Educause Security Discussion mailing list archives

Re: TriGeo SIEM Experience


From: "Daly, Douglas" <DDALY () NYMC EDU>
Date: Mon, 27 Apr 2009 09:59:07 -0400

We are using enVision. We chose it largely due to its being able to collect Windows logs natively. We also liked the 
vast number of canned reports that are fine out of the box and are really useful as templates (create a copy and then 
modify) for customizing reports. The Analyze feature is useful and we contracted for 3 days professional time to set it 
up and get our preliminary training. Part of that time was spent setting up a watchlist scenario that automatically 
notifies the CIO if there is any change in the Domain Admins security group. That was more complex than it sounds. 
Contact me off list if you'd like a brief overview of how we did this.

The TriGEO was one we did not look at since, at the time, the Gartner magic quadrant report indicated it had some 
limitations that caused us not to include it in the process. It's a copyrighted report so I can't send it but you could 
ask the vendors for an updated version (mine was 1Q07). It indicated that the TriGEO didn't scale well to large 
installations - that may have changed.

We did eval MARS from Cisco and found that snort (required for collecting Windows logs) if installed and not tuned, 
would use about 50% of the server's CPU.

One recommendation for choosing a SIEM: you will likely underestimate the number of events per second you will feed to 
the box, so license it for 2 or 3 times more than you think you will need.

Douglas Daly
Associate Director,
Technical Services
New York Medical College
Valhalla, NY  10595

914.594.4961
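A minimal version of the Domain Admins watchlist scenario Douglas describes above, as an added example that is not part of the post or of the enVision product: the event IDs are the standard Windows Security group-membership events, while the field names and the sample events are constructed.

```python
# Added example: a watchlist check for membership changes to a sensitive AD group,
# run over constructed Windows Security events (not the enVision scenario itself).
from dataclasses import dataclass

# Security-group membership events: Windows 2003 IDs and their 2008+ equivalents
# (global, local, universal group; member "added" / "removed").
GROUP_CHANGE_EVENTS = {
    632: "added", 633: "removed", 636: "added", 637: "removed", 660: "added", 661: "removed",
    4728: "added", 4729: "removed", 4732: "added", 4733: "removed", 4756: "added", 4757: "removed",
}

WATCHLIST = {"domain admins"}  # group names are compared case-insensitively

@dataclass(frozen=True)
class Alert:
    time: str
    action: str
    member: str
    group: str
    actor: str

def watchlist_alerts(events, watchlist=WATCHLIST):
    """Return one Alert per membership change to a watched group.
    Each event is a dict with the fields a log forwarder would carry (assumed names):
    EventID, TimeCreated, TargetUserName (the group), MemberName, SubjectUserName.
    """
    alerts = []
    for ev in events:
        action = GROUP_CHANGE_EVENTS.get(ev.get("EventID"))
        if action is None:
            continue  # not a group-membership event at all
        group = ev.get("TargetUserName", "")
        if group.lower() not in watchlist:
            continue  # a change to a group we are not watching
        alerts.append(Alert(ev.get("TimeCreated", ""), action,
                            ev.get("MemberName", "?"), group,
                            ev.get("SubjectUserName", "?")))
    return alerts

# Constructed sample events (not real log data): add to Domain Admins, add to an
# unwatched group, a logon, then a removal from Domain Admins by the added account.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2009-04-27T09:01:12", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=example,DC=edu", "SubjectUserName": "helpdesk1"},
    {"EventID": 4728, "TimeCreated": "2009-04-27T09:02:40", "TargetUserName": "Print Operators",
     "MemberName": "CN=asmith,CN=Users,DC=example,DC=edu", "SubjectUserName": "helpdesk1"},
    {"EventID": 4624, "TimeCreated": "2009-04-27T09:03:00", "TargetUserName": "jdoe"},
    {"EventID": 633, "TimeCreated": "2009-04-27T09:05:55", "TargetUserName": "Domain Admins",
     "MemberName": "CN=jdoe,CN=Users,DC=example,DC=edu", "SubjectUserName": "jdoe"},
]
```

Running `watchlist_alerts(SAMPLE_EVENTS)` yields two alerts (the add and the later removal); the unwatched group change and the logon are ignored.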



-----Original Message-----
From: Christopher Jones [mailto:Christopher.Jones () UFV CA]
Sent: Thursday, April 23, 2009 4:07 PM
Subject: Re: TriGeo SIEM Experience

Hi Daniel,

We are taking a very serious look at RSA's enVision solution.  A couple of key advantages for us are that enVision 
collects, stores and processes raw log information in native format instead of normalizing it.  As well, enVision is 
able to receive log data from a large number of disparate devices.  You might want to check it out.  Thanks.



Regards,
Christopher Jones
IT Security Administrator
Information Technology Services
University of the Fraser Valley
33844 King Road
Abbotsford, BC  V2S 7M8
604.854.4566
Christopher.Jones () ufv ca




"O'Callaghan, Daniel" <Daniel.OCallaghan () SINCLAIR EDU> 04/23/2009 12:35 PM >>>
We are looking at a couple of SIEM solutions, and TriGeo is one we are considering.  We have heard good things from 
local customers, but they are all in the financial sector or subject to SOX, so have tighter controls than a typical 
.edu.   Does anyone have any experience with TriGeo in an academic environment?  Off-list replies will be kept 
confidential.

________________________________________________
Daniel V. O'Callaghan, Jr., MBA, CISSP
Chief Information Security Officer
Sinclair Community College
444 West Third Street, 13-000F
Dayton, Ohio 45402-1460
937-512-2452 Fax 937-512-2385
daniel.ocallaghan () sinclair edu

