Snort thread run an active discussion on topic “ROI on IDS/IPS products”. The one who initiated the discussion asked the question about how to measure the ROI (return of investment) on IDS/IPS products, by giving an example that a company removed their IPS deployment after 2-year of usage because the return didn’t justify the cost of maintenance and personnel.

It is interesting that someone compared the money spent on IPS with the car insurance. It is true that there is no quantitative way to calculate the ROI for either of these two models. But I also think that they are different in that, for car insurance, the insured pays a small amount of money to cover a potentially much bigger loss and the cost is shared by the community; in the case of IPS, the customers pay the price specifically for the device and service they buy and deserve to ask for the quality that the vendor claims.

Certainly, the customer should not expect IPS can solve all security issue in the network. IPS should be one building block of the whole defense-in-depth strategy. Other products like firewall, anti-virus, patch-management and identity-management system also play important roles in this strategy.

On the other hand, IPS has its own problems. It is an industry consensus that IPS is not a device that you can leave in the basement and never touch again. To make it really useful, continuous monitoring and updating are required. This is partly because IPS is dealing with applications which is way more complicated, flexible and dynamic than TCP/IP level protocols that router/switch works on.

On the positive side, IPS technology has reached the stage that, some products do provide great configurability, extensive reporting and analysis tools and, most important, much improved stability and quality. False-positives are greatly reduced through intensive research efforts. Fine-tuning the products has become much easier for the administrators, so that IPS can be relied on to play its role in the network.