Richard Kirk of AlienVault introduces Open Threat Exchange, a free, open-source enterprise IT security tool
A team of “ethical hackers” from AlienVault has already given the world OSSIM, a popular open source security information and event management (SIEM) tool, but as more and more cybercriminals are adopting open source models and even using proprietary social networks to exchange information, a new approach to IT security is needed.
Enter AlienVault Open Threat Exchange (OTX), a free system for gathering, processing and sharing threat intelligence, that launched today. TechWeekEurope sat down with Richard Kirk, senior vice president of international operations at AlienVault, to talk about security, community and giving things away for free.
So what is Open Threat Exchange in a nutshell?
A lot of IT security companies collect threat information from their users, and then do their best to share that information to benefit those users. Good examples of this are the anti-virus software companies like Symantec and McAfee. On the other hand you have national security organisations like the NSA, which collect information from any source they can get their hands on, and then share it with the intelligence communities and a select number of important organisations.
This type of information should really be available to everybody, but it’s quite difficult to get your hands on it. None of the traditional IT security companies can do it, because they lack access. Since we have more than 16,000 users of our open source product OSSIM, as well as a large number of commercial users, we have access to a ton of information.
If we can get to that information, we can process it and turn it into valuable threat intelligence that we can share with our users. OTX is about collecting data from individual installations of AlienVault, bringing it together, analysing it, and then sending it back so it can be automatically installed and be used in threat management and correlation. Nobody else is doing that today.
Who would be your main competitors?
Companies selling other SIEM platforms. But because they don’t have an open source community, it is highly unlikely that they will get high-end commercial clients to share information. And because we are open source, we have access to a wide user base of people who are willing to share. From this point of view, there isn’t really a true competitor.
Why free and open source, and not subscription?
We have a history of open source products, but we also have an enterprise product that people can use if they want to. We have established ourselves in the community, as the most widely-used SIEM platform in the world. The reason we go the open source route is we believe that to do this kind of work, you need access to a wide set of data. If you can’t see threat information coming from many different places, there aren’t enough data points to do anything meaningful with it. The most important thing is to have a global view of different types of threats.
We want to make it as easy as possible to share information. Of course it’s totally anonymous. We will apply our security experience to it, and then give it back for free. If we would try to make this software commercial, people would think long and hard whether they should share any information with us.
Nothing is really free. So how are you making money?
We make money through sales of our enterprise SIEM platform. It offers better scalability, comprehensive logging and report writing facilities, has redundancy built into it, and is more reliable. There are also other additional features. But the commercial product is completely separate from Open Threat Exchange.
We believe we need much better threat information across the whole security landscape, not just anti-virus or firewall. And the only way that you can do that is gather information through a platform like AlienVault.
Any examples of major companies using AlienVault?
Telefonica is a big client of ours. They have a variety of security operation centres spread around the world managing their very extensive network. They realised they need to have information flowing between these security centres. For example, if they have a security operation centre in Latin America, and they see a local threat, they can assume this threat will hit Spain pretty soon, but they don’t know when. They need to have information updated automatically, to deal with global issues, and that’s where we come in.
Can you tell us about your “anti-hacker” team?
We have a security research team which is well-known in the hacking scene. Two or three weeks ago the head of our security team discovered a link between the Sykipot Trojan and China.
Our team says we need to make our approach work in real-time because there’s no doubt that is what hackers are doing and the only way to do that is through data. We are trying to stay ahead of the game. The AlienVault platform is uploading information on hourly basis. It is then immediately processed. Sure, it’s not instant, but it is quicker than anything else today.
How well do you know Internet security? Try our quiz and find out!