After finishing the wave of research that covered pentesting, monitoring use cases, SOAR and TI, I’m excited to start research for a net new document on a topic rarely covered in Gartner research: open source tools! The intent is to look at the most popular open source tools used by security operations teams out there, things like the ELK stack, Osquery, MISP and Zeek. What I’d like to cover in this new paper is:
- Why is the tool being used? Why not a commercial alternative?
- How is it being used? What is the role of the tool in the overall security operations toolset, what are the integrations in place?
- How much effort went into implementing the tool? What about maintaining it?
- Is it just about using the tool, or is there some active participation in its development as well?
- What are the requirements to get value from this tool? Skills? Anything specific in terms of infrastructure or processes?
It is a fascinating topic, which brings a high risk of scope creep, so the lists of questions to be answered and tools to be covered are still quite fluid.
In the meantime, it would be nice to hear stories from the trenches: what are you using out there? Why? Was it picked just because it was free (I know, TCO, etc., but the software IS free...)? Or is it a cultural aspect of your organization? Do you believe it is actually better than the commercial alternatives? Why?
Lots of questions indeed. Please help me provide some answers 🙂
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.
2 Comments
I did some research on the topic in 2016; it’s in Russian, but at least you can use the English table from there: https://www.itweek.ru/foss/article/detail.php?ID=182501
Also, I used OSS when I worked in a Fortune 500 Oil & Gas company and in an MSSP. Let’s say there are 4 pros and 4 cons (enough for a comment, but we could discuss more).
Pros:
1) We avoid the slow and sometimes frustrating procurement process, as well as the corporate architecture committee (sometimes) and so on, so our TTM could be small.
2) We change our cost driver from vendor to workforce, and in some countries the workforce is much cheaper to use (e.g. India?, China?, Russia, Ukraine). Also, that is a more agile way to manage costs for an MSSP.
3) We could do quasi-development without developing everything from zero (and we avoid the battle for dev talent) and get the features we really need faster.
4) OSS is mostly Unix-based, so its deployment and management can be automated a lot.
Cons:
1) OSS sometimes consumes an enormous amount of compute and storage resources (e.g. the TCO of an Elastic-based data lake could be higher than Splunk’s because of data storage requirements).
2) Our TTM could be really huge, since almost all the content is going to be developed.
3) When done in production, we have to use DevOps practices and manage an entire fleet of CI/CD servers with Dev/Test/Prod/Demo (for an MSSP) environments, making complexity paramount for even moderate-scale services. And we would start to compete for DevOps guys, who could be harder to find and want higher salaries than security ones. BTW, even security guys have to know Linux and some scripting languages to operate OSS-based services, for instance in a SOC.
4) We have nobody to blame (very important in a corporate setting).
And all that from a position where I already have dozens of qualified candi
OSS used: OTRS, Elastic+MISP (and all possible stuff around that).
This was extremely useful, Alex, thank you!