LogRhythm NextGen SIEM Review

CloudAI gives us analytics into our user's behavior and whether or not they are acting outside of their norms. It has helped me to identify a lot of policy violations inside of our networks


Video:

What is our primary use case?

The primary use case for this solution is to monitor our environment and ensure that we are not having any breaches. In addition, this solution allows us to maintain compliance with HIPAA .

How has it helped my organization?

The SIEM and the CloudAI has improved our organization by helping us track down errors in our network. It has helped out our IT services team, and it's also helped out our database team in trying to track down errors inside of our network. It's also opened our eyes to a lot of the attacks that have been coming in to our network from outside threat actors. It's helped us stop a lot of those attacks as they're happening, and it's also helped us identify some policy violations inside of our network as well. 

I haven't used the playbooks yet, but from what I've learned here at RhythmWorld, I will be integrating the playbooks as part of our incident response policy.

What is most valuable?

The most valuable features for me are the customization features. I can build it out to do whatever I want. I've created rules in there for Crypto mining and Crypto jacking. 

The compliance aspect is phenomenal. The reporting in there is fantastic. It helps our internal audit team. It also helps us with our compliance, as well, for our audit. So it's a lot of good options in there.

CloudAI gives us analytics into our user's behavior and whether or not they are acting outside of their norms. It has helped me to identify a lot of policy violations inside of our networks. A lot of bad habits. Just for a specific use case, I've identified where an account that should have been disabled was being used by another user inside of our network. A lot of policy violations. A lot of geographical location identification inside of the networks.

CloudAI-UEBA has enhanced my security operations because I've been able to track down users with anonymous behavior. To be more specific about that, I've been able to track down users that were using accounts that they shouldn't have. So for example, we had a user that left the company and another user was using that account to access servers inside of our network that they didn't have access to. So it's very powerful. It just takes some learning to get used to.

What needs improvement?

I have over 3,300 log sources. The support for log sources is pretty good, unless you want to go to the cloud where I've had some rough spots with that. I had a hard time integrating with Office 365 because my antivirus wasn't supported. I had to get some custom parsers in order to get that integrated.

I would say that better API support for cloud log sources would be a definite improvement. 

Ease and setup would be a major improvement because it took over a week to get it all up and running, and that didn't even count tweaking it and getting it all set up for my environment. There's some room for growth there.

What do I think about the stability of the solution?

The stability is decent. During the day it works just fine. We do a lot of reporting at night and it hits the system pretty hard, but other than that, everything works perfectly. During the day, searching is perfect. It runs perfectly. The stability is fine except for those heavy hours.

Stability for CloudAI has been great. I haven't seen any issues with it dropping. I haven't had any issues with that at all.

What do I think about the scalability of the solution?

The scalability for the most part is OK. The product has some hard stop limits on what your processor can handle.  I have an XM appliance, which means it's an all in one.

I have some hard limits on how far I can go with the processing rate. So if I go above that I'll have to spec out a whole new system and then renew my license. I don't see that happening anytime soon in my environment.

How are customer service and technical support?

I have used tech support a few times when getting things set up. For the most part, they are pretty quick to get back to you and very helpful. They've also showed me a lot of tips and tricks to make things either run better or to get better results for my SIEM. The customer support is fantastic.

Which solution did I use previously and why did I switch?

I knew that we needed a SIEM solution because we had no visibility

We didn't have any SIEM monitoring tools up until I showed up at the company. We didn't have any visibility into what was going on on our networks or on our systems. So that was one of the first steps that I took when I came on with the company.

Which other solutions did I evaluate?

My shortlist was Rapid7 InsightIDR, LogRhythm, and Splunk

I had a live demo of InsightIDR running in my environment and I liked LogRhythm a whole lot more, a whole lot better than their solution.

What other advice do I have?

On average, I process around 1200 messages per second.

So measurable results for mean time to detect and mean time to respond. I don't have measurable results because there wasn't anything there beforehand. But now, we've responded within hours to events that could have been breach incidents, or in some cases within minutes and stopping attacks in their tracks.

My security program's maturity is still in its infancy. I'm basically starting it from scratch. LogRhythm has been a major step with giving me file integrity monitoring, the SIEM capabilities, log collection, a lot of things that we didn't have before. User behavior has been amazing for helping me keep track of what's going on in my network. So it's been a major stepping stone. It's the first in many.

I would rate LogRhythm as an eight out of ten because of the compliance factor. The modules for compliance are fantastic. The UEBA and CloudAI are solid for user behavior, and the SIEM itself is very powerful. I work very heavily in the customization aspect of it. Writing my own alarms, my own rules to try and track down events and alarms, stuff going on inside of my network. My only complaint really is just the lack of API support and how much work it takes to bring in cloud. That definitely needs some work. And just the time to set up is very time-intensive.

If I had a friend or a colleague that was looking to implement a SIEM, I would definitely recommend LogRhythm, and I would pretty much give them the same answers that I gave here where cloud support is still growing, but the tools that it has are very powerful. The behavior analytics are fantastic. It definitely would have to be on their list at least to look at.

**Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Add a Comment
Guest