LogRhythm NextGen SIEM Review

Our ability to respond quickly or the time to detect has dropped significantly. There's some things that we see now that we would have never seen


Video:

What is our primary use case?

My primary use case is to alert to any anomalies that may have security relevance as far as some of the industry regulations that apply to our health care, as well as payment card industry.

How has it helped my organization?

We have a product that is a security orchestration and response tool Demisto and I think that from the standpoint of automation and response perhaps the first version of the playbooks is not going to compare to the product that we have that's a stand alone for that purpose. However from a price point it's very attractive and I think that as it matures we'll look at probably moving over onto the LogRhythm playbooks if it can support the kind of things that we're leveraging out of this other product and it looks like that's their plan.

It was the same that was brought up in one of the talking sessions. Our users will tend to forward every email they don't like just to be safe. It's a spam review and it takes our analysts then a ton of time to go through. So we have leveraged this to go and read from the mailbox that those spam emails all get forwarded to and then to look and analyze the hashes of any files. They'll hash them or the links in the file or the sender or anything that looks funny and it'll do all the things an analyst will do and make its determinations and then we'll see from there if we have anything to follow up on.

Our ability to respond quickly or the time to detect has dropped significantly. There's some things that we see now that we would have never seen. For example, maybe a domain administrator adding an account to a server's admin group that goes against process and policy but they're doing it to troubleshoot something or whatever. We have never seen that before because of the amount of logs that come out of those Microsoft security logs and the fact that we've got 6,000 servers in our environment. But the other things that we would have seen we still see them faster. When we see something that from the power firewalls that verdict change did pass something through, but now it says it's malicious an attachment on an email or something. We can take action now far faster whereas before we might have got the indication out of our antivirus tool when somebody tried to double click the attachment.

What is most valuable?

Most valuable features for our organization are the centralized painted glass for us to go through and triage and see everything going on in our environment. We're a mature organization. We have a lot of tools and a lot of different implementations and to go through all those dashboards monitoring everything is just not possible. So we centralize everything and then we get it, come into the web console and we're able to triage and respond quickly to anything that is important.

We do use many other capabilities with LogRhythm. We of course collect from our printer devices and our servers as well as some of our security specific systems. We'll drink from API's. We'll also implement file integrity monitoring in our data environment. So we use a lot of different features available within LogRhythm.

It makes is possible to stay aware of much more of what's going on. We get an overview, a macro view that we can zoom in on as opposed to prior to that we had individual panes of glass. You might be stuck in the firewall interface for half a day whereas something goin on is not getting addressed that we really should probably investigate. So that's our biggest benefit.

We're not using any of the built in playbooks. We are about to go up to version 7.4 once it becomes available. We were not an early adopter because of our size.

What needs improvement?

There's two that I can think about off the top of my head. One is service protection. So for example to compare it to the antivirus product, if I'm an admin on a server I can't uninstall the antivirus product unless I have the administrator password for the antivirus not the domain administrator passwords. In the same way these guys that are out there doing upgrades in the middle of the night and stuff they don't know why anything isn't working. But the first thing they do is they want to peel off all the security products 'cause they think that's interfering. Then all of a sudden I'll have a server that is no longer even has the LogRhythm agent on it. I'm trying to figure out who uninstalled this and whatever. It gets into a situation where I just go well why is that possible? Product like Symantec antivirus or trapps or something. I couldn't uninstall it from my work station even if I'm a domain admin. I got to have that admin password for the product and I think that should be baked into the LogRhythm agent so we have more stability over our deployment.

The second thing that I would like is, like I said our login level is about 750 million logs a day, but sometimes we'll go 850 or 1.2 billion logs a day. Sometimes maybe 680. So what in my environment changed? I don't have the ability really with the tools they give me to profile the systems very well and the log sources except for running supports which I can look at and kind of the crystal reports interface or I can export it to a big giant PDF or spreadsheet. But then I'm looking, well last month the exchange service kicked out this many logs and it's a little bit more but where did the rest of it go? If I go from 750 million logs average in a day to 850 it might not just be a delta of 100,000 logs increase, it could be 150 because something else might not have generated the same amount of logs.

So for the ability for me to be able to profile a system and say what's behaving normally and abnormally you can do some of that with the AI rules and we've played a little bit with that in the past, but it would be better if it was something like what they're doing with UEBA where I can say this server kicked out 80 million logs yesterday and that's not normal for it. I'd like to see what was going on with that box. That would in some ways where my mean time to detect which servers went through a significant variance in what they typically do would be very helpful for me on a lot of days.

