What is our primary use case?
Our primary goal is insider trespass. We have also been using the product for account privilege misuse as well as intellectual property and data theft. Going into the cloud, we have expanded our scope to cloud applications. We never supported the cloud but now that we are using SaaS we've been able to cover cloud applications and cloud infrastructure. That use case is picking up a lot of speed. But, traditionally, it's been used for insider threat and account misuse.
How has it helped my organization?
One example of how it has helped our organization is with people who are exiting. We had a lot of issues when people were leaving the organization regarding what documents they were taking and what systems they had access to before they left. There were concerns about whether they did any sabotage or created any backdoors before they left.
One of the very big areas of help from the solution is its exit report. Before a user leaves, it provides us with a 90-day report on that user; everything that user has done, what his behavior looked like, what systems he accessed, what data he took out. It gives us a complete picture and we are now able to provide that to HR. Our security team is also able to look at it, and it helps us in making sure that, before anybody leaves our organization, we have taken all the preventative measures and have made sure they're not taking any data. That has been a very crucial use case.
The cloud has been a tremendous advance as well. We had no visibility into our cloud. Something that we never had with our traditional SIEM or any of our previous backbones was visibility into what people were uploading on our SharePoint, what people were accessing on our Azure. Cloud has definitely helped us with a lot of visibility and we are getting some good results. We hope they will get even better.
What is most valuable?
One of the most valuable features it has is the threat chaining. One of the common issues that we always had was the number of anomalies that we used to get and the number of alerts that we used to get. But with this approach of threat chaining, we've found the false-positive rate has decreased very significantly. That was something that we never could have achieved before.
It also has the ability to detect low and slow stuff. Whenever we've had any dormant issues or dormant malware - dormant processes which get executed much later - it has tremendously helped us with that.
What needs improvement?
One of the things they can improve on a little bit is the usability side, to make some things simpler. Maybe it's because of their customer base, but the tool does have a lot of knobs, you can turn a lot of things on and off and you can change things. Sometimes, it can become a little overwhelming. They should remove some confirmation options and make it simpler for the less mature customers and people who are still trying to grasp it.
For how long have I used the solution?
We were one of the early adopters of the product, so we've been using it for about eight years now. We just moved to version 6. We were on their previous version and we then migrated to 6.0. Currently, we are on the 6.2 release, and we are on their SaaS platform.
What do I think about the stability of the solution?
Regarding stability, one of the very big improvements between the previous version and this version of the product is that the current version has been a lot more stable. We've not had any downtime as of yet, except for maintenance windows. We've not seen any reports of the environment being down or data not being accessible. The current SaaS platform is pretty stable.
What do I think about the scalability of the solution?
Scalability-wise, it's great. I had some doubts when we started because they're using Solr and I heard some colleagues say that Solr would not be so scalable. But I was amazed at how they architected it. The scalability has been pretty good. We looked at a bunch of solutions, including Splunk. The search speed is pretty fast. We are able to search for data much faster than we were able to when we looked at Splunk Cloud.
The elasticity part is very helpful. If we give them a huge peak in EPS once in a while, or if our EPS drops down, it elastically grows very quickly, without any downtime or any issues. When our EPS increases the solution does not drop any data.
My team has raved about how well we are doing with searching and threat-hunting on it.
How are customer service and technical support?
We work with a lot of vendors and a lot of companies, but the support that we have gotten from Securonix, from their support and customer success teams, has been tremendous. They've always been able to help, and that's not just coming in, deploying the product, and going home. They've always been there to advise us, to help us out, and guide us.
We had a lot of issues with our data, in terms of how we were logging it, which attributes and which fields we were logging, and what information was available to the teams. They were very good about coming out and letting us know that we had all these data gaps and how we could fill them in, as well as with suggestions on how they could provide us with better value.
They work with us to enable our teams to get them up and running. Overall, they've done some good hand-holding to get us where we are today.
Which solution did I use previously and why did I switch?
We used ArcSight. We started off by using ArcSight and Securonix in parallel. Over the years, once Securonix came up with the cloud offering, that was our main pivot point to move to Securonix.
