Enterprise Intrusion Analysis, Part One
Stephen Barish 2009-04-01

Article continued from Page 1

Unfortunately, there is a tendency to see IDS as one more check on a laundry list of controls that should be procured and implemented to have a "best practices" security solution. This is especially common where IT auditors identify the need for additional security controls in the enterprise. Companies simply select a product and deploy it, failing to determine what kind of product they need, and, more importantly, what they intend to do with the system once it is deployed.

This kind of IDS solution is ineffective, rarely used properly, and easily circumvented by attackers. Before heading down that path, companies should prepare using the following four steps.

1. Identify Assets

Of course, we’re really talking about information assets and the critical infrastructure they reside on here. This might include systems performing critical corporate processes or holding important data — such as billing, financials, marketing data, and intellectual property — or generating revenue for the enterprise. Ideally, security analysts should be able to identify the information that makes the company run, the processes that use that data, and tie it back to a physical portion of the infrastructure.

2. Assess Your Risk

Virtually everyone with an IP address is at risk from a certain perspective. You can see this by looking at the Honeynet Project, where systems are exposed on the Internet and compromised by automated attack tools literally within seconds of provisioning. We are all under attack at virtually every moment our systems are powered up and connected, and it is pretty much accepted wisdom that eventually an attack will be pressed home and your network compromised.

But the impact of a successful compromise varies widely by industry, and according to the data compromised by attackers. For instance, it would hurt Amazon.com significantly if their website were compromised, even if the back-end financial systems weren’t affected, simply because consumer confidence would suffer. For other companies, however, a website compromise might have very little impact if there were no tie to revenue generation.

3. Develop Security Policy

Everyone eventually suffers a compromise of some kind, and it is far less expensive and time-consuming, and more efficient, to think through how you will respond in advance. Security policy sets the foundation for these decisions, establishes controls on the use of company infrastructure and information assets, and limits user behavior. It establishes the right to monitor, what kind of material you can examine, and how you can use it. It doesn’t have to be complex or thousands of pages long, either.

Too many companies spend money on consultants to provide best-of-breed policies that comply with ISO 17799 or other standards, and don’t think about how they will implement them. Policy that doesn’t get implemented is worthless. On the other hand, without some idea of how you will operate your security program, it is difficult at best to effectively operate an IDS and get any real value out of it.

4. Know Your Enterprise

One of the biggest problems with deploying IDS in an enterprise context is the potential for data overload. Network IDS in particular can generate a large volume of event-data that analysts have to process. In fact, the most common complaint about IDS is the sheer volume of false-positives — alerts that have entirely benign explanations. While IDS technology gets a bit better every year, the reality is this problem will never go completely away.

That’s why sensor tuning is such an important part of the deployment plan. Unfortunately, it takes in-depth knowledge about an enterprise to really tune the IDS without completely desensitizing it. Prior to deploying and tuning the sensors, security architects should identify the major ports as well as services the network needs to support, protocols in use and those definitely prohibited, and document the known access paths to the enterprise.

Post-Deployment Sensor Tuning

Once the IDS is deployed, the work has just begun.

IDS implementation is rarely a turn-key operation, especially in mid-sized to large enterprises. Most of the time the deployment team will need to tune the sensors to reduce false-positives, as IDS solutions out of the box tend to employ so many alert criteria that analysts are easily overwhelmed. This is where good pre-deployment planning really helps, as a solid understanding of your enterprise and what you are trying to achieve with your IDS solution will really help reduce analyst workload.
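The following is an added example, not code from the article: it turns the pre-deployment inventory described above (supported ports and services, prohibited protocols, documented access paths) into a first-pass tuning filter and runs it over a few constructed alerts. The hosts, access-path names, and the Snort-style priority convention (1 = high, 3 = informational) are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed inventory (hypothetical hosts, not a real network): the facts the
# article says to document before tuning the sensors.
APPROVED_SERVICES = {            # (host, port, transport) the network must support
    ("10.0.1.10", 443, "tcp"),   # web front end
    ("10.0.1.20", 25, "tcp"),    # mail relay
    ("10.0.1.30", 53, "udp"),    # DNS
}
PROHIBITED_PROTOCOLS = {"telnet", "irc"}       # definitely prohibited by policy
KNOWN_ACCESS_PATHS = {"gw-internet", "vpn-1"}  # documented access paths

@dataclass(frozen=True)
class Alert:
    sig: str        # signature name
    priority: int   # 1 = high ... 3 = informational (Snort-style convention assumed)
    dst: str
    dport: int
    transport: str
    app: str        # application protocol the sensor decoded
    ingress: str    # access path the sensor sits on

def triage(alert: Alert) -> tuple[str, str]:
    """Return (disposition, reason). Only informational noise on inventoried
    services is suppressed; policy violations and undocumented access paths
    are escalated whatever the signature, so tuning does not desensitize."""
    if alert.app in PROHIBITED_PROTOCOLS:
        return "escalate", f"prohibited protocol {alert.app}"
    if alert.ingress not in KNOWN_ACCESS_PATHS:
        return "escalate", f"undocumented access path {alert.ingress}"
    expected = (alert.dst, alert.dport, alert.transport) in APPROVED_SERVICES
    if alert.priority >= 3 and expected:
        return "suppress", "informational alert on an inventoried service"
    if alert.priority >= 3:
        return "review", "informational alert on a service missing from inventory"
    return "review", f"priority {alert.priority} signature needs an analyst"

SAMPLE_ALERTS = [  # constructed events, not captured traffic
    Alert("HTTP long URI", 3, "10.0.1.10", 443, "tcp", "http", "gw-internet"),
    Alert("SMTP relay attempt", 1, "10.0.1.20", 25, "tcp", "smtp", "gw-internet"),
    Alert("TELNET login", 3, "10.0.1.40", 23, "tcp", "telnet", "gw-internet"),
    Alert("DNS query", 3, "10.0.1.30", 53, "udp", "dns", "modem-lab"),
    Alert("HTTP long URI", 3, "10.0.1.50", 8080, "tcp", "http", "vpn-1"),
]

def summarize(alerts=SAMPLE_ALERTS) -> dict[str, int]:
    """Count dispositions; a pass that suppresses most of the feed is a warning sign."""
    return dict(Counter(triage(a)[0] for a in alerts))
```

Alerts that land in "review" for a service missing from the inventory are as much a prompt to update the inventory as to investigate.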

Article continued on Page 3 



Copyright 2009, SecurityFocus