What is most valuable?
The breadth and harvesting of information the SIEM is capable of doing. I've been in this probably going on 30 years, and I've seen the growth. I found a resource that's outstanding in finding information and then the most important thing, distilling it, putting it together, which is a real big challenge in this field.
How has it helped my organization?
We're a financial service. As our title implies we deal in mortgages, which means we see a lot of personal information, credit reports, financial instruments. We're really concerned that we are able to monitor the movement of that kind of information and protect it.
LogRhythm has been extremely efficient in helping us find the bad guys, who are really out there, they're targeting businesses like us. They specifically want the findings, the money. If you can get in the middle of a loan you may have to go after 10,000 people trying to find the data, but if you can get four houses at $400,000 or $500,000 apiece, you've just harvested $2,000,000.
For us, LogRhythm has given us the kind of insight we need to understand when those threats either are being recon-ed, found out, or when they're really trying a brute force attack to get at us. It's excellent for that.
What needs improvement?
I really can't think of a particular one, I've been very satisfied with what's happening.
I know they're going to get another spike in customer base, hopefully they'll have the ability to ramp up people in support along with the customer ramp up. That's a hard game to play.
I've been part of a number of beta tests, so when CloudAI came out - which is phenomenal: The ability for something to give you information in a SIEM environment, you're often gathering data, writing rules to monitor the data, so you can see what you think you should see. But they're doing inference engine work, where they're looking at what a threat implies, and then presenting it to you.
In our field, false positives versus true positives are a big deal, but they've kind of taken it a step forward. I've come to call it - they may offer me information that I look at, that I didn't know about but I should know about - it's not a false positive because it didn't show a threat. It's a true insight because it showed me something that I wouldn't ever infer myself.
So features like that, the work that they're doing moving forward in that space, especially with machine learning. The sky's the limit in that, I'm looking forward to them doing it.
What do I think about the stability of the solution?
I find it very mature, it's well designed.
I'm sure if you're speaking with other folks today here at the LogRhythm User conference, you'll find that they're talking about all the new product roll-outs. They think these things through. Since I've been in the industry for many years, I've often found people will roll out products very soon. Often before they're mature enough to be out in the field. LogRhythm doesn't have that problem. I've been very impressed with that.
Except for the experience you often have when you do upgrades - and mostly it's the human, not the software - becoming accustomed to the new material, they've done a really great job.
What do I think about the scalability of the solution?
We tried to size what we purchased, as an appliance, properly. You never realize how much data you're gathering until, of course, you see how much you're gathering. You're thinking maybe 100 million records a month, and you find out it's 100 million records a day. But we've been able to deal with that, understand what we're using.
They've also been very helpful about throwing away the stuff. There's a lot of information that computers generate, not all of it is relevant. So we've able with it, to look at stuff and begin to filter out, in some cases, 20% to 40% of the content that isn't relevant at all.
How are customer service and technical support?
I've found through the past two years they've had a few bumps because they've become so popular - I was in customer support years ago, I understand it. When you get a quick rise in customers it's impossible to maintain a support staff at the same time that you're having a fast rise in people who've bought your product. But they've worked through it, they've been responsive to it.
I've been able to talk to the Director of Training, and the Director of Support on a couple of occasions, we've come to know each other, which is really valuable, especially in our business. Because he can look at me and say, "This is what we're doing." I appreciate the fact they're honest about the situation, they know me well enough now sometimes to be blunt, which is great. It's a good rapport, intelligent people, which is really essential.
None of this is offshore, it's all inside the United States. When I used to do secret cleared work, it was always a requirement that it be carried on within the boundary of the US. I've sort of picked that up as a habit, and these guys are really good at it. It's here, occasionally I go up to Boulder and see them, but it's very satisfactory, very reliable. They get on top of my problems, we usually fix them inside 24 to 72 hours.
Which solution did I use previously and why did I switch?
I had to do a proof of concept review two years ago when we were doing a rebid, and LogRhythm was the incumbent. I looked at some other companies. The thing that was essential for me was not only that you could gather data quickly and efficiently, but how you harvested it and how you maintained it. A lot of the other vendors had different ways of doing it, nothing I considered reliable and I was worried about the fact that, as their volume increased, the performance of their appliances would decrease.
What I found with LogRhythm, especially since I picked up one of the newer XMs, is that it has the capability to handle the volume I'm looking at but also, if I want to separate certain parts off onto certain systems, to basically spread those elements out. That was a feature that became really critical for me. Without that I'd be stuck with the pressure of one box, if it fails it takes all my operation out. So I get both, strength and diversity, because I can use multiple systems, they have that flexibility, the others didn't show me that.
Those were some of the things that were important.
Also, being able to handle tens of millions, and hundreds of millions of records from a wide variety of resources. They have something called log source types. Log source types let you ingest data from Palo Alto firewall, Cisco firewalls, big F5s, all sorts of environments, draw the data in and make it relevant.
The other environments - whenever I hear an engineering environment tell me, "Its just a simple matter of programming." It's not.
When somebody says, "Here's the log source type, and this will do this with your data," and you draw in 10 million records from the firewall, and that afternoon you can make sense of it. That was another reason why.
How was the initial setup?
We've lived through three or four years of the product, so in the early time it was major upgrades, releases had a lot going on. But now things are almost completely seamless.
LogRhythym uses both the central environment and then sensors that it spreads out. It used to be that you'd have to upgrade the central environment then get all the sensors. As they've moved through things I can now do one upgrade in one place and tell that central environment to upgrade everything else. It cuts down my time from being 12 or 13 hours for an entire operation, to about three or four hours to bring the main environment up, 15 minutes to start up the upgrades. Then it's time for coffee, come back, usually I'm done.
What other advice do I have?
Things that are important: the first time you get a SIEM in your hands you think it's great to gather everything. Then you find out within a couple of days, gathering hundreds of millions of records and trying to make heads and tails...
Begin slowly, focus on various systems, understand what they mean.
A lot of people go, show me the perimeters, show me the firewall, show me the network. Pull that data in and when you've got it then turn around, look at all of your Windows servers, your domains, those environments.
Moving slowly and classifying your data, so you can make the rules you design really specific. It helps you if you've got control on it, you can throttle volume, but also when you have anomalies pop up they don't pop up because you forgot something in a rule. They pop up because there really is something new.