Re: How to measure 'status' of IDS Deployment

From: Mike Lyman (mlyman87-security@attbi.com)
Date: 08/26/02

• Previous message: Gianpiero Porchia: "R: IDS evaluation"
• In reply to: idsquestions@hushmail.com: "How to measure 'status' of IDS Deployment"
• Next in thread: Frank Smith: "Re: How to measure 'status' of IDS Deployment"
• Next in thread: idsquestions@hushmail.com: "RE: How to measure 'status' of IDS Deployment"
• Reply: Frank Smith: "Re: How to measure 'status' of IDS Deployment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Sun, 25 Aug 2002 18:16:41 -0700
From: "Mike Lyman" <mlyman87-security@attbi.com>
To: focus-ids@securityfocus.com

On 8/23/2002 at 9:23 AM idsquestions@hushmail.com wrote:

>I have been tasked with comparing my IDS deployment at work to determine
>if it is 'world class'/'best in class' quality'. This is rather vague as
>it is hard to quantify and compare placement issues and success. I wonder
>how others are approaching this? This more than 'we saw 500,000 things
>this week and 100 were real things we investigated'..

Are you aware of things you were not aware of before the deployment? Are you just using IDS to support an investigation started by other means or are you proactively discovering things in the IDS data? Are you able to proactively investigate possible hacks rather than reactively investigate after a defacement was discovered or a some other compromise discovered?

If you can investigate things faster with the IDS, you are already moderately successful. If you are proactively discovering things based on the IDS data, you are in better shape.

>How do you, perhaps as a ROI issue, justify the money spent and compare
>your deployment to established(?) benchmarks?

Since you are not making any money with IDS, can you really get a return on your investment?

Mike Lyman
mlyman@west-point.org
pgp keyid 0xD7BBADAD

---

• Previous message: Gianpiero Porchia: "R: IDS evaluation"
• In reply to: idsquestions@hushmail.com: "How to measure 'status' of IDS Deployment"
• Next in thread: Frank Smith: "Re: How to measure 'status' of IDS Deployment"
• Next in thread: idsquestions@hushmail.com: "RE: How to measure 'status' of IDS Deployment"
• Reply: Frank Smith: "Re: How to measure 'status' of IDS Deployment"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Okena StormWatch ... > How does it compare to Snort w/ ACID? ... Okena's Stormwatch product is less of an IDS, ... \winnt\system32\*) the Okena product could actually BLOCK those requests. ... application behavior "policies" for each and every app you plan on ... (Focus-IDS) Re: Comparing the performance of two IDS products with different architectures ... Comparing the performance of two IDS products with different architectures ... > Does anyone know if there is justification to compare the performance of IDS ... (Focus-IDS) Re: Possible to select and delete multiple items ... then that is basically what you would need to do - compare ... Tom Ogilvy "Annette" wrote in message ... > If I had a spreadsheet with worker ids in column F and I wanted to select> and delete a couple different ids at the same time, ... (microsoft.public.excel.programming) Re: Possible to select and delete multiple items ... let me start with this as I'm thinking the first code ... > to compare each row to a list of IDs you want to delete? ... >> If I had a spreadsheet with worker ids in column F and I wanted to ... (microsoft.public.excel.programming)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > securityfocus  > focus-ids  > 2002-08