Re: Value of IDS, ROI

[Fergus Brooks <fergwa () gmail com>]

We looked at this some time ago and one of my colleagues came across this:

Google ALE (Annual Loss Expectancy) - a way of quantifying risk and calculating
ROI in the operational risk arena.

ALE: calculate the cost of a threat being realized (e.g. house
burning down, US$500,000). Estimate the probability of this event
happening in a 12-month period (e.g. 1 in 1,000). Multiply cost by
probability (in this example, US$500). This provides you with the
maximum amount you should put aside to mitigate the risk each year
(to pay for insurance, sprinklers, whatever).  ALE allows you to
calculate the ROI precisely, to the cent.

There are some very interesting sites dealing with this, specifically
for IS, out there

Rgds.



On 5/30/05, Jonathan Glass <jonathan.glass () gmail com> wrote:
> One of my colleagues has come up with another strategy for answering the
> ROI question:  Security investments should be lumped into the insurance
> category.  The first year you purchase a piece of equipment, you outlay
> a large amount of cash, and receive some benefit, so there's some sort
> of ROI, but after that, it's all maintenance, and you have to shift the
> focus.  The new formula has to include the cost of NOT having this
> protection in place, and how much it would cost to have a major
> incident, which the Security solution would prevent.
>
> Right now we're still haggling over this repositioning of security
> investments, so we don't have any good formulas, but I'm sure they could
> be created.
>
> Jonathan
>
> Justin.Ross () signalsolutionsinc com wrote:
>
> > Tim, great marketing response :) I'll will do my best not to dissect it,
> > as a reply like that could only be expected from someone who works for an
> > IPS company hehe
> >
> > While I agree that a good IPS (such as Top Layer) is a great investment
> > and possibly capable of showing a positive ROI, I wouldn't say that an IDS
> > is incapable of also providing the same. What is the ROI of a burglar
> > alarm? What is the ROI of a carbon monoxide alarm? What is the ROI of a
> > smoke/fire alarm? None of those automatically prevent you from burning to
> > death in a fire, so why even purchase them? They clearly have no worth in
> > your line of reasoning.
> >
> > If anyone has ever written an ROI for one of those things I would like to
> > see it. Is it even necessary to write an ROI for such things (including
> > IDS/IPS)? Equating an IDS with a smoke alarm, and an IPS to a smoke alarm
> > with sprinklers, I really don't see how either of them could show a
> > negative ROI. What's the ROI for a burglar alarm? It doesn't capture the
> > burglar or keep the burglar from entering the building, does that negate
> > its value or its benefit?
> >
> > A CIO may ignore having an IDS/IPS or even a firewall, they can claim
> > ignorance to any problems, the same way a building manager can claim
> > ignorance not knowing there was a fire and never having thought to spend
> > the money for a smoke alarm. Could that building manager get sued for
> > gross incompetence/negligence? Could a CIO/CSO get sued for gross
> > incompetence/negligence if a certain attack had devastating consequences?
> >
> > Perhaps we can all go crash some liability attorney forum to ask, but my
> > bet would be that yes a company could get sued big time for not knowing
> > (or at least trying to know) an attack was taking place. How does the
> > avoidance of consequential litigation factor into an ROI?
> >
> > O day exploits are typically not alerted on (IDS) or prevented (IPS), does
> > that then negate a positive ROI for either of those two solutions?
> >
> > I personally don't know why a ROI would be necessary in any of those
> > scenarios. I've never had to write one, anywhere; simply because when you
> > demonstrate attacks are taking place to or from your resources and the
> > associated risks, an IDS/IPS sells itself; much like a smoke/burglar
> > alarm. I think the question isn't whether they bring value (positive ROI),
> > but whether or not one needs or can afford the model with integrated
> > sprinklers.
> >
> > YMMV
> >
> > Justin Ross
> > MCP+I, MCSE, CCNA, CCSA, CCSE
> > Senior Network Security Engineer
> > Signal Solutions Inc.    -   http://www.signalcorp.com
> > Email: Justin.Ross-at-signalsolutionsinc.com
> >
> >
> >
> >
> >
> > THolman () toplayer com
> > 05/19/2005 04:38 PM
> >
> > To
> > patel1210 () yahoo com, focus-ids () securityfocus com
> > cc
> >
> > Subject
> > RE: Value of IDS, ROI
> >
> >
> >
> >
> >
> >
> > Hi Jason,
> >
> > This is one of the big problems with IDS.  Being detection-based
> > technology,
> > IDS is only capable of detecting intrusions\worm\virus outbreaks, rather
> > than PREVENTING them.
> > What is the ROI of a detection-based system that alerts you to the fact
> > you're completely overrun by worm activity?  Absolutely nothing.  In fact,
> > if you are relying on IDS to protect you, you will face a negative ROI, as
> > by the time a zero-day attack gets past it, you will be losing money, even
> > more so if you've an online presence to protect.
> > Your CIO should ultimately be concerned in preventing attacks, rather than
> > detecting them, and you should steer his/her investments toward a good IPS
> > to compliment (and protect) existing IDS technology, and in some cases, do
> > away with IDS devices altogether, as they are simply not relevant in terms
> > of protection.
> >
> > Regards,
> >
> > Tim
> >
> >
> > -----Original Message-----
> > From: Jason Patel [mailto:patel1210 () yahoo com]
> > Sent: 03 May 2005 19:15
> > To: focus-ids () securityfocus com
> > Subject: Value of IDS, ROI
> >
> >
> >
> > I was wondering how big companies CIO show their executives Return of
> > investment on IDS. What is the monitoring strategy for IDS alerts. I am
> > trying to figure monitoring strategy and how to show my executive that how
> > important job this is, but cant come up with a convincing solution.
> > Anyhelp
> > is highly appreciated.
> >
> > Thanks,
> >
> > Jason
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------------------
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------------------
> >
> >
> >
> >
> > --------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks from
> > CORE IMPACT.
> > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> > to learn more.
> > --------------------------------------------------------------------------
>
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------