Educause Security Discussion mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [External] Re: [SECURITY] SIEM questions.

From: "Kimmitt, Jonathan" <jonathan-kimmitt () UTULSA EDU>
Date: Fri, 14 May 2021 16:03:44 +0000
Thank you Kevin!

Just a general inquiry for the group….  We ran a Bro/Elk stack for many years, with the mindset of “collect everything, 
forever”… and it was a bear to support and maintain… we had about 8 billion events a week through it….  Generally it 
took an FTE+ to keep it functional and do searches….  That person otherwise left and we were in a bind…. So we started 
looking for something else….  **just a note of funny…  we interacted with the Bro/Elk team with Walmart several years 
ago, and while they had more servers dedicated to their log collection, we had more events going through our setup…..  
that’s when I realized we were doing things wrong… ☹ We had a lot of ‘data’, but no information on what was happening……

As much as I am hesitant to provide details on a publicly archived forum, I wanted to get the collective thoughts….

We started with a log aggregator last year, to start getting our logs in one place and filtered down to useful fields, 
and are now looking specifically for a siem/soc solution to send those logs to and help us get actionable information 
and alerting….. We were looking at Arctic Wolf and Respond software….. mostly to take advantage of the ‘as a service’ 
potential….   We have limited resources, and a wide range of inputs (office365, local ad, servers, firewalls, etc.) we 
want going in….  My hope would be to devote less than half an fte in care and feeding, and then utilize students as 
hands on daily interaction and resolution for alerts…..

I have a new team working on the issue… and their testing, vendor evaluations and such, they came up with Respond and 
Arctic Wolf…. Respond was less than 100k (tool and analysis only, no person watching)… Arctic wolf was less than 200k 
(included a person or two on Arctic wolf side to monitor)…..   so, for me, it comes down to where we want to dedicate 
resources…..  Most of me wants to get good information quickly, then focus staff to start mitigating risks…

Again, because this is a publicly posted forum, I don’t want you to share information about your environments, but I 
would be extremely interested in anything you might be willing to provide so I can see if my numbers vs cost are way 
out in left field…..   please feel free to email me directly at jonathan-kimmitt () utulsa edu<mailto:jonathan-kimmitt 
() utulsa edu> if you might be willing to provide…..

   How many FTE’s do you have total, dedicated to setup, care and feeding?
   Does your security team run the tool, or is it IT that runs it, but security uses it?
   How long did it take to setup and get configured & tuned for your environment?
   How many FTE’s do you have dedicated to alert management and mitigation?
   How many events you run through the tools weekly (or so)?
   How many inputs you have going into the system (count of devices/services sending logs to tool)?
   How often (best guestimate average) do you use the information from the tool to mitigate a risk (once a day, 10 
times a day, etc)?

Again, I appreciate any information you are willing to provide to help us down the right path….

-Jonathan


From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kevin Wilcox
Sent: Friday, May 14, 2021 10:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] Re: [SECURITY] SIEM questions.

I'm going to tack on to what Nadim said. I may be a "pure Elastic" fan but for most small shops, I think Graylog is the 
way to go. It gives you as much storage as you can put behind it (it's elasticsearch for storage under the hood for 
indexing), you can feed it with logstash so you can do all your parsing (schema on write) and enrichment up-front, it 
supports parsing at search (schema on read) and it has an excellent support community (in addition to paid support, if 
you go that route).

