We are sometimes asked to compare RSA threat detection and response solutions to those custom-assembled by security experts using various open-source products. With so many quality point solutions available, it's natural to consider whether a combination of best-of-breed open-source solutions is better for a particular organization than an integrated commercial solution.

RSA is a big fan of open-source software and threat intelligence, participating in the security sharing process. We all battle the same adversaries, and this collaborative tradition helps keep the internet as safe as possible for everyone.

In practical terms, this is a classic “build vs. buy” choice that boils down to preferences, available skills and risk tolerance. While both are viable options, the differences are important to understand.

  • Preferences
    Some organizations have skills specific to the open-source model, including a full understanding of various licenses such as GPL. Others are more comfortable with commercial software, which offers support, predictable upgrades and lifecycle guarantees that can offset potential license savings. Many have explicit rules about this in their governance, risk and compliance (GRC) playbooks.

  • Available Skills
    The availability of deep security and integration skills—and the ability to retain them—is an important factor in choosing between custom integration and a commercial platform. If your organization's skill set is strong and stable, you may feel comfortable integrating different technologies for logs, packets, endpoints and NetFlow, and possibly separate analysis and remediation tools.
    With a commercial threat detection and response platform, the vendor manages integration, freeing up your internal resources to focus on threat hunting. The vendor also maintains interoperability with various SIEMs, IPSs and firewalls.

  • Risk Tolerance
    Breaches have a potentially huge negative impact on organizations and are appropriately weighted in most risk programs. Open-source solutions present additional risks to evaluate, including the continued availability of high-level skills to manage and maintain the solution. You should also consider the stability of projects underlying the components and the availability of suitable alternative components, as well as the effort required to replace and integrate components.

    For a commercial platform, vendor stability and maturity largely define the risk of adoption. Commercial support systems lower the risk of a catastrophic outage, as do support SLAs and the availability of professional services, including incident response support.

Remember, this isn't only about building a solution; it's about keeping it going. If you have—and can retain—the internal skills to do that, a custom-integrated solution can be effective. But it also means you'll be depending on multiple solution providers, which increases your risk if one stops supporting a product or simply fails altogether.

Good advice for anyone considering a threat detection and response solution is to look ahead five years at changes that may impact your organization. Internal considerations about employee skills and organizational risk tolerance are important. It's also critical to evaluate whether technology partners will continue to provide support at a predictable and professional level. Security is a process, not an event, so think of your choice as an ongoing commitment. Be informed, and choose wisely.


— Arthur Fontaine is principal product marketing manager for RSA NetWitness Suite.