OSSEC is an Open Source Host-based Intrusion Detection System project that has been around since 2003. It was acquired by Third Brigade in 2008, and then Third Brigade was acquired by Trend Micro in 2009. Trend Micro recently completed a global survey of the OSSEC installed base that yielded some interesting results.
OSSEC performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response as ways to protect servers. OSSEC has a phenomenally loyal base of users - 21% of the OSSEC email distribution list completed the survey (a remarkable response rate … the stylish T-shirt we’re giving away might have juiced results slightly). This November 2009 survey helped me to cut through some of the cloud hype to get at today’s reality.
OSSEC provides basic server security that helps users with compliance. 71% had deployed OSSEC to comply with PCI mandates, 18% HIPAA, 18% SOX, along with a scattering of other mandates such as EU Data Privacy and UK Data Protection Act. When we asked for ways to improve OSSEC, a plurality of users echoed what one user said, “As it is, I truly love OSSEC.” The survey highlighted room for OSSEC improvement (manageability, reporting, deployment), but that is why you pay money for Trend Micro Deep Security 7.0, for functionality above and beyond OSSEC.
The survey uncovered four useful nuggets of information:
1. 10% of the OSSEC survey respondents had suffered a data breach.
The data breach number caught my attention, especially in view of the TrendLabs Malware Blog report on the issue. The malware researchers found:
“During the analysis of approximately 100 million compromised IP addresses, we identified that half of all IP addresses were infected for at least 300 days. That percentage rises to eighty percent if the minimum time is reduced to a month.”
One in ten OSSEC users has suffered a data breach, and the TrendLabs data shows that the actual number could be higher because of undetected compromises. The two figures are not directly comparable: OSSEC users are typically protecting servers (10% of OSSEC users encountered a breach), while the TrendLabs numbers include large numbers of PCs (both business and consumer) in addition to servers.
2. OSSEC survey respondents have a heterogeneous mishmash of operating systems (lots of Linux and Windows) and hypervisors (mostly VMware, but also Citrix, Hyper-V, etc.).
The heterogeneous mix of OSSEC operating system and hypervisor environments speaks to the need for solutions to adapt to customer needs. “Point” security solutions might protect that point, but enterprises will not readily accept such approaches. This is one reason why Trend Micro Deep Security can support physical, virtual and cloud environments. We support a variety of operating systems, VMware VMsafe virtual appliances, and use an agent-based approach to work with multiple hypervisors feeding a single console to manage all such environments.
3. 36% of respondents deployed OSSEC for compliance, and over 2/3rds of that was for PCI DSS compliance.
Compliance drives a large amount of IT security activity. I recall a recent survey from Ted Ritter at Nemertes Research on virtualization security that showed 80% of IT spending tied to compliance initiatives.
4. 74% listed security as the top concern in considering deploying applications to the public cloud.
The cloud adoption in the survey is relatively modest – 2 in 10 are evaluating moving applications into the public cloud. I suspect that part of the reason for that modest uptake is the respondent pool. Open source folks using OSSEC do not have a ready budget to pay for cloud computing Infrastructure-as-a-Service.
The OSSEC survey (to the hundreds of respondents – thank you to each and every one!) tells me that cloud computing is happening, but the reality is somewhat behind the cloud hype. We will continue to listen attentively to the open source community that is so committed and enthusiastic about OSSEC.