This solution improves our organization daily. It saves us countless hours doing correlation work and reduces our investigatory process from days to hours. It routinely brings issues to the forefront using the AI engine and the use cases that we've built that need investigating. We constantly find new sources of logs to bring into the system to continue to make it better. 

LogRhythm does a very good job of helping SOCs manage their workflows. Our SOC is very young and we're not leveraging that feature yet. I've seen other companies' SOCs and watched them use the workflow features and it's incredibly well done. We're not mature enough yet to use it. 

For cybersecurity exposures, the one downside from LogRhythm's perspective is that it can only tell me about use cases that I've already defined. It cannot identify unknown cases at this time. However, we have just recently purchased the NDR solution and that does have this capability.

This solution is our principal mechanism for doing all investigatory work. When we get alerts from LogRhythm, we'd go back to the logs and trace those events back to their source. This is is how we shut down attacks. 

LogRhythm really gave us a better understanding of what our overall risk is within our network and has opened our eyes to include other products that helped address different types of issues. Whether it's getting into vulnerability scanners or different pieces of other software, it's opened the door to what's out there. It helped us to turn on different features or other products along the way and helped us to identify what we need to improve on and present it to our executive team.

It has not only helped us meet requirements on a development program, but it has also allowed us to focus on insider threats as well as provide forensics capabilities to identify potential security risks.

The solution enhances our organization's threat detection and response capabilities. It prioritizes alerts. We can write rules on it. It provides a comprehensive rule list out of the box. We have compliance rules for PCI and SOC. We prioritize the rules for PCI compliance. Assets that we have ingested have PCI labels, and we can identify the websites that need PCI. We can visualize threats on important assets and analyze, mitigate, and rectify them.

It's improved our organization. For example, if we have a user who's traveling overseas, or we get a suspicious login from the VPN, from a country that we're unfamiliar with, it gives us the ingest logs. The SIEM gives us a better comprehension of what type of threat activity it is and helps us decide if it's benign or legitimate.

We use Dell SecureWorks right now for our SOC. But in a much quicker-than-expected manner - literally a few months after we started really bringing everything in, and we took over teaching them how to use LogRhythm - our SOC has fallen right into line. LogRhythm is already almost replacing Dell SecureWorks and we might be able to get rid of Dell SecureWorks sooner than later.

I was the one who started getting the SOC team involved. I needed to teach them. They were a very frustrating group that didn't want to learn LogRhythm. "No, no, we're doing it our way," and it was very manual. They would pull information from Dell SecureWorks and compare it manually against other information. They were totally against LogRhythm. But very quickly, they changed their minds. Now, we get calls constantly to help support them. The leaders of the SOC, that understood LogRhythm and had some LogRhythm background, have implemented different things that have totally surpassed where we thought, six months ago, we would be. Things are going great.

We have seen a measurable decrease in the meantime to detect and respond to threats.

The benefits are almost innumerable. You can't know anything unless you are capturing the data. Once you are capturing the data, you can then make intelligent decisions around what is and is not appropriate, and what is and is not dangerous. It improves the security posture, because you can then know when things are happening that are bad.

Before the LogRhythm solution, if someone was trying to login to a server with a local admin account, I would have no way of knowing that. Nothing would log it, audit it, and it would never show up. Now, I get an AIE alarm every time that happens, because it is considered a pass the hash attack.

If we know when these things are going on in our environments, we can identify rogue admins doing things that they should not be doing, and the questions can be asked, "Why are you using this process? What's failing you that you have to go around the normal procedure to do this?"

Another big one we found was just the ridiculous amount of PSExec running around the environment by non-admins to touch other things, which we have tried to curb. Then, we were able to ingest some custom log sources that have helped us become more proactive in alarming. Some of the stuff that we are using does not do good alerting, or it does not do role-based alerting. So I do not need an IT admin in Georgia to know about a potential issue in China. He does not care.

I need that alarm to go to China, and not to Georgia, but some of our solutions will only send their alarms to one source. So, you either send it to the entire IT organization, every time it happens, or you do not send them at all. It has helped us pair down the noise to our site level admins, and give them more actionable intelligence quicker.

