As a member of a maturing security team evaluating threat intelligence platforms (TIPs), you may be asking yourself whether you should use an open source solution like MISP or buy a TIP from one of the many vendors offering solutions.
According to Dan Cole, director of product management at ThreatConnect, the first and fundamental question you need to ask is: what are you actually hiring the TIP to do?
"I’d like to draw a comparison to buying a car," said Cole. "You might do some research into a car’s features such as its safety rating, sound system and whether it is economical. These are all important qualities to have in a car.
"But the problem is, by only concentrating on the features you are missing out on why you’re buying the car in the first place. Is it to get the kids to soccer practice? To survive the ultimate road trip out into the wilderness? Or do you want a super expensive car to use to show off to the other partners at the firm?" said Cole.
Deciding why you’re buying the car is far more important than its features. And if you don’t have a good answer to the question ‘Why am I buying a TIP?’, then it’s going to be much more challenging to decide between open source and commercial options.
What are you hoping to achieve with a TIP?
Some of the reasons why an organisation might be contemplating buying a TIP include:
Centralising all of your feeds and data in one place
Figuring out which threats are really relevant to your team
Sending the right intelligence to your detection and defence devices
"If you’re in the market for a TIP then you’re likely to want it to do a mix of all three. But the question you have to ask yourself when evaluating a TIP is: how effective will it be at helping me achieve my aims?"
Each area comes with its own challenges. Take centralising all of your data in one place, for example. "Data often arrives in different formats and so you need to be able to adapt and convert the data into a common language before it can be centralised," said Cole.
There are also challenges associated with ascertaining which threats are relevant: "If you’re bringing in a million indicators you might face challenges in collaboration. If you have ten team members working on all that data, how do you know who’s responsible for what?" said Cole.
"And finally, when it comes to the stage of sending the right intel to your detection devices you’re going to face a lot of the same problems you faced bringing data in," said Cole. Different defensive devices are going to require the data to be delivered in different formats, and many have bespoke setups.
The true costs of open source TIPs are difficult to predict, and many organisations underestimate the range of considerations involved in deploying these systems and keeping them operational.
"Upfront costs of an open source TIP are going to be lower, but the longer-term costs will be higher because you’re responsible for supporting it yourself," said Cole.
But it goes beyond costs and support to the DNA of the system, Cole explains. "Commercial threat intelligence platforms will generally have been built with a particular purpose in mind; open source solutions tend to be more open ended, usually produced as part of collaborative projects. It can often be a case of too many cooks in the kitchen," said Cole.
The costs of a commercial TIP vary widely. Many vendors charge a flat fee plus extra fees for additional services such as ongoing support, while others offer packages based on your maturity and appetite, "which is a good pricing model because it means you’re only going to pay for what you’re going to use".
"Although a commercial source will cost more upfront, the ongoing support received is a major benefit. For example, at ThreatConnect we have an entire team dedicated to managing the threat posed by the shifting APIs and to keeping all those different integrations up to date," said Cole.
A key consideration when choosing a TIP is the level of customisation achievable.
"In theory, an open source platform should be easier to customise, but it’s not just a case of which platform is more customisable, it’s a question of, do you, as a specific organisation, have the skills to customise it. It might require so much coding and development that you’ll basically be building your own bespoke platform – which is incredibly costly in terms of time and resources.
"When it comes to customising a commercial solution, the best ones will have been designed in a way that will allow you to make the changes that you need. For example, you’ll be able to add things to the data model, customise how they work and adapt the data to be delivered in the right way for your organisation," said Cole.
Organisations often underestimate the risks involved with open source TIPs.
"By using community support platforms an organisation is exposing itself by referencing its infrastructure, what tools it’s using and the like," said Cole.
"A commercial TIP, however, helps create proactivity by integrating with the right tools and by organising information as real world threats, incidents, and victim assets as opposed to just indicators and logs. A proper TIP encourages analysts to compile data and monitor it in ways that can be responded to, for example by modeling adversaries and tracking them, so that newly developed adversary infrastructure can be identified and dealt with immediately," said Cole.
The full Q&A discussion between ThreatConnect's Dan Cole and SC Media UK's Tony Morbin is available to listen to.