Educause Security Discussion mailing list archives
Re: SIEM Tools
From: Michael Klint Borozan <klint.borozan () GMAIL COM>
Date: Sun, 21 Jan 2018 20:18:36 -0800
SIEM is a very interesting topic, because the products from all vendors across the board have actually added to the workload and complexity of SOC operations. Currently you have many existing or legacy solutions that are presenting road maps and future integrations with other products to increase usability and effectiveness, but that will create the need for other products to integrate, a problem because the original design didn't contemplate that integration... and will add cost.

Another category of solutions trying to position themselves as next-gen SIEMs are starting as a UBA solution and adding back in other legacy SIEM features. The UBA solution presents an interesting dilemma because it takes security event data from other security tools and correlates it back to the UBA information, when UBA should be used to provide context to attack storylines constructed from your other security tools such as IPS, EDR, FW, Linux logs, reputation services, etc.... i.e., it is backwards.

The Splunk solution as a SIEM is a pretty powerful correlation tool. Some of the downsides are costs associated with usage cost overruns, and the complexity in training, so I suggest talking to other users, as they will all say they can't seem to budget and its complexity makes it hard to use. I hear it often described as the "It takes a village" model of operation because of the requirements to update and manage correlation rules, but in fairness managing correlation rules is one of the biggest issues across the spectrum of legacy SIEMs as well.

I would recommend you look at empow cybersecurity. No correlation rules to manage, automates the role of a security analyst, has an embedded UBA/NTA engine, automates threat hunting with an EDR hunter, and can automate mitigation through your existing tools (firewall, switches, etc.).

On Fri, Jan 19, 2018 at 6:48 PM, Madl, Michael <michael.madl () indwes edu> wrote:
I am currently reviewing several SIEM products [QRadar, AlienVault, LogRhythm, etc.]. Can anyone share any success stories with the product they are utilizing? I have utilized AlienVault in the past and the correlation functionality is pretty good. Threat detection is also done well. Gartner has been a great tool for review, but wondering if anyone had any strong feelings/experiences with certain tools.

Thank you in advance,

MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY
INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON STREET
MARION, IN 46953
765.677.2688 | 765.677.2020 FAX
michael.madl () indwes edu
INDWES.EDU/IT
--
Best regards,
Michael Klint Borozan
630.362.7231
Current thread:
- Re: SIEM Tools, (continued)
- Re: SIEM Tools Frank Barton (Jan 22)
- Re: SIEM Tools Brad Judy (Jan 22)
- Re: SIEM Tools Adam Menos (Jan 22)
- Re: SIEM Tools Tina Thorstenson (Jan 22)
- Re: SIEM Tools Kevin Wilcox (Jan 22)
- Re: SIEM Tools Manjak, Martin (Jan 22)
- Re: SIEM Tools Chad Tracy (Jan 20)
- Re: SIEM Tools Ramon Rentas (Jan 22)
- Re: SIEM Tools Shelton Waggener (Jan 23)
- Re: SIEM Tools Frank Barton (Jan 22)
- Re: SIEM Tools Bridges, Robert A. (Jan 22)
- Re: SIEM Tools Kevin Wilcox (Jan 22)
- Re: SIEM Tools Collyer, Jeffrey W. (jwc3f) (Jan 22)
- Re: SIEM Tools Jeannine Shantz (Jan 22)