Educause Security Discussion mailing list archives
Re: SIEM questions.
From: Rich Graves <rcgraves () GMAIL COM>
Date: Thu, 13 May 2021 14:01:39 -0500
I was Principal Security Engineer for OmniSOC.iu.edu and have used several other SIEMs at smaller scale. "It depends."

Your colleagues at University of Oklahoma were happy enough with Graylog, for which you can pay if you want. It depends what data you want to ingest and what sysadmin talent you have. Graylog is more tightly coupled and less bleeding-edge than SecurityOnion.

Also "free" with optional consulting, the latest version of SecurityOnion has gotten quite good. As a collection of open source projects it is loosely coupled and keeps pretty close to the leading edge of software components, and as such has sometimes become "unstable," but there are advantages to these architectural attributes, too.

AlienVault, which had a few pretty bad years, has also gotten good again, I've heard, though its free version is less viable.

If you have limited or possibly non-retainable sysadmin staff and smaller amounts of data, outsourcing can be reasonably priced. OmniSOC.iu.edu, ArcticWolf.com, and others would be happy to talk to you. Given your location I'm sure you are already familiar with CyberPosse from UT Austin. These three (and others) offer a good spread of different technical, architectural, and pricing models. OmniSOC (where I used to work) probably has the highest "floor" of the three but may scale better to a higher "ceiling," since we designed it for the literal Big Ten.

I don't have any personal experience with any of the "commercial" in-house SIEMs at your scale. In general, as with any product, beware that pricing may go up after the teaser discount pricing and that the fancy bells and whistles might not be a perfect fit out of the box. Also, many vendors are preferring "cloud" because frankly it is easier for vendor tech support to deal with, not just you.
********** Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community
Current thread:
- SIEM questions. Kimmitt, Jonathan (May 13)
- Re: SIEM questions. Rich Graves (May 13)
- Re: SIEM questions. Francisco Chavez (May 13)
- Re: SIEM questions. Nadim El-Khoury (May 13)
- Re: [External] Re: [SECURITY] SIEM questions. Kevin Wilcox (May 14)
- Re: [External] Re: [SECURITY] SIEM questions. Kimmitt, Jonathan (May 14)
- Re: [External] Re: [SECURITY] SIEM questions. Beth Albertson (May 14)
- Re: SIEM questions. Nadim El-Khoury (May 13)
- Re: SIEM questions. Kimmitt, Jonathan (May 13)
- <Possible follow-ups>
- Re: SIEM questions. Perez, Roberto (May 13)