IDS mailing list archives

Re: ROI on IDS/IPS products

From: Mark Stingley <infosec () altsec info>
Date: Sat, 28 Feb 2009 09:11:06 -0600

Sorry to say, but that big telecom company sounds like it may be the one thatlets all the SQL Slammer, aspROX, PHP Includes, and many other attacks hit myIPS inbound, where they are stopped.

An IPS is a critical component of defense-in-depth. It's not a magic box thatcan be installed with default filters. It takes daily attention from atrained network security analyst who does threat analysis and tunes the deviceto protect against the attacks that it can best detect.

Anything beyond the capabilities of the firewall and IPS call for networktraffic analysis and anomaly detection.

As far as ROI is concerned, I agree with the other writers about 'no suchthing' and the fine writings of Mr. Betjlich. Let me ask you this; what's theROI on flood insurance, hurricane insurance, insurance on company vehicles, oreven vehicle inspections and registration?

Ask TJX, Heartland, and all the other victims of major intrusions about theROI of looking like complete morons for not spending enough on trained,professional network security analysts and giving them the tools they need todo their job.


You want examples of attacks that any good IPS can block?

Most SQL injection attacks.
Most PHP attacks.
Vulnerable PDF, activex, and document transmission.
Bad network traffic.
Many buffer overflow attacks.
Many zero-day or emerging threats.
Most cross-site scripting.
Many, many platform specific vulnerabilities.

They're not perfect, but I sure wouldn't want to do without mine.

Ravi Chunduru wrote:

I was talking to a junior security administartor working for a big
telecom company.  He said something which is worrying.  After few
years of IPS deployment in particular department, they  decided to
remove IPS devices.  It was felt that they did not find enough ROI to
justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and
reports. It apperas that no major incidents were detected by network
IPS devices.  they felt that signature coverage is either poor or not
timely. i also was told that these IPS devices are from industry
leaders.

Can you share your experiences?  Any examples of successful detection
and prevention of major attacks and penetration by IPS devices.

Thanks
Ravi

Current thread:

Re: ROI on IDS/IPS products, (continued)
- - - Re: ROI on IDS/IPS products Scott (Mar 03)
    - Re: ROI on IDS/IPS products Stefano Zanero (Mar 06)
    - Re: ROI on IDS/IPS products Webmaster 003 (Mar 03)
    - Re: ROI on IDS/IPS products Joel M Snyder (Mar 03)
    - Re: ROI on IDS/IPS products Joel Jaeggli (Mar 05)
    - Re: ROI on IDS/IPS products Webmaster 003 (Mar 05)
    - Re: ROI on IDS/IPS products Joel M Snyder (Mar 05)
    - Re: ROI on IDS/IPS products Ravi Chunduru (Mar 06)
    - Re: ROI on IDS/IPS products Joel Jaeggli (Mar 06)
- Re: ROI on IDS/IPS products Joel Jaeggli (Mar 02)
- Re: ROI on IDS/IPS products Mark Stingley (Mar 02)
- Re: ROI on IDS/IPS products aditya mukadam (Mar 04)
  - RE: ROI on IDS/IPS products Kirk, James P. (Mar 05)