Re: How does and IDS help to save money??

From: Mike Shaw (mshaw@wwisp.com)
Date: 04/15/02 

Date: Mon, 15 Apr 2002 13:52:00 -0500
To: Shripal Meghani <maegabyte@yahoo.com>, focus-ids@securityfocus.com
From: Mike Shaw <mshaw@wwisp.com>

>1) how does one judge the value of an IDS in the
>network?
>2) How does it help in saving money? (over say
>something like a firewall)
>3) What is the ROI on purchasing an IDS
>4) And what is the TCO for the same

They are looking at an IDS in the wrong manner. Security software is used
for risk management, not generally for production (unless you're providing
risk management services).

To help put it in perspective for the company, re-ask questions 2 3 and 4
about:

-Insurance policies held by the company
-Tapes and tape drives (and other disaster recovery functions)
-Attorneys on retainer or otherwise maintained "just in case"
-Door locks
-Evacuation plans
-Camera systems
-Burglar alarms
-Fire sprinkler systems, etc.

The answers *should* be something like:

2) IDS (depending on the answer in #1) minimizes risk to information/data
by catching an attack before the bad guys hit paydirt, or before
significant damage is done. It also provides critical audit data that will
minimize investigation costs, and increase the chances of recouping costs
via legal means. So it doesn't save money unless you're compromized, which
is a risk analysis question.
3) ROI is closely related to #2. What is the ROI of fire
insurance? Nothing, unless you have a fire. (or you have a regulatory
requirement of some sort that requires insurance and you'll be shut down
w/o it)
4) TCO is pretty easy to calculate: Hardware+Software+[total salary of
egineers per hour*total engineer-hours spent on system]. Again, though
this is a matter of risk analysis. TCO must be weighed against the TC of
getting Owned and evaluated accordingly.

It sounds like the beancounters are trying to pare down budgets, which is
good in this post-dot-com world. HOWEVER, it is critically important that
you put security in the context of "risk management" and not "production
overhead". If you don't then security almost *always* is seen as an
unnecessary expense because they don't understand what a UDP port is, much
less the risks to their systems.

-Mike

Relevant Pages

  • Re: [Full-disclosure] Could InfoSec be Worse than Death?
    ... One aspect of saving money is indeed risk avoidance. ... Senior Security Consultant ...
    (Full-Disclosure)
  • RE: How does and IDS help to save money??
    ... So rather than look for some magic numbers, I say do the analysis, and base your decision on those factors, not what other companies with completely different need bases and levels of security. ... >2) How does it help in saving money? ... >3) What is the ROI on purchasing an IDS ... >Do You Yahoo!? ...
    (Focus-IDS)
  • How does and IDS help to save money??
    ... We have seen some vendors' IDSes. ... How does it help in saving money? ... What is the ROI on purchasing an IDS ... Do You Yahoo!? ...
    (Focus-IDS)
  • Re: How does an IDS help to save money??
    ... One other point - IDS should ... augment the firewall - network IDS to intercept unwanted ... >>2) How does it help in saving money? ... >>Do You Yahoo!? ...
    (Focus-IDS)
  • ya cant get fired for buying Cisco
    ... yep I only order cisco cause I want to keep my job, its not worth taking the ... risk even if it means saving money etc.. ... boss always like those blue colored ...
    (comp.security.firewalls)