Yes, I’m biased, but I think this new interface falls into the category of “functional art.”   The version 5.0 console is the result of the combined efforts of graphic artists, two independent user experience design teams, software architects and engineers, and the most important ingredient - our customers.

TriGeo SIM version 5.0 is truly a reflection of our customer’s commitment and enthusiasm and TriGeo’s dedication to making good things better and great things extraordinary.

While the new console is striking, we recognize that “beauty is only skin deep.”  One of the most important attributes of TriGeo’s new solution is its ability to give new and power users lightning-fast insight into all of the activity that’s happening on their network - and take control when needed.

Every aspect of the interface is designed to inform, engage and empower.

The Operations Center is a great example.  The “coverflow-style” interface is used to preview widgets, and you can simply drag and drop them to your personalized dashboard.  Want to change some property of the widget, like the data analysis scope, number of monitored attributes or even just the color palette?  Just flip the widget over or click on the Widget Builder.

We designed the dashboard widgets to:

• Reflect TriGeo’s real-time focus
• Help users visualize and understand what’s really happening on their network
• Give users powerful interactive tools to refine and examine the data

Directly from the widget, you can drill-down to the alert data – transitioning from high-level data visualization, to event analysis.  Naturally, TriGeo’s “Explore” and “Respond” capabilities are also right at your fingertips giving you the ability to act immediately.

Seeing is believing.  What I’ve described here is just one of many new aspects of TriGeo SIM Version 5.0 – more will follow, but in the meantime we certainly encourage you to register for our twice-weekly demo and take a closer look for yourself.  Alternatively, you can certainly catch us at RSA (booth #817) and Interop (booth #715).

We’re excited to announce the arrival of TriGeo SIM Version 5.0, and you’re all invited to the party!  Sorry, no cake, but if you’ve been hunting for the perfect SIEM solution, we’ve got something you need to see.

You’ll want to check out the press release for some of the product highlights, and stay tuned as we update the blog with details on key features of the new release and reveal more of the “behind the scenes” process of the “making of TriGeo SIM Version 5.0″   Twitter followers and facebook fans - we look forward to your comments as the details roll out.

If you’d like to see the new version for yourself, you can register right now for today’s 12 noon (PST) webinar, or catch any of the twice-weekly “live” demonstrations.  Of course, we have a major presence again this year at both RSA (booth #817) and Interop (booth #715), and look forward to seeing you there.

“Fawkes is a phoenix, Harry. Phoenixes burst into flame when it is time for them to die and are reborn from the ashes. Fascinating creatures, phoenixes. They can carry immensely heavy loads, their tears have healing powers, and they make highly faithful pets.”

We knew that TriGeo SIM Version 5.0 represented a revolutionary new design - one that’s built on nearly a decade of experience, leverages new technologies, incorporates sophisticated design and delivers unique functionality.

Customers loved our original interface. They appreciated its form, function and simplicity, and it’s deployed on literally thousands of desktops - helping IT professionals monitor and proactively defend their networks. We also knew that there was much more that we could offer and we had a tough decision to make…

Do we extend the current design or start fresh?

We opted to invest in a completely new user interface and user experience.

In an economy that’s been characterized as the “worst since the Great Depression,” this was not an easy decision.  We committed millions of dollars and countless hours to designing and building our new console, and it’s just one of many enhancements that make TriGeo SIM Version 5.0 a game-changer in SIEM technology.

With the official release of TriGeo SIM Version 5.0 tomorrow, a phoenix will rise and true to its name; it’s capable of carrying enormous event loads, incorporates network-healing powers and is destined to become a valued and trusted member of IT teams around the world.

Yep, TriGeo SIM turns 5 on February 16th.   The press release for our latest version of TriGeo SIM rolls out on Tuesday morning and will be accompanied by posts on various aspects of the new release, but I wanted to begin simply by saying “Thanks!”

Our new release is much more than an evolutionary step forward, or the simple version number inflation that plagues the software industry.  This version is revolutionary in many ways and that includes the process by which it was built.  Work began more than a year ago when we reached out to customers to form a Customer Advisory Group.  The response to join that team was overwhelming - nearly 200 companies asked to participate within 45 minutes of the email request.  In fact, we took advantage of the tremendous response to create two independent teams of advisors.

We blended the input from our customers with feedback from industry experts, analysts and of course, our own team of software and security architects. We then gradually shaped the vision for TriGeo SIM Version 5.0 – and the road beyond.  We’ve heard great feedback from the customers that deployed the solution during our “early availability” phase, and we’ll share some of those comments with you in the days ahead.

