For organizations building a security operations practice, open-source tools are a great place to start. The software is often free to use so it’s a low-risk way for teams to dig into practice areas and associated technologies in order to better understand their requirements and needs. But when it’s time to put that capability into production, they quickly find the total cost of ownership (TCO) can far exceed the TCO of an enterprise-ready solution. This is especially true if it is a platform and core aspect of the security architecture versus just a tool. I gained experience in this realm during my time at Sourcefire, a company founded by my friend (and, full disclosure, ThreatQuotient Board member) Marty Roesch to take open-source Snort, one of the seminal tools of the security industry, and package it for the enterprise.
One of the aha moments with open-source security software, is when you determine you need the functionality and want to expand its utilization beyond an initial, small group of users, but realize deploying it for detection, investigation and response across your infrastructure is a bridge too far. It turns out that open-source software is good up to a point, but it really isn’t “free.” It takes significant resources, and thus cost, to uplevel it for the enterprise with the scalability, performance, manageability and support we’ve come to expect from a core platform in our arsenal of security solutions. To explore this further, let’s use threat intelligence platforms as an example.
There are several options for open-source threat intelligence platforms that allow the storing and sharing of indicators of compromise (IoCs) with other users. Each has its own utility as a tool. However, when you look at the full gamut of threats your organization faces and the different teams, workflows and tools required to detect and respond to threats, you can start to run into limitations as you try to use it more broadly as a platform.
1. Scalability: Data is a huge challenge when it comes to threat intelligence which consists of the internal telemetry, content and data created by each layer in our security architecture, and the millions of external threat datapoints analysts are bombarded with every day. Beyond open-source feeds, organizations also subscribe to sources including commercial, government, industry and existing security vendors, as well as frameworks like MITRE ATT&CK. Bringing in, storing and making sense of data in different formats and languages from different sources requires capacity and expertise. Unless the platform is enterprise ready, people have to become experts in integrating and normalizing that data to make it useable across the enterprise.
What’s more, on an ongoing basis there’s the responsibility to manage integrations as data sources are updated and new sources are added. There may be resources in the open-source community to help, but there’s no assurance that their availability and responsiveness will meet your needs.
2. Performance: It’s great to aggregate all that data within a central platform. But if it takes five or more minutes for a query, then that data isn’t very useful. When you’re hunting for threats or investigating an incident, speed and responsiveness are paramount. Now extrapolate the usage of threat intel to your workflows; if there are five steps and each step takes five minutes to complete, the queue becomes untenable. If the infrastructure can’t ingest, query, translate and act on intelligence at an appropriate rate, it isn’t really going to help streamline workflows and improve your security.
3. Management: Stepping back and looking at the platform as the hub of your security operations, it becomes abundantly clear that enterprise-ready management capabilities are also important. In addition to industry-standard interfaces for integration, the platform should include an extensive ecosystem of pre-built integrations along with easy-to-use APIs to add others.
A software development kit (SDK) and low-code/no-code interfaces provide flexibility so teams with varying skill sets can customize dashboards, visualizations and configuration capabilities to align with their workflows and processes. An enterprise-ready threat intel platform manages and enriches threat intelligence for users so that they can operationalize data seamlessly and derive value quickly.
4. Supportability: Finally, if you’re going to put a platform in your production environment you need someone you can call when things go wrong. Any glitch can impact more than that solution because security infrastructure is now highly integrated. Threat hunts, investigations and incident response playbooks can come to a standstill when you have trouble getting the right data at the right time to the right teams and tools. Having someone to call, backed by SLAs, gives you peace of mind to put the system into production.
Training and certifications are also important. Getting users up to speed quickly, simplifying onboarding when there is turnover or as your team grows, and encouraging utilization of more advanced capabilities pave the way for success. Not to mention, you become part of a community of other enterprise customers who share your stringent requirements for selecting products. By extension, you have an opportunity to share threat intelligence, best practices and key learnings with these peers.
When it comes to cybersecurity offerings, it’s not a matter of open source or enterprise ready. It’s both. Open source is a great way to test the waters and define your requirements. But when looking at putting a platform into production, an enterprise-ready solution will ensure you can keep up with the demands of the business, today and in the future, and at a lower TCO.
