- User behavior analytics.
- Alert features on any suspicious activities.
- It contributes a lot of knowledge towards your network environment.
You can add value once you connect a lot of syslogs from a lot of applications to the actual SIEM product. It pretty much does the monitoring of our network, so just having the tool secures the environment itself.
I don't have any particular suggestions at the moment, but giving the ability to their business users to leverage the functionality well is important. Right now, the way we use it internally is mainly just for our security team, but other products, like Splunk, for instance, do monitoring on not only the network but also monitoring of system performance.
Server performance is important, whether or not the application is up or down or things of that nature.
The product is very stable.
The product is very scalable.
Technical support is good. It's not great, but it's good. When you leverage the tier 1 folks just to do some troubleshooting, it takes a bit of time to transition a case over. They could improve that turnaround time, especially when the first-level guy doesn't know exactly what's going on or doesn't know the answers to the questions.
I wasn't directly involved in the initial implementation. I wouldn't say it's complex, but I mean just by enabling different data sources, you can go crazy with it and enabling them all in one shot is just too much.
Taking your time is probably a better approach so that, that way, things operate smoothly and you can fine-tune things as you start seeing the network activity.
Ensure that it's scalable and that you have good customer support. Also, take your time doing the implementation.