IDS mailing list archives
Re: Question on resources needed to manage IDSes
From: "Peter Schawacker" <peter () schawacker com>
Date: Mon, 1 Dec 2003 12:54:35 -0800
Ken,

The number of sensors isn't as important as the organization's required alert response time. One FTE can handle dozens of sensors if the customer is willing to tolerate pager-based monitoring after hours. Some shops don't mind waiting until 9:00 to respond to alerts. One I once worked for required that someone always be watching the scope. That meant that at least two individuals had to be scheduled in the NOC 24/7 in case somebody had to take a nature break. In that particular NOC there were about a dozen IDS sensors and more than 100 firewalls, plus various other infrastructure monitoring going on.

Also consider that in medium and large companies, there is going to be more than one type of analyst. Even understaffed IDS teams tend to have multiple tiers of engineers.

Bottom line is covering office and on-call schedules, vacations, training, sick days, attrition (how many good analysts want to work nights?) and special circumstances is a much more important problem than how many sensors one has. Sorry there's no easy formula. For most companies IDS staffing comes down to loading the analysis function on top of already overworked engineers.

Peter

----- Original Message -----
From: <kgeorgiades () toplayer com>
To: <focus-ids () securityfocus com>
Sent: Monday, December 01, 2003 7:16 AM
Subject: Question on resources needed to manage IDSes
Everyone seems to be talking about the large volume of alarms and logs produced by IDSes. Managing IDSes and dealing with false alarms seems to be an issue that all IDS vendors are trying to address. Has any one of you seen any data on how many analysts (resources) are needed to manage IDSes in enterprises? I am looking for a rule of thumb, something like this:

1-5 IDS sensors - 1 Analyst
5-15 IDS sensors - 2 Analysts
15-50 IDS sensors - 3 Analysts
1 Analyst for every 30 additional IDS sensors.

I will appreciate any feedback that I can get.

Thanks,
Kyriacos (Ken) Georgiades
Senior Director, Product Line Management
Top Layer Networks, Inc
Tel: 508 870 1300 x 231
Cell: 508 783 5988
Fax: 508 870 9797
Email: kgeorgiades () toplayer com
www.toplayer.com
Current thread:
- Question on resources needed to manage IDSes kgeorgiades (Dec 01)
- Re: Question on resources needed to manage IDSes Peter Schawacker (Dec 01)
- Re: Question on resources needed to manage IDSes Andy Cuff [Talisker] (Dec 01)
- Re: Question on resources needed to manage IDSes Jack Whitsitt (jofny) (Dec 02)
- <Possible follow-ups>
- Re: Question on resources needed to manage IDSes simonis (Dec 02)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Anton A. Chuvakin (Dec 09)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 10)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Terence Runge (Dec 02)
- RE: Question on resources needed to manage IDSes Kohlenberg, Toby (Dec 03)
- RE: Question on resources needed to manage IDSes Teicher, Mark (Mark) (Dec 03)
- RE: Question on resources needed to manage IDSes Morse, Greg (Dec 03)