We are a global company. We have 37 locations. China is one big country in Asia. We are on Australia, North and South America, and in Europe, with about 5,000 full-time employees. For the technology stack, we are running a single LogRhythm LR 6403. 2500 NPS license which we are currently hitting the lid on every day, and running a combination of Trend Micro and Malwarebytes. For endpoint, doing Cisco, Firesight for IPS. We are a Cisco shop, a 100% on the network, and we are a VMware shop, 100% for the servers.

Right now, my biggest challenge is distilling the technical data that I am getting out of the LogRhythm appliance, in my reports, and translating that to business value statements to the business units to justify that I need more NPS or I need a bump to NPS, or I need another VX, which is a lot of money to spend. I have to now, instead of making the fear argument of, "Oh my god, the world's on fire." Instead, it is more of, "Here is this device, here is how this solution partners with the business to enable them to make better decisions about risk." Also, they can feel safer in making somewhat more risky decisions, because they know that this solution is behind the scenes, watching, keeping an eye on things, and our team will tell them if something is going wrong.

It has helped our organization because we utilize the SIEM for a lot of analysis, not necessarily for malicious threats at this point, because we're in development. It's helping as far as figuring out how something got changed on the system, because it is in development and things are changing constantly. We are then using that forensic analysis to figure out what was changed, so we can turn it back because, a lot of times, in development, we don't know what caused something to happen.

It has helped operationally with things that I have discovered stuff in logs, like errors. Without it, things going wrong would probably have gone undetected. It has certainly helped with some of the general user behaviors going on out there. 

It provides a measurement of the things going on in our organization from a security standpoint. We can either address the issues, or say, "That's the way it is."

LogRhythm's improved our organization by allowing all sorts of members of the organization to be able to access this data in a much easier way than they have been able to in the past. So instead of more obscure SIEMs, or things out there like Splunk, where you might have to learn an entire language for how to interact with your data, it's all very visual based.

I'd say that's a big difference right there, but also just the ease of use of getting it into and getting it indexed by the SIEM. The other piece of it that I think is pretty huge for us is just how fast it executes on that data. So in previous SIEMs, I've seen where we've had to take up to three or four minutes for a simple query. I have that back in seconds. That's definitely a huge performance improvement for us.

I would say that the maturity of the organization that I'm with now is it kind of straddles a couple of different zones. On the one hand, we have a security team, and members on the security team that have been doing what they're doing for a very long time, and a couple of them even doing that a very long time at that organization. However, the security landscape has changed just dramatically in the last few years. And that definitely sounds like totally hackneyed, but it's true, especially when it comes to cloud integrations, AI, data science, all of this stuff has changed the game so much. So I would say that we're very much behind the curve in terms of we're a team of six or seven people trying to keep up with the industry. And we really look to these next gen tools like LogRhythm's SIEM to bring us there.

New functionality like playbooks are exactly how we're going to raise the maturity level of our team through automation and playbooks. That's absolutely the direct path that we see getting us to a more mature place. We've got the experience on our team, but we don't have 100 people working for us either. And so, we're really kind of looking for LogRhythm to fill that gap there.

It's all in one solution since we bought the network monitor along with it. It has made finding issues or threats on our networks a lot faster and easier. Something that would have taken our team and multiple IT people 5-6 hrs to resolve before, can now be done by one person in 1-2 hrs. Plus with built in case tracking it makes it easy to track what is going on and what has been reported.

With built in reporting it makes change tracking and compliance reporting a lot easier. WE use to have to update the documents by pulling in data from multiple sources and having to wait to get data from other departments.

This solution has improved our organization in many different ways. The biggest benefit is being able to view all information in one dashboard instead of having to look at several different applications and dashboards. I can see information across our entire environment and every aspect of our network.

LogRhythm really helps with our cybersecurity exposure because it gives us insights to make us more proactive versus reactive regarding events happening in our environment. LogRhythm gave us so much insight into blind spots that we didn't even know we had.

LogRhythm also really helped our environment in terms of security posture because it gives us so much more information that we can use in a timely manner. Some of our other providers don't give us reports until as late as the next day. With LogRhythm, we can have alarms triggered within seconds that let us know that there are particular things that need to be addressed. This is much quicker than if we just trusted that particular vendor to let us know.

It's improved our organization in a number of ways. 

