Kustodian goes open-source only after success with BlueScope SOC

Fresh from the success of a major project with steel giant BlueScope, security-services provider Kustodian has changed its market approach and is now recommending open-source security tools for Australian companies interested in adding security operations centre (SOC) capabilities to their operations.

The decision represents a market shift for Kustodian, a multinational provider of penetration-testing and other security services that has worked extensively with commercial SIEM platforms in the past. However, CEO Chris Rock told CSO Australia that it had recently become clear that open-source solutions – in particular, the ELK stack from Elasticsearch – offered a significant new opportunity to democratise the delivery of SOCs that often weighed in at north of $1m when built on conventional commercial products and services.

Kustodian's recent development of an open-source SOC for BlueScope made it clear that the ELK environment not only offered powerful security capabilities, but could scale horizontally and vertically as far as most companies were likely to ever need.

“Within 3 months of development we were up and running,” Rock said. “In the 6 months since it went live, we've gotten it to such a state that we're now working to align it with ISO 27001 standards, and onselling the product to other clients. Since we got our heads around the whole ELK stack, we are not offering any other solution.”

The dramatically lower cost of the open-source option will open up SOC capabilities to smaller and resource-constrained organisations that could otherwise never have afforded strong security monitoring and analytics. The saving is in licensing; the skills to deploy and tune the stack still have to come from somewhere.

“Even for pen-testing many of these clients have just thousands per year in their budgets,” Rock said. “Asking them to spend $50k to install a SIEM and $50k in annual licensing is never going to happen. And they don't have the technical skills to install something that's free and open source. They're more focused on the day-to-day things.”

The ELK stack combines three core tools – Logstash to collect and parse incoming logs, Elasticsearch to index and search the resulting events, and Kibana to visualise them – to deliver a well-integrated security monitoring, analytics and dashboarding capability that can be heavily customised to raise real-time alerts when suspicious activity is detected.

The open-source design also facilitates the integration of the platform with third-party tools, allowing Kustodian to work with clients to bring in real-time data sources from whatever platforms a potential client organisation might be running.

“If you're dealing with a Splunk or an HP ArcSight, you've got to wait for the vendor to create a connector for each application,” Rock explained. “We can plug into a third-party box for a day or two, look at what's coming out of it, and then turn it into an ELK event.”
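The workflow Rock describes – inspect what a third-party box emits, write a parser for it once, and turn each line into a structured ELK event – looks roughly like the following. This is an added example and not Kustodian's or BlueScope's code: the appliance log format and the sample lines are constructed, the field names are this example's own choice, and the brute-force threshold and window are assumptions. It also adds one detection rule over the parsed events, which the article does not describe, to show why structured events matter.

```python
"""Parse raw third-party log lines into Elasticsearch events and run a simple
detection over them. Added example; the log format, field names, threshold and
window are assumptions, not Kustodian's or BlueScope's configuration."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample output from a hypothetical VPN appliance (syslog-style).
# The last line is deliberately malformed to show how unparsed input is kept.
SAMPLE_LOGS = """\
2016-03-01T09:00:01Z vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2016-03-01T09:00:03Z vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2016-03-01T09:00:04Z vpn01 auth: user=bob src=198.51.100.20 result=OK
2016-03-01T09:00:06Z vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2016-03-01T09:00:09Z vpn01 auth: user=alice src=203.0.113.7 result=FAIL
2016-03-01T09:00:11Z vpn01 auth: user=alice src=203.0.113.7 result=OK
2016-03-01T09:30:00Z vpn01 auth: user=carol src=192.0.2.5 result=FAIL
this line is not in the expected format
"""

# The equivalent of a Logstash grok pattern: one regex per log source, written
# after looking at what the box actually emits (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) "
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Turn one raw line into a structured event dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "@timestamp": m["ts"],
        "host": m["host"],
        "event": {
            "category": "authentication",
            "outcome": "success" if m["result"] == "OK" else "failure",
        },
        "user": {"name": m["user"]},
        "source": {"ip": m["src"]},
        "message": line.strip(),  # keep the raw line for later forensics
    }


def parse_logs(text):
    """Return (parsed events, lines that did not match) so nothing is silently dropped."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


def to_bulk_body(events, index="logs-vpn"):
    """Newline-delimited body for Elasticsearch's _bulk API: an action line, then the document."""
    lines = []
    for ev in events:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(ev))
    return "\n".join(lines) + "\n"


def detect_bruteforce(events, threshold=4, window=timedelta(minutes=5)):
    """Alert when one source IP logs >= threshold failures for one user within window.

    Sliding window per (source ip, user); failures that triggered an alert are
    cleared so the same burst does not alert again on every further failure."""
    alerts = []
    recent = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event"]["outcome"] != "failure":
            continue
        key = (ev["source"]["ip"], ev["user"]["name"])
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        recent[key] = [t for t in recent[key] if ts - t <= window] + [ts]
        if len(recent[key]) >= threshold:
            alerts.append({"rule": "vpn_bruteforce", "source_ip": key[0],
                           "user": key[1], "count": len(recent[key]),
                           "last_seen": ev["@timestamp"]})
            recent[key] = []
    return alerts


if __name__ == "__main__":
    evs, bad = parse_logs(SAMPLE_LOGS)
    print(f"{len(evs)} events parsed, {len(bad)} lines unparsed")
    print(to_bulk_body(evs), end="")
    for alert in detect_bruteforce(evs):
        print("ALERT", json.dumps(alert))
```

In a real deployment the bulk body is POSTed to Elasticsearch's `_bulk` endpoint and the detection runs as a scheduled query against the index rather than in-process; both are kept local here so the example runs offline. Keeping the unparsed lines, rather than discarding them, is what lets you notice when the upstream box changes its log format.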

Kustodian's work with BlueScope has delivered a highly scalable, global SOC that is currently processing 350,000 events per hour (roughly 100 events per second), generated by monitoring networks and systems supporting 16,000 employees across more than 100 locations in 17 countries. Yet even this load is “minor” compared with the scalability built into the platform: “ELK was designed for a huge ceiling, and with this product we're never going to hit any scalability problems,” Rock said. “If we can throw in three or four virtual servers with 30GB of RAM, any performance issues really don't exist.”

Stories by David Braue