IDS mailing list archives

Re: ROI on IDS/IPS products

From: Joel M Snyder <Joel.Snyder () Opus1 COM>
Date: Tue, 03 Mar 2009 10:11:04 -0700



Webmaster 003 wrote:

I think the easiest way would be to buy a device with a consultingcompany doing the backend stuff. Then the "user" can stay fat andhappy, with a set monthly cost.

In my opinion, and in my experience, this doesn't work. Or, more importantly,it works for people who want to have an IPS/IDS, but don't actually care what itsays.

The reason is simple: the "hard work" of an IPS/IDS is putting the alerts incontext to your own network.

If you go to a MSSP, they are very good at understanding what "smtp: attemptedcommand buffer overflow" means. However, they have no concept of what it meansTO YOU. They don't know if you're patched. They don't know if that server isvulnerable. And they don't know the relative value of that server to you. Theyalso don't have access to the server, so they can't easily check things likepatch levels, tripwire logs, etc.

If you consider that operating an IPS/IDS is half knowing network security, andhalf knowing your network, the problem is that an MSSP only knows half of whatthey should.

Yes, I'm sure lots of MSSPs will pass this around, outraged at my suggestionthat they aren't doing people much good.

But my experience is that most people with MSSP-monitored IDS/IPS only getalerted for the absolute most egregious horrible problems; they do NOT get acontinuous security improvement program that will help them avoid such problems.

The IPS/IDS is NOT an intrusion prevention tool; it is a network securityvisibility and risk management tool. Someone who sticks an IPS at the edge oftheir network expecting that this will somehow help them from being cracked intois going to be spending a LOT of money for little benefit; they have read waaaaytoo many white papers by vendors trying to sell IPS and waaaay too littleinformation about what it means to secure a network.

I am fond of saying that an IPS/IDS is a protocol analyzer for the securityteam, much as a Sniffer or Ethereal box is a protocol analyzer for the networkteam. If you use it as such to continuously identify and mitigate risks in yournetwork, you'll get value.

If you treat it as a refrigerator, then you don't understand (or, more likely,have been misled) what an IPS/IDS does and where it brings value. If you ONLYwant to treat it as a refrigerator, then you're better off doing something elsewith your dollars.


jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms () Opus1 COM                http://www.opus1.com/jms

Current thread:

RE: Re: ROI on IDS/IPS products, (continued)
- RE: Re: ROI on IDS/IPS products Brandon Louder (Mar 02)
  - Re: Re: ROI on IDS/IPS products Ray (Mar 03)
- Re: ROI on IDS/IPS products Frank Knobbe (Mar 02)
  - Re: ROI on IDS/IPS products Jeremy Bennett (Mar 02)
    - Re: ROI on IDS/IPS products Stefano Zanero (Mar 02)
    - Re: ROI on IDS/IPS products Jeremy Bennett (Mar 02)
    - Message not available
    - Re: ROI on IDS/IPS products Jeremy Bennett (Mar 03)
    - Re: ROI on IDS/IPS products Scott (Mar 03)
    - Re: ROI on IDS/IPS products Stefano Zanero (Mar 06)
    - Re: ROI on IDS/IPS products Webmaster 003 (Mar 03)
    - Re: ROI on IDS/IPS products Joel M Snyder (Mar 03)
    - Re: ROI on IDS/IPS products Joel Jaeggli (Mar 05)
    - Re: ROI on IDS/IPS products Webmaster 003 (Mar 05)
    - Re: ROI on IDS/IPS products Joel M Snyder (Mar 05)
    - Re: ROI on IDS/IPS products Ravi Chunduru (Mar 06)
    - Re: ROI on IDS/IPS products Joel Jaeggli (Mar 06)
- Re: ROI on IDS/IPS products Joel Jaeggli (Mar 02)
- Re: ROI on IDS/IPS products Mark Stingley (Mar 02)
- Re: ROI on IDS/IPS products aditya mukadam (Mar 04)
  - RE: ROI on IDS/IPS products Kirk, James P. (Mar 05)