Re: IDS Security Metrics

On 4 Apr 2007 21:29:44 -0000, jlynnmonett@xxxxxxxxx
<jlynnmonett@xxxxxxxxx> wrote:
Could someone help me? I need to create a list of 10 security metrics for an IDS.

10 seems rather arbitrary. Is this for some useful business purpose or a class?

1. For every incident investigated due to the detection of events from
the IDS, estimate the financial impact of not detecting the issue.
Track the total gross.

10. Track false positive incidents. That is the number of times the
pager went off due to an alert on something that was not that
critical. Because new signatures are always being added, this will
probably be flat in a mature IDS program.

11. Track false negatives that generate new pager rules. That is the
number of times the analysts were reviewing the non-paging events and
found something that you should have been paged on. This justifies the
time and cost for the constant review of events.

There I gave you an extra one.

Metrics are usually based on the specific needs of the IDS processes,
how they fit into the overall Security processes, the level of risk
tolerable to the business, and the threats. Without more details on
the particular situation, one might as well assume you're using

In general if one is asking for help on a mailing list, one should
provide at least as much information as one expects back in return. I
should have replied that I am sure someone out there could help you,
but I was feeling generous.

Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
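As an added illustration, not part of Eric's reply or any list tooling: a small Python script that computes the three metrics he lists (gross estimated loss avoided, paged false positives, and review-found false negatives that produced new paging rules) from analyst triage records. The Alert record layout, the rule names, months and dollar amounts are assumptions constructed for the example; the per-rule false-positive share and the month-by-month count go a little beyond the post, as one way to see which signatures need tuning and whether the false-positive count really stays flat.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    """One IDS alert after analyst triage (hypothetical record layout)."""
    alert_id: str
    rule: str            # signature / rule that fired
    month: str           # "YYYY-MM", used for trending
    paged: bool          # did this alert page the on-call analyst?
    disposition: str     # "incident", "false_positive" or "informational"
    loss_avoided: float = 0.0      # estimated cost had the incident gone undetected
    new_pager_rule: bool = False   # review of a non-paging alert produced a new paging rule


# Constructed sample triage records; rule names, months and amounts are made up.
SAMPLE_ALERTS = [
    Alert("a1", "SCAN-PORTSWEEP", "2007-03", True, "false_positive"),
    Alert("a2", "SCAN-PORTSWEEP", "2007-03", True, "false_positive"),
    Alert("a3", "WEB-SQLI", "2007-03", True, "incident", loss_avoided=25000.0),
    Alert("a4", "WEB-SQLI", "2007-03", False, "incident", loss_avoided=8000.0,
          new_pager_rule=True),
    Alert("a5", "MAL-C2", "2007-04", True, "incident", loss_avoided=120000.0),
    Alert("a6", "SCAN-PORTSWEEP", "2007-04", True, "false_positive"),
    Alert("a7", "SCAN-PORTSWEEP", "2007-04", False, "informational"),
    Alert("a8", "MAL-C2", "2007-04", False, "incident", loss_avoided=5000.0),
]


def total_loss_avoided(alerts: list[Alert]) -> float:
    """Metric 1: gross estimated financial impact of the incidents the IDS caught."""
    return sum(a.loss_avoided for a in alerts if a.disposition == "incident")


def false_positive_pages(alerts: list[Alert]) -> int:
    """Metric 10: pages that turned out not to be worth paging for."""
    return sum(1 for a in alerts if a.paged and a.disposition == "false_positive")


def false_positive_pages_by_month(alerts: list[Alert]) -> dict[str, int]:
    """Metric 10 trended by month; a mature program expects this to stay roughly flat."""
    counts: dict[str, int] = defaultdict(int)
    for a in alerts:
        if a.paged and a.disposition == "false_positive":
            counts[a.month] += 1
    return dict(sorted(counts.items()))


def false_negatives_found_in_review(alerts: list[Alert]) -> int:
    """Incidents found only by reviewing non-paging events (they should have paged)."""
    return sum(1 for a in alerts if not a.paged and a.disposition == "incident")


def false_negatives_promoted(alerts: list[Alert]) -> int:
    """Metric 11: review findings that led to a new paging rule."""
    return sum(1 for a in alerts
               if not a.paged and a.disposition == "incident" and a.new_pager_rule)


def false_positive_rate_by_rule(alerts: list[Alert]) -> dict[str, float]:
    """Share of each rule's pages that were false positives; highlights noisy signatures."""
    paged: dict[str, int] = defaultdict(int)
    fps: dict[str, int] = defaultdict(int)
    for a in alerts:
        if a.paged:
            paged[a.rule] += 1
            if a.disposition == "false_positive":
                fps[a.rule] += 1
    return {rule: fps[rule] / n for rule, n in paged.items()}


def metrics_report(alerts: list[Alert]) -> dict[str, object]:
    """Bundle the metrics into one report for a monthly review."""
    return {
        "total_loss_avoided": total_loss_avoided(alerts),
        "false_positive_pages": false_positive_pages(alerts),
        "false_positive_pages_by_month": false_positive_pages_by_month(alerts),
        "false_negatives_found_in_review": false_negatives_found_in_review(alerts),
        "false_negatives_promoted": false_negatives_promoted(alerts),
        "false_positive_rate_by_rule": false_positive_rate_by_rule(alerts),
    }


if __name__ == "__main__":
    for name, value in metrics_report(SAMPLE_ALERTS).items():
        print(f"{name}: {value}")
```

The disposition and loss_avoided fields are the part that costs analyst time: the dollar figure behind metric 1 has to be estimated per incident during the investigation, and the non-paging review behind metric 11 is exactly the recurring effort that metric is meant to justify.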