Before we got the current SIEM, for example, the previous SIEM was not our primary threat-hunting tool. It was a data point we would go to occasionally.  Today, LogRhythm SIEM is our primary threat-hunting tool thanks to the user-friendly interface, which is much better compared to what we've had previously.

The ability to return relevant information from a search to provide either corroborating evidence for an investigation we were already undergoing or just being in a better place to go hunt for threats has made me feel that the environment is safer than what we had previously. 

Previously, with McAfee SIEM, we had no confidence that it would help us in an investigation, so we frequently did not lean on it. It let us down so many times. LogRhythm SIEM gives us a sense of confidence that, during an investigation, it's a solid source of information that we can use to complement the investigation or perhaps complete the entire investigation within the SIEM.

The product is improving our organization, giving us a lot more visibility. It also gives a lot of our smaller different IT organizations that we partner with better understanding of their environment and also a way to kind of structure the access to that data.

We are using a lot of the analytical capabilities. One of my favorite features is the AI engine that allows us to take multiple data events, tie them together in different patterns and different baselines in order to identify more complex threats in our environment.

Our security program is still pretty immature. It's a pretty immature company, we've existed for less than a year. We're growing very rapidly, we're trying to start with the foundational policy and compliance requirements that we have and trying to tie those and map those into LogRhythm. So that's gonna be our main tool to tie all that requirements into.

Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job.

We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has really been a concern is we have a lot of software developers and engineers. These guys are gonna be able to create their own threat, so the behavioral analysis function of LogRhythm is really important, because there may not be a threat signature that we can find somewhere. We are going to need to see, "Oh hey, this guy, he is doing that at some weird hour. Okay, trigger an alert." That's probably the biggest difference. We are not going to have to worry about phishing attacks. We have really locked down. Our endpoints are going to a lot of thin clients just to eliminate a lot of potential access to systems.

LogRhythm has caught a few odds and ends, where things were done for sheer convenience. It caught this weird behavior, and alerted us, and we're like, "Why do we have a DNS server with a software install point on it?", which is completely strange because we have an official software repository where everything is supposed to be. LogRhythm caught that for us, and it was really a case of a privileged user account, which was no longer active, and someone just tried to login with it. We were like, "Who is this? It's not even the same format for the username." So, it caught something like that, and it turned out to be harmless.

Maybe years ago, they had brought someone in, not an IT guy, they were pushing out a lot of common software, and they didn't have an SCCM or a WSUS solution, so they had people going to machines, and downloading it from various locations. It is something we cleaned up, and got out of the way. We haven't had anything nefarious show up, yet.

It has also been helpful for tracking a lot of stuff, like user account activity. We have our own folks, we have vendors and contractors that come in. It's great to be able to see when their accounts are being created, and when they're being locked down, because our security people can say, "Okay, this person is a new hire. We know they are supposed to be here. This person is leaving the company. Good to see their account has been locked down." There is a lot of confirmation on account activity, which is great.

We need to catch everything before it does anything bad. Our biggest challenge is we have reporting requirements with our customer. They want to see specific types of activity, and while we want to be able to provide that, we also want to be able to catch things that might be on the edge or just outside of those boundaries. So that is our biggest challenge because I can watch the industry news and see, "Oh well, we have a threat that is coming in this way now that could possibly get on our system. How do I catch that?" Well, my customer's requirements might be too vague or too specific. I have to convince them that this is also important, include it, and here is why. So keeping my customer educated as to the threats is really critical.

• Being able to gather the data into one central location.
• Being able to leverage alarm and case management features through there on that centralized single pane of glass. That lets us work through those issues that we find from all those disparate device types, fairly quickly and efficiently using that stuff.

Key challenges and goals are retaining talent. Guys tend to do really well in this field, oftentimes monetize those skills pretty quickly. So, there is always someone willing to pay a premium out there for those skills and that talent. Therefore, you find a lot of churn from that.

We have a product that is a security orchestration and response tool Demisto and I think that from the standpoint of automation and response perhaps the first version of the playbooks is not going to compare to the product that we have that's a stand alone for that purpose. However from a price point it's very attractive and I think that as it matures we'll look at probably moving over onto the LogRhythm playbooks if it can support the kind of things that we're leveraging out of this other product and it looks like that's their plan.

