Tripwire Rides Log Management Gig into SIEM Business
January 27, 2010 Alex Woodie
Tripwire has built its reputation providing configuration assessment, change auditing, and compliance tools to 7,000 customers, including a handful of organizations running i/OS servers, which has been supported since last year. Now, the Oregon company is looking to build on that solid base of log management expertise with today’s launch of Tripwire Log Center, a new security information and event management (SIEM) software product designed to protect customers’ computer systems from attacks by cybercriminals and malicious software.
The recent high-profile attacks on Google, Cisco Systems, Adobe Systems, and others (via an Internet Explorer vulnerability that Microsoft rushed to patch last week) have brought mainstream media attention to the ongoing cyberwar that’s taking place between corporate and government IT systems and computer-savvy criminals from all over the world. It may come as a surprise to some that foreign governments, such as the People’s Republic of China, appear to be conducting cyberwarfare as a proxy for traditional military strength, as a recent Northrop-Grumman report alleges. But for those who were already watching, the latest flap is just another indication that IT shops with something to lose need to take the security of their networks, applications, and data very seriously.
For Tripwire, the heightened state of alert resulting from the Google-China imbroglio provides the perfect backdrop for today’s launch of its new Log Center product, which melds security smarts with Tripwire’s expertise in collecting and managing log data for the purpose of detecting unauthorized changes to configuration settings and achieving regulatory compliance.
Like other products in the SIEM category, Tripwire Log Center is designed to help customers improve their security posture by gathering and correlating security-relevant data in real-time–or as close to that as one can get. Like other SIEM products, Log Center casts a very wide net and collects many types of data about who’s accessing systems and what they are doing. And like other SIEMs, it then applies preconfigured correlation rules against that data to determine if the activity matches any previously noted pattern of attack.
This functionality has been available in SIEM solutions for years. So what gives Tripwire Log Center an edge? Several things, executives say, but it all boils down to scalability, ease of use, and the underlying application and database design.
One of the flaws of existing SIEM solutions is the inability to deal with vast amounts of diverse data in a short amount of time, notes Dwayne Melancon, vice president of strategy at the Portland, Oregon, company. “Customers say ‘We feel like we made a big investment in log tools, but we’re not getting much value out of it because it’s a sea of information and we don’t have time to figure out what it all means,” Melancon says.
Where the SIEM rubber traditionally skids off the road is the capability to match user activity with changes, and to do so within a tactical timeframe, Melancon says. For example, a SIEM system may detect something that appears to be a “dictionary attack,” or an attempt to guess the user ID and password of an authorized user (or an authorized user who’s trying to guess his own password).
One of Tripwire Log Center’s early adopters deals with 9,000 potential dictionary attacks every day, but doesn’t have the time or capability to figure out which ones are legitimate attacks and which ones are simply forgetful users, Melancon says. This is where Tripwire Log Center–with its integration with Tripwire Enterprise, its established configuration and change auditing tool–provides an advantage over traditional SIEM tools, he says.
“Now we’re able to say, ‘Filter out all log-ins with five failed tries, unless it resulted in an unauthorized change on a critical system,'” Melancon says. “We can feed that information together in real time. The software will say, ‘Here are 20 attempts that resulted in unauthorized changes.’ Those are the ones you need to go investigate, because not only did they affect your compliance posture, but they could be security breaches.”
Keeping It Simple
Tripwire would not be the first vendor to attempt to mix the two log disciplines, the first being the management of computer logs for the purpose of proving tight change control and achieving compliance with laws like Sarbanes-Oxley (a mostly batch-oriented process), and the second being the management of computer logs for the purpose of detecting security breaches (a real-time endeavor). Other vendors have tried to mingle the two log disciplines, but have struggled to build a single system that accomplishes the different goals without compromising one or the other.
That is why Tripwire keeps the two systems separate, and only combines the log data when it’s needed.
“If we mingled the data, it would be harder to optimize for query performance and for the processing, especially when you’re talking about normalizing millions or billions of events per day,” Melancon says. “You don’t want anything that’s going to slow you down. That’s why we have the two data stores separate. Each one has a specialized schema for what it does. The mingling of data all happens through APIs.”
Tripwire has also tried to learn from the too-complicated licensing and pricing schemes of traditional SIEM vendors. Instead of charging users based on the number and type of systems they’re pulling data from, which correlation rules they want to run, and how much log data they want to store, Tripwire only charges on how many events per second (EPS) their customers want to filter for potential security breaches. Pricing for Log Center starts at $19,900 for 500 EPS.
Tripwire has high hopes on taking a piece of the fragmented but growing SIEM market. “We spent a lot of time talking with existing customers that may be using other products today. One thing I thought was unique was that, for being such an established market, there are a whole lot of companies that are really willing to look at alternatives. People tend to move toward pleasure or away from pain. There may be some pain there. Because we’re coming in this later, we can hopefully learn from some of the approaches in the past that haven’t been as effective.”
Tripwire Log Center has already been installed at more than 100 Tripwire Enterprise sites, and is being formally introduced to the market today at version 6. The software runs on Windows, Unix, and Linux servers. i/OS shops will need to buy an adapter from a third-party vendor to translate i/OS logs into the XML-based format that Tripwire understands.
For more information, visit www.tripwire.com.
This article was corrected. Pricing for Tripwire Log Center starts at $19,900 per 500 EPS, not 5,000. IT Jungle regrets the error.