How has it helped my organization?
We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has really been a concern is we have a lot of software developers and engineers. These guys are gonna be able to create their own threat, so the behavioral analysis function of LogRhythm is really important, because there may not be a threat signature that we can find somewhere. We are going to need to see, "Oh hey, this guy, he is doing that at some weird hour. Okay, trigger an alert." That's probably the biggest difference. We are not going to have to worry about phishing attacks. We have really locked down. Our endpoints are going to a lot of thin clients just to eliminate a lot of potential access to systems.
LogRhythm has caught a few odds and ends, where things were done for sheer convenience. It caught this weird behavior, and alerted us, and we're like, "Why do we have a DNS server with a software install point on it?", which is completely strange because we have an official software repository where everything is supposed to be. LogRhythm caught that for us, and it was really a case of a privileged user account, which was no longer active, and someone just tried to login with it. We were like, "Who is this? It's not even the same format for the username." So, it caught something like that, and it turned out to be harmless.
Maybe years ago, they had brought someone in, not an IT guy, they were pushing out a lot of common software, and they didn't have an SCCM or a WSUS solution, so they had people going to machines, and downloading it from various locations. It is something we cleaned up, and got out of the way. We haven't had anything nefarious show up, yet.
It has also been helpful for tracking a lot of stuff, like user account activity. We have our own folks, we have vendors and contractors that come in. It's great to be able to see when their accounts are being created, and when they're being locked down, because our security people can say, "Okay, this person is a new hire. We know they are supposed to be here. This person is leaving the company. Good to see their account has been locked down." There is a lot of confirmation on account activity, which is great.
We need to catch everything before it does anything bad. Our biggest challenge is we have reporting requirements with our customer. They want to see specific types of activity, and while we want to be able to provide that, we also want to be able to catch things that might be on the edge or just outside of those boundaries. So that is our biggest challenge because I can watch the industry news and see, "Oh well, we have a threat that is coming in this way now that could possibly get on our system. How do I catch that?" Well, my customer's requirements might be too vague or too specific. I have to convince them that this is also important, include it, and here is why. So keeping my customer educated as to the threats is really critical.
What is most valuable?
It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast. Our operation is small. I am a one-man shop right now, so it gives me a chance to aggregate all my events and logging, alerting, in one spot. I come in and can see exactly what is happening.
What needs improvement?
The biggest thing is when you are looking at the client console:A lot of the data, the reports that you can generate, then you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph. I know some of that's being handed off to the web console, but that would be the one thing that would be really helpful.
It is a little hard to get integrated.
The one thing that would help me the most, because I am sort of isolated from things, and the guides that LogRhythm puts out are really good. However, a lot of times, it is, "Do this, do this, and this works because of this, this works because you do this." I would love to see something where they show or explain why doing something would break something or wouldn't work for you. That is the one thing, because I have done some things, like created a GLPR, just done them a couple of times, and I had two of work really well, and one that seems like it should be perfect, it is just a simple exclusion, but it does not work at all.
What do I think about the stability of the solution?
Stability has been great.
How is customer service and technical support?
I have done a lot of good work with the account reps and engineers. It really feels like we are on the same team.
Technical support has been pretty good. It has been a challenge, because we are not connected to the Internet, and when they want to get our logs, we are like, "Well, it is going to be a few days before any of it gets to you." That's our biggest challenge, but they have tried to work with us.
Overall, they have been good. They have been pretty helpful
How was the initial setup?
I was not involved in the initial setup.
What's my experience with pricing, setup cost, and licensing?
I would recommend talking to the rep. That's the biggest thing because they will know what questions to ask.
What other advice do I have?
It does what we want, but there is so much you can do with it. It is like buying the biggest tool set you can find, then you are trying to find out, "Okay, what am I going to do with all of these tools?" Trying to tune your system with the tools that you have available is a little daunting. It was for me because I did not have the security background. If you are new, it will be a little bit daunting. The training is a big help, though.
Understand what your scope is. What are you really trying to do with this tool? If all you want to do is collect logs and pile them up somewhere on a server, this is not going to help you, and it will defeat your security goals, probably. If you are looking for something, talk to the LogRhythm rep to find out, "Okay, we are really operationally-focused. Or, we are really security-focused."
Most important criteria when selecting a vendor:
- Vendor access, which is what LogRhythm is very good at. We have got the engineers coming to us saying, "Hey, we are coming to town, is there something we can talk to you about? Do you want us to visit?"
- Very flexible.
- Really good communication is important because if something is happening, I need to be able to get it taken care of quickly, and that is what's going on.
- Scalability: It looks like it is wonderfully scalable.
- Integration: I have been interested with what I have seen with the carbon block and the endpoint stuff.