Securonix UEBA Review

Algorithms surface the exact indicators we need for insider threat detection
What is our primary use case?

We use it for insider threat detection. It's appliance-based in the data center.

How has it helped my organization?

Previously, we did not have visibility into some of the behaviors until we had this tool. Only then were we able to surface those behaviors. An example is that people can log into VPN at night from another country - people actually do that all the time - and that's the leading cause of a credential compromise scenario. We did not have visibility into that before so we couldn't figure out what was going on there to come up with a mitigation plan. Now we can make data-driven decisions to mitigate that vulnerability.

Securonix has enabled our team to focus on threats rather than on engineering of the platform. Algorithms deliver through the program platform. We just go into the system, point and click and pick and choose algorithms that are needed to satisfy the use case. So we don't have to write any code. We don't have to write any customizations.

The solution has also decreased the time required to investigate alerts or threats because we don't have to sort through or do the log analysis. We don't have to look at individual log entries to figure out what's going on. Now, the system has ingested the data and it has derived intelligence from those raw records. They're visualized and assembled on the timeline and presented on the dashboard. You can imagine how much that's going to save an analyst's time in investigating or knowing what's going on. And in some cases, it's even night and day, meaning it has gone from impossible to possible. In those cases the amount of decrease in time would not even be applicable, for good reason. In other cases, the time it saves us is approximately 30 to 40 percent.

Securonix UEBA also helps to surface high-risk events that require immediate attention or action. It gives us the ability to prioritize the risk. That is a focus in the design of the platform. There are many ways it allows users to prioritize the risks that are very important, per that organization's threat landscape. It's either done through re-scoring boosting or you can craft a segregated dashboard to focus on something. You can also have a targeted user-list on which you want to focus the monitoring. There are many ways to pick and choose and combine to meet our prioritization requirements.

The solution's Hadoop-based platform has definitely also provided operational benefits. We talk about the "three V's," the challenges in dealing with big data. Data is high in volume, it changes all the time - the loss is very high - and it can be unstructured. By basing the platform on the Hadoop big-data platform, versus a single SQL database, it definitely meets the requirements for monitoring.

What is most valuable?

The aggregation library is definitely very comprehensive. It covers a lot of use cases.

Also, the feature dashboard is very well organized and intuitive to use. It organizes information on a timeline which is exactly what we need for insider threat future-analysis.

Data insights are where we can not only look at items but can visualize the activity trends over a period of time and compare them across organizations. That's very useful for us.

The algorithms surface the exact indicators that we need for the purpose of insider threat detection. That is something that we have not always found is the case with other vendors we have evaluated. We consider cyber indicators as part of insider threat detection. We don't look at them in silos. We correlate them and look at them from a holistic point of view. The algorithm for surfacing those relevant indicators is very comprehensive. We almost find everything we need to surface the indicators we want. We're very impressed with that.

What needs improvement?

There is room for improvement in the algorithms. Although I said that we have a very solid starting point - our existing library is already very comprehensive - we constantly find areas where we need to develop new algorithms. That is common across platforms. Any vendor with a solid starting point would still need to continue to evolve. That's where customers can help by giving them feedback about their challenges and asking for help in addressing them. That will help to roadmap and mature the product itself.

For how long have I used the solution?

We've been using the solution for about two years. We're on SNYPR 6.2.

What do I think about the stability of the solution?

Securonix is very stable. We do encounter error scenarios here and there in different jobs but, to a large degree, that's because our demand is very high. Our data volume is very high and it fluctuates. That goes back to the "three V's" of big data, but that said, the platform is very stable.

What do I think about the scalability of the solution?

Because we're based on clients, scalability is horizontal. It's up to us how much we want to scale up. There's no limit to that. It's just adding nodes to the cluster or even adding additional clusters to the deployment. Moving to the cloud, we expect that's going to be even more flexible. We want scaling to be on-demand and it's only going to improve. We do not see scaling as a limiting factor in any way.

We definitely have plans to increase usage of the solution because business acquisitions keep happening. That has happened for the last two or three years within our company. Our monitoring inquiries are going to increase, based on that.

How are customer service and technical support?

On a scale of one to ten, I'll give Securonix tech support a ten. They're extremely knowledgeable, they're able to flex, and they're dedicated. AT&T as a client is very demanding. Our scale is large, our complexity is very high, our data is very complex.

If you previously used a different solution, which one did you use and why did you switch?

Prior to Securonix, we didn't have a tool whose mission was insider threat detection.

We went with it primarily from the algorithm perspective. Some vendors claim they're doing behavior analysis but they're not really looking at it from the perspective that we want to look at it. For example, we want location anomalies, time anomalies and the like. We worried about non-mature indicators and nobody was worried about those, they were worried about entities. Securonix is very comprehensive in those algorithms. We didn't have to develop new algorithms, it was just plug-and-play. And how wonderful was that? That was a critical success factor for us.

Another success factor was that it made the job easy for the analysts. The visualization, the dashboard, the timeline. You would think those would be natural requirements for a platform like this but not every player was able to give us all that. Securonix definitely stood out from those perspectives.

How was the initial setup?

The initial setup is complex because we're talking about a very complex technology. Our hardware detectors are very complex and our deployment is large-scale. The number of clusters and the number of nodes of each type in the clusters is huge. And we have to synchronize between elements and make sure the service runs from end-to-end so it's not a trivial job. But that's not unique to this vendor. It comes with the technology itself. Anything that's based on big data or that involves algorithms, that involves data ingestion, would be that complex at that type of scale. Our process is very unique.

In terms of implementation strategy, we definitely wanted to get close on the first shot. For example, the platform comes with out-of-the-box algorithms. We considered them as the starting points for us. By enabling them with their initial conditions we were looking to strike close on that first shot. Then, we looked to get exact in the second step. In that step, we looked at maturing of the content and we wanted it to be guided by our clients. At that stage our threat clients could come to us and be exact with how they wanted those conditions, the algorithms, to be. We then took that into our content maturing process to get it exact for them. It was definitely a phased approach.

What about the implementation team?

Securonix helped with the deployment. They were very knowledgeable and were able to pivot. Each client deployment scenario would be slightly different. There was no one-size-fits-all strategy or solution. But they were able to pivot based on our unique challenges.

For example, we were on Hadoop and then we moved to Cloudera, which was a unique AT&T requirement. They were still able to integrate with that environment quickly. They're knowledgeable and they're able to flex, and those were very critical success factors for us.

What was our ROI?

We have definitely seen return on investment. We have a good contract with them in terms of monitoring as we have unlimited licenses.

Which other solutions did I evaluate?

We evaluated a bunch of them, some of the well-known ones like Exabeam and IBM QRadar. They're big players in the space.

What other advice do I have?

The biggest lesson I have seen from using Securonix is that you should never underestimate how complex and large scale a client deployment could be. Prior to Securonix coming to us, they had huge success in different sectors with big and small companies, until they had us. We were a challenge. We have successfully overcome the challenges and proved they're the best. But everybody who went through that process learned a lot about never underestimating how complex a client can become and how demanding they can be.

My advice would be to consider Securonix. You can horizontally compare competitors across the space but really pay attention to what they can offer. That's how they impressed us when we compared. Sometimes you can't tell the difference until you compare different varieties of apples. Sometimes, when we asked the same question to five vendors, four of them didn't even understand what the question meant. That was an indication in and of itself and showed the difference. So pay attention to this player and compare them against others. That's going to make you more confident. Don't pass over this one.

Within our company, the number of users who are using the platform to monitor threats and develop content is less than ten people. It's a very controlled user group because of the sensitivity of the user data and the activity data within the platform. We have a dedicated team within the chief security office called the Insider Threat Program Team. They are responsible for operational monitoring, keeping the system up, developing content, and responding to the findings. They do all things connected with the platform. But the platform itself monitors a user-base of 600,000 people.

In terms of deployment and maintenance, we have two people from our group who are leading that effort but in the background, with regard to the data center deployment, there are a bunch of people supporting it from that perspective.

We don't use their cloud monitoring functionality but we are interested in that area too.

Overall, I would rate the solution at ten out of ten. There have been a lot of challenges, but the more we face challenges and I see how we work through them, the more confident we are in this product.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
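The location and time anomalies the review describes (a VPN login at night from a country the user never connects from) can be illustrated with a small detector over authentication records. This is an added example, not Securonix code or the reviewer's own; the log lines, the per-user baseline table, the off-hours window and the scoring weights are all constructed for the illustration.

```python
from datetime import datetime, time
from typing import Dict, List, Set

# Constructed sample VPN authentication records (not real data):
# UTC timestamp, user, source country, authentication result.
VPN_LOG = [
    "2024-03-04T09:12:44Z user=alice country=US result=success",
    "2024-03-04T02:31:09Z user=alice country=US result=success",
    "2024-03-05T03:07:51Z user=bob country=RO result=success",
    "2024-03-05T14:20:13Z user=bob country=US result=success",
    "2024-03-06T01:45:00Z user=carol country=DE result=failure",
]

# Hypothetical baseline: countries each user normally connects from.
BASELINE: Dict[str, Set[str]] = {"alice": {"US"}, "bob": {"US"}, "carol": {"US", "DE"}}

# Assumed quiet window, 00:00 to 05:00 UTC, in which logins are unusual.
OFF_HOURS = (time(0, 0), time(5, 0))

# Assumed weights: a combination of indicators is boosted above their sum,
# because time + location together point at a compromised credential.
WEIGHTS = {("off_hours",): 1, ("new_country",): 2, ("off_hours", "new_country"): 5}


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' record into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def risk_indicators(rec: dict, baseline: Dict[str, Set[str]]) -> List[str]:
    """Return the behavioral indicators a successful login triggers."""
    if rec["result"] != "success":
        return []  # failed attempts are handled by other rules, not this one
    flags = []
    start, end = OFF_HOURS
    if start <= rec["ts"].time() < end:
        flags.append("off_hours")
    if rec["country"] not in baseline.get(rec["user"], set()):
        flags.append("new_country")
    return flags


def detect(lines: List[str], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Score every record and keep those with at least one indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        flags = risk_indicators(rec, baseline)
        if flags:
            hits.append({"user": rec["user"], "ts": rec["ts"].isoformat(),
                         "indicators": flags, "score": WEIGHTS[tuple(flags)]})
    return hits
```

Calling `detect(VPN_LOG, BASELINE)` ranks bob's 03:07 login from a new country well above alice's in-country off-hours login, which is the kind of prioritization the review describes.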