The topic of internal attacks is an extremely sensitive one. Both determining the risks posed by bad colleagues and employees and communicating this to them is an undesirable task and also legally difficult. No wonder the term “intrusion detection” has acquired such a biased connotation in recent years. Intrusion detection systems (IDS) have been “reduced” to focusing on network-based and external attacks.
However, practice has shown that the main danger really does lie in internal attacks. Insider knowledge considerably reduces the effort and the hurdles required for a successful “attack”. Without a doubt, it is substantially more difficult for an outsider to penetrate the system and then find and reach the data sources. An insider, by contrast, already knows where the data is located and can easily transport it to the outside.
The relatively new term “extrusion detection” broadens this reduced “IDS” definition. The purpose of an “extrusion detection system” (EDS) is to keep track of procedures and events within the company in order to combat internal attacks. The close relationship to auditing and internal review is obvious.
Automatically executed technical reactions are what is usually associated with “prevention”. No doubt actual prevention takes place in the awareness of the staff. In general, there is considerable caution regarding technical prevention and automatic reaction to incidents, because of the “false positive” problem and the risk of erroneous decisions that could endanger production processes and their availability.
From the very beginning, SF-Sherlock’s “logical trap” concept has covered the detection aspects of both intrusion and extrusion, combined with an optional reaction. Altogether, system attacks are detected as well as the “escape” of important data to the “outside”, e.g. by way of FTP.
The SF-Sherlock technology for security and quality automation is
• both an intrusion and extrusion detection and prevention system,
• host-based, but network activities are also monitored, such as Firewall and TCP/IP,
• z/OS-specific, while also monitoring the operating system, applications and subsystems (e.g. DB2, LDAP, etc.),
• able to evaluate SMF or any log data,
• equipped with necessary pre-defined attack patterns (“logical traps”) and
• extensible with installation-defined attack patterns and installation-specific monitoring characteristics.
This comprehensive approach to our security technology guarantees a maximum return on investment and maximum security.