RE: Is IDS/IPS worthless?

["Bob Walder" <bwalder () spamcop net>]

This has always happened in IT (I used to be an IT Manager so have
suffered through exactly this type of situation) - unfortunately, IT is
often seen as a pure overhead, adding nothing to the bottom line.
Sometimes that is demonstrably untrue (we installed a computerised stock
system that provided improved customer service - somewhat intangible -
and reduced stock take from 3 months to 3 days - VERY tangible) but most
of the time IT plods along with very expensive personnel (often earning
a lot more than equivalent positions elsewhere in the organisation) and
very expensive equipment that is not actually seen as being used to
produce the product/service being sold.

Very often we were faced with trying to prove how much something like
"an improvement in customer service" added to the bottom line - very
difficult. Likewise, it is impossible to show how much an IPS/IDS system
adds to the bottom line. However, you could probably come up with a
scenario where the corporate network is infected/attacked with something
Slammer-like - something that will bring the network to its knees and
take days to clean up. 

How much production time is lost as a result? THAT one translates
directly to the bottom line!
How much will it cost to reconstitute the sales order/customer databases
if they are damaged? That also affects the bottom line directly
How many days are the computers down - what does that cost in loss of
customer confidence?
Etc, etc....

Come up with some real figures, and then point out that at THAT point,
when management asks why it happened and what we could do to stop it
happening again, you would be back to suggesting exactly the measures
you are attempting to propose NOW, BEFORE it actually happens (i.e.
IPS/IDS)

And before someone jumps down my throat to point out that IDS would not
have STOPPED Slammer and how ineffective IPS systems are, etc, etc I
would state that I am offering the above as a very quick EXAMPLE only,
not a detailed consultant's report! There is a lot of work to do to
convert the above arguments, or something similar and more appropriate
to your environment, into some realistic figures - but you get the idea
;o)

Regards,

Bob Walder




> > -----Original Message-----
> > From: Andrew Plato [mailto:aplato () anitian com] 
> > Sent: 20 February 2004 17:32
> > To: focus-ids () securityfocus com
> > Subject: Is IDS/IPS worthless? 
> >
> >
> >
> > I've noticed something lately and I wonder if anybody else 
> > has experienced this. At a meeting recently, I was told by a 
> > number of people that IDS/IPS is a "worthless waste of IT 
> > resources" and "providing no real value to an organization." 
> >  The speaker at this particular meeting challenged me to say 
> > "what business goals did the implementation of an IDS/IPS 
> > achieve?"  I responded that an IDS gives insight to what is 
> > happening on a network and provides critical data to more 
> > effectively focus resources on real problems. An IPS builds 
> > a level of trust and protection from intrusions as well as 
> > insight into the function and behavior of a network. (Okay, 
> > it was a vanilla answer, I
> > admit.)
> >  
> > So this speaker then challenged me to come up with 
> > verifiable metrics. I replied that he would have to define 
> > what metrics he wants? What does he consider a "viable 
> > metric" for performance.  He said "did they sell more 
> > products, make more money?"  I replied "why is that the only 
> > metric that businesses can understand?  A lot of complex 
> > things go into 'making money' and IT operations is a small 
> > part of that. Marketing, strategic vision, and many other 
> > factors have a much more profound impact on 'making money' 
> > than a single IT security solution. However, insight into 
> > operations and security is a critical component of IT. How 
> > do you know you have been broken into if you don't have any 
> > mechanisms to detect those intrusions? There is clear value 
> > in investment in locks and security cameras, why not have 
> > similar investments into the digital equivalents."  
> >  
> > This shut him up, for a while, but it highlighted a growing 
> > trend I am noticing. It seems like there are a lot of people 
> > with an agenda right now to shoot down the value of IPS/IDS 
> > technologies. IPS in particular seems to be painted as a 
> > "marketing ploy."  I also hear the story "they bought and 
> > IDS and it just sat in a rack and did nothing"  a lot 
> > (usually from people who don't even know what an IDS does.) 
> >  
> > What is happening here?  Anybody have any idea why there is 
> > a growing "anti-IDS" attitude. Is it the failure of IDS to 
> > produce value in an organization? Is the Gartner "IDS is 
> > dead" report having THAT much affect on the industry?  Are 
> > the IDS vendors victims of their own over-marketing?  Am I a 
> > paranoid moron? 
> >  
> > I am curious to hear other people's ideas on and strategies 
> > for dealing with these objections. 
> >  
> >  
> > ___________________________________
> > Andrew Plato, CISSP
> > President/Principal Consultant
> > ANITIAN  ENTERPRISE  SECURITY
> >
> > 3800 SW Cedar Hills Blvd, Suite 298
> > Beaverton, OR 97005
> > 503-644-5656 Office
> > 503-214-8069 Fax
> > 503-201-0821 Mobile
> > www.anitian.com
> > ___________________________________
> >
> > GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 
> > 3582 633D GPG public key available at: 
> > http://www.anitian.com/corp/keys.htm 
> >
> >
> > -------------------------------------------------------------
> > --------------
> > Free trial: Astaro Security Linux -- firewall with 
> > Spam/Virus Protection
> >
> > Protect your network with the comprehensive security 
> > solution that integrates 
> > six applications for ease of use and lower TCO.
> >
> > Firewall - Virus protection - Spam protection - URL blocking - VPN
> > - Wireless security.
> >
> > Download 30-day evaluation at: 
> > > > http://www.securityfocus.com/sponsor/Astaro_focu>> s-ids_040219
> >
> >
> >
> > -------------------------------------------------------------
> > --------------



---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that integrates 
six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.securityfocus.com/sponsor/Astaro_focus-ids_040219
---------------------------------------------------------------------------