IDS mailing list archives

Re: Question on resources needed to manage IDSes


From: simonis () att net
Date: Tue, 02 Dec 2003 14:44:57 +0000

> I am looking for a rule of thumb, something like this:
> 1-5 IDS sensors - 1 Analyst
> 5-15 IDS sensors - 2 Analysts
> 15-50 IDS sensors - 3 Analysts
> 1 Analyst for every 30 additional IDS sensors.

Are these the number of folks "at the screen" or the head count required?
If the latter, remember folks get sick and take vacation.  Also, consider
the need for 24x7 monitoring.  Such considerations really scale up the number
of bodies required.  

Another "hidden" cost is training and retention.  How likely are you to be 
able to find and maintain the staff needed to monitor your systems?  As to 
the numbers of eyes on the screens, this is heavily dependent on the location
of the sensors, the number of systems on the monitored segments, the 
response methodology in place, etc.  

Your numbers, however, don't make much sense.  What about that 3rd analyst is 
so special that they enable the monitoring of an additional 35 sensors, when
a single analyst alone can only monitor 5?  Then, after 50 sensors, an additional
analyst only enables the monitoring of 30 more sensors.  I suspect a more
linear scale is likely.  
