Educause Security Discussion mailing list archives

Re: SIEM Tools


From: Michael Klint Borozan <klint.borozan () GMAIL COM>
Date: Sun, 21 Jan 2018 20:18:36 -0800

SIEM is a very interesting topic, because the products from all vendors
across the board have actually added to the workload and complexity of SOC
operations.  Currently you have many existing or legacy solutions that are
presenting road maps and future integrations with other products to
increase usability and effectiveness, but these will create the need for other
products to integrate, a problem because the original design didn't
contemplate that integration, and it will add cost.  Another category of
solutions trying to position themselves as next-gen SIEMs are starting as a
UBA solution and adding back in other legacy SIEM features. The UBA
solution presents an interesting dilemma because it takes security event
data from other security tools and correlates it back to the UBA
information, when UBA should be used to provide context to attack
storylines constructed from your other security tools such as IPS, EDR, FW,
Linux logs, reputation services, etc., i.e. it is backwards.

The Splunk solution as a SIEM is a pretty powerful correlation tool.  Some
of the downsides are the costs associated with usage cost overruns, and the
complexity in training, so I suggest talking to other users, as they will
all say they can't seem to budget and its complexity makes it hard to use.
I hear it often described as the "it takes a village" model of operation
because of the requirements to update and manage correlation rules, but in
fairness managing correlation rules is one of the biggest issues across the
spectrum of legacy SIEMs as well.

I would recommend you look at empow cybersecurity.  No correlation rules to
manage, it automates the role of a security analyst, has an embedded UBA/NTA
engine, automates threat hunting with an EDR hunter, and can automate
mitigation through your existing tools (firewall, switches, etc.).

On Fri, Jan 19, 2018 at 6:48 PM, Madl, Michael <michael.madl () indwes edu>
wrote:

I am currently reviewing several SIEM products [QRadar, AlienVault,
LogRhythm etc.].

Can anyone share any success stories with the product they are utilizing?
I have utilized AlienVault in the past and the correlation functionality
is pretty good.  Threat detection is also done well.

Gartner has been a great tool for review but wondering if anyone had any
strong feelings/experiences with certain tools.

Thank you in advance,

MICHAEL MADL
INFORMATION SECURITY OFFICER
UNIVERSITY INFORMATION TECHNOLOGY

INDIANA WESLEYAN UNIVERSITY
4201 SOUTH WASHINGTON STREET
MARION, IN 46953

765.677.2688   |   765.677.2020 FAX
michael.madl () indwes edu

INDWES.EDU/IT <http://indwes.edu/IT>

CONFIDENTIALITY NOTICE: This email, including applicable attachments,
may include legally protected information.  If you are not the intended
recipient of this message, you may not disclose, print, copy, save, or
disseminate this information. If you have received this email in error,
please notify the sender by replying to this message and immediately delete
this message.

-- 
Best regards,

Michael Klint Borozan
630.362.7231
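As an added illustration of the point raised above about correlation rules and UBA context (example code written for this archive page, not from any vendor product and not from either poster): a minimal correlation pass over a handful of constructed IPS, EDR, firewall and Linux auth events. It builds a per-host attack storyline from the detection tools first (a storyline needs at least two distinct tools firing on one host inside a short window), and only then attaches UBA baseline context as annotation, which is the ordering the reply argues for. The event format, hostnames, signature names, the UBA_BASELINE dict and every helper name are assumptions made up for the example.

```python
"""Multi-source correlation with UBA as context, not as the root of the storyline.

All events and the behaviour baseline below are constructed for illustration;
they are not output of any real product.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events in a simple "<ts> <source> <key>=<value> ..." form.
SAMPLE_EVENTS = """\
2018-01-19T18:00:10Z auth host=web01 user=jdoe action=login src=198.51.100.7
2018-01-19T18:00:45Z edr host=web01 user=jdoe process=/tmp/.x parent=bash
2018-01-19T18:01:02Z ips host=web01 sig=ET_TROJAN_Beacon dst=203.0.113.9
2018-01-19T18:01:05Z fw host=web01 action=deny dst=203.0.113.9 dport=4444
2018-01-19T18:30:00Z auth host=db01 user=svc-backup action=login src=10.0.0.12
2018-01-19T19:15:00Z ips host=db01 sig=ET_SCAN_Nmap dst=10.0.0.3
"""

# Constructed UBA baseline (hypothetical): what each user normally looks like.
UBA_BASELINE = {
    "jdoe": {"hosts": {"wks17"}, "src_nets": {"10.0.0."}, "hours": range(8, 19)},
    "svc-backup": {"hosts": {"db01"}, "src_nets": {"10.0.0."}, "hours": range(0, 24)},
}


@dataclass
class Event:
    ts: datetime
    source: str      # which tool emitted it: auth, edr, ips, fw
    fields: dict     # parsed key=value pairs


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, source, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), source, fields)


def build_storylines(events, window=timedelta(minutes=5), min_sources=2):
    """Group events per host and emit a storyline whenever at least
    `min_sources` distinct detection tools fired on that host inside `window`.
    UBA plays no part here; the storyline comes from the detection tools."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.fields.get("host", "?")].append(ev)
    storylines = []
    for host, evs in by_host.items():
        i = 0
        while i < len(evs):
            cluster = [evs[i]]
            j = i + 1
            while j < len(evs) and evs[j].ts - cluster[0].ts <= window:
                cluster.append(evs[j])
                j += 1
            sources = {e.source for e in cluster}
            if len(sources) >= min_sources:
                storylines.append({"host": host, "events": cluster,
                                   "sources": sources, "context": []})
            i = j
    return storylines


def add_uba_context(storyline, baseline):
    """Annotate (never create) a storyline with user-behaviour context drawn
    from the baseline: unfamiliar host, unusual source network, odd hours."""
    for ev in storyline["events"]:
        profile = baseline.get(ev.fields.get("user"))
        if not profile or ev.source != "auth":
            continue
        user, src = ev.fields["user"], ev.fields.get("src", "")
        if storyline["host"] not in profile["hosts"]:
            storyline["context"].append(f"{user} has no history on {storyline['host']}")
        if not any(src.startswith(net) for net in profile["src_nets"]):
            storyline["context"].append(f"{user} login from unusual network {src}")
        if ev.ts.hour not in profile["hours"]:
            storyline["context"].append(f"{user} active outside normal hours ({ev.ts.hour:02d}:00)")
    return storyline


def correlate(raw=SAMPLE_EVENTS, baseline=UBA_BASELINE):
    """Full pass: parse, build tool-driven storylines, then add UBA context."""
    events = [parse_event(line) for line in raw.splitlines() if line.strip()]
    return [add_uba_context(s, baseline) for s in build_storylines(events)]


if __name__ == "__main__":
    for s in correlate():
        print(f"[{s['host']}] sources={sorted(s['sources'])}")
        for e in s["events"]:
            print(f"  {e.ts:%H:%M:%S} {e.source:4} {e.fields}")
        for note in s["context"]:
            print("  context:", note)
```

On the sample data only web01 produces a storyline (four tools inside one minute); db01 has two events 45 minutes apart from only one tool each, so nothing fires there even though svc-backup's login is fully within baseline. The UBA notes on web01 (jdoe has no history on that host and came from an unfamiliar network) sharpen the analyst's read of an alert the detection tools already raised; they did not generate the alert. The window, the two-source threshold and the baseline are exactly the kind of rules the reply says someone has to keep managing, whatever product they live in.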
