TriGeo Network Security's TriGeo Security Information Manager 3.0
TriGeo Network Security
Price: Starts at $19,820
Turning data from multiple network and security devices into actionable information isn't just a headache for Fortune 1000 companies -- SMBs with limited staff need to know quickly when their networks are threatened.
TriGeo Network Security's TriGeo Security Information Manager (TriGeo SIM) 3.0 fills this niche as a highly flexible, easy-to-manage appliance that's designed to support 50 to 5,000 active devices.
It also adds automated remediation, a plus for any organization. TriGeo SIM can issue policy-based commands to block IP addresses and ports, and shut down or reboot users through Cisco Systems, Check Point Software Technologies, Juniper Networks, WatchGuard Technologies, SonicWALL, TopLayer Networks and Fortinet devices.
Like other SIMs, the appliance gathers data -- typically logs -- from devices and applications via agents or remote logging from firewalls, routers and switches. Data is normalized and processed by the policy engine, which initiates remediation action and/or an alert via e-mail, SMS, pagers and handheld devices.
The sweet spot for TriGeo, though, is its interface and management. TriGeo has hundreds of prebuilt correlation filters and rules that are as easy to use as LEGOs.
You can create filters based on alert types, and then operate the filters based on any of the data contained within the alert. For example, you can create a "VPN Alerts" tab that can be used to show only the alerts from a Cisco VPN Concentrator. Other custom filters might show modifications to user accounts or changes to domain properties.
The appliance ships with more than 500 predefined rules. For example, change management rules can identify when users, groups, domains or policies are manipulated. Rules can apply to a specific group of devices, be time-dependent and have easily modifiable thresholds. One drawback is the lack of directory support; users and groups have to be manually created.
Device support isn't as broad as some enterprise-level SIMs: about 100, with a hefty Cisco representation. We used the appliance to monitor events from Juniper's NetScreen firewalls, Snort IDS sensors, Cisco routers and switches, Norton Anti-Virus CE software, and Windows and Linux workstations.
Event storage capacity runs from 73GB to 3x73GB RAID5 arrays, depending on purchase level. The Data Warehouse function can support additional storage to a second database (MS SQL Server).
The live console dashboard is very good, giving security managers easy access to alerts and agent status, with the ability to drill down for detail. The Crystal Reports are acceptable; out-of-the-box reports are static -- unlike the live dashboard, you can't review these reports' graphical data in real time or drill down for more detail to investigate interesting patterns. This can be remedied with a third-party tool.
With its ease of use and automated remediation features, TriGeo SIM is a sensible option for organizations that don't quite need the muscle -- or the cost -- of a large enterprise product.
This review originally appeared in the June issue of Information Security magazine.