David Spark here reporting for Tripwire at the 2010 RSA Conference in San Francisco.
Tripwire’s edge over competitors in the log management space is its ability to see the connections between log events and changes on your network. The man responsible for integrating that critical feature is Robert DiFalco, Tripwire’s CTO. During our interview, DiFalco explained what integrating events and changes means by way of an example.
A common occurrence with a SIEM tool is to see brute force logins, where someone attempts five or six times to access your system and then gets in. The problem is that some organizations have 80 to 90 thousand brute force logins every single week. It’s simply not possible to look at all those events. By attaching change information to those logins, you get another level of understanding: if there is a change event connected to a brute force login, then that’s something you have to concern yourself with. Not only does Tripwire tell you there’s been a change to a file, but you can drill in deeper to see what changes were actually made to the file.
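The correlation DiFalco describes can be sketched as a simple two-stage filter: flag successful logins preceded by a burst of failures, then keep only those followed by a file change on the same host. The following is an added example written for this page, not Tripwire’s code; the log lines, thresholds and time windows are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not from the article): host1 shows five failed
# logins, a success, then a file change; host2 shows the same login pattern
# but no change after it, so only host1 should survive the correlation.
AUTH_LOG = """\
2010-03-02T10:00:01 host1 sshd: Failed password for admin from 203.0.113.5
2010-03-02T10:00:03 host1 sshd: Failed password for admin from 203.0.113.5
2010-03-02T10:00:05 host1 sshd: Failed password for admin from 203.0.113.5
2010-03-02T10:00:07 host1 sshd: Failed password for admin from 203.0.113.5
2010-03-02T10:00:09 host1 sshd: Failed password for admin from 203.0.113.5
2010-03-02T10:00:12 host1 sshd: Accepted password for admin from 203.0.113.5
2010-03-02T11:30:01 host2 sshd: Failed password for root from 198.51.100.9
2010-03-02T11:30:02 host2 sshd: Failed password for root from 198.51.100.9
2010-03-02T11:30:03 host2 sshd: Failed password for root from 198.51.100.9
2010-03-02T11:30:04 host2 sshd: Failed password for root from 198.51.100.9
2010-03-02T11:30:05 host2 sshd: Failed password for root from 198.51.100.9
2010-03-02T11:30:08 host2 sshd: Accepted password for root from 198.51.100.9
"""
CHANGE_LOG = """\
2010-03-02T09:00:00 host2 MODIFIED /var/log/app.log
2010-03-02T10:03:40 host1 MODIFIED /etc/passwd
"""
AUTH_RE = re.compile(r"(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)")
CHANGE_RE = re.compile(r"(\S+) (\S+) (\S+) (\S+)")  # ts host action path

def parse(text, regex):
    """Turn log text into tuples, with the timestamp parsed as a datetime."""
    rows = [regex.match(l).groups() for l in text.splitlines() if l.strip()]
    return [(datetime.fromisoformat(r[0]),) + r[1:] for r in rows]

def brute_force_logins(auth, threshold=5, window=timedelta(minutes=10)):
    """Successful logins preceded by >= threshold failures for the same host, user and source."""
    hits = []
    for ts, host, outcome, user, src in auth:
        if outcome != "Accepted":
            continue
        fails = sum(1 for t, h, o, u, s in auth
                    if o == "Failed" and (h, u, s) == (host, user, src) and ts - window <= t < ts)
        if fails >= threshold:
            hits.append((ts, host, user, src))
    return hits

def with_changes(logins, changes, window=timedelta(minutes=15)):
    """Keep only brute-force logins followed by a file change on the same host within the window."""
    out = []
    for ts, host, user, src in logins:
        paths = [p for ct, h, _, p in changes if h == host and ts <= ct <= ts + window]
        if paths:
            out.append((host, user, src, paths))
    return out
```

Both hosts trip the brute-force rule, but only host1 has a change event in the window after the login, which is the one worth an analyst’s time.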
Check out more of Tripwire’s coverage from the 2010 RSA Conference in San Francisco.