What is our primary use case?
We are a security operation center and we implement and manage DNIF for clients.
As a SIEM solution, it collects logs not only from network devices like firewalls, servers, databases, switches, or routers, but it also collects logs from applications.
The use case is that we can develop very complex correlation rules, correlating the application logs and the device logs. It enables us to detect fraud within organizations by correlating multiple logs from multiple data sources.
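To make the cross-source correlation concrete, here is a small added example (not DNIF code and not its EQL): application approval events are joined with Active Directory logon and logoff events, and an approval by an account with no recent domain logon is flagged. The pipe-delimited log format, the eight-hour window and the sample lines are all constructed for this illustration.

```python
"""Cross-source correlation: application transactions joined with AD logon logs.
Added example; the log format, rule and sample data are constructed, not DNIF's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    source: str   # "ad" (domain controller) or "app" (business application)
    user: str
    detail: str


def parse(line: str) -> Event:
    # Constructed format: "<ISO time>|<source>|<user>|<detail>"
    ts, source, user, detail = line.split("|", 3)
    return Event(datetime.fromisoformat(ts), source, user, detail)


def correlate(lines, window=timedelta(hours=8)):
    """Flag 'approve' actions in the application log by a user who has no
    AD logon inside the window (or who has already logged off). A single-source
    rule on the application log alone cannot see this."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e.ts)
    last_logon = {}   # user -> timestamp of most recent AD logon still active
    alerts = []
    for e in events:
        if e.source == "ad" and e.detail.startswith("logon"):
            last_logon[e.user] = e.ts
        elif e.source == "ad" and e.detail.startswith("logoff"):
            last_logon.pop(e.user, None)
        elif e.source == "app" and e.detail.startswith("approve"):
            seen = last_logon.get(e.user)
            if seen is None or e.ts - seen > window:
                alerts.append(f"{e.ts.isoformat()} {e.user}: {e.detail} without recent AD logon")
    return alerts


SAMPLE = [  # constructed sample lines
    "2024-03-04T08:55:00|ad|alice|logon ws-101",
    "2024-03-04T09:10:00|app|alice|approve payment 12000",
    "2024-03-04T09:30:00|ad|alice|logoff ws-101",
    "2024-03-04T11:02:00|app|alice|approve payment 48000",
    "2024-03-04T11:05:00|app|bob|approve payment 7000",
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(alert)
```

The first approval is legitimate (alice is logged on); the later two fire because alice has logged off and bob never authenticated to the domain at all.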
How has it helped my organization?
Many other SIEMs do not collect from the application logs. This solution enables us to collect logs from applications like SAP and Oracle.
We are also able to develop correlation rules very easily. The tool provides a query language called EQL which is very easy to understand. It is very easy to create queries using this language, enabling us to create exception reports.
What is most valuable?
The solution is based on a big-data platform and the response time on queries is super-fast. That's why we like this solution. It is 30 times faster than traditional SIEMs. It provides responses to queries within a minute. That's the most impressive feature we have found in this product.
Also, the UBA, the User Behavior Analytics, is a built-in threat-hunting feature. It detects and reports on any kind of malware or ransomware that enters the network. That's an amazing feature of this product.
What needs improvement?
The solution should be able to connect to endpoints, such as desktops and laptops. Endpoints are also vulnerable to malware attacks and they generate a lot of logs. If this solution had a smart connector to these logs - Windows, Linux, or any other logs - without affecting the performance of the connector, that would be wonderful.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
The solution is absolutely stable and scalable. It doesn't fail easily. It's quite good. It accepts the logs consistently and steadily and it doesn't drop any packets.
What do I think about the scalability of the solution?
The scalability is excellent. You can scale up from a few gigabytes to terabytes or even petabytes. The scalability is never a question.
How are customer service and technical support?
Technical support is good. They have a good technical team in India, so we have no problem.
They also have a training division and they keep training our engineers. They are always in touch. We have their telephone number and e-mail for support, so we can always reach out to them in case our consultants or security analysts have any doubts or need clarification. They are always there. They provide 24/7 support.
Which solution did I use previously and why did I switch?
Previously, we were using ArcSight and AlienVault. We switched because this is the next generation of SIEM. It is much faster and, technology-wise, it is much better. It has UBA, User Behavior Analytics, which other solutions don't have. It has very powerful analytics and machine-learning technology, which enables us to find a pattern of attacks. It understands what normal user behavior is and, if there is abnormal behavior, it detects it and reports it. Machine-learning concepts are also embedded in the solution and that's one of the reasons we switched. This is futuristic technology.
How was the initial setup?
The setup is straightforward. Their architecture includes an adapter. Using it, you can easily connect to different devices for collecting logs. The solution has a data store and the adapter sends the logs to the data store. There is a correlation engine from which you can correlate the logs and reports. They have both a cloud-based and an on-premise model. Overall, it is not complex, it is quite easy to do.
The deployment depends on the client environment. If the client has only one location, we can deploy within 10 to 15 days. If a client is spread across geographies, it will take more time: two, three, or four months. It all depends on the number of locations the client has and the number of devices. If the device list is small, we can do a very fast implementation. If the device list is big, it's going to take time.
Typically, although it depends on the number of locations, about two to three people would be enough to do the deployment. But to monitor the data in our security operations center, we typically require three level-one analysts. Each of our three shifts requires three people. There will also be a couple of level-two analysts and a level-three analyst. So about five to six people are enough to monitor a single client.
What's my experience with pricing, setup cost, and licensing?
The pricing is based on the log size. We have a log calculation sheet. When we approach a client, we ask them how many devices they have, how many firewalls, how many Active Directory servers, how many routers, and how many applications. We calculate the events per second, events per day, and events per month. Based on the log volume we charge a price per GB. For each GB we charge about 150 Indian rupees.
This price is only for the license subscription. On top of it, we add the service cost of monitoring. It depends on the size and volume.
Which other solutions did I evaluate?
There is one more option which has been developed in India and we are also using that. But DNIF is much more mature. The other one is called Khika. It is also good but it is still new to the market. We are still evaluating them and we are using it for smaller deployments. Cost-wise, Khika is cheaper, but feature-wise, DNIF is probably slightly better.
What other advice do I have?
I would definitely recommend DNIF.
We have been using this solution for about six months now. It is a very new solution. It is a next-generation SIEM with security analytics and UBA - User Behavior Analytics. We have a very good team of security analysts who manage installation, implementation, and monitoring of the solution.
DNIF is much faster, much more responsive, and far superior when compared to competitive tools.
It offers a cloud model, in a very secure way, or you can deploy it on-premise, where it is much safer. Here in India, and even elsewhere, banks have a policy of not letting their data outside of the organization's data center. For those banks, DNIF will have to be deployed on-premise. For other organizations, whether they are e-commerce, manufacturing, or any other type, they can deploy it on the cloud. The cloud version is also quite fast. The log collection works quite well, consistently. Our consultants are able to remotely monitor and do their jobs properly.
End-users don't use this solution. The main job of this solution is to collect the logs from different devices. The end-users do their normal e-mailing, their normal transaction-processing, etc. But their log sessions, their logins and logouts, are logged in Active Directory. Or if somebody accesses the internet, they have to pass through the firewall and, based on the firewall rules and policies, they are allowed access to different websites. All these sources have logs that are collected and sent to DNIF. The solution stores the logs.
Our security analysts monitor them to find out if there is any malware, attack, or hacker who is hacking at a client and we report on that. The users are the information security team. On our side, the users are my security analysts.
We not only find out if there is an anomaly or any malware, we also do incident response. We have a ticketing tool and use that tool to report if there are any serious incidents which need to be looked into immediately, and we resolve them along with the client team.