What is our primary use case?
We use it to monitor our firewall logs for all of our locations, all of our network logs, and alerts. We also monitor any new users added to the network or who are locked out, any new installs or uninstalls of applications on servers. And we have reports generated for any types of processes or hashes that have been run on computers or servers.
How has it helped my organization?
It gives us a real idea of our network environment, VPN access, alerts and more. We are able to identify where we're getting scanned externally from potentially malicious IP addresses. We can react to those a lot quicker than we could previously.
EventTracker has increased productivity and saved us time, absolutely. We would have to hire a full-time person to review logs if we didn't have EventTracker. I get daily and weekly reports that I review within an hour or two, each day, versus having to go look at logs on each machine. It would take me three or four times as long to review all those logs if they weren't all in the same dashboard report or alert.
What is most valuable?
The network alert is the most valuable feature. That way, we in the IT department are aware of user lockout and invalid password attempts way before a user ever even calls in. We can resolve the issue a whole lot quicker than waiting for the user to call us and figure out that they're locked out of the network or need some assistance with their password or the like.
The system's UI is pretty good, intuitive, and user-friendly.
EventTracker SIEMphonic has been a good add-on piece because doing all the logs can be time-consuming. Having a nice, weekly summary report, and the supplemental logs with them, in the event that you need to dive in any further, is helpful. Having somebody else reviewing those logs as well, on their team, is very helpful and beneficial to us.
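As an added illustration of the lockout, invalid-password and new-user alerting described above (example code written for this page, not EventTracker's own logic), the detector below runs over constructed Windows Security events; the one-line log layout, the sample data and the three-failure threshold are assumptions, while event IDs 4625 (failed logon), 4740 (account locked out) and 4720 (user created) are the standard Windows Security IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed "timestamp event_id user source" layout;
# this is not EventTracker's export format, just enough to show the logic.
SAMPLE_LOG = """\
2024-03-04T08:00:01 4625 jsmith 10.0.5.21
2024-03-04T08:00:07 4625 jsmith 10.0.5.21
2024-03-04T08:00:12 4625 jsmith 10.0.5.21
2024-03-04T08:00:20 4740 jsmith 10.0.5.21
2024-03-04T08:05:00 4720 contractor01 10.0.1.2
2024-03-04T09:30:00 4625 mlee 10.0.5.40
"""

FAILED_LOGON = "4625"     # Windows Security: an account failed to log on
ACCOUNT_LOCKOUT = "4740"  # Windows Security: a user account was locked out
USER_CREATED = "4720"     # Windows Security: a user account was created

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\S+) (\S+)$")

def parse_line(line):
    """Parse one assumed-format line into a dict, or return None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event_id, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "event_id": event_id,
            "user": user, "src": src}

def detect(log_text, fail_threshold=3, window=timedelta(minutes=5)):
    """Return alert strings for lockouts, new accounts and repeated failed logons."""
    alerts = []
    recent = defaultdict(list)  # user -> timestamps of failed logons still in window
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip unparsable lines rather than abort the whole run
        if ev["event_id"] == ACCOUNT_LOCKOUT:
            alerts.append(f"LOCKOUT {ev['user']} from {ev['src']} at {ev['ts'].isoformat()}")
        elif ev["event_id"] == USER_CREATED:
            alerts.append(f"NEW_USER {ev['user']} created at {ev['ts'].isoformat()}")
        elif ev["event_id"] == FAILED_LOGON:
            # Sliding window: keep only failures within `window` of this event,
            # and alert exactly once when the count reaches the threshold.
            kept = [t for t in recent[ev["user"]] + [ev["ts"]] if ev["ts"] - t <= window]
            recent[ev["user"]] = kept
            if len(kept) == fail_threshold:
                alerts.append(f"BRUTE_FORCE? {ev['user']} {fail_threshold} failed logons within {window}")
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```

The single failed logon for `mlee` stays below the threshold and produces nothing, so the output is one repeated-failure alert, one lockout and one new-account alert.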
What needs improvement?
There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, which requires a solid-state hard drive. So we have upgraded to the solid-state hard drive, but we are waiting for them to migrate over to the new drive, and then we'll see if our search results improve. Depending on how many logs you have, it could take a long time to return the results if you're looking back prior to the last 30 days for, say, auditing purposes.
In other areas, it meets or exceeds our expectations.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It's really stable. It's pretty low-maintenance, once you get it set up, as long as the server that it's hosted on is up. We haven't really had any issues with a system problem with EventTracker since we implemented it.
What do I think about the scalability of the solution?
It's definitely scalable. You can get all the way down to endpoints. They support multiple devices, applications, different firewalls, desktop, laptop. You have the ability to add in those logs. We have chosen not to do that at this time because we're mainly concerned about our servers and our domain, and it captures a lot of those logs. We have some offices that don't have a domain. For them, we just get their firewall logs because we are not too concerned about their individual workstation logs.
How are customer service and technical support?
They are very responsive. They're monitoring stuff as well, with that SIEMphonic piece. They're monitoring your logs and if there's anything you have deemed critical, they're making you aware of it, to make sure that you're aware of it. They do a really good job of following up and trying to do as much as they can to assist you in any way possible.
Which solution did I use previously and why did I switch?
We did not have a previous solution. They had already purchased this product before I came into the organization. There are a couple of systems out there where people have reached out to me throughout the years and said, "Will you do a demo or evaluate our system?" But in my opinion, there's nothing that really stands out that would make me want to leave EventTracker.
Even cost-wise, if somebody is cheaper - and I don't believe that they are - it's not significant enough to make that change and go through that whole design and implementation process again, just to save a little bit of money. We are familiar with EventTracker and we're getting the good service that we expect. We really don't have any desire to go with any other vendor at this time.
How was the initial setup?
The initial setup is complex. It really depends on what alerts and reports you're looking at and what you want to filter it down to. It really depends on how much data you're looking at capturing and how to get that configured, working with their team on getting that configured for you. It was a long process from start to finish.
Now that it's in place, there are hardly ever any issues or any hiccups with it. But the initial setup can be a little time-consuming. You have to make sure you have adequate time if you're going to implement SIEM or an event-log correlation system.
Our deployment took a good 60 to 90 days from start to finish, working through all the reports and filtering it down to what we wanted. That included our firewall logs and deploying it on all the machines.
We really didn't have an implementation strategy at that point. We were just trying to get it implemented as quickly as possible on our domain server. Then we expanded it to all of our servers inside our network and then all of our firewalls.
What about the implementation team?
They provided assistance and they do with that SIEMphonic piece. We purchased training from them and then worked with them directly on what we wanted configured and how to configure it. They did most of the heavy lifting of actually configuring the reports and all the alerts. If you want filtering you can ask them, or you have the ability to go in there yourself. I personally don't have a lot of time and resources to do that, so using their staff and the resources has been very beneficial.
Overall, they are very professional and good to work with. Some of their trainers were difficult to understand, as there was a language barrier. Some other staff from outside of the US, some of their training people, the technicians who provided training, were very difficult to understand. Others were not hard to understand. It was a case-by-case issue. But we did have some issues with trying to understand them during the training. We expressed our concerns and, of course, they addressed that. It was a process we worked through.
What was our ROI?
We have absolutely seen a return on our investment in EventTracker.
What's my experience with pricing, setup cost, and licensing?
The solution is fairly expensive, but in my experience, all of the SIEM applications that I've evaluated or looked at cost about the same. It's just what a system like that costs.
Which other solutions did I evaluate?
I've looked at AlienVault. That's the only one that I can recall looking at extensively. But cost-wise it really wasn't worth it to us to switch to that system. It might have had a few more features, but EventTracker has done really well on constantly adding features and changing their UI and adding dashboards and getting more data on there that you want. I have no reason to make a switch.
What other advice do I have?
If it's your first SIEM event-correlation system, be prepared for a long process. That's not just because it's EventTracker. That seems like that's what that process takes. Again, it really depends on what data you want to capture and how much data you want to capture and how you want to review that data. That configuration process can be very time-consuming.
We're on EventTracker 8 and we're getting ready to upgrade to the most recent version of nine, but we have not upgraded yet.
I don't typically use the dashboard widgets. I have everything configured in daily, weekly, and monthly reports. We have real-time alerts configured as well. So I'm not really utilizing the dashboard widgets. I know it has a lot of features and options but I manage the system from the reports and real-time alerts. In terms of the screens we use to view the solution, we mostly use the Excel reports that are generated daily and weekly. I access them, as well as the real-time alerts, from all devices. You can view them and see the details from any type of device. But I'm looking at the alerts through my email client on whatever device I'm on.
We have logs coming from our firewall configured to auto import log data, but we are not manually importing any log data.
Currently, there are only two users in EventTracker: myself, as the information security officer, and another gentleman here at the bank who is the backup information security officer. He functions more as a backup, but he's never had to step into that role and use the system. He received the training, but I handle the whole system. I'm the only one deploying and maintaining the system.
We have internal staff resources for internal incident management but we do not use the EventTracker SOC team. We handle the incidents internally, leveraging the reports and alerts.
We don't have any plans to increase usage, unless we add one or two offices as we do naturally in our mortgage division.
The difficulty with the language barrier at times with their training and technical support staff is a problem. That's why I'd rate it an eight out of ten.