Educause Security Discussion mailing list archives
Re: [External] Re: [SECURITY] SIEM questions.
From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Fri, 14 May 2021 16:03:44 +0000
Thank you Kevin! Just a general inquiry for the group…. We ran a Bro/Elk stack for many years, with the mindset of “collect everything, forever”… and it was a bear to support and maintain… we had about 8 billion events a week through it…. Generally it took an FTE+ to keep it functional and do searches…. That person otherwise left and we were in a bind…. So we started looking for something else….

**just a note of funny… we interacted with the Bro/Elk team with Walmart several years ago, and while they had more servers dedicated to their log collection, we had more events going through our setup….. that’s when I realized we were doing things wrong… ☹ We had a lot of ‘data’, but no information on what was happening……

As much as I am hesitant to provide details on a publicly archived forum, I wanted to get the collective thoughts…. We started with a log aggregator last year, to start getting our logs in one place and filtered down to useful fields, and are now looking specifically for a SIEM/SOC solution to send those logs to and help us get actionable information and alerting….. We were looking at Arctic Wolf and Respond Software….. mostly to take advantage of the ‘as a service’ potential…. We have limited resources, and a wide range of inputs (Office 365, local AD, servers, firewalls, etc.) we want going in…. My hope would be to devote less than half an FTE in care and feeding, and then utilize students as hands-on daily interaction and resolution for alerts….. I have a new team working on the issue… and in their testing, vendor evaluations and such, they came up with Respond and Arctic Wolf…. Respond was less than 100k (tool and analysis only, no person watching)… Arctic Wolf was less than 200k (included a person or two on the Arctic Wolf side to monitor)….. so, for me, it comes down to where we want to dedicate resources…..

Most of me wants to get good information quickly, then focus staff to start mitigating risks… Again, because this is a publicly posted forum, I don’t want you to share information about your environments, but I would be extremely interested in anything you might be willing to provide so I can see if my numbers vs cost are way out in left field….. please feel free to email me directly at jonathan-kimmitt () utulsa edu if you might be willing to provide…..

- How many FTEs do you have total, dedicated to setup, care and feeding?
- Does your security team run the tool, or is it IT that runs it, but security uses it?
- How long did it take to set up and get configured & tuned for your environment?
- How many FTEs do you have dedicated to alert management and mitigation?
- How many events do you run through the tools weekly (or so)?
- How many inputs do you have going into the system (count of devices/services sending logs to the tool)?
- How often (best guesstimate average) do you use the information from the tool to mitigate a risk (once a day, 10 times a day, etc.)?

Again, I appreciate any information you are willing to provide to help us down the right path….

-Jonathan

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kevin Wilcox
Sent: Friday, May 14, 2021 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] Re: [SECURITY] SIEM questions.

I'm going to tack on to what Nadim said. I may be a "pure Elastic" fan but for most small shops, I think Graylog is the way to go. It gives you as much storage as you can put behind it (it's Elasticsearch for storage under the hood for indexing), you can feed it with Logstash so you can do all your parsing (schema on write) and enrichment up-front, it supports parsing at search (schema on read) and it has an excellent support community (in addition to paid support, if you go that route).

That doesn't mean I'm not going to say, "you should also look at the Elastic Stack" =)

The biggie for me is the enrichment up-front. We get an MFA log, we pull the user name and IP, then we add data from Active Directory, we add data from inventory, we add GeoIP data (really just after ASN / company info), then we store the log event with that data added. It makes, e.g., doing a search like "give me all the MFA events for this department that weren't from a local internet provider" really quick and easy - it isn't having to crawl through and find all the usernames for that department AND do GeoIP at search time, it's just filtering on data that's already there. "show me when someone from x departments has a login event from a *new* Internet provider" -- super simple, it's just looking for a new value to appear in the geoip ASN field. You do need to know your log data for it to be effective...

kmw

On Thu, May 13, 2021 at 7:44 PM Nadim El-Khoury <0000024d485fe2c4-dmarc-request () listserv educause edu> wrote:

Hi Jonathan,

We use Graylog here at Springfield College. We are using the open-source version, and we are so far happy with it. We started using it a couple of months ago, and so far, we indexed around 103+ GB of data from our Palo Alto firewalls alone. We did not even count the data from the ASA VPN devices and other systems. As a small college with limited funds and resources, we would not be able to afford the other products.

Best,

Nadim El-Khoury
Director of Networks, Systems, Infrastructure, and Information Security Officer
Springfield College
263 Alden Street
Springfield, MA 01109
nel-khoury () springfield edu

On Thu, May 13, 2021 at 4:15 PM Francisco Chavez <fac3 () stmarys-ca edu> wrote:

Hi Kimmitt,

Here at Saint Mary’s we use AlienVault. Like Rich mentioned, the company has had a few bad years but the product and support are much better now. We currently use AlienVault USM Anywhere which is hosted on AWS. Please feel free to reach out directly if you have any questions!

Sincerely,
Francisco Chavez

--
Francisco Chavez, MBA | Interim CTO
Saint Mary's College of California
IT Services <https://www.stmarys-ca.edu/it-services>
phone: (925) 631-8236
email: fac3 () stmarys-ca edu

On May 13, 2021, at 11:32 AM, Kimmitt, Jonathan <jonathan-kimmitt () UTULSA EDU> wrote:

Reposting from the CIO group email for my CIO:

Happy Thursday,

Smaller institutions with pandemic-minded budgets, do you have a SIEM you’re using that is quality, provides insightful reporting and is either easy to manage OR managed externally? That you would recommend? (I’ll take warnings too!) We’re looking to make a change within the next 12-18 months and I could use honest feedback on solutions, experience, cost, dedicated headcount support. Can email me directly:

Thanks much,
-Jonathan

~ Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT, OTCP, GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- SIEM questions. Kimmitt, Jonathan (May 13)
- Re: SIEM questions. Rich Graves (May 13)
- Re: SIEM questions. Francisco Chavez (May 13)
- Re: SIEM questions. Nadim El-Khoury (May 13)
- Re: [External] Re: [SECURITY] SIEM questions. Kevin Wilcox (May 14)
- Re: [External] Re: [SECURITY] SIEM questions. Kimmitt, Jonathan (May 14)
- Re: [External] Re: [SECURITY] SIEM questions. Beth Albertson (May 14)
- Re: SIEM questions. Nadim El-Khoury (May 13)
- Re: SIEM questions. Kimmitt, Jonathan (May 13)
- <Possible follow-ups>
- Re: SIEM questions. Perez, Roberto (May 13)