Educause Security Discussion mailing list archives
Re: QRadar
From: John Ramsey <jramsey () STUDENTCLEARINGHOUSE ORG>
Date: Fri, 24 Aug 2018 13:45:42 +0000
We are a pretty extensive QRadar shop now, for about 5 years. We’re pretty satisfied and it’s a top-of-the-line SIEM. Like any SIEM though, there is some TLC required to ensure you’re pulling in the correct logs and tweaking alerts where necessary.

John

John Ramsey, Chief Information Security Officer, National Student Clearinghouse
Certified: CISSP, CISM, PMP, CSSLP, CRISC, CGEIT
2300 Dulles Station Blvd., Suite 220, Herndon, VA 20171
P: 703.742.4428 | http://www.studentclearinghouse.org
Read the Clearinghouse Today Blog: https://nscblog.org/
Winner “2016 When Work Works” & “Excellence in Work-Life Balance”

From: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Scott Stoops
Sent: Friday, August 24, 2018 9:43 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] QRadar

We recently completed a PoC of QRadar. Our intent is to purchase it as soon as we can reasonably arrange the budget. Things that affected our decisions:

1) It is a single interface. All configuration and interaction is through that single interface.
2) Initial set up was easy. Out of the box it is fairly chatty in terms of the information it presents. We anticipate that the actual tuning will take us quite some time.
3) The rules are very similar in concept to firewall rules. The logic for rules can be quite complex, but each statement is straightforward.
4) The product can handle most of the common log formats out of the box. There are add-ons available to integrate with various other security products.
5) It is fairly extensible through its application marketplace.
6) We were able to work extensively with an engineer during the PoC to make sure that we could see the value in the product. During that time they assisted us with examining incidents and determining ways to handle them.

We are a small shop and don't have the resources to devote a full-time person to monitoring a SIEM. QRadar looks like the kind of product that would allow us to see value from it without full-time eyes on the product.

--------------------------------------------------------------------------------------------------
Scott Stoops
Security Analyst II
Office of Information Technology | 100 Patterson Technology Center
Ashland, OH 44805
(w) 419-289-5405
sstoops () ashland edu

On Fri, Aug 24, 2018 at 9:01 AM Walzer, Jeff R <walzer () pitt edu> wrote:

We are looking at QRadar and were looking for any feedback from any schools that have deployed it. Pros/cons, good/bad, etc.

Thx
---------------------------------------------------------------------------
Jeff Walzer
Senior Security Analyst
Computing Services and Systems Development (CSSD)
University of Pittsburgh
315 S. Bellefield Ave., Rm 403
PGH, PA 15260
---------------------------------------------------------------------------
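An added illustration of two points raised in this thread: Scott's observation that SIEM rules read like firewall rules (an ordered set of simple match tests combined into one decision) and John's note that an out-of-the-box deployment is chatty until alerts are tweaked. This is editor-written example code, not QRadar's rule language and not anything the posters shared; the events, the rule names, the scanner allowlist and the 60-second window are constructed for the demonstration. It runs a deliberately noisy default rule and a tuned rule over the same sample authentication events and returns the alerts each one would raise.

```python
"""Toy correlation-rule evaluator (added example; not QRadar's engine).

A Rule is a list of straightforward match tests, all of which must pass
(like the match fields of a firewall rule), plus an optional counting
condition: fire when `threshold` matching events for the same `key`
field fall inside `window`. Tuning a chatty rule means adding tests
(an allowlist) and a counting condition so single events no longer page anyone.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional

Event = Dict[str, str]

# Constructed sample events (not real logs): ISO timestamp, source IP, user, outcome.
_RAW = [
    ("2018-08-24T09:00:01", "10.0.0.5",  "alice",    "fail"),
    ("2018-08-24T09:00:05", "10.0.0.5",  "alice",    "fail"),
    ("2018-08-24T09:00:09", "10.0.0.5",  "alice",    "fail"),     # 3 failures in 8 s
    ("2018-08-24T09:00:15", "10.0.0.5",  "alice",    "success"),
    ("2018-08-24T09:01:00", "10.0.0.99", "svc-scan", "fail"),     # known scanner (allowlisted)
    ("2018-08-24T09:01:01", "10.0.0.99", "svc-scan", "fail"),
    ("2018-08-24T09:01:02", "10.0.0.99", "svc-scan", "fail"),
    ("2018-08-24T09:05:00", "10.0.0.7",  "bob",      "fail"),     # isolated failure
    ("2018-08-24T09:09:00", "10.0.0.7",  "bob",      "fail"),     # 4 min later: outside window
]
SAMPLE_EVENTS: List[Event] = [
    {"ts": ts, "src": src, "user": user, "outcome": outcome} for ts, src, user, outcome in _RAW
]

# Hypothetical allowlist of vulnerability-scanner sources that are expected to fail logins.
SCANNER_SOURCES = {"10.0.0.99"}


@dataclass
class Rule:
    name: str
    tests: List[Callable[[Event], bool]] = field(default_factory=list)  # all must pass (AND)
    key: Optional[str] = None                 # field whose value groups events for counting
    threshold: int = 1                        # fire once this many matches are seen...
    window: timedelta = timedelta(seconds=60) # ...within this window


def evaluate(rule: Rule, events: List[Event]) -> List[Dict[str, object]]:
    """Apply one rule to time-ordered events; return the alerts it raises."""
    alerts: List[Dict[str, object]] = []
    seen: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in events:
        # Each test is a simple statement; the rule matches only if every one holds.
        if not all(test(ev) for test in rule.tests):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        key = ev[rule.key] if rule.key else "*"
        recent = seen[key]
        recent.append(ts)
        # Drop matches that have aged out of the sliding window.
        while recent and ts - recent[0] > rule.window:
            recent.popleft()
        if len(recent) >= rule.threshold:
            alerts.append({"rule": rule.name, "key": key, "ts": ev["ts"], "count": len(recent)})
            recent.clear()  # one burst raises one alert, not one per extra event
    return alerts


def default_rule() -> Rule:
    """Chatty out-of-the-box style rule: every failed login is an alert."""
    return Rule(name="auth-failure", tests=[lambda e: e["outcome"] == "fail"])


def tuned_rule() -> Rule:
    """Same rule after tuning: exclude scanners, require 3 failures per source within 60 s."""
    return Rule(
        name="auth-failure-burst",
        tests=[
            lambda e: e["outcome"] == "fail",
            lambda e: e["src"] not in SCANNER_SOURCES,
        ],
        key="src",
        threshold=3,
        window=timedelta(seconds=60),
    )


if __name__ == "__main__":
    for rule in (default_rule(), tuned_rule()):
        hits = evaluate(rule, SAMPLE_EVENTS)
        print(f"{rule.name}: {len(hits)} alert(s)")
        for hit in hits:
            print("  ", hit)
```

On the constructed events the default rule raises eight alerts (one per failed login, scanner traffic included), while the tuned rule raises a single alert for the three-failure burst from 10.0.0.5 and stays quiet for the allowlisted scanner and for bob's two failures four minutes apart. The point is the shape of the work, not the specific thresholds: each added test is trivial on its own, and the tuning effort both posters describe is deciding which tests and counts reflect what the team actually wants to look at.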