What is our primary use case?
We were struggling at the event level, like a lot of people do, in terms of centralized event management and notifications. We just did not have a single pane of glass where we could see events, potential issues, all on a fine thread of a timeline to compare across our enterprise. We needed to know: Is there anything else going on at the same time?
We use it extensively. Every product that we have on our network is tied into it. That's been huge for us. The thought process was, "If we're going to put it in place, we want every end-point out there to be cycling through logs or have syslogs pulled into EventTracker." Otherwise, it just didn't make sense. We wanted to have eyes on every device out there.
How has it helped my organization?
It's come in tremendously handy. We've had small incidents crop up that we've been able to isolate immediately or dig further into because of this. Without that "full-glass" look at everything we've got going on in our environment at a particular time, we would be chasing our tail a little bit: "What's happening here? Do I need to go look here? Do I need to go look there?" The ability to pull those logs in from not only all of our desktops, all of our servers, all of our appliances, but from anything else that could be logging an event, has been tremendous for us.
It has limited the time that I've had to spend combing through any device and syslogs. For example, firewalls: I'd be looking through events to try to find out if anything looks abnormal. EventTracker not only does centralized tracking, but it does a fair amount of behavioral analysis as well. It tells us: "Hey, here are events we haven't seen before." It even calls to my attention processes that are new, including unsigned processes that we need to be aware of in our environment. We also utilize their Snort plugin on the front-end. It indicates traffic that's coming in that we might want to be aware of.
We tend to start blacklisting and block-listing a tremendous amount of external IPs based upon things that the solution sees on the outside. Those could just be events hitting our firewall, but unless I'm sitting there watching my firewall on a continuous basis, I'm probably going to miss a lot of them. EventTracker is collecting that and pulling it all into a quick and easy notification. On a daily basis, I get that report to rehash: "Did you see these things? Are these acceptable? Here's behavior that we haven't seen before from this particular user." It makes me aware of things so that I can validate. It gives me a good check and balance on what we have going on in the environment and what they're seeing through a collection of event logs.
Because we've been using it for so long in our environment, I've pushed my daily duties onto other things. I've moved into other areas since I don't have to constantly monitor this equipment or the logs or check back on things. It's probably cut down 50 percent of my workload, in terms of tracking and watching and trying to play a little bit of triage after the fact. It's giving me heads-up notifications immediately. Then, as we hash back through things, either on a daily or monthly basis, we're looking at what it's finding and what we are missing. Are there things that are still cropping up that haven't been taken care of that maybe slipped through the cracks? It's not only cut down a ton of my time but even our staff time which used to be spent watching and maintaining logs on various products.
What is most valuable?
The solution is on-prem and we also utilize them for fairly full, managed services. They do tend to babysit it quite a bit. We get daily reports that they piece together for us which walk through everything that they're finding and seeing. And we sit together in a monthly service call to walk through what they found over the course of the month, just to compare notes. We backtrack and check to make sure that nothing stood out and that we didn't miss anything or to hear if they've got any concerns or questions. They're putting in the time on a daily basis for us on that.
Another valuable feature is that we've tied it into pretty much everything that we have. We've got it tied into our Office 365 and it's helping us monitor even the spam garbage there, the consistencies or the abnormalities on the spam. We've got it tied into our firewalls and into just about every appliance we have as a front-line or an in-between, including VPN and the authentication that is coming through there. It's also tied into anything that's cloud-based. We might tie into IIS logs, our antivirus logs. It's huge that it gives us that single dashboard overview of events happening, all at one time. It's been tremendous for us.
I really appreciate the fact that the dashboard breaks everything down into a pretty easy view for me. I can pass it along, not only to my boss, but to senior management, if needed. I can show them what activity is being monitored, what types of incidents there are and the type of risk, if there is one. It shows what changes are happening to privileged user accounts, access and identity, what's cropping up. It shows application activity and whether we've got system resources that aren't online and being found anymore. It's a pretty simple, easy, quick hit and there are the supporting logs behind it. If I need to drill down further, I can do that quickly. It's very effective.
I just want to know what's going on on the end-points. If anything gets flagged, if anything's out of order, chances are pretty good we're going to get it flagged on a couple of systems, whether it's a desktop or a firewall or an outbound request. It might get flagged on our AV, but at least I'm seeing it across all of those systems at a given time. So I really appreciate having that single location to look for any event that might be something which warrants a little bit more work.
I don't play around too much with the dashboard widgets, the stuff that's built-in. I get a daily report and, based on that, if I need to, I'll dig into it. So I don't customize things too much. I go back through things on a monthly basis as well. The dashboard is an easy enough layout and I've gotten used to using it or digging down deeper so I don't really change much in there.
In terms of log importing, I've never really had any problems with it. Everything that's a syslog is a pretty easy tie-in and pull-through. Anything else that's agent-based, like a desktop, we've had very few problems with. Microsoft's Direct Access, their direct-access, always-on VPN product was a little bit of a tough one that we had to work through to get those to pull across. But overall, the agents seem to be pretty stable, pretty efficient. They're pulling through everything that we need at this point. Anytime we've pulled in, whether it's an antivirus product - we've gone through a couple of them - various appliances, even Office 365, it has been very well-versed on all the major brands out there. If we want to pull those in or pull in the syslogs or pull in those events, we've never had an issue.
What needs improvement?
They haven't had to fix much, but we have come back to them with requests for very specialized reporting. Something that's not canned. We might be looking at a particular functional area where we want to track specific data or specific login times. If I were to put in the time, it might be easy to do or it might take me a little while. But these guys can roll it back to me so quickly that I don't think twice about throwing those at them and asking for a report or a particular search. Probably the biggest thing is just: Can I search for this and what's the best way to do it? If I'm looking for two events versus a singular event, I just throw it back at them. They're the experts on it.
Right now I simply can't think of anything that we're lacking. I don't have much to throw back at them at this point.
That could change as everybody's continuing to move towards a cloud product or with the cloud products themselves, all the services which we're slowly moving toward on the cloud. We're an Office 365 tenant right now, but I can see that over the next three to five years that's going to continue to increase. I'm excited to see how they can continue to structure their product to help us take advantage of the viewing, the monitoring, and the tracking of those products. Until we get to that point, I just don't know whether they've got everything we need, or if there will be things we will need to ask for that we simply didn't require in the past.
For how long have I used the solution?
We have had EventTracker in-house now for a good five years.
What do I think about the stability of the solution?
The stability has been very good.
The only time we might have had downtime was based on our requirements where we were moving to new hardware. That doesn't happen much now because we're virtualized. But we tend to archive a lot of the data so we've moved that backend data store a couple of times. They'll either walk us through it, or they'll just take care of it if we don't have time for it.
In fact, later this afternoon we're doing exactly that. We're moving off of an older SAN to a newer SAN. We'll disconnect the old SAN, validate that all the data is flowing the way it should be in the searches and that the search capability against the archive database is still valid. Overall, it's really pretty simple.
What do I think about the scalability of the solution?
We're small. I'm assuming that the scalability would be no problem given all the other feature sets. When we've brought things on board, we've never had an issue. I don't know how large this scales or of any limitations to it. The backend data might be just what you have available. I've never been too concerned with it because we don't scale up really large. We're pretty stable as far as the number of devices goes, internally for us. I don't see that really changing much.
Most of the devices or products that we've talked to folks out there about have syslogs of some sort that we can point back. That's what we plan to do. I don't even know where that's going to go at this point, but I know that as we move into the cloud space, I want to continue to tie that into EventTracker. I want to make sure I've got eyes on everything that we're communicating with.
How are customer service and technical support?
The support group is tremendous about asking me if there is anything else I want, is there anything more they can do, and I'm left a little bit speechless. I've asked for various reports or can we have something else tracked individually. That's usually a pretty quick turnaround. Their support has been very good. We've got a great relationship. They do a great job of checking back to make sure there's nothing we're missing.
I'll email their main group. I have some individual contacts and I'll reach out to them occasionally, if I need to. Typically, I try and go through their main security operations center. I get the daily email from them, and that's who I would reply back to.
If I've got a request, for example, if we're shuffling around some backend databases, something we've got to move off of a backend SAN to a new SAN, I'll just reach out to them. "Hey, we're looking to do this." Response time from them is pretty quick. We have had emails back and forth within 15 to 20 minutes.
They're very easy to get ahold of. Their security center might be maybe in a different time zone, but I've never had a problem, here in the Central Standard Time zone. Anytime I've reached out to them, I've always gotten a response pretty quickly.
Which solution did I use previously and why did I switch?
We did not have a previous SIEM. That was a very big push for us. We realized how little we had in the way of eyes on all of our products, unless we did a manual, individual triage. And even then, it was pretty limited. We knew we had a huge blind spot by not putting in a SIEM. It's been phenomenal for some of the small incidents that we've had crop up. It's been fantastic.
How was the initial setup?
The setup was actually quite easy as are the upgrades and the patches that we go through. The initial setup was a pretty simple walkthrough on their part. We bundled that in as part of the product when we purchased it. The agreement was that they'd do the setup themselves but we wanted a walkthrough as well so that we had some knowledge here. We didn't want them to just set it up and do a hand-over-the-keys deal. So we stepped through it together, which really means I did a lot of watching as they were doing a lot of the setup.
We walked through it through a WebEx. I had the server side set up on our side. At that point it was just a matter of them leading: "We're going to go here. Where's your data storage? Tie that in, install."
Out-of-the-box it was pretty straightforward and easy to use. We started pulling in all the clients as we pushed out the agents to the desktops; that was pretty easy. It was non-intrusive to our users, which is a big deal. We didn't want it to intrude on anybody. In fact, when we push out agent updates to desktops - it doesn't happen that often, maybe once or twice a year - those agent updates are seamless. Nobody's aware that that has even taken place.
If you want to do it, they'll certainly help you through it. If you want them to do it, they'll allow you to just watch what their process is in case you want to do it the next time.
Our company has about 225 end-users. We obviously have more devices than that, but not more than about double that. In terms of deployment, it was just me involved from our side.
We had things up and running within half a day, when we started doing a little bit of discovery and collecting. After a couple of days of letting it run through the system and doing discovery we found, "Those are the pieces that we've missed. Yeah, we're going to add this or that in." Now, we tend to roll through one-third or one-fourth of our desktops on an annual basis. We'll do the discovery - the agent installs pull those in. It requires very limited staff time on our part. Our helpdesk now installs the agent as they roll out a desktop, which is pretty easy. We pull it in, I validate. There's not a lot to it.
What was our ROI?
It has its value, especially when I can say that it's taken over what I was spending about 50 percent of my time on. Not only has it eliminated the need for me to spend time there, but I can put that time to use elsewhere. It's absolutely well worth it.
I'm not really the money guy or the budget guy, so I couldn't tell you from a dollars and cents standpoint, but return on investment just for my time alone over the last five years has been tremendous. I no longer spend that daily time - I don't want to say "wasted time" - but it used to take me a tremendous amount of time to sit there and try and play catch up on logs, looking for events and trying to track things on my own. That's been massive. That's been tremendous, not only for me but for the company. It's been well worth the money so I can put my time somewhere else.
What's my experience with pricing, setup cost, and licensing?
I don't know if the pricing is by the seat but we're paying about $20,000 to $25,000 a year. On top of that, we pay for the managed support services. That runs us about another $35,000 or $40,000 a year.
Which other solutions did I evaluate?
At the time, EventTracker was one of the few that did a bit of that behavioral analysis. There was another one, the name escapes me right now. But it was the only other product that I felt was in the same quadrant, as far as feature sets and the behavioral analysis go. We did not evaluate very many.
What other advice do I have?
They are a fantastic team. I would stack them up against anybody. If anybody asks us what we're using for a SIEM, I'd say that this is what we're using. I highly recommend them.
Stack it up against some of the other products out there. At the very least, know what you're looking for. Or, if you don't, throw it back at EventTracker and say, "We're looking to do this, can your product do it?" Let them know what you're looking to gain from this.
We started out in the same boat: "Well, why would we use you guys versus somebody else?" We had a defined requirement, that we wanted to have centralized event and incident management, and that's exactly what we got.
You need to find out if it's going to match all of the various appliances and the OS you have. Is it going to be able to pull in the syslogs? What type of products do you have in your environment? Are you pulling in Cisco devices? Whatever your firewalls are, make sure that they're matching up. I had no doubt in my mind that they were going to match up to everything in our environment, right upfront, as we gave them the list and we did that self-discovery. I think part of it was the workbook process. What are your devices? How many are there? What are you using for mail? What are you using for backend storage? What do you have for databases? What are the products on your network? Make sure it matches up.
I have no doubt that they'll match up well with everything out there but make sure that whatever is on your network that you want to monitor, that those specific vendors and those devices match what they can track and log events against.
Every month, when we do an assessment they ask what more they can do. Until something crops up that leaves us a little bit blind or unsure, I really don't know what they're not giving us at this point. We haven't started looking at any other products to fill any gap. I don't have a laundry list of anything I'm waiting for them to come back with, whether it's a fix or a feature.
I'll do a lot of event searches myself, more out of curiosity than anything. I might chase something down if we get a flag or notification and look for what else is taking place around that event, to get a clear picture of why it was flagged. Was this something that we brought into the environment? Were we installing something at the same time that something was flagged? What was going on? So I tend to go into the event searches a lot and the managed devices, looking for non-reportings. Those are probably my two biggest hits.
When it went from version 8 to 9, the UI changed up a little bit, so it took a little bit of getting used to. They provided some on-call support to walk through things as I was asking them questions: "Nope, that's here," or, "Give this a try." They also had some pretty easy tutorials to walk through. I've done that a couple of times just to refresh myself as far as where things are. But, like I said, because we tend to lean on them for a lot of the managed side, I don't dig into it as much as I used to when we first got started with it. It's been huge just to have them a phone call away or at arm's length to say, "Can you guys take a look at this, or do this, or verify this for me?"
Typically it's just on my desktop at work. If I'm taking a look at the dashboard, I might pull up user devices - what's not reporting in. That's a biggie for us, especially as we roll out new devices and we're getting agents out on those devices. I want to make sure that they're being pulled in correctly and that I'm seeing logs. I may take a look through some of the threats, but again, their support does such a great job of combing through all the threats and kicking out any notifications to me that I don't spend a lot of time in there.
In terms of integrating it, we haven't tied EventTracker back into anybody else. At this stage, we're tying everybody into EventTracker. As we start to move into more of the cloud space, there may be some of those cloud-authority services that this may tie into. We haven't gotten to that point yet.
The biggest lesson I've learned from using it is that I think we'd take a huge step backward if we ended up losing EventTracker; whether it's EventTracker or a SIEM product of that caliber. We're part of critical infrastructure and the threats against that infrastructure have increased a tremendous amount over the last five to seven years, whether it's on the network side or the OT side.
Having the eyes and ears to be able to manage and monitor those types of events against us, in our industry, is massive. Being under a constant threat, like everybody else out there, we want to know what we have, what's in our system; we want to know where the abnormalities are. We want to see the events on a daily basis. You have to track them. You have to be proactive. You have to take some action on those things on a daily basis. Having this in place gives us the ability to see what's going on, on a daily basis, on all of our systems across the enterprise. That's massive to me.
I would absolutely rate EventTracker a ten out of ten. I love it.
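Two of the checks the reviewer leans on most, "here are processes we haven't seen before, including unsigned ones" and "managed devices that are not reporting in", are simple enough to show in code. The block below is an added illustration written for this page; it is not EventTracker code and does not reflect how the product implements either check. The log format, host names, file paths and the 24-hour silence threshold are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not real EventTracker output). Each line is a
# syslog-like record of a process start: timestamp, host, image path, signature state.
BASELINE_LOGS = r"""
2024-05-01T08:00:01Z host=ws01 image=C:\Windows\System32\svchost.exe signed=true
2024-05-01T08:00:05Z host=ws02 image=C:\Windows\explorer.exe signed=true
2024-05-01T08:01:10Z host=srv01 image=C:\Program Files\Backup\agent.exe signed=true
2024-05-01T08:02:00Z host=ws03 image=C:\Windows\explorer.exe signed=true
""".strip().splitlines()

TODAY_LOGS = r"""
2024-05-02T09:00:00Z host=ws01 image=C:\Windows\System32\svchost.exe signed=true
2024-05-02T09:03:12Z host=ws02 image=C:\Users\jdoe\AppData\Local\Temp\update.exe signed=false
2024-05-02T09:05:40Z host=srv01 image=C:\Program Files\Backup\agent.exe signed=true
2024-05-02T09:07:01Z host=ws02 image=C:\Tools\putty.exe signed=true
""".strip().splitlines()

# Every device expected to send logs, including syslog-only devices with no agent
# (fw01 stands in for a firewall). Hypothetical names for the example.
MANAGED_DEVICES = {"ws01", "ws02", "ws03", "srv01", "fw01"}

# Lazy match on the image path so paths containing spaces still parse.
LINE_RE = re.compile(r"^(\S+) host=(\S+) image=(.+?) signed=(true|false)$")


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, image, signed = m.groups()
    return {
        "ts": parse_ts(ts),
        "host": host,
        "image": image.lower(),  # Windows paths are case-insensitive
        "signed": signed == "true",
    }


def build_baseline(lines):
    """Set of process images already observed anywhere in the enterprise."""
    return {parse_line(line)["image"] for line in lines}


def first_seen_processes(lines, baseline):
    """Images never seen before; one finding per image, unsigned ones ranked first."""
    seen_now = set()
    findings = []
    for ev in map(parse_line, lines):
        if ev["image"] in baseline or ev["image"] in seen_now:
            continue
        seen_now.add(ev["image"])
        findings.append({
            "host": ev["host"],
            "image": ev["image"],
            "severity": "high" if not ev["signed"] else "low",
        })
    findings.sort(key=lambda f: (f["severity"] != "high", f["image"]))
    return findings


def non_reporting_devices(lines, managed, now, max_silence):
    """Managed devices with no log line inside the last max_silence window."""
    last_seen = {}
    for ev in map(parse_line, lines):
        if ev["host"] not in last_seen or ev["ts"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["ts"]
    cutoff = now - max_silence
    return sorted(h for h in managed if h not in last_seen or last_seen[h] < cutoff)


def daily_report(now_iso="2024-05-02T10:00:00Z", max_silence_hours=24):
    """Run both checks together, the way a daily digest would."""
    now = parse_ts(now_iso)
    baseline = build_baseline(BASELINE_LOGS)
    return {
        "first_seen": first_seen_processes(TODAY_LOGS, baseline),
        "non_reporting": non_reporting_devices(
            BASELINE_LOGS + TODAY_LOGS, MANAGED_DEVICES, now, timedelta(hours=max_silence_hours)
        ),
    }


if __name__ == "__main__":
    report = daily_report()
    for f in report["first_seen"]:
        print(f'[{f["severity"]}] first-seen process on {f["host"]}: {f["image"]}')
    print("non-reporting devices:", ", ".join(report["non_reporting"]))
```

The baseline is enterprise-wide rather than per host, which mirrors the reviewer's point that a single console lets you see the same new thing across several systems at once; a per-host baseline would flag putty.exe on every workstation it first appears on. The non-reporting check is keyed off the last log line of any kind, so a device with an agent that died mid-day is caught the same way as a syslog source whose forwarding was never configured.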