Educause Security Discussion mailing list archives
Re: TriGeo SIEM Experience
From: "Daly, Douglas" <DDALY () NYMC EDU>
Date: Mon, 27 Apr 2009 09:59:07 -0400
We are using enVision. We chose it largely due to its being able to collect Windows logs natively. We also liked the vast number of canned reports that are fine out of the box and are really useful as templates (create a copy and then modify) for customizing reports. The Analyze feature is useful, and we contracted for 3 days of professional time to set it up and get our preliminary training. Part of that time was spent setting up a watchlist scenario that automatically notifies the CIO if there is any change in the Domain Admins security group. That was more complex than it sounds. Contact me off list if you'd like a brief overview of how we did this.

TriGeo was one we did not look at since, at the time, the Gartner Magic Quadrant report indicated it had some limitations that caused us not to include it in the process. It's a copyrighted report so I can't send it, but you could ask the vendors for an updated version (mine was 1Q07). It indicated that TriGeo didn't scale well to large installations; that may have changed.

We did eval MARS from Cisco and found that snort (required for collecting Windows logs), if installed and not tuned, would use about 50% of the server's CPU.

One recommendation for choosing a SIEM: you will likely underestimate the number of events per second you will feed to the box, so license it for 2 or 3 times more than you think you will need.

Douglas Daly
Associate Director, Technical Services
New York Medical College
Valhalla, NY 10595
914.594.4961

-----Original Message-----
From: Christopher Jones [mailto:Christopher.Jones () UFV CA]
Sent: Thursday, April 23, 2009 4:07 PM
Subject: Re: TriGeo SIEM Experience

Hi Daniel,

We are taking a very serious look at RSA's enVision solution. A couple of key advantages for us are that enVision collects, stores and processes raw log information in native format instead of normalizing it. As well, enVision is able to receive log data from a large number of disparate devices.

You might want to check it out. Thanks.

Regards,
Christopher Jones
IT Security Administrator
Information Technology Services
University of the Fraser Valley
33844 King Road
Abbotsford, BC V2S 7M8
604.854.4566
Christopher.Jones () ufv ca

"O'Callaghan, Daniel" <Daniel.OCallaghan () SINCLAIR EDU> 04/23/2009 12:35 PM >>>

We are looking at a couple of SIEM solutions, and TriGeo is one we are considering. We have heard good things from local customers, but they are all in the financial sector or subject to SOX, so have tighter controls than a typical .edu. Does anyone have any experience with TriGeo in an academic environment? Off-list replies will be kept confidential.

________________________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP
Chief Information Security Officer
Sinclair Community College
444 West Third Street, 13-000F
Dayton, Ohio 45402-1460
937-512-2452 Fax 937-512-2385
daniel.ocallaghan () sinclair edu
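The "Domain Admins watchlist" Douglas Daly describes is, at its core, a rule over Windows Security events for group-membership changes. The following is an added example written for this archive page, not code from enVision, TriGeo, or any poster; it runs a small watchlist over constructed, flattened event records. The key=value line format, the field names (EventID, SubjectUser, TargetGroup, MemberName) and the sample records are assumptions for illustration; the event IDs themselves (4728/4729 for security-enabled global groups, 4756/4757 for universal groups, on Vista/2008 and later) are the real ones, and the rule also watches Enterprise Admins and Schema Admins, which goes slightly beyond the single group in the message.

```python
"""Added example: a minimal watchlist that flags membership changes to
privileged AD groups from Windows Security events (not vendor code)."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Windows Security log event IDs for security-enabled group membership changes.
GROUP_CHANGE_EVENTS = {
    4728: "added",    # member added to a security-enabled global group
    4729: "removed",  # member removed from a security-enabled global group
    4756: "added",    # member added to a security-enabled universal group
    4757: "removed",  # member removed from a security-enabled universal group
}

# Groups on the watchlist (compared case-insensitively). Domain Admins is the
# group from the thread; the other two are added here as a generalization.
WATCHED_GROUPS = {"domain admins", "enterprise admins", "schema admins"}


@dataclass(frozen=True)
class Alert:
    event_id: int
    action: str   # "added" or "removed"
    group: str
    member: str   # DN of the account whose membership changed
    actor: str    # account that performed the change


# Assumed flattened record format: Key="value" pairs, values may contain
# backslash-escaped characters (e.g. DOMAIN\user).
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one flattened event line; return None for malformed records."""
    fields: Dict[str, object] = dict(FIELD_RE.findall(line))
    event_id = fields.get("EventID")
    if not isinstance(event_id, str) or not event_id.isdigit():
        return None
    fields["EventID"] = int(event_id)
    return fields


def check_event(fields: Dict[str, object]) -> Optional[Alert]:
    """Apply the watchlist rule to one parsed event."""
    action = GROUP_CHANGE_EVENTS.get(fields["EventID"])  # type: ignore[arg-type]
    if action is None:
        return None  # not a group membership change at all
    group = str(fields.get("TargetGroup", ""))
    if group.lower() not in WATCHED_GROUPS:
        return None  # a change, but not to a group we care about
    return Alert(
        event_id=int(fields["EventID"]),  # type: ignore[arg-type]
        action=action,
        group=group,
        member=str(fields.get("MemberName", "<unknown>")),
        actor=str(fields.get("SubjectUser", "<unknown>")),
    )


def watchlist(lines: Iterable[str]) -> List[Alert]:
    """Run the rule over a stream of records and collect the hits."""
    alerts: List[Alert] = []
    for line in lines:
        fields = parse_event(line)
        if fields is None:
            continue  # skip records that do not parse rather than crash the feed
        alert = check_event(fields)
        if alert is not None:
            alerts.append(alert)
    return alerts


def notification_text(alert: Alert) -> str:
    """Message body a notifier (e-mail to the CIO, etc.) would send."""
    return (f"[WATCHLIST] {alert.member} was {alert.action} "
            f"{'to' if alert.action == 'added' else 'from'} {alert.group} "
            f"by {alert.actor} (EventID {alert.event_id})")


# Constructed sample records, not real logs.
SAMPLE_LOG = [
    'EventID="4624" SubjectUser="CORP\\jdoe" LogonType="3"',
    'EventID="4728" SubjectUser="CORP\\hd_tech" TargetGroup="Domain Admins" '
    'MemberName="CN=Jane Doe,OU=Staff,DC=corp,DC=example"',
    'EventID="4728" SubjectUser="CORP\\hd_tech" TargetGroup="Helpdesk" '
    'MemberName="CN=Bob Roe,OU=Staff,DC=corp,DC=example"',
    'EventID="4757" SubjectUser="CORP\\da_admin" TargetGroup="Enterprise Admins" '
    'MemberName="CN=Old Admin,OU=Staff,DC=corp,DC=example"',
    'EventID="4729" SubjectUser="CORP\\hd_tech" TargetGroup="domain admins" '
    'MemberName="CN=Jane Doe,OU=Staff,DC=corp,DC=example"',
    'this line is not an event record',
]

if __name__ == "__main__":
    for a in watchlist(SAMPLE_LOG):
        print(notification_text(a))
```

The point a practitioner should take from this is the part that made the real rule "more complex than it sounds": the rule has to key on several event IDs (global and universal group variants), match the group name case-insensitively, tolerate records that fail to parse, and carry both the changed member and the acting account into the notification, because the actor is what the CIO will ask about first.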
Current thread:
- TriGeo SIEM Experience O'Callaghan, Daniel (Apr 23)
- <Possible follow-ups>
- Re: TriGeo SIEM Experience Christopher Jones (Apr 23)
- Re: TriGeo SIEM Experience Daly, Douglas (Apr 27)
- Re: TriGeo SIEM Experience Dexter Caldwell (Apr 28)