantial amount of the money was never recovered.

On February 9, 2000 Amazon.com, E-Trade, and other pioneering ecommerce companies got hit with a distributed denial of service attack that collectively cost several million dollars. This electronic "Waterloo" changed the face of electronic commerce forever by highlighting the importance of effective detection and response in any successful on-line business.

In 1986, Dorothy Denning wrote a paper that set the stage for the development of commercial technologies that would provide detection, response, deterrence, and damage assessment. Intrusion detection, often misunderstood, provides the best chance for peace in an otherwise turbulent on-line world.

I've spent my career trying to get intrusion detection out of the research lab and into operational environments. I worked in intrusion detection research in 1988 to do a state of the art study for the U.S. Navy with the intent of deploying a system in an operational Navy environment. Then in 1990, I started work on generic testing paradigms to quantify the value of intrusion detection. In 1992, I designed the Computer Misuse Detection System (CMDS) at SAIC, one of the first commercial intrusion detection systems. CMDS saw real action and enjoyed some very large deployments starting in the mid 1990s. In 1997, I left SAIC to co-found Centrax Corporation and bring Intrusion Detection to the Windows NT masses. At Cybersafe I helped develop one of the first hybrid intrusion detection systems combining both network and host-based technologies.

I've researched systems, developed systems, deployed systems, sold systems, given seminars, and assisted investigations. This book was the next logical step. It was simple in concept: Write down everything I know about intrusion detection, make it understandable, and help businesses deploy operational systems.

You hold the results in your hands. This book will explain intrusion detection, dispel common myths, provide guidance on requirements and even help you acquire an intrusion detection system and operate it effectively throughout the entire project lifecycle. The format is designed to be readable. Anecdotes appear throughout to connect the information with the real world. Important points are punctuated and called out separately for emphasis and to make it easy to scan the text.

The book is divided roughly into thirds. The first third describes technology, the second effective operation, and the third project lifecycle. Near the end I provide a chapter on commercial products because this book is about using intrusion detection. These are your tools. This book is your manual.

Paul E. Proctor
February 12, 2000
35,000 Feet, Somewhere Over the Pacific Ocean

Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
Sort by: Showing 1 Customer Reviews
  • Anonymous

    Posted May 4, 2008

    very good

    very good

    Was this review helpful? Yes  No   Report this review
Sort by: Showing 1 Customer Reviews

If you find inappropriate content, please report it to Barnes & Noble
Why is this product inappropriate?
Comments (optional)