Educause Security Discussion mailing list archives

Re: Information Security tools


From: "Coffman, Tobiah" <tcoffman () BSU EDU>
Date: Thu, 24 Apr 2014 18:42:48 +0000

Jeff,

We have a Sourcefire IPS product currently deployed.  It's been in production for about 18 months.  During that time 
we've had two issues.  First, not long after deploying we had legitimate sites get added to the blacklist.  We turned 
off that feature after that.  After that, we had an issue where some authentication traffic was getting misidentified.  
Other than that, it's been great.  We've worked with IDS in the past, and it never worked out.  We got a lot of data, 
but it wasn't valuable.  In addition to attack traffic, this device coupled with our traffic shaping device has 
effectively completely eliminated our copyright notices.  We've had 2 in 18 months.

We purchased a SIEM solution this past fall.  We ended up going with EventTracker for a good mix of features and cost. 
I would check it out and also, if you're an Internet2 member, check out Splunk, which has good discounts.

Finally, we're a Symantec customer for their DLP product.  It's a good product and we've gotten a fair amount out of 
it, but it's really expensive.  I would pursue something like that if you feel like you've cleaned up the more 
important stuff.  If you have any follow-up questions, feel free to contact me off-list.

-Tobey Coffman, CISSP
Director of Information Security
Ball State University


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John 
McMillan
Sent: Thursday, April 24, 2014 10:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Information Security tools

We have two different IPS products deployed, and we've used three products in total over the years. There have been 
very few issues related to the rules deployed, none of them very serious. The only major negative impact was related to 
a bug that made one of the sensors stop processing traffic but not fail open as designed.  One of our IPS products is 
also DLP capable, which is on my project list for testing and deployment.

As for SIEM, we really want to find something that we like, but so far everything we've looked at that was promising 
was also very expensive.  I'm curious to hear what others may have to say on that topic.


On Thu, Apr 24, 2014 at 9:05 AM, Jeff Borton <jborton () schoolcraft edu<mailto:jborton () schoolcraft edu>> wrote:
Wondering what this group's thoughts are on using IPS vs. IDS systems, and whether you have been negatively impacted by one 
over the other.  Also, has anyone used data loss prevention or SIEM tools that they have liked?

Jeff Borton
Executive Director of Information Security