If you’d like to see the new release for yourself, we’re showing it off “live” in our twice-weekly webinars and at RSA (booth #817) and Interop (booth #715).   Sign up for a demo, come see us at the shows and stay tuned as we discuss the features and capabilities that make TriGeo SIM Version 5.0 the leading midmarket SIEM solution.

Nothing quite says “Happy Holidays” like discovering that a family member’s bank account has been hacked.  While I’m not at liberty to provide details, there’s an interesting twist to this bank heist story that I think you’ll find interesting.  In fact, I’m hoping that some of you (considering that many of TriGeo’s customers are banks) might be willing and able to comment - perhaps from personal experience, or with regard to your bank’s policy.

Our story begins with the familiar discovery that funds are missing. Since a home PC and on-line banking are involved, it’s natural to suspect the PC was compromised.  Everyone believes that some malware found its way to an unprotected system, spotted the on-line banking activity, captured the credentials and dutifully transmitted them or awaited further instructions from whoever had control of this machine.

What’s interesting about this case is that the bank has asked for the hard drive of the compromised PC.

What would you do?  What advice would you offer to the owner of this PC?

My initial advice was to quarantine the machine - get it off the internet to cut any command and control linkage, and assess the damage.  I characterized the incident as a “break in” and now it’s time to inventory what’s missing.   Just because it seems likely that banking credentials had been compromised, that didn’t mean they were the only thing of value that was stolen.

Had the computer been used to manage a stock portfolio, buy presents on Amazon, pay bills, update a Facebook account or store personal records?

Source data, like browser history, would be a good place to start, but essentially this person’s on-line identity needed a thorough scrubbing to minimize further damage and potential fraud.   Of course, the PC needs to be scrubbed as well, but that comes later.

With regard to the bank’s request, I felt cooperation with the bank would be reasonable.  I did point out that this is not a forensically sound request.  Certainly nothing on the drive could be considered “evidence” given the break in the chain of custody, but I assumed that the bank would want to identify what malware they were dealing with and perhaps gain some indication of its origin or when it was installed.  I also suggested first cloning the drive so that the owner could retain a copy.

As a generally trusting (perhaps naïve) person, this seemed prudent, but several others involved in the discussion questioned the bank’s motive…

Why did they want the drive?
What assurances did they offer with regard to how personal data would be handled?

Some felt that the bank would use the drive in an attempt to place blame on the individual, perhaps to even avoid covering the losses.  Most agreed that the real drive should remain with the owner and the clone should be handed to the bank.  Others were concerned that there was no apparent law enforcement involvement, and encouraged the individual to report to one or more agencies (depending on the jurisdiction and the size of the loss).

Fortunately, I’m not personally involved in this case, but unfortunately that means we’ll likely never know how this turns out.  Still, it raises some interesting questions about cooperation, responsibility, negligence and liability.

Imagine you’re the victim in this case, and the bank asked for your drive.
What would you do?

You don’t need to look far to find examples of “compliant” companies that were insecure, and are paying for that mistake with real dollars and public embarrassment.  Are these companies the poster children for the failure of PCI and compliance initiatives, or a wakeup call to corporate management? Probably both.  As with most things in life, the devil is in the details.  Corman is right to warn us that there are very real, highly organized, threats and the focus on compliance has become a distraction for many organizations.

As a proponent of self-reliance and personal responsibility, I would certainly prefer that everyone just “do the right thing.”  But when it comes to network security, the fact is that many organizations have no idea what ‘the right thing’ is or don’t have the budget for experienced personnel, or training to fill infrastructure holes.  Compliance initiatives did expand budgets and created the potential for increased security, but in the process they set management and board-level focus on the wrong objective.  It’s been said many times before, but it’s worth repeating: Compliant is Not Secure.

Last July, I had the opportunity to discuss this topic with Brian Prince of eWeek.  The article’s a good read and is absolutely relevant to this discussion.

The 451 Group’s take on this issue is thought provoking.  We can debate how we got here, but I think the question now is where do we go from here?  How do we shift the focus from compliance to security?

As a vendor in this space, we continue to ask ourselves what guidance and solutions can we offer to the ten’s of thousands of midmarket businesses that are sitting squarely in the crosshairs of the next wave of attacks?  It’s that very question that keeps me going day in and day out.

So what is Ilomo?

Ilomo is essentially an “old” botnet Trojan dating back to 2007, which primarily targets the banking industry via a two-pronged attack:

• Step 1: it lures unsuspecting users to a seemingly benign website.

• Step 2: it harvests user login credentials and uses them to inject itself into the browser code and assimilate the user’s machine into a borg by downloading miscellaneous malware.

• The end result: your machine becomes a zombie that has a new master. And its new master is set on sabotaging your network’s security from the inside out.

