Educause Security Discussion mailing list archives

Re: SIEM Tools


From: "Manjak, Martin" <mmanjak () ALBANY EDU>
Date: Mon, 22 Jan 2018 16:41:14 +0000

We're considering this multi-tiered approach also. In our case, it's prompted by the fact that we have licensing for 
VMware's Log Insight. Granted, it's not the open-source tool that many others are touting, but it does offer us 
unlimited log aggregation. 

The thinking is throw the bulk stuff into something like this and feed selected info into specialty tools where 
reports, dashboards, alerts, and queries can be more readily built (or have already been built). I'm told that Log 
Insight provides hooks into Splunk to facilitate interoperability. 

Marty Manjak
CISO
University at Albany


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kevin 
Wilcox
Sent: Monday, January 22, 2018 11:28 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SIEM Tools

There's so much good here that I don't want to snip any of it. It's painful to trim!

On 22 January 2018 at 15:45, Brad Judy <brad.judy () cu edu> wrote:

> You’ve touched on one of the key pieces of the SIEM space: finding the sweet spot for your team on usability and 
> configurability.
> 
> A more technical team/individual who wants to spend some time to tweak things might look more towards a Splunk or ELK 
> based option. Skilled teams have made really cool things with solutions like these.

We've been having a similar conversation in another forum about exactly this. People were upset with their existing 
solutions because they either send everything to it and can't get what they want in a timely fashion or they can't 
afford to send enough so they're hamstrung on what they can detect/analyse.

This has caused serious conversation by the more "hands-on" folks around the idea of a multi-SIEM approach. They want 
to use Splunk, ArcSight, QRadar, etc., as their more "compliance-driven" SIEM but they want to use ELK/Graylog/etc. as 
their "first-pass" zone -- it gets everything for a couple of days or a week, gives super-quick search across 
everything and then they filter out from there.

Maybe they can't afford an extra 10GB/day just for DHCP logs in Splunk but they CAN afford a couple of VMs for ELK or 
Graylog to take in DHCP logs and give them a quick view of <x> number of Apple devices or that <y> user has sent out 50 
DHCPDISCOVER requests every second all weekend.

Maybe they can't afford an extra 25GB/day just for DNS logs in QRadar but they CAN afford to keep six months of their 
passive DNS logs there and then send a week of DNS query logs to some ELK or Graylog VMs for analysis about exactly who 
is requesting all those .tk domains or for a heads-up that <z> user has requested 10k unique domains in the last three 
days and 8500 of them have had "247support.co.cc" as the registered domain, 9000 were to domains registered within 
eight hours of when they were resolved and the 247support.co.cc domains all resolved to IPs that are assigned to 
Comcast and Spectrum.

As you said, Brad, it's about knowing what you expect and the true costs of deployment, care and feeding. Know what 
you're going to miss because you have to play within EPS/GB-per-day licensing schemes and plan accordingly. Maybe 
you're okay missing those sources, maybe you're not. Maybe you just don't have anyone on-staff with time to work with 
them so you don't collect them - and that's okay!

kmw
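The two "first-pass" checks Kevin sketches above (a client hammering DHCPDISCOVER, and a client whose DNS queries pile up under one registered domain or hit freshly registered domains) are the kind of thing a small ELK/Graylog tier, or even a script, can answer over a few days of raw logs. The Python below is an added illustration written for this archive page; it is not code from the thread, from Log Insight, or from any of the SIEMs named. It runs over constructed sample lines whose formats loosely follow ISC dhcpd syslog and BIND query-log output; the public-suffix subset, the registration timestamps and the clients, MACs and domains (including the 247support.co.cc name borrowed from the post) are all invented stand-ins for what a passive DNS or WHOIS feed would supply.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample data. The formats loosely follow ISC dhcpd syslog lines
# and BIND query logs; every host, address, MAC and domain is invented.
DHCP_LOG = """\
Jan 20 03:00:00 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 20 03:00:00 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 20 03:00:00 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 20 03:00:00 dhcp1 dhcpd: DHCPOFFER on 10.1.2.3 to 00:11:22:33:44:55 via eth0
Jan 20 03:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 20 03:00:01 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jan 20 03:00:05 dhcp1 dhcpd: DHCPDISCOVER from 66:77:88:99:aa:bb via eth0
""".splitlines()

DNS_LOG = """\
20-Jan-2018 03:00:01 client 10.1.2.3#5353: query: a1.247support.co.cc IN A
20-Jan-2018 03:00:02 client 10.1.2.3#5353: query: a2.247support.co.cc IN A
20-Jan-2018 03:00:03 client 10.1.2.3#5353: query: a3.247support.co.cc IN A
20-Jan-2018 03:00:04 client 10.1.2.3#5353: query: a3.247support.co.cc IN A
20-Jan-2018 03:00:05 client 10.1.2.3#5353: query: freestuff.tk IN A
20-Jan-2018 03:00:06 client 10.1.2.3#5353: query: www.example.com IN A
20-Jan-2018 03:00:07 client 10.1.2.44#5353: query: www.example.com IN A
20-Jan-2018 03:00:08 client 10.1.2.44#5353: query: mail.example.com IN A
""".splitlines()

# Constructed stand-ins for what a passive-DNS or WHOIS feed would supply:
# a tiny subset of the public suffix list and per-domain registration times.
PUBLIC_SUFFIXES = {"com", "edu", "tk", "cc", "co.cc"}
REGISTERED = {
    "247support.co.cc": datetime(2018, 1, 19, 22, 0),  # ~5h before the queries
    "freestuff.tk": datetime(2018, 1, 20, 1, 30),
    "example.com": datetime(1995, 8, 14),
}

DHCP_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd: DHCPDISCOVER from ([0-9a-fA-F:]{17})")
DNS_RE = re.compile(r"^(\S+ \S+) client ([\d.]+)#\d+: query: (\S+) IN \S+")


def dhcp_discover_peaks(lines):
    """Return {mac: highest number of DHCPDISCOVERs seen in any single second}."""
    per_second = Counter()
    for line in lines:
        m = DHCP_RE.match(line)
        if m:
            per_second[(m.group(2).lower(), m.group(1))] += 1
    peaks = {}
    for (mac, _second), n in per_second.items():
        peaks[mac] = max(peaks.get(mac, 0), n)
    return peaks


def flag_dhcp(peaks, per_second=50):
    """MACs whose per-second DHCPDISCOVER rate reached the threshold."""
    return sorted(mac for mac, n in peaks.items() if n >= per_second)


def registered_domain(name):
    """Collapse a query name to its registrable domain: longest known suffix plus one label."""
    labels = name.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return name.lower()  # unknown suffix: treat the whole name as registrable


def dns_profile(lines, registered=REGISTERED, new_window=timedelta(hours=8)):
    """Per client: distinct names, dominant registrable domain, and how many names
    belong to domains registered within new_window of the query time."""
    seen = defaultdict(set)
    by_reg = defaultdict(Counter)
    newly = Counter()
    for line in lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S")
        client, qname = m.group(2), m.group(3).lower()
        if qname in seen[client]:
            continue  # count each distinct name once per client
        seen[client].add(qname)
        reg = registered_domain(qname)
        by_reg[client][reg] += 1
        created = registered.get(reg)
        if created is not None and timedelta(0) <= ts - created <= new_window:
            newly[client] += 1
    return {c: {"unique": len(names),
                "top_registered": by_reg[c].most_common(1)[0],
                "newly_registered": newly[c]} for c, names in seen.items()}


def flag_dns(profile, min_unique=10000, top_share=0.85, new_share=0.85):
    """Clients with many distinct names that concentrate under one registrable
    domain or mostly resolve to freshly registered domains."""
    hits = []
    for client, p in profile.items():
        if p["unique"] < min_unique:
            continue
        _, top = p["top_registered"]
        if top / p["unique"] >= top_share or p["newly_registered"] / p["unique"] >= new_share:
            hits.append(client)
    return sorted(hits)
```

The default thresholds mirror the numbers in the post (10k unique names, roughly 85% under one domain or newly registered, 50 DHCPDISCOVERs a second), so the eight-line sample is far too small to trip them; `flag_dhcp(dhcp_discover_peaks(DHCP_LOG), per_second=2)` and `flag_dns(dns_profile(DNS_LOG), min_unique=5, top_share=0.5, new_share=0.5)` each return the one noisy client in the constructed data. The only non-obvious design choice is deduplicating query names per client before counting, so that a host re-resolving one hostname every few seconds does not look like a domain-generation algorithm. The Comcast/Spectrum resolution check in the post needs the answer section or passive DNS data, which BIND query logs do not carry, so it is not modelled here.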
