DIY Security with Open Source
This morning I received word of a new SANS Webcast titled What Works in Intrusion Detection Systems. The introductory paragraph for the announcement starts with these two sentences:
"The days of do-it-yourself security using free software have passed. There is broad understanding among CIOs and CISOs that an effective cyber security program cannot be implemented without commercial technology and services."
As you might expect I strongly disagree with this claim. I was disappointed to see these sentiments expressed in an announcement about IDS sponsored by Sourcefire! The introduction appears to be standard SANS boilerplate, however. You can see the same paragraph in the SANS What Works in Intrusion Prevention: Using Multi-Function Low-Cost Appliances and What Works in Business Transaction Integrity Monitoring announcements, among others.
I find it sad that SANS would advocate this anti-open source stance. I never saw SANS teach commercial products at my first SANS conference in 1999, nor at the first SANSFIRE track I attended in 2001, nor in the intrusion detection tracks I attended in 2000 and taught in 2002 and 2003.
I believe there are places inside the enterprise where open source may not be as suited or as capable as proprietary software. Some people cannot live without Microsoft Active Directory. Mounting directories over NFS isn't quite the same as using Microsoft's protocols. In some security applications proprietary solutions are more full-featured. CORE IMPACT comes to mind. However, I believe most small to medium, and even many large, enterprises could operate securely using open source tools.
In fact, many proprietary products exist only because they need to compensate for deficiencies in other commercial software. For example, products like anti-virus, which are a requirement on Microsoft Windows, are a band-aid on top of a broken configuration and deployment model. I see absolutely no need to run anti-virus on UNIX desktops.
Who agrees or disagrees? Who is using a majority of open source tools to secure their enterprise? Who absolutely couldn't live without one or more commercial applications? If you need those proprietary apps, why? Is support the main issue? Thank you.
Comments
The problem lies with the IT staff, in particular, the IT management staff. I once worked for a consulting company in Eatontown, NJ. A local customer asked our group to write a white paper on "the best" IDS product available. The determination was that for their needs (small organization), Dragon would be the best solution...and the customer promptly said, thank you, but we'll go with ISS RealSecure. They only needed/wanted two sensors, and wanted us to monitor it.
In retrospect, I think that the reason why they opted for RealSecure was much more than simply the buzz in the industry that RS was the "best of breed". It had to do with other things such as:
(1) The IT staff would have had to develop a detailed map of their infrastructure. Already overtasked and undertrained, that map would never be done...even though there were fewer than 300 systems, all located within a single facility.
(2) The IT staff would have had to actually learn something. Again, being overtasked, undermanned and undertrained left them no time to learn anything new.
In addition, I think that our group imposed some restrictions on this, as well. The planning and installation of the 2 agents was completed just before I started with the company...and in retrospect, using two snort agents and a VPN to manage them would have been sufficient, and much less costly. However, doing this would have required the consulting staff (all of 2 people, one of whose full-time job was our admin) to learn something new...and there wasn't time in the contract for that.
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
The strongest link in security is the human factor.
No, those are NOT contradicting statements. When small businesses associate risk to their digital business assets, the last thing they wish to worry about is LEARNING, and ADAPTING to new unknown tools. Although in many cases good open source tools exist, what is missing in most of these tools is a level of usability that can make the BDM (business decision maker) see an immediate ROI. Where vendors of commercial applications are winning is being able to show quick integration, and low maintenance overhead. And more importantly, continued business continuity in the face of IT people changing, leaving etc.
When you have experts with a knowledgebase capable of utilizing these tools it's one thing. It's an ENTIRELY different beast to deploy them and expect they can be managed by internal staff when you leave. This creates in many businesses an associated weakness, and therefore risk, that is not worth the investment.
Sourcefire is a PERFECT example. If you know what you are doing, you can use Snort yourself. It's easy to use, set up, and lots of supporting work out there to make it easy to manage. Yet Sourcefire makes a boatload of money knowing that people will PAY for the expectations of a commercial backing of people who will support the product and its integration and service beyond the original purchase. The BDM can leverage that past the initial purchase. You typically don't get that with consultants using open source tools.
It's a sad reality, but we sometimes get a black eye when a consultant installs something, leaves, and provides no real documentation path in an effort to "protect consulting revenues". I know of a few clients now who have been so burnt, they threw away perfectly good open source implementations because their consultants gave no clear indication on how to use it correctly.
Thanks for your comments. Other readers -- Harlan's Windows IR Blog has a few recent interesting posts on training that you might like!
Thanks for your comments. I just enjoyed browsing your blog too. I wasn't aware that Mark Russinovich had a blog now. It looks like it has some great Windows info.