
We’re considering moving forward with a SIEM package implementation and I’d like to know if any of you use such a tool in your environment and if so maybe you can answer the following?


What was the impetus for considering SIEM?


What were your (broad brush) criteria (flow analysis, file integrity, general security, log aggregation, PCI compliance, etc) for choosing the product you chose?


How many staff are involved with the day to day monitoring and action of monitored events?


Are you pleased with the tool you chose and why?


Thank you


Jamie Arnold

Binghamton University

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at



If you're interested in details, I'll put you in touch with our ISO and his team. I'm not all that close but I can give a high-level perspective:

To answer your question: we don't have a SIEM but have built up an integrated logging environment, and we are extending this -- a poor man's SIEM. We use our system to be able to demonstrate compliance with our security policies and produce daily reports out of this that we review regularly.

As a side comment.

As a member of the REN-ISAC Advisory group I will put in a plug for the REN-ISAC here. This is a question that is much better asked on their security list.

The best information on security is being discussed on the REN-ISAC security lists. I looked and there were close to 2000 messages on the REN list last year across a number of lists.  All the REN security lists are closed and no vendors are on the list. As a result, your security team can get unbiased information from a variety of university sources and feel confident no one will leak information. 

Today there are 358 universities that are members, the list is here - .

There is a small cost to participate in the REN (under $1000), but most security people that decide to participate say the community is like adding an additional staff member to the security team. If you have a small security team the REN gives you access to an incredible wealth of community expertise. If you have a large security team you probably are utilizing the work products of the REN community.

There is a system called SES -- Security Event System (SES) -- that the REN is working on with funding support from NSF that you might want to look at in thinking about SIEM ( ) . The SES system can complement your SIEM or can be used as a first step without the major purchase price.