What's the best way to address security technology improvements on a limited budget? We want to refresh some older technologies and ideally move toward SIEM (security information event management) or another threat data correlation product, but it is difficult on a tight IT security budget. We're also considering some open source options. What's the best approach for deciding when to use free and open source security tools versus investing in commercial security products?
I haven't met the information security team yet that has told me it has the budget it wants. Everyone seems to be living by the "do more with less" mantra these days. Luckily, there is a wealth of capable, open source tools available to supplement commercial tools when your budget is tight. There is no tried-and-true method for determining whether to choose a commercial versus open source tool. However, there are some things to keep in mind.
Open source security tools are usually just as technically capable as their commercial counterparts. The main difference is in the ease of configuration and updating. Open source tools can have steep learning curves and change quickly, whereas commercial tools have friendly configuration interfaces and support agreements to back them up.
If your security team lacks the technical skill required to configure and maintain an open source tool, consider a commercial tool. I also advise using commercial tools in high-risk situations where support is critical and uptime is key, unless the security team can provide that same level of support. I often layer my defenses with both commercial and open source tools. This provides defense-in-depth (multiple defensive layers attackers must penetrate) and allows my team to learn the open source tools in a low-risk environment.
Several standout open source security tools exist that should be on your short list for evaluation. OSSIM is one of the more popular and mature open source SIEMs. Dating back to 2003, it supports log formats from almost any network device and integrates well with open source IDS and vulnerability assessment tools. It also has an upgrade path to the commercial version should you need more support. If you don't have time to configure something as complex as OSSIM, Security Onion is another invaluable tool. Security Onion is a Linux distribution based on Ubuntu that includes everything necessary for building a distributed IDS/IPS sensor network that feeds into a central database. It doesn't import logs from existing network devices but is the fastest way to build a centralized alerting system using open source or even proprietary tools.