Elements of the Automated Intrusion Detection Capability
- By Diane Frank
- Oct 02, 2000
* Monitoring services — must continuously monitor messages or audit information
from a subscriber's network. This may include data indicating an active
breach or the vulnerability of a subscriber's network security. The system
may be able to filter security events for relevance.
* Device support — must be able to support multivendor intrusion-detection
systems, firewalls, routers and other security products.
* Communication services — must transport event data to a security
operations center through encrypted and authenticated methods, with no
other connections being permitted.
* Security operations center — will receive, process and analyze data.
* Event processing — performed by hardware, software and security analysts
supplied by the vendor. Analysts will monitor security data and quickly
identify instances of suspected attacks, violations, weaknesses or malicious
activity across an agency's information enterprise. The vendor must be able
to determine the severity of the attack, provide vulnerability analysis
and notify FedCIRC and the agency subscribing to the service, including
providing recommendations for action and resolution. If the analysts determine
that an incident can harm or penetrate the agency's systems, the contractor
must notify the agency and FedCIRC immediately.
Source: GSA draft request for proposals for AIDC