Re: ROI on IDS/IPS products

On Mon, Mar 2, 2009 at 3:09 PM, Jeremy Bennett <jeremyfb@xxxxxxx> wrote:

On Mar 2, 2009, at 11:21 AM, Stefano Zanero wrote:

You assert that the customer 'WILL need to know damn well what they are
doing.' I assert that if the customer knew what they were doing to the
degree that you imply they'd be writing their own snort rules. Sourcefire
has a good product based on this and it has its place in organizations that
can run it.
There are many customers that will never have that expertise. They have no
choice but to trust their vendor to have the expertise necessary to write
signatures and clearly communicate the efficacy of those signatures. This is
the bulk of the potential IPS market, those people that want something
better than a firewall but can't afford to digest 100,000 events per day.


I'm glad you mentioned Sourcefire directly. I've had to manage a few
different brands of IDS/IPS including ISS, Dragon, and Sourcefire now.
As pure IPS they all have the challenge of needing someone qualified
enough to accurately interpret event data and tune down the false
positives. IMO, what helps the Sourcefire product stand out is the
addition of RNA and similar features. The added intelligence RNA
provides dramatically decreases the time and effort an analyst needs
to make an informed decision on the validity of an alert. You still
have to deploy it correctly and employ qualified analysts but if
you're looking for a way to quantify ROI consider how much time (=
$$$) it saves an analyst to have most, if not all, the data they need
to qualify an alert right at their fingertips rather than having to go
and hunt it down or manually correlate it from other sources (i.e. VA
scans, system inventories, other sys admins). It's still a hard number
to pin down but I think it's worth mentioning.

Disclaimer - No, I don't work for Sourcefire (but if Mr. Roesch would
open a spot on the prof services team we could remedy that). ;-)