Open Source vs. Commercial Threat Intelligence Platform

Open source or commercial Threat Intelligence Platform (TIP)? This is a question I get asked quite a lot. While there is merit to both options, in my opinion the question itself is the wrong one to be asking. Whether you go open source or commercial should be the outcome you arrive at after weighing your requirements, not the question you start with.

So, what should you be considering in order to decide whether you should go open source or purchase a commercial Threat Intelligence Platform?

In this article, I will cover the two main aspects: commercial considerations and technical considerations. While this will not be an exhaustive list, it should give you some insight into the potentially non-obvious areas that warrant further research.

Commercial Considerations

For most organisations, the less money they have to spend the better it is for shareholders and investors, so when it comes to a TIP the option to use open source is extremely enticing compared to purchasing a commercial TIP. If an open-source solution can do what you need both now and into the future, then why not use it? However, open source can have its drawbacks.

On the surface the ROI looks like a net positive investment, but it is the hidden costs of maintaining and supporting the open-source software that can start to aggressively erode that return.

A commercial TIP, on the other hand, has an upfront cost, but the ongoing costs for support and maintenance are predictable. Generally speaking, a commercial TIP is an all-in-one solution, whereas replicating what a commercial TIP provides out of the box would likely take four open-source solutions: one for sharing, one for ticketing, one for reporting, and one to manage the threat intelligence itself. That means four different open-source solutions that need to operate and interact with each other, each of which you also have to maintain and support.

Some would argue that you could reduce that from four solutions to three or fewer, and technically you could, but you would still need to make sure that all of those open-source solutions integrate cleanly with each other and scale so that productivity is not impacted.

The cost to maintain and support open-source solutions from a CTI perspective can become expensive. In a world where most security functions are stretched beyond capacity and are struggling to recruit and retain talent, the additional burden of maintaining and supporting multiple open-source solutions is not an appropriate use of a threat intelligence analyst's time, and in turn the business's time. Not to mention the risk if the person maintaining these open-source solutions leaves the organisation: it may be hard to find someone with the necessary skills and experience to take them over. A commercial solution's support team, by contrast, can provide that support right off the bat.

Don't get me wrong, if you have the resources and the capability to support open source and it will meet your business objectives, then there is no argument from me. I am just bringing to the surface the things you should consider from a commercial perspective, because it is never as simple as open source being free.

You could look at hosted open-source solutions, but if you are going to spend money on a hosted open-source solution, then why wouldn't you consider a commercial TIP that can provide the support you need and bring you peace of mind? That said, there is no one-size-fits-all answer to the question of whether to use an open-source or commercial TIP. The best option for an organisation will always depend on its specific circumstances.

Technical Considerations

Where you are on your CTI journey will determine what you want to use a TIP for.

If you are just starting out and want to collect threat intelligence and send IoCs to your downstream systems to block (e.g. an IP address on your firewall), then how a TIP integrates with your environment and those downstream systems is going to be an important factor to consider.

Generally speaking, a commercial TIP is going to have integrations for the majority of enterprise systems that work straight out of the box. If an integration doesn't exist, then the TIP vendor should be able to build one for you.

A commercial TIP is also going to let you take advantage of evolving data models and standards and present that data in a way that is easy for threat intelligence analysts and stakeholders to consume. Being able to visualise data that is relevant to your organisation helps keep stakeholders updated and engaged.

Commercial TIPs tend to be at the forefront of innovation, as they have the investment and the incentive to improve and enhance their products. For a threat intelligence analyst, being able to easily search, track and identify potential threats without needing complex query language skills not only improves productivity but also lets the analyst focus on what matters most to the organisation.

Commercial TIPs also bring automation to the table to further improve productivity, automating mundane tasks such as importing structured data, exporting data to downstream systems and enriching data, or using browser extensions to ingest unstructured data relevant to a potential threat or adversary that an analyst is investigating.

In today's world, productivity and efficiency are key metrics of success, and with a commercial TIP these can be managed by defining scoring and expiration policies that are applied accurately and automatically, as well as by automatic ticket creation, tagging and data retention, straight out of the box.
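To make the scoring and expiration policies mentioned above concrete, here is an added example that is not part of the original post and does not reproduce any vendor's or open-source TIP's implementation. It assumes an illustrative per-type TTL, a per-source base confidence, linear decay of the score over the TTL and a block threshold of 60; the indicator values are constructed from documentation address ranges and a dummy hash. It shows the part a TIP does for you automatically: deciding which indicators are still actionable and exporting only those a downstream system (here, a firewall) can act on.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Expiration policy: how long an indicator stays actionable after it was
# last seen. These TTLs are illustrative assumptions, not any vendor's defaults.
TTL_BY_TYPE = {
    "ipv4": timedelta(days=14),      # addresses are recycled quickly
    "domain": timedelta(days=30),
    "sha256": timedelta(days=365),   # a malicious file hash rarely turns benign
}

# Scoring policy: base confidence (0-100) per source, also an assumption.
SOURCE_CONFIDENCE = {
    "vendor_feed": 80,
    "isac_share": 70,
    "osint_blog": 40,
}

BLOCK_THRESHOLD = 60   # score at or above which an indicator is pushed for blocking


@dataclass
class Indicator:
    type: str
    value: str
    sources: set
    last_seen: datetime
    tags: set = field(default_factory=set)


def score(ind: Indicator, now: datetime) -> int:
    """Combine best source confidence, corroboration and age into a 0-100 score."""
    base = max(SOURCE_CONFIDENCE.get(s, 20) for s in ind.sources)
    corroboration = 10 * (len(ind.sources) - 1)          # each extra source adds weight
    age_days = (now - ind.last_seen).days
    ttl_days = TTL_BY_TYPE[ind.type].days
    decay = int(40 * age_days / ttl_days)                 # linear decay across the TTL
    return max(0, min(100, base + corroboration - decay))


def is_expired(ind: Indicator, now: datetime) -> bool:
    """An indicator past its type-specific TTL is no longer actionable."""
    return now - ind.last_seen > TTL_BY_TYPE[ind.type]


def apply_policy(indicators: list, now: datetime) -> dict:
    """Tag each indicator 'expired', 'block' or 'monitor'; return value -> disposition."""
    dispositions = {}
    for ind in indicators:
        ind.tags -= {"expired", "block", "monitor"}      # policy tags are recomputed
        if is_expired(ind, now):
            disposition = "expired"
        elif score(ind, now) >= BLOCK_THRESHOLD:
            disposition = "block"
        else:
            disposition = "monitor"
        ind.tags.add(disposition)
        dispositions[ind.value] = disposition
    return dispositions


def firewall_blocklist(indicators: list) -> list:
    """Export only what a firewall can act on: IPv4 indicators currently tagged block."""
    return sorted(i.value for i in indicators
                  if i.type == "ipv4" and "block" in i.tags)


# Constructed sample data (documentation ranges and a dummy hash; not real threat data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Indicator("ipv4", "198.51.100.23", {"vendor_feed", "isac_share"}, NOW - timedelta(days=2)),
    Indicator("ipv4", "203.0.113.77", {"osint_blog"}, NOW - timedelta(days=10)),
    Indicator("ipv4", "192.0.2.10", {"vendor_feed"}, NOW - timedelta(days=20)),
    Indicator("domain", "malicious.example", {"isac_share", "osint_blog"}, NOW - timedelta(days=3)),
    Indicator("sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
              {"vendor_feed"}, NOW - timedelta(days=100)),
]

if __name__ == "__main__":
    for value, disposition in apply_policy(SAMPLE, NOW).items():
        print(f"{disposition:8} {value}")
    print("firewall blocklist:", firewall_blocklist(SAMPLE))
```

Run as is, the well-corroborated, recently seen address is the only one exported to the firewall: the single-source OSINT address scores too low, the address last seen 20 days ago has expired regardless of its original confidence, and the domain and hash are blocked but are not something a firewall IP blocklist can consume. Whichever platform you choose, these are the decisions it has to make on every indicator, on every refresh, without an analyst in the loop.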

On the other hand, an open-source solution could do what a commercial TIP does and may have the integration capabilities you need now and into the future, but if an integration isn't available, it falls to you or the community to build it.

If changes are made to one open-source solution, then you have to hope they don't break any of the other open-source solutions you run alongside it, or its integration with other downstream systems. This is why I believe that support for any solution should be near the top of your list when weighing up your options.

For a commercial TIP you have a dedicated support team, which can speed up time to resolution for any issues you experience, as well as push out new updates, bug fixes and features on a regular basis. You are probably thinking right now, "No sh1t, of course an employee of a commercial TIP is going to push for a paid solution". However, as somebody who has managed cyber security functions for critical infrastructure and national security operations for large enterprise, and consulted to many organisations both large and small, I have run into these challenges myself and have seen the impact both open-source and commercial solutions have had in organisations that are mostly stretched beyond capacity.

Having said that, if the community is wide enough then issues may get resolved in a timely manner, and updates, bug fixes and new features may be pushed out regularly, but you are relying on either yourself or the community banding together to maintain the platform.

Unfortunately, from an open-source TIP perspective, I don’t think the ecosystem is there yet.

The list could go on and on, but I wanted to at least highlight the main things to consider when deciding to invest in a TIP. By taking the above into consideration, you will be able to determine whether you should go down the path of an open-source or a commercial TIP.
