IDS mailing list archives

ROI (ROSI?) on IDP devices


From: Ravi Chunduru <ravi.is.chunduru () gmail com>
Date: Sat, 28 Feb 2009 11:03:44 -0800

Hi,

I got many responses on my previous thread with the subject ROI on
IDS/IPS devices. Looks like I gave the wrong impression that all
security measures were taken off. I was specifically pointing out IDP
devices. I only wanted to gauge ROI (ROSI?) justification with respect
to IDPs specifically. With respect to that, I was asking for specific
examples of positive experiences one had or is having with IDP devices.

I got two responses privately to my previous thread which seem to
question the value of IDP devices. One of the responses is interesting,
and it seems to suggest that after they had chosen "Patch Management
Systems", they are hardly finding a use for the IDP device. I have
taken permission from the respondent to give the gist of the
explanation. It is a Microsoft house, i.e. mostly Microsoft products
are used in the organization. The IDP device vendor they went with
provides protection measures (rule updates) only when Microsoft
releases patches. Sometimes rule updates for Microsoft vulnerabilities
are given by the IPS vendor after 2 to 7 days. Patch Management systems
would have patched the systems and software by that time, rendering IPS
protection useless. Client-side attack detection by IDP devices is not
really effective, and antivirus software on desktops seems to do a
better job. The respondent seems to feel that IDP devices are good only
if legacy software is used for which the software vendor does not
provide patches. It appears that this house has some web applications.
To protect from web application attacks, they seem to use a web
application firewall. With the protection provided by the "Patch
Management System", "Web application firewall" and traditional firewall
devices, justification for continuation of IDP devices seems to be on a
slippery slope. At the end he mentioned that other types of deployments
might see value in IDP devices.

The other response I got is vague on details and seems to suggest that
many buy these devices out of fear, but realize eventually that they
are not as effective as they thought.

I hope I will get some responses with positive experiences of using
IDS/IPS devices.

Thanks
Ravi