LogRhythm gives us the ability to automate. We do have some smart response plugins that we're using. Unfortunately with healthcare you end up using more contextual smart response plugins then you do actionable ones. I can't go and shut down a system 'cause unless I have absolute 100 percent confidence in the fact that it's not actually touching a person because a biomed is a computerized medical device that connects to a person. So in our environment with a half dozen hospitals, 130 clinics. We can't just go around shutting things down or even necessarily quarantining them because it might be a client server type of situation where we can't interrupt this if maybe they're giving a radiation treatment to someone. We have a lot of different enclaves and things. But LogRhythm allows me to see things that I may want to take action on via a human resource. I can send a desktop tech out there to make sure that whatever it is I'm concerned about is not in fact taking place.

What do I think about the stability of the solution?

In LogRhythm the stability is very good. We're pleased with it. However we have a high rate of logs for at least I think it is. We approach 750 million logs on a daily basis is about our average and if anything stops working or service needs to be restarted it will rapidly vary itself. We don't have too many problems with anything like that it's just from time to time if something's not available, resource it needs, things will begin to back up and then it's exciting trying to recover.

What do I think about the scalability of the solution?

Scalability is good. We had 23 systems not counting the collectors that are big LogRhythm servers, data processors, indexers. That monitors web consoles, pm's. We have in two different data centers we find that scaling for volume is very good. Scaling for the flip over for any disaster recovery situation we don't use Microsoft DNS we use Infoblox and the DR utility up to this point did not incorporate that product line and what was necessary. But they did take it back and that's what I like about how responsive they were. They didn't charge us the PSR's for all the time that we spent when it didn't work. They went back, they worked with Infoblox they handed off a technical document that I can work with my DNS guys back there and then reschedule the hours with PS. So it's really, I liked the way that they addressed it. They made it like we were important. I know we're one of many, but they took that back and they expanded their disaster recovery capability based on the fact that that's what we wanted.

How is customer service and technical support?

Oh, tech support's good. We generate a lot of tickets. Anything from log, sometimes the vendors will enrich their logging but then that changes the ability of the tool to parse it and so then we'll notice that a log is not parsing and everything's going to the catch all rule. We'll open up a ticket, they'll take care of that pretty timely as well as anytime that we have a high issue, something that's affecting our availability and visibility and our network, they're very responsive.

I was back in 2014, so I was assisting someone else who's primary function was to implement it and it was several full versions back. I think it was version six or five or something like that. I don't know what it was. I think your awareness of LogRhythm grows over time. There's certainly ways to do things that are advisable that you can get away with. Rules that are not two and two well when you're on a certain scale once you get big, no technology is going to really handle any efficient rules and log processing policies that are beyond what you need, right? So I think that we probably had a normal growth path and knowledge curve compared to others where we first got it and we tried to do too much, turned on a bunch of rules. Didn't know how to tune them. But I think that right now we have a solid implementation. We have 130, 150 alarm rules running. We're not maxing out resources. Everything is running really well from a reliability standpoint, availability from the product. We do wish that the web console would go back a little bit further with its look in time. However, it is fortunate that they've embraced some of the other stand alongside technology like Cabana and ELK stack where we can take a look at the parsed data and trend back over time.

What other advice do I have?

LogRhythm gives us the ability to automate. We do have some smart response plugins that we're using. Unfortunately with healthcare you end up using more contextual smart response plugins then you do actionable ones. I can't go and shut down a system 'cause unless I have absolute 100 percent confidence in the fact that it's not actually touching a person because a biomed is a computerized medical device that connects to a person. So in our environment with a half dozen hospitals, 130 clinics. We can't just go around shutting things down or even necessarily quarantining them because it might be a client server type of situation where we can't interrupt this if maybe they're giving a radiation treatment to someone. We have a lot of different enclaves and things. But LogRhythm allows me to see things that I may want to take action on via a human resource. I can send a desktop tech out there to make sure that whatever it is I'm concerned about is not in fact taking place.

If I had to rate LogRhythm I would say I give it an eight out of ten. I think that I like the direction that they're going as a company. I like their philosophy and their milestones that they lay out at these conferences. I do like them also from a product standpoint because some of the competitors are just not, they're price prohibitive as far as volume especially when you look at SIEM tools like Splunk. Small shops can afford Splunk, but big shops you got to really need Splunk to really afford it. The same with Qradar that's what we had previously where we were at and they just became price prohibitive. So I like LogRhythm, they have the full package. I like where they're going with network monitor. I like the UBA stuff. We're not currently using that. I like the playbook integration. It seems like they're really thoughtfully maturing their product line and I think that gives me confidence for even if I have a pain point now they're going to address that going forward.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest
Sign Up with Email