LogRhythm NextGen SIEM Review

Visibility into all log sources in one place, and alerting are key advantages; helped us find misconfigurations

What is most valuable?

Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

How has it helped my organization?

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimiter attacks. We've found operational problems, misconfigurations, things like that.

What needs improvement?

Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

We could also use more information on how to integrate with specific vendors.

Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

What do I think about the scalability of the solution?

It's good. We have all-in-one, an XM unit, because we're a smaller shop. It's been a great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

How is customer service and technical support?

We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company, I'd rank LogRhythm higher than those guys.

Which solutions did we use previously?

As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

How was the initial setup?

I'd say straightforward. We did have PS as well, so it was very helpful.

Which other solutions did I evaluate?

QRadar and Splunk. And, for whatever reason - it is not really a truly a SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

What other advice do I have?

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor interoperability, the ability to pull logs, and the ease of customizing parsing logs. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it form 10,000 feet, I would say and Logarithm and it are probably much easier to mange, much easier to use.

LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How we can improve? How can we do this or that?" Our SE and sales guy are really great. Keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Sign Up with Email