Educause Security Discussion mailing list archives
Re: SIEM Solution Recommendation
From: Mike Lococo <mike.lococo () NYU EDU>
Date: Wed, 26 Oct 2011 18:33:39 -0400
On 10/26/2011 05:31 PM, David Escalante wrote:
It depends upon what you're getting them for. I don't view them as interchangeable solutions, and they cost a lot of money, plus the monitoring one does once they're installed. Can you share more detailed requirements as to what the SIEM is expected to do, how big an environment it has to scale to, what number of FTEs you intend to have tend it once installed, etc...?
I'll agree with the sentiment that asking for a generic SIEM recommendation isn't going to get you very good advice. It's important to talk about your specific goals. Are you driven by compliance requirements, by a need for a better incident detection/response console, or something else? Your use-cases both affect what products will work well for you, and also whose advice will be relevant for you.
- As a start, search around for the Gartner Magic Quadrant for SIEM; it's a reasonable place to get your feet wet.
- For peer input, I'd try to get some folks on the phone who you know have similar use-cases and see what they're doing. I've found the interactivity of a phone conversation to be critical in getting to the point where I understand what someone is saying about their SIEM.

There really isn't a body of best-practice knowledge yet, and in order to give/get sensible advice on a mailing list you end up needing to write a tome covering your goals, your data-sources, your project timeline, your technical team's skills, and your budget. Folks don't have the time, and are often hesitant to share all that info on a public list, so you end up getting this misleading comment with no context. I know that issue isn't unique to this topic, but I've found it much more significant for SIEM projects. You really need to be willing to spend 30 minutes learning about a site and their context before they can teach you anything about their SIEM project in a way that you'll be able to apply at your own site.

Cheers,
Mike Lococo