Fresh from the success of a major project with steel giant BlueScope, security-services provider Kustodian has changed its market approach and is now recommending open-source security tools for Australian companies interested in adding security operations centre (SOC) capabilities to their operations.
The decision represents a market shift for Kustodian, a multinational provider of penetration-testing and other security services that has worked extensively with commercial SIEM platforms in the past. However, CEO Chris Rock told CSO Australia, it recently became clear that open-source solutions – in particular, the ELK stack from Elasticsearch – offered a significant new opportunity to democratise the delivery of SOCs that often weighed in north of $1m using conventional commercial products and services.
Kustodian's recent development of an open-source SOC for BlueScope made it clear that the ELK environment not only offered powerful security capabilities, but could scale horizontally and vertically as far as most companies were likely to ever need.
“Within 3 months of development we were up and running,” Rock said. “In the 6 months since it went live, we've gotten it to such a state that we're now working to align it with ISO 27001 standards, and onselling the product to other clients. Since we got our heads around the whole ELK stack, we are not offering any other solution.”
The dramatically lower cost of the open-source option will open up SOC capabilities to smaller and resource-constrained organisations that could never have hoped to get strong security monitoring and analytics capabilities.
“Even for pen-testing many of these clients have just thousands per year in their budgets,” Rock said. “Asking them to spend $50k to install a SIEM and $50k in annual licensing is never going to happen. And they don't have the technical skills to install something that's free and open source. They're more focused on the day-to-day things.”
The ELK stack combines three core tools – Logstash, which collects and parses incoming log data; Elasticsearch, which indexes and searches it; and Kibana, which visualises it – to deliver a well-integrated security monitoring, analytics and dashboarding capability. The stack can be heavily customised to raise real-time alerts when suspicious activity is detected, although alerting itself is layered on top of the three core components, which handle ingestion, search and visualisation rather than alert delivery.
The open-source design also facilitates the integration of the platform with third-party tools, allowing Kustodian to work with clients to bring in real-time data sources from whatever platforms a potential client organisation might be running.
“If you're dealing with a Splunk or an HP ArcSight, you've got to wait for the vendor to create a connector for each application,” Rock explained. “We can plug into a third-party box for a day or two, look at what's coming out of it, and then turn it into an ELK event.”
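The connector work Rock describes – reading what a third-party box emits and turning it into an ELK event, then alerting on suspicious patterns – is illustrated below by an added example; it is not Kustodian's code or part of the original article. It stands in for a Logstash pipeline: the regular expression plays the role of a grok pattern, the JSON documents are what would be indexed into Elasticsearch, and a sliding-window counter plays the role of the alerting layer. The appliance log format, the field names in the output documents and the sample lines are all constructed assumptions for the purpose of the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample output from a hypothetical third-party appliance ("fw01").
# Six failed logins from one address, one success elsewhere, and one line the
# parser cannot understand, so the failure path is exercised too.
SAMPLE_LINES = [
    "2015-06-01 10:00:01 fw01 auth: FAILED login user=admin src=203.0.113.5",
    "2015-06-01 10:00:02 fw01 auth: FAILED login user=admin src=203.0.113.5",
    "2015-06-01 10:00:03 fw01 auth: FAILED login user=root src=203.0.113.5",
    "2015-06-01 10:00:04 fw01 auth: OK login user=jsmith src=198.51.100.7",
    "2015-06-01 10:00:05 fw01 auth: FAILED login user=admin src=203.0.113.5",
    "2015-06-01 10:00:06 fw01 auth: FAILED login user=admin src=203.0.113.5",
    "2015-06-01 10:00:07 fw01 auth: FAILED login user=admin src=203.0.113.5",
    "garbage line the parser does not understand",
]

# Grok-style pattern for the (assumed) appliance format above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) auth: (?P<outcome>FAILED|OK) login "
    r"user=(?P<user>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+)$"
)


def to_event(line):
    """Turn one raw appliance line into an ELK-style JSON document.

    Field names ("@timestamp", "event.outcome", "source.ip", ...) are an
    assumed convention for this example, not something the article specifies.
    """
    m = LINE_RE.match(line)
    if not m:
        # Logstash would tag an unparsed line _grokparsefailure and keep the
        # raw message; we do the same so no data is silently dropped.
        return {"@timestamp": None, "message": line, "tags": ["_grokparsefailure"]}
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "@timestamp": ts.isoformat(),
        "host": m["host"],
        "event": {
            "category": "authentication",
            "outcome": "failure" if m["outcome"] == "FAILED" else "success",
        },
        "user": {"name": m["user"]},
        "source": {"ip": m["src"]},
        "message": line,
        "tags": [],
    }


class BruteForceDetector:
    """Alert when one source IP produces `threshold` failed logins within `window`."""

    def __init__(self, threshold=5, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # source ip -> timestamps of recent failures

    def check(self, event):
        """Return an alert document for this event, or None."""
        if "_grokparsefailure" in event["tags"]:
            return None
        if event["event"]["outcome"] != "failure":
            return None
        ip = event["source"]["ip"]
        ts = datetime.fromisoformat(event["@timestamp"])
        recent = self.failures[ip]
        recent.append(ts)
        # Drop failures that have aged out of the window.
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.threshold:
            alert = {
                "@timestamp": event["@timestamp"],
                "rule": "auth_bruteforce",
                "source": {"ip": ip},
                "count": len(recent),
                "window_seconds": int(self.window.total_seconds()),
            }
            recent.clear()  # one burst yields one alert, not one per extra failure
            return alert
        return None


def run_pipeline(lines, threshold=5, window=timedelta(seconds=60)):
    """Parse every line into an event and run the detector over the stream."""
    detector = BruteForceDetector(threshold, window)
    events, alerts = [], []
    for line in lines:
        event = to_event(line)
        events.append(event)
        alert = detector.check(event)
        if alert is not None:
            alerts.append(alert)
    return events, alerts


if __name__ == "__main__":
    parsed, fired = run_pipeline(SAMPLE_LINES)
    print(f"{len(parsed)} events, {len(fired)} alerts")
    for a in fired:
        print(a)
```

Running the block over the constructed sample yields eight event documents (the last tagged `_grokparsefailure`) and a single alert for 203.0.113.5 on its fifth failure within the window. The points worth carrying over to a real deployment are the ones the code makes explicit: unparsed lines are kept and tagged rather than discarded, successes and failures are normalised into the same field so one rule covers every source that is mapped into the schema, and the detector clears its window after firing so a sustained attack produces one alert rather than a flood.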
Kustodian's work with BlueScope has delivered a highly-scalable, global SOC that is currently processing 350,000 events per hour, generated by monitoring networks and systems supporting 16,000 employees across more than 100 locations in 17 countries. Yet even this load is “minor” compared with the scalability built into the platform: “ELK was designed for a huge ceiling, and with this product we're never going to hit any scalability problems,” Rock said. “If we can throw in three or four virtual servers with 30GB of RAM, any performance issues really don't exist.”