That doesn't mean I'm not going to say, "you should also look at the Elastic Stack" =) The biggie for me is the 
enrichment up-front. We get an MFA log, we pull the user name and IP, then we add data from Active Directory, we add 
data from inventory, we add GeoIP data (really just after ASN / company info), then we store the log event with that 
data added. It makes, e.g., doing a search like "give me all the MFA events for this department that weren't from a 
local internet provider" really quick and easy - it isn't having to crawl through and find all the usernames for that 
department AND do GeoIP at search time, it's just filtering on data that's already there. "show me when someone from x 
departments has a login event from a *new* Internet provider" -- super simple, it's just looking for a new value to 
appear in the geoip ASN field. You do need to know your log data for it to be effective...

kmw

On Thu, May 13, 2021 at 7:44 PM Nadim El-Khoury <0000024d485fe2c4-dmarc-request () listserv educause 
edu<mailto:0000024d485fe2c4-dmarc-request () listserv educause edu>> wrote:
Hi Jonathan,

We use Graylog here at Springfield College. We are using the open-source version, and we are so far happy with it.
We started using it a couple of months ago, and so far, we indexed around 103+ GB of data from our Palo Alto firewalls 
alone. We did not even count the data from the ASA VPN devices and other systems.
As a small college with limited funds and resources, we would not be able to afford the other products.

Best,

Nadim El-Khoury
Director of Networks, Systems, Infrastructure, and Information Security Officer
Springfield College
263 Alden Street
Springfield, MA 01109
nel-khoury () springfield edu<mailto:nel-khoury () springfield edu>


On Thu, May 13, 2021 at 4:15 PM Francisco Chavez <fac3 () stmarys-ca edu<mailto:fac3 () stmarys-ca edu>> wrote:
Hi Kimmitt,

Here at Saint Mary’s we use AlienVault. Like Rich mentioned, the company has had a few bad years but the product and 
support is much better now. We currently use AlienVault USM Anywhere which is hosted on AWS.

Please feel free to reach out directly if you have any questions!

Sincerely,
Francisco Chavez


--
Francisco Chavez, MBA  | Interim CTO
Saint Mary's College of California
...............................................................................................................................
IT 
Services<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.stmarys-ca.edu%2Fit-services&data=04%7C01%7C%7C6816153722f64060d4fe08d916ec4773%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637566026328897942%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=lZAeBp0NU7HjgEbABrnGKZa7p2mL%2Btj4xf8hLtJDHhE%3D&reserved=0>
phone: (925) 631-8236
email: fac3 () stmarys-ca edu<mailto:fac3 () stmarys-ca edu>


[cid:image001.jpg@01D748AC.53D2AED0]


On May 13, 2021, at 11:32 AM, Kimmitt, Jonathan <jonathan-kimmitt () UTULSA EDU<mailto:jonathan-kimmitt () UTULSA EDU>> 
wrote:

Reposting from the CIO group email for my CIO:

Happy Thursday,

Smaller institutions with pandemic-minded budgets, do you have a SIEM you’re using that is quality, provides insightful 
reporting and is either easy to manage OR managed externally? That you would recommend? (I’ll take warnings too!)

We’re looking to make a change within the next 12-18 months and I could use honest feedback on solutions, experience, 
cost, dedicated headcount support. Can email me directly:

Thanks much,


-Jonathan



~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT,
OTCP,GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7C%7C6816153722f64060d4fe08d916ec4773%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637566026328907907%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=2bMIySM9c4ulgkL4DMfiuiLxYUYZfgShliIyqQG3rFU%3D&reserved=0>


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7C%7C6816153722f64060d4fe08d916ec4773%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637566026328907907%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=2bMIySM9c4ulgkL4DMfiuiLxYUYZfgShliIyqQG3rFU%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7C%7C6816153722f64060d4fe08d916ec4773%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637566026328917866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2F2MHij0dTQ3VvfaIvjSLoxPX3v6G9IJ7gGV6kqXjXqE%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at 
https://www.educause.edu/community<https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.educause.edu%2Fcommunity&data=04%7C01%7C%7C6816153722f64060d4fe08d916ec4773%7Cd4ff013c62b74167924f5bd93e8202d3%7C0%7C0%7C637566026328917866%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=%2F2MHij0dTQ3VvfaIvjSLoxPX3v6G9IJ7gGV6kqXjXqE%3D&reserved=0>

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

Previous By Date Next
Previous By Thread Next

Current thread: