Re: Open source SIEM

["Powell, Andy" <ap16 () WILLIAMS EDU>]

Hi all, I've been following along with great interest on this topic, having
come from corp environments where I've deployed, tuned, used (and enjoyed!)
a variety of commercial SIEMs (QRadar, NetWitness, Exabeam DL/AA).

Dave, I'm somewhat surprised by your suggestion...MSSPs are an increasingly
attractive target
<https://krebsonsecurity.com/2019/12/ransomware-at-it-services-provider-synoptek/>
for attackers, as the bad guys know they represent the most bang for their
bitcoin. Unless you are speaking about Higher Ed MSSPs only (are there such
things?), why would you want to throw your investigative abilities into the
same pool as those corporate targets that a MSSP also serves?

I think this introduces more risk, setting aside the conversation of prompt
alerting, secure log transport, ad-hoc investigations (you don't want to
pay for), etc. The idea that logging and monitoring is sacrosanct (but
still over UDP? Hmm..) means it is too important to ship off to an MSSP,
imho.

Back to the topic at hand, we're looking at ELK stack, and thanks to this
thread I'm researching MozDef too. Secure Onion is known to me and is
currently my fall back plan. This will all play out over the next 12
months, ideally.

However, Dave infers a brilliant point...define your business
requirements...write them down, and as you evaluate any solution, you'll
have that to refer back to, ensuring it's not the tool you choose but the
capability it provides. Best of luck!

On Wed, Feb 12, 2020 at 12:17 PM David Eilken <
david.eilken () domail maricopa edu> wrote:

> I'll chime in on open-source tools for detection. I've been involved with
> the deployment/ use of the Elastic stack. Obviously many IS practitioners
> across industries use it, and Elastic has begun to tailor to IS
> specifically with endpoint agents, etc. You could build an entire career
> around it. The OpenSOC (https://opensoc.io/#portfolio) has a good list of
> tools they use with the Elasticsearch at the center.
>
> I'm somewhat surprised to see so many that have built or are considering
> building your own SIEM solution or even purchasing a SIEM/ Logging tool.
> May I ask what is your brief business case versus using an MSSP to do it
> all for you? -Is it just cost?
>
> If I had to guess, most in education don't have a SIEM or SOC in-house,
> but maybe that is changing?
>
> Thanks for expanding on this conversation,
> Dave
> [image: Maricopa Community College District Office logo]
> DAVID EILKEN MA, MBA, CISSP-ISSMP
> MARICOPA COMMUNITY COLLEGES
> Information Security Officer | ITS
> 2411 West 14th Street, Tempe, AZ 85281
> david.eilken () domail maricopa edu
> security.maricopa.edu
> O: 480-784-0637
> LinkedIn  <https://www.linkedin.com/in/eilken>| Twitter
> <https://twitter.com/daveeilken>
>
>
> On Tue, Feb 11, 2020 at 2:12 PM Kimmitt, Jonathan <
> jonathan-kimmitt () utulsa edu> wrote:
>
> > We are in the middle of this process as well….  The one piece I would add
> > to what the others have said, is that to make a SIEM effective, you have to
> > be able to manage and search your logs well….  Our old Bro & Elk Stack ran
> > about 8 billion events a week, and was generally useless.  I don’t want to
> > make that mistake in time/resources to deploy with no value on the other
> > side…..
> >
> >
> >
> > So, we have spent the time in collecting and filtering “out the noise” on
> > the log side for the last year or so with a Syslog/event log aggregator….
> > Once we are getting the logs we want, AND can do basic manual analysis to
> > answer the questions we have, AND understand how much traffic we truly
> > have, we will look into what SIEM solution best fits….
> >
> >
> >
> > Additionally, there are a lot of SIEM tools built into other tools
> > (offic365,  MS ATP, Palo, etc)… so we want to be able to utilize those to
> > the best of our ability, and send the data from them to our eventual SIEM
> > solution…..
> >
> >
> >
> > I also sent one of my Sec Analysts to the SANS 555 – SIEM with Tactical
> > Analysis course, to build good fundamentals for the next step of our SEIM
> > process…..  They used Elastic heavily in the class…..
> >
> >
> >
> > SANS is expensive, the time doing the aggregation was painful…. But I
> > really want the SEIM deployment to be successful and provide good output
> > and alerting…
> >
> >
> >
> > My general rule is a SIEM doesn’t solve any problems alone, it allows you
> > to scale up your successful manual processes effectively.  The hard part is
> > having successful manual processes… J
> >
> >
> >
> > -Jonathan
> >
> >
> >
> >
> >
> >
> >
> > *From:* The EDUCAUSE Security Community Group Listserv <
> > SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Zepu Chen
> > *Sent:* Tuesday, February 11, 2020 12:50 PM
> > *To:* SECURITY () LISTSERV EDUCAUSE EDU
> > *Subject:* [SECURITY] Open source SIEM
> >
> >
> >
> > Good Afternoon,
> >
> > We are researching the possibility to implement an open-source SIEM
> > solution at our University. The project we are currently reviewing is
> > MozDef from Mozilla. Does anyone currently have MozDef or other open-source
> > SIEM implemented in your environment? How are the implementation and
> > operations experience so far?
> > We are interested in seeing what other schools are doing. We would
> > greatly appreciate it if you would be kind enough to share any pitfalls,
> > constraints and roadblocks as well as implementation recommendations.
> >
> >
> > Thanks,
> >
> >
> >
> > [image: Denison University]
> > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdenison.edu%2F&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Cf7a9f275c25643d7820408d7af232dd9%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C1%7C637170437941526649&sdata=pwS2tk9CtK17KaKhAAUI4Hlj7Ix68XsqXxu6euOyFCE%3D&reserved=0>
> >
> > *Zepu Chen*
> > *Systems & Security Administrator*
> > Information Technology Services
> >
> > Office: 740-587-5307 <1-740-587-5307>
> > zepu.chen () denison edu
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> > <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=02%7C01%7Cjonathan-kimmitt%40UTULSA.EDU%7Cf7a9f275c25643d7820408d7af232dd9%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C1%7C637170437941536643&sdata=92a60P%2Fm400g9bD99W3oH6ZFdosRfyWFoKKGzC5tkQk%3D&reserved=0>
> >
> > **********
> > Replies to EDUCAUSE Community Group emails are sent to the entire
> > community list. If you want to reply only to the person who sent the
> > message, copy and paste their email address and forward the email reply.
> > Additional participation and subscription information can be found at
> > https://www.educause.edu/community
> **********
> Replies to EDUCAUSE Community Group emails are sent to the entire
> community list. If you want to reply only to the person who sent the
> message, copy and paste their email address and forward the email reply.
> Additional participation and subscription information can be found at
> https://www.educause.edu/community


-- 
Andrew F. Powell Jr., CISSP, CCSP (he/him/his)
Information Security Director
Williams College
22 Lab Campus Drive, Williamstown, MA, 01267
O - (413) 597 - 4340
C - (978) 502 - 0086

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community