IDS mailing list archives

Re: IDS Security Metris

From: "Eric Hacker" <focus () erichacker com>
Date: Thu, 5 Apr 2007 16:13:44 -0400

On 4 Apr 2007 21:29:44 -0000, jlynnmonett () yahoo com
<jlynnmonett () yahoo com> wrote:

Could someone help me.  I need to create a list of 10 security metrics for a IDS.


10 seems rather arbitrary. Is this for some useful business purpose or a class?

1. For every incident investigated due to the detection of events from
the IDS, estimate the financial impact of not detecting the issue.
Track the total gross.

10. Track false positive incidents. That is the number of times the
pager went off due to an alert on something that was not that
critical. Because new signatures are always being added, this will
probably be flat in a mature IDS program.

11. Track false negatives that generate new pager rules. That is the
number of times the analysts were reviewing the non-paging events and
found something that you should have been paged on. This justifies the
time and cost for the constant review of events.

There I gave you an extra one.

Metrics are usually based on the specific needs of the IDS processes,
how they fit into the overall Security processes, the level of risk
tolerable to the business, and the threats. Without more details on
the particular situation, one might as well assume you're using
binary.

In general if one is asking for help on a mailing list, one should
provide at least as much information as one expects back in return. I
should have replied that I am sure someone out there could help you,
but I was feeling generous.

Regards
--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.

------------------------------------------------------------------------

Current thread:

IDS Security Metris jlynnmonett (Apr 05)
- Re: IDS Security Metris Jamie Riden (Apr 05)
  - Re: IDS Security Metris Stefano Zanero (Apr 09)
    - Re: IDS Security Metris Jamie Riden (Apr 09)
    - IDS/IPS evaluation (was Re: IDS Security Metris) Tremaine Lea (Apr 09)
- Re: IDS Security Metris Eric Hacker (Apr 05)
- Re: IDS Security Metris dpat (Apr 09)
- Re: IDS Security Metris tim_holman (Apr 10)