RE: Value of IDS, ROI

["Eric Hines" <eric.hines () appliedwatch com>]

Visscher, I completely disagree with you. 

ROI can and should be calculated in the acquisition of any security
solution, INCLUDING IDS. Your very argument is contradictory to what you're
saying as the early warning of a compromise and making the IT security
department more efficient is the very definition of ROI. Let me define it
for you, Return on Investment is calculating returns on the investment made
in a particular item or person. ROI should be used when evaluating the
purchase of any solution.

My employees time is money, wasted time equals to loss in money. If they can
save 4-8 hours when investigating an incident at $250.00/hr == $2,000 and my
security solution cost $800, I've made $1,200 back in ROI.

There are many instances in which ROI has been realized. For example:

1) An IPS stopping a worm at the perimeter of a network, preventing
widespread infection. A company calculating the costs from a previous worm
outbreak can easily calculate ROI on the purchase of their IPS. 

2) A recent incident I was responding to whereupon a company was able to
begin shipping product after being down only a few hours rather than all
day. If they would have been down all day, this lab wouldn't have been able
to ship over $4 million in product. That solution only cost them $12K..
That's a $3.9 million realized ROI.

There are too many real world situations of ROI realized on the purchase of
security solutions rather than referencing an opinionated BLOG post made by
Richard on Tao Security. Why do you keep referencing it anyway, is it
because he reviewed Sguil in the Tao book?

Jason, one of the many answers to your question would be to find out how
much time the IDS has saved you in centralizing all of the alerts on your
network, sped up the response time to real incidents, and reduced wasted
time in investigating false positives. Take that time and multiply it by
your hourly rate, this is one of many formulas you can use in calculating
the ROI for the purchase of your IDS'.

Several ROI formulas exist out there. Just google some.. Here is one I just
found.

http://searchcio.techtarget.com/ateQuestionNResponse/0,289625,sid19_cid56833
5_tax292624,00.html
"Do you have any simple ROI formulas that utilize Excel?
This question posed on 20 January 2004

The base ROI formula, which can easily be plugged into Excel, is:

(benefits - cost) / benefits * 100 percent

The benefits and costs are the cumulative of all benefits over the analysis
period -- typically three to five years for any IT project, but no longer.
Of course, the details on exactly how to calculate the benefits and costs
for a particular project is the more difficult part as each company has
unique opportunity for benefits, costs and risks and each project's unique
costs and benefits need to be calculated at a detailed level.

To access ROI calculators for more complex initiatives, Alinean has samples
developed for several leading IT vendors including HP, SAP, EMC, Intel and
Sunguard available here.

In addition, more detail on the ROI calculation and other key financial
performance measurements can be found in my free e-book: IT Value Chain
Management (Alinean Press, 2003). "




Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102
Tel: (877) 262-7593 e:327
Fax: (877) 262-7593
Mob: (847) 456-6785
Web: http://www.appliedwatch.com
----------------------------------------------------------------------------
- 
Enterprise Snort Management at http://www.appliedwatch.com.
Security Information Management for the Open Source Enterprise.
----------------------------------------------------------------------------
-



-----Original Message-----
From: Bamm Visscher [mailto:bamm.visscher () gmail com] 
Sent: Wednesday, May 04, 2005 8:44 AM
To: Jason Patel
Cc: focus-ids () securityfocus com
Subject: Re: Value of IDS, ROI

There is no calculating ROI for security (including IDS) [0]. A CIO should
be able to understand that. Security is about mitigating loss, much like
insurance. You should focus on explaining how your IDS implementation will
help protect the investment your company has made in IT. An IDS should
provide early warnings of a compromise and other security events. It will
also help you quickly determine the scope of the event, escalate the
activity to the correct departments, and the data gathered will make the
remediation effort more efficient.

Bammkkkk

[0]
http://taosecurity.blogspot.com/2004/04/calculating-security-roi-is-waste-of
.html


On 3 May 2005 18:15:19 -0000, Jason Patel <patel1210 () yahoo com> wrote:
> I was wondering how big companies CIO show their executives Return of
investment on IDS. What is the monitoring strategy for IDS alerts. I am
trying to figure monitoring strategy and how to show my executive that how
important job this is, but cant come up with a convincing solution. Anyhelp
is highly appreciated.
> Thanks,
>
> Jason
>
> ----------------------------------------------------------------------
> ----
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from 
> CORE IMPACT.
> Go to 
> http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ----------------------------------------------------------------------
> ----


--
sguil - The Analyst Console for NSM
http://sguil.sf.net

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------



--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------