∙Specific vulnerabilities of the systems that host the crown jewels.
This should exist as a written report as well as a view-graph presentation. If you are doing a PowerPoint presentation (which is recommended), expand each of the preceding bullets to be a PowerPoint slide with three to five bullets each.
Part Three: Tradeoffs and Recommended Solution
Finally, you get to pitch your intrusion-detection system! You can hardly wait to get behind the console of that shiny new intrusion.com special and smell that new IDS smell. Slow down a little longer.You need to offer some tradeoffs, and also remember, you are going forward with a package. Intrusion detection by itself is a hard sell. From a risk-assessment, textbook standpoint, the next thing you are supposed to do is establish risk-acceptance criteria. This approach is to put management on the spot and have it define what levels of risks it is willing to accept. Then, you go back and design comprehensive countermeasures for all risks greater than what management is willing to accept. Good luck!
Therefore, you should do the following:
●Define an information-assurance risk-management architecture.
●Identify what is already in place.
●Identify the immediate steps you recommend.
●Identify the options for these countermeasures.
●Produce a cost-benefit analysis.
●Implement a project schedule.
●Identify the follow-on steps illustrating where you want to go in the future.
Define an Information-Assurance Risk-Management Architecture
This sound like a hard chore, but it is really simple. You have defined the threats. You know the primary countermeasures. It could be as simple as implementing the following:
●Firewall from the Internet
●Network-based IDS outside the firewall
●Internal firewalls for crown jewels
●Network-based IDS covering crown jewels
●Host-based IDS on crown jewels' platforms
●Tagged honeypot files on crown jewels' platforms
●Basic hardening for all systems, antivirus programs, patches, and good configuration management to prevent silly file permission settings
●Organizational network-based backup with off-site storage
●Scanning of the internal network for vulnerabilities quarterly
●Certificate-based encryption for transmissions over the Internet with customers and suppliers as well as home and off-site workers
●Strong authentication for dial-ins
●Disk encryption and personal firewalls for laptops
This list might not be completely appropriate for your organization, but this is my view of the
big picture for information assurance.
Identify What Is in Place
Every briefing or report to senior management should include a status slide, something that
defines where you are now. If you follow your definition of your information-assurance
architecture with your current status, it is a nice set up for the things you want to do next.
Identify Your Recommendations
Finally, you get to pitch the intrusion-detection system of your dreams. You want the pitch to be balanced. It is perfectly reasonable to pitch an intrusion-detection system and a vulnerability scanner (or whatever is appropriate for your organization) at the same time. For the pitch to be solid, it should include options, cost, and schedule information.
I just cry when I see someone take an hour of a senior manager's time to brief him on a problem and possibly recommend a solution when the presenter doesn't have the cost and backup information. The senior executive doesn't think she has enough information to make a decision, so she puts the matter off. What happens, however, is a very subtle characteristic of human nature. When you first hear about a scary problem, you are shocked and might well be moved to action. If you do not act, however, you have been inoculated against the problem. The next time you hear about it, you are less scared and less moved to action. Therefore, you
need to be prepared to sell your project the first time!
Identify Options for Countermeasures
I hate doing this! I know what I want! I have done a market survey. Why should I have to justify the product I have selected? Well, if you didn't know this before, I'll let you in on a potential "gotcha." The commercial intrusion-detection system vendors aren't dumb! They are trying hard to reach the CIOs and other top executives of your organization with non-technical, high-level issues-oriented briefings. For instance, the host-based companies are pushing the insider threat really hard. Therefore, if you come marching into your CIO with your report and it doesn't mention the insider threat or consider host-based systems as options, you might be one down instantly.
Personal Firewalls
If you are facing management and the issue of the insider threat comes up, keep in mind that internal firewall and personal firewall data can come in very handy. In some sense, these serve as burglar alarms and can alert you to internal problems. Before asking senior management who is responsible for the organization's risk management, funding, and support, it is a good idea to know as much about the probable risks as possible.
Take the time to list at least one optional approach and to consider at least one alternative product for your recommended procurements. You don't have to pitch these slides; in fact, you shouldn't pitch these slides. But you do want them in case the issue comes up. While you are at this point, you need to take a second for an integrity check. Are you trying to buy a toy and help get the job skills to enhance your career or are you trying to secure your organization? Have you really taken the time to examine those firewall logs? If they have good fidelity, and you are honestly more concerned about your organization's security, perhaps you should consider spending the time and money on a different aspect of your information-assurance
architecture.
Cost-Benefit Analysis
The cost aspect of this section is more important than the benefit section. This is where you give management a warm, fuzzy feeling that you know how much the recommended countermeasures are going to cost. As a program manager, when I hear something that I know I want to do, I really don't need a lot more information—just tell me what it will cost and when I can have it. Earlier, we talked about the case of having to present the whole package in five minutes. In that situation, you would use three slides: the Executive Summary, the Cost Summary, and the Schedule.
