Educause Security Discussion mailing list archives
Re: SIEM Tools
From: Brad Judy <brad.judy () CU EDU>
Date: Mon, 22 Jan 2018 15:45:00 +0000
You've touched on one of the key pieces of the SIEM space: finding the sweet spot for your team on usability and configurability. A more technical team/individual who wants to spend some time to tweak things might look more towards a Splunk or ELK based option. Skilled teams have made really cool things with solutions like these. A team that wants to focus on out-of-the-box functions and is willing to put staff time on the triage side rather than the config side might go with a LogRhythm type option. Or similarly, perhaps a team that has one deeper tech and more SOC operator staff might want a solution designed around one person building dashboards/searches and others reviewing/responding to alerts.

IMO, in both cases the vendors (and often customers) undersell the amount of effort it takes to get something up and running from scratch to alerts with a decent signal to noise ratio (that also don't have a lot of false negatives). Like anything, it's about figuring out what you want to accomplish, what resources you have now, and which path bridges the gap between present and future best for your team/organization.

Brad Judy
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO 80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu

From: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Seth Shestack <shestack () TEMPLE EDU>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 22, 2018 at 5:15 AM
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SIEM Tools

We are currently using LogRhythm and are extremely happy. We also did a POC of Splunk, which seemed very good; however, we felt that Splunk would require a larger team to manage since it required more programming, and LogRhythm had many of these correlation rules built out of the box.

A further caution: I am not sure of your log volume, but we started with a smaller system (TriGeo, which was bought out by SolarWinds) and found that we outgrew it because it couldn't scale. Make sure whatever system you buy will scale to any future needs.

Seth

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David D Grisham
Sent: Saturday, January 20, 2018 11:31 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SIEM Tools

We are using Splunk and it is a very versatile tool.

Cheers.
-grish

David Grisham, PhD, CISM, CRISC
Manager, Cybersecurity, UNM Hospitals, UNM Health Science Center
933 Bradbury Drive SE, Suite 3131
505.272.5657
Dgrisham () salud UNM edu

DO NOT provide your username, password, or any personal information in any email. UNMH WILL NEVER ask you for your username or password via email. DO NOT CLICK links or attachments unless you are positive the content is safe.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of WALTER KERNER
Sent: Friday, January 19, 2018 10:01 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SIEM Tools

Hi Michael. We have had good luck with Alert Logic. It combines log analysis and IDS functions and has been very valuable.

On Fri, Jan 19, 2018 at 9:48 PM Madl, Michael <michael.madl () indwes edu> wrote:

I am currently reviewing several SIEM products [QRadar, AlienVault, LogRhythm, etc.]. Can anyone share any success stories with the product they are utilizing? I have utilized AlienVault in the past and the correlation functionality is pretty good. Threat detection is also done well. Gartner has been a great tool for review, but I am wondering if anyone had any strong feelings/experiences with certain tools.

Thank you in advance,

MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY
INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON STREET
MARION, IN 46953
765.677.2688 | 765.677.2020 FAX
michael.madl () indwes edu
INDWES.EDU/IT

CONFIDENTIALITY NOTICE: This email, including applicable attachments, may include legally protected information. If you are not the intended recipient of this message, you may not disclose, print, copy, save, or disseminate this information. If you have received this email in error, please notify the sender by replying to this message and immediately delete this message.

--
Walter Kerner
AVP and CISO
Fashion Institute of Technology
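The effort Brad and Seth describe, getting from raw logs to correlation rules with an acceptable signal-to-noise ratio and without too many false negatives, is easiest to see on a single toy rule run under several tunings. The following is an added example written for this archive page; it is not code from the thread or from any of the products named in it. The auth-log line format, the users, the IP addresses and the threshold/window values are all constructed for illustration.

```python
"""Toy SIEM-style correlation rule: N or more failed logins for one
(user, source) pair inside a sliding time window.  Everything below
(log format, hosts, users) is constructed for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth-log lines, already in time order.  Four stories:
#   alice    - two typos then success (benign)
#   bob      - six failures in 25 s from an external address (a real burst)
#   svc-scan - eight failures in 35 s from an internal scanner (known noise)
#   carol    - five failures spread over 20 minutes (benign, but slow)
SAMPLE_LOGS = [
    "2018-01-22T10:00:00 auth FAILED user=alice src=10.1.1.20",
    "2018-01-22T10:00:40 auth FAILED user=alice src=10.1.1.20",
    "2018-01-22T10:01:00 auth OK user=alice src=10.1.1.20",
] + [
    f"2018-01-22T10:05:{5 * i:02d} auth FAILED user=bob src=203.0.113.9"
    for i in range(6)
] + [
    f"2018-01-22T10:10:{5 * i:02d} auth FAILED user=svc-scan src=10.0.0.5"
    for i in range(8)
] + [
    f"2018-01-22T10:{20 + 5 * i}:00 auth FAILED user=carol src=10.1.1.30"
    for i in range(5)
]

# Assumed line layout: "<iso-timestamp> auth <FAILED|OK> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return a dict for a well-formed line, or None for anything else.
    A real SIEM would count unparsed lines; silently dropping them hides
    a source that changed format, which is itself a false-negative risk."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=5, window_seconds=60, allowlist=frozenset()):
    """Emit one alert per burst of `threshold` failures within `window_seconds`
    for the same (user, src).  Sources in `allowlist` are suppressed entirely."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "FAILED" or ev["src"] in allowlist:
            continue
        key = (ev["user"], ev["src"])
        q = recent[key]
        q.append(ev["ts"])
        # Slide the window: drop failures older than window_seconds.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "first": q[0], "last": ev["ts"], "count": len(q)})
            q.clear()  # one alert per burst, not one per extra failure
    return alerts


def compare_tunings(lines=SAMPLE_LOGS):
    """Run the same rule under four tunings; return {label: [(user, src), ...]}."""
    tunings = {
        "t5_w60": dict(threshold=5, window_seconds=60),
        "t5_w60_allowlist": dict(threshold=5, window_seconds=60,
                                 allowlist=frozenset({"10.0.0.5"})),
        "t5_w3600": dict(threshold=5, window_seconds=3600),
        "t10_w60": dict(threshold=10, window_seconds=60),
    }
    return {label: sorted((a["user"], a["src"]) for a in correlate(lines, **kw))
            for label, kw in tunings.items()}


if __name__ == "__main__":
    for label, hits in compare_tunings().items():
        print(f"{label:18s} -> {hits}")
```

Running it shows the trade-off in miniature. The 5-in-60-seconds rule fires on bob and on the scanner; adding the scanner's address to the allowlist leaves only the real burst without loosening the rule. Widening the window to an hour picks up carol's slow string of typos as well (a false positive), while raising the threshold to 10 fires on nothing, including bob (a false negative). Each of those knobs is cheap to turn; knowing which setting is right for your environment is the staff time the vendors undersell.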
Current thread:
- SIEM Tools Madl, Michael (Jan 19)
- Re: SIEM Tools WALTER KERNER (Jan 19)
- Re: SIEM Tools David D Grisham (Jan 20)
- Re: SIEM Tools Seth A. Shestack (Jan 22)
- Re: *EXT* Re: [SECURITY] SIEM Tools Velislav K Pavlov (Jan 22)
- Re: *EXT* Re: [SECURITY] SIEM Tools Pardonek, Jim (Jan 22)
- Re: SIEM Tools Frank Barton (Jan 22)
- Re: SIEM Tools Brad Judy (Jan 22)
- Re: SIEM Tools Adam Menos (Jan 22)
- Re: SIEM Tools Tina Thorstenson (Jan 22)
- Re: SIEM Tools Kevin Wilcox (Jan 22)
- Re: SIEM Tools Manjak, Martin (Jan 22)
- Re: SIEM Tools David D Grisham (Jan 20)
- Re: SIEM Tools WALTER KERNER (Jan 19)
- Re: SIEM Tools Chad Tracy (Jan 20)
- Re: SIEM Tools Ramon Rentas (Jan 22)
- Re: SIEM Tools Shelton Waggener (Jan 23)