Pantek Library
Hosting Provided By
CybrHost
High Speed Hosting
Mailing Lists: securityfocus.com > focus-ids > 03 > 050609.html (Request Expert securityfocus.com Support)

RE: Low cost HID based IDS system

From: Zach Forsyth <Zach.Forsyth(at)kiandra.com>
Date: Sun May 18 2003 - 20:21:01 EDT


Paul,

You seemed to of missed the point a little. Why do people bother developing snort when there are so many other commercial IDS's out there, it's free so therefore it can't be any good. Why do people bother with Nessus
Why do people bother with <insert free/cheap/open source solutions here>

Why would anyone try to build something lower cost that what is already out there? Silly developers/engineers.
Come on, give me a break, I would like to explore the possibility of implementing a low cost solution for my clients using relatively inexpensive solutions.

They realise that I can only offer them 8am-7pm full coverage during business hours, occasional after hours and weekend monitoring. They still get event analysis the next morning from any of the nights activities, and this is still valuable to them. Hopefully when we have enough clients to warrant the expense we can do 24x7. And that would be never trying to implement a high cost solution as the clients wouldn't pay.

What's better 8am-7pm monitoring and further analysis or nothing?

I believe I can roll out a better than nothing solution to small clients, say of 5 pc's and a server for a small monthly fee. Lets try and work through some ideas, this are pretty crazy so bear with me:

Let's assume they do not have US$1000 per month.

Buy a nice fat NID and sit it at an internet gateway. Lets say we have a 10mb connection to the internet. Lets say a Cisco 4210 for US$10,000
(just adding a rough figure here)

All clients then use you as an ISP for their internet/mail/etc. We now have a gateway IDS device protecting multiple clients for a shared cost to each client per month.
How many small clients could we connect? I would put it between 50-X clients depending on cost.
If we assumed all of them would of normally had an ISDN or modem connection to the internet then it could be very high. And there are still plenty of those clients around.
Would they all pay $50/100/150,200 a month? We could make it profitable as long as they realise it is better than nothing but not as good as a full 24x7 service. But then again what are they paying per month...

Do you need help?X

50 clients x$50 = $2500 per month
50 clients x$100 = $5000 per month

Seems to me like the NID will be payed off nice and quickly, then the cost is based on monitoring hours, reporting and incident response
(which could be charged separately)

What about a HID based solution?
Buy a central event monitoring and management console. Lets say Enterasys Dragon US$7000 or so
Deploy a server based HID agents to each clients critical server. Enterasys squire US$750 or so
Then once again we can protect how many HID's? Some event monitoring consoles will support 10,000's of remote agents. We now have a managed IDS for small clients, that can pay a small fee per month for 7am-8pm protection.

What about an IPS which still needs 24x7 monitoring in large corporate clients, but can still protect you 24x7 by itself if you don't have the monitoring.
I think you could build a relatively cheap IPS solution with monitoring and reporting for small clients.
This may even be the way I am headed as it offers more protection for the $ spent. Something like Cisco Secure Agent, or Entercept.

As long as clients realise what they are paying for and receiving for their money I think a simple yet small solution will work. Value for money is relative and I think usually as price goes up you get to a point of diminishing returns.
It is fine for large corporate clients to strive for that last 1% but small companies get no value out of doing that.

I appreciate your scepticism and it has helped me think through some aspects of this in more detail.

I guess it all depends on your viewpoint of what an IDS should be. I can see a big gap in the market and will continue to work on innovative ways to provide solutions for all the small fish out there.

Cheers

Do you need more help?X

Zach

-----Original Message-----
From: Schmehl, Paul L [mailto:pauls@utdallas.edu] Sent: Saturday, 17 May 2003 14:10 PM
To: Alan Shimel; Zach Forsyth; Focus-Ids Subject: RE: Low cost HID based IDS system

Nothing in life is free. Everything has a cost associated with it. For example, while he may be able to provide a similar service for much less money, what happens if he misses an attack that devastates one of his customer's networks? Will he indemnify them? Will they sue him and destroy *his* business in the process? Is he going to be watching the IDS 24/7 like an MSSP would? Is he knowledgeable enough of IDS to provide the same level of service to them that an MSSP would? Does he have the resources?

Everything has a cost. Sometimes the cost doesn't show up until you've already realized the decision you made was flawed. What's the value of the business lost while your network is down?

I just don't think it makes good business sense to cut corners on security to save a few dollars. In the end, you'll regret it. ISTM he would serve his customers better by negotiating a reasonable rate for the services of an MSSP *through* his company to each of his customers. With his higher bargaining power, he has the opportunity to provide them with real value at a reasonable cost that is much less than what they might be able to negotiate on their own. Especially now, when security companies are scrambling to find revenue.

In the final analysis the question he needs to answer is; is he trying to provide his customers with true value for their dollars? Or just throw together something cheap that will make them feel safer but won't really make them any more secure?

Paul Schmehl (pauls@utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-----Original Message-----
From: Alan Shimel [mailto:alan@latis.com] Sent: Friday, May 16, 2003 10:00 PM
To: Schmehl, Paul L; Zach Forsyth; Focus-Ids Subject: RE: Low cost HID based IDS system

Can we help you?X

There are tools out there that would allow him to provide these services to customers at substantially below some of the MSSPs you mentioned charged. I think it is possible to provide this service sub-1000 dollars a month


INTRUSION PREVENTION: READY FOR PRIME TIME? IntruShield now offers unprecedented Intrusion IntelligenceTM capabilities - including intrusion identification, relevancy, direction, impact and analysis - enabling a path to prevention.

Download the latest white paper "Intrusion Prevention: Myths, Challenges, and Requirements" at: http://www.securityfocus.com/IntruVert-focus-ids2

Received on Tue May 20 12:35:48 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:12 EDT

Contact Us  Legal Notices  Order Services Online 
Pantek Home  Privacy Policy  IT news  Site Map  Pantek Library