2003-11-04T08:39:11 Bruce Potter: > How much money/effort (ie: more money) had an organization spent > on IDS in order to detect nimda? [...] If the same org also had > machines a year out of date on patches (or even _4 months_, it > doesn't matter) don't you think that money would have been better > spent on patching the machines? It's not an either/or thing. Yup, an enterprise can and should blow a couple hundred grand and get some IDS out there. Been there, done that, got good value out of it. Yup, an enterprise should commit some couple hundred grand (if they use no Windows) to solve the patching problem completely. If you have a bad Windows infestation, plan on spending millions on combined manpower and loss-of-service, every year, and you'll still have machines left unpatched for months or years, for some patches. > Seriously, how many zero-day worms have there been? <crickets > chirping> I'm sure there will be one some day, but the current > rack of IDS's will be just as blind to it as your admins. Depends on the IDS. Check out what Mazu Networks is doing, they make a convincing case that they can robustly detect and alert on --- even automatically block, if you wish to enable it --- a zero-day worm. They do an awful lot more, too; as a network configuration maintenance and audit tool it's pretty impressive. Sadly, it costs. Boy does it cost. > In short, if you spend your IDS budget on figuring out how to do > patching right and mabye even for some external auditing of your > network, you'll probably not see many valid hits on your IDS. A budget that's luxurious for IDS is pitifully inadequate for patching. Big enterprises routinely plan in the neighborhood of $50K to test and deploy a single patch across their Windows systems. -Bennett
This archive was generated by hypermail 2b30 : Tue Nov 04 2003 - 14:11:02 PST