IDS mailing list archives
Re: Question on resources needed to manage IDSes
From: Jeff Nathan <jeff () snort org>
Date: Tue, 2 Dec 2003 12:15:38 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Dec 2, 2003, at 9:44 AM, simonis () att net wrote:
> > I am looking for a rule of thumb, something like this:
> > 1-5 IDS sensors - 1 Analyst
> > 5-15 IDS sensors - 2 Analysts
> > 15-50 IDS sensors - 3 Analysts
> > 1 Analyst for every 30 additional IDS sensors.
>
> Are these the number of folks "at the screen" or the head count required? If the latter, remember folks get sick and take vacation. Also, consider the need for 24x7 monitoring. Such considerations really scale up the number of bodies required.
[...]
Your numbers, however, don't make much sense. What about that 3rd analyst is so special that they enable the monitoring of an additional 35 sensors, when a single analyst alone can only monitor 5? Then, after 50 sensors, an added analyst only enables the monitoring of 30 more sensors. I suspect a more linear scale is likely.
A more reasonable approach would probably be to consider the alert rates in question and how many of them need to be looked at by a human being. It would be generous to assume a human could qualify a reasonably complex alert in 30 seconds. After that, it's simply a matter of doing the math.
One analyst for 30 sensors might scale if those sensors had very low alert rates. I don't think this is a sufficient model for staffing analysts.
I'd determine what the alert rates are and of those alerts how many can be qualified in post processing automatically.
- -Jeff

- --
The most technical single-track security conference in the West.
Vancouver B.C., Canada April, 2004 http://cansecwest.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)

iD8DBQE/zMi+Eqr8+Gkj0/0RAp5nAKCMq6GEcP/PXK2cRLq1H4sogPXbgQCffrX2
zSbJLtF3SL17hDoIsInp4pU=
=7Kjq
-----END PGP SIGNATURE-----
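The "do the math" approach Jeff describes (alert rate, minus what post-processing qualifies automatically, times time per alert) combined with the 24x7 and sick-leave point from simonis, worked through as an added example that is not part of this thread. The sensor list, alert rates, automation fractions, shift length and absence allowance are all constructed assumptions; only the 30 seconds per alert figure comes from the message.

```python
"""Alert-rate based staffing estimate for an IDS monitoring team.

Added example, not from the mailing list thread. Every number below except
SECONDS_PER_ALERT (Jeff's "generous" 30 s) is a constructed assumption.
"""
import math
from dataclasses import dataclass

SECONDS_PER_ALERT = 30          # time for a human to qualify one alert (from the message)
PRODUCTIVE_HOURS_PER_SHIFT = 6  # assumption: an 8 h shift yields ~6 h of screen time
SHIFTS_PER_DAY = 3              # assumption: 24x7 coverage in three shifts
ANALYST_DAYS_PER_WEEK = 5       # assumption: one analyst works five shifts a week
ABSENCE_FACTOR = 1.15           # assumption: 15% extra for sick leave, vacation, training


@dataclass
class Sensor:
    name: str
    alerts_per_day: float
    auto_qualified_fraction: float  # share closed by automated post-processing


def human_alerts_per_day(sensors):
    """Alerts left over for a person after automatic qualification."""
    return sum(s.alerts_per_day * (1.0 - s.auto_qualified_fraction) for s in sensors)


def analyst_hours_per_day(sensors, seconds_per_alert=SECONDS_PER_ALERT):
    """Total human effort per day, in hours."""
    return human_alerts_per_day(sensors) * seconds_per_alert / 3600.0


def seats_required(sensors, seconds_per_alert=SECONDS_PER_ALERT):
    """Concurrent analysts "at the screen" needed on each shift (never below one)."""
    hours_per_shift = analyst_hours_per_day(sensors, seconds_per_alert) / SHIFTS_PER_DAY
    return max(1, math.ceil(hours_per_shift / PRODUCTIVE_HOURS_PER_SHIFT))


def headcount_required(seats):
    """Head count needed to fill `seats` on every shift, seven days a week,
    with an allowance for absences. This is the number that differs from
    'seats' once 24x7 coverage is taken into account."""
    shift_slots_per_week = seats * SHIFTS_PER_DAY * 7
    return math.ceil(shift_slots_per_week / ANALYST_DAYS_PER_WEEK * ABSENCE_FACTOR)


def staffing_estimate(sensors):
    seats = seats_required(sensors)
    return {
        "sensors": len(sensors),
        "human_alerts_per_day": round(human_alerts_per_day(sensors), 1),
        "analyst_hours_per_day": round(analyst_hours_per_day(sensors), 1),
        "seats_per_shift": seats,
        "headcount": headcount_required(seats),
    }


# Constructed sample: 10 noisy perimeter sensors with good automated triage,
# 20 quieter internal sensors with less of it. 30 sensors in total, which the
# rule of thumb quoted in the thread would staff with 3 analysts.
SAMPLE_SENSORS = (
    [Sensor(f"perimeter-{i:02d}", alerts_per_day=5000, auto_qualified_fraction=0.95) for i in range(10)]
    + [Sensor(f"internal-{i:02d}", alerts_per_day=500, auto_qualified_fraction=0.80) for i in range(20)]
)

if __name__ == "__main__":
    for key, value in staffing_estimate(SAMPLE_SENSORS).items():
        print(f"{key:>22}: {value}")
```

With these assumptions the 30 sensors leave 4500 alerts a day for people, about 37.5 analyst-hours, which is 3 seats per shift but 15 people on the payroll once the shifts, weekends and absences are counted. Changing `auto_qualified_fraction` is the lever Jeff points at: the head count tracks the residual alert rate, not the sensor count.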
Current thread:
- Question on resources needed to manage IDSes kgeorgiades (Dec 01)
- Re: Question on resources needed to manage IDSes Peter Schawacker (Dec 01)
- Re: Question on resources needed to manage IDSes Andy Cuff [Talisker] (Dec 01)
- Re: Question on resources needed to manage IDSes Jack Whitsitt (jofny) (Dec 02)
- <Possible follow-ups>
- Re: Question on resources needed to manage IDSes simonis (Dec 02)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Anton A. Chuvakin (Dec 09)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 10)
- Re: Question on resources needed to manage IDSes Jeff Nathan (Dec 02)
- Re: Question on resources needed to manage IDSes Terence Runge (Dec 02)
- RE: Question on resources needed to manage IDSes Kohlenberg, Toby (Dec 03)
- RE: Question on resources needed to manage IDSes Teicher, Mark (Mark) (Dec 03)
- RE: Question on resources needed to manage IDSes Morse, Greg (Dec 03)
- RE: Question on resources needed to manage IDSes Teicher, Mark (Mark) (Dec 10)
- Re: Question on resources needed to manage IDSes Jimi Thompson (Dec 15)
- Re: Dream IDS was Q on resources needed to manage IDSes Andy Cuff [Talisker] (Dec 16)
- Re: Question on resources needed to manage IDSes Jimi Thompson (Dec 15)
- RE: Question on resources needed to manage IDSes Mike Disley (Dec 10)