It was the same that was brought up in one of the talking sessions. Our users will tend to forward every email they don't like just to be safe. It's a spam review and it takes our analysts then a ton of time to go through. So we have leveraged this to go and read from the mailbox that those spam emails all get forwarded to and then to look and analyze the hashes of any files. They'll hash them or the links in the file or the sender or anything that looks funny and it'll do all the things an analyst will do and make its determinations and then we'll see from there if we have anything to follow up on.

Our ability to respond quickly or the time to detect has dropped significantly. There's some things that we see now that we would have never seen. For example, maybe a domain administrator adding an account to a server's admin group that goes against process and policy but they're doing it to troubleshoot something or whatever. We have never seen that before because of the amount of logs that come out of those Microsoft security logs and the fact that we've got 6,000 servers in our environment. But the other things that we would have seen we still see them faster. When we see something that from the power firewalls that verdict change did pass something through, but now it says it's malicious an attachment on an email or something. We can take action now far faster whereas before we might have got the indication out of our antivirus tool when somebody tried to double click the attachment.

The benefits are having a deeper look into some of the applications, what's happening within them and possibly seeing configuration errors, enhancing not only the security but the functionality of different applications.

It has also provided us with increased staff productivity through orchestrated, automated workflows.

We have 10 hospitals or so throughout Minnesota, and a lot of clinics and smaller health facilities. The technology stack is mostly Microsoft based. We do about 25,000 MPS.

Key challenge is just protecting PHI, personal healthcare information, that's a challenge in our industry. Patient care comes first, even before security. Then also, healthcare is a bit behind the loop. It's a large organization, we've got over 30,000 end points.

Just like any SIEM product, LogRhythm gives you a lot of insight into your organization. The web UI has been particularly helpful for our analysts and our budding SOC program. Being able to give them a nice kind of sexy layout, dashboard. And the reporting is great for management.

Then there are all the "cobwebs" that we're discovering, that LogRhythm gives us insight into.

We can't feed it fast enough, is basically what it comes down to. It's given us a ton of insight that we didn't have before. It's been magic.

LogRhythm NextGen SIEM has improved the organization through the alarm system my team has configured. The alarm system is key to looking after all the hardware and endpoints.

It has improved the way our organization functions. It has allowed us to dive deeper into our network and figure out what is going on by parsing logs properly and being able to reduce the time it takes to work cases down from seven days to approximately two days.

LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently.

Our security program is still in its infancy. There is a lot of work that needs to be done. We finally were able to get our SIEM. A few things that we need to do are data loss protection, user behavior analytics, and another feature that LogRhythm offers that we're probably going to invest in the future. The program could use some work, but it is pretty solid now.

This solution has been almost like a transformative change in how we detect and then respond to incidence. Quite honestly before, we didn't know what was going on and we couldn't detect anything other than  a random virus that sent an email from our AV solution. For us, it really took off when I was a little onboard the Office 365 logs and then we were able to start monitoring locations of login and we actually detected multiple accounts that were logging in from countries that had no business being there.

That led to some investigatory work and actually led to some password resets. It was really positive and we continued to detect that type of activity and enhanced the rules, changing here and there. That was a big one for us because we had never even looked at the Office 365 audits because we didn't have a way to do it. LogRhythm brought that in and within a day or two, we're like, "These three accounts are popped and we need to get these guys off the network now." It was amazing.

We're currently processing about 3,500 messages per second. We have experienced a massive decrease in our mean-time to detect. It's actually hard to improve on nothing. It's hard to get worse than no detection, so we went from being able to like, "Oh, a virus happened," to, "This user went to a weird website. We got that from your DNS logs and then 10 minutes later, their antivirus fired on something." And now we know that we can go over there and triage that system quickly as opposed to maybe not getting the virus log for a day. The other thing is detecting when we think breaches are happening, which is something we just didn't have the capability to do before we brought in LogRhythm.

When it comes to our security maturity, I was the first person at my company to do security, and the company had been around for 30 years. I bet that started from scratch, and I started where we were bleeding which was our endpoint detection for malware and ransomware. And then be added on more layers. We added on like IPS and we added on a lot of perimeter type stuff.

