RE: Value of IDS, ROI

["Angel L Rivera" <arivera () mitre org>]

Adding to Bob's second paragraph - these regulations, require you to monitor
your audit logs for incidents - we know how long it used to take for one
person to review a basic audit log with thousands of entries every hour.
IDS can be used to monitor the logs and only alert on violations or
suspected violations - the savings in manpower to review them would be
pretty high - again do the math - no IDS, 10 people a day to review logs -
IDS 1-2 people to review logs

You can also use IDS, even though there are better tools, to monitor systems
that have not been patched with the latest security patch. New worm comes
out exploiting a new vulnerability, which systems need to be patch, right
away and which can be patched later 

-----Original Message-----
From: Bob Huber [mailto:roberthuberjr () yahoo com] 
Sent: Tuesday, May 03, 2005 8:31 PM
To: focus-ids () securityfocus com
Subject: Re: Value of IDS, ROI

The easiest approach would be to quantify the cost of
any worm outbreaks, outages, or compromises you have
already had if you have the data handy, or guesstimate
what the cost of an outage of one of your information
assets would be.

The second thing that is compelling is the fact that
most large companies, depending on their industry,
have legal requirements to have some form of IDS.  For
example, healthcare, insurance have HIPAA, financial
institutions have Graham-Leach-Bliley, FDIC, SEC, OCC,
Sarbanes Oxley etc..  Some of these regulations levy a
fine for lack of controls.

As far as a monitoring strategy, that all depends on
the level of risk you are willing to accept and the
value of your assets/information.  Are you processing
customer data, social security numbers, credit card
numbers, bank accounts, or just hosting a static web
site?  There are a million factors here to contend
with, pick up your nearest CISSP cram book.

Supposing you have something worth protecting, at a
minimum, you should at least look for signs of a
compromise, rather than scans, sweeps and information
probes.  While looking at probes, and reconnaissance
is fun for an IDS geek, if you don't have time, and no
dedicated security staff, just worry about the heavy
hitter events and log everything else so when you DO
have a compromise you at least have the data available
for review.

This is a quick and simplistic view..I'm certain there
are all sorts of articles on the web on such topics,
as well as books.

Bob
--- Jason Patel <patel1210 () yahoo com> wrote:
> I was wondering how big companies CIO show their
> executives Return of investment on IDS. What is the
> monitoring strategy for IDS alerts. I am trying to
> figure monitoring strategy and how to show my
> executive that how important job this is, but cant
> come up with a convincing solution. Anyhelp is
> highly appreciated. 
>
> Thanks,
>
> Jason

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------