Next: 4.3 Software development and Up: 4. Adaptive security system Previous: 4.1 Management of the

4.2 Performance versus risk

There are also technical issues that make an ASMS vulnerable. The first and most obvious point of attack is the event generation capability of an intrusion detection system: a monitor under stress will drop further incoming data. There are therefore trade-offs between performance and residual risk, and between accuracy and completeness.

In order to detect attacks in a stream of packets over the network, the monitor needs to keep state for the existing network connections, which may require a lot of memory and disk space. Discarding too much data constitutes a vulnerability; filtering too little leaves an opportunity for swamping the analysing engine. A monitoring system implemented on a user workstation may effectively bring that entire system down. Undue stress may prevent a monitor or security engine from reacting in real time, and therefore from reacting at all.

Monitors and security engines should be implemented on high-performance machines with sufficient resources. One has to decide what to monitor, based on which events are perceived to be the most important ones. False positives -- an alarm when no intrusion has taken place -- and false negatives -- no alarm when in fact there should have been one -- may play a role in making this decision. Quite probably, some events carry more information and a higher degree of certainty than others as to whether an attack is taking place. Clearly, these should be the ones to monitor more closely. Next, ranking threats according to their likelihood and impact -- or a weighted average of both -- gives some guidance concerning the priority with which an event is to be monitored and analysed.
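As an added illustration of the two points above (not code from the thesis): event classes are ranked by a weighted average of likelihood and impact, and a bounded monitor queue under stress sheds the lowest-ranked pending event rather than an arbitrary one. The event classes, their scores and the alpha weight are constructed assumptions.

```python
import heapq
from dataclasses import dataclass

@dataclass(frozen=True)
class EventClass:
    name: str
    likelihood: float  # estimated probability (0..1) that the event signals an attack
    impact: float      # relative damage (0..1) if that attack succeeds

def priority(ec, alpha=0.5):
    """Weighted average of likelihood and impact; alpha is the weight on likelihood."""
    return alpha * ec.likelihood + (1.0 - alpha) * ec.impact

class SheddingMonitorQueue:
    """Bounded event queue for a monitor under stress: when full it sheds the
    lowest-priority pending event, not the newest arrival, so overload discards
    the events carrying the least information about an attack."""
    def __init__(self, capacity, alpha=0.5):
        self.capacity, self.alpha = capacity, alpha
        self._heap = []     # min-heap of (priority, seq, event name, payload)
        self._seq = 0       # arrival counter: ties are broken by arrival order
        self.dropped = []   # names of shed events, for auditing the residual risk

    def offer(self, ec, payload):
        """Enqueue an event; returns False if it was shed on arrival."""
        self._seq += 1
        entry = (priority(ec, self.alpha), self._seq, ec.name, payload)
        if len(self._heap) < self.capacity:
            heapq.heappush(self._heap, entry)
            return True
        if entry[0] > self._heap[0][0]:           # outranks the weakest pending event
            self.dropped.append(heapq.heapreplace(self._heap, entry)[2])
            return True
        self.dropped.append(ec.name)              # too weak to displace anything
        return False

    def drain(self):
        """Hand pending events to the analysis engine, highest priority first."""
        out = sorted(self._heap, reverse=True)
        self._heap.clear()
        return [(name, payload) for _, _, name, payload in out]

def demo():
    """Constructed burst of six events (scores are illustrative, not from the
    thesis) against a queue with room for three."""
    icmp = EventClass("icmp_echo", likelihood=0.1, impact=0.1)
    scan = EventClass("port_scan", likelihood=0.6, impact=0.2)
    root = EventClass("failed_root_login", likelihood=0.5, impact=0.9)
    q = SheddingMonitorQueue(capacity=3)
    for ec in (icmp, icmp, scan, root, icmp, root): q.offer(ec, "constructed sample")
    return q.drain(), q.dropped
```

The `dropped` list is what a practitioner would review after an overload: it shows exactly which event classes were traded away for performance.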

The granularity of the monitoring and analysis is also important: part of the packet headers, the full headers, or the packet payload as well? All accesses to a particular resource, only specific types of access that require special privileges, only failed accesses, or all of them? At what level should analysis take place: physical, datalink, network, transport or application? At the level of the OS kernel, the operating system services, or the applications? A further question is how much information each security engine, and the eventual correlation engine, retains for further analysis.

Stress factors may also have an impact on the local and central monitoring systems and on the communication channels. Sound practices should be in place for managing logfiles, covering the storage media of the logs (to prevent them from being swamped), access to the logs, and backup and disposal of logged information. Ideally, a separate, dedicated communication infrastructure would exist for the components of the framework.


(c) 1998, Filip Schepers