RE: How to measure 'status' of IDS Deployment

From: Kohlenberg, Toby (toby.kohlenberg@intel.com)
Date: 08/23/02


From: "Kohlenberg, Toby" <toby.kohlenberg@intel.com>
To: "'idsquestions@hushmail.com'" <idsquestions@hushmail.com>, focus-ids@securityfocus.com
Date: Fri, 23 Aug 2002 10:37:00 -0700


The comparing to other companies can be hard - getting most companies to
actually talk in detail about what they are doing is damn hard. I believe
Gartner has a forum that you can pay a lot to join to be able to ask other
companies about this sort of thing under NDA but other than that you are
stuck doing lots of public research.

For the ROI question, that I can offer a little more help with. I'm attaching
a paper I wrote as part of my SANS GCIAA practical on making a business case
for IDS. It might help you with that.

All opinions are my own and in no way reflect the views of my employer

Toby

> -----Original Message-----
> From: idsquestions@hushmail.com [mailto:idsquestions@hushmail.com]
> Sent: Friday, August 23, 2002 9:23 AM
> To: focus-ids@securityfocus.com
> Subject: How to measure 'status' of IDS Deployment
>
>
>
> I have been tasked with comparing my IDS deployment at work
> to determine if it is 'world class'/'best in class' quality.
> This is rather vague as it is hard to quantify and compare
> placement issues and success. I wonder how others are
> approaching this? This more than 'we saw 500,000 things this
> week and 100 were real things we investigated'..
>
> How do you, perhaps as a ROI issue, justify the money spent
> and compare your deployment to established(?) benchmarks?
>
> -Bob