RE: Value of IDS, ROI

Justin.Ross_at_signalsolutionsinc.com
Date: 05/24/05

    To: focus-ids@securityfocus.com
    Date: Tue, 24 May 2005 09:06:43 -0700
    
    

    Tim, great marketing response :) I will do my best not to dissect it,
    as a reply like that could only be expected from someone who works for an
    IPS company hehe

    While I agree that a good IPS (such as Top Layer) is a great investment
    and possibly capable of showing a positive ROI, I wouldn't say that an IDS
    is incapable of also providing the same. What is the ROI of a burglar
    alarm? What is the ROI of a carbon monoxide alarm? What is the ROI of a
    smoke/fire alarm? None of those automatically prevent you from burning to
    death in a fire, so why even purchase them? They clearly have no worth in
    your line of reasoning.

    If anyone has ever written an ROI for one of those things I would like to
    see it. Is it even necessary to write an ROI for such things (including
    IDS/IPS)? Equating an IDS with a smoke alarm, and an IPS to a smoke alarm
    with sprinklers, I really don't see how either of them could show a
    negative ROI. What's the ROI for a burglar alarm? It doesn't capture the
    burglar or keep the burglar from entering the building, does that negate
    its value or its benefit?

    A CIO may ignore having an IDS/IPS or even a firewall, they can claim
    ignorance to any problems, the same way a building manager can claim
    ignorance not knowing there was a fire and never having thought to spend
    the money for a smoke alarm. Could that building manager get sued for
    gross incompetence/negligence? Could a CIO/CSO get sued for gross
    incompetence/negligence if a certain attack had devastating consequences?

    Perhaps we can all go crash some liability attorney forum to ask, but my
    bet would be that yes a company could get sued big time for not knowing
    (or at least trying to know) an attack was taking place. How does the
    avoidance of consequential litigation factor into an ROI?

    0-day exploits are typically not alerted on (IDS) or prevented (IPS), does
    that then negate a positive ROI for either of those two solutions?
     
    I personally don't know why an ROI would be necessary in any of those
    scenarios. I've never had to write one, anywhere; simply because when you
    demonstrate attacks are taking place to or from your resources and the
    associated risks, an IDS/IPS sells itself; much like a smoke/burglar
    alarm. I think the question isn't whether they bring value (positive ROI),
    but whether or not one needs or can afford the model with integrated
    sprinklers.

     YMMV

    Justin Ross
    MCP+I, MCSE, CCNA, CCSA, CCSE
    Senior Network Security Engineer
    Signal Solutions Inc. - http://www.signalcorp.com
    Email: Justin.Ross-at-signalsolutionsinc.com

    THolman@toplayer.com
    05/19/2005 04:38 PM

    To: patel1210@yahoo.com, focus-ids@securityfocus.com
    cc:
    Subject: RE: Value of IDS, ROI

    Hi Jason,

    This is one of the big problems with IDS. Being detection-based technology,
    IDS is only capable of detecting intrusions\worm\virus outbreaks, rather
    than PREVENTING them.
    What is the ROI of a detection-based system that alerts you to the fact
    you're completely overrun by worm activity? Absolutely nothing. In fact,
    if you are relying on IDS to protect you, you will face a negative ROI, as
    by the time a zero-day attack gets past it, you will be losing money, even
    more so if you've an online presence to protect.
    Your CIO should ultimately be concerned with preventing attacks, rather than
    detecting them, and you should steer his/her investments toward a good IPS
    to complement (and protect) existing IDS technology, and in some cases, do
    away with IDS devices altogether, as they are simply not relevant in terms
    of protection.

    Regards,

    Tim

    -----Original Message-----
    From: Jason Patel [mailto:patel1210@yahoo.com]
    Sent: 03 May 2005 19:15
    To: focus-ids@securityfocus.com
    Subject: Value of IDS, ROI

    I was wondering how big companies' CIOs show their executives return on
    investment on IDS. What is the monitoring strategy for IDS alerts? I am
    trying to figure out a monitoring strategy and how to show my executive how
    important a job this is, but can't come up with a convincing solution.
    Any help is highly appreciated.

    Thanks,

    Jason
