Educause Security Discussion mailing list archives

Re: SIEM Tools


From: "Bridges, Robert A." <bridgesra () ORNL GOV>
Date: Mon, 22 Jan 2018 15:43:54 +0000

Frank,
They like Splunk. They found Splunk ES involved constant configuration/reconfiguration to work well, and cost them 
more time than not having it.
bb

--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National 
Laboratory

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Frank Barton 
<bartonf () HUSSON EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 22, 2018 at 10:42 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SIEM Tools

Robert, other than the cost, I'd be very interested to know what they don't like about splunk. Since we implemented it 
a couple months ago, it has proved itself extremely useful to us, almost on a daily basis. Not only from a security 
perspective, but also from a troubleshooting perspective.

Thank You
Frank

On Mon, Jan 22, 2018 at 10:35 AM, Bridges, Robert A. <bridgesra () ornl gov<mailto:bridgesra () ornl gov>> wrote:
All, I’m a researcher and not an operator, but I interact w/ SOC operators regularly.

Splunk ES has gotten bad reviews from the folks I know (that’s not to say they don’t like/use Splunk)

Stucco is an open-source R&D project (less mature) for correlating internal and external data: https://github.com/stucco



--
Robert A. Bridges, PhD, Research Mathematician, Cyber & Information Science Research Group, Oak Ridge National 
Laboratory

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Rob Milman <rob.milman () SAIT CA>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Monday, January 22, 2018 at 10:26 AM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] SIEM Tools

+1 for Splunk

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Madl, Michael
Sent: Friday, January 19, 2018 7:49 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SIEM Tools

I am currently reviewing several SIEM products [QRadar, Alien Vault, Log Rhythm etc.].

Can anyone share any success stories with the product they are utilizing? I have utilized Alien Vault in the past and 
the correlation functionality is pretty good. Threat detection is also done well.

Gartner has been a great tool for review but wondering if anyone had any strong feelings/experiences with certain tools.


Thank you in advance,


MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY

INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON STREET
MARION, IN 46953

765.677.2688   |   765.677.2020 FAX
michael.madl () indwes edu

INDWES.EDU/IT

CONFIDENTIALITY NOTICE: This email, including applicable attachments, may include legally protected information.  If 
you are not the intended recipient of this message, you may not disclose, print, copy, save, or disseminate this 
information. If you have received this email in error, please notify the sender by replying to this message and 
immediately delete this message.





--
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University
