IDS v's MSM

  1. #1
    Member
    Join Date
    Oct 2001
    Posts
    59

    IDS v's MSM

    Though I'm a newbie to security compared to a lot of people on this site, I have what I'd call a mid-level knowledge and competence. Having been reading a lot on IDS systems and MSM (managed security monitoring) solutions, my question is: what are the disadvantages as well as advantages of outsourcing out to MSM companies (such as Counterpane) rather than simply installing an IDS solution like Sourcefire, which is cheaper?

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Hmmm,


    Having been reading a lot on IDS systems and MSM (managed security monitoring) solutions, my question is: what are the disadvantages as well as advantages of outsourcing out to MSM companies (such as Counterpane) rather than simply installing an IDS solution like Sourcefire, which is cheaper?
    If you have read a lot, I would imagine that you would have come across this information. Where did you look for info on this?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    Junior Member
    Join Date
    Feb 2003
    Posts
    5

    Thoughts...

    You post an interesting question esi1,

    Let me ask you this.

    Do you have anyone in your organization who is competent enough to install, configure, and then understand the IDS Alerts, Logs and other outputs?

    Will that person be able to quickly (a relative term I know) interpret and analyze the IDS logs/alerts? Will they be able to identify a "false positive" among all of the alerts generated?

    If you do have someone in your organization with these capabilities, will they be monitoring your network 24/7?

    How much will you be paying that person? $70K, $80K, or more? Chances are you'll need at least 3 to 5 people at a minimum to watch your IDS 24/7/365. Remember, the nefarious are working against our networks all the time...

    If you figure you're going to pay these talented people (let's LOWBALL here...) $60K * 5 FTEs (Full Time Employees), that equals $300K/year, just in salary, not including benefits and such... I know that most of the MSM solutions watching your/our networks (routers, firewalls, IDSs) are providing 24/7/365 monitoring for MUCH less than that.


    Now the disadvantages:

    How much information, or trust about your organization do you want to place in your MSM?

    Will they be in business next Week? Next Month? Next Year?

    How competent are the Staff monitoring your network?

    What are their "escalation" procedures?

    Are they "Proactively" monitoring your network, or "Reactively" watching?


    Just some of my quick thoughts...

    Hope this helps you.

    BTW
    Snort RULES

    Kerberos

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I have been asked to explain via PM what the advantages and disadvantages are by some folks here. Here is what I can come up with in 5 minutes or less:

    DISADVANTAGES: MSM
    1) Your IDS is out of your physical control
    2) You can't be sure who is applying the rules and who is responsible for your account (trust me on this one).
    3) Turn around time for changes/updates may be longer than acceptable to users/management
    4) Cost
    5) Reporting tends to be less customizable
    6) Long contracts usually are involved
    7) Even if you are skilled enough, you may not be able to craft your own signatures (algorithms) because of licensing restrictions/management restrictions by your MSM provider

    ADVANTAGES:
    1) If you don't have the skillset in house, this is a better way to get immediate satisfaction
    2) If you have the bling bling, this may free up more of your time to focus on other projects
    3) If something goes wrong, you can point the finger at the MSM provider
    4) The equipment usually is installed and maintained by the MSM thus again, freeing more of your time for other purposes.


    YOUR OWN IDS ADVANTAGES:
    1) You are in control and have the ability to update signatures the minute the manufacturer releases them (as I do with mine)
    2) If the unit turns out to be a dud, you can rip it out of your rack and pursue another manufacturer
    3) You can be SURE that it is filtering the appropriate segments because you know your network infrastructure
    4) You can easily move the sensor should your WAN/LAN group decide to make physical changes to the network room/network setup
    5) You can change the behavior of the IDS on the fly without calling your MSM to get involved

    DISADVANTAGES YOUR OWN IDS
    1) If it breaks down, and you didn't purchase a failover box, you are more than likely waiting 24 hours at best before a new one arrives. This assumes that you have purchased support.
    2) If you hose up the configs, YOU have to rebuild the box.
    3) If you suddenly find that the IDS company has decided to move into another segment, you're stuck with the box until you can test and purchase a new solution.
    4) If something goes wrong, everyone looks at you because ultimately, you are the admin of the IDS.


    Hope this helps all those who are curious.