The Opportunity Cost of Self-hosting MISP

Tash Postolovski
Tash Postolovski
Technical Marketing Manager
Chris Horsley
Chris Horsley
Chief Technology Officer
The Opportunity Cost of Self-hosting MISP
April 16, 2024

MISP is the world’s most established open source Threat Intelligence Platform (TIP), with almost 5k stars on GitHub at the time of writing. MISP provides analysts with a powerful way to collect, organise and share CTI. It also supports a host of integrations that enable automated IOC synchronisation and blocking, ensuring that analysts, alerting rules, and security controls are automatically kept up to date with emerging threats in real-time.

As an open source project, MISP can also be self-hosted on your own infrastructure. Let's take a look at what you'll need to consider when planning to self-host MISP:

What does it take to run MISP in production?

  1. Design and architecture: how will you host MISP securely and reliably? How will you consume feeds without exposing MISP endpoints to the internet? How will you integrate intelligence from MISP with the rest of your security architecture?
  2. Internal stakeholder approvals: planning, negotiations and resource-wrangling across teams can take months.
  3. Hosting: will you opt for single-tenant or multi-tenant hosting? Although multi-tenant hosting is cheaper, it comes with potential security and performance trade-offs.
  4. Logging: securely and reliably forwarding IOCs to your logging platform.
  5. Monitoring: including monitoring the health of your MISP instance.
  6. Frequent upgrades: the pace of upgrades to MISP is only increasing, with between 12-20 upgrades per year to review, test, and migrate.
  7. Authentication: will you use organisational SSO, such as Okta or Microsoft Entra? This will likely require a level of custom development and configuration.
  8. Alerting: alerting on logs from MISP.
  9. Backups: how will you automatically backup (and securely store backups) of your MISP database?
  10. DR plan: how will you recover from data loss or an unexpected outage?
  11. Securing: threat intelligence platforms are a high value target for attackers. How will you keep your MISP instance secure while also pulling from external feeds (and possibly even threat sharing)?

The opportunity cost of self-hosted MISP for cyber security teams

If your cyber security team was to implement MISP like this, what are you forgoing?

A term with origins in macroeconomics, opportunity cost is the hidden cost of choosing one course of action over another, when both cannot be chosen at the same time.

Opportunity costs are not always financial. For example, the opportunity cost of playing video games instead of going for a hike are the benefits you’d likely have gained from hiking, such as improved fitness and mental health.

Security teams also incur opportunity costs whenever they pick one way to spend their time and resources over another.

The opportunity cost of self-hosting and maintaining MISP is the additional time and brainpower teams could have otherwise spent gathering and leveraging usable threat intelligence and enhancing their organisation’s security posture.

While at first this might not seem like a lot of time to factor into the opportunity cost equation, we find that time and time again, teams underestimate what it takes to robustly host and maintain a production MISP so that it becomes a powerful asset rather than a constant thorn in the team’s side.

Let’s dive deeper into the opportunity costs we see many teams pay when they decide to self-host MISP.

1. Self-hosting a production-worthy MISP adds a major infrastructure project to your roadmap

As covered in our previous article on MISP self-hosting best practices, securely and reliably hosting MISP is a significant infrastructure project, including architecture design and approval, network rules, testing, monitoring, backups, DR, base config, upgrade strategy, and SSO. An infrastructure project of this size can take teams several months to complete alongside core tasks. This is time not spent generating business value in the form of insights, actionable intelligence, and mitigating risks.

2. Self-hosting MISP can slow down team velocity with red-tape, planning meetings, approvals, and resource wrangling

Self-hosting MISP is a cloud engineering project which often requires consultation with other IT teams and software architects. If your team doesn’t have its own cloud engineering know-how or the autonomy to spin up new infrastructure, you may also need to borrow resources from other teams.

In the enterprise, significant projects take time, planning and cross-functional collaboration to execute. Given that your CloudMISP instance is likely a low priority for other teams, this process can take months, during which time your team is not able to take full advantage of MISP and MISP integrations.

In contrast, CloudMISP is typically ready to use in 1 - 2 business days.

3. Getting MISP up and running in an enterprise-grade environment is a significant cloud engineering effort

Giving MISP the production-worthy hosting setup it deserves is a sizable cloud engineering project. In our experience, SOC and CTI teams are full of clever folks who are capable of impressive feats of system administration. However, we’ve never been part of a security team with core metrics and performance goals focused on their cloud engineering capabilities!

