Educause Security Discussion mailing list archives
Re: Open source SIEM
From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Tue, 11 Feb 2020 21:12:24 +0000
We are in the middle of this process as well…. The one piece I would add to what the others have said is that to make a SIEM effective, you have to be able to manage and search your logs well…. Our old Bro & ELK Stack ran about 8 billion events a week, and was generally useless. I don’t want to make that mistake in time/resources to deploy with no value on the other side…..

So, we have spent the time collecting and filtering “out the noise” on the log side for the last year or so with a Syslog/event log aggregator…. Once we are getting the logs we want, AND can do basic manual analysis to answer the questions we have, AND understand how much traffic we truly have, we will look into what SIEM solution best fits….

Additionally, there are a lot of SIEM tools built into other tools (Office 365, MS ATP, Palo, etc.)… so we want to be able to utilize those to the best of our ability, and send the data from them to our eventual SIEM solution…..

I also sent one of my Sec Analysts to the SANS 555 – SIEM with Tactical Analysis course, to build good fundamentals for the next step of our SIEM process….. They used Elastic heavily in the class….. SANS is expensive, the time doing the aggregation was painful…. But I really want the SIEM deployment to be successful and provide good output and alerting…

My general rule is a SIEM doesn’t solve any problems alone; it allows you to scale up your successful manual processes effectively. The hard part is having successful manual processes… ☺

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Zepu Chen
Sent: Tuesday, February 11, 2020 12:50 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Open source SIEM

Good Afternoon,

We are researching the possibility of implementing an open-source SIEM solution at our University. The project we are currently reviewing is MozDef from Mozilla.
Does anyone currently have MozDef or another open-source SIEM implemented in your environment? How has the implementation and operations experience been so far? We are interested in seeing what other schools are doing. We would greatly appreciate it if you would be kind enough to share any pitfalls, constraints and roadblocks as well as implementation recommendations.

Thanks,

[Denison University] <https://denison.edu/>
Zepu Chen
Systems & Security Administrator
Information Technology Services
Office: 740-587-5307
zepu.chen () denison edu

********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community **********
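Jonathan's point about measuring real log volume and filtering noise before picking a SIEM is a concrete, testable step. The script below is an added illustration, not code from either message or from any product named in the thread: it profiles a handful of constructed RFC 3164 style syslog lines per host and program, then applies an explicit, counted set of drop rules so the reduction is auditable rather than silent. Hostnames, programs and the drop patterns are invented for the example.

```python
import re
from collections import Counter

# Constructed sample syslog lines (RFC 3164 style); hosts and addresses are made up.
SAMPLE_LOGS = """\
Feb 11 12:50:01 fw01 kernel: [12345] IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=UDP DPT=53
Feb 11 12:50:01 fw01 kernel: [12346] IN=eth0 OUT= SRC=10.0.0.6 DST=10.0.0.1 PROTO=UDP DPT=53
Feb 11 12:50:02 web01 nginx: 10.0.0.9 - - "GET /healthz HTTP/1.1" 200 2
Feb 11 12:50:02 web01 nginx: 10.0.0.9 - - "GET /healthz HTTP/1.1" 200 2
Feb 11 12:50:03 web01 nginx: 203.0.113.7 - - "GET /login HTTP/1.1" 200 512
Feb 11 12:50:04 dc01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Feb 11 12:50:05 dc01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40123 ssh2
Feb 11 12:50:05 dc01 sshd[2211]: Accepted publickey for jdoe from 10.0.0.20 port 51000 ssh2
Feb 11 12:50:06 fw01 kernel: [12347] IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.1 PROTO=UDP DPT=53
Feb 11 12:50:07 web01 cron[411]: (root) CMD (run-parts /etc/cron.hourly)
"""

# timestamp, host, program (optional [pid]), message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# Drop rules: (program, message regex). Hypothetical noise sources chosen for the example.
# Every rule is counted when it fires, so the "filtered out" volume stays visible.
DROP_RULES = [
    ("kernel", re.compile(r"PROTO=UDP DPT=53$")),  # permitted internal DNS lookups
    ("nginx", re.compile(r'"GET /healthz ')),       # load-balancer health checks
    ("cron", re.compile(r"CMD \(run-parts ")),      # scheduled-job chatter
]


def parse(line):
    """Return the parsed fields of one syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def profile(lines):
    """Count events per (host, program) so you know how much traffic you really have."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        key = (ev["host"], ev["prog"]) if ev else ("unparsed", "unparsed")
        counts[key] += 1
    return counts


def filter_noise(lines, rules=DROP_RULES):
    """Apply the drop rules; return (kept lines, Counter of drops per rule)."""
    kept, dropped = [], Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            kept.append(line)  # never silently discard what you cannot parse
            continue
        for prog, pat in rules:
            if ev["prog"] == prog and pat.search(ev["msg"]):
                dropped[f"{prog}:{pat.pattern}"] += 1
                break
        else:
            kept.append(line)
    return kept, dropped


def reduction_percent(total, kept):
    """Share of events removed by the filter, as a percentage."""
    return 0.0 if total == 0 else 100.0 * (total - kept) / total


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for (host, prog), n in profile(lines).most_common():
        print(f"{host:8} {prog:8} {n}")
    kept, dropped = filter_noise(lines)
    for rule, n in dropped.items():
        print(f"dropped {n} by {rule}")
    print(f"kept {len(kept)}/{len(lines)} "
          f"({reduction_percent(len(lines), len(kept)):.0f}% reduction)")
```

Run the profile first against a day of real collector output and only then write drop rules: the per-program counts tell you where the 8-billion-events-a-week problem actually comes from, and the per-rule drop counters let you prove later that nothing security-relevant (here, the sshd authentication lines and the external login request survive) was thrown away along with the noise.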
Current thread:
- Open source SIEM Zepu Chen (Feb 11)
- Re: Open source SIEM Cleary, Kevin (Feb 11)
- Re: Open source SIEM Rogers, Zach (Feb 11)
- Re: Open source SIEM Max McGrath (Feb 11)
- Re: Open source SIEM Kevin Wilcox (Feb 11)
- Re: Open source SIEM Kimmitt, Jonathan (Feb 11)
- Re: Open source SIEM David Eilken (Feb 12)
- Re: Open source SIEM Powell, Andy (Feb 12)
- Re: Open source SIEM Nevin, Dave (Feb 12)
- Re: Open source SIEM David Eilken (Feb 12)