Re: SIEM Tools

[Jeannine Shantz <jshantz () SJU EDU>]

Thank you.
Jeannine

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Collyer, Jeffrey W.
(jwc3f)
Sent: Monday, January 22, 2018 11:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] SIEM Tools

Ok I’ll bite.

I do love Splunk.  I’m not anti-ELK, but I know what works for me.

Schema-on-search is a huge huge win to me.  I do not know all the fields I
may care about in all my data prior to ingesting, and we’re adding more
every day. We can argue about needing to know everything in your data prior
to indexing, but thats not a Splunk failing if you consider it one.  Splunk
solves that problem for me.

Having a company with paid support behind the product and a large community
of supporters is invaluable.  I’m one guy.  I stood up a 2 search head, 3
indexer, 2 forwarder cluster by myself.  Managing it is not a full time job.
ELK is much more intensive.  Support from Splunk itself has always been top
notch when I’ve needed it.  At a .conf2106 (the splunk conference) the
documentation group had a booth. I complained a them about something I had
found unclear.  They took notes and actually thanked me for the feedback.
The docs were updated to be more clear the Monday following the conference.
They take feedback seriously.

Dashboards/saved searches/alerts - Our analysts write their own.  They don’t
need to come to me to build something in Kabana for them.  Maybe thats not
the hurdle it used to be, but I’ve not revisited ELK lately.  Do they
sometimes break thing or write searches that are too broad. Sure.  But their
accounts are limited to the resources they can consume and when their search
falls over, its generally just their search and not the whole cluster.

Does Splunk have its warts, sure.  Is it expensive and you pay for what you
ingest - yes.  Is it worth it?  To me it is.

Ultimately it comes down to paying to be able to do more, faster with Splunk
or devoting manpower/time to managing ELK.  You pay either way its just
comes down to what you want to pay with.

Jeff






> On Jan 22, 2018, at 11:01 AM, Kevin Wilcox <wilcoxkm () APPSTATE EDU> wrote:
>
> Obscene licensing, schema-on-read architecture, massive learning curve for
> data enrichment (that can kill performance due to the schema-on-read
> architecture)...I can think of a couple of reasons to be anti-Splunk. Some
> of those can be architected around (and why I've started seeing people
> front Splunk with logstash and even nifi) but they're still problematic.
>
> Not that schema-on-write doesn't have its flaws -- reindexing data when
> you want to make a field "type" change retroactive to 20TB of log data
> isn't exactly for the faint of heart -- but the performance is
> night-and-day different for "well-tuned" systems.
>
> Invariably, the people I talk to who LOVE Splunk either had syslog-only,
> WEF-only or nothing before they did their deployments and it's not
> *Splunk* that they really love, it's the benefits of log aggregation and
> unified search that have them so enamoured.
>
> kmw
>
> On 22 January 2018 at 15:42, Frank Barton <bartonf () husson edu> wrote:
> Robert, other than the cost, I'd be very interested to know what they
> don't like about splunk. Since we implemented it a couple months ago, it
> has proved itself extremely useful to us, almost on a daily basis. Not
> only from a security perspective, but also from a troubleshooting
> perspective.
>
> Thank You
> Frank
>
> On Mon, Jan 22, 2018 at 10:35 AM, Bridges, Robert A. <bridgesra () ornl gov>
> wrote:
> All, I’m a researcher and not an operator, but I interact w/ SOC operators
> regularly.
>
>
>
> Splunk ES has gotten bad reviews from the folks I know (that’s not to say
> they don’t like/use Splunk)
>
>
>
> Stucco is an open-source R&D project (less mature) for correlating
> internal and external data: https://github.com/stucco
>
>
>
>
>
>
>
> --
>
> Robert A. Bridges, PhD, Research Mathematician, Cyber & Information
> Science Research Group, Oak Ridge National Laboratory
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Rob Milman
> <rob.milman () SAIT CA>
> Reply-To: The EDUCAUSE Security Constituent Group Listserv
> <SECURITY () LISTSERV EDUCAUSE EDU>
> Date: Monday, January 22, 2018 at 10:26 AM
> To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
> Subject: Re: [SECURITY] SIEM Tools
>
>
>
> +1 for Splunk
>
>
>
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Madl, Michael
> Sent: Friday, January 19, 2018 7:49 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] SIEM Tools
>
>
>
> I am currently reviewing several SIEM products [QRadar, Alien Vault, Log
> Rhythm etc.].
>
>
>
> Can anyone share any success stories with the product they are utilizing.
> I have utilized Alien Vault in the past and the correlation functionality
> is pretty good.  Threat detection is also done well.
>
>
>
> Gartner has been a great tool for review but wondering if anyone had any
> strong feelings/experiences with certain tools.
>
>
>
>
>
> Thank you in advance,
>
>
>
>
>
> MICHAEL MADL
>
> INFORMATION SECURITY OFFICER
>
> UNIVERSITY INFORMATION TECHNOLOGY
>
>
>
> INDIANA WESLEYAN UNIVERSITY
>
> 4201 SOUTH WASHINGTON STREET
>
> MARION, IN 46953
>
>
>
> 765.677.2688   |   765.677.2020 FAX
>
> michael.madl () indwes edu
>
>
>
> INDWES.EDU/IT
>
>
>
> <image001.jpg>
>
>
>
> CONFIDENTIALITY NOTICE: This email, including applicable attachments, may
> include legally protected information.  If you are not the intended
> recipient of this message, you may not disclose, print, copy, save, or
> disseminate this information. If you have received this email in error,
> please notify the sender by replying to this message and immediately
> delete this message.
>
>
>
>
>
>
>
>
> --
> Frank Barton
> Security+, ACMT
> IT Systems Administrator
> Husson University

Jeffrey Collyer
Information Security Engineer
University of Virginia