Educause Security Discussion mailing list archives

Re: SIEM Tools

From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 22 Jan 2018 15:45:00 +0000

You’ve touched on one of the key pieces of the SIEM space: finding the sweet spot for your team on usability and 
configurability.

A more technical team/individual who wants to spend some time to tweak things might look more towards a Splunk or ELK 
based option. Skilled teams have made really cool things with solutions like these.

A team that wants to focus on out-of-the-box functions and is willing to put staff time on the triage side rather than 
config side, might go with a Logrythm type option.  Or similarly, perhaps a team that has one deeper tech and more SOC 
operator staff might want a solution designed around one person builds dashboards/searches and others review/respond to 
alerts.

IMO, in both cases the vendors (and often customers) undersell the amount of effort it takes to get something up and 
running from scratch to alerts with a decent signal to noise ratio (that also don’t have a lot of false negatives).

Like anything, it’s about figuring out what you want to accomplish, what resources you have now, and which path bridges 
the gap between present and future best for your team/organization.

Brad Judy

Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu<http://www.cu.edu/>

[cu-logo_fl]


From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Seth Shestack <shestack () TEMPLE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 22, 2018 at 5:15 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SIEM Tools

WE are currently using LogRhythm and are extremely happy.
We also did a POC of Splunk which seemed very good, however we felt that Splunk would require a larger team to manage 
since it required more programming and LogRhythm had many of these correlation rules built out of the box.

A further caution, I am not sure of your log volume but we started with a smaller system (Trigeo which was bought out 
by Solarwinds) and found that we outgrew it because it couldn’t scale.
Make sure whatever system you buy will scale to any future needs.

Seth

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David D 
Grisham
Sent: Saturday, January 20, 2018 11:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SIEM Tools

We are using Splunk and it is a very versatile tool.
Cheers.-grish David Grisham
David Grisham, PhD, CISM, CRISC
933 Bradbury Drive SE, Suite 3131
Manager, Cybersecurity, UNM Hospitals, UNM Health Science Center
505.272.5657 my email Dgrisham () salud UNM edu<mailto:Dgrisham () salud UNM edu>
DO NOT provide your username, password, or any personal information in any email.
UNMH WILL NEVER ask you for your username or password via email.
DO NOT CLICK links or attachments unless you are positive the content is safe.



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of WALTER 
KERNER
Sent: Friday, January 19, 2018 10:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SIEM Tools

Hi Michael. We have had good luck with Alert Logic. It combines log analysis and IDS functions and has been very 
valuable.

On Fri, Jan 19, 2018 at 9:48 PM Madl, Michael <michael.madl () indwes edu<mailto:michael.madl () indwes edu>> wrote:
I am currently reviewing several SIEM products [QRadar, Alien Vault, Log Rhythm etc.].

Can anyone share any success stories with the product they are utilizing.  I have utilized Alien Vault in the past and 
the correlation functionality is pretty good.  Threat detection is also done well.

Gartner has been a great tool for review but wondering if anyone had any strong feelings/experiences with certain tools.


Thank you in advance,


MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY

INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON 
STREET<https://maps.google.com/?q=4201+SOUTH+WASHINGTON+STREET%0D+MARION,+IN+46953%0D+%C2%A0%0D+765&entry=gmail&source=g>
MARION, IN 
46953<https://maps.google.com/?q=4201+SOUTH+WASHINGTON+STREET%0D+MARION,+IN+46953%0D+%C2%A0%0D+765&entry=gmail&source=g>

765<https://maps.google.com/?q=4201+SOUTH+WASHINGTON+STREET%0D+MARION,+IN+46953%0D+%C2%A0%0D+765&entry=gmail&source=g>.677.2688
   |   765.677.2020 FAX
michael.madl () indwes edu<mailto:mike.madl () indwes edu>

INDWES.EDU/IT<http://indwes.edu/IT>

[cid:image001.jpg@01D3436E.D1E0F1C0]

CONFIDENTIALITY NOTICE: This email, including applicable attachments, may include legally protected information.  If 
you are not the intended recipient of this message, you may not disclose, print, copy, save, or disseminate this 
information. If you have received this email in error, please notify the sender by replying to this message and 
immediately delete this message.


--
Walter Kerner
AVP and CISO
Fashion Institute of Technology

Current thread:

SIEM Tools Madl, Michael (Jan 19)
- Re: SIEM Tools WALTER KERNER (Jan 19)
  - Re: SIEM Tools David D Grisham (Jan 20)
    - Re: SIEM Tools Seth A. Shestack (Jan 22)
    - Re: *EXT* Re: [SECURITY] SIEM Tools Velislav K Pavlov (Jan 22)
    - Re: *EXT* Re: [SECURITY] SIEM Tools Pardonek, Jim (Jan 22)
    - Re: SIEM Tools Frank Barton (Jan 22)
    - Re: SIEM Tools Brad Judy (Jan 22)
    - Re: SIEM Tools Adam Menos (Jan 22)
    - Re: SIEM Tools Tina Thorstenson (Jan 22)
    - Re: SIEM Tools Kevin Wilcox (Jan 22)
    - Re: SIEM Tools Manjak, Martin (Jan 22)
- Re: SIEM Tools David D Grisham (Jan 20)
  - Re: SIEM Tools Chad Tracy (Jan 20)
    - Re: SIEM Tools Ramon Rentas (Jan 22)
    - Re: SIEM Tools Shelton Waggener (Jan 23)
- Re: SIEM Tools Michael Klint Borozan (Jan 21)
- Re: SIEM Tools Rob Milman (Jan 22)

(Thread continues...)