More and more security professionals succeed in convincing people that security is more than putting countermeasures in place. A structured analysis of the environment in which a security system is to be implemented is needed to identify weaknesses and select the most effective solutions that provide cost-efficient protection.
Quite a lot of research has been done over the past couple of years on what is called intrusion detection systems (IDSs). The models that have been proposed so far usually concentrate on network monitoring and event analysis. Some systems are able to generate warnings in real-time or even to dynamically take some sort of action to stop attacks on the network.
As the name ``intrusion detection system'' suggests, most of this research focused solely on intrusion into a computer network. As a consequence of this approach, many systems show fundamental shortcomings in design and subsequent implementation.
In the commercial world, the first products are emerging that try to take a comprehensive approach to computer security, with attention to the preceding analysis process and encompassing various aspects of security, mainly network and computer security. One can say that they concentrate not only on intrusion detection, but rather on security management. They could therefore be called adaptive security management systems (ASMSs).
As these systems are starting to emerge, they show many similarities but are nevertheless not able to interoperate. Now seems the moment to think about the consequences of these shortcomings for the future, both for the developers of the products and for the users.
Problems of interoperability and cost management are commonly tackled by trying to define standards for development and operation. Such standards require frameworks to streamline the efforts and create a shared understanding of the terminology used. In this work, we try to find out what such a model for standardization could look like and what its benefits -- and drawbacks -- might be.