How has it helped my organization?
We have a big issue with our users, they really like to click on links and attachments. The Phishing Intelligence Engine, is a new feature they're releasing, which is really going to have a nice fit for us. Then the CloudAI stuff they built right into the SIEM. There's nothing else you've got to do other than upgrade it to the latest and greatest version. Those would be two really key opportunities for us to really take care of a security vector that we have issues with every day.
What is most valuable?
Favorite feature of the product is the ease of administration. There's not a lot of overhead. We don't need a FTE dedicated just to admin the product. That was one of the biggest selling features for us.
What do I think about the scalability of the solution?
Have not scaled. Like I mentioned, it was a compliance check-box. We are running what they call an all-in-one, all the features are running all in one box. But you can also take each feature as you grow, and move those features off. For example, if the Web Console is slow, you can extract that out and run it on its own separate system.
There are Fortune 500 companies running it, so obviously it scales.
How are customer service and technical support?
We had one issue, self-inflicted wound. We were capturing too many active logs and not archiving them off. We went through a process where we did Professional Services with our VAR; missed that step, that we actually needed to use some archiving. About three months into it, we're saying, "We're out of space. Performance is terrible."
Quick call to support. Support's great. You have a service manager you talk to, and then they get you to the right team. There's no bouncing around. They do all the schedule coordination, everything like that. Can't say enough about support. We were back up and running within a couple of hours.
Which solution did I use previously and why did I switch?
The general SIEM was brought in, like a lot of SEIMs are brought in, is to solve a compliance issue. To check a box. That's initially what it was brought in for. Now, I'm investigating where we're going to grow this tool. Because apparently, it's sitting in a state that's getting a little stale.
At this LogRhythm User conference I'm looking to see what additional benefits it can provide. LogRhythm can do a lot. It's just a matter of making the right choices to gradually get yourself going down the path of developing it, because it can get overwhelming, like any SIEM.
But LogRhythm's got a nice online community to shape your decision making, like, "Here is where you should start." They've got actual tips and tricks every month that you can get on, really easy things to digest over lunch hour. You've got to dedicate the time.
How was the initial setup?
The recommendation from VAR was to actually have Professional Services engagement. That was one week. Basically, that was just building out the SIEM, creating some basic rules, showing it lay of the land, where things are, where you go to administer, how do you create a case. Really basic administration.
Then, what LogRhythm also built into that was a one-week training, which we did online, which was great. That just built on to that first week of here's how it's built out, and then here's how to use it, here's how the administrate it, here's how you use it for analyzing alarms in your environment.
Which other solutions did I evaluate?
We looked at IBM, and then we also looked at Splunk.
FTE cost. We're a small shop. Infrastructure team is five people, not a dedicated security professional. Cost, being a small shop, ease of maintenance, and ease of use; top four. LogRhythm came in by far the cheapest, was easiest to maintain - this was the initial thought - that's proven out that it is. Then, actually easy to just get in there and look at the logs. It's really easy to use. From not having anybody with any real SIEM experience, to get us off the ground and running was incredible.
What other advice do I have?
From how we use it, I would rate it a 10 out of 10; not knowing exactly where we could go with it, I'd have to give it a nine, because I don't know if there are any challenges inside it. What we're doing is very limited. I would like to, as we continue to grow with the product, see if there are any ceilings on that.
I would highly recommend taking a look at the FTE requirements. They're not all the same. That's huge, depending on the size of your staff, and budget constraints too. There are other SIEM software solutions that have a lot of add-ons that continue to add cost. You need to look at the big picture of what you want it to accomplish. Ours was pretty straightforward with compliance, we didn't have a lot of additional costs. I think those are the two big takeaways I could give somebody.