Why Cost-Benefit Matters
Cost-benefit analysis doesn't sound sexy to an intrusion analyst, but going through the exercise for even a one-page financial analysis is really worth the time. I used to have an employee who was very bright, but she had an uncanny knack for coming up with the projects guaranteed to fail. Because she was so smart, when she would suggest that we ought to do something, I would think, "Yeah, that makes sense, let's do it." The next thing I knew, it was crash and burn time, and I would look silly again in front of senior management. Then what do you suppose happened? She came up with one of those, "I think we should…." My heart started pounding, my brain racing. I could feel my stress level go up. A wiser manager would have sat down with her and taught her to calculate the cost, the risk, and the potential benefits of a course of action. It is easy after you have done it once. Not me, though. I just reminded her of the failures, and in so doing, probably lost any chance of hearing another idea from a brilliant software engineer.
Not all benefits are tangible and that is important, but this is where you want to support your bang-for-the-bucks slide. This is the point where you list the costs. In the written report, you should list all the costs; in a presentation, you should present only the summary costs. If there are questions, refer management to the written report.
Have you ever given a pitch and had a member of the management team challenge you? And just out of the blue, they say, "I don't think that is going to work." They don't even give a reason. They might have a double-digit IQ, but the spotlight is on you! This is where it really helps to be prepared. Let me make it plain for you: There is a better-than-even chance management will ask the following questions, and you will have to give the answers shown. Will an intrusion-detection system:
●Actually stop attacks? No.
●Detect everything? No.
●Cost a significant amount of money in equipment and salary? Yes.
So you see, you really do want to be prepared! As backup material, I strongly recommend you have at least one ALE (annualized loss expectancy) or SLE (single loss expectancy, as explained in Chapter 12, "Writing TCPdump Filters") calculation for what you think is the biggest general threat against the organization. You should also have a couple examples of specific threats against crown jewels if possible. Select your cases carefully so that they support your choice of countermeasures. If you end up needing these slides, your pitch is in trouble; so do a good job on them.
Business Plan
I am a passionate, vision-driven person and I need to be honest with you about something. I am physically incapable of labeling anything I write a "cost-benefit analysis." Let's be careful here, 9 out of 10 consultants would agree that is the correct title and form for what you should take to management for a final approval of a project. It is probably what decision-making management expects. So, after telling you plainly that I am outside the normal and customary in this regard, please let me share what I do. I produce a business plan, often it is only a couple of pages long, but it helps me focus on the issues. It has the same basic content as a cost-benefit analysis. I deal with costs, advantages, tangibles, and intangibles, but there is one added factor: It will help advance the business. It seems to me that anything you do should serve two purposes: It should solve the problem at hand, and it should advance the business. The energy and capital you invest should help your organization achieve or maintain the lead in your field. "Oh come on Stephen," you might say, "intrusion detection is an overhead function; you can't make money on it!" Wanna bet? Baseball, I mean intrusion detection, has been very, very, good to me,
and to many of my friends as well. Don't shortchange yourself and skip learning the material in this chapter. Learn to write a business plan or a cost-benefit analysis. This skill might literally pay off for you.
Project Schedule
I have written software (badly) for 15 years or so, but I have also managed some pretty skilled coders. I try to get estimates from them so that I can pass up milestone information on future deliverables. Depending on the person, I either double or triple their estimates. Software people invariably think something is a simple matter of a few lines of code until they get into the problem.
The point I am trying to make is that managers develop a radar, a sixth sense for bogus schedules. You are on the next-to-last slide of your presentation, or next-to-last section in your report. You do not want to blow it here.
If you are not experienced at project management, here are some gotchas with fudge factors of items that will take longer than you probably estimated:
●Procure anything and everything (2x)
●Compile and run any free software (2x)
●Get management approval for any policy (5x)
●Install the software and test it (2x)
●Get the sensor to work on a switched network (5x)
●Get the analysis station to connect to the sensor through the firewall (3x)
●Get clearance to install host-based intrusion-detection software on production systems (5x)
●Sweep your phone lines for vulnerabilities (5x)
●Fix problems you find with a network vulnerability sweep (5x)
The preceding list was partly done in fun, but I also am serious. If these items are part of your
critical path, you might want to give your schedule a second look.
Follow-On Steps
At this point, you have finished everything we need to do to pitch your solution. We have defined and quantified both the problem and the solution with options. What could possibly be lacking? Will installing this solution solve all the organization's problems? If not, you should identify some of the next steps. If you are recommending a network-based intrusion-detection system, for instance, your next steps might be as follows:
●Host-based perimeter defenses for critical systems
●Database for trend analysis, especially with the emergence of enterprise security modules that allow you to consider data from NID, HID, firewall, router, and system log files
●Internal network-based IDSs for high-value locations
●Organization-wide host-based perimeter defense deployment
Each of these steps should include a high-level estimate for timeframe and cost. Taking the time to show the next steps helps management in two important ways. It shows you have technical vision—that there really is a well thought out plan. Also the budget planning cycle for capital purchases at many organizations is done several years in advance. By presenting the follow-on steps, financial planners can use your information as budget "wedges" for future years.