What is most valuable?
It's the ease of use, right off the bat. You can type in certain applications to bring up, it brings up graphs and it's meaningful information off the bat with a very low level of entry. Then, as you get more comfortable, you can get more advanced, more granular. But it's probably the ease of entry into it that is one of the key features so far.
How has it helped my organization?
With other solutions it's a lot of care and feeding to keep it going, making sure that your alarms and use cases are built out. With the Network Monitor it's pulling packets right off the network and doing that deep packet analytics. You're able to look right off the wire and get a true picture of what's going on. "Did this person send out an email? Did this person go to this website? Is this application running on our network in these certain areas?" You can get a very granular look.
It provides data in a user-friendly interface that I can pull off and get to management.
It does packet captures as well, so if I really wanted to dig into it I could pull those down. I could run those through other tools as well.
You can really really dig into it with some other packet-analysis tools we have. But just having it there, it's incredibly smart, incredibly easy to use, and the breadth of information we get off it is really good for investigations for us.
What needs improvement?
It's just finding the knowledge and figuring out how to apply it. The platform itself is good, but the breadth of capabilities that it has is difficult, and not always super-well communicated between LogRhythm and us.
We were using it for certain things and, as time went on, we brought in different tools to meet certain capabilities. Then after researching, "Oh, LogRhythm does this too."
It's that communication between LogRhythm and us, just letting us know - maybe it's a little bit on us as well - what the capabilities are and how we can leverage it and make the most of our investment.
Things like this LogRhythm User Conference are really great, to know where they're going, and what we actually have.
For how long have I used the solution?
I've only been in the department about two years. I think we have had it for about four or five years at this point.
What do I think about the stability of the solution?
No issues since we upgraded. Previously, it was typically every Monday that I was coming in - it would die over the weekend - and I would spend a day cleaning up databases. That was LogRhythm 6.3.
Now we're on v7.25. Since that upgrade, searches are a lot quicker. The stability, the way they split it up now with the data processors and the data indexers with the new platform, it's been fantastic.
The Network Monitor itself, I haven't had any problems with it. We're capturing rolling PCAPs, and we have about a month and a half of PCAPs from our different environments right now. Stability is quite good.
What do I think about the scalability of the solution?
Regarding scalability, I think it's more just getting time to spend in LogRhythm. We're not a huge security shop, so it's getting the time to dig into it and really figure out how we're going to build it out and learning the functionalities that exist, that we can leverage.
A lot of the time you end up getting a product, standing it up for one use case, and that's what it gets pigeonholed as, when really there are 100 other capabilities you can use there.
How is customer service and technical support?
We've never had any problems. We have a few different platforms we run, for vulnerability management and the like. LogRhythm's support, compared to the other vendors that we use, is always same-day or next-day. Whereas with other vendors, after a week, two weeks, you have to follow up.
LogRhythm support has really been "Johnny on the spot." I write to the other guys who manage the other systems and I'll say, "I put the ticket in today and it was solved the next day," and he's been waiting two weeks and following up with them and really hounding them. I've never had to do that.
Very good support.
Which other solutions did I evaluate?
We're upgrading from the old version to the new version. Then I did some research on the Network Monitor box and saw some potential there for use cases. I sold it to my management and showed them what we could do with the Freemium version first.
From there, once I showed the use case and the value there, we were able to move forward and purchase the nice big appliance.
Because we're government, if it's existing we can do the upgrade process, but if we wanted to switch vendors it's more of an RFP process, very arduous and long. We knew we wanted to stick with LogRhythm, but there was an opportunity for us to look at new use cases and new capabilities that we spin up.
What other advice do I have?
We're Palo Alto for a lot of our Edge stuff. We run Cisco. Palo Alto on endpoints for their Traps, McAfee on some others. It's fairly distributed as well. We run all the casinos in British Columbia; they're distributed all around the province, and we run all of those and they're all reporting back to us. We also run the lottery point-of-sale systems as well. You go into a gas station, there's a lottery terminal there you can buy your ticket off of. We manage all those as well. Those are all wireless. A ton of stuff. Very, very large.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Nov 06 2017