A Tip for your TIP: Forget the Commercial - Open-Source Split

Data never rests and neither do the bad guys. Each day, more than 3.7 billion people use the internet, creating some 2.5 quintillion bytes of data. And each day, defenders are locked in battle against wave after wave of attackers trying to steal or access that information for their own nefarious aims.

While we can’t expect anything resembling “peace in our time” - at least for the foreseeable future - businesses can reduce their exposure to attack by marshalling the best intelligence possible about their adversaries.

That’s why the threat intelligence market is expected to more than double to $12.9 billion by 2023 to and also why growing numbers of businesses have made a threat intelligence platform (TIP) a key element of their enterprise security strategy.

TIPs offer invaluable help to threat intelligence teams and the analysts working in Security Operations Centers by essentially serving as the hub for information aggregated from the different sources and tools that an organization uses to track and manage cyber incidents and threats.  

A TIP will streamline the often-unwieldy process of data collection by automatically collecting and normalizing data from multiple sources and formats. So instead of taking a hit-and-miss approach, analysts can make efficient decisions based on shared information gleaned from data streamed from different parts of the company flowing into a central repository or dashboard.

This both saves time by making better use of scarce resources while reducing enterprise risk by helping to answer questions such as: Which alerts should I prioritize? Is this an artifact of a targeted attack? Who's attacking me? The upshot is a deeper, more complete understanding of the threats against the organization and a valuable leg up in the escalating competition with the bad guys.

Commercial or Open-Source?

As organizations approach the question of how to equip themselves with their own TIP they can choose among both commercial and, increasingly, open-source alternatives. There’s no single “best” solution. The choice depends solely upon each company’s approach to using intelligence in light of unique requirements, capabilities and vision.

In a commercially-driven model, an enterprise will set up a development organization to create their own proprietary TIP offering; enhancing it on a regular basis with capabilities they determine will drive the greatest customer value, and hence the greatest revenue.

By contrast, the open-source TIP projects are created and supported by a collaborative community that develops new functionality prioritized by its members and making it available to anybody who wants to use it at no cost. Ideally, these users join the community and collaborate to help further enhance and develop the open-source project.

There are a couple of trade-offs here. First, the pace of enhancements is dependent upon the vibrancy of the community.  Second, although there are no licensing costs, deployment will typically require some internal technical resources.  

Again, there is no “better” choice here. The TIP market is relatively new and as adoption grows, you’ll see organizations choosing one approach over the other - just as you do with any recent technology adoption.

Don’t get hung up on the commercial/open-source split. Choose the approach that's best for you. We’re happy to support either.

In fact, the ultimate determination of success depends more on the inputs than the provenance of the technology. Without the proper intelligence content, a TIP by itself is of no value.

Think about it this way. A TIP is like any data analytics tool; the quality of what you’re going to get out of it is going to be proportional to what you put in. If your data sources are inappropriate, inadequate or of poor quality, it matters little that you have an excellent threat intelligence platform and really great human analysts. You’ll still struggle to get actionable operational intelligence because the system will just send your analysts down rabbit holes searching for non-existent, irrelevant or old threats. (Here are some recommendations I recently pulled together to help avoid those – and other - potential pitfalls.)

At the end of the day, what we're trying to do is enhance our customers' security posture and make it easier for security teams to use intelligence and keep their enterprises safe. This is where Symantec can step in to provide the broadest, most in-depth, timely, and accurate intelligence content.

It's not our ambition to dictate how your organization uses intelligence, but to support you each step of the way as your intelligence program matures. Ultimately, the road you choose is going to be less important than the effort you put in to achieve the overarching goal of implementing an intelligence driven security strategy.