What is most valuable?
- SmartResponse flexibility
- Ease of use
- Ease of administration
Overall, versus competitors, it is a lot easier to use, a lot more user friendly, but it still gives you a lot of flexibility to do whatever you want. The limit is your imagination, for SmartResponses at least.
How has it helped my organization?
We've actually been able to use it to show that we need more people, because we're going to be doing more. It's the center of our SOC, but we are starting to use it for operational things as well, not just security.
What needs improvement?
I would like to be able to use the Web Console, but because of our volume I can't.
Also, it needs to stay healthy. A lot of the problems seem to pop up out of nowhere, and a lot of them seem to be somewhat debilitating. We were fine for a long time, and then eventually one day our processing just dropped. I ended up talking to support for something like a month, and eventually I got to someone who said, "You should check the BIOS settings on your data processors and your indexers." Turned out there was some read-head caching setting that wasn't enabled by Dell. We were fine for over a year, and then all of a sudden, problems.
It's a great tool, just random dragons seem to cause problems.
What do I think about the stability of the solution?
Hit or miss, it depends. A month or two will go by and everything will be fine, and all of a sudden, something breaks. Then it's in the air for a little while, and then I manage to figure out what is causing the problem, fix that, and then everything is fine for a couple months. Then something else happens.
It's different every time. One specific example: I think it was related to a KB-update that basically broke a log source type that was doing tens of millions of logs per day. And that just trashed our data processors. It put everything behind, we went down to single-digit processing, blocks-per-second processing, for a period of a few weeks. I had to rebuild all the MPE rules into a new log source policy, and then everything was fine.
For a few months everything was working and then all of a sudden one day it just goes into the toilet. We didn't do any upgrades, nothing like that, so that is why I'm thinking KB-update, but I haven't pushed it.
What do I think about the scalability of the solution?
It's pretty good, it's easy to add parts, it's pretty easy to do that. It's just expensive sometimes.
When we started, we had one platform manager, and two DPXs. And then we added this second organization, network domain, etc. Then we realized that we didn't have the infrastructure we needed to support everything. We were able to buy five DPXs, etc.
How is customer service and technical support?
On a scale of one to 10, it's a seven to eight.
Once you escalate and validate, it's pretty easy to get to someone who knows what they're doing, and has a lot of the expertise in that specific area.
Which other solutions did I evaluate?
I know that it came down to LogRhythm, Splunk and ArcSight. They ideally wanted one person to administrate and run the whole system, which is why the other two got the boot and LogRhythm was chosen. That was the most important criterion in selecting a vendor.
What other advice do I have?
It's not perfect, but no solution is going to be perfect. If you have one person that you can dedicate forty hours a week to the SIEM it will be fine.