What is most valuable?
Strong analysis engine, easy-to-use web interface. Setting up rules and alerts is also quite simple. In fact, we mostly use many of the built-in alerts and monitors with minor modification (primarily around the trigger levels). It integrates with many available vulnerability assessment tools like Nessus, Qualys and Nmap to present a single view of your infrastructure status. No requirement for a separate RDBMS saves licensing costs.
Based on my interactions with peers and vendors, for smaller organizations it is much better than other, more established competitors, which may offer more features but are too expensive or too big for your needs. At the higher end, it can easily handle workloads similar to the larger players.
How has it helped my organization?
The web interface makes it quite easy to analyse and make sense of all the logs collected.
What needs improvement?
Support for all available environments, e.g. it does not support AIX v7 or later. Some minor configuration parameters, like date and time format, are set as per US standards.
For how long have I used the solution?
1 year, including an initial 3 months fine-tuning all settings and alerts.
What was my experience with deployment of the solution?
Minor infrastructure issues, primarily based on the local vendor's understanding of the tool deployment. Support from eIQ could resolve these quite quickly.
What do I think about the stability of the solution?
What do I think about the scalability of the solution?
Suits my current purpose with plenty of buffer but the system is designed to scale.
How are customer service and technical support?
Customer Service: We do not speak to eIQ directly, but any issues raised by the vendor with them are quickly resolved or a response is given.
Technical Support: Have not really used it, as we have a competent vendor and get quick responses from eIQ in case of issues.
Which solution did I use previously and why did I switch?
None. This is the first solution deployed in the organization. Before this we only had logs stored locally.
How was the initial setup?
Other than figuring out what you need to alert on and at what levels, setup was done quickly. The templates already available help a lot, but setting up a complex report did take some trial and error.
What about the implementation team?
Vendor deployed and managed. The vendor was competent but required some back and forth with eIQ support.
What was our ROI?
No ROI calculated, but it gives me better visibility into events which I did not have earlier.
What's my experience with pricing, setup cost, and licensing?
I am working on an operating expense relationship with the vendor over a period of 3 years. Total expense in India is around $90,000 over 3 years for solution + implementation. There are additional expenses for the monitoring (the vendor monitors all alerts through their SOC) and day-to-day server running expenses.
Which other solutions did I evaluate?
Evaluated ArcSight and Nitro, and obtained reviews for a few others from within the group. Selected this based on sizing, reviews and commercial considerations.
What other advice do I have?
It is quite a good solution for small companies that do not want to invest in larger, well-known (and more expensive) solutions.
In fact, based on my experience so far and the documented capabilities of the solution, it should meet my SIEM and Threat Management needs as well for the next few years.