Re: Value of IDS, ROI

From: Chris Byrd (cbyrd01_at_yahoo.com)
Date: 05/06/05

    Date: Thu, 5 May 2005 20:38:39 -0700 (PDT)
    To: Jason Patel <patel1210@yahoo.com>, focus-ids@securityfocus.com

    In my opinion, the best way to sell IDS is on the
    number of real, actionable alerts you receive. Get in
    a vendor's demo appliance or software, tune it to
    filter out the noise, and deliver a list of alerts
    that were not otherwise detected to your boss. You'd
    be amazed how much stuff you'll find, especially at
    first. Policy violations, spyware, even compromised
    machines often go otherwise unnoticed.

    There are methods to calculate the ROI of an IDS
    system, but in my experience the above was all that
    was necessary.

    As far as monitoring, remove as much noise as
    possible. If you receive 100+ alerts a day, the
    important ones will slip by unnoticed. Event
    correlation, security context, and tuning can reduce
    the volume of actionable alerts. Look for IDS
    products that have this built in, or buy a SIM too.

    - Chris
    --- Jason Patel <patel1210@yahoo.com> wrote:
    >
    >
    > I was wondering how big companies' CIOs show their
    > executives return on investment on IDS. What is the
    > monitoring strategy for IDS alerts? I am trying to
    > figure out a monitoring strategy and how to show my
    > executive how important this job is, but can't
    > come up with a convincing solution. Any help is
    > highly appreciated.
    >
    > Thanks,
    >
    > Jason
    >
    >



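The triage Chris describes (tuning out known noise, demoting alerts that lack security context because the target cannot be affected, and correlating repeats) can be shown as a small script. This is an added example, not code from the thread; the alerts, signature ids, hosts and asset inventory are all constructed.

```python
from collections import defaultdict

# Constructed sample of one day's raw sensor output (all values made up).
RAW_ALERTS = [
    {"sid": 1001, "msg": "SNMP public community", "src": "10.0.0.5", "dst": "10.0.1.10", "dport": 161},
    {"sid": 1001, "msg": "SNMP public community", "src": "10.0.0.5", "dst": "10.0.1.20", "dport": 161},
    {"sid": 2003, "msg": "IIS unicode traversal", "src": "203.0.113.4", "dst": "10.0.1.10", "dport": 80, "target_os": "windows"},
    {"sid": 3001, "msg": "SMB exploit attempt", "src": "192.0.2.7", "dst": "10.0.1.10", "dport": 445},
    {"sid": 3001, "msg": "SMB exploit attempt", "src": "192.0.2.7", "dst": "10.0.1.20", "dport": 445},
    {"sid": 3001, "msg": "SMB exploit attempt", "src": "192.0.2.7", "dst": "10.0.1.20", "dport": 445},
    {"sid": 4002, "msg": "Spyware beacon", "src": "10.0.1.20", "dst": "198.51.100.9", "dport": 80},
]
# Tuning: signatures that are known noise here (10.0.0.5 is the SNMP poller).
SUPPRESSED_SIDS = {1001}
# Security context: what each monitored asset actually runs (constructed).
ASSETS = {
    "10.0.1.10": {"os": "linux", "ports": {22, 80}},
    "10.0.1.20": {"os": "windows", "ports": {445, 3389}},
}

def triage(alerts, suppressed, assets):
    """Return (actionable alerts, counts) after tuning, context and correlation."""
    stats = {"raw": len(alerts), "suppressed": 0, "demoted": 0}
    kept = []
    for a in alerts:
        if a["sid"] in suppressed:          # tuning: drop known noise outright
            stats["suppressed"] += 1
            continue
        target = assets.get(a["dst"])
        if target is not None:              # context: attack cannot succeed, so demote
            wrong_os = a.get("target_os") not in (None, target["os"])
            if wrong_os or a["dport"] not in target["ports"]:
                stats["demoted"] += 1
                continue
        kept.append(a)
    # Correlation: collapse repeats of the same signature/source/destination.
    groups = defaultdict(list)
    for a in kept:
        groups[(a["sid"], a["src"], a["dst"])].append(a)
    actionable = [{"sid": sid, "src": src, "dst": dst, "msg": hits[0]["msg"], "count": len(hits)}
                  for (sid, src, dst), hits in groups.items()]
    stats["actionable"] = len(actionable)
    return actionable, stats

if __name__ == "__main__":
    alerts, stats = triage(RAW_ALERTS, SUPPRESSED_SIDS, ASSETS)
    print(stats)  # {'raw': 7, 'suppressed': 2, 'demoted': 2, 'actionable': 2}
    for a in alerts:
        print(f"{a['count']}x sid {a['sid']} {a['msg']}: {a['src']} -> {a['dst']}")
```

Demoted alerts are discarded here for brevity; in practice keep them at a lower priority rather than dropping them, since a wrong asset inventory would otherwise hide real events.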

