Securonix Security Analytics Review

Spotter tool has helped us eliminate many hours required to manually create link analysis diagrams


What is our primary use case?

I run the intellectual property protection shop for the company and our primary use case is to monitor for DLP.

How has it helped my organization?

In terms of detecting cyber and insider threats, my primary focus is insider threats. It's excellent at that. The ability for the system to detect events is incumbent upon knowing your own threats and risks and predefining those, to a large extent. If you know your environment well enough to make up your own rules and define exactly what a risk or threat means in your organization, it's outstanding at detecting them.

While my primary focus is insider threats, one of the reasons we like SNYPR more than other brands is the entity analysis piece. We have picked up unnamed entities - an infected machine or a machine that had been taken over through a fishing attempt and had a bot installed on it. We have been able to detect malicious software with the system without even predefining the threat or risk model.

When it comes to the solution's behavior analytics helping to prioritize advanced threats, as long as you can pre-define what you want it to prioritize, I find it to be excellent at doing that. We have a very small team. It's very important for me to have the Securonix system highlight the most critical threats so that the analyst can see it.

We have two models. There are the people who are reacting to something negative in the company, such as someone sending a lot of things to a USB drive or trying to email out a lot of sensitive documents. Those people are easy to catch because their behavior is anomalous to themselves and to others. But for the advanced threats, we have different models in place that will highlight what we call "low and slow" behavior, where someone might be placed in the organization by a competitor or a foreign country, with the intention of removing small amounts of data over a long period of time. We have successfully built models that detect that, as well. Any system can catch the people who are going to "break the window" and steal as much data as they can in 24 hours. It's the advanced threat that's much more intricate, but we have had success with that model.

The solution benefits our company overall in the sense that we are protecting intellectual property which is the key to the company's success. But there has been a direct benefit to my team as a force-multiplier. At any given time, I have three or four analysts and we have 120,000 end-users. I feel confident in the increase in the value of cases we have found. We bring in fewer cases per year, overall, and that's attributable to the ability to tune Securonix and drop things that might be more of a "coaching-letter" type of event, rather than an investigation. We're able to tune those so that they are less of a priority than the significant data-loss events. We've been successful at catching the data-loss events.

And the functionality within the Spotter tool has helped us eliminate many hours required to create link analysis diagrams, which we used to create by hand.

It has easily decreased the time required to investigate alerts by 30 to 35 percent. The Spotter functionality, where we create link analysis diagrams within Securonix, takes about five seconds to do. We type in the pipe symbol, the word "link," and a couple of arguments and it puts the link analysis diagram right in front of us. Before, it was a manual download from three different systems and we would put things into Excel or i2 Analyst's Notebook and do the link analysis diagram that way. That single step alone is something we do for every single case which an analyst writes up, and it easily represents 30 to 35 percent of their time.

The solution has also helped us to detect threats that would otherwise have gone unnoticed. In the past, when we were using just a SIEM tool, we had reports on things like the top-ten people each day sending email to a competitor's domain, or top-ten people emailing to a personal domain, or the top-ten people copying data to a USB. We looked at six of these lists every day. When we first started using Securonix, they came to us with an event that their system had detected, something which was a fairly significant event. When I went back and looked at why we hadn't caught it ourselves first, what had happened was that Securonix was able to accurately able to identify, with its pattern-matching functionality, two personal email addresses from this person and correlate that with USB use and their sending of emails to a competitor's domain. Out of the four domains, none was high enough to get on the top-10 lists, but all four together - when they were correlated together as a single event - were very significant. That enabled an analyst to see it and react to it.

Securonix has helped to surface high-risk events that require immediate action. The preceding example is a good one. Another good example is correlating events with foreign travel, for instance. One of the things we have programmed in is HR data around a known last-day-worked. We've been able to correlate people whose last day at work was within 48 or 96 hours of having foreign travel booked. Those things, by themselves, don't really mean anything, but as part of a model they add to the score of someone who has data leakage events. We've used those factors successfully to increase the score of someone with leakage events and prioritize them so that we can react before the person has left the company and the country.

We moved to their software as a service and cut over to production, officially, in January of this year (about five months ago). It has significantly reduced the amount of time spent by the technical lead on my team doing hands-on patching, maintenance, and troubleshooting on the host server, as well as fixing the server when there were application incompatibility issues. The previous version we had sat on a standard, company Linux server. Securonix was an application package, a COTS, for the most part, that sat on top of a standard-built server. The server represented a cost to us when purchasing it and there was a cost to maintain it. Moving it to the software as a service model in the cloud has completely cut out all of that. It's a less expensive model for us to operate under.

