We are sometimes asked to compare RSA threat detection and response solutions to those custom-assembled by security experts using various open-source products. With so many quality point solutions available, it's natural to consider whether a combination of best-of-breed open-source solutions is better for a particular organization than an integrated commercial solution. RSA is a big fan of open-source software and threat intelligence, and participates in the security sharing process. We all battle the same adversaries, and this collaborative tradition helps keep the internet as safe as possible for everyone.

In practical terms, this is a classic “build vs. buy” choice that boils down to preferences, available skills and risk tolerance. While both are viable options, the differences are important to understand.
- Preferences: Some organizations have skills specific to the open-source model, including a full understanding of various licenses such as GPL. Others are more comfortable with commercial software, which offers support, predictable upgrades and lifecycle guarantees that can offset potential license savings. Many have explicit rules about this in their governance, risk and compliance (GRC) playbooks.
- Available Skills: The availability of deep security and integration skills—and the ability to retain them—is an important factor in choosing between custom integration and a commercial platform. If your organization's skill set is strong and stable, you may feel comfortable integrating different technologies for logs, packets, endpoints and NetFlow, and possibly separate analysis and remediation tools. With a commercial threat detection and response platform, the vendor manages integration, freeing up your internal resources to focus on threat hunting. The vendor also maintains interoperability with various SIEMs, IPSs and firewalls.
- Risk Tolerance: Breaches have a potentially huge negative impact on organizations and are appropriately weighted in most risk programs. Open-source solutions present additional risks to evaluate, including the continued availability of high-level skills to manage and maintain the solution. You should also consider the stability of projects underlying the components and the availability of suitable alternative components, as well as the effort required to replace and integrate components. For a commercial platform, vendor stability and maturity largely define the risk of adoption. Commercial support systems lower the risk of a catastrophic outage, as do support SLAs and the availability of professional services, including incident response support.
— Arthur Fontaine is principal product marketing manager for RSA NetWitness Suite.