On Fri, 2009-02-27 at 09:08 -0800, Ravi Chunduru wrote: > I was talking to a junior security administartor working for a big > telecom company. He said something which is worrying. After few > years of IPS deployment in particular department, they decided to > remove IPS devices. It was felt that they did not find enough ROI to > justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and > reports. It apperas that no major incidents were detected by network > IPS devices. they felt that signature coverage is either poor or not > timely. i also was told that these IPS devices are from industry
Discussion around the term ROI aside, your question should not have been about "ROI on IDS/IPS products", but rather about "IDS/IPS *deployments*". You can have a great product that works really well (Snort comes to mind), but deploy it completely wrong. While the "ROI" of the product exists, the deployment makes it a complete waste of funds. I'm not sure which product you are referring to (though I can make a good guess :), and yes, there are products that conform to their companies marketing material and get you a check-box on your compliance audits, but are actually worthless. Other products are great, but again, if they are not *deployed* correctly and/or *used* correctly, then these deployments are also a waste of time and money. I think too many people expect to buy an IDS/IPS off the shelf, read the manual, get it set up, and think the task is done. IDS/IPS boxes are tricky and require expertise to properly configure and use. If that expertise doesn't exist in your organization, hire someone that does have the expertise and can help not just implementing the IDS/IPS, but also assist creating a group that can actually manage and use it on a continuous basis. Cheers, Frank -- It is said that the Internet is a public utility. As such, it is best compared to a sewer. A big, fat pipe with a bunch of crap sloshing against your ports.
signature.asc
Description: This is a digitally signed message part
