IDS mailing list archives

Re: ROI on IDS/IPS products


From: Joel M Snyder <Joel.Snyder () Opus1 COM>
Date: Thu, 05 Mar 2009 10:01:05 -0700

Speaking to the ROI, someone already observed that in at least one environment it was concluded that patch management was addressing an overlapping set of low-hanging fruit and that therefore the IPS was no longer earning its keep.

As an interesting coincidence, I advised a client on that last night: they were being told that their managed firewall on a 20-person branch office was being jacked up from $100/month to $400/month because of the IPS, and I told them that if they put that money into better patch discipline, it would be better spent.

HOWEVER, I like to say in my lectures on IPS that focusing on the IPS as a way of preventing intrusion attacks tends to discount the huge value of the IPS. Personally, I have to agree with naysayers: sticking an IPS out near the firewall on a well managed network isn't going to catch much coming in. But there are LOTS of other wonderful things that the IPS will help tell you about, including:
        - internally infected systems
        - misconfigured applications
        - misconfigured firewalls
        - misconfigured routing
        - misconfigured NAT boxes (I see this A LOT)
        - network usage
        - data leaks
        - inappropriate applications or unknown applications

And I see those as valuable and part of the IPS "earning its keep." The notion that a properly managed IDS at TJX would have saved them the embarrassment of their data breach is a fiction promoted only by people who don't understand what IPS/IDS does but do want to sell you something.

I have some graphs which, in words, essentially say this:

- chances someone will break into your network: about 1%
- chances that an IPS would have caught it: about 20%
(in other words: with a firewall and good patch discipline, it probably won't happen to you, and if it does, the IPS probably won't catch it)
AND
- chances you have a security problem on your network: 100%
- chances an IPS will help you discover and fix these: 100%

When I tell clients they need/want/should have an IPS, it's not because of some motivated external attacker this will help, but it's because they need better security visibility in their network and they don't have it.

I have a long-standing bet which I have never lost that says if we put an IDS on your network, I can guarantee that it will tell you something about your security that you didn't know, but should.

jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms () Opus1 COM                http://www.opus1.com/jms
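The post's point is that the findings an IDS is worth keeping for are mostly not inbound attacks but internally infected hosts, NAT and routing misconfigurations, data leaks and the like. One practical way to surface those from a pile of alerts is to triage by traffic direction rather than by signature severity. The script below is an added example written for this archive page, not code from the poster or from any IDS product; the internal address ranges and the alert lines are constructed placeholders, and the simplified "src,dst,signature" format is assumed rather than any real sensor's output.

```python
"""Triage IDS alerts by traffic direction so that the findings the post
lists (internally infected hosts, NAT/routing misconfigurations, data
leaks) stand out from the inbound attempts most people buy an IPS for.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed: the organisation's own address space (placeholder values).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# RFC 1918 ranges listed explicitly; ipaddress.is_private also covers the
# documentation ranges (198.51.100.0/24 etc.) used below, so it is avoided.
RFC1918 = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed sample alerts, "src,dst,signature"; not real sensor output.
SAMPLE_ALERTS = """\
203.0.113.7,10.1.2.3,WEB-ATTACK SQL injection attempt
10.1.5.20,198.51.100.9,MALWARE-CNC known bot beacon
10.1.5.20,198.51.100.9,MALWARE-CNC known bot beacon
192.168.4.8,203.0.113.50,POLICY outbound SMTP from non-mail host
10.1.2.3,10.1.9.9,SCAN internal port sweep
172.16.0.5,198.51.100.9,POLICY RFC1918 source seen on external sensor
"""


def in_any(addr, nets):
    ip = ip_address(addr)
    return any(ip in net for net in nets)


def classify(src, dst):
    """Bucket one alert by where the traffic came from and went to."""
    src_internal = in_any(src, INTERNAL_NETS)
    dst_internal = in_any(dst, INTERNAL_NETS)
    if not src_internal and in_any(src, RFC1918):
        # A private address that is not ours reaching the sensor usually
        # means a NAT box or route is misconfigured somewhere.
        return "unexpected-private-source"
    if src_internal and dst_internal:
        return "lateral"            # internal scanning or infection spread
    if src_internal:
        return "outbound"           # infected host, data leak, policy violation
    return "inbound"                # the classic external attack attempt


def triage(alert_text):
    """Return (bucket counts, internal hosts ranked by non-inbound alerts)."""
    buckets = Counter()
    hosts = Counter()
    for line in alert_text.strip().splitlines():
        src, dst, _sig = line.split(",", 2)
        bucket = classify(src, dst)
        buckets[bucket] += 1
        if bucket != "inbound":
            hosts[src] += 1     # these are the "things you didn't know" hosts
    return buckets, hosts


if __name__ == "__main__":
    buckets, hosts = triage(SAMPLE_ALERTS)
    for bucket, n in buckets.most_common():
        print(f"{bucket:26s} {n}")
    print("hosts to look at first:")
    for host, n in hosts.most_common():
        print(f"  {host:15s} {n}")
```

Run against the constructed sample, one of six alerts is an inbound attempt; the other five point at an internal host beaconing, an internal port sweep, a non-mail host sending SMTP, and a stray private address, which is the kind of visibility the post is talking about. On real sensor output the parser is the only part that needs replacing.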