The perpetrators behind Ilomo are motivated by money. By targeting banking sites, they are able to use the information that they harvest to easily steal funds from online bankers. And, to make matters worse, Ilomo is also designed to keep an eye out for domain administrator credentials (the keys to the castle) making it even more of threat. If Ilomo captures the credentials of a privileged account on the network, it can use PsExec (part of the PsTools suite) to login to all other machines on the network, and invite them to join in on the fun…

The good news: Since Ilomo has been around for a while, virtually all major antivirus vendors have reliable signatures for detecting it.

The bad news: Every business has those one or two vulnerable machines lurking somewhere in the dark corners of their network. You know the ones. The machines that have somehow escaped our careful calculation and have painfully out-of-date signature files, no antivirus software running, or even worse, have had the antivirus service disabled by some rogue admin so he can play Elf Bowling…

Ilomo can spread at a rapid rate. If your network becomes infected, TriGeo can help. TriGeo’s correlation and active responses (such as the ability to automatically kill a process like PsExec) will alert you to this activity and stop the spread of the infection. TriGeo can also keep an eye out for unusual login attempts, like the Elf Bowler’s account suddenly trying to login to sensitive servers. In addition, TriGeo can monitor Web traffic and can warn users if a machine visits a known “bad” site associated with the virus.

TriGeo has released several new rules that are specifically designed to monitor and respond to Ilomo-like activity on the network – helping midmarket businesses shut the door on Ilomo and thieves that are trying to access sensitive information.

TriGeo customers can download Ilomo rules for free from the TriGeo Portal, or by clicking here.

As always, if you have any questions, feel free to contact Technical Support.

Key aspects of its many talents include:
· Exploit unpatched hosts vulnerable to MS08-067, usually by scanning port 445
· Spread via infected USB devices
· Shut down key security services, such as Windows Update and Antivirus
· Brute force passwords and gain access to network shares and Peer to Peer networks

While Conficker may use these methods to reach new heights of evil, the methods themselves are not new. As with most viruses and worms, the process for escalating privileges, exploiting hosts, and gaining unauthorized access remains much the same: exploit a weakness, stop the services that may prevent the nefarious deed, and then spread the love via email, network shares, peer to peer communications, or removable devices. This type of malware has a definable and traceable behavior pattern, as do most—and being able to track this activity and respond to it does not depend on knowing exactly what flavor of malware you are dealing with, given the visibility into the network a SIEM can provide. While there is certainly value in the more ‘signature-based’ approach that antivirus and IDS software use, especially when it comes time to actually remove the malware and restore the system, behavior patterns can often prove a far more valuable and flexible method of identifying the attack and stopping it in its tracks before you have a thousand systems to restore.

In the case of the TriGeo SIM, the advanced correlation engine is quite capable of identifying these unusual behavior patterns and taking immediate action to stop them. The key advantage that a SIEM has that a point solution such as antivirus or IDS/IPS does not is the ability to “see” across the entire network. Not just at the file level or just the network level, but rather all devices, from all sides. In this manner TriGeo SIM collects evidence of the effects of an attack at all levels—logon failures at the server level, critical process stops at the host level, and excessive or unusual network traffic at the network and firewall level. This visibility allows a SIEM to correlate behaviors that a single solution would be blind to, and thus be less dependent on signature based response and focused on identifying “bad” behavior of any type. More importantly, TriGeo SIM can instantly respond when this behavior is detected and disable the offending machine(s).

When the worm attempts to gain access to privileged accounts, it will try to brute force these passwords—this activity is immediately and easily detectable by simply having the TriGeo Agent on your core servers, such as your Domain Controllers. When TriGeo’s behavior-based rules (over 500 of which are included out of the box) detect a large number of logon failures in a short period of time, especially to “critical” accounts such as your Admin accounts, they will immediately generate security alerts to notify you of this behavior. In addition, if you choose to do so you can configure the TriGeo Rules to take more proactive actions, such as disabling the NIC of the offending machine or shutting it down, effectively quarantining the box until you are able to investigate further.

The same responses can be used in the event that your antivirus does detect the worm, but is unable to clean it (which happens more frequently than we’d like to think, usually because of out of date virus engines). Having an Agent on your antivirus server will allow TriGeo to collect these events and respond accordingly, even when your Antivirus service is unable to do so.

In addition, having the TriGeo Agent on all of your machines, including your workstations, will give the maximum amount of visibility and control, allowing you detect when the worm attempts to stop critical services (such as antivirus or Windows Update). Since this worm specifically takes advantage of a Windows vulnerability, if the machine is unable to obtain the update then the worm can exploit this vulnerability and gain additional privileges. Ensuring that your critical services are running as expected is only a small part of what TriGeo can do—in addition, the SIM can correlate this data with other behavior patterns, such as the unusual user account activity mentioned above, to detect that malware is loose on the network and take action immediately.

