Friday, April 17, 2020

From my Gartner Blog - New Research: Open Source Tools!

After finishing the wave of research that covered pentesting, monitoring use cases, SOAR and TI, I'm excited to start research for a brand-new document covering a topic rarely covered in Gartner research: open source tools! The intent is to look at the most popular open source tools used by security operations teams out there, things like the ELK stack, Osquery, MISP and Zeek. What I'd like to cover in this new paper is:

  • Why is the tool being used? Why not a commercial alternative?
  • How is it being used? What is the role of the tool in the overall security operations toolset, what are the integrations in place?
  • How much effort went into implementing the tool? What about maintaining it?
  • Is it just about using it, or is there some active participation in the development of the tool as well?
  • What are the requirements to get value from this tool? Skills? Anything specific in terms of infrastructure or processes?

It is a fascinating topic, which brings a high risk of scope creep, so the lists of questions answered and tools covered are still quite fluid.

In the meantime, it would be nice to hear stories from the trenches: what are you using out there? Why? Was it picked just because it was free (I know, TCO, etc., but the software IS free...)? Or is it a cultural aspect of your organization? Do you believe it is actually better than the commercial alternatives? Why?

Lots of questions indeed. Please help me provide some answers 🙂

The post New Research: Open Source Tools! appeared first on Augusto Barros.

1 comment:

  1. Elastic is also a commercial product (on-prem) and service (Elastic Cloud). Velocidex provides a better EDR and tools than osquery and all commercial solutions.

    You can take open-source stuff and innersource integrations and changes to it, usually checking licenses only in extreme cases.

    Do you know what Linux is? It's like that but better because there are more integrations above the OS layer. Linux is so successful because it is open-source.

    RockNSM and HELK are very unique in that they provide ECS and OSSEM respectively. If you use these open data models you win. If you don't use these open data models you lose. It's that simple.

    Elastic Cloud does not require infrastructure skills. Most skills going into 2020 are data skills for knowledge workers. Security Operations is now a smooth blend of SOC, CSIRT, DFIR, CTI, Purple Teaming, Cyber Exercises, and Applied Data Science.

    Our framework is IACDAutomate. On this page -- -- the Baseline Architecture PDF spells out the terms:
    S/A Interface is Graylog / SysmonSearch / SecurityOnion / RockNSM / Elastic SIEM; SMAF is HELK, MISP, and LogonTracer; DME is WALKOFF (maybe also TheHive-Project Cortex); RAC are walkoff-apps and their control planes (e.g., Velocidex tools); OM is TheHive-Project.

    Just forget about contracts. You are only as good as your people, and you must give your people good platforms to start from when they don't know where to start (i.e., Elastic Cloud). If they know they want or instead -- fine, give them those. But nobody wants a platform that is never mentioned in their SEC555 or SEC599 class. They don't want Vendor A, Vendor L, or Vendor S shoved down their throats!

    Not all of it is open source in the "I've downloaded and run the open source!" sense. Open source leads to innersourcing. It leads to clean and lasting integrations. It leads to workable situations when interoperability or reliability nightmare scenarios show their ugly faces and bare their claws.

    Open-sourcing and the innersourcing that comes with it build communities. The threat communities leverage this -- and if the defenders hide behind their vendors, then this community force multiplier becomes even more asymmetric, tilted toward the threat communities.

    Get in the weeds and see for yourself. Go and see. Get off your high horse.