Monday, June 06, 2005

DIY Security with Open Source

This morning I received word of a new SANS Webcast titled What Works in Intrusion Detection Systems. The introductory paragraph for the announcement starts with these two sentences:

"The days of do-it-yourself security using free software have passed. There is broad understanding among CIOs and CISOs that an effective cyber security program cannot be implemented without commercial technology and services."

As you might expect I strongly disagree with this claim. I was disappointed to see these sentiments expressed in an announcement about IDS sponsored by Sourcefire! The introduction appears to be standard SANS boilerplate, however. You can see the same paragraph in the SANS What Works in Intrusion Prevention: Using Multi-Function Low-Cost Appliances and What Works in Business Transaction Integrity Monitoring announcements, among others.

I find it sad that SANS would advocate this anti-open source stance. I never saw SANS teach commercial products at my first SANS conference in 1999, nor at the first SANSFIRE track I attended in 2001, nor in the intrusion detection tracks I attended in 2000 and taught in 2002 and 2003.

I believe there are places inside the enterprise where open source may not be as suited or as capable as proprietary software. Some people cannot live without Microsoft Active Directory. Mounting directories over NFS isn't quite the same as using Microsoft's protocols. In some security applications proprietary solutions are more full-featured. CORE IMPACT comes to mind. However, I believe most small to medium, and even many large, enterprises could operate securely using open source tools.

In fact, many proprietary products exist only because they need to compensate for deficiencies in other commercial software. For example, products like anti-virus, which are a requirement on Microsoft Windows, are a band-aid on top of a broken configuration and deployment model. I see absolutely no need to run anti-virus on UNIX desktops.

Who agrees or disagrees? Who is using a majority of open source tools to secure their enterprise? Who absolutely couldn't live without one or more commercial applications? If you need those proprietary apps, why? Is support the main issue? Thank you.

8 comments:

Keydet89 said...

I agree that many organizations, but particularly the small- to medium-sized ones, *can* be protected via open-source.

The problem lies with the IT staff, in particular, the IT management staff. I once worked for a consulting company in Eatontown, NJ. A local customer asked our group to write a white paper on "the best" IDS product available. The determination was that for their needs (small organization), Dragon would be the best solution...and the customer promptly said, thank you, but we'll go with ISS RealSecure. They only needed/wanted two sensors, and wanted us to monitor it.

In retrospect, I think that the reason why they opted for RealSecure was much more than simply that the buzz in the industry that RS was the "best of breed". It had to do with other things such as:

(1) The IT staff would have had to develop a detailed map of their infrastructure. Already overtasked and undertrained, that map would never be done...even though there were less than 300 systems, all located within a single facility.

(2) The IT staff would have had to actually learn something. Again, being overtasked, undermanned and undertrained left them no time to learn anything new.

In addition, I think that our group imposed some restrictions on this, as well. The planning and installation of the 2 agents was completed just before I started with the company...and in retrospect, using two snort agents and a VPN to manage them would have been sufficient, and much less costly. However, doing this would have required the consulting staff (all of 2 people, one of whom's full time job was our admin) to learn something new...and there wasn't time in the contract for that.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Dana Epp said...

The weakest link in security is the human factor.

The strongest link in security is the human factor.

No, those are NOT contradicting statements. When small businesses associate risk to their digital business assets, the last thing they wish to worry about is LEARNING, and ADAPTING to new unknown tools. Although in many cases good open source tools exist, what is missing in most of these tools is a level of usability that can make the BDM (business decision maker) see an immediate ROI. Where vendors of commercial applications are winning is being able to show quick integration, and low maintenance overhead. And more importantly, continued business continuity in the face of IT people changing, leaving etc.

When you have experts with a knowledgebase capable of utilizing these tools its one thing. Its an ENTIRELY different beast to deploy them and expect they can be managed by internal staff when you leave. This creates in many businesses an associated weakness, and therefore risk, that is not worth the investment.

Sourcefire is a PERFECT example. If you know what you are doing, you can use Snort yourself. Its easy to use, set up, and lots of supporting work out there to make it easy to manage. Yet Sourcefire makes a boatload of money knowing that people will PAY for the expectations of a commercial backing of people who will support the product and its integration and service beyond the original purchase. The BDM can leverage that past the initial purchase. You typically don't get that with consultants using open source tools.

It's a sad reality, but we sometimes get a black eye with a consultant installs something, leaves, and provides no real documentation path in an effort to "protect consulting revenues". I know of a few clients now who have been so burnt, they threw away perfectly good open source implementations because their consultants gave no clear indication on how to use it correctly.

Richard Bejtlich said...

Hi Harlan,

Thanks for your comments. Other readers -- Harlan's Winodws IR Blog has a few recent interesting posts on training that you might like!

Richard Bejtlich said...

Dana,

Thanks for your comments. I just enjoyed browsing your blog too. I wasn't aware that Mark Russinovich had a blog now. It looks like is has some great Windows info.

Anonymous said...

I believe the going price for a SANS "What Works" presentation is about $17,000 now. What open source project can afford that kind of marketing budget? ;-) It thus makes the best economic sense for SANS to help push the commercial applications whose publishers are paying for the webcasts and more. Of course, SANS is quite effective for that outlay. Chances are it'll be money well spent for the publishers... as long as their product actually works.

Richard Bejtlich said...

$17,000 poster -- would you mind contacting me privately through richard at taosecurity dot com? Thank you.

Anonymous said...

I think you have to take the SANS header with a grain of salt. Its a marketing tagline for their commercially driven webcasts (i.e. "Sponsored By:..."). I don't think its a general endorsement of ditching open-source or free software in favor of commercial tools (in fact, most of SANS courses overwhelmingly support free/open-source tools over commercial ones), but one thing I will say is that if the webcasts are geared towards enterprise-level security strategists or C-level executives, then it is somewhat true. Most open source security tools are very efficient at what they do (i.e. nmap, snort) but they fail to scale well to a large organization, and this is where the commercial tools have the advantage. Commercial tools almost always have better interfaces, better quality control, and most importantly, better available support than their open-source counterparts. And remember, open-source does not have to equal "free" (as in beer). Companies like Tenable and Sourcefire are making great commercial tools for the enterprise, yet both of these have, at their core, powerful and free security tools.

Anonymous said...
This comment has been removed by a blog administrator.