While LogRhythm was probably the last component that I have onboarded in like first two-year time frame, it's now the center of the program. Everything feeds into it and that's where I go for just about everything. There are a few solutions that I still have to go out to those solutions to look at stuff but even like from a purchasing perspective, even my IT operations team, my IT applications team, my company asks vendors two questions right out of the gate. Do you have a cloud offering, and do you natively support LogRhythm? And those two are heavy, heavy hitters when it comes to whether or not we're going to put you in the running to buy your software.

It's helped us be more streamlined in our monitoring processes. We used to have multiple places where we'd have to do this work and now we have centralized all of it into one platform.

Also, the alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff.

In terms of our security program maturity, I think we're fairly mature. We definitely have some ways to go still, but we're continually improving. We've had a security program for some 15 years, so it's been around and had time to mature. LogRhythym has definitely been a part of that. For the operations and monitoring pieces, going from what we had before to it being the central component for us, it has really helped us become more mature in those areas.

We've been able to go ahead and find more with less effort, just on the web interface itself.

We partner with another company to help co-manage LogRhythm SIEM, and it definitely brings everything down to a single pane of glass, especially for people who are coming into the cybersecurity industry and don't have as much experience. It helps to correlate things to where they're more human-readable.

It has also increased our overall rate of efficiency by about 10 to 15%.

More of the AIE drill-down notifications. I don't have to customize a lot of stuff. I'm more of an advocate for LogRhythm dashboards for my company, to make sure that other teams utilize what I'm bringing into LogRhythm. Use it for their operations, use it for their alarms and so on.

We're pretty new to it, but so far it's uncovered quite a bit of information. Just having everything in a single space has been very helpful.

As a security organization, our challenges are discovering where our data is at, most times, and protecting it. As I said, we're fairly young in LogRhythm, but so far it's done a very good job.

It has definitely improved our security program's maturity, because we have visibility that we didn't have before. We came from another SIEM platform that we had used for over ten years and we completely outgrew that platform. LogRhythm has given us more visibility. It has created more actionable items for us on a day-to-day basis, which gives us more work. At the same time, it has given us more tools than we had before, so that is definitely nice.

We integrated Azure logs with it and that makes it simpler. Rather than having to log into the portal, we can just check everything in one place. We can compare those to our Windows and host logs to see if any problems correlate between them.

It just makes it simpler for analysts to find everything in one place. We don't have to give everyone access to ten different things, it's just one area where we can see everything.

We're a financial service. As our title implies we deal in mortgages, which means we see a lot of personal information, credit reports, financial instruments. We're really concerned that we are able to monitor the movement of that kind of information and protect it.

LogRhythm has been extremely efficient in helping us find the bad guys, who are really out there, they're targeting businesses like us. They specifically want the findings, the money. If you can get in the middle of a loan you may have to go after 10,000 people trying to find the data, but if you can get four houses at $400,000 or $500,000 apiece, you've just harvested $2,000,000.

For us, LogRhythm has given us the kind of insight we need to understand when those threats either are being recon-ed, found out, or when they're really trying a brute force attack to get at us. It's excellent for that.

It serves several different features. We can check the checkbox for HIPAA compliance, SEC-type stuff.

But really, our biggest focus was actually on our clients. Because we're an accounting firm, a lot of our clients actually audit us, or they have large security questionnaires that we have to fill out. So having a SIEM product is one of those check boxes, and being able to say "yes" on security questionnaires; or one that clients come in and say, "We want proof that you're auditing your domain controllers, that you're auditing the security files servers, you know who touched our files, how they read them, deleted them, modified them." 

Being able to pull all that information up before the auditors, it's great. Very critical.

Not just for security but from an operational standpoint as well. Perhaps an end user would call with a particular problem - "I can't print in this" - and, during the investigation of that, we could find perhaps there was a log message that was generated, an error from that application. Then we could create a rule, quickly and say, "Any time that you see that log generate an alert..." 

It enables our IT staff to be a lot more proactive, to fix problems, instead of having to wait for the end user to call and say something is not working.

It takes good log sources. We have investments in endpoint protection and Mail Gateway, and our firewalls are going to be catching up soon. To have all the logs centralized, we haven't had that before across the enterprise. We had it logging at one or two locations, but this is the first time this year that we actually had all the logs go to one spot and be able to have alerts and alarms set up.

We use CrowdStrike as our endpoint, so we are in the process of getting those logs into the SIEM and we haven't got that done yet, but that's going to be a real big win for half our logs are on the endpoints that the employees have. To have that visibility is really important.

