IDS mailing list archives
Re: Value of IDS, ROI
From: ADT <synfinatic () gmail com>
Date: Wed, 1 Jun 2005 13:38:17 -0700
Hey Justin,

The problem with your argument is that an IDS is not at all like a smoke, burglar or CO2 alarm. Here's why:

All three of those alarms you mention are "set and forget". Meaning, there's no cost (in terms of management or monitoring) to them (well, other than the 9v battery you're supposed to replace every 6 months). You don't have to check the smoke alarm logs to see if you've got a fire; it proactively lets you know you've got a problem. IDS's, as you know, have to be constantly monitored by trained people (preferably 24x7) to be effective. I guess you could do the log->pager gateway thing, but I've yet to see anyone who doesn't turn it off after a few nights of being woken up at 3am by the damned thing. These other alarms have enough perceived value and low rate of false positives that this happens far less often.

Also, when one of those alarms goes off, the cost to respond is also very low. Not only is it relatively obvious what the correct action is to take, the number of false positives involved with these alarms is also very low. Investigating a potential intrusion on your network, however, can be both costly in time/effort as well as $$$.

Third, a burglar alarm isn't for letting you know someone has stolen your TV; when you walk into your home, it's quite obvious. Burglar alarms are a means of giving a would-be burglar incentive to go somewhere else. I've yet to see a company post on their website a sign which says "This network is protected by XXXX IDS." Doing so would also probably be counterproductive since then they'd know what evasive action to take to avoid detection. Arguably the same could be said about burglar alarms, but there seems to be much more info/research which is publicly available on IDS evasion than burglar alarms.

Of course most burglar alarms have a monthly fee, but that is often offset in terms of lower homeowners insurance and peace of mind that it will reduce the likelihood of someone robbing you.
-Aaron, who doesn't work for any IDS/IPS vendor.

On 5/24/05, Justin.Ross () signalsolutionsinc com <Justin.Ross () signalsolutionsinc com> wrote:
Tim, great marketing response :) I will do my best not to dissect it, as a reply like that could only be expected from someone who works for an IPS company hehe

While I agree that a good IPS (such as Top Layer) is a great investment and possibly capable of showing a positive ROI, I wouldn't say that an IDS is incapable of also providing the same.

What is the ROI of a burglar alarm? What is the ROI of a carbon monoxide alarm? What is the ROI of a smoke/fire alarm? None of those automatically prevent you from burning to death in a fire, so why even purchase them? They clearly have no worth in your line of reasoning. If anyone has ever written an ROI for one of those things I would like to see it. Is it even necessary to write an ROI for such things (including IDS/IPS)?

Equating an IDS with a smoke alarm, and an IPS to a smoke alarm with sprinklers, I really don't see how either of them could show a negative ROI. What's the ROI for a burglar alarm? It doesn't capture the burglar or keep the burglar from entering the building; does that negate its value or its benefit?

A CIO may ignore having an IDS/IPS or even a firewall; they can claim ignorance to any problems, the same way a building manager can claim ignorance not knowing there was a fire and never having thought to spend the money for a smoke alarm. Could that building manager get sued for gross incompetence/negligence? Could a CIO/CSO get sued for gross incompetence/negligence if a certain attack had devastating consequences? Perhaps we can all go crash some liability attorney forum to ask, but my bet would be that yes, a company could get sued big time for not knowing (or at least trying to know) an attack was taking place. How does the avoidance of consequential litigation factor into an ROI?

0-day exploits are typically not alerted on (IDS) or prevented (IPS); does that then negate a positive ROI for either of those two solutions?
I personally don't know why a ROI would be necessary in any of those scenarios. I've never had to write one, anywhere; simply because when you demonstrate attacks are taking place to or from your resources and the associated risks, an IDS/IPS sells itself; much like a smoke/burglar alarm. I think the question isn't whether they bring value (positive ROI), but whether or not one needs or can afford the model with integrated sprinklers.

YMMV

Justin Ross
MCP+I, MCSE, CCNA, CCSA, CCSE
Senior Network Security Engineer
Signal Solutions Inc. - http://www.signalcorp.com
Email: Justin.Ross-at-signalsolutionsinc.com

THolman () toplayer com
05/19/2005 04:38 PM
To patel1210 () yahoo com, focus-ids () securityfocus com
cc
Subject RE: Value of IDS, ROI

Hi Jason,

This is one of the big problems with IDS. Being detection-based technology, IDS is only capable of detecting intrusions\worm\virus outbreaks, rather than PREVENTING them.

What is the ROI of a detection-based system that alerts you to the fact you're completely overrun by worm activity? Absolutely nothing. In fact, if you are relying on IDS to protect you, you will face a negative ROI, as by the time a zero-day attack gets past it, you will be losing money, even more so if you've an online presence to protect.

Your CIO should ultimately be concerned with preventing attacks, rather than detecting them, and you should steer his/her investments toward a good IPS to complement (and protect) existing IDS technology, and in some cases, do away with IDS devices altogether, as they are simply not relevant in terms of protection.

Regards,
Tim

-----Original Message-----
From: Jason Patel [mailto:patel1210 () yahoo com]
Sent: 03 May 2005 19:15
To: focus-ids () securityfocus com
Subject: Value of IDS, ROI

I was wondering how big companies' CIOs show their executives return on investment on IDS. What is the monitoring strategy for IDS alerts?
I am trying to figure out a monitoring strategy and how to show my executive how important this job is, but can't come up with a convincing solution. Any help is highly appreciated.

Thanks,
Jason

--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
-- http://synfin.net/