In Depth

Intrusion Detection: Ain't No Flyswatter Big Enough

What do you do when somebody breaks into one of your organization's servers? When waving your hands wildly doesn't help, you'll need an intrusion detection plan.

By Simson Garfinkel

Page 3

Randy Barr has been running Tripwire on roughly 1,000 mission-critical servers at WebEx Communications for two years. Barr tries to run a tight ship. Every change to the servers has to be proposed, documented and finally approved by a change-control committee. But occasionally things slip through the cracks.

"There was a user who went in, outside of the change-control process, and made a change," Barr says. "He created a file in a directory to keep notes for himself."

You might not think a file with a few notes in it would be a problem—and in most cases it's not. But because the wrong file created in the wrong directory can potentially shut down a server, WebEx's policy is that unauthorized changes such as these should not happen.

Further investigation revealed that the employee wasn't supposed to be logged in to the system at all. "The policy states that this is a disciplinable action, so that's how we handled it," says Barr.

Tripwire isn't the only way that WebEx could have caught the employee infraction. A unified logging system with alert management would have caught the unauthorized log-in to the server in question. The creation of the file itself could have been caught with the use of C2-level audit logs. (The phrase "C2" comes from the U.S. government's "Orange Book" that defines requirements for different kinds of secure operating systems.) But each of these approaches has problems. A unified log system tends to generate a lot of false positives, since many log-ins are inconsequential. C2 logging, on the other hand, generates a tremendous amount of information and can put a significant drain on system resources.
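The two detection approaches the paragraph contrasts can be sketched in a few dozen lines. The following is an added example, not Tripwire's code or anything from WebEx: a Tripwire-style baseline-and-compare over a directory tree (hash, size and permission bits of every regular file), plus a tiny alert filter over a constructed sshd-style log feed that flags successful logins by accounts outside an approved list. The directory layout, file contents, log lines and the `deploy`/`jsmith` account names are all constructed for the demonstration.

```python
"""Minimal file-integrity checker and login alert filter (illustrative, not Tripwire)."""
import hashlib
import json
import os
import re
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Walk root and record hash, size and permission bits of every regular file.
    Directories and names are visited in sorted order so two runs are comparable."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": _sha256(p),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,
            }
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Report files that appeared, vanished, or whose recorded attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def write_baseline(manifest: dict, path: Path) -> None:
    # The baseline belongs somewhere the monitored host cannot rewrite it
    # (read-only media or another machine); the checker trusts whatever it reads back.
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


# Constructed sshd-style lines standing in for a central syslog feed.
SAMPLE_AUTH_LOG = [
    "Jan 12 02:14:07 srv42 sshd[811]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Jan 12 02:31:55 srv42 sshd[903]: Accepted password for jsmith from 10.0.0.77 port 50110 ssh2",
    "Jan 12 02:32:10 srv42 sshd[904]: Failed password for root from 10.0.0.77 port 50111 ssh2",
]
_ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")


def unauthorized_logins(lines, approved_users):
    """Flag successful logins by accounts not on the approved change-window list.
    Restricting alerts to an allowlist is what keeps routine logins from paging anyone."""
    hits = []
    for line in lines:
        m = _ACCEPTED.search(line)
        if m and m.group(1) not in approved_users:
            hits.append((m.group(1), m.group(2)))
    return hits


def demo() -> dict:
    """Build a small tree, baseline it, then make the kinds of changes the article describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "srv"
        seed = {
            "bin/server": "#!/bin/sh\necho up\n",
            "etc/app.conf": "port=8080\n",
            "var/old.log": "rotated\n",
        }
        for rel, body in seed.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(body)
        db = Path(tmp) / "baseline.json"
        write_baseline(snapshot(root), db)
        # Out-of-process changes: a notes file dropped into a system directory,
        # a config edited in place (same length, so only the hash moves), a log removed.
        (root / "etc" / "notes.txt").write_text("todo: ask about port change\n")
        (root / "etc" / "app.conf").write_text("port=8081\n")
        (root / "var" / "old.log").unlink()
        return compare(load_baseline(db), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
    print(unauthorized_logins(SAMPLE_AUTH_LOG, {"deploy"}))
```

Running the script reports `etc/notes.txt` as added, `var/old.log` as removed and `etc/app.conf` as modified by hash only, and lists the `jsmith` login as the one outside the approved set. Like Tripwire, this checker only sees what the kernel's file interfaces return, so a compromised kernel that lies about file contents defeats it; keeping the baseline off the monitored host limits what an attacker with root can quietly rewrite.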

Barak Engel, CSO at InStorecard, says his startup uses Tripwire to comply with Visa's Cardholder Information Security Program (CISP). The program, launched by Visa in June 2001, mandates security standards for merchants and service providers.

"We needed to have a data integrity solution as part of our Visa CISP," Engel says. He has Tripwire configured to watch "critical operating system portions and our product directories—things that could actually affect or be affected by any kind of malicious adversary" of the company's Microsoft-based servers. Tripwire automatically e-mails regular reports and notifications whether or not it has detected unauthorized changes.

Unfortunately, certain attacks are very hard for Tripwire to detect. If an attacker breaks into a computer and is able to modify the operating system's kernel, the kernel can be made to fool Tripwire into reporting that files haven't been modified when in fact they have. The programs that carry out this kind of attack are commonly called "root kits."
