IDS mailing list archives

RE: Recent anti-NIDS Gartner article


From: "Jim Butterworth" <res0qh1m () verizon net>
Date: Tue, 17 Jun 2003 11:47:59 -0700

I think an IDS is a lot like an insurance policy.  Think of it like
this: it is, in theory, a great solution to the growing information
security threats and trends.  But an IDS is not a panacea.  It is not
something that can fairly be measured for ROI.  How do you justify ROI
every month when you pay auto insurance and never ever have an accident?
What about the deductible that you have to pay anyway when you need to
make a claim?   All's I can say to that is, when you need it, it'd
better be good coverage!

How will you find out what is going on internal to your network if you
don't use an IDS?  A firewall will only stop a packet it knows of, and
that is at the border of your network.  What about the insider threat?
What about a concept that watches those with the "keys" to the
company?  Wouldn't it be better to park an IDS on the company's "crown
jewels" server than try and design a firewall solution to protect the
machine?  Sure, you can do both, but wouldn't it be really cool to be
able to tell the CEO who internally was trying to gain access to the
corporate secrets?  That is money, to me...

r/Jim Butterworth

-----Original Message-----
From: Reverman, Peter C [mailto:peter.c.reverman () intel com] 
Sent: Tuesday, June 17, 2003 10:42 AM
To: Mike Blomgren; focus-ids () securityfocus com
Subject: RE: Recent anti-NIDS Gartner article

Disclaimer:  My views are not the views of my company, etc., etc.
==================================================================
Because not everyone wants to spend the money on NIDS as they don't
understand the value (loss prevented).  

This is the typical money allocation question, just like everyone has
locks on their doors but far fewer have cameras, there will be only
cameras installed (IDS's) where there is money budgeted (Unclear loss
prevention - IDS have an unclear perception of value due to complexity)
allocated but there will always be locks (firewalls - clear perception
of loss prevention) because of perception they prevent loss.

IDS's provide proof of attack (proof of loss=$) which provides forensics
for investigations which leads to actions in some cases that stop a
problem (eliminated loss to the business).

It is all about loss prevention and proof that attacks are happening now
which now can be prevented (loss prevention).  

        ROI = (Loss Prevented) - (Cost of IDS system).

This formula indicates you better not spend more on IDS than the loss
prevented to get positive ROI.

Calculating loss prevention is fairly easy using the many available
examples (FBI study 2002) to show current losses being incurred around
the globe.

Thanks, Peter


-----Original Message-----
From: Mike Blomgren [mailto:mike.blomgren () secode com]
Sent: Tuesday, June 17, 2003 9:27 AM
To: focus-ids () securityfocus com
Subject: RE: Recent anti-NIDS Gartner article


If IDS is the loser, and a firewall is the solution - then why do we
have surveillance cameras when we would be better off with good locks on
our doors? 



------------------------------------------------------------------------
-------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas,
the 
world's premier technical IT security event! 10 tracks, 15 training
sessions, 
1,800 delegates from 30 nations including all of the top experts, from
CSO's to 
"underground" security specialists.  See for yourself what the buzz is
about!  
Early-bird registration ends July 3.  This event will sell out.
www.blackhat.com
------------------------------------------------------------------------
-------


