IDS mailing list archives
RE: Question on resources needed to manage IDSes
From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 1 Dec 2003 13:02:54 -0800
The reason you hear about alerts/alarms is because it doesn't matter how many sensors you have: if they are really quiet, you need fewer people to deal with the data. If they are really noisy, you need more people. Note: that isn't talking about managing the sensors, just analyzing the data they generate.

There really aren't good answers as far as I know. You would have to take into account the average complexity of the alerts, how effective the analysts' tools are, how much experience the analysts have... Each of those is going to impact the amount of time required to disposition an alert or series of related alerts.

t

-----Original Message-----
From: kgeorgiades () toplayer com [mailto:kgeorgiades () toplayer com]
Sent: Monday, December 01, 2003 7:16 AM
To: focus-ids () securityfocus com
Subject: Question on resources needed to manage IDSes

Everyone seems to be talking about the large volume of alarms and logs produced by IDSes. Managing IDSes and dealing with false alarms seems to be an issue that all IDS vendors are trying to address.

Has any one of you seen any data on how many analysts (resources) are needed to manage IDSes in enterprises? I am looking for a rule of thumb, something like this:

1-5 IDS sensors - 1 Analyst
5-15 IDS sensors - 2 Analysts
15-50 IDS sensors - 3 Analysts
1 Analyst for every 30 additional IDS sensors.

I will appreciate any feedback that I can get.

Thanks,
Kyriacos (Ken) Georgiades
Senior Director, Product Line Management
Top Layer Networks, Inc
Tel: 508 870 1300 x 231
Cell: 508 783 5988
Fax: 508 870 9797
Email: kgeorgiades () toplayer com
www.toplayer.com
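The point Toby makes above (analyst demand follows alert volume and disposition time, not sensor count) can be put into a small capacity model. The following is an added example written for this archive page, not code from either poster or from Top Layer. Every number in it is constructed: the sensor profiles, the 8-hour shift, the 70% of a shift assumed to be spent on triage, and the experience multiplier are all assumptions, and the `rule_of_thumb` function is one reading of the sensor-count table in Ken's message, written here only so the two approaches can be compared for the same fleet.

```python
"""
SOC staffing estimate driven by alert volume and disposition time
rather than by the number of IDS sensors.

Added example (not from the mailing-list thread). All figures are
constructed assumptions for illustration.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SensorProfile:
    """How one sensor loads the analysts, per day."""
    name: str
    alerts_per_day: float       # raw alerts emitted by the sensor
    related_group_size: float   # avg alerts the tooling collapses into one case
    minutes_per_case: float     # avg analyst minutes to disposition one case


def cases_per_day(sensors):
    """Cases the analysts must disposition after related alerts are grouped."""
    return sum(s.alerts_per_day / s.related_group_size for s in sensors)


def analyst_minutes_per_day(sensors):
    """Total triage minutes the fleet generates per day."""
    return sum((s.alerts_per_day / s.related_group_size) * s.minutes_per_case
               for s in sensors)


def analysts_required(sensors, shift_minutes=480, triage_fraction=0.7,
                      experience_factor=1.0):
    """
    Analysts needed per day for this fleet.

    shift_minutes     - assumed 8-hour shift (constructed)
    triage_fraction   - share of the shift actually spent on alerts (constructed)
    experience_factor - multiplier on disposition time; <1.0 models a
                        seasoned team, >1.0 a junior one (constructed)
    """
    workload = analyst_minutes_per_day(sensors) * experience_factor
    capacity_per_analyst = shift_minutes * triage_fraction
    return math.ceil(workload / capacity_per_analyst)


def rule_of_thumb(sensor_count):
    """
    One reading of the sensor-count table proposed in the original question
    (1-5 -> 1, 5-15 -> 2, 15-50 -> 3, then 1 per 30 more). Boundaries are
    resolved toward the lower band; that choice is ours, not the poster's.
    """
    if sensor_count <= 5:
        return 1
    if sensor_count <= 15:
        return 2
    if sensor_count <= 50:
        return 3
    return 3 + math.ceil((sensor_count - 50) / 30)


# Two constructed fleets of the same size: ten well-tuned sensors versus
# ten noisy ones. The rule of thumb gives both the same answer.
QUIET_FLEET = [SensorProfile("quiet", alerts_per_day=50,
                             related_group_size=5, minutes_per_case=6)] * 10
NOISY_FLEET = [SensorProfile("noisy", alerts_per_day=2000,
                             related_group_size=4, minutes_per_case=2)] * 10


def compare(fleet):
    """Return (rule-of-thumb analysts, volume-based analysts) for a fleet."""
    return rule_of_thumb(len(fleet)), analysts_required(fleet)


if __name__ == "__main__":
    for label, fleet in (("quiet", QUIET_FLEET), ("noisy", NOISY_FLEET)):
        thumb, modelled = compare(fleet)
        print(f"{label:5s}: {len(fleet)} sensors, "
              f"{cases_per_day(fleet):.0f} cases/day -> "
              f"rule of thumb {thumb}, volume model {modelled}")
```

Running it shows the same ten-sensor count landing on two analysts by the rule of thumb in both cases, while the volume model separates the fleets by an order of magnitude; lowering `experience_factor` or raising `related_group_size` (better correlation in the tooling) moves the noisy fleet's number down, which is exactly the "tools and experience" dependence Toby describes.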
Current thread:
- Question on resources needed to manage IDSes kgeorgiades (Dec 01)
- Re: Question on resources needed to manage IDSes Peter Schawacker (Dec 01)
- Re: Question on resources needed to manage IDSes Andy Cuff [Talisker] (Dec 01)
- Re: Question on resources needed to manage IDSes Jack Whitsitt (jofny) (Dec 02)
- <Possible follow-ups>
- Re: Question on resources needed to manage IDSes simonis (Dec 02)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Anton A. Chuvakin (Dec 09)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 10)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Terence Runge (Dec 02)
- RE: Question on resources needed to manage IDSes Kohlenberg, Toby (Dec 03)
- RE: Question on resources needed to manage IDSes Teicher, Mark (Mark) (Dec 03)
- RE: Question on resources needed to manage IDSes Morse, Greg (Dec 03)
- RE: Question on resources needed to manage IDSes Teicher, Mark (Mark) (Dec 10)
- Re: Question on resources needed to manage IDSes Jimi Thompson (Dec 15)
- Re: Dream IDS was Q on resources needed to manage IDSes Andy Cuff [Talisker] (Dec 16)
- Re: Question on resources needed to manage IDSes Jimi Thompson (Dec 15)
- RE: Question on resources needed to manage IDSes Mike Disley (Dec 10)