Re: IPS, alternative solutions

[Kyle Maxwell <krmaxwell () gmail com>]

As 


On Fri, 17 Sep 2004 17:11:38 -0400, Jason <security () brvenik com> wrote:
> Cure, Samuel J wrote:
> > I do agree however with the resource requirements necessary for testing and
> > rolling out each patch or hotfix.

> I think we can all agree that IPS is no replacement for Patch
> Management. My point is that there is no demonstrable ROI that I have
> seen for IPS yet there appears to be a perception that it is a more cost
> effective way of dealing with the problem. This is likely a result of
> the parroting by some IPS vendors of a virtual patching concept. I am
> open to the case if it can be shown, this is why I asked anyone to
> provide an actual ROI.

Actually, I think what Samuel posted is the ROI: with shorter cycle
times between vulnerability disclosure to patch availability to
attacks (including worms), having IPS helps you protect servers during
that period between signature availability (hopefully very close to
vulnerability disclosure) and patch rollout. Not that I advocate
quarterly updates, but organizations do need some time to test the
patch and roll it out. That can range from a few days to a few weeks
(if problems arise) and reducing your exposure, even if it's not
totally eliminated, is valuable.

-- 
Kyle Maxwell
[krmaxwell () gmail com]

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------