On Mon, Mar 2, 2009 at 3:09 PM, Jeremy Bennett <[email protected]> wrote:
>
> On Mar 2, 2009, at 11:21 AM, Stefano Zanero wrote:
> >
> You assert that the customer 'WILL need to know damn well what they are
> doing.' I assert that if the customer knew what they were doing to the
> degree that you imply they'd be writing their own snort rules. Sourcefire
> has a good product based on this and it has its place in organizations that
> can run it.
> There are many customers that will never have that expertise. They have no
> choice but to trust their vendor to have the expertise necessary to write
> signatures and clearly communicate the efficacy of those signatures. This is
> the bulk of the potential IPS market, those people that want something
> better than a firewall but can't afford to digest 100,000 events per day.
>
> -J
I'm glad you mentioned Sourcefire directly. I've had to manage a few different brands of IDS/IPS including ISS, Dragon, and Sourcefire now. As pure IPS they all have the challenge of needing someone qualified enough to accurately interpret event data and tune down the false positives.

IMO, what helps the Sourcefire product stand out is the addition of RNA and similar features. The added intelligence RNA provides dramatically decreases the time and effort an analyst needs to make an informed decision on the validity of an alert. You still have to deploy it correctly and employ qualified analysts, but if you're looking for a way to quantify ROI, consider how much time (= $$$) it saves an analyst to have most, if not all, the data they need to qualify an alert right at their fingertips rather than having to go and hunt it down or manually correlate it from other sources (i.e., VA scans, system inventories, other sys admins). It's still a hard number to pin down, but I think it's worth mentioning.

Disclaimer - No, I don't work for Sourcefire (but if Mr. Roesch would open a spot on the prof services team we could remedy that). ;-)

Scott
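The triage shortcut Scott describes, an alert judged against what is actually known about the target host, can be shown in a few lines. The following is an added example written for this thread; it is not Sourcefire RNA, Snort, or any vendor's code. The asset inventory, the alerts, the `affected_os` field (standing in for whatever OS information a rule's metadata carries), and the priority labels are all constructed assumptions.

```python
"""Correlate IDS alerts with an asset inventory to rank analyst attention.

Added example for illustration only. The inventory below plays the role of
data a passive-discovery tool or a VA scan would supply; the alerts are a
simplified, constructed shape, not real Snort output.
"""
from dataclasses import dataclass


@dataclass
class Alert:
    sid: int            # signature id (constructed)
    msg: str
    affected_os: str    # OS the signature's flaw applies to; "any" if not OS-specific (assumption)
    dst_ip: str
    dst_port: int


# Constructed inventory: host -> OS and listening services (port -> service name).
ASSETS = {
    "10.0.0.5": {"os": "windows", "services": {445: "smb", 3389: "rdp"}},
    "10.0.0.9": {"os": "linux", "services": {22: "ssh", 80: "http"}},
}

# Constructed alerts: the same SMB signature fires against a Windows host and a
# Linux host, an HTTP rule fires on a port nothing listens on, and one alert
# targets a host the inventory has never seen.
ALERTS = [
    Alert(1001, "SMB overflow attempt", "windows", "10.0.0.5", 445),
    Alert(1001, "SMB overflow attempt", "windows", "10.0.0.9", 445),
    Alert(2002, "HTTP directory traversal", "any", "10.0.0.9", 8080),
    Alert(3003, "SSH brute force", "any", "10.0.0.42", 22),
]


def enrich(alert: Alert, assets: dict) -> dict:
    """Attach host context to an alert and derive a triage priority.

    Order of checks matters: an unknown host is never silently discounted,
    an OS mismatch or a closed port lowers priority, and only an alert whose
    target plausibly exposes the affected service stays high.
    """
    host = assets.get(alert.dst_ip)
    if host is None:
        return {"priority": "medium",
                "reason": "target not in inventory; verify manually"}
    if alert.affected_os != "any" and host["os"] != alert.affected_os:
        return {"priority": "low",
                "reason": f"target runs {host['os']}, signature targets {alert.affected_os}"}
    if alert.dst_port not in host["services"]:
        return {"priority": "low",
                "reason": f"no known service on port {alert.dst_port}"}
    svc = host["services"][alert.dst_port]
    return {"priority": "high",
            "reason": f"target runs {svc} on {host['os']}; exposure plausible"}


def triage(alerts, assets):
    """Return (sid, dst_ip, priority) for every alert, ready for an analyst queue."""
    return [(a.sid, a.dst_ip, enrich(a, assets)["priority"]) for a in alerts]


if __name__ == "__main__":
    for a in ALERTS:
        e = enrich(a, ASSETS)
        print(f"sid={a.sid} {a.dst_ip}:{a.dst_port} -> {e['priority']}: {e['reason']}")
```

The point of the example is the ordering of the checks rather than the data: a host missing from the inventory is the case that still costs analyst time, so it is flagged for review instead of being dropped, while the two "low" outcomes are exactly the lookups (OS, listening services) that an analyst would otherwise perform by hand against a VA scan or a system inventory.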
