What is most valuable?
- The integratedness
- The parsing
- Their partnerships with various device manufacturers
They keep it up to date, you don't have to worry about that when their products change.
I think as an aggregator it works very well, and as a case management tool it works very well. I think it works reasonably well for parsing. I think there's always room for improvement there; I'm thinking any solution that I've seen, it's just a difficult problem to solve.
How has it helped my organization?
We're an MSSB, we have about 10 or so different customers that all host with us. Currently we're licensed for 15,000 MPS, average, and we use about 8000 MPS average, consistently, and we're growing.
Among our key challenges is getting everybody on the same page about the value of security, and why it's worthwhile to pay for security solutions, and the people to staff them.
LogRhythm has absolutely helped improve the security of our organization. We're able to respond to potential threats in a unified system, where that was impossible before. This is our first SIEM product.
What needs improvement?
I would like to see more focus on it being a data lake. We have around 100 terabytes of data stored in LogRhythm, machine data, sensor data. That all could be used for operations tasks as well. It would really be awful to have to stand up another Splunk instance at 100 terabytes alongside of it.
Also, seeing more analytics features, and more flexibility around that, and their schema.
Bringing it out completely horizontally scalable, and also continued focus on supporting lots of different vendors, for a lot of data sources.
What do I think about the scalability of the solution?
Scalability is not great, at the moment. That's changing with newer releases, and I know that's been a focus of the team. It's actually the purpose of my coming to the LogRhythm user conference, to learn more about that.
They're moving towards a horizontally scalable system, and frankly a lot of their competitors don't have this yet either, so it's kind of a wash in that. I think once they get to that point where they're completely horizontally scalable in all components, they'll have a leg up on the competitors, at least for a little while, until they get there as well.
How are customer service and technical support?
Great in some areas, not so great in others. We had a lot of challenges during our initial deployment, self-inflicted in some ways. Others, we didn't have the right support, and the technical services team was stretched pretty thin when we used them.
It was hard to schedule time with them and get pre-deployment meetings, a proper architecture review on time, so we knew that our environment was ready for the deployment.
Which solution did I use previously and why did I switch?
We used EiQ. It was terrible. Just straight up, they didn't fulfill support promises. They pivoted from being a self-hosted company to hosting in the cloud and offshore, using offshore analysts. So, it just wasn't a fit anymore. And their product didn't scale.
We needed something that would give us a single pane of glass, that visibility over our whole organization - and correlate all the data - without too much staffing needs.
How was the initial setup?
We undersized the environment from a hardware perspective, which led to the system not performing well.
I'd say the requirements weren't really well defined, in our particular situation, but from what I've heard, other customers don't necessarily have that same issue. I think it was more so that LogRhythm was just growing at that time, and they had more customers than they knew what to do with.
Which other solutions did I evaluate?
We looked at RSA, we looked at Alien Vault, we looked at a vanilla ELK Stack homegrown solution. We actually evaluated that one. And we also looked at McAfee/Intel at the time, security.
We went with LogRhythm because aligning with the critical security controls, SAN security controls, was important for us. Also, the price was good, MSSP support was good. I think ultimately it was the combination of their willingness to partner with us, and the price.
What other advice do I have?
I would say for us, being an MSSB, when selecting a vendor, scalability is paramount. And the support ability. If we're going to drop a lot of money on a solution, it needs to be easy for our analysts to get up to speed with it. That's worth a little bit extra, versus going with something that requires months of training just to do the basic running of the system.
If I were to advise a colleague looking at this or a similar solution, I would say take a look at all the options, figure out what you need out of a solution first, and then just make sure you evaluate it. If possible, test drive it. See what it can do, not in a sales presentation. Don't just look at a PowerPoint, actually test drive it.