What is most valuable?
- Correlation Engine simplicity
- Visual agent deployment
- Stream-based solution performed by the iSCALE bus (no latency due to the database layer)
How has it helped my organization?
- Better security incident analysis
- New scopes for security events and correlation
- Better performance of device failure actions
What needs improvement?
- Agent development flexibility
For how long have I used the solution?
I worked on version 5 and then 6 for a total of 6 years. My personal score is 4 stars, based on my experience with the latest version I worked on (version 7 is probably much better).
What was my experience with deployment of the solution?
On version 5, the builder was somewhat unstable during deployment; the workaround was a strong procedure with too many intermediate save steps.
What do I think about the stability of the solution?
The wizard agent module is very sensitive to network changes and needs a restart on every network change (versions 5 and 6).
What do I think about the scalability of the solution?
I have not seen any issues with scalability.
Which solution did I use previously and why did I switch?
I had another SIEM installation (nFX) working for another application domain.
How was the initial setup?
Complex, but mainly because of all the network variables we had. Imagine mapping firewall rules passively and then requesting the capability from an external group not really involved in the installation.
What about the implementation team?
Actually we were the system integrator and we provided a large enterprise solution.
Which other solutions did I evaluate?
Novell SIEM was my second technology of this kind. Previously I had experience with nFX, and later also with McAfee ESM and Splunk ES.
What other advice do I have?
Be aware that without any technical support from NetIQ it could be very hard to administer.