IDS mailing list archives

RE: Question on resources needed to manage IDSes


From: "Kohlenberg, Toby" <toby.kohlenberg () intel com>
Date: Mon, 1 Dec 2003 13:02:54 -0800

The reason you hear about alerts/alarms is because it doesn't
matter how many sensors you have, if they are really quiet, you
need fewer people to deal with the data. If they are really noisy,
you need more people.
Note- that isn't talking about managing the sensors, just analyzing
the data they generate.
There really aren't good answers as far as I know. You would have to
take into account the average complexity of the alerts, how effective
the analysts' tools are, how much experience the analysts have....
Each of those is going to impact the amount of time required to
disposition an alert or series of related alerts.

t

-----Original Message-----
From: kgeorgiades () toplayer com [mailto:kgeorgiades () toplayer com] 
Sent: Monday, December 01, 2003 7:16 AM
To: focus-ids () securityfocus com
Subject: Question on resources needed to manage IDSes



Everyone seems to be talking about the large volume of alarms and logs
produced by IDSes.
Managing IDSes and dealing with false alarms seems to be an issue that
all IDS vendors are trying to address.

Has any one of you seen any data on how many analysts (resources) are
needed to manage IDSes in enterprises?

I am looking for a rule of thumb, something like this:
1-5 IDS sensors - 1 Analyst
5-15 IDS sensors - 2 Analysts
15-50 IDS sensors - 3 Analysts
1 Analyst for every 30 additional IDS sensors.

I will appreciate any feedback that I can get.

Thanks,

Kyriacos (Ken) Georgiades
Senior Director, Product Line Management
Top Layer Networks, Inc
Tel: 508 870 1300 x 231
Cell: 508 783 5988
Fax: 508 870 9797
Email: kgeorgiades () toplayer com
www.toplayer.com
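As an added illustration of Toby's point (example code written for this archive page, not from either poster), here is a small Python staffing model that sizes analyst headcount from daily alert volume and the mean time to disposition an alert rather than from sensor count, with Ken's proposed sensor-count rule of thumb alongside for comparison. All sensor counts, alert rates, triage times, the tuning suppression rate and the 8-hour/75% analyst capacity figures are constructed assumptions, and the rule's bracket boundaries are an interpretation of his table.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class SensorGroup:
    """A set of sensors with similar alert behaviour. All values are constructed
    assumptions for the example, not measurements from any real deployment."""
    name: str
    sensors: int
    alerts_per_sensor_per_day: float
    minutes_per_alert: float          # mean analyst time to disposition one alert
    auto_closed_fraction: float = 0.0  # share removed by tuning/tooling before a human sees it


def daily_review_minutes(group: SensorGroup) -> float:
    """Analyst minutes per day consumed by the alerts that actually reach a human."""
    raw_alerts = group.sensors * group.alerts_per_sensor_per_day
    reviewed = raw_alerts * (1.0 - group.auto_closed_fraction)
    return reviewed * group.minutes_per_alert


def analysts_by_workload(groups, hours_per_day: float = 8.0,
                         utilization: float = 0.75) -> int:
    """Whole analysts needed so the day's alert work fits in available analyst time.
    utilization < 1.0 reserves time for tuning, escalation and reporting."""
    minutes = sum(daily_review_minutes(g) for g in groups)
    capacity_per_analyst = hours_per_day * 60.0 * utilization
    return max(1, math.ceil(minutes / capacity_per_analyst))


def analysts_by_sensor_count(sensors: int) -> int:
    """Ken's proposed rule of thumb, read as: 1-5 -> 1, 6-15 -> 2, 16-50 -> 3,
    then one more analyst per 30 sensors beyond 50. Bracket edges are an assumption."""
    if sensors <= 5:
        return 1
    if sensors <= 15:
        return 2
    if sensors <= 50:
        return 3
    return 3 + math.ceil((sensors - 50) / 30)


# Constructed scenarios: a large, well-tuned fleet and a small, very noisy one.
QUIET_FLEET = [SensorGroup("quiet", sensors=50, alerts_per_sensor_per_day=10.0,
                           minutes_per_alert=2.0)]
NOISY_FLEET = [SensorGroup("noisy", sensors=5, alerts_per_sensor_per_day=500.0,
                           minutes_per_alert=4.0)]
# Same noisy fleet after tuning suppresses 80% of alerts before human review.
TUNED_NOISY_FLEET = [SensorGroup("noisy-tuned", sensors=5,
                                 alerts_per_sensor_per_day=500.0,
                                 minutes_per_alert=4.0, auto_closed_fraction=0.8)]


def compare(groups) -> dict:
    """Return both estimates for a fleet so the two sizing approaches can be contrasted."""
    sensors = sum(g.sensors for g in groups)
    return {
        "sensors": sensors,
        "review_minutes_per_day": sum(daily_review_minutes(g) for g in groups),
        "analysts_by_workload": analysts_by_workload(groups),
        "analysts_by_sensor_count": analysts_by_sensor_count(sensors),
    }


if __name__ == "__main__":
    for fleet in (QUIET_FLEET, NOISY_FLEET, TUNED_NOISY_FLEET):
        print(fleet[0].name, compare(fleet))
```

With these assumed numbers the 50 quiet sensors need three analysts under both approaches, but the five noisy sensors need 28 by workload against one by sensor count; cutting 80% of the noise with tuning brings the same five sensors down to six. The sensor-count rule only tracks reality when alert volume per sensor and disposition time happen to be uniform.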

