Educause Security Discussion mailing list archives
Re: Tool and Software Suggestions
From: "Hagan, Sean" <sean.hagan () YC EDU>
Date: Mon, 19 Nov 2018 23:55:50 +0000
(Apologies in advance for the length of this...) I'll be a polite contrarian and argue that Splunk is more appropriate when you're relatively flush with resources (both human and financial). It could easily consume an FTE (or more), and it costs more than many other equally important (imho) security-related tools. That said - and as Brendan notes - log collection and analysis are very important. Since Justin notes that he's concerned with vulnerability assessment, a combined VA/SIEM solution like LogRhythm or AlienVault might make some sense to consider. If you have audit/compliance requirements (doesn't everyone?), a SIEM can indeed be a very useful tool - it's also great for incident response and threat hunting.

As the expression goes, some of the best things in life are free (or nearly free). The best bang for our buck has been joining MS-ISAC and REN-ISAC and networking with peers in and around the state - we've saved a significant amount of time and money, and increased efficiency and maturity, simply by collaborating with and amongst other schools and government organizations.

Every institution is different, but after three years in my current role, the greatest threats and greatest payoffs I've observed have related to email security and border protections, along with security awareness training and MFA. A capable NGFW firewall, threat intelligence feeds, advanced email security functionality (anti-phishing, anti-impersonation, and clicked-link tracking capabilities), vulnerability assessment/remediation (to include patching/patch management), mandated institutional MFA (at least for employees), and a decent EPP (possibly with EDR functionality depending on how often you're dealing with malware) would be my top picks for a new program (or new budget for an existing program). DLP is important but a significant challenge to implement and support, and might be more appropriate when you've already addressed the above to a sufficient level of maturity.
I take IAM for granted since we developed an in-house system to manage that several years ago, but it would definitely be worthy of significant upfront investment given its importance and the amount of time you might spend managing it (or unraveling it after an incident).

Since the above isn't really providing specific answers to Justin's questions:

Vulnerability Assessment: Department of Homeland Security (DHS) offers free external vulnerability scanning via the NCATS Cyber Hygiene program - I'd absolutely do that regardless of whether you end up doing something else later on (they use a modified version of Nessus). Nessus is popular in higher ed, but expensive if you want something that easily scales (Tenable Security Center). Other solutions include Rapid7's Nexpose, Qualys Vulnerability Management, and others. My experience is that you'll pay around $10 per IP per year that you want to scan for the enterprise tools (that's for ranges of 1k-2k IPs - you would hopefully pay less with greater quantities).

Identity and Access Management Monitoring: As Brendan mentions, a SIEM will help a lot with this, but at great expense. You might also look at tools from Netwrix (warning - they'll spam the heck out of you if you sign up to download anything). We wrote our own and coupled that with a SIEM, so I can't be of much help to you on that question.

Patch/Configuration Management: joining MS-ISAC will give you access to the CIS SecureSuite toolset, which will give you free resources for creating and auditing against secure baseline configurations. You may find that your vulnerability assessment tools can audit config management as well. Beyond that, we use a product for patch management that I personally really dislike, but I'm pretty sure it's common in higher ed and SMB IT groups. What I've observed being semi-actively involved in institutional patching for the last year or two is that the process is probably as important as the tool you choose.
EDIT: It appears that UotC would not qualify for free CIS SecureSuite since you are a private school.

Good luck!

Sean

Sean Hagan
Chief Information Security Officer
Yavapai College
(928) 717-7651 - direct
https://www.yc.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of WALSH, BRENDAN
Sent: Monday, November 19, 2018 3:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Tool and Software Suggestions

I'm sure a number of responses will mention Splunk - in my mind, it's the best IT investment we have made. There is a learning curve to it, but when it comes to log collection and correlation, Splunk is the best tool on the market. You can probably start small (~10GB/day?) and grow from there - licensing is a little pricey and determined by your anticipated daily log volume.

You'll want to collect authentication logs (network authentication as well as application authentication) and AD events first and foremost. If you have a faculty/staff/student portal, like Ellucian Luminis, go ahead and grab activity logs from there too. That should give you a good baseline for being able to monitor account activity - particularly for compromised accounts.

If you're part of Internet2, you and your staff can take the Splunk Power User training course at no cost (https://www.internet2.edu/news/detail/11515/). As you get rolling, Splunk could help with some of the other categories you mention as well.

Cheers - and best of luck in your endeavors!
-Brendan

Brendan Walsh, MBA, CISSP
Manager, Security and Access Management
Kent State University
330-672-8551

________________________________
From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Justin Hensley <justin.hensley () UCUMBERLANDS EDU>
Sent: Monday, November 19, 2018 4:54 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Tool and Software Suggestions

Hello All:

The Office of Information Security here at University of the Cumberlands was just opened this past spring and I moved from an operational IT role to Director of Information Security. I have a new budget available to my office for the first time, and I'm working on getting budget numbers together. I'm hoping that members of this group can suggest some tools and software that you use in your infosec office that are invaluable to you. I'm primarily looking to start in the categories of vulnerability assessment and penetration testing, identity and access management monitoring (we're an Active Directory shop), and patch configuration and management. I'm aware of many tools and software packages in the market, but I'm always finding new ones by reading posts in this listserv, so I'm hoping this will help me and others also.

Thanks.

Justin O. Hensley, CEH, CISSP
University of the Cumberlands
Director of Information Security
Division of Information Services
Gatliff Administration Building | Lower Level | Room 008
104 Maple Street, Williamsburg, KY, 40769
606.539.4197 Office | 606.539.4144 Fax
justin.hensley () ucumberlands edu
www.ucumberlands.edu