RE: How to measure 'status' of IDS Deployment

From: Mike Lyman (mlyman87-security@attbi.com)
Date: 08/26/02


Date: Mon, 26 Aug 2002 09:39:34 -0700
From: "Mike Lyman" <mlyman87-security@attbi.com>
To: focus-ids@securityfocus.com

On 8/26/2002 at 6:52 AM idsquestions@hushmail.com wrote:
>part of the answer). Rather, my company has IDS and various security
>products deployed. How can we baseline our strategy and progress against
>other criteria/companies/policies/whatever to say we do, or do not, have
>these products used in a way that is widely considered optimal. A 'best in
>class' deployment.

For us the answer has been how many "incidents" (quoted because they are not all real incidents) we investigate based on reports into our team from outside the team vs. how many we investigate based on what we are seeing in our monitoring systems. While we are still responding more to external reports of things than to our own findings, at least in terms of raw numbers, we are finding more real incidents ourselves than are getting reported to us by others. We are able to find people poking around and stop them before something happens. We are doing quite a bit of policy enforcement. We are doing more work now based on proactive discoveries than we ever did on the reactive side of things.

Along the way we are doing tremendous security awareness work as we work with our employees.

>We use the products in a certain way - but do other companies use them in
>a better way? I can report that we have a 'good' deployment, that cost us
>z$; we see X number of events, catch Y number of actual bad things. But
>how do we compare against other companies?

We tried to build a scorecard based on stats like that but it never really told a good story. The number of probes seen was just so high it was hard for people to get their minds to accept it. (Similar to the way saying it's going to cost $750 to repair your car has more impact and reality than saying an earthquake caused $3,000,000,000 in damages.)

We're still struggling with effective metrics but the only thing so far that is really making any sense is the number of cases we have open or the number of employees contacted in things like audits of remote access activity.

Trying to compare with other companies will be difficult since most will probably be reluctant to report numbers that would help you. It may not even be reluctance based on company policy; we security types tend to be paranoid and self-censor, and are reluctant to give up any data that could tell too much about the state of our networks.

Mike Lyman
mlyman@west-point.org
pgp keyid 0xD7BBADAD
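The metric Mike describes (cases opened from external reports vs. cases opened from the team's own monitoring, and how many in each group turned out to be real) is easy to compute once each case records where it came from and how it was closed. The following is an added example, not code from the original post or from any project mentioned on the list; the ledger format, the `Case` fields and the sample records are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Case:
    """One investigated 'incident' (in the quoted sense: not all are real)."""
    case_id: str
    origin: str       # "monitoring": found by our own IDS/monitoring; "external": reported to the team
    confirmed: bool   # investigation confirmed a real incident
    closed: bool      # case has been closed


# Constructed sample ledger (hypothetical data, not real cases). The mix mirrors the
# situation described in the mail: more cases still come from external reports,
# but more of the confirmed incidents were found by the team's own monitoring.
SAMPLE_CASES = [
    Case("C-001", "external", confirmed=False, closed=True),
    Case("C-002", "external", confirmed=True, closed=True),
    Case("C-003", "external", confirmed=False, closed=True),
    Case("C-004", "external", confirmed=False, closed=False),
    Case("C-005", "external", confirmed=True, closed=True),
    Case("C-006", "external", confirmed=False, closed=True),
    Case("C-007", "monitoring", confirmed=True, closed=True),
    Case("C-008", "monitoring", confirmed=True, closed=False),
    Case("C-009", "monitoring", confirmed=False, closed=True),
    Case("C-010", "monitoring", confirmed=True, closed=False),
]


def scorecard(cases):
    """Summarise a case ledger into the proactive-vs-reactive numbers.

    Returns a dict with:
      opened_by_origin     - raw case counts per origin (the 'raw numbers' view)
      confirmed_by_origin  - confirmed real incidents per origin
      precision_by_origin  - confirmed / opened per origin (how noisy each source is)
      monitoring_share     - fraction of all confirmed incidents found by our own monitoring
      open_cases           - cases still open (the one number the mail says makes sense)
    """
    opened = Counter(c.origin for c in cases)
    confirmed = Counter(c.origin for c in cases if c.confirmed)
    total_confirmed = sum(confirmed.values())
    return {
        "opened_by_origin": dict(opened),
        "confirmed_by_origin": {o: confirmed[o] for o in opened},
        "precision_by_origin": {o: confirmed[o] / opened[o] for o in opened},
        "monitoring_share": (confirmed["monitoring"] / total_confirmed) if total_confirmed else 0.0,
        "open_cases": sum(1 for c in cases if not c.closed),
    }


def monitoring_finds_more_real_incidents(cases):
    """True when our own monitoring produced more confirmed incidents than external reports did."""
    s = scorecard(cases)
    return s["confirmed_by_origin"].get("monitoring", 0) > s["confirmed_by_origin"].get("external", 0)


if __name__ == "__main__":
    for key, value in scorecard(SAMPLE_CASES).items():
        print(f"{key}: {value}")
    print("monitoring finds more real incidents:", monitoring_finds_more_real_incidents(SAMPLE_CASES))
```

The point of separating `opened_by_origin` from `confirmed_by_origin` is exactly the one made in the mail: raw counts can show the team still reacting to outside reports while the confirmed-incident counts show the monitoring is doing the real work. Tracking `precision_by_origin` over time also tells you whether IDS tuning is reducing the number of investigations that turn out to be nothing.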
