IDS mailing list archives
Re: ROI on IDS/IPS products
From: Frank Knobbe <frank () knobbe us>
Date: Fri, 27 Feb 2009 18:17:13 -0600
On Fri, 2009-02-27 at 09:08 -0800, Ravi Chunduru wrote:
> I was talking to a junior security administrator working for a big telecom company. He said something which is worrying. After a few years of IPS deployment in a particular department, they decided to remove IPS devices. It was felt that they did not find enough ROI to justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and reports. It appears that no major incidents were detected by network IPS devices. They felt that signature coverage is either poor or not timely. I also was told that these IPS devices are from industry
Discussion around the term ROI aside, your question should not have been about "ROI on IDS/IPS products", but rather about "IDS/IPS *deployments*". You can have a great product that works really well (Snort comes to mind), but deploy it completely wrong. While the "ROI" of the product exists, the deployment makes it a complete waste of funds.

I'm not sure which product you are referring to (though I can make a good guess :), and yes, there are products that conform to their company's marketing material and get you a check-box on your compliance audits, but are actually worthless. Other products are great, but again, if they are not *deployed* correctly and/or *used* correctly, then these deployments are also a waste of time and money.

I think too many people expect to buy an IDS/IPS off the shelf, read the manual, get it set up, and think the task is done. IDS/IPS boxes are tricky and require expertise to properly configure and use. If that expertise doesn't exist in your organization, hire someone that does have the expertise and can help not just with implementing the IDS/IPS, but also assist in creating a group that can actually manage and use it on a continuous basis.

Cheers,
Frank

--
It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.