How has it helped my organization?
From my point of view, at a organizational level, we're able to get that insight into what users are doing, what our applications are doing, whether there is any untoward traffic coming in, whether the applications are misconfigured. It's also used, dare I say, to tick a compliance box.
What is most valuable?
The most valuable feature for me is that it's a single pane of glass for all of the analysts in my team. It gives us complete eyes and ears into what's going on within our environment. We run two separate installations. One is in our datacenter where we handle all of the sensitive data, and one is on the enterprise side, so it gives us a real good visualization of what's really going on.
What needs improvement?
In terms of the product, what really needs to improve are the metrics that you can get from it. We're all about mean time to detection, mean time to response, pulling those metrics out so I can put them into my KPI packs to present to the board. Everyone in a CISO role is having the same challenge. We've got multiple spreadsheets. Being able to leverage the SIEM to give us the information would be invaluable.
The other area is Office 365. We're cloud-first as far as our enterprise goes, and what we lack at the moment is being able to pull that information into the SIEM. I understand that that's coming, so we're looking forward to that.
What do I think about the stability of the solution?
On the whole it's been fine. We've not had any issues with volume, with the system going down. There are a couple of tweaks that you get with older systems. Patching time is always interesting. When you want to do an upgrade, if you're going from a minor version it's fine. If you're going from a major, then it's always good to use the autopilot services.
What do I think about the scalability of the solution?
In a previous role of mine, we had an IT department that thought they could do everything, and virtualization was the way to go. That definitely didn't work. In the current organization, we found the two instances are very, very scalable. Being able to get additional licenses for agents works well, very easy to do.
How is customer service and technical support?
The feedback I get from the analysts in the team is the first-line support is your traditional first line support, they'll log a call. We often get the responses in a timely manner. If it needs to be escalated, we've got good contacts within the wider organization and it gets escalated from level-one to level-two, definitely don't have any issues there.
It's nice to see that the vendor listens. If something does go wrong, they're on the phone giving you the support that you need. Other vendors don't necessarily do that as quickly as LogRhythm.
Which solutions did we use previously?
If we go back nine to 10 years, we had the advent of PCI. The standards council says you needed to use file integrity. The only real solution at the time was Tripwire. That's when I got introduced to Ross Brewer (Vice President and Managing Director of EMEA for LogRhythm). From that point, we knew this was the right solution. We wanted to gather the logs into a central place.
How was the initial setup?
In the various guises that I've had over the years, we've gone from multiple installations across 54 datacenters, globally, into our smaller setups. It's easy to install, it's pretty much, as they say, "out of the box," but it needs to be fed and watered on a daily basis. You do need a team to look after it, which I think is the same with any SIEM out there, but this is much easier to use. And because it's out of the box, you get the information you need within the first couple of hours.
Which other solutions did I evaluate?
With the new organization that I've been with for three and a half years, we spent seven months looking at other solutions out there; looking at Splunk, looking at ArcSight. We did a trial, we stood them up next to each other. Straight away it was fairly evident that the LogRhythm application itself, and the agent roll-out, was straight out of the box. Like I said, it needs feeding, watering every day, but in terms of being able to take the box, put it into your datacenter, get it up and running, they're definitely light years ahead of the competition.
What other advice do I have?
In terms of the criteria for selecting a vendor, it always comes down to cost.
And usability. I like to make sure that my analysts are hands-on when we look at these tools. What's the interface like? How easy is it to use? What's the after-sales like? What's their tech support like? These are all things we need to look at.
Also, which operating systems do the agents run on? Can you integrate into all the hardware that you've got? What syslog feeds can it take? Can it take SNMP as well?
If colleagues were looking to purchase a similar solution, the guidance that I'd give them is make sure that they draw out what they're looking to get from the solution. Make sure they have an inventory of hosts. Don't go all out, don't put everything on at once. As they said, don't try to boil the ocean at once. What are your critical hosts? Feed that information in first. Build case studies. What do you want to get from it, what are you looking for? And then work your way through it.
What I've done in the past is I've asked them to come over to our office and take a look at our implementation. I'm happy to share that information with others. I'm able to give them some case studies on what we've found with the Windows operating systems and some of the other hardware out there.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Nov 20 2017