The most valuable feature is its simplicity.
It is quick to integrate with transaction systems.
The most valuable feature is the integrity.
If a file's configuration has been modified, this solution calculates a hash code of the file. This means that if someone has changed the file, the solution will recalculate the hash and the admin receives a notice, by email or alert, that someone has modified, added, or deleted a line.
Not just files, but others like table metadata, network device configs, etc.
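The mechanism the reviewer describes above (hash every watched file, recompute later, and report what was modified, added or deleted, down to the changed lines) is easy to reproduce in a few lines. The block below is an added example written for this page, not code from the product being reviewed; it assumes SHA-256 as the digest, uses a throwaway directory with constructed sample files, and leaves the actual email/alert delivery to the caller.

```python
import hashlib
import tempfile
from collections import Counter
from pathlib import Path


def hash_file(path: Path, algo: str = "sha256") -> str:
    """Hex digest of a file, read in chunks so large files do not load into memory."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Record a digest for every regular file under `root`, keyed by relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify each path as added, removed or modified relative to the stored baseline."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def line_changes(old_text: str, new_text: str) -> dict[str, list[str]]:
    """Which lines appeared or disappeared between two versions (multiset difference,
    so a line duplicated twice shows up as one added line)."""
    old_lines, new_lines = Counter(old_text.splitlines()), Counter(new_text.splitlines())
    return {
        "added": sorted((new_lines - old_lines).elements()),
        "deleted": sorted((old_lines - new_lines).elements()),
    }


def format_alert(report: dict) -> str:
    """Plain-text notice an admin would receive; hook your mailer/SIEM here."""
    parts = [f"{kind}: {', '.join(paths) or 'none'}" for kind, paths in report.items()
             if kind in ("added", "removed", "modified")]
    return "File integrity alert | " + " | ".join(parts)


def demo() -> dict:
    """Simulate a baseline, some tampering, and a re-scan; returns the report for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample config files (not from any real host).
        original_sshd = "PermitRootLogin no\nPasswordAuthentication no\n"
        (root / "sshd_config").write_text(original_sshd)
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "old.conf").write_text("legacy=1\n")
        baseline = build_baseline(root)

        # Simulated tampering: one line changed, one file dropped in, one file deleted.
        tampered_sshd = "PermitRootLogin yes\nPasswordAuthentication no\n"
        (root / "sshd_config").write_text(tampered_sshd)
        (root / "authorized_keys").write_text("ssh-ed25519 AAAAC3... intruder\n")
        (root / "old.conf").unlink()

        report = compare(baseline, build_baseline(root))
        # For modified files we still have the old text here; a real deployment would
        # keep a copy (or a line-level digest) alongside the baseline to do this.
        report["sshd_config_lines"] = line_changes(original_sshd, tampered_sshd)
        report["alert"] = format_alert(report)
        return report


if __name__ == "__main__":
    print(demo()["alert"])
```

The baseline dictionary is the trust anchor: store it somewhere the monitored host cannot rewrite (or sign it), otherwise an attacker who changes a file can simply refresh the stored hash as well.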
Splunk is a very powerful platform. It's a machine data platform, and it can provide several models that run on the same appliance and the same platform, including some business platforms. I do believe that when it comes to functionality and ease of use, Splunk is one of the market leaders in this area.
When it comes to quality, I believe Splunk is the easiest platform on the market. It has a lot of subscriptions and a lot of licenses, which can provide the customer with all the requirements they need.
The solution has some predefined use cases that we count on. It's a customizable platform as well, which can be easily customized based on the customer's requirements and the environment itself.
It provides ease of use. It's straightforward in terms of configuration and troubleshooting and log management and monitoring as well. These are the edge points in addition to it being a modular solution where you can capitalize on your current licenses with extra licensing models, which can match the customer's business requirements. It can help the customer to design or to actually plan their own roadmap. And it can be rolled out in several phases.
It's a component that is easy to configure and easy to use. They have familiar and friendly dashboards for the users. You can make a lot of dashboards if you want to integrate with it. If you have the basic skills and basic code, you can just create more use cases. You can also have alert systems. You have a lot of different alerts that you can use. You can integrate with all the applications and scripts, like with Kaspersky. We integrate multiple applications with this product.
Splunk has features that no other solutions have. We work in organizations that have a big volume of data. Our primary use case of this solution is for indexing. The best solution that we found that could fit our needs was Splunk.
The solution offers good searching and allows for easy creation of dashboards and reports. It's intuitive and not very difficult. You just need to learn the SPL, Search Processing Language, in Splunk. This also helps you to clear more advanced use cases.
Integration is very easy as well. It's quite good. If you want to add more devices and solutions, or other technologies for monitoring, it's easily done in Splunk, with all its firewalls, its switches, and network devices.
The automation is very good.
The product is at the forefront of auto-remediation networking. It's great.
The pricing of the solution is very reasonable.
It's intuitive and has a user-friendly interface. It's also flexible. We can put files and web links in this solution through other windows.
The most valuable feature is that the user can customize images of virtual machines in the sandbox functionality. The other vendors only use images that were created by the vendor, not by the customer, end-user or partner. This helps to detect advanced threats and attacks. It helps to clone the internal IT structure of some companies. So you could clone the computer of the director or the financial department and place it in the sandbox. The bad guys who are looking for a way to get into your organization, when they get to a computer, think that it's a real computer. They see software or something connected with finance and they think that this is a real computer and not a laboratory or a sandbox, so they run the bad script and think that they're stealing some important information or encrypting some important information. Antivirus solutions can stop attacks when they know how these attacks play out. If we don't know how the attack is going to go, we can't identify it. It customizes the images, and Trend Micro helps to identify these unknown attacks.
Different parts of the organization can quickly receive information about the bad scripts. It helps to protect the organization's infrastructure from these attacks.
Generally speaking, it just gives us a broad understanding of exactly what kind of threats occur. The submission point, analyzing point, and virtualization are within the environment that it supports. It helped us to improve our security levels and protect our internal network from any threats outside.
The HTML file sandboxing is very good.
Their technical support is very good and extremely responsive.
The solution, overall, offers very good features.
The most valuable features are the protection and that it is fast.
Trend Micro is a good solution and our clients are happy with it.
I like the sales operations testing and support.
The ecosystem is good, it's the best. It's also simple to manage.
The most valuable features are monitoring for advanced persistent threats, the system running in a sandbox allowing for effective zero-day exploit management, and the Inspector having a built-in sandbox.
The most valuable feature for us is the ease of use. We don't have to go crazy trying to figure out how to do something. It allows you to make changes, set things up, and turn on things for a customer without having to go through 37 different menus, read the manual, and try to remember it. It's pretty straightforward. That's what attracted us to it in the beginning. While we can work with complicated systems, most of our customers don't need them, and then we end up just spending more time setting up the solution than we really need to. It's more productive, the customer saves money, and at the same time we make more money off of it. I can set up a whole firewall solution in 30 minutes and that's valuable to me.
We have been very happy with the security features. We find that the keyword filtering is great. Also, the antivirus filtering is excellent. One thing we always tell our customers is that we have never had a client using Kerio Control and the antivirus tools that we suggest who has been infected with any type of ransomware. We have customers who have had ransomware, but they were all ones who chose not to go with Kerio Control. That's always just been a very simple, easy, and powerful fact that we can explain to people, "We've never had a customer who has used this firewall along with our recommended antivirus and had a ransomware infection."
It is very comprehensive. It has all the active protections. It's updated regularly. We love that you can set how often threat definitions are updated so you can work out what is right for the site. A large company with a lot of bandwidth can update the virus definitions and security definitions hourly, if they want. For a smaller site that's remote, where maybe updating the definitions will eat into the bandwidth, we can schedule those to go later at night. It's very flexible and works for us in all types of situations. This is great because then we don't have to learn seven different products to be able to work with seven different scenarios.
We've been very happy with the solution's firewall and intrusion detection features. The company has been pretty good when it comes to maintaining it and closing out security holes. For example, when there was a security bug found in the encryption in the VPN, they were very quick about reacting to that and coming out with new VPN client encryption. At the same time, they made sure that for those cases where maybe you couldn't upgrade right away, there was a bit of overlap of backward compatibility so you weren't like, "Oh geez. I have to do everybody at once."
We love the VPN feature. That is one of our favorite things. The free client that they have makes it so easy to attach computers to the company network and we can usually set somebody up in like five minutes or so. It's real simple for the users because of the way that it presents the information you don't have all types of weird keys and stuff that users have to remember or write down, which is great because a key lost on a piece of paper is just as bad as a key found by a hacker. So, the computer memorizes it all, stores it, and makes it real simple with a push button to either connect, disconnect, or keep the connection persistent, which we love because then for a company-owned computer it stays connected from the moment the user logs in to logs out. Then, we can actually sync the user's VPN credentials to their Active Directory account and that is really helpful, because if a user leaves, disabling their Active Directory credential also disables their VPN credentials automatically and now when an employee is no longer with the company we don't have to worry about going to a separate system and shutting that VPN down until we can get our hands physically back on the laptop. We don't have security risks hanging out there.
MyKerio is a really neat tool where there's one central website that I can go and see every Kerio firewall that we manage. I don't have to go find specific logins for every firewall because I log into the MyKerio site with my master credentials, and it has two-factor authentication to make sure it's secure. Once I'm in, I can choose any of the Kerio firewalls that we manage: Kerio firewalls, Kerio Operator Phone Systems, or their Kerio Connect mail product. I can find any of them and quickly attach to it, then help the customer. It makes it real nice instead of having to chase down a list of IP addresses and passwords. As a managed service provider, it's nice because if a tech leaves, then I can cut them out of all our customers by simply closing their MyKerio account since they never actually had a direct login to the firewall itself.
The interface control manager where we can allocate LAN connections to certain VLANs is the most valuable feature. The other feature that's important for us is because everything is remote with MyKerio, as long as the boat has an internet connection, we can log onto the Kerio and get statistics, as well as provide support.
It's important because, unlike a company that has an IT person on-site, these are yachts; they have a boat crew that is not necessarily "IT," so they rely upon us to provide them with their IT services. This is a platform that allows us to control and troubleshoot as necessary.
I would say about 95% to 97% of all of our support is managed remotely because of the nature of superyachts, where they're located, and the importance of the people that own them.
I have not run into any issues or complaints with regard to the firewall and intrusion detection features. I find that in this industry, the fact that those are services that are included is important. But I can't speak to the operability of it.
Because I interface the most with the boats and the crews, I've never run into an issue with the comprehensiveness of the security features.
In terms of the ease of use, if you took 15 different network professionals and told them to configure a Kerio Control, you would get 15 different configurations. Having said that, within our specific business segment, we have learned the configuration that works best for us and works best for our customers. The way that we have set it up is to not put the onus on the boat to make any changes, but if they need to make any changes they allow us to go in there and make changes.
From my experience, I don't necessarily do the configuration on them, but I do manage them. If there's a boat that has a problem, I'm the first phone call. Most of the time I can figure it out, but what we provide as a service is that we refer to it as a virtual ETO which is an electronics and technology officer. That would be an actual IT person, but for the most part, we just encourage our customers to defer their technical queries to us and allow us to manage it for them.
It has saved time for the members of our team who manage security based on how they're using it. It has saved time in the sense that they have an integrated security solution. I think the maritime industry is moving towards a standardized security initiative because the problem is that everything within the maritime industry is based on international, not national, standards. So where and how Kerio Control will fit into that is undetermined because the IMO, the International Maritime Organization, has not yet determined what those standards are going to be. It's still a work in progress.
It has a VPN back to our data center, but I don't think it has increased the number of VPN clients extended to those outside our environment.
The most valuable feature is the VPN. It enables us to do remote work.
I use the geo IP filtering a lot.
We also like the security. We can control what sites users can go to and we can make sure that where they're going is appropriate and that it's work-related.
The routing of the multiple Internet physical routers I have is the most valuable feature of this solution. Instead of me physically unplugging a cable from one router to the server, if one connection goes down, it automatically switches for me. So I can have all three of them plugged in. If one goes down, it just picks up the other one automatically. There's no physical cable swapping.
In terms of ease of use, it's pretty easy. It took some playing around for me to understand some of it, but I'd say if you understand what it is you're after, and how that works, then this is pretty easy.
We use the firewall. It's fine, a bit tough. I need to test it against others. I'd rather use the Kerio firewall than the Windows ones.
With the VPN features we can connect all three of our sites together.
The content filtering and VPN features are pretty easy to set up. It's a couple of clicks and it's done, so it's pretty good. I'm pretty happy with it.
I am the only manager who manages the security. It does save me time. In the scenario where one Internet connection goes down, I used to have to run to the server room and unplug a cable, and come back. Now, I don't have to do that at all. It saves me a lot of time, 100%. With the routing, previous to this there are a few things in here that I haven't had the ability to really do how I wanted so I don't have a comparison.
The VPN is a useful feature.
When you go under Status to "active host," you see what all your users are doing. We found that this is the most useful feature.
The security features are quite easy to use. It gives us everything we need in one product.
The solution’s firewall and intrusion detection features are quite good because you can see exactly who is attacking you and who is getting blocked.
The antivirus is good. Since they changed over to a new provider (GFI), we haven't had issues with it.
Most customers are not able to understand the technology behind it. I am always trying to explain it to my customers. When I show my customers the interface of Kerio Control and all the reporting features, along with the security features within the logging, they're very impressed. I have a very good relationship with my customers because this is mostly based on trust. I show them, and if they have doubts, I always say, "Just hire somebody to check my work." For example, a year and a half ago in the travel industry, there were new rules for travel agencies who give out credit cards that they must comply with PCI DSS standards. There were some things that had to be adjusted and Kerio was able to adjust for that. So, it met the demands of the PCI DSS standards.
When one of the employees of my customers was using a VPN client, I set it up so they will always get a message. When the VPN client connects to Kerio Control from the outside, they will get an email, so they know when they are connected and when they are disconnected and what is happening to their network. I can, as an administrator, look in the logging and see what's happening. If I really wanted to manage what is happening over a month, then I could go deeply within Kerio Control and make a text file of the logging. I could then export it to Excel to give the customer an impression of what is happening.
Our customers don't want to worry about their IP. If it's implemented well, Kerio Control is very good product for this.
The VPN is the most valuable feature. We filter out outgoing NAT packets by port. So we locked down incoming and outgoing packets with the Kerio software. It's a lot less money than our FortiGate solutions that we installed, for instance. The value in it is money savings and flexibility.
Kerio is a lot clearer to set up to do particular things, whereas when I do it on a Cisco or a FortiGate I have to go fight with it for a week sometimes to do something I can do in 20 minutes on Kerio.
For the money, the comprehensiveness of the security feature is exceptional. The next level of security is the sandbox and FortiGate charges me $120,000 a year for that sandbox. I don't see that as something that Kerio would ever be adding. The next step is a big, drastic step up in company size. So for medium and small businesses, I think Kerio is about as good as I can get.
It gives us everything we need in one product for our small-size business.
For medium to small businesses, the firewall and intrusion detection features are very well priced and just excellent. The functionality for the amount that we're paying for them is excellent.
The malware and antivirus features are okay. I add stuff on top of Kerio, I have Malwarebytes. So I would give it an okay. Malwarebytes still catches quite a bit that Kerio doesn't.
I used the content filtering a little bit and it works alright. I've got a hundred VPNs at the University of New Mexico. I don't put it anywhere else though, so I don't know. I don't really have any kind of input on that, I suppose.
Their graphical user interface that allows me to open up particular ports to particular internal IPs with one external IP is very flexible and easy to use. It is also much clearer than when I go into my larger systems with two competitors, Cisco and FortiGate.
Kerio enables me to use one external IP address and split it across multiple server solutions based on different port numbers. It saves them money if my customers are creative enough to use those features.
The traffic insight page or the administrative portal is really helpful because you can see all the internet usage down to the point where you can see if it's big files or streams. It gives us a good view of what the internet usage is of users who are coupled to an IP address. That way, if there are problems with, for example, a lot of data usage or problems with the connection, we can narrow it down to a single user or server and address the problem. It's really helpful for diagnostic data.
The content filtering is pretty good for our needs, especially with the global rules you can define. We can define global rules and use them on multiple Kerio Control installations. So we have one place to set all the rules for different customers. That's very good. The rules that it auto-updates and that are automatically available — for example, spam or indecent websites, or whatever else is in the firewall by default — are good.
The VPN works pretty well, especially with the Kerio Control VPN software. Some products don't have their own VPN software and, with Windows, sometimes it's just better to have a piece of software. That's especially true for some of our customers because they only have to open the software and press "Connect." Windows can be a little bit weird when it comes to that, and it breaks connections. You really don't see when Windows loses a connection or if you have to reconnect. The Kerio Control VPN client is pretty good at that.
The most valuable features include
I want to have access to my computer from the outside and Kerio Control plays a role because it has a VPN. This VPN is different from most other VPNs, although they have used a standard version. It is more reliable because it's a smaller group of computers to target for hackers and the like. The VPN works very well. I use it to work remotely very easily and exchange information, both to and from the location where it's deployed, and there have been no problems there.
I have one or two VPN clients, at most, that are active at one time, so it's there if needed when I'm not working at this location. It helps me a lot to have a reliable VPN client. I have no performance issues when working through VPN.
Kerio Control also has some authorizations so I am able to block internet access for certain hours for certain people.
Overall, the security features are adequate. They do what I need. I don't have much experience with anything else, so I can't compare, but they completely solved my problems.
The firewall and intrusion detection features don't hinder me, and I haven't had any attacks, as far as I can see. I want a firewall to be unobtrusive. I don't want to notice it's there. It should just do its work and protect me and not hinder me when doing real work, and that's what it does. It's very good because it shouldn't be noticed, and it's good at not being noticed and doing its work.
Overall, I don't have any problem using Kerio Control. For me, it's very easy, but I've been working in software for some 50 years.
The ease of use in the GUI itself is the most valuable feature. We like the traffic rules so we can control who has access. It's easy to determine the flow of the traffic itself so we don't have to educate on command lines and reading out command-driven output. It's a very easy-to-use interface.
The comprehensiveness of the security features is fairly good. There have been some suggestions that we've made to the GFI team that we would like to see for performance. As our company grows, we need Kerio to grow with us, and so we've suggested some ideas on making the Kerio Control appliance perform better for more users because it can become sluggish under heavy loads.
In terms of security features, Kerio gives us most of what we need. There are some granular items that we would find more useful when we want to stop a particular region from access.
The firewall and intrusion detection features are really good, it just needs a little bit more fine-tuning.
The content filtering and VPN features are great. The VPN client is SSL-based, so no key/cipher matching is required when setting up without information in front of you.
With Kerio Control, one very useful feature is the policy routing. This enables us to, if we have the yacht's network split up into VLANs, give the option of basically pushing different VLANs through different internet connections. This is very flexible. Then the PFM and the Netgate firewalls are also very flexible.
The user interface and the ease of use are pretty good. Everything fits together so nicely.
I really like their general IT.
I like how it's possible for me to block other countries immediately if I see the need to do so.
The initial setup is a breeze.
We have five locations and, for the person who controls it we have it set up in our main office. The ease of access, of being able to change a voice message, it links to that. The person who controls it can approve it and then she just plays it. That's great for when we have to do a holiday message or special events are happening. We love that feature.
I love the VPN that we set up. A few of us have it on our computers so that if we leave, we can still access the stores. And we can work from home if needed. When I sign into that Kerio VPN, it links me like I'm sitting in the store. It puts me in our secure network so that I can sign on to each individual store and I can run numbers. We work through ICS Vision for our stores. We have a corporate plus five stores and it lets me link to all that. If I have to work from home, it's so much faster than the way we used to do it. It saves me a couple hours of each time I use it from home. It also saves me from having to drive in.
It's the overall ease of everything. It seems to have pretty seamless connectivity for linking our stores.
Also, the firewall and intrusion detection features seem to keep people out of our servers. I know it's a little bit of a process to try to link something new into it because the firewall is very secure, but we haven't had any issues with malware attacks on our end so it must be stopping them.
The VPN and security are the most valuable features. In the current climate, with people working more remotely, it is nice to have a solution that is flexible and provides multiple features, such as, being a firewall and VPN.
The antivirus works pretty well.
The most valuable feature is the reliability of VPN capabilities. The VPN has been very reliable and secure. The security has been very good and the VPN connections are reliable in that they stay up. We don't have a lot of problems with downtime and that type of thing.
The comprehensiveness of the security features is extremely good.
Kerio offers everything I need in one product.
The firewall and intrusion detection features are good. We've had some intrusion attempts that were stopped. The firewall has been doing extremely well for attempted hacks, as well as working well with the intrusion protection.
The VPN features are good. They have a solid VPN client, which we found to be extremely good and reliable on various operating systems. Other than that, the VPN has been good.
Kerio is extremely easy to use. They're easy to install and pre-configure. If you have to do any maintenance it's well handled through the system. Remote connection, logging in, and doing changes on the system is extremely well handled.
We do use the failover in our head office. The failover is working extremely well. The last test on that was May of 2020. The failover seems to be working well and the security has been good, so they've felt very confident in having it up and working as it's supposed to be. It's configured as per the instructions and it's working really well.
Kerio has enabled us to double the number of VPN clients extended to those outside of our environment. It started a little bit before the pandemic but just because some of the companies started to work more from home to cut down on costs. But since COVID that's where it shows it's doubled.
The custom firewalling is pretty intuitive. You don't have to sit there and learn a new language or anything like that. You can just block this, open that, allow this, just allow that. With a lot of firewalls nowadays, you have to know a language. You have to sit there at the keyboard and type in special commands, and those commands are not used anywhere, just for that particular brand of firewall. Connecting the two up in two different locations for a tunnel is easy.
The comprehensiveness of the security features that Kerio Control provides us with is good. Before GFI had it, they would have more updates. The updates have been slower, but I like the things that they keep adding like the ability to block by country. I use pretty much every feature.
Kerio Control gives us everything in one solution.
The firewall and intrusion detection features are pretty good. I haven't had an issue that I know of. I hope no one's gotten any. I think it's good.
I also like the malware and antivirus features. It's sitting in front of my email server and the email server has antivirus too. The firewall catches it before the email server even catches it, so they work pretty well.
I like the VPN but I don't use content filtering that much. It works pretty well but a lot of times kids can get around that kind of stuff. I don't have kids that age anymore, so I don't have to worry about it. I don't use the content filtering that much.
Kerio is easy to use. If you don't know tech, you can't just get up and do it. Nothing can be that easy, but you don't have to be a rocket scientist to do it.
The most common feature is the Traffic Rules, so the users can define which network or which users access which internet interface. But bandwidth management and content filtering are also commonly used.
With the Traffic Rules we define all the different sources, such as various user groups or network interfaces for the crew. And we show them that if they want the guests to access 4G internet, this is how they do it. They're defining who gets what, in the Traffic Rules.
If they've only got a single connection, and everyone's sharing it, then they would jump into bandwidth management and prioritize the boss, but also allow the crew a little bit of internet, just to get by, for WhatsApp messages and emails.
Content filtering is to stop malicious content. They don't want people accessing the various categories in the filter. The default is usually pretty good for them, things like BitTorrent, downloads, and sharing, but also the more "adult" parts of the internet.
It gives our customers pretty much everything they need in one product, in terms of security features. It's a firewall, but generally for what they want, it works.
What our customers like about it is that it has a nice interface. It's been around in the yacht sector for a long time. I was introduced to Kerio by the yacht customers. They were saying they want this firewall and I hadn't really heard of it. They're usually comfortable with it because it's a familiar interface.
By default, the firewall stops everything coming in but allows everything going out. For everything we've needed, it's done the job. If we've needed to open something up or block something we've managed to do it.
We also use the VPN quite a lot. We have an NG500 in our data center and we actually create a VPN tunnel between our data center and each of our current customers who have a Kerio. Technically, it's one-way because they don't talk to each other via VPN. All the customers are separate, but as a support company, we can VPN from our laptops to our data center and from there we can access all our customers' networks. That is handy for us because we can log on to their IT switches or their AV equipment to offer support. We also use it for delivering email for some customers, whereby, because they don't always have a guaranteed fixed IP address, we give them one, in a sense. We have a pool of IPs in our data center. All the mail hits their assigned IP address and is sent over the VPN to their email servers on board.
We also have some third-party subcontractors and we can give them access to specific customers. We can give them an account on our firewall and through our own traffic rules we can allow them or deny them access to specific customers and specific parts of that customer's network. Because they're hitting the central point, we don't necessarily want them to access all our customers. The customers themselves don't often have a big, remote-work environment because the crew is either on board or off. But we have seen a small increase in customers wanting to use VPN to access files on board, and during the COVID outbreak some of the ETOs (electronic technical officers) and the technical guys have not actually been able to get to the yacht, physically. So we've set them up with VPN so they can actually continue to do certain work. When we first started using Kerio we never really used VPN. Now, pretty much every Kerio we supply gets on the VPN.
The ease of use of Kerio is very good. Everything's there, once you know where to go or how to find things. One thing we use quite a lot, as well, is the DHCP Server, because we do a lot of work where all our devices need to have static IP addresses. Rather than going around and configuring every box, we do it all through DHCP reservations. It's easier. We've got a record of it. We can manipulate it if we need to change something or change some hardware. It's all easy. Even guys who are not used to using it can pick it up quite quickly.
The learning curve is pretty quick. It helps if someone has a general IT understanding of networking, for certain aspects. What we don't always have on a customer's site is somebody who is familiar with all aspects of the Kerio, such as interfaces, VLANs, and IP subnetting. They don't always understand DHCP, what it is and how it works. They pick it up pretty quickly, but it usually helps if someone has at least some knowledge of IT and networking. Normally, though, we find it's quite a decent balance because they will do what they want to do after a little bit of training. Anything else they'll leave to us or they'll ask us the question, and then we can either do it or go and figure it out and then come back and do it.
The intrusion prevention is good. I like the fact that it's always up, it's always secure, and it never lets us down, never locks up. It just works.
As a firewall, it keeps our public and our private networks separated and also from any intrusions from the outside.
In terms of the comprehensiveness of the security features, it does a great job of laying out what it does. It's fairly easy to edit and research. Some of the features were turned on by our IT company and I was able to easily find other features on my own by searching for videos on the internet. I've been able to block certain websites, content filter, as well as manage some of our bandwidth because we live stream on Sunday. I'm able to dedicate bandwidth for the encoder that goes to the internet. It always has enough bandwidth, no matter how many people are on the network. That's really helpful.
It provides us with everything we need in one product.
Because of the reputation of Kerio as well as all of the great things my IT company recommended, it's easy to trust a company like this for our intrusion prevention and for our security. It's really easily laid out and it just works.
The malware and antivirus features keep themselves updated once it's turned on. You don't really have to worry about anything. It scans all the incoming email and it scans for web traffic. It just works in the background. You don't even know it's there until it finds something.
The VPN feature works great and it's secure as well. I'm impressed with the speed at which it works and how easy it is to access over the VPN.
For a small office, I'm using it for a firewall. This is the most obvious primary use, along with:
I have the hardware appliance on-premise. However, I do use some of the features, like MyKerio cloud, for remote administration and backups. These are hosted on the Kerio site.
The top features are ones that we're not using yet but we soon will be because we've just had broadband upgraded in Australia. We've got something called the National Broadband Network, which is forced onto you, so you have to take it when it arrives. We'll be trying the high availability out soon. We tried that with some load balancing, it didn't quite work as we expected, but I think that was more of a configuration thing rather than a product thing.
The geo-blocking is essential because the partners we deal with are typically either in the US or Australia. We know where our traffic needs to come from and we don't post anything publicly that the general world needs to see. It's just a few discreet services that need to be hosted on this financial trading stuff.
The integration of Active Directory is very good as well. We don't use the VPN service. We use VNC. We get mixed results from the QoS, but that's another good feature. Really, dashboarding, tracking, and monitoring are the most important features for us as well.
We are about to test the high availability and failover protection because one of the issues we have is the device or the Hyper-V host seems to need a regular rebooting, which isn't an issue directly in itself, but it would be nice if it could do that on its own. We can't find a feature to do that. That's the complaint I'd have of that and the HA might solve that problem for us. So we'll give that a go.
Out-of-the-box, the overall comprehensiveness of the security features is pretty good. It's not just a firewall, it's kind of a firewall proxy, reverse proxy, everything out-of-the-box sort of solution. It's pretty comprehensive. I can't imagine wanting anything else, because for me as a consultant, it's not just about protecting the environment. It's also about having something that's commercial-grade because when you go in as a consultant, you need to be exposed to these tools and you need a lab environment to test these tools out. This is as close to a good commercial tool that you could possibly ask for.
In terms of the availability issue, I've considered that there are hardware options as well, which is nice. We're not sure if that will be an improvement over using Hyper-V, but that's to be decided.
Kerio Control is the primary firewall for our corporate network to the outside world. We use an IP transit that connects to an IP transit, so all the internet traffic in and out of the corporate network goes through the Kerio Control firewall. We use Kerio Control VPN Clients for our remote workers to dial into that corporate network with two-factor authentication.
We service all areas of Queensland in Australia and we've got clients from Thursday Island down to the border. We have regional sales guys, agents, and technicians throughout the state that require access to the corporate network for various reasons and that's how they get in. They require access for our call logging system and all that sort of stuff. It's the primary gateway for that. Apart from that, we also run Kerio devices in the field to do point-to-point VPNs.
We've had very few problems with the VPN features. Once we've set it up, it's pretty functionally user-friendly in terms of the firewall functions that we need to open and close ports on. Our users don't have a lot of problems with it. We've had to reboot it occasionally, but nothing extraordinary. Just standard maintenance reboots. Other than that, it just does the job.
We have about 60 users that have access. Concurrently, there are probably only 10 users at any one time. Because of COVID, there's a lot more remote work going on. It would have been busier over that time, but I haven't actually looked at the stats since then. I know that it worked well and we didn't have any issues, which is a nice thing not to have to worry about when there's a lot of other things on your plate.
There are only two of us that would really get in there and reconfigure the firewall. Most of the time we'll run that past TechPath anyway, just to make sure that we're not going to punch a hole. We don't intend to. In terms of checking problems, checking logs, and in terms of people management as well, seeing who's been logged in and who hasn't, it's very easy to get online, get onto the device, and do it from anywhere. It's very easy and flexible to use.
Prior to Kerio, we couldn't uncover that data. Prior to Kerio, we were using a hardware device but it didn't have remote access or any of those features. It was something we had to do on-site and it wasn't very user-friendly. It wasn't something that management could do if they wanted to and yet this one's pretty easy if they had access.
The VPN connection is the feature that we are actually using this solution for, but routing and checking what kinds of sites are being tested or accessed, is also helpful. That can be logged and reviewed to see if everything is going okay. It's for protection of the network behind it.
Kerio Control covers quite a lot, when it comes to security. There are, of course, always things missing in a product that you would like to have, and we have even questioned the vendor to see if they can provide one of the solutions that we would like to have in the product, but that does not seem to be the case at the moment. But for us, it covers almost everything we do with it, which makes it quite a suitable product for us.
The firewall and intrusion detection features are very useful these days because hackers have a lot of tricks that they use to get into a system. With Kerio Control you can see something that's happening. Otherwise, you have to use other tools to see what's happening on the firewalls. Having IPS in it is quite useful for us.
The most valuable features are the
We need these functions. We need to do what we do and then the Kerio is quite intuitive in terms of getting everything set up and managing it after. It has quite a nice UI which is fairly straightforward.
The firewall and intrusion detection features are good. It has blocked certain things. We have a lot of blocked sites that the staff or anyone using it, the public, etc., can't go on. It works for that. I get quite a few messages every now and again, saying that a virus has been detected and I can go in and block the user who's causing the problem.
In addition, content filtering is good. We use that a lot. In terms of the content filtering we use all the basic ones that it already comes with, like phishing sites and peer-to-peer. We only use the VPN a little bit, for admin purposes, to go in and administer the other equipment onsite, like the switches.
The comprehensiveness of the security features Kerio Control provides seems good. And it seems to just work. I don't really get down into the detail of it too much, but I'm happy with what it picks up. We haven't really had any problems.
It is easy to use. We've never really used the wizards that are provided. We had a guy come in and set it all up for us in the first instance and then we built upon it by just using what he already did as a template, to do other things. But it's pretty straightforward.
We also use the failover. We have two internet lines going into it, and it works. We have a loss of connection at the minute because of a problem with BT, our ISP, so it has gone over to another line. It keeps our security going, which is good.
The firewall appliance itself is the most valuable feature.
1. The built-in anti-virus and perimeter security.
2. The VPN feature.
1. The anti-virus and perimeter security functionality minimizes vulnerabilities in our network and better secures our data. This also decreases downtime of devices due to viruses and malware attacks.
2. The VPN functionality has allowed staff to have stable remote connectivity on a secure and encrypted connection. This has improved the ability to get work done smarter and efficiently whilst working remotely (or from home).
The URL filtering is excellent. It ensures our users can't access certain sites.
The multiple categorizations of URLs are quite helpful. For example, if a URL is a social media website, such as facebook.com, it can be classified at a certain risk level - from high to low.
The solution offers credential phishing, which is a helpful feature.
The initial setup is easy.
The solution scales well, according to the firewall.
The stability is very good.
Everything that is available with the firewall is provided to the user.
The application control and vulnerability protection are the most valuable features.
This solution has more than just the threat prevention by itself. It's also a Firewall and many other components.
The most valuable features are the simplicity, transparency, and overall ease of management.
I find the malware protection very handy. The solution has many features that save me time.
The solution offers a feature to show which traffic is the highest on the network, and which traffic is the lowest. There's also a feature that scans incoming and outgoing traffic, and one feature that is able to flag a suspicious IP address. These are all valuable features. With the IP address flag, I was able to see that I was being hacked. The moment there was an interaction between somebody on my network and that IP, the solution was able to flag it, and we were able to protect ourselves.
The dimensions are one of the most valuable features. WildFire is the sandbox solution from Palo Alto. No other sandbox solution can match WildFire.
The most valuable features are that it's:
The feature I found most valuable is the network threat analyzer in the security platform. It also integrates with GTI, or Global Threat Intelligence. Otherwise, I just use the basic features.
I like the monitoring feature where you can see all the traffic.
Overall the solution is very good. It offers great protection and gives us a good overview of what is on the network.
The entire IPS is excellent.
It's pretty good at protecting our endpoints.
The implementation was pretty straightforward.
The solution can scale.
The product is stable.
It's an excellent solution for enterprise-level businesses.
It has a lot of functions, such as firewall. We are administrators, and we create some rules to protect our network. We also monitor the traffic in and out and have disk encryption on-premises. When we detect malware, we scan for the virus on the PC. We can then delete or block the malware.
The signature-based content is very powerful.
I like the fact that we have the ability to write our custom signatures based on McAfee-made signatures.
The malware engines are very powerful. These engines are getting information from the McAfee global intelligence services.
It offers good mobile intelligence services. On the behavioral side, the signatures are very good.
The initial setup is straightforward.
We've found the solution to be quite stable.
The solution is quite easy to set up. You can just do everything online and then do some basic configurations. It's easy.
The solution, in general, is pretty effective.
The product has a good reputation.
The sensors and signatures can be updated.
There's a good dashboard you can drill down into. It helps you easily locate intrusions and the source of attacks.
The most valuable feature is the alerts. The alerts are meaningful. The event rolls up into meaningful and actionable alerts rather than just being noise.
The most valuable part of the product is the whole package. The features included in the Enterprise Immune System are complete and effective. Its detection engine is ridiculously good.
What I like about Darktrace is that you can quickly identify threats. I did a trial where I injected a small malware to see how long it takes for the program to identify it and to see that there is an anomaly. The response was good and it took the program less than a minute to detect it. The fast response time is definitely a plus.
The most valuable aspect of the solution is that you can see all the process mistakes. You can see all the different types of unusual situations that you usually don't see in a traffic solution.
Once installed, it starts picking up and learning the network very well because it's got a powerful AI integrated into it.
The user interface is very intuitive.
The Dynamic Threat Dashboard is very nice, as it lists all of your threats and rates them, and then you can choose whether to investigate further.
This solution has some good features for customization in terms of how you're tagging your network, which basically makes it easier to identify what is actually happening. You can see where the traffic is going, where it is coming from, and that sort of thing.
This solution has some powerful APIs, although we do not use that functionality at the moment.
Its most valuable feature is its ability to identify malicious connected IPs from outside and the attacks that get through to the inside.
The ability to drill right down into an event that has been identified as something of interest, so that you can be assured whether it is a valid event and therefore not suffer from loads of false positives. Once that initial assurance and confidence was there, you could easily rely on the dashboard and minimise the risk of constantly drilling into each and every event, and instead pick the ones with the most risk.
I like the Antigena feature in Darktrace, as it offers immediate response and is helpful.
This product collects more data than your traditional type of software, which is useful for us.
One of the things I like most about Darktrace is the fact that it has AI analytics built into it. That merger allows us to have a look at the way that things are working within our company. The fact that it is self-learning is a benefit that has given me 100% visibility across the cloud, my SaaS (Software as a Service) providers, my Office 365 services, within my data center, and also on-premises.
We are also working with Darktrace on their alpha and beta testing for endpoint security. That is a model that we are thinking about incorporating later.
Another thing I really like is that it is a very simple product to use. It is very logical and it works beautifully.
The most valuable feature in Darktrace is that it gives me a comprehensive, detailed view of my network and whatever is happening inside it. It is a very good tool for me that helps me to remain aware of security vulnerabilities. I know what is happening on my network in real-time and it responds quickly. It is really very useful.
I find it very good in the way that they show the past events, including the attack history. You are able to visualize all of the attack paths and connectivity to see what's happened.
The GUI interface is very good.
They are using the best machine learning and AI at the moment.
It is very easy to work with Darktrace once you know how it works and the type of permissions that you need to get related to the security over a network. The interface is awesome. I'm sure that you have seen Iron Man, and you know Jarvis, the computer of Tony Stark. The interface of Darktrace is very similar, and you can see in 3D, like a hologram, the whole network, traffic, and all the traces inside the network. The interface is awesome, and it provides a lot of information. At least for us, it is very easy to handle this interface, get the reports, and do the interpretation of those reports.
Darktrace also provides mobile monitoring. With an app on your mobile phone, you can view the information live, which is very useful for area directors and field engineers. Darktrace can be also correlated with any type of big data solution, such as Splunk.
The most valuable feature of this solution is that it does not require human intervention to eliminate a threat. It blocks everything automatically.
It is very stable and easy to use.
It is a stable solution.
The primary feature we are using is the artificial intelligence and machine learning functionality for reviewing and predicting network traffic and network attacks. Although we're not yet fully using the product, I like the Antigena feature which is their proactive or reactive feature, depending on the deployed antivirus center. Darktrace is for people who understand network security very well, and who have probably been in that scene for quite some time. If you're inclined towards mathematical machine learning, artificial intelligence, and to some degree, data science, this is definitely a tool for you.
The main valuable feature is that we don't need a lot of analysts. With few analysts, we have all the network monitored, 24/7.
I particularly like Antigena and the analytics around the real-time monitoring of our network. I also like its reporting because it has got a seven-day reporting period within the system. Every time you run the reports, it gives you the data about the previous seven days. I like that because it is in real-time. I enjoy reading those reports and getting a very clear and decisive idea of what's happening on my network on a real-time basis. I like the actual real-time monitoring of spoofing and things like that. I also like the user monitoring as well as the network logging capabilities.
In terms of features, the data or information they collect and unsupervised machine learning are very valuable. Its unsupervised machine learning has reduced our team's effort. Both Darktrace and Vectra work on unsupervised machine learning that learns the behavior or develops a profile on its own, which allows our security team to do some other tasks rather than spending time on Darktrace or Vectra.
Because of unsupervised machine learning, its detection capability is quite good. Along with that, if we utilize the integration feature properly, the automated incident response capability of Darktrace is quite useful.
Darktrace is very flexible.
Overall, I like the system. The product offers us a very good user interface and we've found the network visibility to be very good so far. The solution has one window and shows all networks.
The solution comes in multiple languages, including English and Arabic options.
The solution is stable.
We've found that technical support is helpful and available to assist us if we need them.
The ability to detect activity on the network is very useful to us. Even if it's not necessarily an illegal activity, if it is abnormal activity, it is able to detect it and notify us.
The solution is stable.
The product scales well within a network.
The initial setup is pretty simple.
The solution isn't too expensive.
I have found the most valuable features to be artificial intelligence for cybersecurity, advanced machine learning capabilities, Enterprise Immune System, Antigena Network, and Antigena Email. The way the solution detects the threat over the network before it spreads is very good. It notifies you of what the threat is exactly doing and gives you all the details about the execution of that application that had created the threat over your network.
There is an included library of threat detections, not only locally, but threats being experienced all around the world. It is similar to a database of all the threats and what is done by cybersecurity administrators across the internet. By collecting events and information all around the world makes Darktrace more proactive in dealing with threat notifications and cybersecurity detection. The service is very comprehensive and can cover all security areas.
It has simple tracking capabilities and a graphical interface that can assist you with coding, you do not need to be a guru. The dashboards are user-friendly and you do not need an application to access your work, it is all done through any browser. Additionally, there is a mobile application that is one of the best features because you can see any threats from your phone. There is a playbook that can give you instructions. For example, if you see your network servers are being injected by ransomware you can stop the session and be notified of which person on what computer triggered the threat.
The solution is very professional. Everybody would like to have an application on their phone to be more proactive about security anywhere and this solution delivers.
The ability to roll out the services is an excellent aspect of the solution. They have advanced malware protection for URL filtering. I like working with both of these features.
The most valuable feature of this solution is support for everything in the same box, including IPS, High Availability, etc.
The main features of the Cisco Sourcefire are that it's a next-generation firewall with new features. It has application security, advanced malware protection, URL filtering, encryption, and decryption.
It is also used for email filtration and web application cyber protection.
The deployment model we used was on-premises.
The most valuable feature of this solution is the filtering.
It does well for eliminating email spam.
The GUI is user-friendly.
I like most of Cisco's features, like malware detection and URL filtering.
In general, the features are all great. However, if I need to take hardware for ASA because they need to upgrade to Firepower, we want to create rules. For that, most of the time we go to the command line. Right now Firepower is working really hard on the grid. You can apply all those rules to the grid. Even if you want to monitor the logs, for example, the activity will tell you which particular user has been blocked because of that rule. Firepower's monitoring interface is very good because you can see each and every piece. ASA also had it, but there you needed to type the command and be under the server to see all that stuff. In Firepower, you have the possibility to go directly to the firewall. The way the monitoring is displayed is also very nice. The feature I appreciate most in Firepower is actually the grid. The grid has worked very well.
The functionality they have deployed is also very good. They provide the possibility to have one manager for other firewalls, which is Firepower Management Center. I can manage many other firewalls from Firepower Management Center, by just logging on to the other device. That feature is also very great.
The idea that they implement the malware protection inside the firewall is another great feature. This has the same features and functionality as they had for the IPS device. The way they deploy the AMP is also great because from there we can even go to the packet level, both to the header of the packet, as well as inside the packet, to see if there is any virus there. Right now, the firewall has the possibility to pick up inspection, not only on the header of the packet but off the packet itself. That feature is very great.
There are a lot of features that I really appreciate with Firepower, which is why I advise most of my customers to go with Firepower.
The current solution that we are using is actually a bottleneck for us. It is negatively impacting our performance because it cannot handle our traffic. The SSL offloading did not work and gives us an error regarding resources in terms of memory and CPU.
Other than the performance issue, this product is very good because it prevents many attacks and intrusions. We have seen this from the monitoring logs. Unfortunately, with the issue related to the system slowing down, it cannot be utilized 100%. I would like to be able to use the SSL offloading and the anti-malware features.
The most valuable feature is reliability. This solution is better than Check Point.
The URL filtering is very good and you can create a group for customized URLs.
Cisco SNORT is easy to manage.
It has a huge rate of protection. It has a low level of positives and a huge rate of threat protection. It's easy to deploy and easy to implement. It has an incredible price rate compared to similar solutions. It has a good support channel, technical assistance. It's good.
It's really good to sell as far as a Cisco firewall. It's really good to sell in the complex Cisco project because Cisco's really good for networking and routing. When we are networking, it's easier to sell a security-based firewall. It's a complex product. It's really good. There is syndication between different security products, and in Cisco's case, it's with integration.
The solution is rather easy to use.
The signatures are uploaded and there's a set of recommended ones that we are using, which makes it a lot easier than having to configure individual signatures together.
Cisco Sourcefire SNORT is easy to configure and the reporting is great. It's also very user-friendly.
You can do a lot of feasibility in terms of SSLI configuration which can be enabled.
You can encrypt and decrypt your data through Cisco Sourcefire so that your IPS solution can be effectively utilized.
Users have access to intelligent security automation as one of the features. It can easily automate your event impact assessment and your IPS policy tuning can be done as well as your network behavior analysis. They have introduced this intelligent security automation as part of that and then you can do a real-time contextual awareness. Basically, you can see a correlation of events that are created on your application, user devices, operating systems, or vulnerabilities. All of this real-time data can be captured including on your apps and port scans.
It is quite an intelligent product.
It can look into your north-south traffic in case of IPv6 attacks, DOS attacks, or buffer overflow. They say that it also supports against zero-day threats and items like that. They are up-to-date in terms of their threat protection, anti-bot, antivirus, and all kinds of signatures.
They have something called Firepower, which is advanced threat protection that they offer. It's a new subscription which we use for additional malware protection. It offers blocking capabilities and continuous analysis.
The solution is very stable.
The most valuable feature is the support that we get.
The feature I find most valuable is that the solution doesn't really change from year to year. The basics are there and I have so much experience with it that it's easy to use. I also like the security this solution offers.
The hardware is pretty stable. It's also a very good product performance-wise.
Initially, it wasn't mature like a firewall and there were other leaders, but now they have included almost all the features of next-generation security. Basically, it's a good product to work with.
The product is quite mature. Cisco is well known within the industry.
The solution's most valuable aspect is that it is extremely integrated. The product basically comes with the firewall features including IPS, URL filtering, malware, et cetera. The integrated features are great.
The functionalities of the product are pretty good.
Cisco has always been a premium product. There's a lot of other entry-level solutions. This is more robust.
The solution offers a good mix of features. You can always add more modules as you need to if you need even more features.
I would say that the most valuable thing is probably the Application Visibility and Control which is how it controls the application traffic on the network. I like the IPS (Intrusion Prevention System), the IOS content filtering, and the NAT network translation. I like the way it completely integrates branch offices in our perimeter security.
I think the multi-layered approach is valuable. Just the fact that it covers everything on the LSA (Local Security Authority) right up to layer 7, in-depth packet analysis, and all that. It covers everything we need it to without looking to secondary solutions.
What I have used the most and received the most benefit from is the IPsec technology. It overlays on DMVPN tunnels and being able to secure these object-based tunnels is good because they perform significantly better than traditional IPsec tunnels.
The compatibility is high with many open protocols. We use it for Radiant. We use it for any kind of network access protocols as well.
The solution is very user-friendly and easy to deal with. We find working with both the Command-Line and the Viewer very, very straightforward.
It's quite stable. We find it more stable than other options.
One of the valuable features of the solution is its flexibility and it performs great.
Mostly it's just to monitor the traffic, making sure you have the visibility, that you are able to do the incidence cross path. There are the kinds of reports and visibility, it's very important.
The most valuable feature of this solution is its modularity, so whenever you need to upgrade or add another service, you don't need to buy another box. You can activate these services on the same box, which saves a lot in terms of cost because you don't need additional hardware. Moreover, it makes manageability easier because you don't have to use several different devices.
Cisco operates on an open operating system platform so it gives you the flexibility to add other things. Cisco itself is using different manufacturers, or OEM vendors to integrate with their product. For example, Radware is providing a DDoS solution for the NGIPS box.
The most valuable feature of this solution is the support.
This is a great firewall.
The solution has a moderate amount of difficulty. You need to go over and use the documentation.
Cisco has a device manager now but this device manager is not like all device managers from ASA. It lacks a lot of features, and some of these features are very important. It makes it a challenge to configure because of the graphical interface. You have to install the management center and that itself takes time and it's not so simple.
The solution is very powerful coupled with Firepower. It's great for filtering.
It's signature-based. We are also using the anomaly baseline formation, where it links the network, then anything that goes away from the norm is also flagged. Those are the two most valuable features.
The most valuable feature would be the intrusion prevention for us for security reasons.
The setup is pretty straightforward.
The solution gives us a lot of visibility into our security.
The product is quite stable.
There are pretty good capabilities for scaling.
We are a solution provider and I am an engineer who deploys solutions. This is one of the products that I have experience with in this capacity. The version that we use depends on the client.
Some of our clients are ISPs and they are using the firewall features in this product to replace old firewalls. It is doing the regular firewall inspections, VPN concentration, and other such things. For other customers, who replaced Sourcefire, they use it primarily as an inline IPS and a passive IDS. These customers do not choose very many of the firewall features.
Some customers use it for both; they have a firewall, VPN concentration, and then they do IPS inspection. This is the next-generation of these technologies.
The features that I find most valuable are the DDoS protection, IPS/IDS, and Firepower for web application filtering. These three things are pretty good and each is valuable as per the different needs of my business operations.
We are looking for cybersecurity threats, like Pinterest, and this solution has a good IPS feature as well as its VirtualBox, which helps us to time and for the QD, our daily routine tasks or issues. The solution provides a clear picture of what a user is doing at a specified time.
The most valuable feature for our cloud-based deployment is the autoscaling.
For our on-premises deployment, clustering is the most valuable.
I think their fingerprints are good in terms of how they whitelist and blacklist. This is because of Talos, which is really awesome. We use that a lot.
The anomaly detection capabilities are awesome.
In the virtual deployment, you have a couple of choices depending on your needs and how much bandwidth you have that needs to be inspected. It is quite flexible because it can be deployed on the cloud as well. All the kinks which were in the previous versions were fixed.
The most valuable feature is security.
I have found the filter and the antivirus to be most valuable.
We use the Security Intelligence feature. We also use the Cisco AMP for Networks, which is used with the ITL certificate. You can use third-party integrations with the Firepower, about security. You can use the STIX format. With the STIX, you can add emergency threats to rules. This includes malware detection which has a third-party Security Intelligence platform. Included is reporting for the last seven days, V shell, and phishing tank. Cybercrime tracker is to check if any company or domain has a bad reputation on the internet. And it can give that information to the Firepower. You can use Security Intelligence to protect the network. It has preprocessors about security. They have a preprocessor for the SCADA. Cisco has evolved a lot in that area over the last few years.
Its ease of use and its ability to block and allow ports in and out of our organization are the most valuable features.
It works very well. It gives us all the information that we need.
I believe the IPS is a valuable function, because they update the signatures all the time and it's very granular. This is a good, stable solution and it's always up to date with all the security features.
I work for a system integrator and Cisco NGIPS is one of the products that we implement for our clients. This is a solution for enterprise networks and it has a lot of advanced features including security intelligence feeds and DNS security.
The tracking intelligence feature is very good. This solution provides us with the opportunity to detect threats in real-time.
Just a few days ago one of our customers had a brute force attack detected and prevented and for us, it is very important that we get alarmed beforehand from the included feature WatchGuard Dimension.
It works right out of the box. You just have to enable it and you can start working. I have worked with other firewalls as well. With other solutions, you have to do a lot of tweaking. WatchGuard is pretty simple to use and easy to pick up.
The VPN and the filtering features are the most valuable. Its VPN is very strong, and its services are very nice.
The main problem in India is the service. There are not enough Check Point and Fortinet Firewall services, but for this product, the service is very good.
The solution's IPS functionality and firewall functionality are the solution's most valuable features.
The most valuable feature is ease of use.
Check Point IPS has quite a decent database of attacks.
The reports are well written so that you can understand what type of attack has occurred, the originating IP address, and other details.
The number of IPS protections is amazing - after the latest update, I see more than 11000 in the SmartConsole.
All the protections are tagged and categorized by the vendor/type/product, the severity of the threat, confidence level, and performance impact of the activation, which helps in finding and enabling only the profiles that we really need (e.g. we don't have any Microsoft Windows servers in our environment, so we decided to disable such protections by default).
The protections are updated based on the schedule - we used the default once-a-day approach.
I also like that the new protections may be automatically activated in the "Staging mode", which only detects the possible threat and alerts on it, but doesn't block the actual traffic, thus minimizing the impact of the false positives.
The default category (Low, Medium, High, Critical) is the most valuable feature because we don't know what type of attack will happen, but with this category, we can create a policy to prevent any high and critical severity behavior. With this, we can protect our organization from the exploitation of weaknesses in vulnerable systems.
IPS can protect our organization against any old vulnerabilities, or against any vulnerability that was detected, within a few minutes. IPS can protect us as per our configured policy.
The most valuable feature is that it protects us against hundreds of different attack vectors, like ransomware. The protection is always being triggered. People try to access websites that are categorized as malware, so when the users do a DNS request for the IP of those malware websites, the IPS Blade replaces the real IP of the website that is malware with a bogus IP. The user gets an IP that doesn't exist and when he tries to access, it won't work. This is the protection that triggers the most on our infrastructure. For example, if a user tries to access malware.com, the DNS response gets changed by the IPS Blade to an IP that doesn't exist.
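The DNS rewriting this reviewer describes can be illustrated in a few lines. The block below is an added example, not Check Point's code: it models a DNS answer as a small data structure, matches the queried name against a constructed blocklist on whole labels, and replaces the real answer with a non-routable address while logging the event for the SOC. The blocklist, the sinkhole addresses and the sample responses are all constructed for this illustration.

```python
"""DNS sinkholing of malware-categorized domains (added illustration, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List

SINKHOLE_V4 = "192.0.2.1"   # RFC 5737 TEST-NET-1: documentation range, never routed
SINKHOLE_V6 = "100::1"      # RFC 6666 discard-only prefix

# Constructed blocklist: domains an intelligence feed has categorized as malware.
MALWARE_DOMAINS = {"malware.example", "c2.badactor.test"}


@dataclass
class DnsAnswer:
    name: str
    rtype: str      # "A", "AAAA" or "CNAME"
    data: str


@dataclass
class DnsResponse:
    qname: str
    qtype: str
    answers: List[DnsAnswer] = field(default_factory=list)


def is_blocked(qname: str, blocklist=MALWARE_DOMAINS) -> bool:
    """Match on whole labels: 'www.malware.example' matches, 'notmalware.example' does not."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def sinkhole(resp: DnsResponse, log: List[Dict]) -> DnsResponse:
    """Return the response unchanged, or a rewritten copy that points at the sinkhole.

    Every original answer, including any CNAME chain, is dropped so the client never
    learns the real address; the original data is kept in the log for investigation."""
    if not is_blocked(resp.qname):
        return resp
    bogus = SINKHOLE_V6 if resp.qtype == "AAAA" else SINKHOLE_V4
    log.append({
        "event": "dns_sinkhole",
        "qname": resp.qname,
        "qtype": resp.qtype,
        "original": [a.data for a in resp.answers],
    })
    return DnsResponse(resp.qname, resp.qtype, [DnsAnswer(resp.qname, resp.qtype, bogus)])


def process(responses: List[DnsResponse], log: List[Dict]) -> List[DnsResponse]:
    """Apply the sinkhole policy to a batch of upstream responses."""
    return [sinkhole(r, log) for r in responses]


# Constructed upstream responses: one via a CNAME chain, one benign, one IPv6 lookup.
SAMPLE = [
    DnsResponse("www.malware.example", "A", [
        DnsAnswer("www.malware.example", "CNAME", "cdn.malware.example"),
        DnsAnswer("cdn.malware.example", "A", "198.51.100.23"),
    ]),
    DnsResponse("www.example.com", "A", [DnsAnswer("www.example.com", "A", "203.0.113.7")]),
    DnsResponse("c2.badactor.test", "AAAA", [DnsAnswer("c2.badactor.test", "AAAA", "2001:db8::5")]),
]


def demo():
    """Run the policy over SAMPLE and return (rewritten responses, event log)."""
    log: List[Dict] = []
    return process(SAMPLE, log), log


if __name__ == "__main__":
    out, events = demo()
    for r in out:
        print(r.qname, r.qtype, [a.data for a in r.answers])
    print(len(events), "sinkhole events")
```

The label-wise match matters in practice: a plain string suffix test would also catch unrelated names that merely end in the blocked string, and the log entry keeps the answer that was suppressed so an analyst can see which infrastructure the client was about to reach.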
The most valuable feature is security.
IPS can be enabled on the same security gateway and does not require any additional hardware purchase or additional network connectivity.
It provides complete visibility and reporting on a single dashboard for the entire NG firewall, including the IPS blade on the Smart Console.
Signatures are constantly updated and it also provides virtual patching protection up to a certain extent.
It provides a detect-only mode for IPS Security policy that the admin can enable on a required segment for monitoring, giving an opportunity to observe prior to blocking.
The most valuable features of Check Point IPS are the protection it provides against the various attack vectors out there with ransomware and other malware. Once we had Check Point IPS up and running, which was really quite easy and straightforward to do, we noticed a surprising number of times that it was getting triggered.
It was a little scary thinking back to how vulnerable we were prior to having Check Point IPS in place and simply relying on our users, albeit not that many, to be safe and responsible.
The Check Point IPS module allows me granularity in creating rules. I can specify which definition to apply and to which scope or network.
I can create multiple profiles, which is helpful. Profiles are the set of rules and I can choose which one to apply. Having more profiles and more options, we have not always moved in a guaranteed way with respect to internal traffic, and rigorously with respect to external traffic.
From the outside, we block directly without waiting to look at the logs. If anything, then we will allow this traffic. From the inside, we allow traffic by default and maybe we will block it after looking at the logs.
These decisions were also supported by the degree of reliability declared by Check Point itself. If we are talking about a high degree of reliability combined with a dangerous vulnerability, then you can immediately block traffic with greater confidence in not having false positives.
The logs and related functionality are done very well.
It is very easy to collect and handle data in ExtraHop Reveal(X) Cloud. Integration with Big Data is also easy. Many of our customers integrate it with Big Data platforms like Splunk or Elastic.
It is also easy to handle and easy to understand.
The most valuable feature is the SecOps because they have our back and they help us with the reports. We jump on calls monthly to set goals and roadmaps internally for how we can secure our platform more.
Their SecOps program is absolutely amazing when you do not have a dedicated resource for security. Currently, we have 57 servers with the Threat Stack agent. We have about 70 servers in total. When you get to that point and you're running microservices, there's no good way to have all that data coming in from all those servers and have a system. The Threat Stack agent is providing the data. But even if we have the data, I have no time or expertise to know exactly what to look for in a log and what should alert me. Whereas their SecOps program is experienced, they know what to look for, they can continually adjust and look at the accounts. They can understand our behavior and know that something that doesn't look good is okay or we're allowing it, and then they can filter back those notifications.
It's like having an extension of your team. And then, it grows with you. If I were to hire somebody tomorrow, one security guy is not enough, but that person could directly work with the SecOps program and get up to speed, and then start taking over some of the manual toggles. And then eventually, in a year or however long, we could phase out the SecOps program. Or we could decide, no, we're not going to do that, we're just going to continue to leverage it and not build out an internal security team. The flexibility of it is just amazing.
It gives us the point of where something is happening, which is the key thing for us. (I know that there is a back-end recall, which probably gives a lot more data, but we don't use that.) We then leverage our SIEM product to provide us logs from those specific sources that it's talking about, giving us that information. It is the accuracy of: It is happening here and on this particular host, then it's going to here to this particular host. It's that focus which is probably the most advantageous to us.
The logic behind Vectra's ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation grows with severity, as there are additional alerts around that particular host. This is a useful feature rather than spamming alerts. But, we've never really had an issue with a lot of alerts. We really do triage our alerts quite well and have a good understanding of what does what.
One of the key advantages for us is we define a 24/7 service around it. We use far more of Vectra alerts than we do with our SIEM product because we understand that when we get an alert from Vectra we actually need to do something about it. You can't really say you don't get false positives, as the action has happened. It's whether we consider that action as a concern rather than a SIEM that sort of gives you a bit of an idea of, "That may be something you're interested in." Whereas, Vectra says, "This has happened. Is this something you would consider normal?" I think that's the bit that we like. It just says, "Is this normal behavior or isn't this normal?" Then, it's up to us to define whether that is or isn't, which we like.
The solution provides visibility into behaviors across the full lifecycle of an attack in our network, beyond just the internet gateway, because we do east-west traffic. So, it looks at the entire chain across there. We're fortunate enough not to be in a position that we've seen a meaningful attack. When we do have pen testers come in, we can see quite clearly how they pick traffic up and how it develops from a small or medium alert to go to higher severity, then how it adds all those events together to give more visibility.
The solution does a reasonable job of prioritizing threats and correlating them with compromised host devices. We use that as how we react to it, so we leverage their rating system. We are reasonably comfortable with it. At the end of the day, we actually spend a lot of time and effort to tweak it. It's never going to be right for every company because it depends on what your priorities are within the company, but we do leverage what they provide. If it is a high, we will treat it as a high, and we will have SLAs around that. If it's a low, we'll be less concerned, and the events that come out pretty much lead to that. The events that we see and the type of activity going on, it makes sense why it's a low, medium, or high. Just because a techie has done a port scan, that doesn't mean we need to run around shouting, "Who has done this?"
When we originally put it in, it was really quite interesting to see. Picking up the activities from the admin user and what they were doing, then going, "By the way, why have you done that?" Then looking at a scan and going, "Well, how did you know that?" So, it's sort of cool to pick up that type of stuff. We tend to trust what it tells us.
We mainly use it for the detection types, checking dark IPS or command-and-control traffic.
We bought Recall so we can have more information. Recall is an addition onto Vectra. We haven't enabled Recall yet, but we will. So, if there is an incident, we can investigate it a bit further with Vectra devices before going into other tools and servers. This gives us the metadata for network traffic. So, if we have a detection, we can check with Recall what other traffic we are seeing from that device, if there is anything else. It's mainly a quick and dirty way of looking at it and getting some extra information to see whether it's malicious.
We found that the solution captures network metadata at scale and enriches it with security information. This is one of the reasons why we added Recall, so the alert gives us information on where we need to look, then we can investigate a bit further. For example, a certain device is sending data to command-and-control server, then we can investigate whether that is really happening or just a false alarm with the metadata in Recall. It makes it easier to find out.
One of the most valuable features of the platform is its ability to provide you with aggregated risk scores based on impact and certainty of threats being detected. This is both applied to individual and host detections. This is important because it enables us to use this platform to prioritize the most likely imminent threats. So, it reduces alert fatigue follow ups for security operation center analysts. It also provides us with an ability to prioritize limited resources.
It aggregates information on a host-by-host basis so you can look at individual detections and how they are occurring over time. Then, you can have a look at the host scores too. One of the useful elements of that is it is able to aggregate scores together to give you a realistic view of the current risk that the host plays in your network. It also ages out detections over time. Then, if that host has not been seen doing anything else that fits into suspicious detection, it will reduce its risk score and fall off of the quadrant where you are monitoring critical content for hosts that you're trying to detect.
When you are analyzing and triaging detections and looking for detection patterns, you are able to create filters and triage detections out. Then, in the future, those types of business-as-usual or expected network behaviours don't create false positive triggers which would then impact risk scores.
Without the detection activities that come from Vectra, we wouldn't have been able to identify the true cause of an event's severity by relying on other tools. This would have slipped under the radar or taken a dedicated analyst days to look for it. Whereas, Vectra can aggregate the risk of multiple detections, and we are able to identify and find them within a couple of hours.
The solution's ability to reduce alerts, by rolling up numerous alerts to create a single incident or campaign, helps in that it collapses all the events to a particular host, or a particular detection to a set of hosts. So it doesn't generate too many alerts. By and large, whatever alerts it generates are actionable, and actionable within the day. With the triaging, things are improving more and more because, once we identify and investigate and determine that something is normal, or that it is a misconfiguration and we correct it, in either of these two instances, gradually the number of alerts is dropping. Recently, some new features have been introduced in the newer versions, like the Kerberos ticketing feature. That, obviously, has led to an initial spike in the number of tickets because that feature was not there. It was introduced less than a month back. Otherwise, the tickets have been decreasing, and almost all the tickets that it generates need investigation. It has very rarely been the situation that a ticket has been raised and we found that it was not unique information.
Also, we have seen a lot of detections that are not related to the network. Where we have gained extra value in terms of the internet is during data exfiltration and suspicious domains access.
The detections focus on the host, and the host's score is dependent on how many detections it triggers. We have seen with many of our probing tools, without triaging, that these hosts pretty quickly come into the high-threat quadrant. Its intelligence comes from identifying vulnerable hosts along with the triaging part. That's something that we have seen.
The most valuable features are Cognito Recall and Cognito Detect.
I didn't think Vectra AI actually provided this functionality, but essentially it gives you access, with Recall, to instant visibility into your network through something like a SIEM solution. For us, being able to correlate all of this network data without having to manage it, has provided immediate value. It gives us the ability to really work on the stuff where I and my team have expertise, instead of having to manage a SIEM solution, as that is a whole undertaking in itself. It has expedited all our investigations and hunting activities because it's all there and available, and they manage it.
We use their Privileged Account Analytics for detecting issues with privileged accounts. Given that we're a global company with over 35,000 machines, the machine learning-type of analysis or visibility into baselining behavior in privileged accounts in the environment is something Vectra does amazingly. It's amazing the visibility that I get. Not only is it providing a baseline to understand the behaviors of how IT, for example, is acting globally and in all these different regions, but it also gives me an ability to get much more granular and understand more of the high-risk behaviors, rather than the behaviors that we expect from IT. Usually, malware attackers and normal IT activities look the same. It's about discerning what's outside of baseline, and Vectra does this amazingly, incorporating not only the account privileges but the context of what these accounts are doing on hosts, on top of that.
The solution also provides visibility into behaviors across the full life cycle of an attack, visibility into the attacker kill-chain. I personally do red-team testing and threat hunting and, in addition to the detections which Vectra has already caught, it's been able to outline a full attack from an external red team that came in and tested with us. Not only did it show exactly what they did, but it was even able to provide a profile of the type of behavior that this exhibited, which was an external actor. In my own attacks that I've conducted on the network, it's been able to detect everything and properly align it in a kill-chain fashion. That is extremely helpful in investigations because it helps align the host data a little bit when you have visibility of the network in such a way.
Vectra also triages threats and correlates them with compromised host devices.
The dashboard gives us a scoring system that allows prioritization of detections that need attention. We may not necessarily be so concerned about any single detection type, or event, but when we see any botnet detections or a brute force attack detections, we really want to get on top of those.
I find the network artificial intelligence and machine learning to be most valuable because we have also significantly increased the amount of traffic that we inspect. This has kind of lowered the burden of creating ways to drink from that fire hose of data. The artificial intelligence and machine learning help bubble up to the top things that we should go look at which are real deviations from the norm.
I would assess the solution’s ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation very highly. Rather than relying on signatures and a human to look if, "Host X has hit these four different signatures," which is probably an indicator of a fairly high confidence that something's not right, the analytics, artificial intelligence, and machine learning in this product tie those events together. It also looks for new events that are out of the ordinary, then gathers those together and tells us to look at specific hosts. This is rather than an analyst having to sift through a bunch of signature hits, and say, "Oh, this host needs to be looked at."
Also, there is a much lower operational burden of maintenance. We used to use open source monitoring tools, which are very good, but they take a lot of work to maintain and leverage. We really like the commercial off the shelf type of approach of the software, not brewing our own.
One of the most valuable features is all the correlation that it does using AI and machine learning. An example would be alerting on a host and then alerting on other things, like abnormal behavior, that it has noticed coming from the same host. It's valuable because we're a very lean team. It helps reduce workload on our team daily by performing tasks that we don't have to do manually.
It does a really good job of reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation.
It also does a really good job detecting things. Some things it detects are not really threats, but it is stuff that it should be detecting, even though the behavior, sometimes, isn't malicious.
It gives you a risk score of everything that you just found. The quadrant approach is useful because if there are things in the lower-left quadrant, then we don't necessarily need to look at them immediately. However, if there's something with a high impact and high risk score, then we will want to start looking at that right away. We found this very valuable as part of our investigative analysis approach.
The solution’s ability to reduce alerts by rolling up numerous alerts to create a single campaign for investigation is very good. Once it starts adding multiple detections, those are correlated to a campaign. Then, all of a sudden, this will increase the risk score. I've found that approach helps us with understanding exactly what we need to prioritize. I find it very useful.
The amount of metadata that the Recall solution produces is enormous. What we can find from that metadata is exceptional. Once you get to know how to use the tool, it's much simpler and more intuitive to use when finding information than using a traditional SIEM, where you have to build SQL type commands in order to retrieve data. So, I do find it very valuable.
What is pretty good is the unknown unknowns. It's the anomalies to the norm and the intelligence behind it that helps us to dig through a mountain of data and find the stuff that's important to us.
It allows us to understand what our normal traffic is, then pulls out the anomalies for us. For instance, a recent use case of it would be that it suddenly picked up that a file transfer was happening out of our estate that we weren't aware of. It hadn't been there before. There was a file transfer that suddenly appeared, that was actually in our estate that hadn't been there before. We would never have been able to see that normally, it's just that Vectra AI saw it. It was okay, it was going to a third-party and it allowed us to investigate it and find it but we would never have seen that without a notification. It understands what should be happening and then usually says "This isn't normal," and it allows us to flag it up and dig deeper into that.
It is very good at reducing alerts by rolling up numerous alerts to create a single incident or campaign for investigation. Although it doesn't reduce, it actually increases our alerts because we wouldn't have seen the stuff in the first place, but when it does create an alert, it pulls all investigative information together. We're not getting hundreds of alerts, we're getting alerts that contain all of the relevant components.
Vectra AI captures network metadata at scale and enriches it with security information. Although, we don't make the most of that, but we've never had a problem with its captures and it captures the correct data for what we want it to do. I think we could be using it better.
The information affects investigations by our security team by allowing them to be more effective and quicker in their investigations.
Vectra AI provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. Although, we found it's flagging up early, so it's not developing to that further stage of that because it's flagging up at an early stage.
Its ability to reduce false positives takes quite a bit of tuning. We've had to put a lot of effort into tuning out false positives, so that's something that we've had to invest our time into. Obviously it's getting better and better as time goes on, but we still have to spend time tuning it.
We've seen our tuning has lessened those processes, but we're still getting more than we would want. That's probably some of our fault. It could be some issues with the way it's set up in certain areas. But, once we tune them out, they're staying tuned out.
It hasn't reduced the security analyst workload in our organization but that was never the purpose of it for us. It's an additional tool in our armory, so it hasn't reduced our workload, but it's made us more efficient.
It makes the team more efficient in speed of response. I would say it makes them more efficient in the breadth of their coverage of what they can respond to. It makes us have a more proactive response to incidents.
It has reduced the time it takes to respond to attacks. That comes back to the proactive point. It makes us able to lower down in the kill chain. We can react now, rather than reacting to incidents that happened, we can see an incident, in some cases, as it's being implemented, or as it's being launched.
It's not all attacks, but I would say that it's a shift less on the material chain. It's things that we might not even have spotted if it hadn't been for Vectra AI, so it's difficult to know how we would quantify that as an amount.
If we didn't have Vectra and the Detect for Office 365, it would be very difficult to know if our Office 365 was compromised. We tried, in the past, to do it with a SIEM solution consuming Office 365 logs and it was really time-consuming. The Office 365 Detect solution has the exact same "mindset" as the Detect solution for networks. It's almost like we can deploy it in the fire-and-forget mode. You deploy the solution and everything is configured. You have all the relevant alerts out-of-the-box. If you want to, you could tweak, configure, contextualize, and rewrite the parser, because some things might be out of date, and customize the solution. For a big company with a large team it might be feasible, but for small companies, it's an absolute showstopper. The Detect for Office 365 gives us a lot of visibility and I'm very pleased with the tool.
We use three services from Vectra: Cognito Detect, Detect for Office 365, and Cognito Recall, and we are leveraging all these services within the SOC team to have proper assessments. We even use these tools to prepare the new use cases that we want to implement into our SIEM solution. Recall stores all the metadata that is brought up from Cognito Detect at a central point, data-lake style, with an elastic stack and a Kibana interface available for everybody. Using this, we can try to see what are the general steps.
Without this, I would not have been able to have my SOC analyst do the job. Creating a data lake for cyber security would be too expensive and too time-consuming to develop, deploy, and maintain. But with this solution, I have a lot of insight into my network.
An additional thing that is very convenient with the Recall and Detect interfaces is that you can do use cases involving individuals in Recall and have them triggered in Detect. For example, we found ways to track down if users are trying to bypass proxies, which might be quite a mess in a network. We found a type of search within Recall and have it triggering alerts in Detect. As a result, things can be managed.
It's so efficient that I'm thinking about removing my SIEM solution from our organization. Ours is a small organization and having a SIEM solution is really time-consuming. It needs regular attention to properly maintain it, to keep it up and running, consume all the logs, etc. And the value that it's bringing is currently pretty low. If I have to reduce costs, I will cut costs on my SIEM solution, not on Vectra.
The solution also provides visibility into behaviors across the full life cycle of an attack in our network, beyond just the internet gateway. It provides a lot of insight on how an attack might be coming. There are multiple phases of an attack that can be detected. And there is a new feature where it can even consume intelligence feeds from Vectra, and we can also push our own threat-intelligence feeds, although these have to be tested. The behavioral model of the Detect solution also covers major malware and CryptoLockers. I know it's working. We tested some cases and they showed properly in the tool. I'm quite reassured.
It triages threats and correlates them with compromised host devices. One of the convenient things about Detect is that it can be used by almost anybody. It's very clear. It's quite self-explanatory. It shows quadrants that state what is low-risk and what is high-risk. It is able to automatically pinpoint where to look. Every time we have had an internal pen test campaign, the old pen test workstation has popped up right away in the high-risk quadrant, in a matter of seconds. To filter out false positives it can also provide rules that state, "Okay, this is the standard behavior. This subnet or this workstation can do this type of thing." That means we can triage automatically. It also has some features which aren't so obvious, because they are hidden within the interface, to help you to define triage rules and lower the number of alerts. It looks at all your threat or alert landscapes, and says, "Okay, you have many alerts coming from these types of things, so this group of workstations is using this type of service. Consider defining a new, automated triage rule to reduce the number of alerts."
To give you numbers, with my SIEM I'm monitoring some IDS stuff within my network. Everything is concentrated within my SIEM. From my entire site, IDS is giving me about 5,000 more alerts than my Vectra solution. Of course it will depend on how it is configured and what types of alerts it is meant to detect, but Vectra is humanly manageable. You don't have to add something to make the triage manageable, using some time-consuming fine-tuning of the solution, requiring expertise. This is really a strong point with Vectra. You deploy it, and everything is automatically done and you have very few alerts.
Its ability to reduce false positives and help us focus on the highest-risk threats is quite amazing. I don't know how they made their behavioral or detection models, but they're very efficient. Each alert is scored with a probability and a criticality. Using this combination, it provides you insights on alerts and the risks related to alerts or to workstations. For example, a workstation that has a large number of low-criticality alerts might be pinpointed as a critical workstation to have a look at. In fact, in the previous pen test we launched, the guys were aware that the Vectra solution was deployed so they tried some less obvious tests, by not crawling all the domain controllers, and things like that. Because there were multiple, small alerts, workstations were pinpointed as being in the high-risk quadrant. This capability is honestly quite amazing.
And, of course, it has reduced the security analyst workload in our organization, on the one hand, but on the other it has increased it. It reduces the amount of attention analysts have to pay to things because they rely on the tool to do the job. We have confidence in its capability to detect and warn only on specific things of interest. But it also increases the workload because, as the tool is quite interesting to use, my guys tend to spend some time in Recall to check and fix things and to try to define new use cases. Previously, I had four analysts in my shop, and every one of them was monitoring everything that was happening on the network and in the company on a daily basis. Now, I have one analyst who is specialized in Vectra and who is using it more than the others. He is focusing on tweaking the rules and trying to find new detections. It brings us new opportunities, in fact. But it has really reduced the workload around NDS.
In addition, it has helped move work from our Tier 2 to our Tier 1 analysts. Previously, with my old IDS, all the detection had to be cross-checked multiple times before we knew if it was something really dangerous or if it was a false positive or a misconfiguration. Now, all the intelligence steps are done by the tool. It does happen that we sometimes see a false positive within the tool, but one well-trained analyst can handle the tool. I would say about 20 to 30 percent of work has moved from our Tier 2 to our Tier 1 analysts, at a global level. If I focus on only the network detections, by changing all my IDS to Vectra, the number is something like more than 90 percent.
It has increased our security efficiency. If I wanted to have the same type of coverage without Vectra, I would need to almost double the size of my team. We are a small company and my team has five guys in our SOC for monitoring and Tier 1 and Tier 2.
It reduces the time it takes for us to respond to attacks. It's quite difficult to say by how much. It depends on the detections and threat types. Previously, we had an antivirus that was warning us about malicious files that were deployed on a workstation within one year. Now, we can detect it within a few minutes, so the response time can be greatly enhanced. And the response time on a high-criticality incident would go from four hours to one hour.
The hosts are critical hosts, which are really good when used to look up things as fast as you can because these could be very risky situations. Furthermore, within detections, we try to clean up a lot of things that are low in priority. It is the same thing for the accounts within Office 365: Everything that is critical has to be solved as fast as possible.
The triaging is very interesting because we can do more with less work. We have more visibility, without too many false positives. It is a work in progress because there are a lot of clients in the network, and everything has to be researched to see if it is valid, but most alerts and detections are solved with a bit of triaging.
The interface is very intuitive and easy to use. It gives a good overview, and it is important to understand what is happening on the network.
The integration within our virtualization infrastructure allows us to see the traffic that is going between virtual machines, even within our host. That gives us a lot more insights.
The administrative privilege detection feature is the most valuable feature. The admin accounts are often highly accessible to the high-risk component of the environment. If those accounts are compromised or are being used in a suspicious manner, those are high-fidelity events for us to look into.
Its ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation is very useful. Given that we are not a dedicated SOC environment, having to trawl through several false positives is not something that we have the capacity for.
Cognito theoretically provides us with visibility into behaviors across the full lifecycle of an attack in our network beyond just the internet gateway. It has not been fully tested. But hypothetically it would give us full visibility into the attack chain.
We use privileged account analytics for detecting issues with privileged accounts.
It does a reliable job of parsing out the logs of all the network traffic so that we can ingest them into our SIEM and utilize them for threat hunting and case investigations. It is pretty robust and reliable. The administration time that we spend maintaining it or troubleshooting it is very low. So, the labor hour overhead is probably our largest benefit from it. We spend 99% of our time in Vectra investigating cases, responding to incidents, or hunting, and only around 1% of our time is spent patching, troubleshooting, or doing anything else. That's our largest benefit from Vectra.
We've got machine learning and AI detections, but we also have the traditional ability to create our own custom detections and rules that are important to us for compliance. When we were demoing other vendors, a large number of vendors let you make your own rules, but they don't provide their own rules and ML and AI rule engine, or they provide AI and ML, but they don't allow you to make your own rules. Vectra is very nice in that sense. We have detection rules that Vectra provides that are very common to the security industry, such as whenever there's a major event like the SolarWinds event. Those rules get built and deployed for us really quickly. We can manage our own, but then we also have the ML and the AI engine. We really like that. It is one of the few platforms that we've found to be supporting all three options.
An attractive thing about Vectra AI is the AI component that it has over the top of the detections. It will run intelligence over detections coming across in our environment and contextualize them a bit and filter them before raising them as something that the IT team or SOC need to address.
While the device itself is deployed on-prem, the hybrid nature of what it can monitor is important to us.
Its ability to group detections for us in an easier way to better identify and investigate is beneficial. It also provides detailed descriptions on the detection, which reduces our research time into what the incident is.
There are also some beneficial features around integration with existing products, like EDR, Active Directory, etc., where we can get some hooks to use the Vectra product to isolate devices when threats are found.
On a scale of good to bad, Vectra AI is good at having the ability to reduce alerts by rolling up numerous alerts to create a single incident or campaign for investigation. My frame of reference is another product that we had beforehand, which wasn't very good at this side of things. Vectra AI has been a good improvement in this space. In our pretty short time with it so far, Vectra AI has done a lot to reduce the noise and combine multiple detections into more singular or aggregated alerts that we can then investigate with a bit more context. It has been very good for us.
There is a level of automation that takes place where we don't have to write as many rules or be very specific around filtering data. It starts to learn, adapt, and automate some of the information coming in. It works by exception, which is really good. Initially, you get a little bit more noise, but once it understands what is normal in your environment, some of the detections are based on whether an action or activity is more than usual. It will then raise it. Initially, you are getting everything because everything is more than nothing, but now we are not getting much of that anymore because the baseline has been raised for what it would expect to see on the network.
We use the solution’s Privileged Account Analytics for detecting issues with privileged accounts. Privileged accounts are one of the biggest attack vectors that we can protect ourselves against. This is one of the few solutions that gives you true insight into where some of those privileged accounts are being used and when they are being used in an exceptional way.
We have found that Vectra AI captures network metadata at scale and enriches it with security information. We have seen that data enriched with integrations has been available and implemented. This comes back to the integration of our EDR solution. It is enriching its detection with existing products from our EDR suite, and probably some other integrations around AWS and Azure. In the future, we will see that improve even further.
One of the core features is that Vectra AI triages threats and correlates them with compromised host devices. From a visibility perspective, we can better track the threat across the network. Instead of us potentially finding one device that has been impacted without Vectra AI, it will give us the visibility of everywhere that threat went. Therefore, visibility has increased for us.
I think that the VPN software used through FortiGate is what our clients appreciate the most. They get secure, reliable connections without lag.
It is a good product. It does what we want it to do. I didn't find many false positives or things like that. We mainly use the IPS and URL filtering features, and they are pretty good.
The most valuable features are security and vision, and all of the UTM functionality.
I like the simplicity of the interface, they seem to have a good grasp of that. The solution is also very easy to deploy.
Its interface is the most valuable. It is quite easy to manage.
The most valuable feature is the central command center (APEX ONE), where we can control and manage the solution.
In TippingPoint, the IPS signatures and the IPS database are much better than what is commonly available. TippingPoint is more intelligent. It can work out bypass models if the device goes bad suddenly for any reason. It actually goes into a bridge mode where it parses from the data and finds where the problem is with the software security. We configure it like this so that if that happens, we immediately switch on the IPS in the firewall because technically the scenario is like that in the gateway. We first put on the firewall and the connection goes from there before going to the internal network or LC. We put the IPS in between the perimeter firewall, in an internal port.
One of the major reasons for choosing TippingPoint is that it acquires the intelligence of the IPS signatures. It is the first IPS solution database we tried. We actually detect a lot of intrusions not detectable by other solutions. This is an important point.
Another feature is that it can work in a base mode if the device goes down. Then, even if we do not make a modification to the network to get it working, you just switch on the IPS in the firewall and the device will pass on all those packets to the underlying devices. This way the operation doesn't stop and, in the meantime, you can fix the problem.
The solution is very good at tracking attacks.
The solution automatically upgrades itself well in order to be effective against future attacks.
We can manually bypass IP addresses and DNS entries if we need to.
The technical support on offer is very good.
The intrusion prevention and detection are nice.
It integrates easily.