Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Value of IDS, ROI

from [Bamm Visscher] Network Security [Permanent Link]
Subject: Re: Value of IDS, ROI
Date: Thu, 5 May 2005 10:51:02 -0500 
Loki,

On 5/5/05, Eric Hines <eric.hines@appliedwatch.com> wrote:

Visscher, I completely disagree with you.


That's fine. Everyone has a right to their opinion, but did you even
read the article that Rich referenced in his blog?



ROI can and should be calculated in the acquisition of any security
solution, INCLUDING IDS. Your very argument is contradictory to what you're
saying as the early warning of a compromise and making the IT security
department more efficient is the very definition of ROI. Let me define it
for you, Return on Investment is calculating returns on the investment made
in a particular item or person. ROI should be used when evaluating the
purchase of any solution.

My employees time is money, wasted time equals to loss in money. If they can
save 4-8 hours when investigating an incident at $250.00/hr == $2,000 and my
security solution cost $800, I've made $1,200 back in ROI. 


No, actually you've shown how your security solution reduced a loss.
Don't misunderstand me, this is a GOOD THING, but you cannot define an
ROI based on the expectation of a loss and you also cannot define ROI
as the savings from a loss that has already occured. Pete Lindstrom
gave a good example of showing ROI with replacing expensive leased
lines with VPNs. That is a tangible benefit. By spending X dollars
now, you 'gain' Y dollars in the future.  The difference being with
IDS you spend X dollars now in order to reduce a POTENTIAL loss in the
future.



There are many instances in which ROI has been realized. For example:

1) An IPS stopping a worm at the perimeter of a network, preventing
widespread infection. A company calculating the costs from a previous worm
outbreak can easily calculate ROI on the purchase of their IPS.

2) A recent incident I was responding to whereupon a company was able to
begin shipping product after being down only a few hours rather than all
day. If they would have been down all day, this lab wouldn't have been able
to ship over $4 million in product. That solution only cost them $12K..
That's a $3.9 million realized ROI.

There are too many real world situations of ROI realized on the purchase of
security solutions rather than referencing an opinionated BLOG post made by
Richard on Tao Security. Why do you keep referencing it anyway, is it
because he reviewed Sguil in the Tao book?


I referenced Rich's blog because it's where I originally saw the link
to the story and because I thought his comments were insightful. Rich
is a very good friend of mine and someone whose "opinions" I have
great respect for.  Yes, I reference his blog a lot, I suppose that
says a lot about how much I respect him and his opinion.  I expect
it's also because Rich and I tend to share the same opinions and have
had numerous discussion on many of the topics posted in his blog.
Rich's blog is wildly popular, and I am not the only one in the
community who has this respect for Rich's opinion.  For the record, I
wouldn't call the chapter on Sguil a "review". NSM is a process that
Rich and I spent a lot of time discussing and defining together. Out
those discussions came Sguil and "The Tao NSM".  It only makes sense
that in the book, Rich covers Sguil and why when I am expaining the
"how" of Sguil I would ref Rich's blog and TAO.

Back on the topic of IDS, ROI, and why I linked to that particular
blog entry. Read the actual article that Rich references. Take a look
at who wrote the freaking thing. I'll make it easy:

LAWRENCE A. GORDON is Ernst & Young Alumni Professor of Managerial
Accounting and Information Assurance at the Robert H. Smith School of
Business, University of Maryland. Write to him at
lgordon@rhsmith.umd.edu.

ROBERT RICHARDSON is editorial director at the Computer Security
Institute (CSI). Write to him at rrichardson@cmp.com.

So, even if you don't agree with Rich or my opinion, here are two guys
whose qualifications that far exceed yours or ours, explaining how and
why ROI cannot be applied to information security (the big blanket IDS
falls under).
 


Jason, one of the many answers to your question would be to find out how
much time the IDS has saved you in centralizing all of the alerts on your
network, sped up the response time to real incidents, and reduced wasted
time in investigating false positives. Take that time and multiply it by
your hourly rate, this is one of many formulas you can use in calculating
the ROI for the purchase of your IDS'.

Several ROI formulas exist out there. Just google some.. Here is one I just
found.

http://searchcio.techtarget.com/ateQuestionNResponse/0,289625,sid19_cid56833
5_tax292624,00.html
"Do you have any simple ROI formulas that utilize Excel?
This question posed on 20 January 2004

The base ROI formula, which can easily be plugged into Excel, is:

(benefits - cost) / benefits * 100 percent

The benefits and costs are the cumulative of all benefits over the analysis
period -- typically three to five years for any IT project, but no longer.
Of course, the details on exactly how to calculate the benefits and costs
for a particular project is the more difficult part as each company has
unique opportunity for benefits, costs and risks and each project's unique
costs and benefits need to be calculated at a detailed level.

To access ROI calculators for more complex initiatives, Alinean has samples
developed for several leading IT vendors including HP, SAP, EMC, Intel and
Sunguard available here.

In addition, more detail on the ROI calculation and other key financial
performance measurements can be found in my free e-book: IT Value Chain
Management (Alinean Press, 2003). "

Best Regards,

Eric Hines


ROI is not the only way to show value, so don't think just because you
can't show ROI, that IDS has no value. If that were true, no one would
buy insurance. Read the article referenced in Rich's blog. It provides
an alternative measurement of an IDS's value and one that CFOs, CIOs,
and CEOs will better understand and except.

Bammkkkk

-- 
sguil - The Analyst Console for NSM
http://sguil.sf.net

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Router/Switches and viruses, Robert Holtz
Next by Date:  Re: Router/Switches and viruses, Kevin
Previous by Thread:  RE: Value of IDS, ROI, Eric Hines
Next by Thread:  RE: Value of IDS, ROI, Pete Lindstrom
Indexes:  [Date] [Thread] [Top] [All Lists]