Educause Security Discussion mailing list archives

Re: SIEM Solution Recommendation


From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Sun, 30 Oct 2011 19:08:05 -0700


(1) For us, it was a goal, but a distant one at the time. Several years ago our security efforts didn't have much 
success in providing support to operations. At the end of the day, with a SIEM in particular, we knew the device would 
not be useful in the way that we needed if our sysadmins and netadmins were not on board. After all, it is all about 
their devices, so we needed to be able to get them to connect their devices in useful and meaningful ways.

(2) We dole out permissions.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Brian Basgen
Director of Client Services (Acting)
& Information Security Officer
Pima Community College
Office: 520-206-4873
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

From: Mark Poepping <poepping () CMU EDU<mailto:poepping () CMU EDU>>
Reply-To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Date: Sun, 30 Oct 2011 11:11:57 -0700
To: EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] SIEM Solution Recommendation

While you're on the topic.. A few curiosities..

For those sharing a mechanism..
Did you start with this sharing assumption and include others in the requirements and vendor evaluation, or has it been 
a side-effect (unexpected, or maybe hoped-for value, but not part of the original acquisition)?

And in the sharing, does everybody have access to all the logs or does somebody dole out the permissions somehow?

And for others who haven't (yet) +1-ed, are these "security products" on the radar of your applications, systems, or 
network folks? Are they open to or looking for an opportunity to share a single logging solution?

Mark.


-----Original message-----
From: "Basgen, Brian" <bbasgen () PIMA EDU<mailto:bbasgen () PIMA EDU>>
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Sent: Sun, Oct 30, 2011 16:24:44 GMT+00:00
Subject: Re: [SECURITY] SIEM Solution Recommendation

FWIW, our sysadmins and DBAs have found our Nitro SIEM quite useful for
troubleshooting some system issues that have occurred. In any event, I
think you are quite right that such a criterion of use by other groups is
very important. I find that our most successful security products are
those that are widely used outside of our security group.

On 10/29/11 9:34 PM, "Will Froning" <will.froning () GMAIL COM<mailto:will.froning () GMAIL COM>> wrote:

Hello Abigail,

I will second the vote for Splunk with Enterprise Security Suite. I
tested Nitro, NetIQ and Splunk head-to-head and found Splunk the best
of the three. The real win is the ability to use Splunk beyond just
the initial project. The SIEM is really only usable by the Security
group, but with Splunk I've given access to the web team, systems,
networking, banner group and even the IT director. Each of them has
used it to solve a number of problems that would have otherwise been
difficult or time consuming with raw logs. Now the big investment has
a quicker ROI for the University.

The Splunk licensing model is very straightforward; X number of GB
indexed per day and the ability to exceed that limit a few times a
month without penalty. If you find the reporting too slow, you just
buy another search head and distribute the load with no additional
licensing cost.

Thanks,
Will

On Wed, Oct 26, 2011 at 7:38 PM, Burton, Abigail F <afburton () bcm edu<mailto:afburton () bcm edu>>
wrote:
Greetings All:

We are in the process of doing dog and pony shows for SIEM solutions
and I would like to get a general perspective of what you have
experienced in-house and those that belong in the out-house :-)

We are looking at:
ArcSight
RSA
NitroSecurity
NetIQ

to just name a few. Any thoughts would be very helpful. Please feel
free to contact me directly.

Best regards,
--
Abigail Burton
Sr. Information Security Analyst
Enterprise IT Security and Compliance
Baylor College Of Medicine
http://www.bcm.edu

Voice: 713.798.4559     afburton () bcm edu<mailto:afburton () bcm edu>
Main:  713.798.3900     itsc () bcm edu<mailto:itsc () bcm edu>
Fax:   713.798.1205

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com<mailto:Will.Froning () GMail com>
MSN: wfroning () angui sh<mailto:wfroning () angui sh>
YIM: will_froning
AIM: willfroning