Gentlemen,
First let me say how happy I am that the Liquidmatrix podcast is pushing out new episodes in 2016. I look forward to listening more.
That said I find I must take exception to the "Mailbag" commentary in Episode 61.
<rant>
What definition of "enterprise" are you using?
I will heartily endorse that Matt is an "awesome" hacker and that the toolkit he is building at the startup he's at is likely totally awesome. But in what world is a startup also an enterprise?
Startups use homebrew and open source systems because they are cash-short and it makes more business sense (meaning a combination of financial, risk, compliance, and resource sense) to build versus buy.
But any true enterprise CISO that used a SIEM built by one of their team members is (using the language of the kids today) “smoking crack”.
Why? Allow me to expand the thought. Assume Matt works for me at an $8B company and I adopted the SIEM platform he developed versus using an MSSP or SIEM…
1. As the company grows the amount of time Matt will need to spend building connectors and enhancing the system will continue to grow. Matt will need to take time away from actual security (which is what I hired him for in the first place) and act more like a developer than a security staff member. Is that the best use of his limited time? I doubt it.
2. Some compliance regimes (yeah, I know, I can hear the complaints now but at the enterprise level this stuff matters) require systems you rely on for security to “have support”. I’m not a development shop! I do security for a company that makes widgets! Crap – now I have a finding in my external audit and my PCI assessor is twitching.
3. What happens when Matt gets bored (and he will – all good hackers do after a period of time) and leaves the company? Who’s going to support this thing? Now I have to go find an equally awesome hacker (not an easy prospect these days) and hope they can support this now critical piece of security infrastructure. There is a very real possibility that the system will degrade into a useless piece of crap before I can find someone to take over… That’s potentially devastating as I have *nothing* to fall back on.
Are you seriously asking me to sign up for this amount of risk? REALLY?
</rant>
Homebrew and open source security tools have their place and, properly used, are likely viable solutions in the startup/SMB space. Use in a true enterprise, IMO, is likely going to add so much risk that the cash expense of $VENDORPRODUCT is very much worth it.
Keep up the good podcast work, y’all. I look forward to more episodes.
Martin Fisher