Monday, 06 June 2005

DIY Security with Open Source

This morning I received word of a new SANS Webcast titled What Works in Intrusion Detection Systems. The introductory paragraph for the announcement starts with these two sentences:

"The days of do-it-yourself security using free software have passed. There is broad understanding among CIOs and CISOs that an effective cyber security program cannot be implemented without commercial technology and services."

As you might expect, I strongly disagree with this claim. I was disappointed to see these sentiments expressed in an announcement about IDS sponsored by Sourcefire! The introduction appears to be standard SANS boilerplate, however. You can see the same paragraph in the SANS What Works in Intrusion Prevention: Using Multi-Function Low-Cost Appliances and What Works in Business Transaction Integrity Monitoring announcements, among others.

I find it sad that SANS would advocate this anti-open source stance. I never saw SANS teach commercial products at my first SANS conference in 1999, nor at the first SANSFIRE track I attended in 2001, nor in the intrusion detection tracks I attended in 2000 and taught in 2002 and 2003.

I believe there are places inside the enterprise where open source may not be as well suited or as capable as proprietary software. Some people cannot live without Microsoft Active Directory. Mounting directories over NFS isn't quite the same as using Microsoft's protocols. In some security applications proprietary solutions are more full-featured. CORE IMPACT comes to mind. However, I believe most small to medium, and even many large, enterprises could operate securely using open source tools.

In fact, many proprietary products exist only because they need to compensate for deficiencies in other commercial software. For example, products like anti-virus, which are a requirement on Microsoft Windows, are a band-aid on top of a broken configuration and deployment model. I see absolutely no need to run anti-virus on UNIX desktops.

Who agrees or disagrees? Who is using a majority of open source tools to secure their enterprise? Who absolutely couldn't live without one or more commercial applications? If you need those proprietary apps, why? Is support the main issue? Thank you.
