What's the best way to address security technology improvements on a limited budget? We want to refresh some older technologies and ideally move toward SIEM (security information event management) or another threat data correlation product, but it is difficult on a tight IT security budget. We're also considering some open source options. What's the best approach for deciding when to use free and open source security tools versus investing...
in commercial security products?
Ask the Expert!
Got a vexing question on information security management for Joseph Granneman? Ask your enterprise-specific questions today! (All questions are anonymous.)
I haven't met the information security team yet that has told me it has the budget it wants. Everyone seems to be living by the "do more with less" mantra these days. Luckily, there is a wealth of capable, open source tools available to supplement commercial tools when your budget is tight. There is no tried-and-true method for determining whether to choose a commercial versus open source tool. However, there are some things to keep in mind.
Open source security tools are usually just as technically capable as their commercial counterparts. The main difference is in the ease of configuration and updating. Open source tools can have steep learning curves and change quickly, whereas commercial tools have friendly configuration interfaces and support agreements to back them up.
If your security team lacks the technical skill required to configure and maintain an open source tool, consider a commercial tool. I also advise using commercial tools in high-risk situations where support is critical and uptime is key, unless the security team can provide that same level of support. I often layer my defenses with both commercial and open source tools. This provides defense-in-depth (multiple defensive layers attackers must penetrate) and allows my team to learn the open source tools in a low-risk environment.
Several standout open source security tools exist that should be on your short list for evaluation. OSSIM is one of the more popular and mature open source SIEMs. Dating back to 2003, it supports log formats from almost any network device and integrates well with open source IDS and vulnerability assessment tools. It also has an upgrade path to the commercial version should you need more support. If you don't have time to configure something as complex as OSSIM, Security Onion is another invaluable tool. Security Onion is a Linux distribution based on Ubuntu that includes everything necessary for building a distributed IDS/IPS sensor network that feeds into a central database. It doesn't import logs from existing network devices but is the fastest way to build a centralized alerting system using open source or even proprietary tools.
Dig Deeper on Security Event Management
Related Q&A from Joseph Granneman, Security Management
An IT security governance board is a key feature in security budgeting, but who makes up this body? Expert Joseph Granneman outlines the best ...continue reading
The security data breach public response times from Target and Neiman Marcus were noticeably different. Expert Joseph Granneman explains which one ...continue reading
Security staffing can be tricky, but talent can be found in unconventional places. Expert Joseph Granneman explains the pros and cons of hiring data ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.