Educause Security Discussion mailing list archives

Re: [External] Re: [SECURITY] SIEM questions.


From: Beth Albertson <albertb3 () WWU EDU>
Date: Fri, 14 May 2021 20:00:22 +0000

I used Graylog at a state agency for a few years.  Overall, I liked it, but upgrades were sometimes a pain because it 
had three moving parts, Elasticsearch, MongoDB, and the application itself.  They have "content packs", that give you 
preconfigured inputs and dashboards, which is nice.  At the time I used it, it did not have a normalization engine 
which I like very much in Splunk, which I use now.

Sincerely,

Beth Albertson, CISSP(r), PMP(r)
Director of Information Security
Western Washington University
beth.albertson () wwu edu
(360) 650-4472

Did you know you can opt-in to Multi-Factor Authentication (MFA) now?  Visit the ATUS 
website <https://atus.wwu.edu/kb/multi-factor-authentication-mfa-wwu-universal-accounts> and sign 
up <https://forms.office.com/Pages/ResponsePage.aspx?id=DBRG3G_i70OwrgDyV_R4_xVgs5jddepDnFeGAhuZ6HxUOUpMT1ZSTjBTUzVJQ0FEOUE5NE5HSjcxMy4u> now!

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Kevin Wilcox
Sent: Friday, May 14, 2021 8:24 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] [External] Re: [SECURITY] SIEM questions.

I'm going to tack on to what Nadim said. I may be a "pure Elastic" fan but for most small shops, I think Graylog is the 
way to go. It gives you as much storage as you can put behind it (it's elasticsearch for storage under the hood for 
indexing), you can feed it with logstash so you can do all your parsing (schema on write) and enrichment up-front, it 
supports parsing at search (schema on read) and it has an excellent support community (in addition to paid support, if 
you go that route).

That doesn't mean I'm not going to say, "you should also look at the Elastic Stack" =) The biggie for me is the 
enrichment up-front. We get an MFA log, we pull the user name and IP, then we add data from Active Directory, we add 
data from inventory, we add GeoIP data (really just after ASN / company info), then we store the log event with that 
data added. It makes, e.g., doing a search like "give me all the MFA events for this department that weren't from a 
local internet provider" really quick and easy - it isn't having to crawl through and find all the usernames for that 
department AND do GeoIP at search time, it's just filtering on data that's already there. "show me when someone from x 
departments has a login event from a *new* Internet provider" -- super simple, it's just looking for a new value to 
appear in the geoip ASN field. You do need to know your log data for it to be effective...

kmw
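An added example, not code from the thread or from Graylog or Logstash: a small Python model of the schema-on-write enrichment Kevin describes, with constructed stand-ins for the Active Directory, inventory and GeoIP/ASN lookups, followed by the two searches he mentions (a department's MFA events not from a local provider, and the first appearance of a new ASN per department) run as plain field filters over the already-enriched records.

```python
from collections import defaultdict

# Constructed lookup tables standing in for AD, inventory and a GeoIP/ASN
# database; a real pipeline would query these before indexing the event.
AD_DIRECTORY = {"alice": "finance", "bob": "finance", "carol": "library"}
INVENTORY = {"10.1.2.3": "workstation-FIN-07"}
ASN_BY_PREFIX = {"10.1.": ("AS64512", "Campus Network"),
                 "203.0.113.": ("AS64513", "Local Cable ISP"),
                 "198.51.100.": ("AS64514", "Overseas Hosting Co")}
LOCAL_ASNS = {"AS64512", "AS64513"}  # providers treated as "local"

def lookup_asn(ip):
    """Prefix match against the constructed ASN table (hypothetical GeoIP)."""
    for prefix, (asn, org) in ASN_BY_PREFIX.items():
        if ip.startswith(prefix):
            return asn, org
    return "unknown", "unknown"

def enrich(event):
    """Schema on write: add department, asset and ASN fields before storage."""
    asn, org = lookup_asn(event["src_ip"])
    return {**event,
            "department": AD_DIRECTORY.get(event["user"], "unknown"),
            "asset": INVENTORY.get(event["src_ip"], "unmanaged"),
            "geoip.asn": asn, "geoip.org": org}

def non_local_mfa(events, department):
    """Search 1: a department's MFA events whose ASN is not a local provider.
    No AD or GeoIP work at search time; it is a filter on stored fields."""
    return [e for e in events
            if e["department"] == department and e["geoip.asn"] not in LOCAL_ASNS]

def new_asn_per_department(events, baseline=None):
    """Search 2: first appearance of an ASN for each department, in event order.
    `baseline` is an optional {department: set(asn)} of already-known values."""
    seen = defaultdict(set, {k: set(v) for k, v in (baseline or {}).items()})
    alerts = []
    for e in events:
        if e["geoip.asn"] not in seen[e["department"]]:
            seen[e["department"]].add(e["geoip.asn"])
            alerts.append((e["department"], e["user"], e["geoip.asn"]))
    return alerts

RAW_EVENTS = [  # constructed MFA log events, already parsed into fields
    {"ts": "2021-05-13T08:00Z", "user": "alice", "src_ip": "10.1.2.3", "result": "success"},
    {"ts": "2021-05-13T08:05Z", "user": "bob", "src_ip": "203.0.113.9", "result": "success"},
    {"ts": "2021-05-13T08:09Z", "user": "carol", "src_ip": "203.0.113.20", "result": "success"},
    {"ts": "2021-05-13T08:12Z", "user": "alice", "src_ip": "198.51.100.7", "result": "success"},
]
ENRICHED = [enrich(e) for e in RAW_EVENTS]  # what would actually be indexed
```

With a baseline of the ASNs each department has already been seen from, only alice's login from the overseas hosting provider surfaces as a new value in the `geoip.asn` field.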

On Thu, May 13, 2021 at 7:44 PM Nadim El-Khoury <0000024d485fe2c4-dmarc-request () listserv educause edu> wrote:
Hi Jonathan,

We use Graylog here at Springfield College. We are using the open-source version, and we are so far happy with it.
We started using it a couple of months ago, and so far, we indexed around 103+ GB of data from our Palo Alto firewalls 
alone. We did not even count the data from the ASA VPN devices and other systems.
As a small college with limited funds and resources, we would not be able to afford the other products.

Best,

Nadim El-Khoury
Director of Networks, Systems, Infrastructure, and Information Security Officer
Springfield College
263 Alden Street
Springfield, MA 01109
nel-khoury () springfield edu


On Thu, May 13, 2021 at 4:15 PM Francisco Chavez <fac3 () stmarys-ca edu> wrote:
Hi Kimmitt,

Here at Saint Mary's we use AlienVault. Like Rich mentioned, the company has had a few bad years but the product and 
support is much better now. We currently use AlienVault USM Anywhere which is hosted on AWS.

Please feel free to reach out directly if you have any questions!

Sincerely,
Francisco Chavez


--
Francisco Chavez, MBA  | Interim CTO
Saint Mary's College of California
...............................................................................................................................
IT Services <https://www.stmarys-ca.edu/it-services>
phone: (925) 631-8236
email: fac3 () stmarys-ca edu




On May 13, 2021, at 11:32 AM, Kimmitt, Jonathan <jonathan-kimmitt () UTULSA EDU> wrote:

Reposting from the CIO group email for my CIO:

Happy Thursday,

Smaller institutions with pandemic-minded budgets, do you have a SIEM you're using that is quality, provides insightful 
reporting and is either easy to manage OR managed externally? That you would recommend? (I'll take warnings too!)

We're looking to make a change within the next 12-18 months and I could use honest feedback on solutions, experience, 
cost, dedicated headcount support. Can email me directly:

Thanks much,


-Jonathan



~
Jonathan Kimmitt
CISSP, FIP, CDPSE, CIPP/E, CIPM, CIPT,
OTCP, GLEG, GPEN, GSNA, PCIP, CEH
Chief Information Security Officer
Information Technology
The University of Tulsa
918.631.2743


**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

