IDS mailing list archives
RE: Value of IDS, ROI
From: "Angel L Rivera" <arivera () mitre org>
Date: Wed, 4 May 2005 09:02:57 -0400
Adding to Bob's second paragraph - these regulations require you to monitor your audit logs for incidents - we know how long it used to take for one person to review a basic audit log with thousands of entries every hour. IDS can be used to monitor the logs and only alert on violations or suspected violations - the savings in manpower to review them would be pretty high - again, do the math - no IDS, 10 people a day to review logs - IDS, 1-2 people to review logs.

You can also use IDS, even though there are better tools, to monitor systems that have not been patched with the latest security patch. New worm comes out exploiting a new vulnerability - which systems need to be patched right away, and which can be patched later?

-----Original Message-----
From: Bob Huber [mailto:roberthuberjr () yahoo com]
Sent: Tuesday, May 03, 2005 8:31 PM
To: focus-ids () securityfocus com
Subject: Re: Value of IDS, ROI

The easiest approach would be to quantify the cost of any worm outbreaks, outages, or compromises you have already had if you have the data handy, or guesstimate what the cost of an outage of one of your information assets would be.

The second thing that is compelling is the fact that most large companies, depending on their industry, have legal requirements to have some form of IDS. For example, healthcare and insurance have HIPAA; financial institutions have Gramm-Leach-Bliley, FDIC, SEC, OCC, Sarbanes-Oxley, etc. Some of these regulations levy a fine for lack of controls.

As far as a monitoring strategy, that all depends on the level of risk you are willing to accept and the value of your assets/information. Are you processing customer data, social security numbers, credit card numbers, bank accounts, or just hosting a static web site? There are a million factors here to contend with; pick up your nearest CISSP cram book.

Supposing you have something worth protecting, at a minimum, you should at least look for signs of a compromise, rather than scans, sweeps and information probes. While looking at probes and reconnaissance is fun for an IDS geek, if you don't have time, and no dedicated security staff, just worry about the heavy hitter events and log everything else so when you DO have a compromise you at least have the data available for review.

This is a quick and simplistic view. I'm certain there are all sorts of articles on the web on such topics, as well as books.

Bob

--- Jason Patel <patel1210 () yahoo com> wrote:

I was wondering how big companies' CIOs show their executives return on investment on IDS. What is the monitoring strategy for IDS alerts? I am trying to figure out a monitoring strategy and how to show my executive how important this job is, but can't come up with a convincing solution. Any help is highly appreciated.

Thanks,
Jason