RE: Value of IDS, ROI

From: Angel L Rivera (arivera_at_mitre.org)
Date: 05/04/05

    To: "'Bob Huber'" <roberthuberjr@yahoo.com>, <focus-ids@securityfocus.com>
    Date: Wed, 4 May 2005 09:02:57 -0400
    
    

    Adding to Bob's second paragraph - these regulations require you to monitor
    your audit logs for incidents - we know how long it used to take for one
    person to review a basic audit log with thousands of entries every hour.
    IDS can be used to monitor the logs and only alert on violations or
    suspected violations - the savings in manpower to review them would be
    pretty high - again, do the math - no IDS, 10 people a day to review logs;
    IDS, 1-2 people to review logs.

    You can also use IDS, even though there are better tools, to monitor systems
    that have not been patched with the latest security patch. A new worm comes
    out exploiting a new vulnerability: which systems need to be patched right
    away, and which can be patched later?

    -----Original Message-----
    From: Bob Huber [mailto:roberthuberjr@yahoo.com]
    Sent: Tuesday, May 03, 2005 8:31 PM
    To: focus-ids@securityfocus.com
    Subject: Re: Value of IDS, ROI

    The easiest approach would be to quantify the cost of
    any worm outbreaks, outages, or compromises you have
    already had if you have the data handy, or guesstimate
    what the cost of an outage of one of your information
    assets would be.

    The second thing that is compelling is the fact that
    most large companies, depending on their industry,
    have legal requirements to have some form of IDS. For
    example, healthcare and insurance have HIPAA; financial
    institutions have Gramm-Leach-Bliley, FDIC, SEC, OCC,
    Sarbanes-Oxley, etc. Some of these regulations levy a
    fine for lack of controls.

    As far as a monitoring strategy, that all depends on
    the level of risk you are willing to accept and the
    value of your assets/information. Are you processing
    customer data, social security numbers, credit card
    numbers, bank accounts, or just hosting a static web
    site? There are a million factors here to contend
    with, pick up your nearest CISSP cram book.

    Supposing you have something worth protecting, at a
    minimum, you should at least look for signs of a
    compromise, rather than scans, sweeps and information
    probes. While looking at probes, and reconnaissance
    is fun for an IDS geek, if you don't have time, and no
    dedicated security staff, just worry about the heavy
    hitter events and log everything else so when you DO
    have a compromise you at least have the data available
    for review.

    This is a quick and simplistic view. I'm certain there
    are all sorts of articles on the web on such topics,
    as well as books.

    Bob
    --- Jason Patel <patel1210@yahoo.com> wrote:
    >
    >
    > I was wondering how big companies' CIOs show their
    > executives return on investment on IDS. What is the
    > monitoring strategy for IDS alerts? I am trying to
    > figure out a monitoring strategy and how to show my
    > executive how important this job is, but can't
    > come up with a convincing solution. Any help is
    > highly appreciated.
    >
    > Thanks,
    >
    > Jason


    --------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it with real-world attacks from
    CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    --------------------------------------------------------------------------

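One way to implement the triage both posts describe (alert only on violations or suspected violations, archive everything else so it is still there when a compromise is investigated, and measure how much manual review that saves), as an added example that is not part of the original thread. The syslog-style log format, the two detection rules, the threshold of five failures and the sample lines are all constructed for illustration.

```python
"""Audit-log triage: alert on heavy-hitter events, archive the rest.

Added example, not code from the original thread. Log format, rules,
threshold and sample data are constructed for illustration only.
"""
import re
from collections import Counter

# Constructed sample audit log (syslog-like). Not real data.
SAMPLE_LOG = """\
May  4 09:00:01 host1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
May  4 09:00:07 host1 sshd[2002]: Failed password for root from 203.0.113.9 port 40001 ssh2
May  4 09:00:08 host1 sshd[2002]: Failed password for root from 203.0.113.9 port 40002 ssh2
May  4 09:00:09 host1 sshd[2002]: Failed password for root from 203.0.113.9 port 40003 ssh2
May  4 09:00:10 host1 sshd[2002]: Failed password for root from 203.0.113.9 port 40004 ssh2
May  4 09:00:11 host1 sshd[2002]: Failed password for root from 203.0.113.9 port 40005 ssh2
May  4 09:00:12 host1 sshd[2002]: Accepted password for root from 203.0.113.9 port 40006 ssh2
May  4 09:01:00 host1 sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
May  4 09:02:00 host1 cron[2100]: (root) CMD (run-parts /etc/cron.hourly)
May  4 09:03:00 host1 sshd[2003]: Accepted publickey for carol from 10.0.0.7 port 51001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"sudo: (?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")

# Constructed policy: files whose privileged access is always worth an alert,
# and how many failed logins from one source for one user count as suspicious.
SENSITIVE_FILES = ("/etc/shadow",)
BRUTE_FORCE_THRESHOLD = 5


def triage(lines):
    """Split log lines into (alerts, archived).

    alerts   -> list of (severity, reason, line) a human should look at now
    archived -> lines kept for later forensic review, not shown to anyone
    """
    alerts, archived = [], []
    failures = Counter()  # (src, user) -> failed logins seen so far

    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue

        m = FAILED_RE.search(line)
        if m:
            key = (m["src"], m["user"])
            failures[key] += 1
            # Raise one "suspected violation" alert when the threshold is hit,
            # rather than one alert per failed attempt.
            if failures[key] == BRUTE_FORCE_THRESHOLD:
                alerts.append(("medium",
                               f"{failures[key]} failed logins for {m['user']} from {m['src']}",
                               line))
            else:
                archived.append(line)
            continue

        m = ACCEPTED_RE.search(line)
        if m:
            key = (m["src"], m["user"])
            # A success following a burst of failures is a sign of compromise,
            # not just a probe: this is the "heavy hitter" Bob's post refers to.
            if failures[key] >= BRUTE_FORCE_THRESHOLD:
                alerts.append(("high",
                               f"login for {m['user']} from {m['src']} after {failures[key]} failures",
                               line))
            else:
                archived.append(line)
            continue

        m = SUDO_RE.search(line)
        if m and any(path in m["cmd"] for path in SENSITIVE_FILES):
            alerts.append(("high",
                           f"{m['user']} ran privileged command on sensitive file: {m['cmd']}",
                           line))
            continue

        archived.append(line)

    return alerts, archived


def review_reduction(lines):
    """Return (lines_needing_human_review, total_lines) for the 'do the math' argument."""
    alerts, archived = triage(lines)
    return len(alerts), len(alerts) + len(archived)


if __name__ == "__main__":
    found, total = review_reduction(SAMPLE_LOG.splitlines())
    for severity, reason, line in triage(SAMPLE_LOG.splitlines())[0]:
        print(f"[{severity}] {reason}")
    print(f"{found} of {total} lines need a human; the rest are archived for later review")
```

On the constructed sample the five failed root logins collapse into one medium alert, the success that follows them and the sudo read of /etc/shadow each become a high alert, and the remaining seven lines are archived untouched, which is the ratio the posts are arguing about: people read alerts, disk reads logs.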

