
15. IDS Policy

In order to preserve the integrity of data that iDialogs stores, processes, or transmits for Customers, iDialogs implements strong intrusion detection tools and policies to proactively track and retroactively investigate unauthorized access. iDialogs currently utilizes OSSEC and SNORT to track file system integrity, monitor log data, and detect rootkit access. iDialogs also uses ARPWatch for network monitoring and Amazon CloudWatch for system health monitoring.

15.1 Applicable Standards

15.1.1 Applicable Standards from the HITRUST Common Security Framework

  • 09.ab - Monitoring System Use
  • 06.e - Prevention of Misuse of Information
  • 10.h - Control of Operational Software

15.1.2 Applicable Standards from the HIPAA Security Rule

  • CFR § 164.312(b) - Audit Controls

15.2 Intrusion Detection Policy

Daemons such as OSSEC, SNORT, IPTables, and ARPWatch monitor host- and network-level events.

  1. OSSEC is used to monitor and correlate log data from different systems on an ongoing basis. Reports generated by OSSEC are reviewed by the Security Officer on a monthly basis.
  2. OSSEC generates alerts that are analyzed and investigated for suspicious activity or suspected violations.
  3. OSSEC monitors file system integrity and sends real-time alerts when suspicious changes are made to the file system.
  4. SNORT monitors network activity and generates logs which are analyzed by OSSEC.
  5. ARPWatch watches for changes in network hosts and logs them; those logs are then analyzed and reported by OSSEC.
  6. Amazon CloudWatch monitors system and network health and performance data.
  7. Automatic monitoring is done to identify patterns that might signify a loss of availability of certain services and systems (DoS attacks).
    1. Cisco ASA hardware firewalls operate as a first line of defense, with each host utilizing IPTables as a host-based firewall for intranet traffic.
    2. AWS Security Group firewall rules monitor all incoming traffic to detect potential denial of service attacks. Suspected attack sources are blocked automatically. Additionally, our hosting provider actively monitors its network to detect denial of service attacks.
    3. All new firewall rules and configuration changes are tested before being pushed into production. All firewall and router rules are reviewed every quarter.
    4. iDialogs handles both internal and external traffic shaping via security group rules.
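As an added illustration (not iDialogs' own configuration), the ossec.conf fragment below shows how the roles described in items 2 through 5 map onto OSSEC settings: real-time file integrity checking, rootkit checks, and ingestion of SNORT and ARPWatch log output. The monitored directories, log file paths, scan frequency, and alert thresholds are assumptions chosen for the example.

```xml
<!-- Added illustration: assumed ossec.conf fragment, not iDialogs' actual configuration. -->
<ossec_config>
  <!-- Item 3: file integrity monitoring with real-time alerts on change.
       realtime="yes" requires inotify support on the agent host (Linux). -->
  <syscheck>
    <frequency>79200</frequency>                        <!-- full rescan every 22 hours (assumed) -->
    <alert_new_files>yes</alert_new_files>              <!-- new files in watched paths also alert -->
    <directories check_all="yes" realtime="yes">/etc,/usr/bin,/usr/sbin</directories>
    <directories check_all="yes" realtime="yes">/bin,/sbin,/boot</directories>
    <ignore>/etc/mtab</ignore>                          <!-- changes on every mount; not security-relevant -->
  </syscheck>

  <!-- Rootkit detection (section overview): OSSEC's shared signature lists. -->
  <rootcheck>
    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
  </rootcheck>

  <!-- Item 4: SNORT writes full-format alerts to a file that OSSEC tails and decodes.
       Log path assumed. -->
  <localfile>
    <log_format>snort-full</log_format>
    <location>/var/log/snort/alert</location>
  </localfile>

  <!-- Item 5: ARPWatch reports new/changed MAC-IP pairings via syslog; OSSEC's built-in
       arpwatch decoder and rules pick those entries out of the syslog stream. Path assumed. -->
  <localfile>
    <log_format>syslog</log_format>
    <location>/var/log/syslog</location>
  </localfile>

  <!-- Item 2: alert levels written to the alert log vs. emailed for investigation (thresholds assumed). -->
  <alerts>
    <log_alert_level>1</log_alert_level>
    <email_alert_level>7</email_alert_level>
  </alerts>
</ossec_config>
```

The alert log produced by this configuration is the raw material for the monthly review described in item 1; the email threshold determines which events reach a person immediately rather than waiting for that review.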