The Hadoop-based platform has also provided operational benefits. With the on-premise version that we had before, we were limited in the number of data inputs. As soon as we moved it to their Hadoop-based platform, it became unlimited. It's scalable to whatever size we need. We were able to quickly add six data sources to the system, which were impossible to add before.

What is most valuable?

There are a number of things that are very useful.

What I like most is that the threat models and risk scoring are very accurate and very helpful to the analysts on my team. They help highlight the most important things for them to look at.

The second feature is that within the SNYPR product there is a functionality called Spotter. We use that for link analysis diagrams and to run the stats command. That's extremely useful because it replaces a tedious, manual process we used to go through, using Microsoft Excel and a couple of other methods, to bring data together.

The third feature is the ability to create watch lists that highlight specific predefined events in a separate window - or widget, as they call it. If I want to highlight something of interest without changing the risk score, or affecting any of the threat or risk models that we have in place, I can create a watch list. It moves those events to an area where an analyst will see them, first thing, without changing any scores or any other manipulation of data. I can highlight events that way.

What needs improvement?

A helpful feature would be an event export. A way to create more substantial summary reports would be nice.

For how long have I used the solution?

We've been Securonix customers for about six years now. We've been on the SNYPR module for about seven months.

What do I think about the stability of the solution?

We've never had a problem with it. They're responsive around the clock. We've never experienced a system outage and we've never experienced their being unavailable to help. It's highly stable.

What do I think about the scalability of the solution?

Now that we are on the cloud-based version, scalability is limited only by what we want to spend. The more events per second we add, the more the cost goes up. But that's the same with any model, anywhere. We're limited only in budget. They appear to be scalable to handle anything we can put into it.

How are customer service and technical support?

I would give them a ten out of ten on technical support. In the past, we did have some issues with their technical people, but they were quickly resolved as soon as I brought them to someone's attention. 

They don't really offer a service where they just plug it in and leave and you're on your own. They do semi-annual data scientist reviews of the events we have and the scoring behind them. They make recommendations to us on new models we can implement or ways we can change the scoring slightly to make sure we're seeing the most appropriate things. That part has been really nice.

If you previously used a different solution, which one did you use and why did you switch?

We used ArcSight. The IT department had ArcSight deployed as a SIEM, so that was the system I used to create lists like top-ten emails to competitor domains, top-ten events for USB, top-ten people going to job-search domains through the web proxy, etc.

ArcSight was not very sophisticated. It was just six PDF files a day that were representative of top-ten events in some predefined rule. There was no way to prioritize or score or, even better, correlate events. Securonix, in one example, as I mentioned, pulled together four events and chained them together, which would not have made any of the top-ten lists and that were significantly more important than anything on any of those top-ten lists that day.

How was the initial setup?

The initial setup was very straightforward. We used Professional Services and we had three meetings a week in the build process. It dropped to two meetings a week as we were migrating from one system to the next. Then we went to weekly and then biweekly break-fix meetings until everything was up and running.

Within two weeks they had it pretty fully in place and then we spent about another two weeks fine-tuning different details, because it processes data differently than the on-prem version. We were up and fully in production on the new system inside of a month.

We created the cloud-based version in parallel and we kept the on-prem solution up and running until we cut over, 100 percent, to the cloud-based solution. We kept them running in parallel for an additional month so that we could check risk scores back and forth between the two systems, to make sure one was not capturing events that the other didn't, with the exception of "net-new." As I said, when we put in the new cloud version, that enabled six more data inputs which, obviously, didn't exist in the on-prem version. But for the things that were identical, we made sure it was up and running and accurate. Then we just cut away from the old one all-together.

What about the implementation team?

The fact that we used Professional Services made a big difference because they did the heavy lifting. We just presented threat and risk models to them and data sources. Our experience with Professional Services was very good.

What was our ROI?

We have seen return on investment many times over. There have been data-loss events that we've prevented which, had they left the company, would have represented billions of dollars of intellectual property. If you look at the $250,000 a year as a percentage of a billion dollars, that's not too bad an ROI.

What's my experience with pricing, setup cost, and licensing?

We have an annual license. We pay $200,000 for the base licensing and we pay another $50,000 for the software as a service.

