- Preferences Some organizations have skills specific to the open-source model, including a full understanding of various licenses such as GPL. Others are more comfortable with commercial software, which offers support, predictable upgrades and lifecycle guarantees that can offset potential license savings. Many have explicit rules about this in their governance, risk and compliance (GRC) playbooks.
- Available Skills The availability of deep security and integration skills—and the ability to retain them—is an important factor in choosing between custom integration and a commercial platform. If your organization's skill set is strong and stable, you may feel comfortable integrating different technologies for logs, packets, endpoints and NetFlow, and possibly separate analysis and remediation tools. With a commercial threat detection and response platform, the vendor manages integration, freeing up your internal resources to focus on threat hunting. The vendor also maintains interoperability with various SIEMs, IPSs and firewalls.
- Risk Tolerance Breaches have a potentially huge negative impact on organizations and are appropriately weighted in most risk programs. Open-source solutions present additional risks to evaluate, including the continued availability of high-level skills to manage and maintain the solution. You should also consider the stability of projects underlying the components and the availability of suitable alternative components, as well as the effort required to replace and integrate components. For a commercial platform, vendor stability and maturity largely define the risk of adoption. Commercial support systems lower the risk of a catastrophic outage, as do support SLAs and the availability of professional services, including incident response support.
— Arthur Fontaine is principal product marketing manager for RSA NetWitness Suite.