Tripwire Log Center v6.5
Strengths: A very capable SIEM product that offers a few advanced capabilities.
Weaknesses: Can become expensive, and works best when integrated with the company’s other security products.
Verdict: A SIEM that is more than just a SIEM, but it really shines when incorporated into the company’s expansive security suite.
Summary
Tripwire, a company better known for change management solutions, provides the perfect foundation for SIEM. After all, change management is related to tracking what's going on via logs, agents and other technologies, just like SIEM solutions do. That is not to say that Tripwire is new to the SIEM market, just that the company's Log Center product, which is in v6.5, has a great foundation to work from.
Log Center was created by Tripwire to deal with the intricacies of SIEM, which can differ from change management in several ways. First of all, there is more of an urgency surrounding SIEM. In other words, administrators need to know what is happening now as opposed to later during an audit. Log Center accomplishes that real-time data gathering by looking at log activity, such as Syslog updates, simple network management protocol (SNMP) events and so on, to monitor events that fall out of norms or baselines.
Like other products in the SIEM realm, Log Center is part of a larger product line that unifies compliance and security management. Still, the product can be used on its own purely for SIEM, which is all that many businesses not bound by compliance regulations are looking to do.
Log Center goes a few steps further than the typical SIEM. For example, the product offers a capability called system state intelligence, which is context-aware information that combines the security state of a system with customer-specific notions of priority and risk. That may sound complex, but in practice it proves to be a valuable option, which improves security response.
Log Center is able to do that, and much else, by relying on more than just native OS auditing: it looks deeper into Syslog, SNMP, Windows Management Instrumentation (WMI) and other event sources. The tool then takes that raw data and performs real-time analysis to create baselines, as well as detect anomalies. By comparing the raw data against baselines and applying intelligence via defined rules, the Tripwire product can quickly identify breaches or other security threats and alert the appropriate administrator via email or other mechanisms. That creates the opportunity for a faster response to suspicious events, before they turn into full-blown security breaches.
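As an added illustration of the baseline-then-rules pipeline the paragraph describes (constructed for this review, not Tripwire's code), the sketch below parses syslog lines, counts failed logins per host per 5-minute window, learns each host's normal rate from history, and flags windows that break either the learned baseline or a defined absolute rule. Every host name, address and event in it is made up.

```python
import re
import statistics
from collections import defaultdict

# Constructed toy pipeline (not Tripwire code): parse syslog, count events per
# host and 5-minute window, learn a per-host baseline, then apply two rules.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ (?P<hh>\d\d):(?P<mm>\d\d):\d\d "
                       r"(?P<host>\S+) [\w.-]+(?:\[\d+\])?: (?P<msg>.*)$")

def window_counts(lines, pattern, minutes=5):  # {(host, slot): count}
    counts = defaultdict(int)
    for rec in (m.groupdict() for m in map(SYSLOG_RE.match, lines) if m):
        if re.search(pattern, rec["msg"]):  # unparseable lines are skipped
            slot = (int(rec["hh"]) * 60 + int(rec["mm"])) // minutes
            counts[(rec["host"], slot)] += 1
    return counts

def baseline(history, pattern):  # {host: (mean, stdev)} of per-window counts
    per_host = defaultdict(list)
    for (host, _), n in window_counts(history, pattern).items():
        per_host[host].append(n)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_host.items()}

def detect(history, recent, pattern, sigma=3.0, hard_limit=10):
    base, alerts = baseline(history, pattern), []
    for (host, slot), n in sorted(window_counts(recent, pattern).items()):
        reasons = []
        # Baseline rule; stdev is floored so a flat history does not fire on blips.
        if host in base and n > base[host][0] + sigma * max(base[host][1], 1.0):
            reasons.append("baseline")
        if n >= hard_limit:  # defined rule; also covers hosts with no history yet
            reasons.append("rule")
        if reasons:
            alerts.append((host, slot, n, reasons))
    return alerts
def syslog(ts, host, msg):  # one constructed sample line
    return f"Mar  3 {ts} {host} sshd[1201]: {msg}"

FAIL = "Failed password for root from 203.0.113.9 port 50122 ssh2"
HISTORY = [syslog(t, "web01", FAIL) for t in (  # per-window counts 2, 3, 2, 3
    "09:00:10", "09:00:40", "09:05:05", "09:06:12", "09:07:59",
    "09:10:01", "09:11:30", "09:15:20", "09:16:00", "09:19:59")]
RECENT = [syslog(f"10:00:{s:02d}", "web01", FAIL) for s in range(0, 60, 5)] + [
    syslog("10:01:00", "web01", "Accepted publickey for deploy from 198.51.100.7 port 4022 ssh2"),
    syslog("10:02:00", "db01", FAIL),  # host with no baseline yet
    "not a syslog line at all"]

if __name__ == "__main__":
    for host, slot, n, why in detect(HISTORY, RECENT, r"^Failed password"):
        print(f"ALERT {host} window={slot} count={n} via {'+'.join(why)}")
```

The single alert for web01 carries both reasons, while db01's lone failure stays silent because it has no baseline yet and is far below the hard limit.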
The solution uses an intuitive GUI for management and reporting. However, this interface does not hide the product's sophistication and always seems to imply that one should be doing more with the product. It is that information overload that can prove both beneficial and detrimental at the same time. However, if Log Center is integrated into Tripwire's unified security products, the GUI makes a lot more sense and provides drilled-down, resolution-enforcing capabilities that many administrators are looking for with a unified security product.
Installation of the solution is relatively straightforward and wizards are there to help. There are some steep prerequisites though, including the need for an SQL engine of some type and a 64-bit version of Windows Server. However, those requirements do lay out the foundation for installing the rest of the company's suite of products without having to restart from scratch.