Netsurion Room for Improvement

John Berry
Information Technology Manager at ProfitSolv

I know they are working to resolve this issue, but Netsurion is currently unable to retrieve logs from S3 buckets. We use WP Engine for a lot of web hosting as well as AWS, and both of these platforms use S3 buckets.

I would like Netsurion to be able to pull logs from Linux devices. We have some of that capability, and I believe they can do it. However, the way it works with Amazon is strange and glitchy. Therefore, working something out with Amazon would be great.

Netsurion's SOC can be a bit too aggressive at times. We have asked them to adjust their playbook because I am tired of being notified about the same issue multiple times a day. I am aware of the issue, and it is not a cause for concern. Let's only take action on this issue if we see an actual problem.

Kevin Lohan
Head of IT at a venture capital & private equity firm with 11-50 employees

I appreciate the recordings that Netsurion provides on Power BI for our monthly meetings. I would also like to have a dashboard that I can access anytime to review the real-time data from their website.

JD
Manager of Security and Networking at Shenandoah Valley Electric Cooperative

There's always room to improve because there would be no competition if they had a perfect solution. The GUI to perform searches within the product may not be intuitive to a new user. That's something that could be simplified, but I have no complaints about the product or the service they provide. They're phenomenal.

Buyer's Guide
Netsurion
March 2024
Learn what your peers think about Netsurion. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
767,847 professionals have used our research since 2012.
JW
Cyber Security Specialist at a financial services firm with 11-50 employees

The product is based on an agent initially intended to talk internally, and they've simply tweaked it to talk externally. It's inside of a network versus talking on the internet. If they redeveloped the product to use internet options that are part of the operating system, it would add more security. Netsurion would keep pace with the computer as it updates and the technologies change.

If it were to talk using the internet options inherent in the operating system, the communication would be better and more frequent. It would be part of the operating system. It would work like opening a browser and hitting the internet rather than being a standalone solution. I've suggested redeveloping the application to work more fluidly with current technology instead of working as an old solution in a new application.

RC
VP of IT Systems at Carteret-Craven Electric Cooperative

I would like to see a faster response when we see things like 15,000 lockouts. I really wish that I had known that on Friday afternoon rather than waiting until I got the weekly report today. By the same token, they are looking at it from the point of view that this is a system or software malfunction. This is not a bad actor repeating the exact same password three times a second. Therefore, they can tell that this is not a bad thing. However, while it's not a security event, it is an operational event for me. Knowing this sort of thing would help my team and me out more because then we would be able to clear out a lot of network traffic that we didn't know was going on. So, we would like quicker updates on non-high security events.

RT
Network Manager at an energy/utilities company with 51-200 employees

They haven't had to fix much, but we have come back to them with requests for very specialized reporting. Something that's not canned. We might be looking at a particular functional area where we want to track specific data or specific login times. If I were to put in the time, it might be easy to do or it might take me a little while. But these guys can roll it back to me so quickly that I don't think twice about throwing it at them and asking for a report or a particular search. Probably the biggest thing is just: Can I search for this, and what's the best way to do it? If I'm looking for two events versus a singular event, I just throw it back at them. They're the experts on it.

Right now I simply can't think of anything that we're lacking. I don't have much to throw back at them at this point.

That could change as everybody's continuing to move towards a cloud product or with the cloud products themselves, all the services which we're slowly moving toward on the cloud. We're an Office 365 tenant right now, but I can see that over the next three to five years that's going to continue to increase. I'm excited to see how they can continue to structure their product to help us take advantage of the viewing, the monitoring, and the tracking of those products. Until we get to that point, I just don't know whether they've got everything we need, or if there will be things we will need to ask for that we simply didn't require in the past.

Joseph Snyder
CIO at a financial services firm with 201-500 employees

There is one area that needs improvement, and that is with the agents and the server that's on-site. The system requirements are very, very high. So I need a pretty powerful server to run it. If they could lighten that load so that the on-premise part of their product didn't impact my systems as much, that would be ideal. My understanding is that's something they already know and are working on. If they could do that, I'd be even happier with them.

Gene Anderson
IT Coordinator at a government with 51-200 employees

The threat detection and response is passive. We have asked if there were options for taking action, and we have not gotten any feedback on that, which would be useful to know. Depending on the situation and threat, some actions may not be possible, but we haven't gotten any feedback on what options could be directed and actionable with the understanding that it may have an extra cost.

It would be nice to know or find out if it is actually possible to take actions by a SIEM service or a SIEM agent. To clarify, we did get a price quote but not a demonstration. I was hoping for a demonstration of what exactly was possible and doable. We did get the pricing for it, but I was hoping for a demonstration of what it would actually look like.