In terms of any additional costs, it depends on how extensively we use the Professional Services. I might spend another $45,000 to $50,000 a year on them, but that's because we're always coming up with new things and changes. If I wasn't asking them to make coding or application changes, then that cost would be unnecessary because the additional cost for the software as a service includes the maintenance, 24/7 monitoring, etc. Because the Hadoop version is new to us, we're expanding into new data sources and new threat and risk models. For that, there's an additional cost for the coding.

Which other solutions did I evaluate?

We looked at a product from Lockheed Martin which was very analyst-centered. It produced a lot of CSV files as output and required having an analyst who could really pull together Excel spreadsheets and do a lot of manual work. 

We had looked at Securonix for a couple of years at trade shows and we knew we liked the concept of an UEBA. But then when we did a demo with them in a bake-off with the Lockheed Martin product, and the Securonix user interface was hands-down better and the event correlation and the behavior analysis pieces were what really sold us. We have a number of static, pure analysis rules built for behavior analysis, but now that we've had it in place for a few years, it's far more sophisticated in the dynamic behavior analysis, through the machine-learning the system does. That has been far more beneficial to us than the static rules.

In those respects, they were hands-down better than the other product we put them in the bake-off with. Quite honestly, it has worked so well in the six years we've had Securonix in here that I haven't gone back into the market to even looked at what the competition has. It saves me a lot of stress. 

Looking for a new product and evaluating takes so much time and there's so much cost in swapping them out. For example, if you had invested in a server infrastructure and have to take that down because it doesn't match up, there's a cost to that. There's software licensing. There's also the fact that my team has five years of experience in navigating the Securonix user interface. With a new product, they'd have to start from scratch, learning something new.

What other advice do I have?

The single thing I recommend most is understanding your environment and being able to articulate the risk and threat models. Securonix is very good now, better than when we first bought them, because we were early adopters. We're in the pharmaceutical space and they didn't have very many Pharmas. They were very good at financial institutions, the banks, the credit card companies and that sort of data, but when it came to risk and threat models for Pharma, we were so successful because we knew what we wanted.

I had studied insider threat and behavior analysis for quite a while before we brought in Securonix and was able to start out with very accurate models and articulate things like the relationship between sender and recipient of emails. Is there generally a higher risk with one-to-one or one-to-many relationships on either side? If the data is in the body of an email or in an attachment, which is more important to me? Different models, like competitor domain or personal domain, or USB use: What are the most important things to know about your own environment? Be able to tell them in a way that helps them build the risk models.

Probably in some environments, again, finance for example, where they've had years of experience, they could probably plug in a box and you could just throw all of your events at it and it would be accurate in at least pointing out the anomalies. But you would still need to be able to say what, in your environment, is bad and what is not. That is the single biggest thing: Know your own environment and they can build it to match your needs.

The biggest lesson we've learned using Securonix, in hindsight, is that if we had paid the additional $45,000 to start with, in the cloud, we would have been years farther ahead. We're trying to stay very low-budget. We built the on-prem version and thought that was going to be sufficient, but we ran out of space and the ability to add new data sources and risk and threat models. The on-prem version became limiting. The biggest lesson we learned was that we probably should have spent what was not a lot more money and had the cloud, Hadoop-based version, much earlier in the game than we did.

If I had a big enough staff, it would probably be preferable to do some of the back-end, hands-on coding ourselves, but I don't have that kind of talent on hand. Outside of that, we have no complaints about it. When we've asked them to make certain changes to the user interface or to workflow within the tool, they've been very quick to respond and make those subtle changes for us. Outside of that, we're fairly pleased with this platform.

We have three intelligence analysts and they look at the events themselves, do the initial assessments, and write up the cases. I direct the team and I have one technical lead. I'm in the compliance division, so my team monitors for compliance with specific corporate policies. In addition, our IT department recently also purchased Securonix and they're building a platform on software risk to complement the insider threat that I have. There are currently five users there.

The Securonix team does all of the back-end work because it's housed entirely in their cloud.

Overall, I would give Securonix a ten out of ten. We've been extremely happy with them as a company and as a product. The product has been very good for my career. But again, we put the time into making it accurate right from the start so we have found some fairly significant things. I feel the product is accurate. Whenever we have worked with the company, they've been a good bunch to work with. I'm happy to stand up on their behalf. It's been a true partnership with Securonix, more than that we just license their product and use it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
1 visitor found this review helpful
Add a Comment
Guest
Sign Up with Email