IDS
mailing list archives
Re: Question on resources needed to manage IDSes
From: Jeff Nathan <jeff () snort org>
Date: Tue, 2 Dec 2003 12:15:38 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Dec 2, 2003, at 9:44 AM, simonis () att net wrote:
I am looking for a rule of thumb, something like this:
1-5 IDS sensors - 1 Analyst
5-15 IDS sensors - 2 Analysts
15-50 IDS sensors - 3 Analysts
1 Analyst for every 30 additional IDS sensors.
Are these the number of folks "at the screen" or the head count required?
If the latter, remember folks get sick and take vacation. Also, consider
the need for 24x7 monitoring. Such considerations really scale up the
number of bodies required.
[...]
Your numbers, however, don't make much sense. What about that 3rd analyst
is so special that they enable the monitoring of an additional 35 sensors,
when a single analyst alone can only monitor 5? Then, after 50 sensors, an
added analyst only enables the monitoring of 30 more sensors. I suspect a
more linear scale is likely.
A more reasonable approach would probably be to consider the alert
rates in question and how many of them need to be looked at by a human
being. It would be generous to assume a human could qualify a
reasonably complex alert in 30 seconds. After that, it's simply a
matter of doing the math.
One analyst for 30 sensors might scale if those sensors had very low
alert rates. I don't think this is a sufficient model for staffing
analysts.
I'd determine what the alert rates are and of those alerts how many can
be qualified in post processing automatically.
- -Jeff
- --
The most technical single-track security conference in the West.
Vancouver B.C., Canada April, 2004 http://cansecwest.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (Darwin)
iD8DBQE/zMi+Eqr8+Gkj0/0RAp5nAKCMq6GEcP/PXK2cRLq1H4sogPXbgQCffrX2
zSbJLtF3SL17hDoIsInp4pU=
=7Kjq
-----END PGP SIGNATURE-----
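Worked example, added here as an editorial illustration and not part of Jeff's message or of the thread: the staffing math Jeff describes, carried through in Python against a constructed inventory of four sensors. The 30-second qualification time is Jeff's figure; the sensor names, alert rates, automated-qualification fractions, shift length and availability factor are all assumptions chosen for the illustration. The block also separates "seats at the screen" from head count, as the quoted reply asks, and compares both with the per-sensor ladder from the original question.

```python
import math

# Constructed sensor inventory (illustrative, not from the thread):
# (sensor name, raw alerts per day, fraction a post-processing rule set
#  can qualify without a human ever looking at the alert)
SENSORS = [
    ("dmz-web-1", 4000, 0.95),
    ("dmz-web-2", 3500, 0.95),
    ("internal-core", 800, 0.50),
    ("vpn-concentrator", 300, 0.30),
]

SECONDS_PER_ALERT = 30  # Jeff's "generous" time for a human to qualify one alert


def human_alerts_per_day(sensors):
    """Alerts left for a person after automated post-processing, summed over sensors."""
    return sum(rate * (1.0 - auto) for _, rate, auto in sensors)


def analyst_seat_hours_per_day(sensors, seconds_per_alert=SECONDS_PER_ALERT):
    """Screen time per day needed to look at every alert that still needs a human."""
    return human_alerts_per_day(sensors) * seconds_per_alert / 3600.0


def seats_at_the_screen(sensors, coverage_hours=24, seconds_per_alert=SECONDS_PER_ALERT):
    """Concurrent analysts needed so the queue does not grow over the coverage window.

    At least one seat is always staffed while coverage is provided at all.
    """
    hours = analyst_seat_hours_per_day(sensors, seconds_per_alert)
    return max(1, math.ceil(hours / coverage_hours))


def headcount(sensors, coverage_hours=24, shift_hours=8, availability=0.80,
              seconds_per_alert=SECONDS_PER_ALERT):
    """Bodies on payroll, not seats: seats x shifts per day x 7/5 (weekends),
    divided by an assumed availability factor for sick leave, vacation and training."""
    seats = seats_at_the_screen(sensors, coverage_hours, seconds_per_alert)
    shifts_per_day = coverage_hours / shift_hours
    days_factor = 7.0 / 5.0  # one person covers 5 of every 7 days
    return math.ceil(seats * shifts_per_day * days_factor / availability)


def rule_of_thumb(n_sensors):
    """The per-sensor ladder from the original question, for comparison only."""
    if n_sensors <= 5:
        return 1
    if n_sensors <= 15:
        return 2
    if n_sensors <= 50:
        return 3
    return 3 + math.ceil((n_sensors - 50) / 30)


if __name__ == "__main__":
    print(f"alerts needing a human per day : {human_alerts_per_day(SENSORS):.0f}")
    print(f"seat-hours per day             : {analyst_seat_hours_per_day(SENSORS):.2f}")
    for cov in (8, 24):
        print(f"{cov:>2}h coverage: seats={seats_at_the_screen(SENSORS, cov)} "
              f"headcount={headcount(SENSORS, cov)}")
    print(f"per-sensor rule of thumb for {len(SENSORS)} sensors: {rule_of_thumb(len(SENSORS))}")
```

With these constructed numbers, four sensors produce about 985 human-reviewed alerts a day, roughly 8.2 seat-hours: one seat suffices around the clock, but 24x7 coverage still needs six people on the roster, while the per-sensor ladder would have said one. Changing the automation fractions moves the answer far more than changing the sensor count does, which is the point Jeff makes.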