IDS mailing list archives
Re: ROI on IDS/IPS products
From: Mark Stingley <infosec () altsec info>
Date: Sat, 28 Feb 2009 09:11:06 -0600
Sorry to say, but that big telecom company sounds like it may be the one that lets all the SQL Slammer, aspROX, PHP Includes, and many other attacks hit my IPS inbound, where they are stopped.
An IPS is a critical component of defense-in-depth. It's not a magic box that can be installed with default filters. It takes daily attention from a trained network security analyst who does threat analysis and tunes the device to protect against the attacks that it can best detect.
Anything beyond the capabilities of the firewall and IPS calls for network traffic analysis and anomaly detection.
As far as ROI is concerned, I agree with the other writers about 'no such thing' and the fine writings of Mr. Bejtlich. Let me ask you this: what's the ROI on flood insurance, hurricane insurance, insurance on company vehicles, or even vehicle inspections and registration?
Ask TJX, Heartland, and all the other victims of major intrusions about the ROI of looking like complete morons for not spending enough on trained, professional network security analysts and giving them the tools they need to do their job.
You want examples of attacks that any good IPS can block? Most SQL injection attacks. Most PHP attacks. Vulnerable PDF, ActiveX, and document transmission. Bad network traffic. Many buffer overflow attacks. Many zero-day or emerging threats. Most cross-site scripting. Many, many platform-specific vulnerabilities. They're not perfect, but I sure wouldn't want to do without mine.

Ravi Chunduru wrote:
I was talking to a junior security administrator working for a big telecom company. He said something which is worrying. After a few years of IPS deployment in a particular department, they decided to remove IPS devices. It was felt that they did not find enough ROI to justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and reports. It appears that no major incidents were detected by network IPS devices. They felt that signature coverage is either poor or not timely. I also was told that these IPS devices are from industry leaders. Can you share your experiences? Any examples of successful detection and prevention of major attacks and penetration by IPS devices?
Thanks,
Ravi