Micro Focus is now part of OpenText. Learn more >

You are here

You are here

Is an open-source SOC right for your organization?

public://pictures/Robert-Lemos-Technology-Journalist-Lemos-Associates.jpg
Rob Lemos Writer and analyst
 

On paper, creating a security operations center (SOC) based on open-source tools is very attractive. Companies gain a variety of necessary cybersecurity capabilities without relying on proprietary technology, with very few up-front costs and with no licensing fees.

The economies of open source have worked well for other technology disciplines. Software development, for example, has mostly embraced open-source components, with about 70% of application code coming from open-source projects, according to the Open Source Security Risk Assessment report published by software security firm Synopsys.

Yet SOCs have evolved differently. Because most security analysts are not programming their own infrastructure, requiring them not only to learn and manage, but to also further develop open-source security tools, can be a stumbling block for many companies.

Nonetheless, benefits of the technology can be significant—for the right organization. Here are the upsides and downsides of an open-source SOC.

1. Learn security by hacking the tools

For companies that have infrastructure developers who either know security or do not mind learning about it, open-source tools can be a boon. Not only does the creation of an open-source SOC develop in-house expertise, but companies also gain more control over the final systems and can more easily and quickly implement changes.

Universities are typically good places to implement open-source SOCs because the security tools themselves can be learning opportunities for cybersecurity students and because an academic institution's requirements are often different from a business's, said Daniel Basile, chief information security officer of the RELLIS campus of the Texas A&M University System.

"It is absolutely something that you should dabble in—it is a great learning resource for people that want to get into this industry. You need a skilled workforce that is going to cost you a bit more, and you have to worry about them leaving, but if you are OK with that, it could work out better for you."
Daniel Basile

2. Small, agile companies with technical developers could benefit

What goes for students in a university SOC applies equally well for employees at companies willing to invest time and effort into creating an open-source SOC. Smaller companies that do not have the capital to invest in expensive licenses and products can have not only a cheaper solution, but one that forces employees to learn more about security as well.

Such companies also have a path to grow. In many cases, the creators of an open-source tool establish a security company to manage the tool and extend it to enterprises. A common path is for smaller firms to benefit from the tool and upgrade when their needs grow.

"Smaller companies tend not to have giant budgets, and a lot of these tools are expensive," said Richard Chitamitre, a federal technology sales engineer at Corelight. The open-source core of Corelight's products is a well-known network security monitoring tool known as Zeek.

Not so much for bigger teams. 

"Creating a SOC based on open source takes a lot of effort, [because of the required] manpower to manage those tools. The majority of the companies that I have seen or worked for do not have that."
Richard Chitamitre

3. Beware of the 'strugglebus'

In 2014, Etsy moved its security log collection and analysis from Splunk to the open-source trio of technologies known as the ELK stack (the distributed search engine Elasticsearch, the log aggregation software Logstash, and the data-visualization front end Kibana). The process took a year, Ken Lee, a senior product security engineer at Etsy, told Def Con attendees during a 2016 talk.

Among the issues that the company had to deal with were performance-impacting bugs, usability worries from the security team, and a lack of features that are usually included in commercial products. For example, a bug in the driver for Samsung solid-state drives (SSDs) caused a lot of instability for Etsy's security cluster, and the company had to work around the lack of a security scheduling feature.

Lee calls the effort a ride on the "strugglebus."

"We learned a lot of good lessons from the migration process, and we got a bunch of great tools out of it. But it was not a super-easy road to go down."
Ken Lee

4. More reliance on employees

Using open source in the SOC means that companies will, by necessity, rely more on the expertise that their employees develop, which raises the fear of the employees leaving for greener pastures. Cybersecurity skills paired with infrastructure development expertise are a valuable commodity, said Corelight's Chitamitre.

"Security talent is in very high demand. And that highlights the pros and cons of an open-source SOC—it can be done, but the cost is diverted from tools to people, and these days, talented people are hard to come by."
—Richard Chitamitre

5. Know the tools and join their development

Almost every facet of a SOC has an open-source offering. Some are entry-level tools now managed by a security company that has a more feature-rich paid tier, while others are long-standing open-source projects supported by a dedicated community.

Here are just a few:

  • Aggregation, search, and visualization: Elasticsearch-Logstash-Kibana
  • Issue and incident tracking: TheHive, Bugzilla, Mantis, RedMine
  • Vulnerability assessment: OpenVAS, Nessus
  • Penetration testing tools: Kali Linux, Metasploit
  • Network monitoring: Suricata, Snort, Zeek
  • Endpoint detection and response: OSSEC, Wazuh

Overall, an open-source SOC is achievable with current tools available through open-source projects and managed by cybersecurity companies. Working with open source reduces capital costs and helps train employees in security, but the approach also increases the cost of the SOC staff and generally requires a long lead time for initial development and integration.

Texas A&M's Basile said you need to be aware of the total cost of ownership. 

"Open-source tools require a lot more hand-holding and a lot more care and feeding. So you need to be ready to have a dedicated team to keep those tools operational."
—Daniel Basile

Keep learning

Read more articles about: SecurityInformation Security