What is our primary use case?
We are using it to centralize all of our logs and have alerting on security issues.
We primarily import Windows systems and Windows Server logs (2012 and 2016). We also import Cisco ASA logs, then Cisco router and switch logs. The import works well.
How has it helped my organization?
We send the Snort IDS alerts to EventTracker, e.g., high-level ones like ransomware and data leak type alerts. For things like ransomware, data leaks, and data exfiltration, we have higher incident reports created, so then it also gets sent to our email and phone. As an example, this Saturday night around four o'clock, we were alerted to an incident from EventTracker. They got a Snort alert about a data leakage or data exfiltration. It was a false positive, and that is good. But, this is just one way we use EventTracker.
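The escalation described above (Snort alerts forwarded to the SIEM, with ransomware/data-leak class alerts raised to an incident and paged out) can be sketched as a small triage routine. This is an added example and not EventTracker's or the reviewer's code; the alert lines are constructed in Snort's "alert_fast" format, the rule SIDs and the list of escalated classifications are assumptions.

```python
import re
from dataclasses import dataclass

# Snort "alert_fast" line layout: timestamp [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: N] {PROTO} src -> dst
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Classifications that should always open an incident and page someone,
# mirroring the reviewer's ransomware / data-leak escalation (assumed list).
ESCALATE_CLASSES = {"Potential Corporate Privacy Violation", "A Network Trojan was detected"}

@dataclass
class Alert:
    sid: int
    msg: str
    classification: str
    priority: int
    src: str
    dst: str

def parse_fast_line(line: str):
    """Return an Alert for a well-formed fast-format line, else None."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    return Alert(int(m["sid"]), m["msg"], m["cls"] or "", int(m["prio"]), m["src"], m["dst"])

def route(alert: Alert) -> str:
    """page = incident + email/phone; ticket = incident only; log = store only."""
    if alert.priority == 1 or alert.classification in ESCALATE_CLASSES:
        return "page"
    return "ticket" if alert.priority == 2 else "log"

def triage(lines):
    """Group raw alert lines by route; malformed lines are kept under 'unparsed'."""
    out = {"page": [], "ticket": [], "log": [], "unparsed": []}
    for line in lines:
        alert = parse_fast_line(line)
        if alert is None:
            out["unparsed"].append(line)
        else:
            out[route(alert)].append(alert.sid)
    return out

# Constructed sample alerts (local-rule SIDs, documentation IP ranges).
SAMPLE_LINES = [
    "03/14-04:02:11.123456  [**] [1:1000001:2] LOCAL POLICY large outbound transfer to rare host [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:443",
    "03/14-04:02:12.000001  [**] [1:1000002:1] LOCAL SCAN inbound port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:53211 -> 10.0.0.20:22",
    "03/14-04:02:13.500000  [**] [1:1000003:1] LOCAL INFO ICMP echo [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.7 -> 10.0.0.1",
]
```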
What is most valuable?
It is fairly easy to use. I am mainly just a one-man shop. I look at EventTracker about once a day as far as different incidents and stuff goes. I don't have enough time to be tweaking all types of different things. It is fairly easy to use as far as the UI goes.
If I were to look at logs manually, there's no way I could do that. As an example, there are 48 million logs processed a day. There is no way I could look at all 48 million of those. So, it gives me a good structure to be able to look at the different incidents which are created and do different searches.
What needs improvement?
The solution's dashboard is okay. The one thing that we ran into were issues when we upgraded to the newer version. It uses Elasticsearch for the different dashboard entries. So, we were running on spinning disks, and Elasticsearch didn't work that well. A number of the different dashboards, like my dashboard or different things like that, pull from Elasticsearch. Since Elasticsearch really wasn't working, we were having some issues with that, but we just migrated. We just got a new SAN, which is all-flash. Last week, the server was migrated from spinning disks to the new flash. Now, we have moved from hard drives to SSDs, and Elasticsearch is working a lot faster.
EventTracker's UI is okay. There are some issues that I have run into. Some stuff doesn't display on different browsers, which you think would. You think you are missing something, and you actually are. If you use a different browser at work, it works differently. That is sort of frustrating. The big thing is they have a newer version or something out other than a new update to version 9. I don't know if they're on version 9.1 or 10 (or whatever). We weren't going to update until we could try to get the Elasticsearch capability (which we now have) and migrate over to the new SAN thing.
There are a couple of things that we had to tweak. One of the other things is we are getting DNS and DHCP logs from servers, which we thought required a different Microsoft hotfix, but it didn't. EventTracker's documentation wasn't current. So, it took a little while to get the DNS and DHCP logging figured out. Once we finally got it figured out, we got those set.
The searching capability has room for improvement. I know they are working on it. They have Microsoft SQL, then Elasticsearch, and it's hard to determine when I am searching what exactly it's searching through, as there is the Elasticsearch archive thing, RAID and the Microsoft SQL searching, and some like cache search things. So, there are about three different searches, and sometimes it takes a bit of trial and error to figure out what information I am actually getting.
Users need to be on SSDs in order for Elasticsearch to work well.
For how long have I used the solution?
We have been using EventTracker for about five or six years now.
I use it on a desktop machine with a wide screen, like 20-inch monitor.
What do I think about the stability of the solution?
It's okay for what it does. They're trying to add more different capabilities. One thing that I will be interested in, when and if we upgrade to a new version, would be the different types of alerts offered. They do have some different type of prebuilt alerts. The big thing is it's hard to know what things EventTracker may not be alerting on. They do have the behavior correlation part, but when I looked at that, it was using Elasticsearch. Since our Elasticsearch wasn't working that well, this was sort of problematic as there are a bunch of different false positives and stuff.
We sort of knew there would be issues when we did the upgrade because of Elasticsearch and our spinning disks. The searching isn't as easy as it could be, as far as the three different search things that you can do.
This is the same with the different dashboards, as related to Elasticsearch. If we were to implement a brand new version and didn't have the hardware already, we would say, "Okay, we'll wait until we get the SSDs." But, we sort of earmarked a server. The hardware was on the old EventTracker. So, when we did the upgrade, we knew it was going to be an issue, but we didn't know how big of an issue it was going to be.
What do I think about the scalability of the solution?
I know it's been working well for all the different log sources and stuff that we've been throwing at it. The big thing is we just have it on one big virtualized box. So, we haven't really had any instance or need to scale it beyond that.
I'm mainly the only user. My boss will occasionally use it when I'm out of the office, or something like that, but it's either going to be him or me.
We have it pretty much on all of our servers, firewalls, and routers. The big thing is we have a 500 license count. So, we have a number of different other switches and stuff which would be nice to be able to get logs and stuff from. At the same time, we are getting close to hitting up our 500 license count. Therefore, we're trying to figure out where we need to go as far as what systems are a must-have and what systems are a nice-to-have type of thing.
How are customer service and technical support?
I find EventTracker support to be quite helpful. They have been quite responsive whenever I've had any issues. For the most part, they have been good to work with. There have been a couple times where there have been some issues that have taken a bit of time to try to get resolved and figured out. However, that is sort of par for the course for different products.
Which solution did I use previously and why did I switch?
Before EventTracker, we did use another solution. I think it was a Symantec SIEM, but they discontinued it. So, we were looking for a different solution.
How was the initial setup?
The initial setup was several years ago, so I don't remember too much about it. The one thing that I do remember is there was like a database account that needed to be created, and there was some back and forth on that aspect. So, it took a little while to set up and get going.
Initially, we got it up and running, then we were going to deploy the agents on some noncritical servers to make sure that the EventTracker agent on the servers worked properly with collecting logs.
What was our ROI?
In the security space, it's hard to quantify your return on investment. So, I don't. We spend about $40,000 a year and so. It's hard to say if the SIEM saved that much money.
What's my experience with pricing, setup cost, and licensing?
When we first got the EventTracker product, we were using SIEM Simplified. At the time they didn't call it that, but it was more of a service thing. So, there was a bit more hand-holding and getting stuff set up, along with failure reports, that they did during the first one to two years. Then, we decided that the additional money to have someone do these daily reports wasn't terribly useful, so we discontinued that service.
Licensing is interesting. By doing it by device, in some aspects, that can work to your advantage, and in some aspects, it can't.
There are different licensing models. Back in the day, it used to be events per second and trying to figure out the number of events per second during the year that all of your devices are generating. If you didn't necessarily have a solution in place to begin with, this was a little frustrating. You might add another device and all of a sudden your events per second shoot up quite a bit. With a number of system-based licenses, it's been good. The big thing is when you get up on that license count, do you continue to add additional licenses or start removing some systems that may be not as critical as others? Like, do we need to be getting logs from different Windows test servers out there? Ideally, yes. But it all depends on the pricing.
EventTracker's subscription-based model is interesting as far as yearly license type stuff. It's nice because you know what it's going to be next year. We haven't really looked at any other solutions. The pricing at the time compared to the other solutions was a lot less. A couple of years ago, we actually looked at Splunk. The amount in Splunk's licensing model is based on 20 gigs a day, or something like that. Based on our number of logs and stuff that we were already generating, the costs would be substantially more for the amount of logs that we would be getting.
Which other solutions did I evaluate?
We looked at a handful of different solutions out there. When we were looking at SIEM solutions out there, we were looking to replace Symantec. We were looking at Arctic Wolf, EiQ Networks, Secureworks, and Trustwave.
The primary reason we went with EventTracker and the SIEM Simplified service was the CIO wanted something that was a 24/7 monitoring type of thing. That's why we went with that service. But, when we found out at the time it really wasn't 24/7, and we wanted 24/7 monitoring from more of a SOC/NOC type of thing. The EventTracker support said, "We do have that." However, that wasn't necessarily the case. It was primarily an eight to five type of thing. Supposedly, in the last couple of years, they have changed it, and it is more of a SOC/NOC type of thing.
This was one of the reasons: We were looking for a hybrid approach. Basically a SIEM that we could have on-premise where we could have someone else monitor when I was not in the office. EventTracker was able to create the different alerts and stuff like that. So, when I'm not in the office, I get alerts generated. However, we wanted some more active monitoring type stuff.
What other advice do I have?
I would rate the product as a seven (out of 10).
We don't use the dashboard widgets, but we are planning on it.
Which deployment model are you using for this solution?