IDS mailing list archives
RE: Question on resources needed to manage IDSes
From: "Teicher, Mark (Mark)" <teicher () avaya com>
Date: Tue, 9 Dec 2003 08:33:25 -0700
Anton, I disagree. If the event correlation engine is designed correctly, human analysts should rarely be introduced into the equation of # of humans / # of sensors. It is a big "IF". Most MSPs didn't understand that designing event correlation engines takes time and money. If the MSPs had focused more on event correlation than on building nice SOCs to impress their potential customer base, this discussion would be irrelevant. Very few MSPs have perfected their event correlation engine in a scalable sense. Those who were almost there have been gobbled up by much larger companies who just bought into the market or just wanted to eliminate the "barbarians at the gate".

Compared to the number of MSPs in the marketplace over 5 years ago, compared to the number of MSPs left, it is fair to say they either:

a) Were acquired
b) Massive layoffs/management re-organization
c) Influenced a couple of analyst panels stating they have better technology, market share and are beating their competition
d) Have some guy with a pony tail as their CTO writing books and being quoted when a major security related news article is posted to the Internet, and get a couple of trial customers
e) Out of money

Some of the options may apply to the current market..

/mark

-----Original Message-----
From: Anton A. Chuvakin [mailto:anton () chuvakin org]
Sent: Friday, December 05, 2003 1:07 PM
To: focus-ids () securityfocus com
Subject: Re: Question on resources needed to manage IDSes
> 1-5 IDS sensors - 1 Analyst
> 5-15 IDS sensors - 2 Analysts

> being. It would be generous to assume a human could qualify a reasonably complex alert in 30 seconds. After that, it's simply a

The above also implies a certain usage scenario. One "complex alert in 30 seconds" implies that the analyst just sits there and stares at the console where alerts pop up - which might be neither the most common nor the most effective way. The tools available to analysts would also matter, namely, how much time it will take to collect the context info and to make a decision. I suspect the specific IDS usage details will heavily affect the "analyst to sensor" ratios.

--
Anton A. Chuvakin, Ph.D., GCI*
http://www.chuvakin.org
http://www.info-secure.org