Re: Value of IDS, ROI

Justin.Ross_at_signalsolutionsinc.com
Date: 06/02/05

    To: ADT <synfinatic@gmail.com>
    Date: Wed, 1 Jun 2005 15:22:45 -0700
    
    

    I think you missed the forest by focusing too hard on one tree but... I
    definitely should have added disclaimers to my former message:

    1. I was not implying that an IDS/IPS could function as a burglar alarm.
    2. I was not implying that an IDS/IPS could function as a smoke alarm.
    3. I was not implying that any IPS company was currently working on
    integrated sprinkler technology.
    4. I was not implying that IDS/IPS is the SAME thing as a smoke or burglar
    alarm or that they shared the same costs (it was merely an analogy)
    5. I was not implying that the people monitoring your IDS should be
    monitoring your smoke/fire alarms, or vice-versa.
    6. I was not implying that a burglar alarm makes a good replacement for an
    IDS or an IPS product, in fact many do not even have good signature
    databases or places to plug in a network connection.
    7. I was not implying that ADT (or any other physical alarm company)
    should look at getting into the IPS/IDS market.

    O.K. I think I covered myself fairly well there... The point of my former
    statement was not that physical alarms=IDS/IPS, just that they share some
    similarities in regard to ROI and the point that things can have value
    regardless of whether or not they actively prevent something.

    My response also wasn't attacking IPS or the vendors; IPS is a great tool
    for a "defense in depth" information security strategy. However, I should
    point out it is merely one tool in the arsenal to use in an encompassing
    strategy, not the end-all be-all (i.e. magic bullet). I personally have
    never implemented IPS without implementing IDS as a second "layer of
    defense" and I recommend both to anyone who asks.

    I didn't mean to imply that a fire alarm/burglar alarm is perfectly
    synonymous with physical alarms and apologize to those who were confused.

    *semi-off topic: I believe you'll find the physical false alarm costs
    extremely high. In fact, many states, counties, and cities have laws and
    levy fines for false alarms. It is obviously extremely costly for
    somebody. I have yet to see any laws on IDS/IPS false alarms. I therefore
    disagree with your statement "Also, when one of those alarms go off, the
    cost to respond is also very low." ;)

    Justin Ross
    MCP+I, MCSE, CCNA, CCSA, CCSE
    Senior Network Security Engineer
    Signal Solutions Inc. - http://www.signalcorp.com
    Email: Justin.Ross-at-signalsolutionsinc.com

    From: ADT <synfinatic@gmail.com>
    Date: 06/01/2005 01:38 PM
    Please respond to: ADT <synfinatic@gmail.com>
    To: Justin Ross/SIERRA_VISTA/SSI@Signal_Solutions
    cc: focus-ids@securityfocus.com
    Subject: Re: Value of IDS, ROI

    Hey Justin,

    The problem with your argument is that an IDS is not at all like a
    smoke, burglar or CO2 alarm.
    Here's why:

    All three of those alarms you mention are "set and forget". Meaning,
    there's no cost (in terms of management or monitoring) them (well
    other than the 9v battery you're supposed to replace every 6 months).
    You don't have to check the smoke alarm logs to see if you've got a
    fire, it proactively lets you know you've got a problem. IDS's as
    you know have to be constantly monitored by trained people (preferably
    24x7) to be effective.

    I guess you could do the log->pager gateway thing, but I've yet to see
    anyone who doesn't turn it off after a few nights of being woken up at
    3am by the damned thing. These other alarms have enough perceived
    value and low rate of false positives that this happens far less
    often.

    Also, when one of those alarms go off, the cost to respond is also
    very low. Not only is it relatively obvious what the correct action
    is to take, the number of false positives involved with these alarms
    is also very low. Investigating a potential intrusion on your network
    however can be both costly in time/effort as well as $$$.

    Third, a burglar alarm isn't for letting you know someone has stolen
    your TV; when you walk into your home, it's quite obvious. Burglar
    alarms are means of giving a would-be burglar incentive to go
    somewhere else. I've yet to see a company post on their website a
    sign which says "This network is protected by XXXX IDS." Doing so
    would also probably be counterproductive since then they'd know what
    evasive action to take to avoid detection. Arguably the same could be
    said about burglar alarms, but there seems to be much more
    info/research which is publicly available on IDS evasion than burglar
    alarms.

    Of course most burglar alarms have a monthly fee, but that is often
    offset in terms of lower homeowners insurance and peace of mind that
    it will reduce the likelihood of someone robbing you.

    -Aaron, who doesn't work for any IDS/IPS vendor.

