Читать книгу The Official (ISC)2 SSCP CBK Reference - Mike Wills - Страница 64
Detective Controls
ОглавлениеDetective (or detection) controls look for any out-of-limits conditions, such as signatures associated with an intrusion attempt, and then take two fundamental and important actions. First, the detection controls notify operations personnel or higher- level supervisory systems that a problem exists; this is absolutely critical if you are to have any command and control over your systems or any ability to manage an effective response to incidents as and when they occur. Second, the detection controls can (if desired) signal an attacker that you've noticed what they're doing, which leads them to believe you'll be responding to their attack. This may deter them from continuing their efforts.
All intrusion or incident detection systems are subject to error rates. Getting the crossover point set so that your risk of harm or loss due to false acceptance errors is balanced by your ongoing costs of investigating and resolving false rejections (and their concomitant “sky is falling” feeling) is a never-ending process. In fact, the smarter these controls get—and the more that they employ machine learning and predictive analytic capabilities—the more time you'll have to invest in understanding their behavior and tuning it to fit your constantly changing threat landscape and the dynamic nature of your routine business activities.
Physical detection systems can include motion detectors, motion switches on doors and windows, and continuity circuits embedded or built into walls, fences, and other landscaping features. Many such systems can support change detection as well, which can highlight suspicious portions of the systems they surveil to human security monitors for analysis and possible action. Physical systems such as power conditioning, air and environmental conditioning systems, and other aspects of your data center or network operations facilities should be primary sources of alarms that indicate a potential disruption, possibly due to an intrusion, is underway.
Don't forget the end-user element! Properly motivated and trained, having a cadre of end users who can spot something that's not quite right and appreciate that management wants to hear about it sooner rather than later can often stymie an attack before it gets too far.