It's the security analyst for incident response, forensic investigations, and security monitoring.
Security Information and Event Management (SIEM) incident response Reviews
Showing reviews of the top ranking products in Security Information and Event Management (SIEM), containing the term incident response
ArcSight: incident response
LogRhythm NextGen SIEM: incident response
Our primary use case is incident response and alerting. In terms of performance, it's pretty awesome.
The SIEM and the CloudAI has improved our organization by helping us track down errors in our network. It has helped out our IT services team, and it's also helped out our database team in trying to track down errors inside of our network. It's also opened our eyes to a lot of the attacks that have been coming in to our network from outside threat actors. It's helped us stop a lot of those attacks as they're happening, and it's also helped us identify some policy violations inside of our network as well.
I haven't used the playbooks yet, but from what I've learned here at RhythmWorld, I will be integrating the playbooks as part of our incident response policy.
AT&T AlienVault USM: incident response
AlienVault USM Anywhere provides us with SIEM, at a low price-point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts and USM Anywhere enables us to filter the noise and concentrate the efforts of our small team on the real issues and threats.
Fortinet FortiSIEM: incident response
The scalability is there, and you can expand on the EPS (Events Per Second) as needed.
We do plan on selling this service to our customers that can see the benefit in it. We will probably introduce an incident response application to help triage incidents at a faster level.
LogPoint: incident response
DNIF: incident response
I would definitely recommend DNIF.
We have been using this solution for about six months now. It is a very new solution. It is a next-generation SIEM with security analytics and UBA - User Behavior Analytics. We have a very good team of security analysts who manage installation, implementation, and monitoring of the solution.
DNIF is much faster, much more responsive, and far superior when compared to competitive tools.
It offers a cloud model, in a very secure way, or you can deploy it on-premise, where it is much safer. Here in India, and even elsewhere, banks have a policy of not letting their data outside of the organization's data center. For those banks, DNIF will have to be deployed on-premise. For other organizations, whether they are e-commerce, manufacturing, or any other type, they can deploy it on the cloud. The cloud version is also is quite fast. The log collection works quite well, consistently. Our consultants are able to remotely monitor and do their jobs properly.
End-users don't use this solution. The main job of this solution is to collect the logs from different devices. The end-users do their normal e-mailing, their normal transaction-processing, etc. But their log sessions, their logins and logouts, are logged in Active Directory. Or if somebody accesses the internet, they have to pass through the firewall and, based on the firewall rules and policies, they are allowed access to different websites. All these sources have logs that are collected and sent to the DNIF. The solution stores the logs.
Our security analysts monitor them to find out if there is any malware, attack, or hacker who is hacking at a client and we report on that. The users are the information security team. On our side, the users are my security analysts.
We not only find out if there is an anomaly or any malware, we also do incident response. We have a ticketing tool and use that tool to report if there are any serious incidents which need to be looked into immediately, and we resolve it along with the client team.
Devo: incident response
I run an incident response, digital forensics team for OpenText. We do investigations into cyber breaches, insider threats, network exploitation, etc. We leverage Devo as a central repository to bring in customer logging in a multi-tenant environment to conduct analysis and investigations.
We have a continuous monitoring customer for whom we stream all of their logging in on sort of a traditional Devo setup. We build out the active boards, dashboards, and everything else. The customer has the ability to review it, but we review it as well, acting as a security managed service offering for them.
We use Devo in traditional ways and in some home grown ways.
For example, if there is a current answer response, I need to see what's going on in their environment. Currently, I'll stream logs from the syslog into Devo and review those. For different tools that we use to do analytics and forensics, we'll parse those out and send that up to Devo as well. We can correlate things across multiple forensic tools against log traffic, network traffic, and cloud traffic. We can do it all with Devo.
It's all public cloud, multi-factor authentication, and multi-tenant. We have multiple tenants built in as different customers, labs, etc. Devo has us set up in their cloud, and we leverage their instance.
We are using their latest version.
i-SIEM: incident response
We are saving so much time. We deal with billions of events a month. We are definitely a data-centric organization. Easily, we are able to save 75 percent of the head count for security operations that would otherwise be needed given our scale. Now, we are in a bit of a unique situation where the organization spun off from its parent company just shy of four years ago. So, we are still in a growth mode in many respects. While we are still continuing to expand our security organization from an FTE and head count perspective, it's very easy to quantify without empow we would be looking at seven to 10 more resources being required. This is opposed to the one or two who are focused on the platform today, where focused on the platform includes capacity management, general system administration of the environment, and monitoring/responding to alarms that are generated.
As a result of the automation, we are able to manage SIEM with a small security team. I'm in a unique position where we have been growing the security organization quite rapidly over the last three and a half years. But, as a direct result of the empow transition and legacy collection of tools towards the empow platform, we've been able to keep that head count flat. We've been able to redirect a lot of the security team's time away from the wash, rinse, repeat activities of responding to alarms where we have a high degree of confidence that they will be false positives, adjusting the rules accordingly. This can be a bit frustrating for the analyst when they have to spend hours a day dealing with these types of probable false positives. So, it has helped not only us keep our headcount flat relative to the resources necessary to provide the assurances that our executives expect of us for monitoring, but allows our analyst team to spend the majority of their time doing what they love. They are spending their time meaningfully with a higher degree of confidence and enjoying getting into the incident response type activity.
North of 75 percent of our time has been reduced relative to the support in the environment, starting from the general system administration, capacity management, the overall patching, and system admin of the ecosystem. Most notably would be on the time to maintain the application tier of empow, particularly that of the correlation rules. That has been reduced by north of 90 percent as compared to other platforms.
Mitigation time has been reduced by north of 75 percent for the vast majority of alarms that we receive. This varies depending on the event type. However, with the automated playbooks that we have defined and the confidence levels in the fidelity alarms, we have been able to enjoy significant reduction in our mean time to mitigate and mean time to respond.
As we have more alarms as a result of having more logs adjusted, this means we need more analysts to respond to those alarms in order for us to meet our SLAs because we have very aggressive SLAs. With a higher degree of fidelity in the alarms, we were able to avoid adding additional resources to our teams. We take into account the cost of security resources in the market and the significantly higher fidelity from the alarms that are being generated. This drove down our costs with our MSSP. It drove down my cost for human capital internally. It drove down our need to have multiple resources supporting the underlying infrastructure and health and maintenance of empow as a platform from several resources down to one. Therefore, human capital costs were significantly reduced. Our operating expenses were significantly reduced. Our capital costs were significantly reduced while tripling our capacity and our run rate reduced. It was almost a "too good to be true" situation. Fortunately, for us, it worked out very nicely.