Re: TriGeo SIEM Experience

[Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>]

I'd just like to re-emphasize Douglas' last recommendation below because
it rings so true from my experience.  It is critically important to size
quite a bit above what you judge your eps rate to be no matter what
platform you choose.  Proper vetting is essential.  You won't regret it. 


Dexter Caldwell
Information Security Administrator
Computing & Information Services
Furman University



 
The EDUCAUSE Security Constituent Group Listserv
<SECURITY () LISTSERV EDUCAUSE EDU> writes:
> We are using enVision. We chose it largely� due to it's being able to
> collect Windows logs natively.� We also liked the vast number of canned
> reports that are fine out of the box and are really useful as templates
> (create a copy� and then modify)� for customizing reports. The Analyze
> feature is useful and we contracted for 3 days professional time to set
> it up and get our preliminary training. Part of that time was spent
> setting up a watchlist scenario that automatically notifies the CIO if
> there is any change in the Domain Admins security group. That was more
> complex than it sounds. Contact me off list if you'd like a brief
> overview of how we did this.
> � 
> The TriGEO was one we did not look at since, at the time, the� Gartner
> magic quadrant report indicated it had some limitations that caused us
> not to include it in the process. It's a� copyrighted report so I can't
> send it but you could ask the vendors for an updated version (mine was
> 1Q07). It indicated that the TriGEO didn't scale well to large
> installations - that may have changed.
> � 
> We did eval MARS from Cisco and found that snort (required for collecting
> Windows logs) if installed and not tuned, would use about 50%� of the
> server's CPU. 
> � 
> One recommendation for choosing a SIEM, you will likely underestimate the
> number of events per second you will feed to the box, so license it for 2
> or 3 times more than you think you will need.
> � 
>
> Douglas Daly
> Associate Director,
> Technical� Services
> New York Medical College
> Valhalla, NY�  10595
> � 
> 914.594.4961 
> � 
> � 
> � 
>
>
> -----Original Message-----
> From: Christopher Jones [mailto:Christopher.Jones () UFV CA] 
> Sent: Thursday, April 23, 2009 4:07 PM
> Subject: Re: TriGeo SIEM Experience
>
>
> Hi Daniel,
> � 
> We are taking a very serious look at RSA's enVision solution.�  A couple
> of key advantages for us is that enVision collects, stores and processes
> raw log information in native format instead of normalizing it.�  As
> well, enVision is able to receive log data from are large number of
> disparate devices.�  You might want to check it out.�  Thanks.
> � 
> � 
> � 
> Regards,
> Christopher Jones
> IT Security Administrator
> Information Technology Services
> University of the Fraser Valley
> 33844 King Road
> Abbotsford, BC�  V2S 7M8
> 604.854.4566
> [ mailto:Christopher.Jones () ufv ca ]Christopher.Jones () ufv ca
> � 
> [Image]
> � 
>
>
> > > > "O'Callaghan, Daniel" <Daniel.OCallaghan () SINCLAIR EDU> 04/23/2009
> 12:35 PM >>>
>
> We are looking at a couple of SIEM solutions, and� TriGeo is one we are
> considering.� � We have heard good things from� local customers, but they
> are all in� the financial� sector or subject to SOX, so have tighter
> controls than� a typical .edu.� � � Does anyone have any experience
> with� TriGeo in an academic environment?� � Off-list replies will be kept
> confidential.
> � 
>
> ________________________________________________
> Daniel V. O'Callaghan, Jr., MBA, CISSP
> Chief Information Security Officer
> Sinclair Community College
> 444 West Third Street, 13-000F
> Dayton, Ohio 45402-1460
> 937-512-2452 Fax 937-512-2385
> daniel.ocallaghan () sinclair edu
> �