RE: Value of IDS, ROI

["Ed Gibbs" <ed () digitalconclave com>]

Jason,

Positioning IDS/IPS to the CxO level if very difficult, because the return
is basically not realized until the product actually proves itself by
preventing or detecting something significant.  Things to bring up include:

*       Capital Cost: sensor(s), management software, additional hardware,
maintenance
*       Operational Cost: installation, policy implementation,
tuning/analysis, software/hardware updates, monitoring, remote management,
personal, etc.
*       Business Benefit
        - Cost of not detecting/preventing attacks (risk)
        - Cost of downtime including manpower and disruption in
business/productivity
        - Attack recovery cost

 Risk, in this case, is defined as a measurement of uncertainty around a
given investment in technology.  Uncertainty is measured from several
perspectives: one is the likelihood that he technoogy will not perform as
expected.  This impacts cost and benefit estimates by potentially reducing
the benefits that will ultimately be achieved as well as increasing the
costs of the investment.  Second, lack of accountability and incentive to
measure the success of the investment, particularly enterprise wide
benefits, will ultimately result in lack of a demonstrated return.  

 I like to use the auto insurance scenario, because it's something that we
don't see any return on unless something happens, then we ultimately need
it.  

I have more information and example spreadsheets on how to calculate capital
cost, operational cost, and benefits if you would like a copy.  You also may
want to consider investing your money in IPS, rather than IDS.  The majority
of IPS products today can still be used as an IDS, however, you have the
option of going in-line and blocking attacks rather than just detecting,
which will go further.  McAfee IntruShield, TippingPoint UnityOne, ISS
RealSecure, NitroSecurity, and others are well worth the investment.

-Ed
760-687-6768
ed () digitalconclave com
IPS Experts

 

-----Original Message-----
From: Jason Patel [mailto:patel1210 () yahoo com]
Sent: Tuesday, May 03, 2005 11:15 AM
To: focus-ids () securityfocus com
Subject: Value of IDS, ROI



I was wondering how big companies CIO show their executives Return of
investment on IDS. What is the monitoring strategy for IDS alerts. I am
trying to figure monitoring strategy and how to show my executive that how
important job this is, but cant come up with a convincing solution. Anyhelp
is highly appreciated.

Thanks,

Jason

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE
IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------