How has it helped my organization?
We have a lot of mobile users who are not always on our network, and this gave us the ability to have full visibility into them. We're able to do real-time requests and questions with the agent. So I can basically search all my agents and see if there's a malicious registry key in any of the registries. I can see a process that might be running, that should be running or shouldn't be running; I can do a real-time query across the entire board.
You can also use this to see if systems are up or down, from an infrastructure level. So it does more than just monitor things for malicious activity. It can also see if things are working properly as well.
What is most valuable?
The most important feature is the ability to have the endpoint agent on all of our systems. And since they talk back to their cloud infrastructure, it doesn't matter if the systems are on our network or not on our network. We still get real-time feedback, not only on the InsightOps part, but also on our InsightIDR and others as well. It's only one agent, and they all pull back data that's relevant to our network.
It also gives us a lot of almost "forensic" capabilities, because the agent itself monitors the entire system, from the registry all the way down to the file level. If there's anything malicious, or network connections, anything of that nature going on, you can do searches on them and it's beaconing back in real time.
What needs improvement?
Yes. The searching capability, or when you ask real-time questions. The searching is pretty decent but it's still not up to par with, say, Splunk. It's much better than it used to be, but it can take a little longer than you may want.
Also, when you do the real-time queries, if you do too many it could take longer than you want. They're constantly improving it, so I will give them credit on that. It is getting better, but it still could take a little longer than you care for.
It's hard to say that it's not fast enough when you're querying agents that are overseas and not on your network. So, it does do a pretty good job of handling that type of traffic, but sometimes it can take a little bit for everything to populate.
What do I think about the scalability of the solution?
No, not at all. It's actually very simple. I don't know if you can or not, but you could probably deploy it through a group policy if you wanted to. But we use K Software deployment. I just take the MSI, put in a few command lines, and toss it onto all my systems as need be.
It was very, very simple to deploy the agent, and that agent automatically communicates back to their cloud service, or to your onsite collector, if it's onsite. All those settings are configured automatically; it's not something you have to do. So, setting up the agents and the collector for it, you have visibility over everything; it's very simple.
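The MSI-plus-command-line deployment described above, as an added example that is not the reviewer's script and not Rapid7's own installer documentation. It runs the agent MSI silently from a software-deployment job, handles the Windows Installer exit codes a practitioner actually sees, and checks that the agent service came up before the job reports success. The MSI path, the installer property name `CUSTOMTOKEN` and the service name `ir_agent` are assumptions to be replaced with the values from your own console and installer package.

```powershell
# Added example (not the reviewer's or Rapid7's code): silent per-machine MSI
# install of an endpoint agent from a deployment tool, with exit-code handling
# and a post-install service check. Run elevated (deployment tools normally run
# as SYSTEM). ASSUMPTIONS: the MSI path, the property name CUSTOMTOKEN and the
# service name ir_agent; adjust them to your tenant and installer package.
param(
    [Parameter(Mandatory)] [string] $MsiPath,   # e.g. \\fileserver\deploy\agentInstaller-x86_64.msi (assumed)
    [Parameter(Mandatory)] [string] $Token,     # tenant/org token from the console (assumed property)
    [string] $ServiceName = 'ir_agent',         # assumed agent service name
    [string] $LogDir = "$env:ProgramData\AgentDeploy"
)

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
$log = Join-Path $LogDir ("install-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# /qn = no UI, /norestart = never reboot a user's machine from a push job,
# /l*v = verbose log so the help desk can diagnose a failed endpoint.
# Note the token is visible on the command line; keep deployment-job logs restricted.
$msiArgs = @(
    '/i', ('"{0}"' -f $MsiPath),
    '/qn', '/norestart',
    ('/l*v "{0}"' -f $log),
    ('CUSTOMTOKEN={0}' -f $Token)
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
switch ($proc.ExitCode) {
    0    { Write-Host 'Install OK' }
    3010 { Write-Warning 'Install OK, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)' }
    1641 { Write-Warning 'Install OK, installer initiated a reboot' }
    1603 { Write-Error "Fatal error during installation, see $log"; exit 1603 }
    default { Write-Error "msiexec exit code $($proc.ExitCode), see $log"; exit $proc.ExitCode }
}

# The agent is expected to start on its own and begin talking to the cloud service
# or onsite collector; verify the service is actually running before reporting success.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Error "Service $ServiceName not found after install"; exit 2 }
if ($svc.Status -ne 'Running') {
    Start-Service -Name $ServiceName
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
}
$svc = Get-Service -Name $ServiceName   # re-read; the cached Status does not refresh itself
Write-Host "$ServiceName is $($svc.Status)"
if ($svc.Status -ne 'Running') { exit 3 }
```

Returning a non-zero exit code on a missing or stopped service is what lets the deployment tool mark the endpoint as failed rather than silently counting it as covered; whether the agent then appears in the console is the check to run from the other side.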
And if you're also using it to integrate other logs from other sources, that's extremely easy as well, because they will ingest any logs. Some products won't, for example, take logs from Splunk, or they won't take logs unless they're in a separate format. That's probably one of the better attributes of InsightOps. If you put an onsite collector, and you point things at it to collect logs, it doesn't matter what format it's in, it can ingest just about any type of log.
You can set up alerts, queries and dashboards based off those logs as well. You're not just limited to what InsightOps has. You can also use logs from other sources to give you more insight or more information, where it's feasible.
How are customer service and technical support?
I have a Customer Success Manager, so I have called their customer support. When you call their customer support you get several people immediately jumping on what's wrong. Normally, I don't have to worry about the problems because they usually know about them before I do, because they're very on top of things.
But I do have a customer rep, so if I have any problems that aren't immediate, I can email her. She always helps me take care of it the same day. Or if it's going to be longer, because it needs to be developed, she gets that put in, and then that gets worked on as well. Whenever I've had to call them, I've never had a problem with their customer support at all.
Which solution did I use previously and why did I switch?
We used to use SecureWorks as our MSSP for everything from endpoint protection to infrastructure monitoring. To say we weren't happy with them would probably be an understatement. We felt we were overpaying and getting less than we should. What they tried to sell us on and said they could do, they couldn't. They said they could do true end-to-end correlation and visibility on all your assets, and that just didn't happen until we got Rapid7 and got their products. It was IDR, Ops and really combining the two. But even just Ops by itself gave us more visibility and better alerting than we had with SecureWorks.
One of the things I didn't like about them is that there were a lot of false positives. You would try to tune them, you'd try to work with their associates to try and get things customized to your environment, and it just never seemed to really work properly. Whereas with Ops and IDR and our other ones, we've been able to get it to a point where we don't have alert fatigue and false positives. I don't really have to worry about that anymore, where it used to be kind of a headache.
How was the initial setup?
Very similar to when I was talking about deploying the agents and all that. It goes hand in hand with the actual setup.
There are just two of us, me and my boss, and when we did the proof of concept for it I told my boss, "I should have it set up completely in less than two weeks." He laughed at me, jokingly. But, really, I had probably 98% of it set up in the first two weeks. The last two percent were very customized things that I was trying to do personally, to see if I could get it done.
But when it came to getting it set up, getting the agents deployed, getting the collector deployed, getting all the root things, and the root metrics and operations set up, yeah, two weeks was all I needed. And that was by myself. Bigger companies may take a little bit longer, whether it's red tape or just that they have more hoops to jump through, but when it comes to really setting it up, it's not very difficult.
Which other solutions did I evaluate?
We did a proof of concept with a few other companies before we purchased this one. It seems like they are definitely one of the best in the field, whether we're talking about ease of deployment or price. We get way more out of it than we did with SecureWorks, and we pay about a third of the price.
What other advice do I have?
Make sure you know what you're trying to monitor. Because one of the things that you can do, and I started doing it at the beginning myself, is have it ingest all the logs you give it. I mean, we have everything pointed at it and giving our alerts and our logs to it. And then I got to the point where I've got everything coming in: what do I need to monitor the most? So have a very well-defined path for it: exactly what you want to use it for, what you want to monitor, how you want your alerts to go.
Just make sure you have a good starting point.
Whether it's price, customization, full user visibility, or full endpoint visibility, it gives you a lot that you can do with it. In some ways you're only limited based on what you can think of, and what you come up with to monitor, or to develop, or to feed it for logs.