What is our primary use case?
Our primary use case is trying to monitor irregular network traffic - identifying the type of traffic within our network, its origin, and destination IP. It could be HTTP, HTTPS, FTP, or ODBC. Once we recognize the traffic, we then correlate it, determining whether it's normal or abnormal. The data is also sent via Syslog to LogRhythm SIEM to further correlate with logs from other devices to look at threats from a holistic view.
How has it helped my organization?
We simply enabled the out-of-the-box DPA rules within Network Monitor to look for ransomware via SMB traffic and other types of attacks such as DNS hijacking, where external DNS is being used instead of internal, and it was happening in our network environment.
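The external-DNS check the reviewer describes, written out as an added Python example for illustration; this is editor-written code, not LogRhythm's DPA rule syntax or NetMon output. The resolver allowlist, internal ranges and the key=value flow records are all constructed for the example.

```python
import ipaddress
from collections import Counter

# Hypothetical approved internal resolvers: the only hosts that should
# receive DNS traffic from endpoints. Constructed values for this example.
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed internal address space used to label where a flow is going.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed flow records in key=value form (not real NetMon log lines).
SAMPLE_FLOWS = """\
ts=1700000001 src=10.0.1.20 dst=10.0.0.53 dport=53 proto=udp app=dns
ts=1700000002 src=10.0.1.20 dst=8.8.8.8 dport=53 proto=udp app=dns
ts=1700000003 src=10.0.1.21 dst=10.0.1.53 dport=53 proto=udp app=dns
ts=1700000004 src=10.0.1.22 dst=1.1.1.1 dport=853 proto=tcp app=dns-over-tls
ts=1700000005 src=10.0.1.22 dst=10.0.0.53 dport=53 proto=tcp app=dns
ts=1700000006 src=10.0.1.20 dst=8.8.4.4 dport=53 proto=udp app=dns
ts=1700000007 src=10.0.1.30 dst=10.0.2.10 dport=445 proto=tcp app=smb
"""


def parse_flow(line):
    """Turn one 'k=v k=v ...' record into a dict; dport becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["dport"] = int(fields["dport"])
    return fields


def is_internal(ip):
    """True when the address falls inside the constructed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_dns_flow(flow):
    """Classify by port (53 plain DNS, 853 DNS-over-TLS) or by the app label."""
    return flow["dport"] in (53, 853) or flow["app"].startswith("dns")


def find_unapproved_dns(text):
    """Return every DNS flow whose destination is not an approved resolver.

    Each hit records the source, destination and a reason: an external
    resolver (the DNS-hijacking case the review mentions) or an internal
    host that is not on the allowlist (a rogue internal resolver).
    """
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if not is_dns_flow(flow):
            continue
        if flow["dst"] in APPROVED_RESOLVERS:
            continue
        reason = "internal-unapproved" if is_internal(flow["dst"]) else "external"
        hits.append({"ts": flow["ts"], "src": flow["src"],
                     "dst": flow["dst"], "dport": flow["dport"], "reason": reason})
    return hits


def count_by_source(hits):
    """Number of unapproved DNS flows per source host, for triage ordering."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = find_unapproved_dns(SAMPLE_FLOWS)
    for h in found:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['dport']} ({h['reason']})")
    print(dict(count_by_source(found)))
```

The SMB record on port 445 is deliberately present so the DNS filter is shown ignoring unrelated traffic; a real deployment would feed the same loop from the monitor's flow export rather than an inline string.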
What is most valuable?
I think visibility is the most valuable feature - the ability to see what's going on with the network traffic even if it is not passing the firewall. It provides lateral traffic visibility, which most can't see in firewalls and network switches/routers with limited logs. In an internal environment, we have a customer with several database servers, and they want to know who is connecting to these critical servers; this solution enables that. In terms of attacks or any abnormal traffic, we can quickly detect it. Visibility into network lateral movement is significant.
What needs improvement?
Our customers would always like to see additional features. Ideally, they want one solution to do everything, particularly with networking products. Often customers request features that are related to their day-to-day operation, such as traffic congestion and network usage at a specific endpoint. Adding operational flavor into the existing network threat detection product would allow more customers to use a single platform to satisfy all their networking visibility needs. I'd like to see more of these types of visualizations or dashboards geared toward this kind of usage built out of the box and ready to use.
Also, having network topology visuals from a specific endpoint can be a great feature that would help correlate and investigate faster.
For how long have I used the solution?
I've been using this product for four years.
What do I think about the stability of the solution?
It's an excellent and stable solution; it's based on ELK and is a proprietary solution. It provides you with an ISO file that you can install in minutes.
How are customer service and technical support?
The technical support is excellent. You can find many pre-built rules, visualization dashboards, or the Kibana dashboard within the community portal. 90% of users can just use it right out of the box, using the many built-in deep packet analytics rules and dashboards or downloading from the community. If you would like to build your own rules, it will require some learning of the rule syntax. For any more advanced integration with an external system, you can make a request to LogRhythm support. They will be willing to answer any questions you have.
How was the initial setup?
The initial setup is very straightforward and simple. It takes about half a day to get it all done.
What's my experience with pricing, setup cost, and licensing?
Compared to many other products in the market, I think LogRhythm has the highest cost-to-performance ratio in terms of its value. Many customers compared us to a lot of other network tools that focused more on traffic flow and data flow, which often lack threat detection, visibility, and deep packet analytics. However, LogRhythm NetworkNDR provides excellent visibility and threat detection because it identifies 3000 plus applications, has built-in deep packet rules, and provides SOAR capability at the same time.
What other advice do I have?
LogRhythm provides a freemium version of NetMon, so I would first advise anyone to download it and play with it first. All features are the same as in the full version, and it is the best way for anyone to understand the product's capability and how it works. If it works well, then consider buying the product.
I would rate this product a 9 out of 10.
Which deployment model are you using for this solution?