Educause Security Discussion mailing list archives
Re: TriGeo SIEM Experience
From: Dexter Caldwell <Dexter.Caldwell () FURMAN EDU>
Date: Tue, 28 Apr 2009 08:57:33 -0400
I'd just like to re-emphasize Douglas' last recommendation below because it rings so true from my experience. It is critically important to size quite a bit above what you judge your eps rate to be no matter what platform you choose. Proper vetting is essential. You won't regret it.

Dexter Caldwell
Information Security Administrator
Computing & Information Services
Furman University

The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> writes:
We are using enVision. We chose it largely due to its being able to collect Windows logs natively. We also liked the vast number of canned reports that are fine out of the box and are really useful as templates (create a copy and then modify) for customizing reports. The Analyze feature is useful and we contracted for 3 days professional time to set it up and get our preliminary training. Part of that time was spent setting up a watchlist scenario that automatically notifies the CIO if there is any change in the Domain Admins security group. That was more complex than it sounds. Contact me off list if you'd like a brief overview of how we did this.

The TriGEO was one we did not look at since, at the time, the Gartner Magic Quadrant report indicated it had some limitations that caused us not to include it in the process. It's a copyrighted report so I can't send it but you could ask the vendors for an updated version (mine was 1Q07). It indicated that the TriGEO didn't scale well to large installations - that may have changed.

We did eval MARS from Cisco and found that snort (required for collecting Windows logs), if installed and not tuned, would use about 50% of the server's CPU.

One recommendation for choosing a SIEM: you will likely underestimate the number of events per second you will feed to the box, so license it for 2 or 3 times more than you think you will need.

Douglas Daly
Associate Director, Technical Services
New York Medical College
Valhalla, NY 10595
914.594.4961

-----Original Message-----
From: Christopher Jones [mailto:Christopher.Jones () UFV CA]
Sent: Thursday, April 23, 2009 4:07 PM
Subject: Re: TriGeo SIEM Experience

Hi Daniel,

We are taking a very serious look at RSA's enVision solution. A couple of key advantages for us are that enVision collects, stores and processes raw log information in native format instead of normalizing it. As well, enVision is able to receive log data from a large number of disparate devices. You might want to check it out. Thanks.

Regards,
Christopher Jones
IT Security Administrator
Information Technology Services
University of the Fraser Valley
33844 King Road
Abbotsford, BC V2S 7M8
604.854.4566
Christopher.Jones () ufv ca

"O'Callaghan, Daniel" <Daniel.OCallaghan () SINCLAIR EDU> 04/23/2009 12:35 PM >>>
We are looking at a couple of SIEM solutions, and TriGeo is one we are considering.

We have heard good things from local customers, but they are all in the financial sector or subject to SOX, so have tighter controls than a typical .edu.

Does anyone have any experience with TriGeo in an academic environment?

Off-list replies will be kept confidential.

________________________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP
Chief Information Security Officer
Sinclair Community College
444 West Third Street, 13-000F
Dayton, Ohio 45402-1460
937-512-2452 Fax 937-512-2385
daniel.ocallaghan () sinclair edu
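Douglas describes a watchlist that notifies the CIO on any change to the Domain Admins group. The script below is an added example, written for this archive page and not taken from the thread, from enVision, or from any other SIEM product, of the detection logic such a watchlist boils down to. It assumes Windows Security events have been forwarded as one text line each in a constructed key=value layout (the layout, hostnames, timestamps and member names are invented for the example); the event IDs 4728/4729 (member added to / removed from a security-enabled global group) and 4756/4757 (the universal-group equivalents) and the field names SubjectUserName, MemberName and TargetUserName are the real Windows Security log identifiers. It goes slightly beyond the post by accepting any set of watched groups, so the same rule covers Enterprise Admins. The notification transport (mail to the CIO) is left to the SIEM and is not modelled here.

```python
"""Watchlist-style detection: alert on membership changes to sensitive AD groups.

Added example for this thread; not code from the original posts or from any
SIEM vendor. Input format is a constructed key=value rendering of forwarded
Windows Security events; the event IDs and field names are the real ones.
"""
import re

# Windows Security event IDs for group membership changes (real identifiers).
GROUP_CHANGE_EVENTS = {
    4728: "member added to security-enabled global group",
    4729: "member removed from security-enabled global group",
    4756: "member added to security-enabled universal group",
    4757: "member removed from security-enabled universal group",
}

# Groups whose membership changes should raise an alert (the post watches
# Domain Admins; callers may pass a wider set).
WATCHED_GROUPS = frozenset({"Domain Admins"})

# Constructed sample lines: "<timestamp> <host> key=value key="quoted value" ...".
# The layout is invented for this example; only the IDs and field names are real.
SAMPLE_EVENTS = [
    '2009-04-27T09:58:11 dc01 EventID=4624 SubjectUserName=SYSTEM TargetUserName=jsmith LogonType=3',
    '2009-04-27T10:15:02 dc01 EventID=4728 SubjectUserName=admin01 MemberName="CN=jsmith,OU=Staff,DC=example,DC=edu" TargetUserName="Domain Admins" TargetDomainName=EXAMPLE',
    '2009-04-27T10:16:40 dc01 EventID=4728 SubjectUserName=admin01 MemberName="CN=tlee,OU=Staff,DC=example,DC=edu" TargetUserName="Help Desk" TargetDomainName=EXAMPLE',
    '2009-04-27T11:02:19 dc02 EventID=4756 SubjectUserName=admin02 MemberName="CN=svc-backup,OU=Service,DC=example,DC=edu" TargetUserName="Enterprise Admins" TargetDomainName=EXAMPLE',
    '2009-04-27T17:45:03 dc01 EventID=4729 SubjectUserName=admin01 MemberName="CN=jsmith,OU=Staff,DC=example,DC=edu" TargetUserName="Domain Admins" TargetDomainName=EXAMPLE',
]

# key=value pairs; values are either "quoted, may contain spaces and =" or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Split one forwarded line into timestamp, host and its key=value fields."""
    timestamp, host, rest = line.split(" ", 2)
    fields = {"timestamp": timestamp, "host": host}
    for key, quoted, bare in KV_RE.findall(rest):
        fields[key] = bare if bare else quoted
    return fields


def find_group_changes(lines, watched=WATCHED_GROUPS):
    """Return one alert record per add/remove event touching a watched group."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        try:
            event_id = int(ev.get("EventID", ""))
        except ValueError:
            continue  # malformed or non-numeric EventID: not a group change
        if event_id not in GROUP_CHANGE_EVENTS:
            continue  # logons, policy changes etc. are out of scope here
        group = ev.get("TargetUserName")
        if group not in watched:
            continue  # membership change on a group nobody asked about
        alerts.append({
            "timestamp": ev["timestamp"],
            "host": ev["host"],
            "event_id": event_id,
            "action": GROUP_CHANGE_EVENTS[event_id],
            "group": group,
            "member": ev.get("MemberName", "<unknown member>"),
            "actor": ev.get("SubjectUserName", "<unknown actor>"),
        })
    return alerts


def format_alert(alert):
    """Render an alert record as a one-line notification body."""
    return "[{host} {timestamp}] {action}: {member} -> {group} (by {actor})".format(**alert)


if __name__ == "__main__":
    for alert in find_group_changes(SAMPLE_EVENTS):
        print(format_alert(alert))
```

Run stand-alone, the script reports only the two Domain Admins events (the add and the later remove of jsmith); the Help Desk change and the Enterprise Admins change are dropped unless that group is added to the watched set. In a real deployment the same rule would be fed from the SIEM's Windows collector, and the remove event (4729) matters as much as the add, since a membership that appears and disappears between two scheduled audits would otherwise go unnoticed.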
Current thread:
- TriGeo SIEM Experience O'Callaghan, Daniel (Apr 23)
- <Possible follow-ups>
- Re: TriGeo SIEM Experience Christopher Jones (Apr 23)
- Re: TriGeo SIEM Experience Daly, Douglas (Apr 27)
- Re: TriGeo SIEM Experience Dexter Caldwell (Apr 28)