Photo by Rayson Tan on Unsplash.

4. Teams that self-host often end up reinventing the wheel building essential integrations

The first thing that teams do once they get MISP up and running is realise how many useful integrations are possible with MISP, from Splunk, to SSO. MISP really hits its stride when it is connected with other security systems, such as SIEM platforms.

SSO is another massive value add, but not all SSO providers integrate out of the box with MISP (for example, Okta requires custom development to integrate). Whereas a managed MISP like CloudMISP can be provisioned with value-adding Splunk and SSO integrations out of the box.

5. Quality assurance of new MISP releases is time consuming

While new MISP releases generally introduce powerful new features and capabilities, they can also occasionally introduce bugs, edge cases, and breaking changes. This isn’t common with MISP, but does sometimes happen.

The risk of new MISP releases leading to unforeseen consequences can be mitigated with a robust suite of automated smoke tests that ensure your MISP instance is functioning as intended. MISP doesn’t come with these tests out of the box, so they’ll need to be developed for your environment and unique configuration. This is a service we provide to all CloudMISP customers so they don’t need to worry about spending time on MISP quality assurance.

6. Self-hosting requires a significant ongoing operational burden to keep MISP reliable and up to date

As we touched on earlier, the MISP project releases 12 - 20 updates per year, each containing new features, bug fixes, security patches, and improvements. One of the most common mistakes that teams self-hosting MISP make is that they don’t allocate ongoing time and resources to examine, apply and test each of these updates. As a result, teams end up using outdated versions of MISP that lack useful features and, critically, may contain bugs or vulnerabilities. Sometimes new versions also introduce issues, and a lack of robust testing processes before deployment could result in a non-working or feature degraded MISP instance.

This issue tends to compound over time because the further MISP falls out of date, the harder it is to upgrade to the latest version. Teams in this situation frequently find that even when they want to update MISP to the latest version, they are so many versions behind that it’s now a much more difficult project – and may even require setting up a fresh MISP from scratch.

With a managed MISP, your MISP instance will be kept up to date for you without ever having to worry about it.

Wrapping up

Deciding to self-host MISP comes with a set of opportunity costs beyond the financial, including the allocation of your team’s time, resources, expertise and energy.

While the allure of self-hosting may initially seem appealing, in reality, self-hosting often leads teams to reinvent the wheel and divert valuable time and resources away from their core objectives.

Managed MISP solutions like CloudMISP allow you to outsource the setup and operational overhead of MISP to experienced CTI practitioners, giving you a ready-to-use MISP instance with reliable infrastructure, robust integrations, and expert maintenance.

Instead of maintaining MISP, teams can focus on generating business value and avoid the numerous opportunity costs of self-hosting MISP.

You also get ongoing guidance and access to Cosive’s MISP experts to help you avoid common mistakes, adhere to best practices, and ultimately, multiply the effectiveness of your CTI program.

If you’d like to learn more, reach out to us to request pricing and additional information about CloudMISP.

Related posts

Browse all articles
February 21, 2024

7 MISP Best Practices: Lessons from Effective Threat Intel Teams

MISP is a powerful open source threat intelligence and sharing platform used by countless SOC teams around the world. Getting a barebones MISP instance up and running is well within the skill-set of most SOC teams. Download MISP, run it on a VM, and log in to the MISP admin console using default credentials… all within about 10 minutes. That part is easy. Now for the hard part: how do you get from a barebones MISP install to actually using MISP to solve real-world cybersecurity problems? Making that leap can be much more complex and challenging than it may seem on the surface.

February 21, 2024

How to Disrupt Phishing with Anti Phishing Canary Credentials

The traditional response to a phishing attack is to issue a take-down request and wait for the site to (possibly) be yanked offline. Take-downs, while necessary, just don’t hit phishers where it hurts - they still harvest plenty of stolen credentials while the site is up. In light of this, security teams are looking for new, more effective ways to fight back against phishers. Rather than be reactive, we want to disrupt phishers’ operations. A strategy rapidly gaining in popularity is the use of credential poisoning techniques, utilising what are referred to as ‘canary credentials’.