We are about 5000 users. At this point, we only have one XM appliance with an external storage. We're looking for a vendor right now, for a sales engineer to work with us in trying to upgrade it. We're looking to expand it. We're looking at monitoring more our work stations. We have about 1000 servers on it, and about 300 to 500 routers and switches on our system. And of course, we are also a Windows shop, so we have about 4000 to 5000 units on it.

A lot of it is being a single point of log management for the whole company, not only for our compliance, but basically it has become an operational tool for our company, for our day-to-day stuff. And it's more, on my end, for the security solution.

The security operation center is excellent, and we can pick logs from any system, not only the IPS or firewall. In addition, it has the capacity to accept logs and provide smart dashboards and analysis.

We have seen a lot of improvement. When I first got into LogRhythm, we were just doing the fraud side of the house. Afterwards, we started doing the infrastructure side, where we're seeing a lot of events coming in. We were getting a lot of ransomware attacks that are happening or a lot of malicious actors coming in, trying to hack ours, which we can see in the SIEM right away and use the SmartResponses to block it at the firewall level.We stop them at the edge level, and we don't have to worry about them coming in.

We do have an MSSP that does our 24 hours ops, when we're not there during normal business hours.

The playbooks will come in handy for them to go through and meet our expectations, so I can design the playbooks of what I expect and what the organization expects during certain events triggering and the process that they need to take place for them to call us up at night and say, "Hey, this is something that needs your attention."

I have plenty of log sources. Roughly, I have about 500 plus different types of log sources coming into my LogRhythm, and the support's been great. The out of the box solutions with their log message processing has majority of what I need. There are some that I had to create, because obviously the products are new, and I made LogRhythm aware of it, and they're creating custom parsers for it.

We are rated for 10,000 MPSs because we have two data processors and data indexers, but I'm only using about 3,5000 combined.

The solutions have been great for us. We use the SmartResponse to do most of our automation work for us, to block attacks, and to kick off users if they're doing anything malicious. It's saved us a lot of man hours. Based on MTT and MTRs for us, we've saved a lot of considerable time.

I did see it decrease in time to detect and response by a day, because there is myself during work hours and MSSP, which we combined, and we've reduced it to about 24 hours, mean time to detect.

I have been using LogRhythm for just a few months, but the college has had it for over a year. Until I worked with it, there was no monitoring it and the solution just sat there. The solution is just picking up speed now.

It helps us to improve our procedures management by decentralizing log management. We collect all the logs from our security devices, Windows server devices, and all the network devices into one single platform, then we can see all the events that led to the securities.

Our key challenge is how we can convince our top management that we are in a very secure state/environment.

It has helped. We are still not very mature in our use of the product, but we are trying to get there. We are pretty small on the security side, but it has helped to give us visibility into our point of sale applications.

Just maturing is one of our biggest challenges, and really leveraging all the tools that LogRhythm provides. Just keeping up with it.

We can sit and see what's going on, as well as to be able to see errors as they populate immediately since spending time looking at logs is ridiculous, trying to put all that in place.

We will be using the playbooks in the future as we get everything implemented and put in place. The idea is it's going to help automate a lot of what we're doing and make it more efficient, as well as be able to preempt, potentially, a lot of other errors.

It has improved the organization a great deal. Now we're able to see what activity that's actually being used, or what activity is actually being found in the network. So we're monitoring our firewall systems and different areas like that. So it's a great help to us because we're able to see whatever that's out there that would not have been seen previously because it aggregates all the logs together and it flags us according to the alerts that are being triggered at that time.

Right now we have just grown to eight security analysts in our group, but all have different roles. Now there's two individuals that's mainly responsible for SIEM and that's myself and my coworker and he's been cross trained. He just recently went through the LogRhythm University training which is great. So right now we do have about four analysts in this system but the main number is two.

Currently we haven't seen a measurable mean time to detect because we're not using that at this time. But after this session, we will probably go ahead and start using that for metrics.

Our security improvement or maturity level definitely has increased. We started out with three security analysts and it has grown to eight. LogRhythm has improved it because we're able to see much more data. We're able to see much more of what's out there, what type of threats we're encountering, different things like that. So it's been a great improvement.

