Educause Security Discussion mailing list archives

Re: SIEM Tools


From: Adam Menos <amenos () ARTIC EDU>
Date: Mon, 22 Jan 2018 09:49:02 -0600

Security Onion worked well for us in my previous organization (healthcare).
Yes, you would need somebody to configure it, but it's free and just as good
as some of the expensive ones.

On Mon, Jan 22, 2018 at 9:45 AM, Brad Judy <brad.judy () cu edu> wrote:

You’ve touched on one of the key pieces of the SIEM space: finding the
sweet spot for your team on usability and configurability.



A more technical team/individual who wants to spend some time to tweak
things might look more towards a Splunk or ELK based option. Skilled teams
have made really cool things with solutions like these.



A team that wants to focus on out-of-the-box functions and is willing to
put staff time on the triage side rather than config side, might go with a
Logrythm type option.  Or similarly, perhaps a team that has one deeper
tech and more SOC operator staff might want a solution designed around one
person builds dashboards/searches and others review/respond to alerts.



IMO, in both cases the vendors (and often customers) undersell the amount
of effort it takes to get something up and running from scratch to alerts
with a decent signal to noise ratio (that also don’t have a lot of false
negatives).



Like anything, it’s about figuring out what you want to accomplish, what
resources you have now, and which path bridges the gap between present and
future best for your team/organization.



Brad Judy



Information Security Officer

Office of Information Security

University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203

Office: (303) 860-4293

Fax: (303) 860-4302

www.cu.edu








*From: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of
Seth Shestack <shestack () TEMPLE EDU>
*Reply-To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Monday, January 22, 2018 at 5:15 AM
*To: *EDUCAUSE Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *Re: [SECURITY] SIEM Tools



We are currently using LogRhythm and are extremely happy.

We also did a POC of Splunk which seemed very good, however we felt that
Splunk would require a larger team to manage since it required more
programming and LogRhythm had many of these correlation rules built out of
the box.



A further caution, I am not sure of your log volume but we started with a
smaller system (Trigeo which was bought out by Solarwinds) and found that
we outgrew it because it couldn’t scale.

Make sure whatever system you buy will scale to any future needs.



Seth



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *David D Grisham
*Sent:* Saturday, January 20, 2018 11:31 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SIEM Tools



We are using Splunk and it is a very versatile tool.

Cheers.-grish *David Grisham*

David Grisham, PhD, CISM, CRISC

933 Bradbury Drive SE, Suite 3131

Manager, Cybersecurity, UNM Hospitals, UNM Health Science Center

505.272.5657 my email Dgrisham () salud UNM edu








*From:* The EDUCAUSE Security Constituent Group Listserv [
mailto:SECURITY () LISTSERV EDUCAUSE EDU <SECURITY () LISTSERV EDUCAUSE EDU>] *On
Behalf Of *WALTER KERNER
*Sent:* Friday, January 19, 2018 10:01 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* Re: [SECURITY] SIEM Tools



Hi Michael. We have had good luck with Alert Logic. It combines log
analysis and IDS functions and has been very valuable.



On Fri, Jan 19, 2018 at 9:48 PM Madl, Michael <michael.madl () indwes edu>
wrote:

I am currently reviewing several SIEM products [QRadar, Alien Vault, Log
Rhythm etc.].



Can anyone share any success stories with the product they are utilizing?
I have utilized Alien Vault in the past and the correlation functionality
is pretty good.  Threat detection is also done well.



Gartner has been a great tool for review but wondering if anyone had any
strong feelings/experiences with certain tools.





Thank you in advance,





MICHAEL MADL

INFORMATION SECURITY OFFICER

UNIVERSITY INFORMATION TECHNOLOGY



INDIANA WESLEYAN UNIVERSITY

4201 SOUTH WASHINGTON STREET

MARION, IN 46953



765.677.2688   |   765.677.2020 FAX

michael.madl () indwes edu <mike.madl () indwes edu>



INDWES.EDU/IT <http://indwes.edu/IT>











--

Walter Kerner
AVP and CISO
Fashion Institute of Technology




-- 

Adam Menos
Director of Information Security

116 S Michigan Ave | Chicago, IL 60603
*Office:* 312.499.4031
*amenos () artic edu* <amenos () artic edu>


