Posted: 3 Min ReadExpert Perspectives

A Tip for your TIP: Forget the Commercial - Open-Source Split

There’s no single “best” solution. The best threat intel platform is one that bolsters how you deploy data to counter bad actors

Data never rests and neither do the bad guys. Each day, more than 3.7 billion people use the internet, creating some 2.5 quintillion bytes of data. And each day, defenders are locked in battle against wave after wave of attackers trying to steal or access that information for their own nefarious aims.

While we can’t expect anything resembling “peace in our time” - at least for the foreseeable future - businesses can reduce their exposure to attack by marshalling the best intelligence possible about their adversaries.

That’s why the threat intelligence market is expected to more than double to $12.9 billion by 2023 to and also why growing numbers of businesses have made a threat intelligence platform (TIP) a key element of their enterprise security strategy.

TIPs offer invaluable help to threat intelligence teams and the analysts working in Security Operations Centers by essentially serving as the hub for information aggregated from the different sources and tools that an organization uses to track and manage cyber incidents and threats.  

A TIP will streamline the often-unwieldy process of data collection by automatically collecting and normalizing data from multiple sources and formats. So instead of taking a hit-and-miss approach, analysts can make efficient decisions based on shared information gleaned from data streamed from different parts of the company flowing into a central repository or dashboard.

This both saves time by making better use of scarce resources while reducing enterprise risk by helping to answer questions such as: Which alerts should I prioritize? Is this an artifact of a targeted attack? Who's attacking me? The upshot is a deeper, more complete understanding of the threats against the organization and a valuable leg up in the escalating competition with the bad guys.

Commercial or Open-Source?

As organizations approach the question of how to equip themselves with their own TIP they can choose among both commercial and, increasingly, open-source alternatives. There’s no single “best” solution. The choice depends solely upon each company’s approach to using intelligence in light of unique requirements, capabilities and vision.

In a commercially-driven model, an enterprise will set up a development organization to create their own proprietary TIP offering; enhancing it on a regular basis with capabilities they determine will drive the greatest customer value, and hence the greatest revenue.

By contrast, the open-source TIP projects are created and supported by a collaborative community that develops new functionality prioritized by its members and making it available to anybody who wants to use it at no cost. Ideally, these users join the community and collaborate to help further enhance and develop the open-source project.

There are a couple of trade-offs here. First, the pace of enhancements is dependent upon the vibrancy of the community.  Second, although there are no licensing costs, deployment will typically require some internal technical resources.  

Again, there is no “better” choice here. The TIP market is relatively new and as adoption grows, you’ll see organizations choosing one approach over the other - just as you do with any recent technology adoption.

Don’t get hung up on the commercial/open-source split. Choose the approach that's best for you. We’re happy to support either.

A TIP is like any data analytics tool; the quality of what you’re going to get out of it is going to be proportional to what you put in.

In fact, the ultimate determination of success depends more on the inputs than the provenance of the technology. Without the proper intelligence content, a TIP by itself is of no value.

Think about it this way. A TIP is like any data analytics tool; the quality of what you’re going to get out of it is going to be proportional to what you put in. If your data sources are inappropriate, inadequate or of poor quality, it matters little that you have an excellent threat intelligence platform and really great human analysts. You’ll still struggle to get actionable operational intelligence because the system will just send your analysts down rabbit holes searching for non-existent, irrelevant or old threats. (Here are some recommendations I recently pulled together to help avoid those – and other - potential pitfalls.)

At the end of the day, what we're trying to do is enhance our customers' security posture and make it easier for security teams to use intelligence and keep their enterprises safe. This is where Symantec can step in to provide the broadest, most in-depth, timely, and accurate intelligence content.

It's not our ambition to dictate how your organization uses intelligence, but to support you each step of the way as your intelligence program matures. Ultimately, the road you choose is going to be less important than the effort you put in to achieve the overarching goal of implementing an intelligence driven security strategy.

You might also enjoy
Expert Perspectives3 Min Read

How to Choose the Right Threat Intelligence Sources for Your TIP

What you get out of your threat intelligence platform depends on what you put into it

You might also enjoy
Feature Stories4 Min Read

The Cyber Security Platform Shift – More Secure, Less Complex

How Integrated Cyber Defense reduces the integration burden on customers in a fast-changing security world

About the Author

Al Cooley

Director, DeepSight Intelligence Product Management, Symantec

Al Cooley leads product management for DeepSight Intelligence. Prior to Symantec, he worked in product leadership roles at Guardium, IBM and Industrial Defender.

Want to comment on this post?

We encourage you to share your thoughts on your favorite social platform.