    On 5/24/05, Justin.Ross@signalsolutionsinc.com
    <Justin.Ross@signalsolutionsinc.com> wrote:
    > Tim, great marketing response :) I'll do my best not to dissect it,
    > as a reply like that could only be expected from someone who works for an
    > IPS company hehe
    >
    > While I agree that a good IPS (such as Top Layer) is a great investment
    > and possibly capable of showing a positive ROI, I wouldn't say that an IDS
    > is incapable of also providing the same. What is the ROI of a burglar
    > alarm? What is the ROI of a carbon monoxide alarm? What is the ROI of a
    > smoke/fire alarm? None of those automatically prevent you from burning to
    > death in a fire, so why even purchase them? They clearly have no worth in
    > your line of reasoning.
    >
    > If anyone has ever written an ROI for one of those things I would like to
    > see it. Is it even necessary to write an ROI for such things (including
    > IDS/IPS)? Equating an IDS with a smoke alarm, and an IPS to a smoke alarm
    > with sprinklers, I really don't see how either of them could show a
    > negative ROI. What's the ROI for a burglar alarm? It doesn't capture the
    > burglar or keep the burglar from entering the building, does that negate
    > its value or its benefit?
    >
    > A CIO may ignore having an IDS/IPS or even a firewall, they can claim
    > ignorance to any problems, the same way a building manager can claim
    > ignorance not knowing there was a fire and never having thought to spend
    > the money for a smoke alarm. Could that building manager get sued for
    > gross incompetence/negligence? Could a CIO/CSO get sued for gross
    > incompetence/negligence if a certain attack had devastating consequences?
    >
    > Perhaps we can all go crash some liability attorney forum to ask, but my
    > bet would be that yes a company could get sued big time for not knowing
    > (or at least trying to know) an attack was taking place. How does the
    > avoidance of consequential litigation factor into an ROI?
    >
    > 0-day exploits are typically not alerted on (IDS) or prevented (IPS), does
    > that then negate a positive ROI for either of those two solutions?
    >
    > I personally don't know why a ROI would be necessary in any of those
    > scenarios. I've never had to write one, anywhere; simply because when you
    > demonstrate attacks are taking place to or from your resources and the
    > associated risks, an IDS/IPS sells itself; much like a smoke/burglar
    > alarm. I think the question isn't whether they bring value (positive ROI),
    > but whether or not one needs or can afford the model with integrated
    > sprinklers.
    >
    > YMMV
    >
    > Justin Ross
    > MCP+I, MCSE, CCNA, CCSA, CCSE
    > Senior Network Security Engineer
    > Signal Solutions Inc. - http://www.signalcorp.com
    > Email: Justin.Ross-at-signalsolutionsinc.com
    >
    >
    >
    >
    >
    > From: THolman@toplayer.com
    > Date: 05/19/2005 04:38 PM
    > To: patel1210@yahoo.com, focus-ids@securityfocus.com
    > cc:
    > Subject: RE: Value of IDS, ROI
    >
    >
    >
    >
    >
    >
    > Hi Jason,
    >
    > This is one of the big problems with IDS. Being detection-based
    > technology, IDS is only capable of detecting intrusions\worm\virus
    > outbreaks, rather than PREVENTING them.
    > What is the ROI of a detection-based system that alerts you to the fact
    > you're completely overrun by worm activity? Absolutely nothing. In fact,
    > if you are relying on IDS to protect you, you will face a negative ROI, as
    > by the time a zero-day attack gets past it, you will be losing money, even
    > more so if you've an online presence to protect.
    > Your CIO should ultimately be concerned in preventing attacks, rather than
    > detecting them, and you should steer his/her investments toward a good IPS
    > to complement (and protect) existing IDS technology, and in some cases, do
    > away with IDS devices altogether, as they are simply not relevant in terms
    > of protection.
    >
    > Regards,
    >
    > Tim
    >
    >
    > -----Original Message-----
    > From: Jason Patel [mailto:patel1210@yahoo.com]
    > Sent: 03 May 2005 19:15
    > To: focus-ids@securityfocus.com
    > Subject: Value of IDS, ROI
    >
    >
    >
    > I was wondering how big companies' CIOs show their executives return on
    > investment on IDS. What is the monitoring strategy for IDS alerts? I am
    > trying to figure out a monitoring strategy and how to show my executive
    > how important this job is, but can't come up with a convincing solution.
    > Any help is highly appreciated.
    >
    > Thanks,
    >
    > Jason
    >
    >
    --------------------------------------------------------------------------
    > Test Your IDS
    >
    > Is your IDS deployed correctly?
    > Find out quickly and easily by testing it with real-world attacks from
    > CORE IMPACT.
    > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    > to learn more.
    >
    --------------------------------------------------------------------------

    -- 
    http://synfin.net/
    
