Re: Value of IDS, ROI

[Bamm Visscher <bamm.visscher () gmail com>]

Loki,

On 5/5/05, Eric Hines <eric.hines () appliedwatch com> wrote:
> Visscher, I completely disagree with you.

That's fine. Everyone has a right to their opinion, but did you even
read the article that Rich referenced in his blog?

> ROI can and should be calculated in the acquisition of any security
> solution, INCLUDING IDS. Your very argument is contradictory to what you're
> saying as the early warning of a compromise and making the IT security
> department more efficient is the very definition of ROI. Let me define it
> for you, Return on Investment is calculating returns on the investment made
> in a particular item or person. ROI should be used when evaluating the
> purchase of any solution.
>
> My employees time is money, wasted time equals to loss in money. If they can
> save 4-8 hours when investigating an incident at $250.00/hr == $2,000 and my
> security solution cost $800, I've made $1,200 back in ROI. 

No, actually you've shown how your security solution reduced a loss.
Don't misunderstand me, this is a GOOD THING, but you cannot define an
ROI based on the expectation of a loss and you also cannot define ROI
as the savings from a loss that has already occured. Pete Lindstrom
gave a good example of showing ROI with replacing expensive leased
lines with VPNs. That is a tangible benefit. By spending X dollars
now, you 'gain' Y dollars in the future.  The difference being with
IDS you spend X dollars now in order to reduce a POTENTIAL loss in the
future.

> There are many instances in which ROI has been realized. For example:
>
> 1) An IPS stopping a worm at the perimeter of a network, preventing
> widespread infection. A company calculating the costs from a previous worm
> outbreak can easily calculate ROI on the purchase of their IPS.
>
> 2) A recent incident I was responding to whereupon a company was able to
> begin shipping product after being down only a few hours rather than all
> day. If they would have been down all day, this lab wouldn't have been able
> to ship over $4 million in product. That solution only cost them $12K..
> That's a $3.9 million realized ROI.
>
> There are too many real world situations of ROI realized on the purchase of
> security solutions rather than referencing an opinionated BLOG post made by
> Richard on Tao Security. Why do you keep referencing it anyway, is it
> because he reviewed Sguil in the Tao book?

I referenced Rich's blog because it's where I originally saw the link
to the story and because I thought his comments were insightful. Rich
is a very good friend of mine and someone whose "opinions" I have
great respect for.  Yes, I reference his blog a lot, I suppose that
says a lot about how much I respect him and his opinion.  I expect
it's also because Rich and I tend to share the same opinions and have
had numerous discussion on many of the topics posted in his blog.
Rich's blog is wildly popular, and I am not the only one in the
community who has this respect for Rich's opinion.  For the record, I
wouldn't call the chapter on Sguil a "review". NSM is a process that
Rich and I spent a lot of time discussing and defining together. Out
those discussions came Sguil and "The Tao NSM".  It only makes sense
that in the book, Rich covers Sguil and why when I am expaining the
"how" of Sguil I would ref Rich's blog and TAO.

Back on the topic of IDS, ROI, and why I linked to that particular
blog entry. Read the actual article that Rich references. Take a look
at who wrote the freaking thing. I'll make it easy:

LAWRENCE A. GORDON is Ernst & Young Alumni Professor of Managerial
Accounting and Information Assurance at the Robert H. Smith School of
Business, University of Maryland. Write to him at
lgordon () rhsmith umd edu.

ROBERT RICHARDSON is editorial director at the Computer Security
Institute (CSI). Write to him at rrichardson () cmp com.

So, even if you don't agree with Rich or my opinion, here are two guys
whose qualifications that far exceed yours or ours, explaining how and
why ROI cannot be applied to information security (the big blanket IDS
falls under).
 
> Jason, one of the many answers to your question would be to find out how
> much time the IDS has saved you in centralizing all of the alerts on your
> network, sped up the response time to real incidents, and reduced wasted
> time in investigating false positives. Take that time and multiply it by
> your hourly rate, this is one of many formulas you can use in calculating
> the ROI for the purchase of your IDS'.
>
> Several ROI formulas exist out there. Just google some.. Here is one I just
> found.
>
> http://searchcio.techtarget.com/ateQuestionNResponse/0,289625,sid19_cid56833
> 5_tax292624,00.html
> "Do you have any simple ROI formulas that utilize Excel?
> This question posed on 20 January 2004
>
> The base ROI formula, which can easily be plugged into Excel, is:
>
> (benefits - cost) / benefits * 100 percent
>
> The benefits and costs are the cumulative of all benefits over the analysis
> period -- typically three to five years for any IT project, but no longer.
> Of course, the details on exactly how to calculate the benefits and costs
> for a particular project is the more difficult part as each company has
> unique opportunity for benefits, costs and risks and each project's unique
> costs and benefits need to be calculated at a detailed level.
>
> To access ROI calculators for more complex initiatives, Alinean has samples
> developed for several leading IT vendors including HP, SAP, EMC, Intel and
> Sunguard available here.
>
> In addition, more detail on the ROI calculation and other key financial
> performance measurements can be found in my free e-book: IT Value Chain
> Management (Alinean Press, 2003). "
>
> Best Regards,
>
> Eric Hines

ROI is not the only way to show value, so don't think just because you
can't show ROI, that IDS has no value. If that were true, no one would
buy insurance. Read the article referenced in Rich's blog. It provides
an alternative measurement of an IDS's value and one that CFOs, CIOs,
and CEOs will better understand and except.

Bammkkkk

-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------