Re: Fwd: Is snort an overkill for desktop only environment ? Oct 26 2009 08:09PM
krymson gmail com (1 replies)
Re: Is snort an overkill for desktop only environment ? Oct 26 2009 09:35PM
Craig S Wright (craig wright information-defense com)
What is the cost?
- CPU and disk
- maintain and operate
- time to review and monitor
- false positives

What are the benefits?
- reduction in false negatives
- improved response time

What is the value of the system?
- data
- leap frogging to other systems stopped

If (benefit - cost) is less than a weighted value of the system, there
is a net return on using the product.

This return needs to be calculated as an IRR (internal rate of return)
for the firm (see the treasury people). If the return is equal to or
greater than the IRR, the expense is of benefit.

Regards,
Dr Craig Wright GSE-Malware LLM, etc

On 27/10/2009, at 7:09 AM, krymson (at) gmail (dot) com [email concealed] wrote:

> I don't think it would be overkill unless this is a completely
> useless office that has access to nothing. As Jason responded
> earlier, it depends on the data value. Snort will also have less
> value if the VPN is client-to-site, rather than site-to-site, since
> it won't be able to see the encrypted traffic, but that won't
> eliminate the value since you can still see if something evul is
> getting into or out of your office/desktops.
>
> I think if you can get quality information about your environment, a
> monitoring tool is a worthwhile effort. The Snort sensor can probably
> be tuned nicely to give very few alerts and far fewer false positives
> than a complex environment, depending on the web browsing habits.
>
> Part of me really wants to say you can get good value out of netflow
> statistics for that office (ferrets out strange destinations or
> hours of activity), or making sure the desktops are behind a nicely
> hardened firewall (egress and ingress accounted for) along with a
> web proxy or filter, and some sort of ability to sense rogue (new)
> systems. But Snort is a great piece as well.
>
> Regarding the 30 day lag time, I don't think that should be a huge
> problem, but yes it can be a small concern. It wouldn't kill my
> adoption of Snort in most environments, however, most likely because
> Snort is an alert mechanism and not necessarily a prevention
> mechanism. For prevention, I'd still rely on endpoint AV/security. I
> fall on the side of using IDS less as an active tool like an IPS,
> and more in the traditional detection/monitoring sense.
>
>
>
> ---------- Forwarded message ----------
> From: martin <martiniscool (at) gmail (dot) com [email concealed]>
> Date: 2009/10/22
> Subject: Is snort an overkill for desktop only environment ?
> To: security-basics (at) securityfocus (dot) com [email concealed]
>
> Hi all
>
> I've been reading up on IDP recently, and particularly started looking
> at snort. I'm considering suggesting to my boss that we install it at
> a small branch office I'm based at. However, all that we have at the
> branch office are a few desktop PCs, a firewall, switch, and a
> printer. Our DC, file server, etc. are at head office and accessed
> using a VPN.
>
> Is it worth installing IDP in a simplified environment such as this?
> Or is it designed for more "complex" environments which have more
> resources such as file servers, web servers etc.?
>
> Also, currently we wouldn't have anything in the budget to pay for the
> $500 rule subscription for one sensor - so all the rules we would be
> getting would be 30 days old. Is it worth having an IDP with rules
> that are this old? Are they still of any value? I'm thinking back
> to the Conficker threat last year - I know there was a Snort rule for
> it, but without the subscription, we wouldn't have gotten it for 30
> days. So it would have been pretty much too late in that case.
>
> I know that we can write our own rules, but I don't think anybody
> would have time to do that. So we'd be relying on what rules get
> downloaded.
>
> Any feedback would be greatly appreciated.
>
> Thanks in advance,
> M
>
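Craig Wright's reply frames the decision as (benefit - cost) per year, then an internal rate of return compared against the firm's hurdle rate. The following Python is an added worked example of that calculation, not code from the thread or from any poster; every figure in it (outlay, annual benefits, annual costs, three-year horizon, 12% hurdle rate) is a constructed placeholder that a real evaluation would replace with the firm's own estimates, and the IRR is found by bisection, which assumes one up-front outlay followed by positive annual net benefit.

```python
"""Cost/benefit model for an IDS sensor, expressed as an IRR comparison.

Added example, not from the thread. Every figure below is a constructed
placeholder (annual estimates in the firm's currency); the firm's own
treasury hurdle rate and loss estimates must replace them.
"""
from typing import Dict, Sequence


def annual_net_benefit(benefits: Dict[str, float], costs: Dict[str, float]) -> float:
    """(benefit - cost) per year, the first step of the model in the post."""
    return sum(benefits.values()) - sum(costs.values())


def npv(rate: float, cash_flows: Sequence[float]) -> float:
    """Net present value; cash_flows[0] is the year-0 outlay (negative)."""
    return sum(cf / (1.0 + rate) ** t for t, cf in enumerate(cash_flows))


def irr(cash_flows: Sequence[float], lo: float = -0.99, hi: float = 10.0,
        tol: float = 1e-7) -> float:
    """Internal rate of return by bisection: the discount rate at which NPV is zero.

    Assumes a conventional project (one initial outlay, then inflows), so NPV
    falls monotonically with the rate and exactly one root exists in [lo, hi].
    """
    f_lo, f_hi = npv(lo, cash_flows), npv(hi, cash_flows)
    if f_lo * f_hi > 0:
        raise ValueError("no sign change in NPV: cash flows have no conventional IRR")
    for _ in range(200):
        mid = (lo + hi) / 2.0
        f_mid = npv(mid, cash_flows)
        if abs(f_mid) < tol:
            return mid
        if f_lo * f_mid < 0:
            hi, f_hi = mid, f_mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2.0


def evaluate_ids_project(outlay: float, benefits: Dict[str, float],
                         costs: Dict[str, float], years: int,
                         hurdle_rate: float) -> Dict[str, object]:
    """Decide whether the sensor clears the firm's hurdle rate.

    Cash flows are the up-front outlay followed by `years` of annual net
    benefit. A non-positive net benefit never pays back, so no IRR is computed.
    """
    net = annual_net_benefit(benefits, costs)
    if net <= 0:
        return {"annual_net_benefit": net, "irr": None, "worthwhile": False}
    rate = irr([-outlay] + [net] * years)
    return {"annual_net_benefit": net, "irr": rate, "worthwhile": rate >= hurdle_rate}


# Constructed scenario for a small branch-office sensor (placeholder numbers).
OUTLAY = 4000.0  # hardware plus initial set-up labour
BENEFITS = {
    "fewer_false_negatives": 4500.0,  # reduced expected loss from incidents now detected
    "faster_response": 1500.0,        # reduced expected loss from shorter dwell time
}
COSTS = {
    "cpu_and_disk": 300.0,
    "maintain_and_operate": 1200.0,
    "review_and_monitor": 2000.0,
    "false_positive_handling": 700.0,
}
YEARS = 3
HURDLE_RATE = 0.12  # placeholder for the treasury's required rate of return

if __name__ == "__main__":
    print(evaluate_ids_project(OUTLAY, BENEFITS, COSTS, YEARS, HURDLE_RATE))
```

With the placeholder numbers the annual net benefit is 1800 and the IRR works out to roughly 16.6%, so the sensor clears a 12% hurdle but not a 20% one; the point of keeping the cost lines separate is that analyst review time and false-positive handling, not hardware, dominate the cost side for a small office.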

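krymson's reply suggests that for an office like this, NetFlow statistics that ferret out strange destinations or odd hours of activity can give much of the value of a sensor, alongside an egress-aware firewall. The Python below is an added example of that kind of triage, not code from the thread or from any poster: the flow records, the baseline of known destinations, the internal address prefix and the egress-size threshold are all constructed for illustration, and a real deployment would feed an exporter's output and a baseline learned from a quiet period.

```python
"""Triage of NetFlow-style records for a small branch office.

Added example, not from the thread. The flow records and the list of known
destinations are constructed for illustration only.
"""
import csv
import io
from datetime import datetime
from typing import Any, Dict, List, Set, Tuple

Flow = Dict[str, Any]

# Constructed sample export (not real traffic): 10.20.0.0/24 is the branch
# desktops, 10.0.0.5 the head-office file server reached over the VPN,
# 203.0.113.40 a known web host, 198.51.100.77 a host never seen before.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes
2009-10-26T09:15:00,10.20.0.11,10.0.0.5,445,120000
2009-10-26T09:40:00,10.20.0.12,203.0.113.40,443,8000
2009-10-26T10:05:00,10.20.0.11,203.0.113.40,80,2000
2009-10-26T13:30:00,10.20.0.13,10.0.0.5,445,90000
2009-10-27T02:10:00,10.20.0.12,198.51.100.77,6667,500
2009-10-27T02:12:00,10.20.0.12,198.51.100.77,6667,350000
2009-10-27T11:00:00,10.20.0.13,203.0.113.40,443,7000
2009-10-31T15:00:00,10.20.0.11,10.0.0.5,445,60000
"""

# Constructed baseline of (destination, port) pairs seen during normal operation.
KNOWN_DESTINATIONS: Set[Tuple[str, int]] = {
    ("10.0.0.5", 445),
    ("203.0.113.40", 443),
    ("203.0.113.40", 80),
}


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV export into typed records."""
    flows: List[Flow] = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "ts": datetime.fromisoformat(row["ts"]),
            "src": row["src"],
            "dst": row["dst"],
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def new_destinations(flows: List[Flow], known: Set[Tuple[str, int]]) -> List[Flow]:
    """Flows to a (destination, port) pair that is not in the baseline."""
    return [f for f in flows if (f["dst"], f["dport"]) not in known]


def off_hours(flows: List[Flow], start_hour: int = 8, end_hour: int = 18) -> List[Flow]:
    """Flows outside weekday business hours [start_hour, end_hour)."""
    return [f for f in flows
            if f["ts"].weekday() >= 5 or not (start_hour <= f["ts"].hour < end_hour)]


def heavy_egress(flows: List[Flow], threshold_bytes: int,
                 internal_prefix: str = "10.") -> List[Flow]:
    """Large transfers to hosts outside the internal range (VPN traffic excluded).

    The prefix match is a deliberate simplification for the constructed data.
    """
    return [f for f in flows
            if not f["dst"].startswith(internal_prefix) and f["bytes"] > threshold_bytes]


def triage(flows: List[Flow], known: Set[Tuple[str, int]],
           egress_threshold: int = 100_000) -> Dict[str, List[Flow]]:
    """Run the three checks and group the flagged flows by reason."""
    return {
        "new_destination": new_destinations(flows, known),
        "off_hours": off_hours(flows),
        "heavy_egress": heavy_egress(flows, egress_threshold),
    }


if __name__ == "__main__":
    for reason, hits in triage(parse_flows(SAMPLE_FLOWS), KNOWN_DESTINATIONS).items():
        for f in hits:
            print(f"{reason}: {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

On the sample data the same two 02:10 flows to the never-before-seen host on port 6667 trip both the new-destination and the off-hours check, and the 350 KB one also trips the egress-volume check, which is the kind of convergence worth a human look; the Saturday VPN transfer to the file server is flagged only for its timing, and the thresholds and hours are the knobs that decide how many such alerts a small office sees.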

Copyright 2009, SecurityFocus