We are sometimes asked to compare our threat detection and response solutions to those custom assembled by security experts using various open source products. With a wide array of quality point solutions available, it’s natural to consider whether a combination of best-of-breed open source solutions can be a better option for a particular organization, rather than an integrated commercial solution.
To start with, RSA is a big fan of open source software and open source threat intelligence, participating in the security sharing process. This collaborative tradition is strong in the security space, as we all battle the same adversaries to protect our organizations, and to keep the internet as safe as possible for everyone.
In practical terms, this is a classic “build vs. buy” choice, and boils down to an organization’s preferences, available skills, and risk tolerance. While strong solutions are possible with either choice, the differences are important to understand.
- Preferences Some organizations are very comfortable with open source software. They’ve typically built up skills specific to the open source software model, particularly community- and self-support, along with a full understanding of the various licenses including GPL. Other organizations are more comfortable with commercial software, or even actively prefer that approach. For these organizations, the availability of support, predictable upgrades, and lifecycle guarantees offsets potential license savings. Many have explicit rules about this in their governance, risk, and compliance (GRC) playbooks.
- Available Skills The availability of deep security and integration skills – and the ability to retain them – is an important factor in choosing between custom integration and a commercial platform. If your organization’s skill set is strong and stable, you may feel comfortable integrating different technology for logs, packets, endpoint, and netflow, and possibly separate analysis and remediation tools. Remember that this is not a one-time event, but a continuous process of maintaining integration and adding capabilities as they become available. In the case of a commercial threat detection and response platform, the integration is managed by the vendor. This frees up resources to focus on the threat hunting activity. Furthermore, in the case of RSA offerings, the threat hunting activity can be easily split between analysts of differing skills, making everyone much more productive. Lastly, interoperability with various SIEMs, IPSs, firewalls, etc., is maintained by the vendors so customers don’t need to worry about it.
- Risk Tolerance For organizations that integrate security strategy with business strategy, IT risk is an important category. Breaches have a potentially huge negative impact, and are appropriately weighted in most risk programs. For the open source version, there are additional risks that must be evaluated. Among these are the continued availability of high-level skills required to manage and maintain the solution. You’ll also want to consider the stability of projects underlying the components used, and the availability of suitable alternative components – as well as the effort required to replace and integrate that component. For a commercial platform, the stability and maturity of the vendor, both from technology and business perspectives, defines the risk in adopting it. Commercial support systems lower the risk of a catastrophic outage, as do support SLAs and the existence of professional services, including incident response support.
So the choice is ultimately dependent on the organization making the decision. If done really well, a custom-integrated solution can be effective. However, with that choice you have to possess (and retain) the skills to do it. In addition, you make yourself dependent on multiple projects/vendors, increasing the risk that one may cease to maintain a solution, or fail altogether.
Our approach is to integrate across our RSA offerings so customers don’t need to worry about that part, and to interoperate with any component a customer chooses to use in place. A common example is a customer adding RSA threat detection and response components to its existing SIEM solution. In this instance the analysis and detection takes place in the RSA framework, so you still get all the benefits of integration.
One good piece of advice for anyone considering a threat detection and response solution – really for any IT decision – is to look out five years into the future, and consider changes that may impact your organization. Certainly internal considerations, such as maintenance of employee skills and organizational risk tolerance, will be important. It’s also critical to evaluate the probability that technology partners will continue to support your activities at a predictable and professional level. Remember that security is a process, not an event. When you choose something as critically important as a threat detection and response solution, you need to treat it as an ongoing commitment. It’s important to choose wisely.
Learn more about our threat detection and response capabilities in RSA NetWitness® Suite, as well as our participation in the security sharing process through RSA® Live and Live Connect, RSA® Link and RSA® Research threat intelligence sharing.