"I had to come up with a more intelligent way to do this," said Alan McHugh, manager of information technology at USPS FCU, a midsize credit union based in Clinton, Md., with eight branches across the U.S.
He began looking at security information management (SIM) and log management products and ultimately selected the TriGeo SIM. The appliance collects, correlates and normalizes data from USPS FCU's firewalls, terminals, servers and routers. "It's a one stop shop," McHugh said.
The appliance alerts him of threats, both internal and external via email or text message, and enforces policy. He can set it to report on certain services such as FTP or Telnet; for example, when TriGeo logs an employee using Telnet, it will alert him. "Someone on the teller line wouldn't need Telnet or FTP. I have the granular ability to say, 'Now shut it down'," McHugh said. He also has a log trail of user activity.
The device provides a central place for McHugh to track down what's happening on the roughly 150-node network, and he's been able to locate and shut down sources of attempted brute force attacks on the perimeter. "I have the source IP of where it's coming from, and can look up the IP and see who owns it, and will contact that company," he said. "If I can't reach the company, I'll call the ISP, who is usually quite responsive."
Other SIM products from large vendors were tailored for big enterprises and were too expensive, McHugh said: "It would have been overkill, budget-wise." He said some of those vendors have offered stripped down versions of their products to smaller organizations, but he believes those products fail to provide the functionality of TriGeo.
Cost was also a big factor for Pasadena Federal Credit Union (PFCU) in choosing a SIM. The California-based credit union has about 40 employees, including a two-member IT staff. Mike McDanell, IT supervisor and information security officer at PFCU, said he wanted a way to aggregate his logs and looked at SIM products from Cisco Systems Inc., Symantec Corp. and several others. "They didn't do nearly as much as TriGeo, especially for the cost," he said. TriGeo starts at $20,000, including the box and agents; McDanell said one SIM from a large vendor was about $95,000.
"TriGeo has active response, which allows me to assign rules to the logs that come in, so I can tell it to perform an action if something does occur in the network, down to the workstation level," McDanell said.
By pulling in firewall, antivirus, server, workstation and Web mail logs into one place, the appliance is saving him time. "It's making a lot less work for me as far as reviewing logs," he said. "And I can generate a lot of reports." TriGeo provides many preformatted reports but also enables customized reports.
The SIM system is compatible with a lot of devices, he added: "Just about every device you have, from Juniper devices to Barracuda spam firewalls, it can hook into and pull reports from."
Nick Selby, director of research operations and enterprise security practice director at The 451 Group, said SIM technology has become more mainstream and enterprises are finding that products from TriGeo, Q1Labs, Cisco, eIQnetworks, ArcSight, High Tower Software, netForensics and others are easier to use and maintain, plus cheaper to own than early SIM systems.
"Some of the drawbacks have been the tradeoff between price and functionality, and complexity of getting the systems set up, but this second generation, and particularly user-friendly enterprise SIM (ESIM) from established vendors like TriGeo and the others, make setup much easier, as do startups like Inspekt Security, which offers ESIM as a service," he said.
TriGeo has succeeded in marketing to small and midsize enterprises, Selby said. "It has shown innovation in its technology as well as its partnership choices," he added. "For example, bundling Snort to provide and maintain intrusion detection for businesses which may not have the resources to set up or maintain it."
For both credit unions, a big plus is TriGeo's USB Defender, which is bundled with the vendor's Windows agent and catches unauthorized USB flash drive insertions. "It denies anything I don't let onto the system as far as USBs," PFCU's McDanell said. "It's smart enough to recognize a mouse or a keyboard, but when it comes to drives, iPods, anything that's a USB device with storage, it will pop up with it."
One night earlier this year, the tool blocked a janitor's son from plugging in his iPhone. Although the incident caused no harm, it was a huge policy violation, and the credit union ended up changing cleaning crews, McDanell said.
USPS FCU's McHugh said USB Defender provides the ability to allow exceptions. The organization's CEO, for example, can load a USB storage device on the network but only with his login.
"It ticked off a lot of the staff when they found out they couldn't hook up their iPods anymore," McHugh said. "It enforces the policy you have in play."
The credit union sends all its TriGeo traffic into a SQL Server database running on a VMware ESX Server for long-term storage. With 250 gigabytes, the organization expects to get two years worth of information cataloged on it, and using a virtual server keeps costs down, McHugh said.
McDanell plans to budget next year for external data storage for the TriGeo, and is considering TriGeo's InDepth appliance. The way PFCU has it set up now, reports are pulled directly from the SIM, which can take time, especially for detailed reports, he said. The InDepth appliance archives the SIM data and allows for a deeper look at network activity, he said.
There are some initial growing pains when first implementing a SIM because building rules for it can be time consuming, McDanell said. "Once it's set up, it's wonderful," he added. "You have a pretty clear picture of what your network looks like."