IDFAQ: How do I convince my boss/manager/supervisor/board of directors to pay for an Intrusion Detection System (IDS)?

updated 5/10/00

Demonstrate that the benefits of an IDS outweigh the investment costs. The amount of work you might need to do will depend on the organization's perspective on information assurance. If the organization is committed to defense in depth, you (or someone else) have already grasped what illustrations will convince the decision makers that information assurance is a good thing. In any case, you are well advised to develop metrics that demonstrate that an IDS is just good business - that the investment is well worth the return you get.

How do I calculate the investment costs and the potential return?

If your company relies quite heavily on e-commerce, determine how much it will cost the organization if the Web site is down for an hour. More importantly, identify how you will know that the Web site is down (or under attack). Are you really counting on customers to call you and let you know? If the site goes down regularly due to computer attacks, such as denial of service (DoS) or Web attacks, then a small investment of about $10,000 to $20,000 is cheap. The IDS then becomes an alarm that alerts security personnel to future probes, intrusions, or attacks. Most ID systems offer the option to set a site policy, which allows you to reset a connection that is determined to be in violation of the company's current security policies.

Are there other factors that enter into the cost equation?

Some consultants point out that it's a simple, strategic advantage to know who is accessing your network(s) and what they're doing. As an example, did your competitor just hit your Web site and read all your pages? Said differently, if you don't have an IDS, what measures are you taking to protect the stockholders' investment? Some people deploy an IDS out of curiosity -- it's interesting for a short while to be able to document the frequency and level of attacks on your network. It's also a great discovery tool - one of the first steps to successful installation and operation of an IDS is getting the network properly configured. If you've never analyzed your setup, this could be a real eye opener.

There's a new mindset that you're demonstrating a useful degree of readiness because you can detect an attack. In theory, the IDS alerts you and you increase your vigilance for a period of time, increasing your chances of detecting and countering a real attack. When the attack occurs, you have a leg up on recovery because you have a clue as to the scope and nature of the attack. This can translate into quicker recovery, which means reduced administration costs and less lost production time. Another way to look at this is to ask "how much is the organization willing to invest to reduce the time it takes to identify a problem and get it fixed?" Given that there are free software suites available that work fine on low-cost Intel platforms, is the organization prepared to defend not implementing an IDS?

These days, audit tools are driving the market to give a picture in time of the status of a network. If your network is audited regularly by security analysts, you'll be criticized if their testing passes undetected. Since many auditors use wide-spectrum automated scanning tools like Internet Security Scanner, CyberCop from Network Associates, or a free tool such as Nessus, there's an immediate emotional payoff if you have an IDS that detects an ongoing scan.

What else should I do?

As we begin to understand IDS in broader terms, combining vulnerability analysis through regular audit with intrusion detection data is becoming critical for long-term success. Using the data collected through regular audit will greatly assist in designing a sound security policy, which will significantly reduce false alarms.

At the minimum, you will need at least 3 people to maintain any sound security architecture. If you go with fewer, it may cost you dearly in the end. This will ensure that enough knowledge remains in the organization if one of the members of the security team decides to leave for greener pastures.

One very important thing to remember: an IDS is just another tool - part of a good security architecture and one element in a Multi-Layered Defense Strategy. An IDS is not meant to replace firewalls but to complement them. An IDS that has sensors both inside and outside the firewall can be a big help in determining whether or not the firewall is configured and operating as expected.
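
The inside/outside sensor comparison described above, as an added example that is not part of the original FAQ. It assumes both sensors log inbound connection attempts that can be normalized to the same tuple (no address translation between them); the policy, the addresses and the sample flows are constructed for illustration.

```python
from collections import namedtuple

# One observed inbound connection attempt, as normalized from a sensor's log.
Flow = namedtuple("Flow", "src dst dport proto")

# Assumed firewall policy: the only inbound (dst, dport, proto) that should pass.
ALLOWED_INBOUND = {("192.0.2.10", 80, "tcp"), ("192.0.2.25", 25, "tcp")}

# Constructed sample data (documentation address ranges), not real captures.
OUTSIDE = [
    Flow("198.51.100.7", "192.0.2.10", 80, "tcp"),
    Flow("198.51.100.7", "192.0.2.10", 23, "tcp"),
    Flow("198.51.100.9", "192.0.2.30", 139, "tcp"),
    Flow("198.51.100.9", "192.0.2.25", 25, "tcp"),
]
INSIDE = [
    Flow("198.51.100.7", "192.0.2.10", 80, "tcp"),
    Flow("198.51.100.9", "192.0.2.30", 139, "tcp"),
    Flow("203.0.113.5", "192.0.2.30", 6000, "tcp"),
]

def audit_firewall(outside, inside, allowed):
    """Classify each flow by what the policy says versus what the sensors saw."""
    outside_set, inside_set = set(outside), set(inside)
    report = {"passed_ok": [], "blocked_ok": [], "leaked": [], "wrongly_blocked": []}
    for flow in sorted(outside_set):
        permitted = (flow.dst, flow.dport, flow.proto) in allowed
        passed = flow in inside_set
        if passed and permitted:
            report["passed_ok"].append(flow)
        elif passed:
            report["leaked"].append(flow)           # policy says drop, yet it got in
        elif permitted:
            report["wrongly_blocked"].append(flow)  # policy says allow, never arrived
        else:
            report["blocked_ok"].append(flow)
    # Seen inside but never outside: possibly a path that bypasses the firewall,
    # or a gap in the outside sensor's coverage.
    report["inside_only"] = sorted(inside_set - outside_set)
    return report

if __name__ == "__main__":
    for category, flows in audit_firewall(OUTSIDE, INSIDE, ALLOWED_INBOUND).items():
        for f in flows:
            print(f"{category:16} {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The "leaked", "wrongly_blocked" and "inside_only" categories are the ones that point to a firewall rule or network path worth reviewing.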

Page originally authored by Guy Bruneau - DND CIRT

Page last updated by Fred Kerby