Educause Security Discussion mailing list archives
Re: SIEM Tools
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Mon, 22 Jan 2018 16:27:32 +0000
There's so much good here that I don't want to snip any of it. It's painful to trim!

On 22 January 2018 at 15:45, Brad Judy <brad.judy () cu edu> wrote:

> You’ve touched on one of the key pieces of the SIEM space: finding the sweet spot for your team on usability and configurability. A more technical team/individual who wants to spend some time to tweak things might look more towards a Splunk or ELK based option. Skilled teams have made really cool things with solutions like these.

We've been having a similar conversation in another forum about exactly this. People were upset with their existing solutions because they either send everything to it and can't get what they want in a timely fashion or they can't afford to send enough so they're hamstrung on what they can detect/analyse. This has caused serious conversation by the more "hands-on" folks around the idea of a multi-SIEM approach. They want to use Splunk, ArcSight, QRadar, etc., as their more "compliance-driven" SIEM but they want to use ELK/GrayLog/etc as their "first-pass" zone -- it gets everything for a couple of days or a week, gives super-quick search across everything and then they filter out from there.

Maybe they can't afford an extra 10GB/day just for DHCP logs in Splunk but they CAN afford a couple of VMs for ELK or GrayLog to take in DHCP logs and give them a quick view of <x> number of Apple devices or that <y> user has sent out 50 DHCPDISCOVER requests every second all weekend.

Maybe they can't afford an extra 25GB/day just for DNS logs in QRadar but they CAN afford to keep six months of their passive DNS logs there and then send a week of DNS query logs to some ELK or GrayLog VMs for analysis about exactly who is requesting all those .tk domains or for a heads-up that <z> user has requested 10k unique domains in the last three days and 8500 of them have had "247support.co.cc" as the registered domain, 9000 were to domains registered within eight hours of when they were resolved and the 247support.co.cc domains all resolved to IPs that are assigned to Comcast and Spectrum.

As you said, Brad, it's about knowing what you expect and the true costs of deployment, care and feeding. Know what you're going to miss because you have to play within EPS/GB-per-day licensing schemes and plan accordingly. Maybe you're okay missing those sources, maybe you're not. Maybe you just don't have anyone on-staff with time to work with them so you don't collect them - and that's okay!

kmw
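The "first-pass" checks Kevin describes (one client resolving thousands of unique names that mostly share one registered domain, names under domains registered only hours before they were first resolved, and a MAC firing DHCPDISCOVER dozens of times a second) are the kind of thing you would run as a saved search or a small script over the short-retention ELK/Graylog tier. The block below is an added example written for this page, not code from Kevin's post or from any of the products named. Everything in it is constructed: the log line layouts (a BIND-style "timestamp client ip query: name" line and an ISC-dhcpd-style DHCPDISCOVER line), the clients, MACs, domain names, thresholds and the registration timestamps standing in for WHOIS/RDAP data are all invented for the demonstration, and the registered-domain lookup uses a two-entry stand-in for the Public Suffix List.

```python
"""First-pass triage of DNS query and DHCP logs. Added example; all data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Stand-in for the Public Suffix List (assumption: the real list is far longer).
TWO_LABEL_SUFFIXES = {"co.cc", "co.uk"}


def registered_domain(qname):
    """Registered (apex) domain of a query name: 'a.b.ex.co.cc' -> 'ex.co.cc', 'www.ex.com' -> 'ex.com'."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_dns_line(line):
    """Parse the constructed layout 'YYYY-MM-DDTHH:MM:SS client <ip> query: <name>'."""
    ts, _, client, _, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def dns_client_stats(lines):
    """Per client: the set of unique names and a Counter of their registered domains;
    plus the first time each name was seen in the window."""
    unique, regs, first_seen = defaultdict(set), defaultdict(Counter), {}
    for line in lines:
        ts, client, qname = parse_dns_line(line)
        if qname not in unique[client]:
            unique[client].add(qname)
            regs[client][registered_domain(qname)] += 1
        first_seen.setdefault(qname, ts)
    return unique, regs, first_seen


def flag_dns_clients(lines, min_unique=100, min_share=0.8):
    """Clients with at least min_unique distinct names where one registered domain
    accounts for at least min_share of them (the '8500 of 10k under one apex' pattern).
    Returns {client: (unique_count, apex, share)}."""
    unique, regs, _ = dns_client_stats(lines)
    flagged = {}
    for client, names in unique.items():
        if len(names) < min_unique:
            continue
        apex, n = regs[client].most_common(1)[0]
        share = n / len(names)
        if share >= min_share:
            flagged[client] = (len(names), apex, round(share, 2))
    return flagged


def newly_registered_fraction(lines, registered_at, window=timedelta(hours=8)):
    """Fraction of each client's unique names whose registered domain was registered
    within `window` before the name was first resolved. registered_at is {apex: datetime},
    a constructed stand-in for WHOIS/RDAP or passive-DNS first-seen data."""
    unique, _, first_seen = dns_client_stats(lines)
    result = {}
    for client, names in unique.items():
        fresh = 0
        for qname in names:
            reg = registered_at.get(registered_domain(qname))
            if reg is not None and timedelta(0) <= first_seen[qname] - reg <= window:
                fresh += 1
        result[client] = round(fresh / len(names), 2)
    return result


def dhcp_discover_bursts(lines, per_second=50):
    """{mac: peak DHCPDISCOVERs in any single second} for MACs reaching per_second
    (the '50 DHCPDISCOVER requests every second all weekend' case)."""
    counts = Counter()
    for line in lines:
        tokens = line.split()
        if "DHCPDISCOVER" not in tokens:
            continue
        mac = tokens[tokens.index("from") + 1]
        counts[(mac, tokens[0])] += 1  # tokens[0] is the second-resolution timestamp
    peaks = {}
    for (mac, _), n in counts.items():
        peaks[mac] = max(peaks.get(mac, 0), n)
    return {mac: n for mac, n in peaks.items() if n >= per_second}


# Constructed sample data: one noisy client, one quiet one, one chatty DHCP MAC.
DNS_LOG = (
    [f"2018-01-20T10:{i // 60:02d}:{i % 60:02d} client 10.0.0.5 query: host{i}.burst-example.co.cc" for i in range(90)]
    + [f"2018-01-20T11:00:{i % 60:02d} client 10.0.0.5 query: cdn{i}.other-example.com" for i in range(10)]
    + [f"2018-01-20T10:00:0{i} client 10.0.0.9 query: www.example.org" for i in range(5)]
)
REGISTERED_AT = {  # constructed registration times
    "burst-example.co.cc": datetime(2018, 1, 20, 4, 0, 0),  # six hours before first query
    "other-example.com": datetime(2015, 1, 1),
    "example.org": datetime(2000, 1, 1),
}
DHCP_LOG = (
    ["2018-01-20T10:00:00 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:01 via eth0"] * 60
    + ["2018-01-20T10:00:00 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:02 via eth0",
       "2018-01-20T10:00:01 dhcpd: DHCPREQUEST for 10.0.0.9 from aa:bb:cc:00:00:02 via eth0"]
)

if __name__ == "__main__":
    print("DNS apex concentration:", flag_dns_clients(DNS_LOG))
    print("newly registered share:", newly_registered_fraction(DNS_LOG, REGISTERED_AT))
    print("DHCPDISCOVER bursts:", dhcp_discover_bursts(DHCP_LOG))
```

The thresholds are deliberately small so the constructed data trips them; in production you would tune `min_unique`, `min_share` and `per_second` against a week of your own baseline, and replace `TWO_LABEL_SUFFIXES` with a real Public Suffix List lookup, since a naive two-label split misclassifies every `.co.cc`/`.co.uk` style name.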