OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: RE: IDS: The price of Security Software
From: Klaus, Chris (ISSAtlanta) (CKlausiss.net)
Date: Mon Oct 30 2000 - 17:53:43 CST

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owneruow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicted mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
-----------------------------------------------------------------------------

> Another resource is the Open-Source community. There are OpenSource
> Scanners and IDS that are equal to or better in performance than the
> commercial software. The drawback to the opensource may be that it
> requires a higher level of knowledge in some cases to use it, but the
> price you pay in time and money to learn how to use it in
> some cases may
> be cheaper than the cost of a commercial software package.

To build all the security checks for both IDS and vulnerability scanners
requires a team of security experts working full-time. Most organizations I
talk with do not have the resources to develop their own attack signatures
and vulnerability checks, despite free tools being open sourced. Long term,
as the number of attack types and attack methods increase, I do not see how
a non-security company could justify the cost of hiring a team to keep up,
but rather pay a security vendor to do that for them. How many companies
rely on open source antivirus solutions? It's very expensive to hire a
team of security experts that can program and keep updating the security
intelligence of scanners and IDS.

In the past, a free security tool might have had equivalent number of
security checks, but with a dedicated security team at a commercial
security vendor, the delta between commercial and freeware will continue to
grow. As we continue to integrate both network and host based IDS and
scanners into a single full solution, and companies look at the complete
total solution, not just a point product, the number of security checks
within all four quadrants (net-scan, net-IDS, host-scan, host-IDS)
dramatically differs between commercial and freeware.

Another option for looking at vulnerability scanning cost, is managed
security services and remote perimeter scanning. There are many companies
offering remote scanning services. If you are just assessing your DMZ and
perimeter servers, it might be cost effective to have a security company do
monthly or quarterly scans and send you a report. This way, you do not even
have to deal with updating the vulnerability scanner with new checks,
hopefully the company providing the service does. This is a new area for
security scanning services that is starting to take off.

Many companies just hire security consultants to come in and do security
audits and penetration testing. This is useful for internal security and
not needing to buy the tool directly.

So with scanning, you can:
1) use a free tool and update it with your own security checks or rely on
open source community to update it.
2) buy a commercial scanning tool
3) buy the service of remote scanning
4) hire some security consultants to do vulnerability assessment.

There are +'s and -'s to each approach and they each can be optimized for
your budget.

>
> There are good and bad products across the board of
> commercial and Open
> Source. The best way to find out what you need most is to have a
> "bake-off" and get all the players together to see what best
> suits you and
> your environment.
>
> Another good resource is Talisker's site at
> http://www.networkintrusion.co.uk
>
>
> ALL: This question comes up a lot, (or rather this answer).
> IS there a
> place in the FAQ for this list that people could be easily
> directed to to
> save time and effort?
>
>
>
> -blue0ne
> http://www.digitz.org
>
>
> On Thu, 26 Oct 2000, Hui zhu wrote:
>
> > Archive: http://msgs.securepoint.com/ids
> > FAQ: http://www.ticm.com/kb/faq/idsfaq.html
> > IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
> > HELP: Having problems... email questions to ids-owneruow.edu.au
> > NOTE: Remove this section from reply msgs otherwise the msg
> will bounce.
> > SPAM: DO NOT send unsolicted mail to this list.
> > UNSUBSCRIBE: email "unsubscribe ids" to majordomouow.edu.au
> >
> --------------------------------------------------------------
> ---------------
> > Hi , everyone,
> >
> > Our company want to buy some secuirty software, so I contact
> > with some vendor. But the price is very high. For example, the
> > CyberCop scanner licence is based on network user, 300 users
> > licence is US$20000. Why is it based on user number instead of
> > server number? I just want to scan my several server, not all
> > the user desktop. are all the security scanner and IDS such
> > expensive?????
> >
> > Can someone give some information of difference licence price
> > of difference product????
> >
> > Thanks.
> >
> > Zhu Hui
> > Information Security Analyst
> >
> > ________________________________________________
> > Get your own "800" number - Free
> > Free voicemail, fax, email, and a lot more
> > http://www.ureach.com/reg/tag
> >
>