LogRhythm NextGen SIEM Review

We can now pick up what is anomalous in our network


What is our primary use case?

Primary use case for the SIEM would be for log collection and threat identification.

We're still in the beginning stages of our security solution, as far as maturity. Two years ago, this security program didn't exist. 

How has it helped my organization?

Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job.

What is most valuable?

The analytics that it does.

Full-spectrum analytics capabilities, which we use for:

  • User behavior.
  • Watching and monitoring for login events or any anomalies.
  • Going through and watching trends.
  • Knowing what activities endpoints are doing, where they're going, what websites they visit, then making sure that they're within the norm, or picking up on any outliers.

What needs improvement?

I would like to see APIs well-documented and public facing, so we can get to them all.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

When it comes to a single version, it is rock solid. We haven't had any major bugs or flaws that haven't been involved with upgrading or going to another version. As long as you're on the same version, it is rock solid.

What do I think about the scalability of the solution?

It works. The biggest thing with scalability is looking at how much data you have to ingest, so if you have to build the DX to be a specific size, then you have to plan out how big it's going to be. Therefore, it doesn't necessarily scale easily, but you can add additional data indexers at any point.

How is customer service and technical support?

The technical support is very good. They are in the top two to three companies that we work with.

How was the initial setup?

It's very complex. As with anything, it takes time to get it working and know all the different nomenclature with it.

I do the deployment and maintenance of the solution myself.

What was our ROI?

I have seen a measurable decrease in the mean time to detect and respond to threats. We went from not detecting them to detecting them. We can actually pick up what is anomalous in our network now.

The solution has provided us with consistency and increased staff productivity through orchestrated automated workflows by at least 20 percent.

Which other solutions did I evaluate?

Our top choices were LogRhythm and Splunk.

Splunk is a data lake that doesn't necessarily do any analytics, whereas with this solution we're looking at all the analytics. We can quantify data, we can drop data, and we can do what we need to, plus the pricing model is better.

What other advice do I have?

Know what you want it to do. If you buy a SIEM because it's called a SIEM or someone says it's a SIEM, you're going to end up with what someone else believes they need. Figure out what you need beforehand and make sure that those bullet points are covered, because there are a lot of options.

We're currently using the built-in manual playbooks. So far, the features are very good. They are growing. I am looking forward to seeing how they expand upon it.

The automation is coming. The API access and everything else we're looking for to be able to deeply automate a lot of common tasks is still being built in. Right now, we can do automation on simple tasks. For example, if it sees something bad, it can take it off the network and put it in our remediation subnet. However, it does not have the capability for complex investigative actions yet.

Right now, we have about 3000 log sources and 3000 messages per second.

Disclosure: I am a real user, and this review is based on my own experience and opinions.