Educause Security Discussion mailing list archives

Re: SIEM Tools


From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Mon, 22 Jan 2018 16:27:32 +0000

There's so much good here that I don't want to snip any of it. It's
painful to trim!

On 22 January 2018 at 15:45, Brad Judy <brad.judy () cu edu> wrote:

You’ve touched on one of the key pieces of the SIEM space: finding the
sweet spot for your team on usability and configurability.

A more technical team/individual who wants to spend some time to tweak
things might look more towards a Splunk or ELK based option. Skilled
teams have made really cool things with solutions like these.

We've been having a similar conversation in another forum about
exactly this. People were upset with their existing solutions because
they either send everything to it and can't get what they want in a
timely fashion or they can't afford to send enough so they're
hamstrung on what they can detect/analyse.

This has caused serious conversation by the more "hands-on" folks
around the idea of a multi-SIEM approach. They want to use Splunk,
ArcSight, QRadar, etc., as their more "compliance-driven" SIEM but
they want to use ELK/GrayLog/etc as their "first-pass" zone -- it gets
everything for a couple of days or a week, gives super-quick search
across everything and then they filter out from there.

Maybe they can't afford an extra 10GB/day just for DHCP logs in Splunk
but they CAN afford a couple of VMs for ELK or GrayLog to take in DHCP
logs and give them a quick view of <x> number of Apple devices or that
<y> user has sent out 50 DHCPDISCOVER requests every second all
weekend.

Maybe they can't afford an extra 25GB/day just for DNS logs in QRadar
but they CAN afford to keep six months of their passive DNS logs there
and then send a week of DNS query logs to some ELK or GrayLog VMs for
analysis about exactly who is requesting all those .tk domains or for
a heads-up that <z> user has requested 10k unique domains in the last
three days and 8500 of them have had "247support.co.cc" as the
registered domain, 9000 were to domains registered within eight hours
of when they were resolved and the 247support.co.cc domains all
resolved to IPs that are assigned to Comcast and Spectrum.

As you said, Brad, it's about knowing what you expect and the true
costs of deployment, care and feeding. Know what you're going to miss
because you have to play within EPS/GB-per-day licensing schemes and
plan accordingly. Maybe you're okay missing those sources, maybe
you're not. Maybe you just don't have anyone on-staff with time to
work with them so you don't collect them - and that's okay!

kmw
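A small worked version of the "first-pass" DNS heuristics Kevin describes above (unique names per user, and how many of them fall under one registered domain), added here as an example for this archive page rather than anything posted in the thread. The log line format, the thresholds and the stand-in suffix table are assumptions, and the sample lines are constructed.

```python
"""First-pass review of a week of DNS query logs: flag users resolving an
unusually large number of unique names and report the registered domain
most of those names share."""
from collections import Counter, defaultdict

# Assumption: a tiny stand-in for the public suffix list, so that names
# under "co.cc"-style suffixes are grouped by their registrable domain.
MULTI_LABEL_SUFFIXES = {"co.cc", "co.uk", "com.au"}


def registered_domain(qname: str) -> str:
    """Registrable domain of a query name: a.b.247support.co.cc -> 247support.co.cc."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze(lines, unique_threshold=10, share_threshold=0.8):
    """Parse assumed 'timestamp user qname' lines; return {user: finding} for users
    whose unique-name count and dominant registered-domain share exceed thresholds."""
    names_per_user = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the whole pass
        _ts, user, qname = parts
        names_per_user[user].add(qname.lower().rstrip("."))
    findings = {}
    for user, names in names_per_user.items():
        if len(names) < unique_threshold:
            continue
        top_domain, top_count = Counter(registered_domain(n) for n in names).most_common(1)[0]
        share = top_count / len(names)
        if share >= share_threshold:
            findings[user] = {"unique": len(names), "domain": top_domain, "share": round(share, 2)}
    return findings


# Constructed sample: 'carol' resolves 12 distinct hosts under one registered
# domain, 'dave' resolves a couple of ordinary names, one line is truncated.
SAMPLE_LOG = [f"2018-01-20T03:{i:02d}:00Z carol h{i}.cdn.247support.co.cc" for i in range(12)]
SAMPLE_LOG += [
    "2018-01-20T09:00:00Z dave www.example.edu",
    "2018-01-20T09:00:01Z dave mail.example.edu",
    "2018-01-20T09:00:02Z truncated",
]

if __name__ == "__main__":
    for user, f in analyze(SAMPLE_LOG).items():
        print(f"{user}: {f['unique']} unique names, {f['share']:.0%} under {f['domain']}")
```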