A brief case study of California Casualty's decision to ditch its Cisco MARS security box in favor of a less expensive and more comprehensive product from AccelOps.
When California Casualty recently replaced its Cisco MARS security box, the property and casualty insurance company not only swapped out the hardware appliance for a software-based virtual one, but also ended up phasing out other tools it found to be no longer necessary.
California Casualty ditched the Cisco Security Monitoring, Analysis and Response System (MARS), a security information and event management (SIEM) appliance, mainly because Cisco wanted the company to scrap the device and start over again with a brand-new one. The insurance company, which still uses Cisco firewalls and intrusion-detection products, wanted to upgrade its existing box, as starting from scratch proved more expensive than was acceptable.
"Our existing MARS installation was an older box that had reached end of life," says Skip Moon, assistant vice president, network development and engineering at San Mateo-based California Casualty, which has about 700 employees, two data centers and three call centers. "Cisco wouldn't do [a simple software] upgrade and wanted a whole new start-from-scratch license. We realized we had to do something."
Other Cisco MARS customers, such as Bank of the West, have been seeking alternatives in light of Cisco's decision late last year to end support for new third-party devices.
California Casualty wound up evaluating what was available in the SIEM market, though it came upon AccelOps only because it was also looking for a configuration management database. AccelOps, it turned out, could fill the security event monitoring role while also collecting detail about the infrastructure, polling devices and receiving syslog and NetFlow data to generate security-related reports and alerts.
"We're running it on VMware, and it does take some resources, it's not insignificant," Moon says. AccelOps has been integrated into the company's data centers, though it hasn't required a dedicated server, he says.
Another interesting thing about AccelOps is that the company's CEO and co-founder, Imin Lee, had previously started a company called Protego Networks that Cisco bought for its SIEM technology -- the technology at the heart of Cisco's MARS line.
California Casualty says that the AccelOps product costs considerably less than the MARS appliance, but that the main advantage is that after a few months of use, the virtual appliance "takes half the time of an engineer than MARS," Moon says.
AccelOps is collecting all the configuration information about California Casualty's infrastructure, providing a wide array of actionable information.
"If someone's user account is locked out, for instance, AccelOps can tell us about it right away, who it is, where they are in the network, and we can call them because maybe somebody is trying to use their account," Moon says.
In fact, AccelOps has wide enough functionality that California Casualty decided to stop using a few monitoring tools, including CA Spectrum for availability and performance monitoring, because they seemed redundant. "We picked it to replace a Cisco MARS installation for security management, but it's also monitoring the network and the devices for availability," Moon says.