What Are Some of the Challenges You Have Faced When Looking into UTM IDP Systems?

This question is a great soapbox opportunity for you. The challenges you faced are probably similar to
the ones the prospective company faces. Here are the top five challenges:

❑ Right people: Finding the right people is an obvious benefit. This is why they are looking at you as a candidate. Bring up information on building a team. Put yourself in the interviewer’s position and imagine what you would expect.

❑ Regulatory drivers: With regulations such as Sarbanes-Oxley and HIPAA, companies have a responsibility to protect customer data as well as employee data. Companies also need to know whether and when their customer data was compromised.

❑ Right policy: Determining a good working policy and limiting false positives is a challenge either the company faces today or you will face when you land the job. Reference your experience with tuning. Mention your experience with customizing IDP policy and the consequences it had, such as the time you enabled all attack signatures in your policy to catch all events, shooting the incidence of false positives through the roof. Mention how you have spent time and resources analyzing false positives and how this created a greater chance of becoming desensitized to true attacks.

❑ Product concerns: Whether the organization has an existing IDP or relies on you to bring one in, determining the right IDP for an organization is a challenge. Mention experience with the product lifecycle. Recall experience drawing up system requirements, product selection, and budgeting. The real purpose of the IDS is to give network administrators a view into their network. It gives them a sense of what traffic is coming and going. But as with many security products, it also gives a false sense of security. Investments in the initial deployment of IDP equipment are made, but little is done to sustain the operation.

❑ Incident response: Companies frequently grapple with how to respond to a network incident. Bring up your expertise in establishing incident response procedures. Mention that it is critical to have an established response that is agreed to by upper management. Note how you will review the procedure and look to improve it on a periodic basis.