FAQs
Which TriGeo products and services are targeted for which types of customers? How does TriGeo benefit each group?
The TriGeo SIM solution is focused on solving problems for small to medium enterprises that do not have dedicated security expertise in place but still want "enterprise-class" security coverage. TriGeo SIM is therefore designed for the IT professionals who are responsible for monitoring all of the disparate security devices across the enterprise. Unlike traditional, passive security information management products, TriGeo takes an active role in defending your network. It is the only product on the market today providing automated remediation through intelligent correlation to small to medium sized enterprises.
TriGeo SIM is used to provide enhanced security, productivity gains, and ultimate peace-of-mind to businesses. What are some examples of such applications?
Security is enhanced by providing real-time analysis, notification and response. Even if you had the staff, it's simply not possible to monitor all aspects of network security on a 24/7 basis. The volume of data generated, from even a fairly small organization, is simply overwhelming. Much greater efficiency is achieved by using automation to identify only those events that require investigation, immediate attention, or even warrant an automated response. SIM solutions, such as TriGeo SIM, are in a position to gather all alerts, and make determinations about whether traffic is malicious based on multiple pieces of data, rather than a single point — without requiring trained security specialists or gurus to analyze the incoming information. Bottom line: The peace of mind is achieved through the knowledge that the system is functioning continuously — performing the tasks that you would perform, following the rules that you established and automatically defending the network.
TriGeo SIM utilizes Active Response and Active Notification. What are the advantages of these technologies for busy security professionals?
When a worm can traverse the entire Internet in less than 10 minutes, we've reached the point where automation is not only desirable, it's essential. Firewalls actively block undesirable traffic, and anti-virus software actively opens, cleans or quarantines infected email. It is a natural extension for a SIM to communicate with these and other tools, coordinate their actions and so strengthen the entire network.
This communication and coordination is precisely what TriGeo enables via its Active Response and Active Notification policies. The goal is simple: to give the IT staff a tool for rapid incident identification and remediation. We make this possible with a sophisticated event analysis and correlation process that incorporates critical assets and company policy.
When an AV product can't clean an infection, TriGeo can step in to isolate the machine from the network. When the firewall passes "apparently" harmless traffic that the IDS then flags, TriGeo can step in to drop the connection. When a workstation is being used to explore unauthorized areas of a system, TriGeo can shut it down.
There seems to be a glut of competitors vying to deliver "centralized security event management tools" to businesses. What makes TriGeo SIM different?
Several factors contribute to our success in this arena:
- Our Automated Remediation through Intelligent Correlation™ is the feature most often cited as driving the purchase decision. This market isn't interested in another console. They need a product that can actively defend their network.
- Our appliance-based approach is ideal for organizations with minimal IT staff simply because it's not an additional drain on their already stretched resources. The appliance can be installed in minutes, and staff can be fully trained the same day, all with zero downtime.
- TriGeo SIM is completely self-contained so it does not require an associated management or database server, saving both the cost and the time associated with server and database configuration.
- TriGeo SIM's interface is designed for IT teams so they can quickly configure and monitor those aspects of network security that they consider most critical. It does not require dedicated security professionals to use or maintain.
- TriGeo SIM comes bundled with one of the leading IDS products. This product, while quite powerful, has traditionally been daunting to configure and deploy. By bundling with TriGeo SIM, these organizations are able to employ IDS within their networks with no additional IT staff burden or cost.
- Our pricing model is an ideal fit for this market segment. TriGeo provides full coverage without complex equations for events per second, or costs per type of monitored device.
What are the key market drivers that are fueling SMBs interest in TriGeo SIM's approach to taking raw data and transforming it into security intelligence?
First and foremost is regulatory pressure. While these organizations are smaller, they face precisely the same threats, use the same tools and must satisfy the same auditors as their much larger counterparts. Of course, their situation is compounded by smaller staffs and budgets. Many SMBs have budget for IDS, and the smart ones realize that bringing in an IDS on its own might appease an auditor but will only make their lives more difficult. We show them a way to have it all: IDS coverage, true event management, and a satisfied auditor.
TriGeo SIM facilitates simplified audits and reporting, and automates the review and analysis of log files in real-time. How does TriGeo SIM accomplish this?
TriGeo SIM's architecture is focused on real-time processing. The policy engine is the first thing to process any event, the console is second, and the database is last. This approach means that we're able to bring the full power of the appliance's memory and processor to identifying, notifying and responding to threats.
Traditional auditing and reporting requires a painstaking process of manual log aggregation. Logs are generated by virtually every device in the typical data center, but no two devices log precisely the same way, and in many cases they "speak" entirely different languages. The challenge goes beyond simply getting all the logs in one place; it is making sense of all the data, which requires serious effort and expertise.
We like to say that TriGeo SIM is your "security guy in a box". We package the expertise to read, interpret, filter and, most important, highlight those events that require attention. Further, by normalizing the data, translating it to a common language, we're able to generate reports that provide a system-wide view of network security. It's this complete picture that assures auditors you have your security issues under control.
From a technical perspective, TriGeo SIM uses a hybrid agent model. Where appropriate, we deploy an agent to remotely gather and securely forward the relevant events to our central repository. Alternatively, many devices and operating systems can route directly to our manager appliance. The advantage of using TriGeo's agent is that it also serves as a front-line soldier. It can be employed in numerous defense scenarios, such as isolating a compromised or infected workstation.
It's crucial for companies to make sense of critical security information pouring in from their various security systems. How does TriGeo SIM enable them to do this?
A significant percentage of TriGeo's engineering effort is focused on event normalization. This is a critical, and often underestimated, first step in security event management. It's during this process that we tune the signal-to-noise ratio. The reality is that 10,000 events might contain only a few dozen that should be monitored, and those need to be seen in context with information from multiple sources to be evaluated properly. Our event-centric normalization facilitates this analysis and distinguishes us from systems that are limited by device-centric aggregation.
Once normalized, this data can be monitored in real-time and mapped to specific policies: policies that answer questions such as, at what threshold does an audit event become a security event? How should we respond when an attack is focused on a critical asset? Who should we notify of inappropriate web or network access attempts? The answers to these and dozens of other questions can be modeled in TriGeo SIM's policies. This is the key to turning raw data into actionable information.
How does TriGeo SIM work? Is it different from the traditional event-correlation technologies? If so, how?
TriGeo SIM's architecture is focused on real-time processing. The policy engine is the first thing to process any event, the console is second, and the database is last. This approach means that TriGeo is able to bring the full power of the appliance's memory and processor to identifying, notifying and responding to threats.
Traditional event management and correlation processes are database-centric, which worked well for forensic analysis where real-time response was not a factor. These systems first write to the database, then query that data for their consoles, and lastly apply the appropriate notification policy. At best, policy can be applied before the console, but they are still bound by database insertion speed, so gaining any boost in performance requires more powerful and expensive database servers. It should be noted that these systems are ill-equipped to provide active response, and some limit their "responses" to various notification methods (email, pager, etc.).
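The two ideas in this answer and in the normalization answer above (event-centric normalization, then policies with thresholds and critical assets, evaluated before the console and the database) are easy to show in code. The following is an added illustration written for this page, not TriGeo's own code: the three log formats, the rule thresholds, the critical-asset list and the action names are all assumptions, and the sample log lines are constructed.

```python
"""Added example (not TriGeo code): a policy-first SIM pipeline.

Raw lines from heterogeneous sources are normalized into one event-centric
schema, evaluated by a policy engine FIRST, shown on a console SECOND, and
written to a store LAST, so a response never waits on database insertion.
Formats, thresholds, asset list and action names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CRITICAL_ASSETS = {"10.0.0.5"}  # assumed: the finance file server

# Constructed sample lines in three made-up formats (firewall, IDS, AV).
RAW_EVENTS = [
    "2004-03-01T10:00:01 fw01 DENY TCP 198.51.100.7:4411 -> 10.0.0.5:445",
    "2004-03-01T10:00:02 fw01 DENY TCP 198.51.100.7:4412 -> 10.0.0.5:445",
    "2004-03-01T10:00:03 fw01 DENY TCP 198.51.100.7:4413 -> 10.0.0.5:445",
    "2004-03-01T10:00:04 ids01 [1:2003:1] SMB exploit attempt 198.51.100.7 -> 10.0.0.5",
    "2004-03-01T10:00:05 av01 host=10.0.0.22 virus=W32.Worm action=quarantine_failed",
    "2004-03-01T10:00:06 fw01 DENY TCP 203.0.113.9:5000 -> 10.0.0.80:80",
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) (\w+) (\S+):(\d+) -> (\S+):(\d+)$")
IDS_RE = re.compile(r"^(\S+) (\S+) \[([\d:]+)\] (.+?) (\S+) -> (\S+)$")
AV_RE = re.compile(r"^(\S+) (\S+) host=(\S+) virus=(\S+) action=(\S+)$")


def normalize(line):
    """Map a raw line onto a common schema keyed on WHAT happened, not which device said it.
    Returns None for lines in no known format so callers can count the parse failures."""
    m = FW_RE.match(line)
    if m:
        ts, dev, verdict, proto, src, _sport, dst, dport = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": dev, "src": src, "dst": dst,
                "type": "conn_denied" if verdict == "DENY" else "conn_allowed",
                "detail": f"{proto}/{dport}"}
    m = IDS_RE.match(line)
    if m:
        ts, dev, sid, msg, src, dst = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": dev, "src": src, "dst": dst,
                "type": "ids_alert", "detail": f"{sid} {msg}"}
    m = AV_RE.match(line)
    if m:
        ts, dev, host, virus, action = m.groups()
        return {"ts": datetime.fromisoformat(ts), "device": dev, "src": host, "dst": host,
                "type": "av_clean_failed" if action == "quarantine_failed" else "av_cleaned",
                "detail": virus}
    return None


class PolicyEngine:
    """Turns normalized events into response actions (assumed action names)."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold          # denies from one source before it is an incident
        self.window = window                # sliding window for the threshold rule
        self.denies = defaultdict(deque)    # src -> timestamps of recent denies

    def evaluate(self, ev):
        actions = []
        if ev["type"] == "conn_denied":
            q = self.denies[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > self.window:
                q.popleft()
            # Threshold rule: fire exactly once when the count reaches the threshold,
            # so one scanning host does not produce one alert per packet.
            if len(q) == self.threshold:
                actions.append(("notify", f"scan from {ev['src']}"))
        if ev["type"] == "ids_alert" and ev["dst"] in CRITICAL_ASSETS:
            # Critical-asset rule: an IDS hit on a critical asset gets an active response.
            actions.append(("block_source", ev["src"]))
        if ev["type"] == "av_clean_failed":
            # AV could not clean: isolate the host via its agent (assumed capability).
            actions.append(("isolate_host", ev["src"]))
        return actions


def run_pipeline(lines):
    """Policy engine first, console second, store last; returns what each stage saw."""
    engine = PolicyEngine()
    responses, console, store, unparsed = [], [], [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
            continue
        responses.extend(engine.evaluate(ev))                 # 1. policy / active response
        console.append((ev["type"], ev["src"], ev["dst"]))    # 2. operator console
        store.append(ev)                                      # 3. database (forensics/reports)
    return {"responses": responses, "console": console, "stored": len(store), "unparsed": unparsed}


if __name__ == "__main__":
    for action in run_pipeline(RAW_EVENTS)["responses"]:
        print(action)
```

Note what the ordering buys: the block and isolate actions are produced in the loop iteration that sees the triggering event, before anything is appended to the store, so a slow or unavailable database delays reporting but not response. The threshold rule firing only at exactly the threshold is the simplest form of the "at what point does an audit event become a security event" decision; a real policy would also reset or escalate as the window moves.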