Educause Security Discussion mailing list archives

Re: SIEM Tools


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Mon, 22 Jan 2018 16:01:27 +0000

Obscene licensing, schema-on-read architecture, massive learning curve for
data enrichment (that can kill performance due to the schema-on-read
architecture)...I can think of a couple of reasons to be anti-Splunk. Some
of those can be architected around (and why I've started seeing people
front Splunk with logstash and even nifi) but they're still problematic.

Not that schema-on-write doesn't have its flaws -- reindexing data when you
want to make a field "type" change retroactive to 20TB of log data isn't
exactly for the faint of heart -- but the performance is night-and-day
different for "well-tuned" systems.

Invariably, the people I talk to who LOVE Splunk either had syslog-only,
WEF-only or nothing before they did their deployments and it's not *Splunk*
that they really love, it's the benefits of log aggregation and unified
search that have them so enamoured.

kmw
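As an added illustration of the schema-on-read versus schema-on-write trade-off described above (example code written for this archive, not from the thread or from any of the products named), assuming constructed sshd log lines and a hypothetical internal address range for the enrichment step:

```python
import ipaddress
import re
from collections import Counter
# Constructed sshd log lines for the demo (not taken from the thread).
RAW_LOGS = [
    "Jan 22 15:42:01 bastion sshd[201]: Failed password for root from 10.0.0.7 port 51022",
    "Jan 22 15:42:03 bastion sshd[201]: Failed password for root from 10.0.0.7 port 51024",
    "Jan 22 15:42:09 bastion sshd[202]: Accepted publickey for alice from 10.0.1.5 port 40000",
    "Jan 22 15:43:15 bastion sshd[203]: Failed password for admin from 203.0.113.9 port 61000",
]
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range used for enrichment
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)
def parse(line):
    """Field extraction shared by both models; None for lines that do not match."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def ingest(lines):
    """Schema-on-write: parse, type and enrich once, at ingest."""
    records = []
    for line in lines:
        fields = parse(line)
        if fields is None:
            continue
        fields["port"] = int(fields["port"])  # type fixed at write time
        fields["src_internal"] = ipaddress.ip_address(fields["src"]) in INTERNAL_NET
        records.append(fields)
    return records

def failed_by_source_on_write(records):
    """Search over stored, typed fields: no regex work per query."""
    return Counter(r["src"] for r in records if r["result"] == "Failed")

def reindex(records, field, caster):
    """Retroactive type change under schema-on-write: every stored record is rewritten."""
    for r in records:
        r[field] = caster(r[field])
    return len(records)

def failed_by_source_on_read(lines):
    """Schema-on-read: raw lines stored, extraction repeated on every search."""
    counts = Counter()
    for line in lines:
        fields = parse(line)
        if fields and fields["result"] == "Failed":
            counts[fields["src"]] += 1
    return counts
```

Both searches return the same counts; the difference is where the parsing and enrichment cost is paid, and that a later type change under schema-on-write has to walk every stored record.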

On 22 January 2018 at 15:42, Frank Barton <bartonf () husson edu> wrote:

Robert, other than the cost, I'd be very interested to know what they
don't like about Splunk. Since we implemented it a couple months ago, it
has proved itself extremely useful to us, almost on a daily basis. Not only
from a security perspective, but also from a troubleshooting perspective.

Thank You
Frank

On Mon, Jan 22, 2018 at 10:35 AM, Bridges, Robert A. <bridgesra () ornl gov>
wrote:

All, I’m a researcher and not an operator, but I interact w/ SOC
operators regularly.

Splunk ES has gotten bad reviews from the folks I know (that’s not to say
they don’t like/use Splunk)

Stucco is an open-source R&D project (less mature) for correlating
internal and external data: https://github.com/stucco

--

Robert A. Bridges, PhD, Research Mathematician, Cyber & Information
Science Research Group, Oak Ridge National Laboratory



From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Rob Milman <rob.milman () SAIT CA>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 22, 2018 at 10:26 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SIEM Tools

+1 for Splunk

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Madl, Michael
Sent: Friday, January 19, 2018 7:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SIEM Tools

I am currently reviewing several SIEM products [QRadar, AlienVault,
LogRhythm etc.].

Can anyone share any success stories with the product they are
utilizing?  I have utilized AlienVault in the past and the correlation
functionality is pretty good.  Threat detection is also done well.

Gartner has been a great tool for review but wondering if anyone had any
strong feelings/experiences with certain tools.

Thank you in advance,





MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY
INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON STREET
MARION, IN 46953
765.677.2688   |   765.677.2020 FAX
michael.madl () indwes edu
INDWES.EDU/IT <http://indwes.edu/IT>


CONFIDENTIALITY NOTICE: This email, including applicable attachments,
may include legally protected information.  If you are not the intended
recipient of this message, you may not disclose, print, copy, save, or
disseminate this information. If you have received this email in error,
please notify the sender by replying to this message and immediately delete
this message.

--
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University