The LogRhythm platform has helped my organization by being able to have 24 analyses on logs and events from all the various systems that feed into the LogRhythm platform. It gives our analysts the capability to assess rapidly and be able to respond to events in almost real time.

We currently have over 500 log sources inside the platform. Managing those is relatively easy. The main feature that we do take advantage of with our log sources is setting up silent log source alarms, so that way we can identify if a log source is not feeding logs as it should be.

Currently, our messages processing rate is around 2,000 messages per second.

Our mean time to detect threats has been going down, which is a good thing. Lately, our main focus has been on handling and reducing the mean time to resolve phishing incidences within the company.

Our security maturity program has been overall positively influenced, mainly in the HIPAA healthcare spectrum, by meeting third-party auditing requirements and having those tested, too, and confirmed by our third-party auditors.

It makes everything quicker when it's all centralized. Anything we need to find, it brings to our attention. Even other products we have that feed into it, instead of having to watch all of them we only have to watch one. For example, we have CrowdStrike, so instead of having to pay attention that solution - because its dashboard doesn't really pop when an alarm comes up - we can see issues with the red on the LogRhythm alarm. That is very nice.

We have seen a measurable decrease in the mean time to detect and respond to threats.

In terms of seeing a measurable decrease in the meantime to detect and respond to threats, we live in the Web Console and we see things when they come in right away, and then we triage.

It has helped us centralize and have better visibility into devices on our network. We are better able to respond to threats in a timely manner.

For the same price, we have been able to go from a SIEM that could only manage about 20 percent of our environment to a full 100 percent coverage of all the devices on our network. Thus, we have seen a massive increase in the amount of data that we can collect, the type of things that we can see, the way we can look at logs, the way we can get alerts, and the way can create our own customer roles, which has allowed us to customize the work in our environment.

We didn't have a main logging system, so it's really nice to have that now, and in place. We are collecting all our logs from all the servers, routers, and its really helpful, and it's a great product to have.

Absolutely. It has helped us gain visibility into events that we didn't have before at all. We have a lot of remote locations. We manage national parks and point-of-sale devices on ships, at the top of mountains and little cabins, gas stations in the middle of Death Valley; we have a lot of difficulty around trying to keep an eye on things, and LogRhythm lets us have agents running almost anywhere we want.

It also has provided us ways to do compensating controls for systems that we couldn't otherwise secure, because of different product upgrade paths and costs. LogRhythm helps us on the compensating control side as well.

I think we're right around 1000 to 1500 (peak) logs per second, which is not a lot, but we've tuned it heavily in the last few months. We've added compression and we've turned off verbose logging, and just try to get the important things. We've been working with LogRhythm to tune what we collect, to make it is more useful or applicable. I wouldn't say that we're one of the higher end users or higher logs-per-second users, but we have 15,000 employees in peak season. We have six ships and we manage most of the national parks, so there's a lot of locations around the world. I don't have a number on buildings or assets though, but maybe 4,000 endpoints total, if you include routing and switching servers, desktop PCs.

Up until recently, I would speak with LogRhythm and they would ask me, "What do you want to do?" I'd say, "I don't know. What can you do?" "We can do anything. What do you want to do?" It's hard for us to know what we want. We just know that we want to be secure. We know we need to collect logs, we know we need to do basic things. But recently, LogRhythm came out with a package to help us tune our system for PCI compliance, like industry best practices. We don't know what all those are, so we're working with them to turn on all the bells and whistles that will make us more targeted in our strategy and collecting information, so that we're not just looking for things at random, or it's dealing with a crisis.

When we have a crisis we know what we're not getting, but we don't know how to predict that, we're fairly new into the maturity phases, so I think that they've compiled a lot of that for us, and I'm very happy that we're able to work with them now to get that hammered out.

It is a simpler system than what we had before. We had IBM QRadar, which used to give us everything, and we had to dig through, figure out, and piece it all together. LogRhythm lights up when an event occurs. As opposed to just giving us everything, it will piece things together for you and let you know that you probably should look at this. It also provides the evidence. 

It is easy to find what you're looking for. It is not like a needle in the haystack like QRadar was. It is not a mystery why something popped or why you're being alerted. It provides you the details or the evidence as to why it alerted or alarmed on something, making qualifying or investigations a little bit quicker and also allowing us to close down on remediation times.

