Some of the kids, (we are called CISOs now), get all the cool toys and the rest of us sit and watch while we play with our Lincoln Logs. All of us have the basic security controls – nobody would run a business these days without firewalls, access controls, AV and all of those generate logs (Lincoln Logs – security logs, coincidence? I think not). But only the “security rich” kids have the really cool stuff like IDS systems, vulnerability scanning, user and data monitoring, network and system discovery and monitoring. That is why the security rich kids needed SIEM products to tie them all together and find the proverbial needle of actionable information in the haystack of security data (needle in a stack of needles for those of you that went to engineering school).

When the rest of us did manage to scrape up enough money for a SIEM, we realized that all we had to throw into it was our stupid logs – and that took months to integrate.

Now I am not joining some populist political bandwagon, I don’t think the kids with all the toys are my problem and I am actually thrilled that there are CISOs that work in businesses that recognize the importance of effective risk management. I think the richest CISOs in the world are still a long way from being spoiled and I am happy they have all those cool toys. But I am keen on seeing how the rest of us get some of those cool toys at our house too.

Well kids, things have changed.

We owe great thanks to the authors of the dozens of open source tools that deliver those cool advanced security features and to the brilliant engineers at AlienVault who built OSSIM which ties them all together into the AlienVault Unified Security Management Platform™  aka AV-USM™. Now we can all have the same visibility that the rich kids do at a fraction of the price and a fraction of the time to deploy. It turns out the rich kids can actually use this to have visibility in their summer homes too (the “edges of the enterprise” that often don’t have the same investment in advanced security controls). Have a look around for details on AV-USM™ or check out www.ossim.net for information on the world’s most popular SIEM solution, OSSIM.

Other ways cyber security is similar to childhood? I am pretty sure that “APT” and monsters under my bed are of the same construct – fictitious names we give to the real world things that we fear most. Now if I can just figure out if the tooth fairy and the security team that proactively responds to risk are really out there somewhere.

So why did we choose the open source model?

There are many reasons that sound nicer than the truth, all of them adding to the motivation and/or growing into us over time. But the single most important reason was that back in 2002, we had very – and I mean *very* – limited resources, and we needed exposure. Not exposure in the marketing sense, but in the validation and assistance sense.

We had a need to fill from day one, which was providing a valuable service to our MSSP customers at the lowest cost possible to ourselves and in extension, to them. There was no market that could provide validation and everything we did was new to our customers and to us as well. Sharing our work with fellow Snort, Nessus, Nagios, OpenNMS, ACID, etc… users seemed like the only way to validate how we understood computer security.

And there was little or no advantage in us hiding the code from anybody, so we went out with full disclosure and licensed using the BSD license, one of the most open licenses out there (we switched to GPL to protect our IP a little bit more after founding AlienVault in 2007).

What were the immediate benefits of going open source, both for us developers as well as for our end users?

A lot has been said about contributions to open source projects and the value of those contributions. It is true that we’ve had excellent contributions during the 10 years working on OSSIM, but they’ve been scarce and scattered over time. Talking with other leaders of open source projects, this dynamic seems to repeat itself; people do contribute, but it’s not like you have a pool of highly skilled developers at your full disposal.

Good contribution is easily recognizable: somebody tells you they’ve looked into your code, fixed a problem and would like to share the solution. That you can work with. Somebody asking how to help… 95% of the time they won’t be able to. So, code exposure has had it’s benefits. We’ve had a lot of fixes, including security fixes, sent in on important stuff and they have improved OSSIM.

Plus, people deserve to know what’s running in their security system IMO anyway. Until there are regulations in place requiring secure code, the only way you can have some level of peace of mind is looking at it yourself or having someone look at it for you.

There’s one kind of end-user that benefits the most from having access to the code, and here again we hit against one of those hot topics around open source: freedom to modify the code. Most users don’t need to modify the code. If they do need to, then you haven’t done your job correctly because you should’ve created a wizard/api/plugin architecture or whatever so that most users don’t need to get into that. Unfortunately, those who need the most modifications are those wanting to make money with the project without giving those modifications back to the community. Because of people like these, projects like Nessus unfortunately had to go closed source.

What are we doing different?

When we do modify something and it’s useful for the original users of the programs, we give those patches back (we’ve contributed to OSSEC, NTop, Nessus, Snort, Emerging Threats, etc…). If modifications aren’t useful, we’ll patch a version ourselves and provide the patches for anybody to use. In rare occasions (ACID, inProtect) we did so many modifications ourselves that were only useful in the SIEM context that the best approach was to fork these projects.

Our motto is to always have a full featured state-of-the art open source SIEM out there. More than 97% of what we develop goes directly into the open source version, while only about a 3% makes it into the AV-USM™ version.
The features we hold back are those that in our opinion differentiate users who don’t have the resources to support our development from those who do. Users vs. Customers in clear text.

So what does this mean to you, our customer?
Through us, you are tapping into a lot of talent, years of hard work, a lot of valuable tools, validated by a very big community of users and you get to see whats under the hood. Your support means that we can afford to continue to make a better product and make the world a better place for everybody.

I hope you have enjoyed this very quick immersion into why we, AlienVault decided to go Open Source.