BS
IT Director at Global Connections Inc

I would like to see more communication with the SOC. I believe they are communicating quite a bit, but I think that relationship could be better. There was maybe one person, and I don't know if they can afford the time. We get a report generated on a particular day of the week and we go through it, trying to mitigate problems and make sure we're seeing everything that's happening. It would be helpful if the SOC spent a little more time with us going through some of those reports.

JB
Chief Information Security Officer at Samford University

With version 9 there are so many areas where they changed the look and feel and it is so much easier. I really don't have anything that is a pain point or that I have to work around or that I would like to be a little better or easier.

With version 8, there are quite a few things. The query tool was one of the big ones, and the query speed was one of the big ones, but they've made some great strides between versions 8 and 9.

There were also issues in version 8 around the ability to get the data back out. It's one thing to collect data, but it's a whole other thing to be able to present it or run it in a timely manner. The old tool, depending on how far back I was looking, might even time out and I would have to run it again.

We don't have any of those issues with version 9, as long as we're staying within that seven-day window. You get outside the seven-day window and it still performs the same sort of way. And it's not Netsurion or SIEMphonic's fault; it's just the way they store the data and have to be able to open the data back up. But the look and feel of the query tool is still exactly the same as it was. It's just a matter of whether you are looking at that real-time, very quick access, or you are looking at more of an archive-type.

JH
Director of Application Development and Architecture at South Central Power Company

In terms of advanced queries, I wouldn't say EventTracker is lagging behind its peers. The latter just make it easier to get to them. EventTracker is designed more for a small to medium type business, which is where we fit. With a competitive tool like Splunk or LogRhythm, you're not going to get what you get with these guys out-of-the-box. With EventTracker, you're going to have to build all that yourself from scratch. You're going to have to learn that markup language to do so.

I want to stress: We're very happy with not having to deal with that out-of-the-gate. If we need to, we can always call support and they can assist us in writing those more advanced queries. The functionality exists to do advanced queries, they're just not right in your face like they are in a competitive product. But for us, that's what we want.

There's always room for improvement in terms of performance and alerting options. It would be great if they had a client for phones by which they could push a notification to us, as opposed to via email. But those are all things that they'll grow into over time.

JY
Sr. Information Technology Security Engineer at a university with 1,001-5,000 employees

The solution's dashboard is okay. The one thing that we ran into was issues when we upgraded to the newer version. It uses Elasticsearch for the different dashboard entries. So, we were running on spinning disks, and Elasticsearch didn't work that well. A number of the different dashboards, like my dashboard or different things like that, pull from Elasticsearch. Since Elasticsearch really wasn't working, we were having some issues with that, but we just migrated. We just got a new SAN, which is all-flash. Last week, the server was migrated from spinning disks to the new flash. Now, we have moved from hard drives to SSDs, and Elasticsearch is working a lot faster.

EventTracker's UI is okay. There are some issues that I have run into. Some stuff doesn't display on different browsers when you would think it would. You think you are missing something, and you actually are. If you use a different browser at work, it works differently. That is sort of frustrating. The big thing is they have a newer version or something out other than a new update to version 9. I don't know if they're on version 9.1 or 10 (or whatever). We weren't going to update until we could try to get the Elasticsearch capability (which we now have) and migrate over to the new SAN thing.

There are a couple things that we had to tweak. One of the other things is we are getting DNS and DHCP logs from servers, which we thought required a different Microsoft hotfix, but it didn't. EventTracker's documentation wasn't current. So, it took a little while to get the DNS and DHCP logging figured out. Once we finally got it figured out, we got those set.

The searching capability has room for improvement. I know they are working on it. They have Microsoft SQL, then Elasticsearch, and it's hard to determine when I am searching what exactly it's searching through, as there is the Elasticsearch archive thing, RAID and the Microsoft SQL searching, and some like cache search things. So, there are about three different searches, and sometimes it takes a bit of trial and error to figure out what information I am actually getting.

Users need to be on SSDs in order for Elasticsearch to work well.

BB
CIO at a computer software company with 501-1,000 employees

Integration-wise, there is a pretty vast area of things that they are able to integrate with, but some of the tools they have are not so great. One of my pet peeves right now is the maturity of the agents that you install on Windows and Linux devices. On the Linux side, it has not been a great experience. They support CentOS and Ubuntu, but the client tends to be a little bit cumbersome and not so great. It is just okay. It is not so great because the agent that they use is basically like a SysLog forwarder of the log system of the Linux system. When it gets pushed out, they do not receive the data as a hostname. It just comes back as an IP, so they are not able to detect the hostname. There are little tedious things here and there that I have not been happy about. This is one of them.

They have their programs and tools that you have to put into your own environment. We basically ingest all the log data and then push it out to them. I wish it was a little bit different than that where we just push directly towards them. I do not know if that is a function that they thought would be better in terms of security, but I wish that instead of doing that, it should go from the device to them and not from the device to another system and then out to them. There seem to be some drawbacks to doing that.

