What is our primary use case?
Securonix is a SIEM solution for us. In our deployment, it's a software as a service model, so it's a hosted solution. We are feeding several log sources to it and correlating logs, searching, building alerts. It's our primary tool for analyzing logs and alerts for our entire environment.
How has it helped my organization?
The benefit we've seen is in reducing the number of alerts from stuff that we can tune out easily. Previously, in the solution we used, there wasn't that flexibility, so we received a lot of alerts that we knew were false positives that we easily just dismissed. But it took somebody's time to look at all of those and mark them as false positives. With Securonix the alerts are easier to tune. We can exclude certain log source types. That option wasn't available in solutions we've seen in the past. The ability to tune out stuff that we don't want to see allows the team to focus on real events. That's been the biggest benefit.
One example of detection of a threat that would otherwise have gone unnoticed is that they have an alert for randomly generated domains. It's using our web gateway information to look at domains that our users are going to. It has the ability to look at randomly generated domains and investigate what those are and if anyone actually submitted anything to them. Phishing domains are very popular and we have seen users clicking on phishing emails and going to randomly generated domains that are spoofing login sites. Those are things that we found that we hadn't seen in the past.
The way that Securonix is able to put a lot of the contextual information into the events is very helpful. That has reduced the amount of time required for investigating, "Hey, this might be something I need to look at," and then doing further research. It puts all of those violations in one event or case, so that you can look at different types of violations that all correlate. That has reduced the amount of time for researching some of those cases. It's dependent upon the scenario, but in some cases it could save an hour of going out and doing a bunch of individual searches.
What is most valuable?
The most important feature is for it to be reliable and scalable so it is able to ingest the amount of logs we need in a timely manner, and then make those logs available to us for search in a very quick, reliable way.
Also, it is capable of doing UEBA, the anomaly detection, with easy-to-create rules. In some products we've used in the past, as we built those rules they would cause performance issues. But with Securonix that hasn't been an issue. So the ability to create rules and alerts in a viable way is also very important.
What needs improvement?
Some of the user experience when doing threat-hunting, such as being able to see multiple types of analytics from different log sources in one view, would be beneficial. Right now, there are some limitations around that. So some of the user experience when doing threat-hunting could be improved. That's the main point that I've seen that we're working with them on.
How are customer service and technical support?
Technical support has been amazing. We have a lot of different security companies that we work with and with most of them it's very difficult to get competent folks to help. That's been a non-issue with Securonix. We meet regularly. Any issue we've had, they've had prompt resolutions. Customer support and making sure that we're successful has been one of the best features, one that we weren't even looking for during evaluation, but that's what we have found.
How was the initial setup?
The fact that we're using software as a service, so Securonix is hosting the infrastructure, has been a huge win for us. Before, we managed all of our SIEM on-premise. We had an appliance and we had to perform operating-system patches and upgrades to the system itself.
Getting it set up was easy. We had nothing to do. They just told us when it was ready. Then we had to set up all of our log collection to their remote ingestion node and then send that up to the cloud. Setup was definitely easy and we've been able to onboard a lot of our log sources in the first month. It's just a lot of tuning from there. So the initial setup was much easier than in our previous experience.
What was our ROI?
Return on investment is having my security team focus on their jobs and not have to maintain a SIEM. That has definitely provided a lot of value.
In addition, not having issues with the base functionality is part of the ROI. We ran a different SIEM for over five years, and if anything was tweaked then we'd end up having support tickets and spending time resolving them and making the thing work. Not having to deal with that is hard to measure exactly in value, but it's been very refreshing that we're actually focusing on improving our security instead of just making the log system function.
What other advice do I have?
I would say Securonix is a nine out of 10. The core functionality is the best that I've seen in the market. Being able to execute on ingesting logs, building alerts, looking at anomalies, providing fast search, and being able to provide an extensive history available to search is a huge win for us. We're often investigating stuff that happened a long time ago. The only thing that we could work on is the user experience when doing threat-hunting, and they've been open to looking at that and exploring options. So I think that will improve also.
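The review mentions two things a practitioner would want to see concretely: an alert for randomly generated domains derived from web gateway logs, and the ability to tune out whole log source types. The script below is an added illustration of those two ideas and is not Securonix's own detection logic or code. It assumes a simple key=value gateway log format, assumed field names (`source`, `user`, `host`), constructed sample lines, and hand-picked thresholds for the randomness heuristic; all of those are assumptions for the example, not anything the review states.

```python
import math
import re
from collections import Counter

# Constructed sample web-gateway log lines (key=value style); not real traffic.
# Two hosts are random-looking labels, one is a readable lookalike phishing
# domain, and one random-looking host comes from a sandbox proxy we tune out.
SAMPLE_LOGS = [
    "ts=2024-03-01T09:12:01Z source=corp-proxy user=alice host=www.example.com status=200",
    "ts=2024-03-01T09:12:05Z source=corp-proxy user=bob host=login.microsoft-secure-verify.com status=200",
    "ts=2024-03-01T09:13:10Z source=corp-proxy user=carol host=xk9qzv3lwp7m.net status=200",
    "ts=2024-03-01T09:14:22Z source=corp-proxy user=dave host=a8f3kq2zmx1pw0.com status=302",
    "ts=2024-03-01T09:15:00Z source=corp-proxy user=erin host=cdn.allowed-vendor.com status=200",
    "ts=2024-03-01T09:16:30Z source=sandbox-proxy user=svc-detonate host=zq7xw1kpl9vb.org status=200",
]

# Tuning knobs (assumed, illustrative): drop entire log sources, or hosts under
# a known-good suffix, before the detection runs at all.
EXCLUDED_SOURCES = {"sandbox-proxy"}
EXCLUDED_HOST_SUFFIXES = (".allowed-vendor.com",)

KV_RE = re.compile(r"(\w+)=(\S+)")
CONSONANT_RUN_RE = re.compile(r"[b-df-hj-np-tv-z]+")
VOWELS = set("aeiou")


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; unknown keys are kept as-is."""
    return dict(KV_RE.findall(line))


def registrable_label(host):
    """Label left of the last dot: 'xk9qzv3lwp7m' for 'xk9qzv3lwp7m.net'.
    Simplification: a production version would consult the public suffix
    list so that 'example.co.uk' yields 'example' rather than 'co'."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Character entropy in bits; 'aaaa' -> 0.0, 12 distinct chars -> ~3.58."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def randomness_features(label):
    """Cheap lexical features of a DNS label used as randomness signals."""
    chars = re.sub(r"[^a-z0-9]", "", label.lower())
    n = len(chars)
    if n == 0:
        return {"length": 0, "entropy": 0.0, "vowel_ratio": 0.0,
                "digit_ratio": 0.0, "consonant_run": 0}
    return {
        "length": n,
        "entropy": shannon_entropy(chars),
        "vowel_ratio": sum(ch in VOWELS for ch in chars) / n,
        "digit_ratio": sum(ch.isdigit() for ch in chars) / n,
        "consonant_run": max((len(m) for m in CONSONANT_RUN_RE.findall(chars)), default=0),
    }


def looks_random(label):
    """Heuristic: long, high-entropy label that also lacks the vowel/digit
    structure of real words. Thresholds are assumed for the example.
    Note that a readable lookalike such as 'microsoft-secure-verify' is NOT
    flagged by this heuristic; that needs a different detection."""
    f = randomness_features(label)
    if f["length"] < 8 or f["entropy"] < 3.3:
        return False
    return f["vowel_ratio"] < 0.2 or f["digit_ratio"] > 0.2 or f["consonant_run"] >= 5


def is_tuned_out(event):
    """Apply the exclusions: whole log source types, then host suffixes."""
    if event.get("source") in EXCLUDED_SOURCES:
        return True
    return event.get("host", "").lower().endswith(EXCLUDED_HOST_SUFFIXES)


def detect_random_domains(lines):
    """Return (user, host) pairs for non-excluded events with random-looking hosts."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if "host" not in ev or is_tuned_out(ev):
            continue
        if looks_random(registrable_label(ev["host"])):
            hits.append((ev.get("user", "?"), ev["host"]))
    return hits


if __name__ == "__main__":
    for user, host in detect_random_domains(SAMPLE_LOGS):
        print(f"random-looking domain visited: user={user} host={host}")
```

On the constructed sample, the two random-looking hosts from the corporate proxy are reported, the sandbox proxy line is dropped by the source exclusion, and the readable lookalike login domain passes the heuristic untouched, which is the caveat worth remembering: a randomness alert covers DGA-style hosts, not every phishing site, so it complements rather than replaces lookalike and reputation checks.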