Adding to Bob's second paragraph - these regulations, require you to monitor
your audit logs for incidents - we know how long it used to take for one
person to review a basic audit log with thousands of entries every hour.
IDS can be used to monitor the logs and only alert on violations or
suspected violations - the savings in manpower to review them would be
pretty high - again do the math - no IDS, 10 people a day to review logs -
IDS 1-2 people to review logs
You can also use IDS, even though there are better tools, to monitor systems
that have not been patched with the latest security patch. New worm comes
out exploiting a new vulnerability, which systems need to be patch, right
away and which can be patched later
-----Original Message-----
From: Bob Huber [mailto:roberthuberjr@yahoo.com]
Sent: Tuesday, May 03, 2005 8:31 PM
To: focus-ids@securityfocus.com
Subject: Re: Value of IDS, ROI
The easiest approach would be to quantify the cost of
any worm outbreaks, outages, or compromises you have
already had if you have the data handy, or guesstimate
what the cost of an outage of one of your information
assets would be.
The second thing that is compelling is the fact that
most large companies, depending on their industry,
have legal requirements to have some form of IDS. For
example, healthcare, insurance have HIPAA, financial
institutions have Graham-Leach-Bliley, FDIC, SEC, OCC,
Sarbanes Oxley etc.. Some of these regulations levy a
fine for lack of controls.
As far as a monitoring strategy, that all depends on
the level of risk you are willing to accept and the
value of your assets/information. Are you processing
customer data, social security numbers, credit card
numbers, bank accounts, or just hosting a static web
site? There are a million factors here to contend
with, pick up your nearest CISSP cram book.
Supposing you have something worth protecting, at a
minimum, you should at least look for signs of a
compromise, rather than scans, sweeps and information
probes. While looking at probes, and reconnaissance
is fun for an IDS geek, if you don't have time, and no
dedicated security staff, just worry about the heavy
hitter events and log everything else so when you DO
have a compromise you at least have the data available
for review.
This is a quick and simplistic view..I'm certain there
are all sorts of articles on the web on such topics,
as well as books.
Bob
--- Jason Patel <patel1210@yahoo.com> wrote:
I was wondering how big companies CIO show their
executives Return of investment on IDS. What is the
monitoring strategy for IDS alerts. I am trying to
figure monitoring strategy and how to show my
executive that how important job this is, but cant
come up with a convincing solution. Anyhelp is
highly appreciated.
Thanks,
Jason
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
