MISP is the world’s most established open source Threat Intelligence Platform (TIP), with almost 5k stars on GitHub at the time of writing. MISP provides analysts with a powerful way to collect, organise and share CTI. It also supports a host of integrations that enable automated IOC synchronisation and blocking, ensuring that analysts, alerting rules, and security controls are automatically kept up to date with emerging threats in real-time.
As an open source project, MISP can also be self-hosted on your own infrastructure. Let's take a look at what you'll need to consider when planning to self-host MISP:
If your cyber security team was to implement MISP like this, what are you forgoing?
A term with origins in macroeconomics, opportunity cost is the hidden cost of choosing one course of action over another, when both cannot be chosen at the same time.
Opportunity costs are not always financial. For example, the opportunity cost of playing video games instead of going for a hike are the benefits you’d likely have gained from hiking, such as improved fitness and mental health.
Security teams also incur opportunity costs whenever they pick one way to spend their time and resources over another.
The opportunity cost of self-hosting and maintaining MISP is the additional time and brainpower teams could have otherwise spent gathering and leveraging usable threat intelligence and enhancing their organisation’s security posture.
While at first this might not seem like a lot of time to factor into the opportunity cost equation, we find that time and time again, teams underestimate what it takes to robustly host and maintain a production MISP so that it becomes a powerful asset rather than a constant thorn in the team’s side.
Let’s dive deeper into the opportunity costs we see many teams pay when they decide to self-host MISP.
As covered in our previous article on MISP self-hosting best practices, securely and reliably hosting MISP is a significant infrastructure project, including architecture design and approval, network rules, testing, monitoring, backups, DR, base config, upgrade strategy, and SSO. An infrastructure project of this size can take teams several months to complete alongside core tasks. This is time not spent generating business value in the form of insights, actionable intelligence, and mitigating risks.
Self-hosting MISP is a cloud engineering project which often requires consultation with other IT teams and software architects. If your team doesn’t have its own cloud engineering know-how or the autonomy to spin up new infrastructure, you may also need to borrow resources from other teams.
In the enterprise, significant projects take time, planning and cross-functional collaboration to execute. Given that your CloudMISP instance is likely a low priority for other teams, this process can take months, during which time your team is not able to take full advantage of MISP and MISP integrations.
In contrast, CloudMISP is typically ready to use in 1 - 2 business days.
Giving MISP the production-worthy hosting setup it deserves is a sizable cloud engineering project. In our experience, SOC and CTI teams are full of clever folks who are capable of impressive feats of system administration. However, we’ve never been part of a security team with core metrics and performance goals focused on their cloud engineering capabilities!
The first thing that teams do once they get MISP up and running is realise how many useful integrations are possible with MISP, from Splunk, to SSO. MISP really hits its stride when it is connected with other security systems, such as SIEM platforms.
SSO is another massive value add, but not all SSO providers integrate out of the box with MISP (for example, Okta requires custom development to integrate). Whereas a managed MISP like CloudMISP can be provisioned with value-adding Splunk and SSO integrations out of the box.
While new MISP releases generally introduce powerful new features and capabilities, they can also occasionally introduce bugs, edge cases, and breaking changes. This isn’t common with MISP, but does sometimes happen.
The risk of new MISP releases leading to unforeseen consequences can be mitigated with a robust suite of automated smoke tests that ensure your MISP instance is functioning as intended. MISP doesn’t come with these tests out of the box, so they’ll need to be developed for your environment and unique configuration. This is a service we provide to all CloudMISP customers so they don’t need to worry about spending time on MISP quality assurance.
As we touched on earlier, the MISP project releases 12 - 20 updates per year, each containing new features, bug fixes, security patches, and improvements. One of the most common mistakes that teams self-hosting MISP make is that they don’t allocate ongoing time and resources to examine, apply and test each of these updates. As a result, teams end up using outdated versions of MISP that lack useful features and, critically, may contain bugs or vulnerabilities. Sometimes new versions also introduce issues, and a lack of robust testing processes before deployment could result in a non-working or feature degraded MISP instance.
This issue tends to compound over time because the further MISP falls out of date, the harder it is to upgrade to the latest version. Teams in this situation frequently find that even when they want to update MISP to the latest version, they are so many versions behind that it’s now a much more difficult project – and may even require setting up a fresh MISP from scratch.
With a managed MISP, your MISP instance will be kept up to date for you without ever having to worry about it.
Deciding to self-host MISP comes with a set of opportunity costs beyond the financial, including the allocation of your team’s time, resources, expertise and energy.
While the allure of self-hosting may initially seem appealing, in reality, self-hosting often leads teams to reinvent the wheel and divert valuable time and resources away from their core objectives.
Managed MISP solutions like CloudMISP allow you to outsource the setup and operational overhead of MISP to experienced CTI practitioners, giving you a ready-to-use MISP instance with reliable infrastructure, robust integrations, and expert maintenance.
Instead of maintaining MISP, teams can focus on generating business value and avoid the numerous opportunity costs of self-hosting MISP.
You also get ongoing guidance and access to Cosive’s MISP experts to help you avoid common mistakes, adhere to best practices, and ultimately, multiply the effectiveness of your CTI program.
If you’d like to learn more, reach out to us to request pricing and additional information about CloudMISP.