Educause Security Discussion mailing list archives

Re: Tool and Software Suggestions


From: "Hagan, Sean" <sean.hagan () YC EDU>
Date: Mon, 19 Nov 2018 23:55:50 +0000

(Apologies in advance for the length of this...)


I'll be a polite contrarian and argue that Splunk is more appropriate when you're relatively flush with resources (both 
human and financial).  It could easily consume an FTE (or more), and it costs more than many other equally important 
(imho) security-related tools.

That said - and as Brendan notes - log collection and analysis are very important.  Since Justin notes that he's 
concerned with vulnerability assessment, a combined VA/SIEM solution like LogRhythm or AlienVault might make some sense 
to consider.  If you have audit/compliance requirements (doesn't everyone?), a SIEM can indeed be a very useful tool - 
it's also great for incident response and threat hunting.

As the expression goes, some of the best things in life are free (or nearly free).  The best bang for our buck has been 
joining MS-ISAC and REN-ISAC and networking with peers in and around the state - we've saved a significant amount of 
time, money, and increased efficiency and maturity by simply collaborating with and amongst other schools and 
government organizations.  Every institution is different, but after three years in my current role, the greatest 
threats and greatest payoffs I've observed have related to email security and border protections, along with security 
awareness training and MFA.

A capable NGFW firewall, threat intelligence feeds, advanced email security functionality (anti-phishing, 
anti-impersonation, and clicked-link tracking capabilities), vulnerability assessment/remediation (to include 
patching/patch management), mandated institutional MFA (at least for employees), and a decent EPP (possibly with EDR 
functionality depending on how often you're dealing with malware) would be my top picks for a new program (or new 
budget for existing program).  DLP is important but a significant challenge to implement and support, and might be more 
appropriate when you've already addressed the above to a sufficient level of maturity.  I take IAM for granted since we 
developed an in-house system to manage that several years ago, but it would definitely be worthy of significant upfront 
investment given its importance and the amount of time you might spend managing it (or unraveling it after an incident).

Since the above isn't really providing specific answers to Justin's questions:
Vulnerability Assessment:  Department of Homeland Security (DHS) offers free external vulnerability scanning via the 
NCATS Cyber Hygiene program - I'd absolutely do that regardless of whether you end up doing something else later on 
(they use a modified version of Nessus).  Nessus is popular in higher ed, but expensive if you want something that 
easily scales (Tenable Security Center).  Other solutions include Rapid7's Nexpose, Qualys Vulnerability Management, 
and others.  My experience is that you'll pay around $10 per IP per year that you want to scan for the enterprise tools 
(that's for ranges of 1k-2k IPs - you would hopefully pay less with greater quantities).

Identity and Access Management Monitoring:  As Brendan mentions, a SIEM will help a lot with this, but at great 
expense.  You might also look at tools from Netwrix (warning - they'll spam the heck out of you if you sign up to 
download anything).  We wrote our own and coupled that with a SIEM, so I can't be of much help to you on that question.

Patch/Configuration Management - joining MS-ISAC will give you access to the CIS SecureSuite toolset - which will give 
you free resources for creating and auditing against secure baseline configurations.  You may find that your 
vulnerability assessment tools can audit config management as well.  Beyond that, we use a product for patch management 
that I personally really dislike, but I'm pretty sure it's common in higher ed and SMB IT groups.  What I've observed 
being semi-actively involved in institutional patching for the last year or two is that the process is probably as 
important as the tool you choose.  EDIT:  It appears that UotC would not qualify for free CIS SecureSuite since you are 
a private school.


Good luck!

Sean

~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sean Hagan
Chief Information Security Officer
Yavapai College
(928) 717-7651 - direct
https://www.yc.edu


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of WALSH, BRENDAN
Sent: Monday, November 19, 2018 3:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tool and Software Suggestions

I'm sure a number of responses will mention Splunk - in my mind, it's the best IT investment we have made.  There is a 
learning curve to it, but when it comes to log collection and correlation, Splunk is the best tool on the market.  You 
can probably start small (~10GB/day?) and grow from there - licensing is a little pricey and determined by your 
anticipated daily log volume.

You'll want to collect authentication logs (network authentication as well as application authentication) and AD events 
first and foremost.  If you have a faculty/staff/student portal, like Ellucian Luminis, go ahead and grab activity logs 
from there too.  That should give you a good baseline for being able to monitor account activity - particularly for 
compromised accounts.

If you're part of Internet2, you and your staff can take the Splunk Power User training course at no-cost 
(https://www.internet2.edu/news/detail/11515/)

As you get rolling, Splunk could help with some of the other categories you mention as well.

Cheers - and best of luck in your endeavors!

-Brendan

Brendan Walsh, MBA, CISSP
Manager, Security and Access Management
Kent State University
330-672-8551





________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Justin Hensley <justin.hensley () UCUMBERLANDS EDU>
Sent: Monday, November 19, 2018 4:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Tool and Software Suggestions


Hello All:

The Office of Information Security here at University of the Cumberlands was just opened this past spring and I moved 
from an operational IT role to Director of Information Security.  I have a new budget available to my office for the 
first time, and I'm working on getting budget numbers together.  I'm hoping that members of this group can suggest some 
tools and software that you use in your infosec office that are invaluable to you.  I'm primarily looking to start in 
the categories of vulnerability assessment and penetration testing, identity and access management monitoring (we're an 
Active Directory shop), and patch configuration and management.  I'm aware of many tools and software packages in the 
market, but I'm always finding new ones by reading posts in this listserv so I'm hoping this will help me and others 
also.



Thanks.



Justin O. Hensley, CEH, CISSP
University of the Cumberlands
Director of Information Security
Division of Information Services
Gatliff Administration Building | Lower Level | Room 008
104 Maple Street, Williamsburg, KY, 40769
606.539.4197 Office | 606.539.4144 Fax
justin.hensley () ucumberlands edu

www.ucumberlands.edu


