Educause Security Discussion mailing list archives
Re: SIEM Solution Recommendation
From: Mark Poepping <poepping () CMU EDU>
Date: Sun, 30 Oct 2011 18:11:57 +0000
While you're on the topic... a few curiosities. For those sharing a mechanism: did you start with this sharing assumption and include others in the requirements and vendor evaluation, or has it been a side-effect (unexpected, or maybe hoped-for value, but not part of the original acquisition)? And in the sharing, does everybody have access to all the logs, or does somebody dole out the permissions somehow?

And for others who haven't (yet) +1-ed, are these "security products" on the radar of your applications, systems, or network folks? Are they open to, or looking for, an opportunity to share a single logging solution?

Mark.

-----Original message-----
From: "Basgen, Brian" <bbasgen () PIMA EDU>
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Sent: Sun, Oct 30, 2011 16:24:44 GMT+00:00
Subject: Re: [SECURITY] SIEM Solution Recommendation

FWIW, our sysadmins and DBAs have found our Nitro SIEM quite useful for troubleshooting some system issues that have occurred. In any event, I think you are quite right that such a criterion of use by other groups is very important. I find that our most successful security products are those that are widely used outside of our security group.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Director of Client Services (Acting) & Information Security Officer
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

On 10/29/11 9:34 PM, "Will Froning" <will.froning () GMAIL COM> wrote:

Hello Abigail,

I will second the vote for Splunk with Enterprise Security Suite. I tested Nitro, NetIQ and Splunk head-to-head and found Splunk the best of the three. The real win is the ability to use Splunk beyond just the initial project. The SIEM is really only usable by the Security group, but with Splunk I've given access to the web team, systems, networking, Banner group and even the IT director. Each of them has used it to solve a number of problems that would have otherwise been difficult or time-consuming with raw logs. Now the big investment has a quicker ROI for the University.

The Splunk licensing model is very straightforward: X number of GB indexed per day and the ability to exceed that limit a few times a month without penalty. If you find the reporting too slow, you just buy another search head and distribute the load with no additional licensing cost.

Thanks,
Will

On Wed, Oct 26, 2011 at 7:38 PM, Burton, Abigail F <afburton () bcm edu> wrote:

Greetings All:

We are in the process of doing dog and pony shows for SIEM solutions and I would like to get a general perspective of what you have experienced in-house and those that belong in the out-house :-) We are looking at:

ArcSight
RSA
NitroSecurity
NetIQ

to just name a few. Any thoughts would be very helpful. Please feel free to contact me directly.

Best regards,
--
Abigail Burton
Sr. Information Security Analyst
Enterprise IT Security and Compliance
Baylor College Of Medicine
http://www.bcm.edu
Voice: 713.798.4559 afburton () bcm edu
Main: 713.798.3900 itsc () bcm edu
Fax: 713.798.1205

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning