Focus on IDS
All too often an org will minimize cost at the personnel level by leveraging staff already on board but maybe not qualified for the role. I would also make the conjecture that there was limited buy-in of the need for IDS/IPS in the environment. But, Aditya makes the point, "what are you protecting"? The President or ... the junior analyst =) Maybe they did not need it in that environment. I am assuming a "large telecom" has many segments in their network, some of which would absolutely need IDS/IPS. Others... maybe not so much.
jk
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of aditya mukadam
Sent: Wednesday, March 04, 2009 7:55 AM
To: focus-ids (at) securityfocus (dot) com
Cc: Ravi Chunduru
Subject: Re: ROI on IDS/IPS products
> It was felt that they did not find enough ROI to
> justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and
> reports. It appears that no major incidents were detected by network
> IPS devices. I also was told that these IPS devices are from industry
> leaders.
I read the above with the example below:
A residential building has a gate, wall and a few security personnel for
safety against theft etc. In two years, there was no major theft or
issues and hence the residents decided to remove the building gate and
security personnel! Oh yes, the security guards were black cat
commandos!
Your discussion with the security administrator was very interesting
however it would be good to know:
1) How and where are the IPSs placed in the network?
2) What signature profile are they using for these IPSs? Many IPSs
come with default settings for low detection.
3) Did they tune the IPSs as per their own requirement?
4) How often did they patch the IPSs?
Lastly, were the IPSs purchased because they were needed *or* was the
company fooled into buying them, or did it have a budget/policies/vendor
commitment to buy them?
It all depends on what you are safeguarding!
For example: A common man's residential building will have 1 security
guard however the President's residence will have a range of security
gadgets, various check points, many many security guards!!!
Thanks,
Aditya Govind Mukadam
On Fri, Feb 27, 2009 at 10:38 PM, Ravi Chunduru
<ravi.is.chunduru (at) gmail (dot) com> wrote:
> I was talking to a junior security administrator working for a big
> telecom company. He said something which is worrying. After a few
> years of IPS deployment in a particular department, they decided to
> remove IPS devices. It was felt that they did not find enough ROI to
> justify 2 dedicated personnel to monitor and analyze IDS/IPS logs and
> reports. It appears that no major incidents were detected by network
> IPS devices. They felt that signature coverage is either poor or not
> timely. I also was told that these IPS devices are from industry
> leaders.
>
> Can you share your experiences? Any examples of successful detection
> and prevention of major attacks and penetration by IPS devices.
>
> Thanks
> Ravi