For example, TriGeo’s Worm Behavior rules detect a combination of events such as many failed logon attempts, in conjunction with an increased amount of TCP traffic (resulting from the worm’s attempts to spread itself across the network), and the attempts to stop critical services—if this combination of events is detected on a given source machine, it is immediately deemed suspicious, marked as an Incident, and action can be taken. This type of behavior is typical of almost any malware, not just Conficker, which is the real power of the behavior-based rules approach—TriGeo SIM doesn’t have to know it’s Conficker to know it’s bad news and needs to be stopped. Having visibility across the entire network allows the SIM to intelligently compare the data from all of your reporting devices and extrapolate the unusual activity, especially in the case of a virus or worm, which tends to affect so many different devices on your network.

Last but not least, our USB-Defender technology is also capable of detecting the use of USB mass storage devices and can even immediately detach “unauthorized” devices based on properties like serial number,  user, the machine, or time of day. In this manner, a USB device could be immediately detached before malware would have a chance to take hold, reducing your risk of exposure. Even in the event that you cannot disallow access to all devices, a USB attach event can be correlated with any of the unusual behavior mentioned above, or an alert from the host’s antivirus, and be immediately removed based on these findings.

In short, though a footprint may not look like a boot, that won’t stop your TriGeo SIM from identifying that someone or something has stepped on your precious network resources and stop them in their tracks. No matter what the name, the behavior is key and so is the response that TriGeo SIM can provide.

For more information on Conficker and its behavior patterns, check out the Conficker Working Group website at: http://www.confickerworkinggroup.org/wiki/pmwiki.php/ENT/Enterprise

Other sites of interest include:

https://www.honeynet.org/node/388 and https://www.honeynet.org/node/389

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

http://mtc.sri.com/Conficker/addendumC/

http://www.us-cert.gov/cas/alerts/SA09-088A.html

I’ve been selling to the midmarket for arhummm 20+ years! (My how time flies….) I know these people really well. At conferences like the Gartner MidSize Enterprise Summit and CIO Decisions, I get the pleasure of spending a lot of time with midmarket executives who always voice their frustrations with vendors who simply, “don’t get them.” One executive at a dinner said, “We’re sick to death of companies like XX and XXXXX, who want to shove their enterprise products down our throats.” There was laughter while someone said, “Tell us how you really feel!”

These executives have got “Rodney Dangerfield Syndrome” because they feel that they “get no respect.” We’ve seen it time and time again. The big players announce midmarket initiatives that are worth about as much as the cyberpaper they’re distributed on. They frankly don’t know what or how to sell to the midmarket and are surprised when these initiatives flop.

There seems to be two corporate strategies by enterprise-focused companies that are going after the midmarket.

• They use their current organizational structure to get economies of scale. Sounds reasonable. You’ve already got a support team, a professional services group, and a sales group – just use them for the midmarket too! Wrong! We saw how poorly this worked when Cisco purchased Protego and released Cisco MARS. Customers were calling support in a foreign county and talking to reps that knew nothing about the product. Along those same lines, their sales people tend to run a 12 – 18 month sales cycle with a deal size of $225,000 aren’t the same people who do telesales to the midmarket, where our average deal is $37,000. Simply put, you can’t put people on airplanes to wine and dine prospects over an 18-month sales cycle for a $37K deal. You have to be smart about how you market, sell and support midmarket companies.

• This one is even worse than the first one. You can’t have a product strategy where one size fits all. Taking an enterprise product, renaming it, clipping some of the features and then slapping a different price tag on it is not the same as engineering a product specifically for the needs of midmarket companies. Despite their best efforts, trying to put square pegs in round holes just doesn’t cut it.

I had someone from the business development group at a very large security vendor (competitor) tell me that they, “just couldn’t figure out why they weren’t getting any traction in the midmarket.” I told him it was very simple, “You don’t have a product for them.”

At TriGeo, we’ve been called dogmatic in our commitment to the midmarket. To those that said that, I thank you. The midmarket has always been the most consistent buying segment, even during times of economic uncertainty. In fact, according to Forrester Research the midmarket is predicted to increase its spend a full percentage point over 2008 with the bulk of that spend going to security products. Not a bad target market during an economic downturn.

An executive from a log management vendor told me that everyone thought we were crazy because we were going after the midmarket and that we’d be out of business in no time at all. Now, he says, “We look like geniuses.”

Astute observation or 20/20 hindsight? You tell me.