They need to work on the tools they have. The UI of EventTracker, which is a proprietary piece of software that they built, needs improvement. It is not the friendliest thing in the world. Those are the things that they should probably work on. I know that a lot of their tools have been specifically built around their team, and their team is very familiar with it, but that is an area they probably need to work on to get their customers or even get more clients. They need to work on the UI of EventTracker.

RE
Network Administrator at a construction company with 501-1,000 employees

I would like faster responses when things are found. For example, when they inform me, it is usually when they begin to respond.

The MITRE ATT&CK framework could be faster when identifying and understanding sophisticated threats. Whenever something happens, we usually get notified a couple of hours later.

Their SOC team can't understand our network because they haven't worked in the actual company. This does negatively affect security posture, e.g., if you don't have knowledge about the network, then you will miss things.

Personally, I would have deployed it on its own independent server. It uses a lot of IOPS and resources. Now, we have contention between our other servers on the same cluster.

ML
Chief Information Officer at ECRMC

Communication is always something that can be improved, but I feel that any time we've had a communication issue, it's quickly addressed when we bring those up at the monthly meetings. Usually, it's an individual that wasn't clear in the communication; it's not the process per se. You always have to be able to segregate whether the process didn't work or an individual either didn't say the right thing or my people didn't understand what they were being told. So far, I have not understood or heard of any issues that were more process- or tool-related; it's individual-related.

The industry is changing. The landscape is changing all the time, and they seem to do a pretty good job of keeping up with that. That's a challenge in information security. That's a target that doesn't just move. It moves from room to room, to room, not just a few inches one way or the other. You're constantly changing. You're chasing a moving target that's really moving. It boils down to here's what we think is going on versus our people. If all they did was keep track of what was going on in the industry, that's all they'd do, because I only have two people.

MO
Senior Director, Information Security at a pharma/biotech company with 1,001-5,000 employees

I like the dashboard. Where there is an opportunity for improvement is in the interface used for performing the searches. You have to understand Elasticsearch search too well for the security team to be able to take really full advantage of that part of the product. It's not as intuitive as I would like it to be for new staff coming in. The general query capability is a little bit challenging.

Once I expand an event, I can usually cut and paste out of there into the Elasticsearch side of it to get a broader view. But it's a multi-step process. I would like to see them add something that lets me right-click and immediately search on it, instead of having to walk through a couple of windows. When you're doing research on events, that kind of stuff adds up in your day. It's two or three clicks, but when you're driving through a bunch of analyses, that can start to add up quickly. When it's an event that you've got going on and you need to find out what's truly happening, time is of the essence. Anything that can shorten that would be beneficial.

DW
Network Engineer at a wholesaler/distributor with 201-500 employees

Everything that I've wanted has been added in. EDR was added, and MITRE was added. Those were two big ones that we didn't even have to push for.

RT
Senior Director of Information Security at a healthcare company with 5,001-10,000 employees

Netsurion's threat detection and response aren't quite mature. I would expect a little more. Instead of an Excel spreadsheet with a log output, I would rather have a web portal that I could log into and see the event live. In all fairness, they may have that, but they have not provided that to us. They send me an Excel spreadsheet, and I have to aggregate the data manually to find out what I want to look at. It would be better to have a web portal where the data is already aggregated, and I can see where the hotspots are. They could do something like Arctic Wolf, which has a web portal or page we can log into.

AY
Lead Security Analyst at a leisure / travel company with 1,001-5,000 employees

The weekly reporting could use some improvement. For example, when we handed them our landscape document, it took longer than I would have liked for those details to become noticeable within the reports.

BC
Chief Technology Officer at G&G Outfitters, Inc.

The deployment of the agents could be a bit easier. We always seem to have a bit of a challenge with that. A lot of times the agents either don't deploy or they quit responding, then we have to go and redeploy them. That gets frustrating.

GF
Information Technology Coordinator at Magnolia Bank, Incorporated

There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, which requires a solid-state hard drive. So we have upgraded to the solid-state hard drive, but we are waiting for them to migrate over to the new drive, and then we'll see if our search results improve. Depending on how many logs you have, it could take a long time to return the results if you're looking back prior to the last 30 days for, say, auditing purposes.

In other areas, it meets or exceeds our expectations.

SS
Information Technology - Business Process Analyst at a financial services firm with 51-200 employees

I'd like to see improvement in the ease of generating reports. It seems fairly cumbersome whenever you decide to start tracking new categories of events. It seems a little kludgy when trying to generate those reports. Other than that it's fine.

ML
Assistant LAN Administrator at a non-profit with 10,001+ employees

I would like to see the dashboard come up more quickly.

AW
Consulting Engineer at a tech vendor with 10,001+ employees

The biggest problem is that we have too many domain controllers. So, we have to keep all the clients and main system updated with the latest versions along with making sure all the firewalls are open.
