On Sat, Feb 28, 2009 at 2:03 PM, Ravi Chunduru <[email protected]> wrote:
> Hi,
>
> I got many responses on my previous thread with subject ROI on IDS/IPS
> devices. Looks like I gave the wrong impression that all security
> measures were taken off. I was specifically pointing out IDP devices.
> I only wanted to gauge ROI (ROSI?) justification with respect to
> IDPs specifically. With respect to that I was asking for specific
> examples of positive experiences one had or is having with IDP devices.
>
> I got two responses privately to my previous thread which seem to
> question the value of IDP devices. One of the responses is interesting
> and it seems to suggest that after they had chosen "Patch Management
> Systems", they are hardly finding any use for the IDP device. I have
> taken permission from the respondent to give the gist of the explanation. It
> is a Microsoft house, i.e. mostly Microsoft products are used in the
> organization. The IDP device vendor they went with provides protection
> measures (rule updates) only when Microsoft releases patches. Sometimes
> rule updates for Microsoft vulnerabilities are given
> 2 to 7 days later by the IPS vendor. Patch Management systems would have
> patched the systems and software by that time, rendering the IPS protection
> useless. Client-side attack detection by IDP devices is not really
> effective, and anti-virus software on desktops seems to do a better job.
> The respondent seems to feel that IDP devices are good only if legacy
> software is used for which the software vendor does not provide patches.
> It appears that this house has some web applications. To protect from
> web application attacks, they seem to use a web application firewall.
> With the protection provided by the "Patch Management System", "Web
> application firewall" and traditional firewall devices, the
> justification for continuation of IDP devices seems to be on a slippery
> slope. At the end he mentioned that other types of deployments might
> see value in IDP devices.
>
> The other response I got is vague on details and seems to suggest that many
> buy these devices out of fear, but realize eventually that they are
> not as effective as they thought.
>
> I hope I will get some responses with positive experiences of using
> IDS/IPS devices.
>
> Thanks
> Ravi
>
Hello Ravi. I replied to your other thread but I agree it was drifting a bit from your original question.

Personally I've had many positive experiences with IDS/IPS devices. On many occasions they were the first alerts on a number of worm outbreaks within the enterprise environment. The signatures were not specifically written for the worm in action but still alerted on the noise created by the replication tactics it used. What contributed to the sensors' effectiveness was proper placement within the environment. We had eyes on most of the major switches via span ports, so visibility was great. From there it was a question of the analysts properly identifying the alert traffic and escalating to the IR team to mitigate the problem.

This was also the case for attacks against the corporate DBs. The sensors alerted on the attack traffic and we were able to provide specific data to the IR team. The flexibility we had to modify rules/signatures and alerts specifically for this traffic is what really helped us get in front of the attacks before they spread throughout the network.

It's hard to quantify a dollar amount based on this, but we estimated it saved us several days of clean-up work. If you wanted to drill down, that metric can be explained with man hours and cost per hour. Keep in mind this was an IDS at the time (4 years ago). Now that an IPS can also block traffic, I believe the window of containment would have been much smaller (less time = less money spent on man hours).

Scott
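As an added illustration of the point Scott makes about generic signatures firing on replication noise (this is example code written for this page, not Scott's rules or any vendor's), the detector below implements the same idea as a threshold or rate-based IDS rule: it knows nothing about a particular worm, only that one source opening connections to many distinct hosts on one port within a short window is abnormal. The connection records, hosts, port and thresholds are all constructed for the example; the alert it returns carries the source and the destinations it touched, which is the kind of specific data an analyst would hand to an IR team.

```python
"""Generic fan-out ("replication noise") detector over connection records.

Added example for this thread, not code from the original post. A single
signature of this shape catches any worm that spreads by sweeping a subnet
on one service port, without knowing which worm it is.
"""
from collections import defaultdict, deque

# Constructed sample connection records: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps 30 hosts of a /24 on TCP/445 in 30 seconds (SMB-worm style
# replication noise). 10.0.0.7 is a normal desktop that talks to three file
# servers on 445 and one HTTPS site. All addresses are made up.
SAMPLE_CONNECTIONS = (
    [(100 + i, "10.0.0.5", f"10.0.1.{i + 1}", 445) for i in range(30)]
    + [(100 + i * 7, "10.0.0.7", f"10.0.2.{(i % 3) + 1}", 445) for i in range(10)]
    + [(105, "10.0.0.7", "93.184.216.34", 443)]
)


def detect_fanout(connections, port=445, max_unique_dsts=20, window_seconds=60):
    """Return {src_ip: (trip_timestamp, sorted_destinations)} for every source
    that contacts more than `max_unique_dsts` distinct hosts on `port` inside
    any sliding window of `window_seconds`.

    The thresholds are assumptions chosen for the sample data; in a real
    deployment they are tuned to the site's normal fan-out on that port.
    """
    per_src = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, dport in sorted(connections):  # process in time order
        if dport != port:
            continue  # the rule is scoped to one service port
        window = per_src[src]
        window.append((ts, dst))
        # Evict records that have fallen out of the sliding window.
        while window and window[0][0] < ts - window_seconds:
            window.popleft()
        unique_dsts = {d for _, d in window}
        if len(unique_dsts) > max_unique_dsts and src not in alerts:
            # First time the threshold trips for this source: record when,
            # and which hosts it reached, for the IR hand-off.
            alerts[src] = (ts, sorted(unique_dsts))
    return alerts


if __name__ == "__main__":
    for src, (ts, dsts) in detect_fanout(SAMPLE_CONNECTIONS).items():
        print(f"ALERT t={ts} src={src} contacted {len(dsts)} hosts on 445: {dsts[:5]}...")
```

Run against the constructed records, the sweeping host trips the rule at the 21st distinct destination while the desktop, which never exceeds three distinct file servers, stays silent. Raising `max_unique_dsts` or shortening `window_seconds` is the same tuning an analyst does on a threshold rule to trade false positives against time-to-alert.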
