IDS mailing list archives
Re: Value of IDS, ROI
From: Bamm Visscher <bamm.visscher () gmail com>
Date: Thu, 5 May 2005 10:51:02 -0500
Loki, On 5/5/05, Eric Hines <eric.hines () appliedwatch com> wrote:
Visscher, I completely disagree with you.
That's fine. Everyone has a right to their opinion, but did you even read the article that Rich referenced in his blog?
ROI can and should be calculated in the acquisition of any security solution, INCLUDING IDS. Your very argument is contradictory to what you're saying as the early warning of a compromise and making the IT security department more efficient is the very definition of ROI. Let me define it for you, Return on Investment is calculating returns on the investment made in a particular item or person. ROI should be used when evaluating the purchase of any solution. My employees time is money, wasted time equals to loss in money. If they can save 4-8 hours when investigating an incident at $250.00/hr == $2,000 and my security solution cost $800, I've made $1,200 back in ROI.
No, actually you've shown how your security solution reduced a loss. Don't misunderstand me, this is a GOOD THING, but you cannot define an ROI based on the expectation of a loss and you also cannot define ROI as the savings from a loss that has already occured. Pete Lindstrom gave a good example of showing ROI with replacing expensive leased lines with VPNs. That is a tangible benefit. By spending X dollars now, you 'gain' Y dollars in the future. The difference being with IDS you spend X dollars now in order to reduce a POTENTIAL loss in the future.
There are many instances in which ROI has been realized. For example: 1) An IPS stopping a worm at the perimeter of a network, preventing widespread infection. A company calculating the costs from a previous worm outbreak can easily calculate ROI on the purchase of their IPS. 2) A recent incident I was responding to whereupon a company was able to begin shipping product after being down only a few hours rather than all day. If they would have been down all day, this lab wouldn't have been able to ship over $4 million in product. That solution only cost them $12K.. That's a $3.9 million realized ROI. There are too many real world situations of ROI realized on the purchase of security solutions rather than referencing an opinionated BLOG post made by Richard on Tao Security. Why do you keep referencing it anyway, is it because he reviewed Sguil in the Tao book?
I referenced Rich's blog because it's where I originally saw the link to the story and because I thought his comments were insightful. Rich is a very good friend of mine and someone whose "opinions" I have great respect for. Yes, I reference his blog a lot, I suppose that says a lot about how much I respect him and his opinion. I expect it's also because Rich and I tend to share the same opinions and have had numerous discussion on many of the topics posted in his blog. Rich's blog is wildly popular, and I am not the only one in the community who has this respect for Rich's opinion. For the record, I wouldn't call the chapter on Sguil a "review". NSM is a process that Rich and I spent a lot of time discussing and defining together. Out those discussions came Sguil and "The Tao NSM". It only makes sense that in the book, Rich covers Sguil and why when I am expaining the "how" of Sguil I would ref Rich's blog and TAO. Back on the topic of IDS, ROI, and why I linked to that particular blog entry. Read the actual article that Rich references. Take a look at who wrote the freaking thing. I'll make it easy: LAWRENCE A. GORDON is Ernst & Young Alumni Professor of Managerial Accounting and Information Assurance at the Robert H. Smith School of Business, University of Maryland. Write to him at lgordon () rhsmith umd edu. ROBERT RICHARDSON is editorial director at the Computer Security Institute (CSI). Write to him at rrichardson () cmp com. So, even if you don't agree with Rich or my opinion, here are two guys whose qualifications that far exceed yours or ours, explaining how and why ROI cannot be applied to information security (the big blanket IDS falls under).
Jason, one of the many answers to your question would be to find out how much time the IDS has saved you in centralizing all of the alerts on your network, sped up the response time to real incidents, and reduced wasted time in investigating false positives. Take that time and multiply it by your hourly rate, this is one of many formulas you can use in calculating the ROI for the purchase of your IDS'. Several ROI formulas exist out there. Just google some.. Here is one I just found. http://searchcio.techtarget.com/ateQuestionNResponse/0,289625,sid19_cid56833 5_tax292624,00.html "Do you have any simple ROI formulas that utilize Excel? This question posed on 20 January 2004 The base ROI formula, which can easily be plugged into Excel, is: (benefits - cost) / benefits * 100 percent The benefits and costs are the cumulative of all benefits over the analysis period -- typically three to five years for any IT project, but no longer. Of course, the details on exactly how to calculate the benefits and costs for a particular project is the more difficult part as each company has unique opportunity for benefits, costs and risks and each project's unique costs and benefits need to be calculated at a detailed level. To access ROI calculators for more complex initiatives, Alinean has samples developed for several leading IT vendors including HP, SAP, EMC, Intel and Sunguard available here. In addition, more detail on the ROI calculation and other key financial performance measurements can be found in my free e-book: IT Value Chain Management (Alinean Press, 2003). " Best Regards, Eric Hines
ROI is not the only way to show value, so don't think just because you can't show ROI, that IDS has no value. If that were true, no one would buy insurance. Read the article referenced in Rich's blog. It provides an alternative measurement of an IDS's value and one that CFOs, CIOs, and CEOs will better understand and except. Bammkkkk -- sguil - The Analyst Console for NSM http://sguil.sf.net -------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Value of IDS, ROI Jason Patel (May 03)
- RE: Value of IDS, ROI Ed Gibbs (May 03)
- Re: Value of IDS, ROI Vladimir Vuksan (May 03)
- Re: Value of IDS, ROI Bamm Visscher (May 04)
- RE: Value of IDS, ROI Eric Hines (May 06)
- Re: Value of IDS, ROI Bamm Visscher (May 06)
- RE: Value of IDS, ROI Pete Lindstrom (May 06)
- RE: Value of IDS, ROI Eric Hines (May 06)
- <Possible follow-ups>
- Re: Value of IDS, ROI Bob Huber (May 03)
- RE: Value of IDS, ROI Angel L Rivera (May 04)
- Re: Value of IDS, ROI Jason Patel (May 06)
- RE: Value of IDS, ROI John Forristel (SunGard-Chico) (May 06)
- Re: Value of IDS, ROI Chris Byrd (May 06)
- RE: Value of IDS, ROI Federico Lombardo (May 11)
- RE: Value of IDS, ROI THolman (May 19)
- RE: Value of IDS, ROI Justin . Ross (May 28)
- Re: Value of IDS, ROI Jonathan Glass (May 31)
- RE: Value of IDS, ROI Justin . Ross (May 28)