What is most valuable?
The fact that I can quickly determine if there is a threat actor from internal to external. That's our primary goal. We have a lot of traders and a lot of developers, internal, so that's generally where our presence is. We don't have a whole lot of online presence. We're not so much worried about external actors.
Being able to determine what a user is doing is really helpful for us.
How has it helped my organization?
We've got two facilities. We pretty much have one setup, the DX. We don't have any failover, just because it doesn't work for us.
Our key challenge is weeding out who is actually trying to be a threat. Now, LogRhythm certainly helps us, but it's still very difficult because we've got not a super high turnover, but high enough that you're constantly going through them looking at stuff.
Being able to actually track somebody down and figure out what they're doing. Before, we didn't really have these insights, we were going by the seat of our pants and trying to pull whatever logs we could, whatever Unix logs we could find, and it wasn't really helpful that way. Now it pulls it all into one spot and we're actually able to correlate data and say, "Hey look, this person's really actually being shady," and go from there.
We've been able to identify certain individuals and not have issues past that.
What needs improvement?
There is a Group-By field that they're breaking out, which stopped me from being able to have certain events. They're breaking it out in 7.3, so they've already got it. That was the one thing that bothered me, so I'm happy about that.
What do I think about the stability of the solution?
Stability is not great but I think that's our issue. Qualys seems to blow it up all the time, but that's more on us to stop Qualys from scanning LogRhythm.
What do I think about the scalability of the solution?
Scalability is pretty good. We rolled it out at our primary company and then rolled it out past, to our sister company, which went really, really well.
How is customer service and technical support?
What other advice do I have?
It's fairly important that a solution be end-to-end unified. The fact that LogRhythm is, is working out very well for us.
I gave it eight out of 10 because of some of the issues we've had with the system actually going down but, again, that might be entirely on us. We're still in the defining phase of that.
One thing that surprised me over the course of our deployment is the amount of logs that I didn't realize we had, different log sources that we're seeing pop up, pending, being brought into the system and we haven't even seen them before. People are standing them up left and right and I'm thinking, "Guys, stop it."
Make sure that your operations guys, your network guys can actively search through it well. Get them training. Don't do half a job with it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Nov 07 2017