Imagine yourself looking for a bookshelf. You visit a nearby furniture store only to find out they are giving several pieces of furniture, including bookshelves for free. But after examining the details, you only see bookshelves either too large or small to fit in your living room. Will you buy the free bookshelf, knowing about its undesirable measurements? Or will you purchase a bookshelf of your choice?
Freebies are good, but only if they are suitable. The same can be said for open source threat intelligence platforms (TIPs). While the freebies might attract you hard, it is important to invest some time and resources in choosing what’s best for you. In order to check all the boxes for your TIP—open-source or commercial, you need to first understand the job of a TIP.
What’s the Purpose of a TIP?
TIPs enable security teams to gather, organize, and manage threat data and intelligence. Modern-day TIPs offer the capability to receive and share intelligence from TI providers, peers, information sharing communities (ISACs/ISAOs), and OSINT sources among others. The main job of a TIP is to automate the threat intelligence collection, normalization, correlation, enrichment, and analysis. Having an advanced TIP in place allows security teams to quickly detect, manage, and act on threats. Moreover, TIPs can integrate with existing security information and event management (SIEM) tools. In a nutshell, the purpose of a TIP is to deliver end-to-end threat intelligence lifecycle management including ingestion, normalization, enrichment, analysis, and capability to bidirectionally share threat data within your trusted network.
What is an Open Source TIP?
An open-source TIP is publicly accessible just like any other open-source software that anyone can examine and modify. A case in point is Malware Information Sharing Platform (MISP). An open-source software solution, MISP collects, stores, distributes, and shares IOCs of threat incidents. Designed for security professionals, incident analysts, and malware analysts, MISP helps them ingest and analyze threat data pertaining to detected malware attacks. This automatically connects the dots between malware and its attributes, and stores data in a structured format. In addition, MISP also helps to make the rules for network intrusion detection systems (NIDS) and enables the sharing of malware information with third parties. In simpler words, MISP aims to create a platform of trust by locally storing threat information and enhancing malware detection to encourage information exchange among organizations.
What is a Commercial TIP?
Any commercial offering is a proprietary solution that is updated on a regular basis with capabilities that boost customer value and revenue. Similar is a commercial TIP offered by a vendor. By leveraging a commercial TIP, security teams can automate the collection, normalization, correlation, enrichment, analysis, dissemination, and actioning of threat intelligence. Commercial TIPs let you gather tactical as well as technical intel from multiple external sources such as commercial feed and threat intel providers, ISAC/ISAO hubs, dark web, peer, and subsidiary organizations. Besides external sources, a commercial TIP ingests threat intel from in-house tools such as SIEMs, IDS/IPS, antivirus, and a firewall. The intel collection from both sources can be monitored in one place. This enables enterprises to collaboratively collect, manage, and share threat intel with partners, vendors, clients, regulatory bodies, ISACs/ISAOs, and others. A commercial TIP has the capability to normalize the collected threat intel and convert it into STIX format for automated analysis and actions. Furthermore, using a commercial TIP, you can correlate and enrich IOCs from different internal and external intel sources. Modern TIPs also allow security teams to calculate the final risk score of the IOCs so that actioning on relevant intel can be prioritized. Based on a confidence score, a commercial TIP sieves out threat intel, blocks IOCs, and adds them to the watchlist of a SIEM solution. Last but not the least, commercial TIPs automate intel dissemination by equipping internal security operations center (SOC), threat hunting, incident response, and red teams with enriched intelligence for quick analysis and actioning. By cross-sharing enriched intel, commercial TIPs empower organizations to build a collaborative and cyber-secure environment between their internal teams and external entities.
The Choice is Yours: Open Source vs. Commercial TIPs
A maturing security team needs to evaluate TIPs on the basis of several technical and economical aspects such as service level agreements and integration with legacy and existing systems. Most importantly, a security team needs to determine which solution is right for them. An open-source TIP acts as a centralized hub for threat intelligence. However, there’s a paucity of several aspects of a true commercial TIP in it. For instance, integration with legacy systems is a perennial challenge for any new technology. When it comes to TIP, managing legacy feeds and different formats is one of the major focuses. While an open-source TIP requires substantial modification and maintenance costs to ingest the legacy feeds, a commercial TIP provides integration capabilities that can ingest threat data presented in various formats. A commercial TIP can collect both tactical and technical intelligence from different external and internal sources, and can automatically normalize this intelligence from various formats such as STIX, JSON, XML, CybOX, and MAEC amongst others. Unlike an open-source TIP, a commercial TIP supports confidence scoring of IOCs that can be leveraged to conduct actions, such as automated alerting. An advanced commercial TIP lets you visualize the MITRE ATT&CK framework, provides you with information on attacker TTPs, helps you identify trends across the cyber kill chain, and coordinate them to report intel.
There are several reasons why you might want to opt for a commercial TIP. One of them is its ability to automatically enrich threat data from multiple trusted sources and perform correlation, deduplication, analysis, and indicator deprecation in real-time. Moreover, it has features to automatically share threat information to disparate security tools for real-time actioning.
In today’s open-source marketplace, one can find scripting potential—that requires more coding resources—but not steadfast automation capabilities. On the other hand, a commercial TIP offering security, orchestration, automation, and response (SOAR) capabilities can let your security team automate tasks resulting in faster and more actionable insights. Another major aspect that should be in your checklist of criteria when you approach the TIP selection is customization. As your threat intelligence maturity model evolves, you want your TIP to progress too. Besides threat detection and incident response capabilities, you may want to add other strategic capabilities to prove the efficacy of your TIP. Customization plays a significant role here and this is where open source and commercial solutions drastically differ. With their inherent capability to be freely distributed and modified, open-source TIPs can appear to be the perfect fit for customization. However, the question is not about which solution is more customizable, but whether your security teams have the resources and skills to handle customization in a timely fashion. You may customize an open-source TIP solution by putting in tremendous coding efforts but you might end up building a costly TIP. On the contrary, commercial solutions diverge significantly in their level of customization. They are designed to be easily customized and tailored to fit your needs, giving you the ability to modify your TIP and attune the kind of data you want to include in your platform for reporting purposes. Lastly, when choosing a TIP, the cost of commercial TIPs can be seen as a big barrier. It’s true that open source TIPs have a lower cost of entry, but the support costs over time can add up and revoke the initial investment benefits. The expense of keeping an open-source TIP up-to-date with all the technologies integrated into it drives up its cost, which is not the case in a commercial TIP. Furthermore, leading security vendors are now offering commercial TIPs that are tailored to fit the budgets of mid-market enterprises having small or no security teams.
Albeit the lower cost of entry makes open-source TIPs an attractive option, the long-term investment in customization and integration may make you think twice. Eventually, it’s a question of what you need and what are your requirements. First, you need to understand the job of a TIP and what is right for your team—is it an open-source or commercial TIP solution?