As a SaaS company, your time and resources are valuable. You need to make solid, strategic decisions about where to focus your time and energy. You also need to ensure that your organization is secure and compliant in the ways that matter to you and to your customers.
When it comes to security tools, there are a few options:
- Build your own
- Buy a bunch of point solutions
- Use open source security tools
- Invest in a security platform
We’ve tackled the build vs. buy question previously and explained why building a security solution from scratch can be much more costly than buying. Think multiple technologies that need to scale as they reliably collect data, turn it into meaningful alerts, and provide context around those alerts. Quite a tall order. On top of all that, you’ll also need to add features such as configuration auditing and vulnerability assessment. It’s a daunting task requiring layers of expertise.
But as a SaaS company, you’re resourceful, and you could be up for some bootstrapping if it will save money. After all, there are a bevy of vendors offering off-the-shelf (OTS) point solutions for security, not to mention free, open-source tools like OSSEC. These can seem like tempting options. But we’re here to tell you to pump the brakes!
In this post, we’ll explain why such tools can cost you more time, money, and energy than they’ll save you and why buying a comprehensive security platform is well worth the up-front investment.
Free in Cost Isn’t Free in Time
Free, open source security tools may seem like a boon to SaaS companies looking to save money, but they often require extensive configuration upon deployment and even more extensive maintenance and upgrades down the road. In assessing open source security tools for your business, you should consider whether they fit into your strategic architecture, what type of customization and configuration they’ll require to get up and running, and whether you have enough people with enough expertise on your team to manage complicated DIY security setups.
Let’s take OSSEC, an open source host intrusion detection system (IDS), as an example of why free doesn’t equal trouble-free — or zero cost. OSSEC requires DIY deployment, which means time spent on configuration before you are able to get up and running. In fact, OSSEC typically requires two to four full-time engineers to build and maintain, resulting in a total cost of ownership that is anything but free and often rises above the cost of purchasing a comprehensive security platform.
In terms of analysis, most IDS and intrusion prevention system (IPS) solutions have historically relied on attack signatures, which are static and look for specific known Indicators of Compromise (IOCs). OSSEC not only relies on such static attack signatures but expects operators to write those signatures themselves, which requires a great deal of experience to be effective.
Besides the time and expertise required to write signatures, the problem is that a security tool relying on these signatures depends on attacks being static, which is clearly not the case today. As attacks evolve, a comprehensive security platform is much better able to, instead, leverage behavioral analysis, analyzing the way environments process and users behave inside systems.
A comprehensive intrusion detection platform enables security tools to detect behaviors that static signatures simply can’t, such as:
- Application usage changes (an indicator of possible credential theft)
- Execution and command line changes (an indicator of possible remote exploit)
- Log-in and user behavior changes (an indicator of possible insider threat)
Moreover, OSSEC’s traditional file integrity monitoring (FIM) methods perform scheduled scans of file systems every six hours, creating signatures of files and comparing them to see whether a file has changed, delaying your response time. Continuous file integrity monitoring, on the other hand, detects when certain files or directories are acted upon, allowing you to respond more quickly in order to prevent a breach. Continuous file monitoring also addresses certain compliance requirements, because it provides a deeper level of auditing.
There are also no open source tools that offer automated patch monitoring or threat intelligence, so it’s necessary to add these features as point solutions to whatever open source tools you choose. Currently there are no good open source options for this, though common vulnerabilities and exposures (CVE) analysis could be completed manually by a dedicated engineer working half to full time. Similarly, the complete lack of automated open source threat intelligence solutions means that the task would need to be completed manually, requiring about half of a full-time engineer’s workday. As you can see, the cost of manpower adds up quickly
A robust security platform, on the other hand, should offer both automated patch monitoring and vulnerability monitoring all in one easy-to-use dashboard, saving you time and money while reducing the burden on your team.
Point Solutions Aren’t on Point
As with open source tools, seemingly inexpensive off-the-shelf (OTS) point solutions have hidden costs that add up quickly. Let’s take a look at some of the major costs to consider before investing in them.
Integrating point solutions with each other and with the other tools that your team uses may require expert coding in order to pull data from the right sources and feed it back to the right places. Let’s say you’d like to pull log data from a SIEM like Splunk and feed it into your security tool, then have alerts sent to you via PagerDuty or Slack. If the point solutions you choose don’t already offer integrations, you’re stuck writing them by hand. And, if they do offer integrations, you will likely still have to fine-tune an API that isn’t sufficiently customized. If you already have engineers on board who can handle integrations like this, you probably know how hard it can be to get their time.
Maintenance of point solutions requires further time and resources to deal with any hiccups as your point solutions update their codebases. Moreover, keeping the point solutions patched and making sure they work with any new tools you add (or don’t break if you subtract a tool) takes time. You will also need to review your integrations code and update your contributing sources continually as new threats emerge. With the amount of time and expertise necessary to complete and maintain integrations, those “cheap” point solutions suddenly seem much pricier.
Next, you need to think about scalability. Cloud security requires constant surveillance on all fronts. As organizations expand in the cloud, it’s common to add point solution after point solution to try to cover all types of threats and vulnerabilities. This can quickly create unmanageable tech sprawl. It’s neither scalable nor efficient with security teams that are already overworked and lacking time and resources to manage multiple point solutions. For this reason, host-based continuous monitoring via a single, unified platform tends to be quite a bit more cost-effective and scalable.
Decentralized ownership is another issue with point solutions that often compromises security. Many point solutions often means many owners, and we see companies doling out responsibility over security tools to whichever individual or team purchased them. With various owners responsible for dozens of tools and little coordination, responsibility is spread so thin that tools go without maintenance and alerts are ignored. Both threats and costs spiral out of control, creating a perfect storm for attackers. Alternatively, a platform solution easily allows for a single owner (or a tightly integrated team) that oversees all security technology, thereby streamlining visibility, management, and response. This means faster responses to threats, which minimizes fallout for your organization.
A Better Alternative: All-in-One Security
Thanks to the maturation of the security industry over the last several years, the cloud-native, integrated, end-to-end solutions that are available to the market today leave little reason to piece together your own solution from open source software and point solutions. With a wider lens on your infrastructure than a point solution could ever achieve, a comprehensive platform offers better visibility and more accurate, richly contextualized alerts to enable a faster response. When all is said and done, investing in a security platform is most often less expensive and more effective than open source or point solutions could ever be.
A single, comprehensive intrusion detection platform that coordinates security monitoring, giving you a single pane of glass view into the security of your cloud environment, can significantly cut the time needed to monitor and analyze threats, thus freeing up time to respond to them quickly and effectively.
To discover how Threat Stack’s intrusion detection platform can address your security and compliance requirements, sign up today for a demo today.