Cyber security tooling is a complex topic and we won't be covering all the ins and outs of tooling in this one post, but we can cover some core concepts to help you decide what you should implement based on a few factors.
Firstly you need to determine the model you are going to use. If you are looking to outsource your security to an MSSP (managed security service provider) then your tooling will be licensed, either fully managed via the third party or self managed with them providing the licence and some level of support. If you're looking at internally supporting your business's cyber security you do have some options.
Secondly you need to determine your time frames. If you're working towards a tight deadline, licensed tooling will be pretty quick to implement and should work pretty much "out of the box"; speed here is a key advantage. If your deadlines are longer and you have a tighter budget then open source could well be a good option.
While you can get licensed software for a specific goal, you will pay more for the fact that someone else has developed the content, rules and features of the solution. Open source will give you a platform and features that you can implement for a minimal cost, the cost mainly comprising hosting charges (whether on premise or cloud), the time and effort of configuring it to achieve your specific goals, and the maintenance going forward.
An example based on AWS Security:
As a comparison, without naming names, let's take two products, focusing on cloud security: one via a vendor who specialises in cloud security and another platform that is open source (they do have a licensed version that has some additional features, but the open source version works just fine).
Both systems are capable of 3 main points:
Ingesting Data
Analysing the Data
Notifying you of an alert of interest
The vendor solution (whether self managed or vendor managed) has a defined rule base and predefined dashboards, and is quick to deploy and set up. However, their current rule base has limitations for detection and isn't very intuitive to customise, so it can do some things very well and some things not very well, but the solution is the solution.
Now the open source solution... it's blank; vanilla would be too extreme a word to describe it. However this gives you flexibility and agility to develop and create, and it keeps your costs way down. So how fast is it at getting data into the solution? Pretty quick if you know what you are doing: its underlying architecture is Elasticsearch, Logstash and the application on top. Some integrations are also available directly for things such as CloudTrail, so bringing in CloudTrail logs can be very quick.
How did we set up our open source system for testing? An EC2 instance to run Elasticsearch, Logstash and the application. We stored CloudTrail logs and a few others for testing in an S3 bucket and used Logstash to consume the data as it's written. From here we decided not to use the standard json filter in Logstash as it didn't seem to be as granular with the data as we liked (breaking down the data allows for greater analysis of the logs and quick pivots!), so we reverted to grokking our own parsers.
Once the data was being ingested in a parsed manner, we could query the data, creating the graphs and metrics we wanted to visualise. We then decided to create some alerting rules for suspicious activity such as the "Root" user logging in, new IAM users being created/deleted, users accessing without MFA, etc. As we hosted in AWS we used SNS (Simple Notification Service) to deliver incidents to the relevant members of the team.
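As an added example (not code from the original post, and not from either product being compared), here is the parse-then-alert stage described above written in Python: it flattens CloudTrail records into the kind of separate, named fields a custom parser gives you, runs three rules over them (root console login, successful console login without MFA, IAM user creation/deletion), and shapes each alert as the Subject/Message pair an SNS publish call takes. The CloudTrail records, account id, IP addresses and user names are constructed for the example; the rule names, severities and the Alert fields are my own choices rather than anything the post prescribes.

```python
import json
from dataclasses import dataclass, asdict

# Constructed sample: the body of one CloudTrail file as written to S3 (after
# gunzip), i.e. a JSON object with a "Records" array. Account id, IPs and user
# names are made up for this example.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.10",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventTime": "2024-01-01T10:10:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "new-svc-account"}, "responseElements": None},
    {"eventTime": "2024-01-01T10:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "198.51.100.11",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "responseElements": None},
]})


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    event_time: str
    actor: str
    source_ip: str
    detail: str


def flatten(record: dict) -> dict:
    """Break one CloudTrail record into flat, named fields (the granularity a
    custom grok/json parse gives you), tolerating the nested objects CloudTrail
    leaves null on many event types."""
    ident = record.get("userIdentity") or {}
    resp = record.get("responseElements") or {}
    extra = record.get("additionalEventData") or {}
    req = record.get("requestParameters") or {}
    return {
        "event_time": record.get("eventTime", ""),
        "event_source": record.get("eventSource", ""),
        "event_name": record.get("eventName", ""),
        "source_ip": record.get("sourceIPAddress", ""),
        "identity_type": ident.get("type", ""),
        "actor": ident.get("arn") or ident.get("userName") or "unknown",
        "login_result": resp.get("ConsoleLogin", ""),
        "mfa_used": extra.get("MFAUsed", ""),
        "target_user": req.get("userName", ""),
    }


def _alert(ev: dict, rule: str, severity: str, detail: str) -> Alert:
    return Alert(rule, severity, ev["event_time"], ev["actor"], ev["source_ip"], detail)


def rule_root_login(ev: dict):
    """Any console login by the account root user is worth a look."""
    if ev["event_name"] == "ConsoleLogin" and ev["identity_type"] == "Root":
        return _alert(ev, "root-console-login", "high",
                      f"root login result={ev['login_result']} mfa={ev['mfa_used']}")


def rule_login_without_mfa(ev: dict):
    """Successful console login where CloudTrail did not record MFA being used."""
    if (ev["event_name"] == "ConsoleLogin" and ev["login_result"] == "Success"
            and ev["mfa_used"] != "Yes"):
        return _alert(ev, "console-login-without-mfa", "medium",
                      f"successful console login with MFAUsed={ev['mfa_used'] or 'absent'}")


def rule_iam_user_lifecycle(ev: dict):
    """IAM users being created or deleted."""
    if ev["event_source"] == "iam.amazonaws.com" and ev["event_name"] in ("CreateUser", "DeleteUser"):
        action = "created" if ev["event_name"] == "CreateUser" else "deleted"
        return _alert(ev, f"iam-user-{action}", "medium", f"IAM user {ev['target_user']} {action}")


RULES = (rule_root_login, rule_login_without_mfa, rule_iam_user_lifecycle)


def detect(cloudtrail_file_body: str) -> list:
    """Parse one CloudTrail file and return every alert the rules raise, in record order."""
    alerts = []
    for record in json.loads(cloudtrail_file_body).get("Records", []):
        ev = flatten(record)
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                alerts.append(hit)
    return alerts


def sns_message(alert: Alert) -> dict:
    """Shape an alert as the Subject/Message pair SNS publish takes (SNS subjects
    must be under 100 characters). With boto3 you would call
    boto3.client("sns").publish(TopicArn=TOPIC_ARN, **sns_message(alert))."""
    return {"Subject": f"[{alert.severity.upper()}] {alert.rule} by {alert.actor}"[:99],
            "Message": json.dumps(asdict(alert), indent=2)}


if __name__ == "__main__":
    for a in detect(SAMPLE_CLOUDTRAIL):
        print(sns_message(a)["Subject"])
```

Against the constructed sample this raises three alerts (root login, alice's login without MFA, and the CreateUser call) and stays quiet on the DescribeInstances record. In a real pipeline `detect` would sit behind whatever reads the gzipped files out of the S3 bucket, and the no-MFA rule is the one worth tuning first: federated and role-based console sessions do not carry an MFAUsed value the same way IAM users do.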
So with the open source solution we had ingested data, visualised the data, created alerting that mattered to us and routed those alerts to team members for investigation and response if required.
It was a great test to see if we could achieve the same detection and alerting capability of a licensed product via open source tooling with some time and effort and a small hosting charge.
As it's open source you can also expand it out to cover multiple elements; some areas we are playing with are resource inventory and audits using open source tools and integrating them into one platform, creating a one stop shop for monitoring and assessments for AWS!
Now, it wasn't as easy as it sounds; there was a lot more to it: creating user accounts, changing policies, grokking in full, configuring the data sources. There was a lot of work to achieve something that could have been deployed with a CloudFormation template from a vendor and been up and running in minutes.
So which solution was the best in the end?
Either, to be honest. If you outsource your solution to an MSSP who will manage the solution, alerting and response, then you will get a licensed product.
If you're looking to deliver a capability internally then it depends on your skill set in house; if you have a team that is skilled and knowledgeable then open source solutions could easily be a way forward. It will take more time to develop but will probably deliver you a more tailored, bespoke solution for your business.
Equally, if your chosen product discovers what you need it to and you can be up and running faster, but it potentially has some limitations or additional licence fees per feature, then licensed works well too!
In the end, open source gives you the ability to customise and define a product for your needs; however, there are loads of great licensed tools on the market, and the hardest job is finding good ones. Sales pitches never highlight the flaws in their products or any limitations, and if you do go for an MSSP their service will be based on the product, so make sure you find the right product for you and your business and then someone to manage it for you. That way you get what you need from the solution and therefore the service.