RE: How to measure 'status' of IDS Deployment
From: idsquestions@hushmail.com
Date: 08/26/02
Date: Mon, 26 Aug 2002 06:52:44 -0700
To: focus-ids@securityfocus.com, toby.kohlenberg@intel.com
From: idsquestions@hushmail.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Thanks everyone, I received some great responses. I believe I phrased my question rather poorly though, my focus is not on ROI per se (but it is a part of the answer). Rather, my company has IDS and various security products deployed. How can we baseline our strategy and progress against other criteria/companies/policies/whatever to say we do, or do not, have these products used in a way that is widely considered optimal? A 'best in class' deployment.
We use the products in a certain way - but do other companies use them in a better way? I can report that we have a 'good' deployment, that cost us z$; we see X number of events, catch Y number of actual bad things. But how do we compare against other companies?
- -Bob
>The comparing to other companies can be hard- getting most companies to
>actually talk in detail about what they are doing is damn hard. I believe
>Gartner has a forum that you can pay a lot to join to be able to ask other
>companies about this sort of thing under NDA but other than that you are
>stuck doing lots of public research.
>
>For the ROI question, that I can offer a little more help with. I'm
>attaching a paper I wrote as part of my SANS GCIAA practical on making a
>business case for IDS. It might help you with that.
>
>All opinions are my own and in no way reflect the views of my employer
>
>Toby
>
>> -----Original Message-----
>> From: idsquestions@hushmail.com [mailto:idsquestions@hushmail.com]
>> Sent: Friday, August 23, 2002 9:23 AM
>> To: focus-ids@securityfocus.com
>> Subject: How to measure 'status' of IDS Deployment
>>
>> I have been tasked with comparing my IDS deployment at work
>> to determine if it is 'world class'/'best in class' quality.
>> This is rather vague as it is hard to quantify and compare
>> placement issues and success. I wonder how others are
>> approaching this? This is more than 'we saw 500,000 things this
>> week and 100 were real things we investigated'..
>>
>> How do you, perhaps as a ROI issue, justify the money spent
>> and compare your deployment to established(?) benchmarks?
>>
>> -Bob
>>
>>
>>
>> Get your free encrypted email at https://www.hushmail.com
>>
>
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com
wmEEARECACEFAj1qMqsaHGlkc3F1ZXN0aW9uc0BodXNobWFpbC5jb20ACgkQKhAkMk6S
kfYRjQCfW3AJLt3OxHUY0jWI7JIMWiNtsBMAnRXMaI7hBSGChv/Uemz2LfsWFG1Z
=KC8W
-----END PGP SIGNATURE-----