IDS mailing list archives

Re: ROI on IDS/IPS products

From: Frank Knobbe <frank () knobbe us>
Date: Fri, 27 Feb 2009 18:17:13 -0600

On Fri, 2009-02-27 at 09:08 -0800, Ravi Chunduru wrote:

I was talking to a junior security administartor working for a big
telecom company.  He said something which is worrying.  After few
years of IPS deployment in particular department, they  decided to
remove IPS devices.  It was felt that they did not find enough ROI to
justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and
reports. It apperas that no major incidents were detected by network
IPS devices.  they felt that signature coverage is either poor or not
timely. i also was told that these IPS devices are from industry



Discussion around the term ROI aside, your question should not have been
about "ROI on IDS/IPS products", but rather about "IDS/IPS
*deployments*". 

You can have a great product that works really well (Snort comes to
mind), but deploy it completely wrong. While the "ROI" of the product
exists, the deployment makes it a complete waste of funds.

I'm not sure which product you are referring to (though I can make a
good guess :), and yes, there are products that conform to their
companies marketing material and get you a check-box on your compliance
audits, but are actually worthless. Other products are great, but again,
if they are not *deployed* correctly and/or *used* correctly, then these
deployments are also a waste of time and money.

I think too many people expect to buy an IDS/IPS off the shelf, read the
manual, get it set up, and think the task is done. IDS/IPS boxes are
tricky and require expertise to properly configure and use. If that
expertise doesn't exist in your organization, hire someone that does
have the expertise and can help not just implementing the IDS/IPS, but
also assist creating a group that can actually manage and use it on a
continuous basis.

Cheers,
Frank


-- 
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.

Attachment: signature.asc
Description: This is a digitally signed message part

Current thread:

Re: ROI on IDS/IPS products Ray (Mar 02)
- RE: Re: ROI on IDS/IPS products Brandon Louder (Mar 02)
  - Re: Re: ROI on IDS/IPS products Ray (Mar 03)
- <Possible follow-ups>
- Re: ROI on IDS/IPS products Frank Knobbe (Mar 02)
  - Re: ROI on IDS/IPS products Jeremy Bennett (Mar 02)
    - Re: ROI on IDS/IPS products Stefano Zanero (Mar 02)
    - Re: ROI on IDS/IPS products Jeremy Bennett (Mar 02)
    - Message not available
    - Re: ROI on IDS/IPS products Jeremy Bennett (Mar 03)
    - Re: ROI on IDS/IPS products Scott (Mar 03)
    - Re: ROI on IDS/IPS products Stefano Zanero (Mar 06)
    - Re: ROI on IDS/IPS products Webmaster 003 (Mar 03)
    - Re: ROI on IDS/IPS products Joel M Snyder (Mar 03)
    - Re: ROI on IDS/IPS products Joel Jaeggli (Mar 05)
    - Re: ROI on IDS/IPS products Webmaster 003 (Mar 05)

(Thread continues...)