Back in February of this year we heard about security firm AlienVault’s creation of OSSIM, its standard open source SIEM (Security Information and Event Management) information base.
Described (arguably) somewhat hopefully by its makers as a new “de facto” standard mechanism for sharing cyber threat intelligence, the AlienVault Open Threat Exchange (OTX) system is free to all users of OSSIM (and the firm’s own customers) as it aggregates, validates and publishes threat data.
But where does this data come from and is it safe?
AlienVault says that the data originates from what it calls “the broadest range of security devices” across a community of more than 18,000 OSSIM and AlienVault deployments.
The idea is that an attack on any single member of the community “alerts and arms” the entire community with “timely intelligence”, so that all users can then (in theory) be ready to better manage a similar attack.
“The OSSIM community is spread among many industries and countries, and is composed of organisations of all sizes, making it the most diverse and comprehensive threat feed possible,” said AlienVault CTO Roger Thornton.
Gartner vs. reality
That’s great – but is the security data sourced via this community-driven approach as safe as it needs to be? Gartner ranked the company in its visionaries quadrant for the so-called 2012 “Magic Quadrant for Security Information and Event Management”…
… but the analyst firm’s amazing quadrants can probably be safely argued to appear in a lot more press releases than they do corporate IT strategy documents.
Editorial comment: Of course this is not just “community sourced” security data, as if it were some sort of open season for malware information sharing; AlienVault’s data is based upon real-world registered devices. Although, this is not to say that hackers, miscreants and ne’er-do-wells couldn’t just infiltrate this system and start sending spurious data through the information chain. AlienVault will no doubt tell us that controls are in place to catch and stop any internal hacking of this kind. But, it would largely appear, we are not about to offload too much of our IT security controls to any community-powered resource, despite the rise in prominence of open source software and tools. When electricity, petrol and the drinking water supply go open source, then IT security may come next.