Case Study: TriGeo

With Splunk we avoided all of the growing pains of 1.0 development.

- Michael Maloof, CTO

The Challenge of Opportunity

Early in 2007, new compliance mandates and evolving security threats presented an opportunity - and a challenge - to TriGeo, a leader in the growing security information and event management (SIEM) market. TriGeo saw the value of adding extended retention times, improved alerting, and ad hoc analysis over 100% of raw log data to its product - for the entire range of SIEM customers, not just large enterprises.

The time to move on the market was now, but developing these capabilities from scratch would take time.

Yet TriGeo InDepth was delivered in less than 90 days, and would surpass log management offerings from enterprise-class SIEM competitors. Rapidly adopted by the small and midsize enterprise market since its introduction in October of 2007, TriGeo InDepth offers industry-leading remediation features that increase effectiveness, reducing the labor and expertise previously required to use first-generation offerings.

Raising the Stakes

TriGeo was the first successful security information management solution for small and medium size enterprises or departments. A plug-and-play appliance, with tons of proactive features to enforce security policy, TriGeo SIM did the real-time log analysis and event correlation for customers, taking the right actions to defend their networks - without dedicated security personnel to view log events and interpret security alarms. It did so well that by mid-2007 TriGeo had more than 500 customers, and held the Leader position on the Gartner Magic Quadrant. They had broken into territory dominated by more complicated, expensive software suites.

Now, the rising role of compliance in the security information market was creating new requirements to retain and allow for ad hoc investigation and review of raw log data - even within smaller organizations and departments. More midsize companies need to comply with the Payment Card Industry (PCI) standard that applies to anyone processing credit card transactions, and even the smaller government agencies have to comply with FISMA.

Because both of these mandates are explicit about collection, retention and review of audit trails and log data, they began driving smaller organizations to buy appliances exclusively focused on capture, retention and reporting of log data. None were equivalent to TriGeo in its ability to deliver real-time analysis, empower security personnel and enforce security policy. And these appliances were clumsy when it came to performing ad hoc investigations - one of the key reasons to capture and retain raw log data in the first place.

TriGeo saw this as an opportunity to provide a new offering, TriGeo InDepth. The vision was to provide 100% log capture and retention capabilities - surpassing simple log management with a superior ad hoc investigation capability - fully integrated with the TriGeo SIM solution. With TriGeo SIM and TriGeo InDepth working together, customers would have best-of-breed security, log retention, ad-hoc query, and compliance.

Easier Said than Done

TriGeo's CTO, Michael Maloof, realized the only way to deliver a high-quality user experience navigating huge volumes of raw log data would be to use search technology instead of databases or flat files. His team looked at every possible approach. They considered building it from scratch as well as leveraging open source or commercial document search technologies.

They dismissed the idea of internal development, because providing fast indexed search and managing all that data were outside their core competency, and involved significant engineering challenges. Getting to market with a first generation product would take 18-24 months, and the subsequent maintenance burden would be overwhelming.

Open source document search technologies looked promising at first, but fell far short in searching logs and other IT data. Their orientation toward batch updates to an index of documents, rather than real-time indexing of events navigated by time, caused problems. Despite being big fans of open source, TriGeo's engineers were concerned about relying on community support for such a core piece of their new product offering.

Go to the Search Source

Then Michael found Splunk, the first technology designed to be an IT Search engine from the ground up. It provided exactly the high performance, real-time indexing, ad hoc search and retention capabilities envisioned for InDepth. Plus, it had reporting and alerting capabilities that went beyond what they'd expected from a search platform. At the time, Splunk was already a second-generation solution with more than 340 enterprise and government customers, and a growing user community drawn from 100,000 downloads since its initial introduction in 2005. Best of all, the Splunk software platform was developer and partner friendly, with a small footprint and open APIs for rapid development of new applications.

Michael and his team immediately began to evaluate Splunk, and explore licensing options. With easy access to education, support and documentation they had Splunk working in their lab environment right away, and a working integrated prototype within just a few weeks.

TriGeo InDepth Launched in Ninety Days

The Splunk-fueled prototype of TriGeo InDepth was demoed at a trade show one month after work started, and was released just 90 days from project start.

InDepth was well received by customers and analysts. Two months before the first shipment a government agency purchased the first unit based on the prototype. Since then the InDepth appliance has been sold to dozens more government and commercial customers. Industry analysts view InDepth as a cornerstone of TriGeo's continued visionary leadership of the next generation of SIEM.


InDepth is a standalone appliance built on the Splunk platform. Working together with the original TriGeo SIM appliance, it leverages the existing event collection that enriches the raw data with TriGeo's normalized fields. It utilizes TriGeo's proprietary agent technology to collect events in real-time, encrypt and compress the data and guarantee delivery via TCP to the Splunk application, which does dense indexing of the raw data and TriGeo metadata.

TriGeo's engineers took an inventive approach to creating a seamless user experience, moving between existing Java console functionality and new browser-based Splunk capabilities. Users choose an InDepth menu option from within the context of any alert or event of interest. This opens a new module in the console using an embedded Java browser to present Splunk Web, Splunk's browser-based interface, fully in the context of the TriGeo Java application. The browser was modified to eliminate unnecessary buttons, redirect the home button to a Splunk dashboard, and prevent users from visiting arbitrary URLs.

TriGeo also leveraged Splunk's pluggable authentication API to pass through the user's credentials based on a single login to the Java interface. Behind the scenes, TriGeo uses Splunk's web services APIs to manage users based on administrative actions from the main TriGeo Java console.

This design results in a user experience in which the web interface is just another part of the Java console. To complete the experience, Splunk Web has been skinned with TriGeo InDepth branding and some menus and options in the context of the embedded capability were removed.

When the InDepth browser is launched from an event or alarm, details such as host IP and time are passed along in the URL as the starting search, so users immediately see the right events in the context of their issue. From there, they have access to Splunk's full search, navigation and reporting capabilities for rapid investigation and analysis over all relevant data. Threats are assessed as fast as possible and can be contained using TriGeo's integrated active responses to quarantine, block, route and control services, processes, accounts and privileges.
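The context-sensitive launch described above, as an added example that is not TriGeo's or Splunk's code: it builds the starting search from an alert's host IP and time, quoting the value so an attacker-controlled field cannot splice extra terms into the search, and applies the kind of allowlist check a locked-down embedded browser needs before opening a URL. The Splunk Web host, the `/app/search/search` path and the `q` parameter are assumptions, not details from the case study.

```python
import ipaddress
from urllib.parse import quote, urlparse

# Assumed location of the InDepth Splunk Web instance (constructed, not from the case study).
SPLUNK_WEB_BASE = "https://indepth.example.internal:8000"
# Only this host may be opened inside the embedded browser.
ALLOWED_NETLOCS = {"indepth.example.internal:8000"}


def spl_quote(value: str) -> str:
    """Quote a field value for a Splunk search string.

    Backslashes and double quotes are escaped so a hostile value such as
    'x" OR *' cannot close the quoted string and append its own terms.
    """
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_context_search(host_ip: str, event_time: int, window: int = 300) -> str:
    """Build the starting search for an alert: events from the alert's host
    within +/- `window` seconds of the alert's epoch timestamp.

    host_ip is validated as an IP address; anything else raises ValueError
    instead of being spliced into the search.
    """
    ip = ipaddress.ip_address(host_ip)
    earliest, latest = event_time - window, event_time + window
    return f"search host={spl_quote(str(ip))} earliest={earliest} latest={latest}"


def build_context_url(host_ip: str, event_time: int) -> str:
    """Compose the URL handed to the embedded browser. The '/app/search/search'
    path and the 'q' parameter are assumed, not taken from the case study."""
    spl = build_context_search(host_ip, event_time)
    return f"{SPLUNK_WEB_BASE}/app/search/search?q={quote(spl, safe='')}"


def is_allowed_navigation(url: str) -> bool:
    """Allowlist check for the locked-down browser: only https URLs on the
    InDepth host are opened; http, other hosts and javascript: URLs are refused."""
    parts = urlparse(url)
    return parts.scheme == "https" and parts.netloc in ALLOWED_NETLOCS


if __name__ == "__main__":
    url = build_context_url("10.1.2.3", 1193875200)  # constructed alert: host and epoch time
    print(url)
    print("allowed:", is_allowed_navigation(url))
    print("allowed:", is_allowed_navigation("http://evil.example/steal"))
```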

Users can also start by typing any search into the InDepth search box in the Java console. This would be typical when responding to an externally triggered ad hoc investigation request from an auditor, law enforcement or based on a suspicion of unusual activity.


TriGeo has also made extensive use of Splunk's dashboard capabilities to provide the at-a-glance security reporting that IT security managers and auditors require. They have created standard reports that summarize security events by event type, time, host and other factors, and present them as easy-to-understand charts and graphs.

About TriGeo Network Security

TriGeo Network Security delivers enterprise security information and event management (SIEM) designed specifically for the needs of the mid-market. TriGeo SIM is the only real-time SIEM appliance that automatically identifies and responds to network attacks, suspicious behavior and policy violations. This award-winning product combines real-time log analysis, event correlation, USB detection and prevention with powerful active response technology. TriGeo SIM is both a unique network defense technology and an "Audit-Proven" compliance solution that meets the security monitoring and log management requirements imposed by PCI, GLBA, NCUA, FDIC, HIPAA, SOX and more. TriGeo has hundreds of customers across key vertical markets including financial services, health care, government, utility, retail and media/entertainment. TriGeo SIM has won numerous awards including the 2007 SC Magazine Reader Trust Award, 2007 Frost & Sullivan North American Technology Innovation of the Year Award, and the SC Magazine Best Buy of 2006 award for Event Management. The Company is a member of the PCI Security Standards Council and PCI Security Vendor Alliance, and is represented by partners nationwide.
