Connect with us

Hi, what are you looking for?


Threat Intelligence

From Open Source to Enterprise Ready: 4 Pillars to Meet Your Security Requirements

Open source is a great way to test the waters and define requirements. But when looking at putting a platform into production, an enterprise-ready solution will ensure you can keep up with business demands.

Threat intelligence Platforms

For organizations building a security operations practice, open-source tools are a great place to start. The software is often free to use so it’s a low-risk way for teams to dig into practice areas and associated technologies in order to better understand their requirements and needs. But when it’s time to put that capability into production, they quickly find the total cost of ownership (TCO) can far exceed the TCO of an enterprise-ready solution. This is especially true if it is a platform and core aspect of the security architecture versus just a tool. I gained experience in this realm during my time at Sourcefire, a company founded by my friend (and, full disclosure, ThreatQuotient Board member) Marty Roesch to take open-source Snort, one of the seminal tools of the security industry, and package it for the enterprise.

One of the aha moments with open-source security software, is when you determine you need the functionality and want to expand its utilization beyond an initial, small group of users, but realize deploying it for detection, investigation and response across your infrastructure is a bridge too far. It turns out that open-source software is good up to a point, but it really isn’t “free.” It takes significant resources, and thus cost, to uplevel it for the enterprise with the scalability, performance, manageability and support we’ve come to expect from a core platform in our arsenal of security solutions. To explore this further, let’s use threat intelligence platforms as an example.

There are several options for open-source threat intelligence platforms that allow the storing and sharing of indicators of compromise (IoCs) with other users. Each has its own utility as a tool. However, when you look at the full gamut of threats your organization faces and the different teams, workflows and tools required to detect and respond to threats, you can start to run into limitations as you try to use it more broadly as a platform.

1. Scalability: Data is a huge challenge when it comes to threat intelligence which consists of the internal telemetry, content and data created by each layer in our security architecture, and the millions of external threat datapoints analysts are bombarded with every day. Beyond open-source feeds, organizations also subscribe to sources including commercial, government, industry and existing security vendors, as well as frameworks like MITRE ATT&CK. Bringing in, storing and making sense of data in different formats and languages from different sources requires capacity and expertise. Unless the platform is enterprise ready, people have to become experts in integrating and normalizing that data to make it useable across the enterprise.

What’s more, on an ongoing basis there’s the responsibility to manage integrations as data sources are updated and new sources are added. There may be resources in the open-source community to help, but there’s no assurance that their availability and responsiveness will meet your needs.

2. Performance: It’s great to aggregate all that data within a central platform. But if it takes five or more minutes for a query, then that data isn’t very useful. When you’re hunting for threats or investigating an incident, speed and responsiveness are paramount. Now extrapolate the usage of threat intel to your workflows; if there are five steps and each step takes five minutes to complete, the queue becomes untenable. If the infrastructure can’t ingest, query, translate and act on intelligence at an appropriate rate, it isn’t really going to help streamline workflows and improve your security.

3. Management: Stepping back and looking at the platform as the hub of your security operations, it becomes abundantly clear that enterprise-ready management capabilities are also important. In addition to industry-standard interfaces for integration, the platform should include an extensive ecosystem of pre-built integrations along with easy-to-use APIs to add others.

A software development kit (SDK) and low-code/no-code interfaces provide flexibility so teams with varying skill sets can customize dashboards, visualizations and configuration capabilities to align with their workflows and processes. An enterprise-ready threat intel platform manages and enriches threat intelligence for users so that they can operationalize data seamlessly and derive value quickly.

Advertisement. Scroll to continue reading.

4. Supportability: Finally, if you’re going to put a platform in your production environment you need someone you can call when things go wrong. Any glitch can impact more than that solution because security infrastructure is now highly integrated. Threat hunts, investigations and incident response playbooks can come to a standstill when you have trouble getting the right data at the right time to the right teams and tools. Having someone to call, backed by SLAs, gives you peace of mind to put the system into production.

Training and certifications are also important. Getting users up to speed quickly, simplifying onboarding when there is turnover or as your team grows, and encouraging utilization of more advanced capabilities pave the way for success. Not to mention, you become part of a community of other enterprise customers who share your stringent requirements for selecting products. By extension, you have an opportunity to share threat intelligence, best practices and key learnings with these peers.

When it comes to cybersecurity offerings, it’s not a matter of open source or enterprise ready. It’s both. Open source is a great way to test the waters and define your requirements. But when looking at putting a platform into production, an enterprise-ready solution will ensure you can keep up with the demands of the business, today and in the future, and at a lower TCO.

Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Former DoD CISO Jack Wilmer has been named CEO of defensive and offensive cyber solutions provider SIXGEN.

Certificate lifecycle management firm Sectigo has hired Jason Scott as its CISO.

The State of Vermont has appointed John Toney as the state’s new CISO.

More People On The Move

Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...


The top five categories of Bad Bot attacks are fake account creation, account takeovers, scraping, account management, and in-product abuse.


Deepfakes, left unchecked, are set to become the cybercriminals’ next big weapon

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Threat Intelligence

A new research report discusses the five most exploited vulnerabilities of 2022, and the five key risks that security teams should consider.