
Shaping Info Security - 2006 - TriGeo Network Security, Inc.

Michael Maloof, Providing IT teams with powerful, real-time event correlation technology

Information technology and security professionals are literally drowning in data.  The devices and systems they've deployed to protect their organizations generate millions of events every day which are virtually impossible to analyze without automation.  In spite of the complexity, this data must be analyzed - both to ensure the integrity of the customer, credit card, or patient data, and also to meet serious regulatory requirements and fiduciary responsibilities.

To be effective in network defense, and not just for forensic analysis, the network and security event data must also be analyzed and correlated in real-time.  There are numerous obstacles to performing this task efficiently, securely and with minimal personnel resources. 

The first significant obstacle to real-time event correlation is the fact that none of the core defense technologies deployed in the classic defense-in-depth and best-of-breed model are designed to communicate with each other.  They are simply point solutions and represent silos of information.   The data from these disparate systems must be aggregated and normalized to a common taxonomy – effectively, a universal translator is required to map the French, German, Russian and Chinese of the various technologies into English.

Another major obstacle to real-time event correlation is the construction of the correlation rules.  Few organizations think in terms of correlation rules, but they are certainly familiar with network policies and they can describe business rules and objectives.  The challenge is to find a way to bridge their knowledge and objectives with the construction of correlation rules, without requiring IT personnel to become system programmers.

Technology
Michael Maloof
Name: Michael Maloof
Title: Chief Technology Officer (CTO)
Likes to be called: Michael
Company: TriGeo Network Security, Inc.

At TriGeo we took a unique approach to security information and event management.  Traditionally, the SIEM function was viewed as passive and forensic in nature.  We recognized that SIEM sits in a unique position in the network, and its enterprise-wide view represented an opportunity to create a new network defense technology.

At the heart of that technology is the ability to perform real-time event analysis and correlation.  The millions of events flowing through management consoles would be virtually meaningless if it wasn't for the analysis and correlation used to identify, notify and respond to suspicious behavior, malicious activity and policy violations.

In achieving our goal to deliver effective, affordable and usable real-time event correlation, TriGeo created truly innovative and ground-breaking technology.  TriGeo has filed four patents around this core technological advantage: real-time event correlation combined with active response, or threat mitigation.  The primary attributes of this technology are described below:

1) The heart of security information and event management (SIEM) is correlation, and TriGeo's patent-pending technology operates entirely in memory.  TriGeo’s design suffers from none of the database bottlenecks of competing systems, which is critical in high-volume attack situations.  Running on what is, at this writing, the only 64-bit SIEM appliance, TriGeo’s multi-dimensional correlation engine can detect behavioral anomalies in real time.

2) The most powerful correlation engine would be useless without a significant library of pre-built rules (over 500) and the ability to rapidly construct new rules tailored to a specific organization.  TriGeo's patent-pending Rule Builder was described by an independent review "as easy to use as Legos".

3) TriGeo was designed from the start as a network defense tool.  Given its unique view of the network and its integration with dozens of network products and operating systems, TriGeo actively defends the network.  It’s the brain as well as the arms and legs for organizations that don't have the luxury of 24/7 security operation centers.  Only TriGeo can respond to suspicious or malicious activity by disabling accounts, modifying privileges, blocking or routing traffic or shutting a machine down – just a few of dozens of actions.

TriGeo's event correlation technology, known as EPIC (Effective Policy through Intelligent Correlation), is patent-pending technology designed specifically for high-performance, real-time analysis and multi-dimensional correlation.  To gain a better understanding of the revolutionary nature of the EPIC system, we’ll examine the traditional approaches to correlation and contrast them with TriGeo’s approach.

Multiple event correlation systems look for patterns of behavior by evaluating discrete elements from distinct events to uncover significant relationships.  Increasing the number of evaluated events and related elements increases the likelihood that a target pattern of behavior will be detected, but can also add exponential complexity to the relationships.  To be effective, multiple event correlation systems must be able to construct complex, multi-dimensional correlation rules to detect significant patterns of behavior.  Similarly, real-time event analysis and display systems should distinguish between significant and insignificant events.  It is also critical that there be a mechanism to build the correlation rules quickly because the need for targeted monitoring or network assessment can change quite rapidly.

Traditional event modeling techniques make it tedious and time consuming to build multiple event correlation systems.  Existing techniques rely heavily on text-based data entry, extensive lists of correlation elements, rudimentary evaluation precedence, and event relationship metaphors such as nested parentheses.  To minimize complexity, these systems often place arbitrary limits on the number and type of data elements or fields that can be used in the correlation rules, and rigidly enforce linear or static evaluation paths.

Where graphical interfaces have been used, they typically utilize multi-state, banded, tabbed, or wizard-like rule construction models.  These interfaces attempt to minimize the complexity by breaking the process into individual components and associated steps.  These interfaces can produce limited multiple event correlations, but are only marginal improvements over pure text-based systems because the multi-step process involved still requires considerable time and effort.  Also, the results suffer from significant limitations imposed by the rigidity of their designs that allow for only a fixed set of combinatorial possibilities.

Existing graphical design approaches are further hampered by the fact that the relationship between the various elements cannot be seen or manipulated; in many cases, the process is entirely linear, and subsequent steps in the process can be completed only after previous elements have been defined.  A simplistic example of this design approach is the Outlook Rules wizard.  Most IT professionals have used this tool to construct mail processing rules, and it illustrates the limitations and constraints common to wizard-oriented rule construction.

TriGeo’s approach to real-time event correlation is unique in many ways, and chief among them is the Rule Builder graphical user interface.  It’s generally referred to as a “white board” model because you construct rules by dragging elements on to a central expression panel.  The interface incorporates comfortable and familiar techniques such as drag and drop, an icon-based tool panel, and a graphical object selection panel.  Experience has shown that IT personnel can effectively use the tool in a matter of minutes.

In addition to the ease with which new rules can be created, TriGeo has incorporated hundreds of (currently over 500) pre-built correlation rules that cover critical network infrastructure, change management and network security functions.  We believe this extensive library of rules is the largest in the industry and it continues to grow.  As an element of the Rule Builder interface, we’ve made it trivial to clone existing rules and tailor them to an organization’s unique requirements.  It’s often valuable to create subtle variations of rules.  For example, rules can have time-of-day and day-of-week sensitivity, where one rule simply notifies IT personnel during business hours, and a related rule takes a much more aggressive response, such as quarantining a machine, when the same activity takes place after hours.

In this way, the TriGeo rules are actually an effective Expert System, and we empower IT teams to construct models of analysis and response that mirror the activities they would perform if they could work 24/7/365.  As one of our customers aptly stated, “I can’t always be there.  TriGeo can.”
 
TriGeo’s rule builder also incorporates an import/export and subscription model that we refer to as NATO5.  The fifth article of the NATO alliance states that “an attack on one is an attack on all”.   TriGeo embraces this philosophy through the on-going research of its NATO5 team.  The members of this team monitor activity in the wild and reports of new vulnerabilities, and publish new rule updates to empower TriGeo users to monitor, identify and even respond to these new threats.

In the design and implementation of TriGeo’s real-time event correlation technology we identified and responded to a number of factors that we recognized as critical elements of effective correlation technology.  These factors are outlined below, and presented with contrasts between common approaches and TriGeo’s unique approach.

Real-Time Analysis
Is the data evaluated in real-time, or will you be waiting for polled data that's guaranteed to be at least 10 or 15 minutes behind?  You can't correlate what you can't see, so it's important to know if the event stream is real-time.  Most traditional SIEM products rely on data aggregation techniques that were simply never intended for real-time analysis.  The origin of these aggregation methods is in network management or forensic analysis where there were no real-time requirements.

In a world in which the last major worm traversed the entire internet in less than 15 minutes, TriGeo recognizes the critical importance of real-time data collection.  TriGeo captures real-time event streams from network devices and utilizes its proprietary agent technology to capture host-based events in real-time.

Memory or Database Correlation
Does the correlation engine process events in memory or query a database? The distinction is critical if the goal is real-time event analysis versus forensic analysis.  Again, the traditional SIEM model was to aggregate log data for reporting and forensic purposes.  Today, this has been extended to include regulatory compliance, and none of these objectives require real-time processing and performance.

TriGeo is completely based on an in-memory pool capable of correlating millions of events without the performance bottleneck associated with database insertion and query speeds.  The simple fact is that no matter what database or proprietary file system is used, RAM-based analysis is at least an order of magnitude faster, and TriGeo utilizes this reality to deliver superior event analysis and response.

Multiple-Event Correlation
Can the correlation system detect and associate anomalous behavior based on multiple events?  Systems designed to identify the occurrence of a single event, even with time and frequency constraints, simply can't identify today's blended threats.  It’s common to find systems claiming event correlation capabilities, but a review of the functionality quickly reveals that they’re not capable of correlating across devices and across events.

TriGeo has comprehensive support for multiple-device, multiple-event correlation, including the unique ability to set independent thresholds of activity per event, or group of events.  This is precisely what's needed when the correlated activities occur at dramatically different rates, such as the number of user logon failures versus the count of denied traffic.

Non-Linear Correlation
Does the correlation rely on traditional sequential event evaluation?  With today's blended, or multi-faceted, attacks there's no guarantee what order events might appear - couple that reality with typical deviations in equipment time stamps and you quickly realize that linear event correlation is extremely limited.

TriGeo employs a patent-pending technology that maps events in memory and applies a completely non-linear, multi-vector, correlation algorithm. This greatly reduces the number of rules needed because it's no longer necessary to build distinct rules for every possible combination of events.

Field-Level Comparison
Does the product provide a rich set of discrete fields that can be used in the correlation?  The event collection and normalization process often strips critical details that are needed for effective correlation, or that detail is not available in the product's rule editor.   Normalization is essential for correlation, but it’s an area that is generally not considered when reviewing competing approaches to event correlation.

TriGeo’s normalization process and its associated event taxonomy are significant components of our intellectual property.  TriGeo captures an extensive array of field-level data, and makes it all easily accessible via our graphical rule builder. When this data is combined with user-defined groups and variables, TriGeo makes it possible to build very detailed and sophisticated rules that minimize false positives and focus your attention where and when it's needed.
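The "universal translator" described in the opening section, and the field-level detail this section says normalization must preserve, can be illustrated with a small normalizer.  This is an added example written for this page, not TriGeo's code or taxonomy: the field names, the three log formats and the sample lines are all constructed and simplified (the Windows logon failure is rendered as a single line, which the real event log does not do).  The point it shows is that three different devices reporting on the same source host end up in one schema, with logon failures from Windows and from sshd collapsing to a single event type, so that one rule can be written against all of them.

```python
import re
from typing import Optional

# Constructed sample lines in three vendors' native formats (simplified, not
# real TriGeo input): a Cisco ASA-style deny, a Windows logon failure rendered
# as one line, and a Linux sshd failure.  All three describe the same source host.
SAMPLE_LINES = [
    "Jan 12 03:14:07 fw1 %ASA-4-106023: Deny tcp src outside:10.9.8.7/51322 "
    "dst inside:192.168.1.10/445",
    "2006-01-12 03:14:09 DC1 Security 529 Logon Failure: User Name: jdoe "
    "Source Network Address: 10.9.8.7",
    "Jan 12 03:14:11 web1 sshd[2211]: Failed password for root from 10.9.8.7 port 40022 ssh2",
]

# The common taxonomy (this example's own choice of field names).  Every parser
# fills the same fields so a single rule can be written regardless of the device.
FIELDS = ("event_type", "device", "src_ip", "dst_ip", "dst_port", "user", "raw")

# Source-specific parsers.  Each pattern only has to understand its own device.
_ASA_DENY = re.compile(
    r"(?P<device>\S+) %ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<port>\d+)")
_WIN_LOGON_FAIL = re.compile(
    r"(?P<device>\S+) Security 529 .*User Name: (?P<user>\S+) "
    r".*Source Network Address: (?P<src>[\d.]+)")
_SSHD_FAIL = re.compile(
    r"(?P<device>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+)")


def _event(event_type: str, device: str, raw: str, **fields) -> dict:
    """Build a record with every taxonomy field present (None where the source
    carries no such detail), so a rule never trips over a missing key."""
    ev = dict.fromkeys(FIELDS)
    ev.update(event_type=event_type, device=device, raw=raw, **fields)
    return ev


def normalize(line: str) -> Optional[dict]:
    """Map one raw log line into the common taxonomy, or None if unrecognised."""
    m = _ASA_DENY.search(line)
    if m:
        return _event("traffic_denied", m["device"], line, src_ip=m["src"],
                      dst_ip=m["dst"], dst_port=int(m["port"]))
    m = _WIN_LOGON_FAIL.search(line)
    if m:
        # Windows and sshd failures collapse to ONE event type: the rule that
        # counts logon failures does not care which platform produced them.
        return _event("logon_failure", m["device"], line, src_ip=m["src"], user=m["user"])
    m = _SSHD_FAIL.search(line)
    if m:
        return _event("logon_failure", m["device"], line, src_ip=m["src"], user=m["user"])
    return None


def normalize_all(lines) -> tuple:
    """Return (normalized events, lines nothing understood).  Unparsed lines are
    kept rather than dropped: they remain useful for forensics, but they are
    invisible to correlation, which is how detail gets 'stripped' in practice."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
        else:
            events.append(ev)
    return events, unparsed


if __name__ == "__main__":
    evs, bad = normalize_all(SAMPLE_LINES + ["Jan 12 03:15:00 fw1 some unknown message"])
    for ev in evs:
        print(ev["event_type"], ev["device"], ev["src_ip"], ev["user"])
    print("unparsed:", bad)
```

The check a practitioner should run against any normalizer is the last one above: count what it fails to parse.  A line that silently falls through is exactly the "critical detail" that will be missing from the rule editor later.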

Environmental Awareness
Can the correlation rule factor in details about the organization, such as critical assets, applications, time of day or day of week?  It's vital that rules be tuned to address the specific business environment, standard processes and IT objectives.

TriGeo employs several techniques to minimize the noise and maximize the value of the data that’s being captured and analyzed. This includes the use of user defined groups that can identify critical assets, and be easily integrated into rules. It also includes the use of unique time sensitivity in rules. For example, rules can be built to operate inside or outside defined business hours. Activity on a server can be monitored with regard to a defined maintenance or reboot window.
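The properties claimed in the Multiple-Event, Non-Linear and Environmental Awareness sections above (and the business-hours versus after-hours rule variants described earlier) are easiest to judge against a concrete engine.  The following is an added example written for this page, not TriGeo's engine or rule format: the rule structure, field names, event data and action names are all this example's own, constructed assumptions.  It keeps all state in memory, sets an independent threshold per event type, fires when every threshold is met inside the window regardless of the order in which the event types arrived, and picks a gentler or harsher action depending on whether the final event landed inside defined business hours.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# One rule expressed as data.  The shape and the field names are this example's
# own invention, not TriGeo's rule format.
RULE = {
    "name": "scan followed by brute force from one source",
    "key": "src_ip",                  # correlate per source address
    "window": timedelta(minutes=5),   # all counts must fall inside this window
    # Independent thresholds: three failed logons are already suspicious,
    # denied packets only matter in volume.
    "thresholds": {"logon_failure": 3, "traffic_denied": 20},
    "business_hours": (time(8, 0), time(18, 0)),   # Monday to Friday
    "action_in_hours": "notify",
    "action_after_hours": "quarantine",
}


def in_business_hours(ts: datetime, rule: dict) -> bool:
    start, end = rule["business_hours"]
    return ts.weekday() < 5 and start <= ts.time() < end


class Correlator:
    """In-memory, order-independent multi-event correlator for a single rule."""

    def __init__(self, rule: dict):
        self.rule = rule
        # key value -> event_type -> timestamps still inside the window
        self.state = defaultdict(lambda: defaultdict(deque))
        self.alerts = []

    def ingest(self, ev: dict):
        rule = self.rule
        key, etype = ev.get(rule["key"]), ev["event_type"]
        if key is None or etype not in rule["thresholds"]:
            return None                        # not relevant to this rule
        ts = ev["ts"]
        buckets = self.state[key]
        buckets[etype].append(ts)
        cutoff = ts - rule["window"]           # age out every bucket for this key
        for q in buckets.values():
            while q and q[0] < cutoff:
                q.popleft()
        # Non-linear check: every threshold met, in whatever order events arrived.
        if all(len(buckets[t]) >= n for t, n in rule["thresholds"].items()):
            action = (rule["action_in_hours"] if in_business_hours(ts, rule)
                      else rule["action_after_hours"])
            alert = {"rule": rule["name"], rule["key"]: key, "at": ts, "action": action,
                     "counts": {t: len(buckets[t]) for t in rule["thresholds"]}}
            self.alerts.append(alert)
            buckets.clear()                    # one alert per burst, then start over
            return alert
        return None


def run_rule(rule: dict, events) -> list:
    """Feed events in arrival order and return the alerts that fired."""
    c = Correlator(rule)
    for ev in events:
        c.ingest(ev)
    return c.alerts


def make_events() -> list:
    """Constructed, already-normalized events (not real logs).  Three sources:
    10.9.8.7  after hours, logon failures BEFORE the denies    -> should quarantine
    10.1.1.5  business hours, denies BEFORE the logon failures -> should notify
    10.1.1.9  business hours, many denies but only 2 failures  -> must stay silent
    2006-01-12 is a Thursday."""
    evs = []

    def burst(src, start, first, n_first, second, n_second):
        t = start
        for etype, n in ((first, n_first), (second, n_second)):
            for _ in range(n):
                evs.append({"ts": t, "event_type": etype, "src_ip": src})
                t += timedelta(seconds=1)

    burst("10.9.8.7", datetime(2006, 1, 12, 3, 14, 0), "logon_failure", 3, "traffic_denied", 20)
    burst("10.1.1.5", datetime(2006, 1, 12, 10, 0, 0), "traffic_denied", 20, "logon_failure", 3)
    burst("10.1.1.9", datetime(2006, 1, 12, 11, 0, 0), "traffic_denied", 25, "logon_failure", 2)
    return evs


if __name__ == "__main__":
    for a in run_rule(RULE, make_events()):
        print(a["src_ip"], a["at"].isoformat(), a["action"], a["counts"])
```

Two design points worth noting.  The rule is data, so cloning it and changing one threshold or the after-hours action is a copy of a dictionary rather than a code change, which is the "subtle variations" workflow described above.  And the window is evaluated on the events' own timestamps, so clock skew between devices shifts which events share a window; in practice the window should be wider than the worst skew you measure between your log sources.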

Correlation Rule Builder
Can you build a rule?  While this question is deceptively simple, it's critically important. Most products employ rule "editors" that were clearly designed by programmers, for programmers. Even when "wizards" are used, it takes five steps to accomplish even the most basic tasks.

TriGeo's rule builder employs an intuitive graphical interface using common "drag and drop" techniques, and everything is done in one location. It can be mastered in a matter of minutes and it will surprise you that something so simple can construct the most complex and powerful correlations available on the market.

Active Response
What happens when the rule fires?  An integral component of the correlation is the action that can be taken when the modeled behavior is identified.  While most products provide various notification options, such as email or pager, few go much further.  Where they do, they require human intervention to confirm or activate any pre-programmed responses.

TriGeo was the pioneer and remains the leader in automated remediation through intelligent correlation.  It ships with the industry’s largest arsenal of actions that can be linked directly to correlations, and utilizes a proprietary action framework to communicate directly with network infrastructure devices and host operating systems, providing network defense coverage from the perimeter to the endpoint.  TriGeo can actively defend the network through highly targeted correlation rules, behavior analysis and integration with network infrastructure.  The defensive arsenal includes the ability to quarantine, block, route and control services, processes, accounts, privileges and more.

TriGeo specifically targets the small to medium enterprise (SME).  These businesses have unique needs that are not being addressed by SIM vendors targeting the Fortune 500.  They suffer from the same “pains” as larger enterprises, but have smaller staffs and budgets.  Many are also facing mounting regulatory pressure from federal mandates such as GLBA, SOX and HIPAA, and from industry standards such as PCI.

While TriGeo has broad network security applications, many of our customers are in highly regulated industries such as financial services, healthcare, utilities, higher education and government.  Most of our customers associate TriGeo with providing not only greater network security, but doing so with an ROI that’s equivalent to at least one full-time employee.  To gain the greatest insight into how TriGeo has benefited these organizations, and continues to deliver extraordinary value, it is best to let their own comments speak.

Fiserv is a well-known financial services and credit card processing organization made up of over 180 discrete organizations.  Listed below are a few of their comments on TriGeo:

"The biggest thing we liked about TriGeo SIM was its proactive technology. We believe the active response technology will provide Fiserv with measurable ROI."

"TriGeo is not only a security tool, but it also helps with day-to-day operations. Since TriGeo is real-time, our network staff can see networking errors as they occur. TriGeo will help clean up network traffic and keep it running smoothly and efficiently."

"TriGeo dramatically reduced the time we spend reviewing log files - now, we spend less than 5 minutes a day. TriGeo keeps us in touch with important security issues as they occur."

The USS-POSCO steel finishing plant is owned and operated by USS-POSCO Industries (UPI), a joint venture company established by U. S. Steel Corporation and POSCO, of the Republic of Korea.

UPI identified five main reasons for selecting TriGeo: “Real time log analysis with event correlation, the ability to track the use of administrative accounts, pre-built rules based event correlations, TriGeo’s unique USB defender technology, and the fact that the TriGeo SIM product has been honored as SC magazine Best Buy SIM tool were key factors in our decision to choose TriGeo."

“We wanted an appliance that provides proactive security.  Trying to correlate an event on servers’ logs is not an option for UPI.  We don't have the resources and time to find the needle in the hay stack.  Now we have a tool that can pinpoint the problem and provide solutions."

“The fact that TriGeo provides instant notifications of modifications to administrative accounts and hundreds of pre-built rules based event correlations was very important to us.  We were also impressed by the stamp of approval TriGeo has received from several industry peer-reviewed publications."

TriGeo recognizes that you can’t be “everything to everyone” so we’ve developed a solution specifically for businesses with 50 – 5,000 nodes under management.  What’s unique to the SME/SMB market?  There are three elements of a successful SME offering:             

Price
The product has to be priced so that they can put their arms around it.  Systems that begin at $100K may as well be $10,000,000.  TriGeo begins at $19,840 for a fully deployed turn-key system – no hidden charges for extra equipment, additional modules or 3rd party software.  Our pricing model is based simply on the level of appliance and number of nodes.  In addition, our support plan includes unlimited toll-free (800-number) telephone support, access to experienced network administrators, all with security credentials, and both product updates and upgrades for one full year.

Deployment
Rapid deployment is critical, and that’s why TriGeo is deployed on an appliance.  This market simply can’t handle multi-day, much less, multi-week installation and training commitments. Our model is to pre-configure and drop ship the appliance.  Initial setup and training is completed in about two hours using WebEx.  Every few weeks, we follow-up to provide 30-60 minutes of targeted training, system tuning and event analysis assistance.

Technology
A simple interface, 500+ predefined correlations and no programming skills required are all elements of a product these organizations will actually use.  Our console is intentionally simple and straightforward.  It’s designed to present the alerts/events from the devices as clearly as possible. 

Michael Maloof, CISSP, is the Chief Technology Officer for TriGeo Network Security, where he leads an award-winning team of engineers and researchers working on the cutting edge of real-time network security analysis, event correlation and automated remediation.  A serial entrepreneur, Michael counts TriGeo as his fourth venture in a career that spans twenty-five years of technology research, design and development.

Maloof is a published author, and co-inventor of TriGeo’s patent-pending event correlation graphical user interface, which independent reviews have recognized as powerful and unique yet as “easy to use as Legos”.

Prior to joining TriGeo, Maloof was the co-founder and CEO of an Enterprise Resource Planning software company.  His team’s engineering excellence and unique intellectual property were among the factors that prompted acquisition by a public company.  In previous ventures, Maloof counted some of Silicon Valley’s largest companies among his clients including Hewlett Packard, Advanced Micro Devices, Varian Associates, Santa Clara County, KLA-Tencor and NGK.

He’s an avid cyclist and international adventure traveler and in recent years has combined these two passions by cycling in numerous locations around the world. His wife of twenty years, Michelle Dickman, has been his partner in numerous ventures and adventures and is credited as the business brains of the team. As Michael describes it, he builds the products and Michelle builds the companies.

TriGeo Network Security, Inc.
510 Clearwater Loop, Suite 1
Post Falls, ID 83854 USA
Tel: 1-208-664-7000