There were a lot of other reasons for the move. There was a lot of fatigue from the teams in terms of having to build the content, maintain the platform, manage it - the rules and everything else. In addition, we were going for a cloud-first strategy and we had a lot of cloud infrastructure that we were not able to manage. We were using machine learning; we were one of the early adopters of it. One of the most beneficial things we saw was the combination of having UBA, the SIEM, and data lake in a single platform. It used to be that our analyst would get an alert out of UBA and then go back into ArcSight, try to find the event for it, extract the event, investigate, and go to a different ticketing system to do the incident management. We wanted to combine all of it and have one product or one location for all.
How was the initial setup?
It was amazing how straightforward the SaaS product was. I did not expect that. The 5.0 that we had deployed was not that straightforward. It took some time and took some back and forth. But the current version was very smooth. All we had to do was spin up a VM and put one of their collectors on it. Somebody from one of our teams reported to me that it took about an hour or so to set it up.
We were able to do the upgrade of the collector ourselves. Their cloud operations team sent a notification letting us know and we just downloaded the file and it was a simple upgrade. When there are issues, of course, we reach out.
With the previous, on-prem version, the 5.0, we used to need a lot more help because there were more steps involved. But in the last one-and-a-half years, we've mostly done it ourselves. Because it's SaaS we don't have to worry about most of the components.
From what I understand, this current version is much faster to set up, when compared to the previous version.
In terms of our implementation strategy, we took the route that most people take: crawl, walk, run. We started off with two very simple use cases: people copying data to USBs, and uploading data over the web. Over time, we matured and kept on adding more sources, cleaning up our data, figuring out how UEBA works. It's been a journey.
What was our ROI?
We have definitely seen return on our investment. We've been using the solution for quite a while now, and ROI was one of the reasons we expanded the scope. We've definitely seen quite a lot of value.
Our response time has gone down. We have also received a lot of benefit from their research team. We were recently exposed to their Threat Research Team. We got a lot of new indicators and a lot of new threats, that were not there previously in our environment, that their team had researched and come up with.
We are getting quite good value. We have a lot better feedback from our SOC in terms of the usability when compared to ArcSight. We have a lot more visibility. We are getting a good return on our investment.
What's my experience with pricing, setup cost, and licensing?
We have an annual cloud license. We have a license from our 5.0, so that license just continued. We paid them the extra cloud-hosting costs for a year which were about $300,000. That's basically the whole cost.
The licensing fee is based on the number of identities and, other than that, it's just the hosting cost.
What other advice do I have?
My advice is that you should want the new, best product. I don't want to say there is no other way, but it scales and it works. If you don't have the manpower, if you don't have the technical skills to have it deployed on-premise and manage it - like us, we did not - I would definitely recommend going SaaS. The cloud offering is a game-changer. It would have been tough for us to deploy Hadoop on-premise and manage it and maintain it. We're not mature enough to handle Hadoop. So I would definitely recommend SaaS to anybody who's looking at Securonix.
The other thing I would recommend is monitoring cloud if you're going with SaaS. We didn't know there were so many things to monitor in our cloud infrastructure until we actually started monitoring it and figuring out the monitoring gaps.
Most of our security is running on Securonix. It's the backbone of our security so we are running quite a lot on it. We do plan to expand it. We are planning to see if it makes sense to add app data on it. We don't currently have a lot of application data flowing in. We have SAP and other applications that we are looking to add to this. We are also looking at if it makes sense to explore a little bit more on the network analytics side.
One of the key things they have improved on recently, when they moved from version 5 to version 6, is that version 5 was not scalable. It was running on a relational system and it was also a little complex to manage and run. Version 6 is a lot smoother and has a much better user interface. There is less operational overhead, because we don't have to manage it, at all. It's completely remotely managed.
We have six or seven people, specifically, who log in to the solution, not all at the same time. They are actively using it. Their roles vary from SOC to insider threat. We also have our response guys who log in, and then we have about two people who take action on threats. In terms of deployment and maintenance, this is all SaaS. In 5.0 we had about one to one-and-a-half people dedicated to it, but now we don't have any dedicated people. We just have one point of contact available on our ops side to look at any issues with the collector or if one of our data feeds has any issues. Again, it being SaaS, we have no administration overhead.
The tool has matured and it has definitely helped our program mature over time.