From a security standpoint, it's the solution to have, in regards to LogRhythm. Just having a SIEM solution in your environment is definitely key. It's a very highly rated solution, but we may be moving away from it in the future. We're looking to see what else is out there. 

We've seen mean time to detect and to respond go down pretty significantly. We actually recently implemented the CloudAI solution, which allowed us to look into our users' anomalous behavior. Recently, we actually had some user who's a remote user, he traveled to somewhere else in the US, and CloudAI flagged it and was like, hey, this user is authenticating from somewhere new. This isn't somewhere we've seen before. I jumped right in, and I'm saying, "Hey, what's this user doing?" We emailed their manager who emailed them, and they said, "Oh, no, I'm just on vacation in California. It's okay." We had CloudAI learn about it, and now, it's really easy to see when a user does something anomalous.

CloudAI has been something in our environment that I have enjoyed immensely. It takes really a lot of the guesswork out of what our users are doing. Right when we implemented it, our CEO was actually out of the state, and we were having a hard time getting a lot of his user data because he was out of the state on vacation. When he came back, immediately CloudAI flagged him in the 80s with a threat score being from 0 to 100. Immediately, I was like, oh crap, our CEO's account has been compromised. But no, CloudAI was still learning our environment. It took it about a month or two to learn what was happening in our environment, what was going on, and then all of our threat scores, they kind of hover around the 20s now.

When something does something anomalous, when they work out-of-state, even when they authenticate to a different Microsoft server, it lets us know immediately what's going on, and it lets us know, and it lets us understand what our users are doing. CloudAI has definitely enhanced our security operations. It helps me understand what the users are doing almost instantaneously. It helps me understand what these users are doing in a daily report, and it helps me really feel why our users are doing certain things, why they're authenticating to certain servers. It helps me understand what their job would really want them to access or what their job has them access.

When they do something different from that, I really want to know why they're doing that. CloudAI helps me know what our users are doing. Rather than what hosts are doing or what servers are doing, it helps me know what the users are doing with their accounts. I think somewhere CloudAI would have room for improvement is maybe correlating hosts with IPs because often, I'll have a user, it'll come up with an anomaly score saying it's been authenticating from different hosts, but really what it is is it'll have the user's computer, then the user's IP that they're coming from, and sometimes their hostname with our domain name afterwards. Sometimes, CloudAI will usually be alerting us on some things that are really just the user's computer IP coming up multiple times.

I think the biggest way that it's improved us from an organizational standpoint is giving us a single view into all of our log sources and all of our infrastructure devices. Whereas before we didn't ever have that. It was always a hodgepodge of stuff put together, so I think it's the best thing is that it brings everything together so that we can all one view of it.

The playbooks are definitely something I see a lot of value and so look forward to when we do get upgraded to be able to using those playbooks. I think that's a way of automating and making sure that we're standardized in the way that me and my team or are utilizing the LogRhythm. I think playbooks are very valuable.

We really aren't tracking our mean time to respond or mean time to detect as of now, that's kind of something that I want to get better at, to kind of formalize that process. So as of now, it's hard to say how much it has, but I know just from an anecdotal standpoint, I can guarantee that we're doing a lot better in responding now than we did before, before we had the SIEM in place.

From my point of view, at a organizational level, we're able to get that insight into what users are doing, what our applications are doing, whether there is any untoward traffic coming in, whether the applications are misconfigured. It's also used, dare I say, to tick a compliance box.

It has improved our ability to see incidents when they occur, instead of maybe a few weeks or a few months down the road.

Overall effectiveness is very good. I like how it is oriented to both analysts and technical support people. It's easily adopted by end users as much as by technologists.

Key challenges are going to be maintaining visibility as the technology changes, especially with cloud coming onboard, probably fairly soon. Also, the implementation of a SOC, which is relatively new to what we've been doing.

I work in the IT Security channel, reselling LogRhythm and associated consultancy services. The improvements from implementation of LogRhythm are to my clients' organizations.

Custom rules/alerts in LRM and AIE provide insight into network for internal users as well as InfoSec. Proactive account lockout alerts for SecAdmin, alerts to DBAs on domain admin access to SQL servers, PCI and GLBA compliance alerts/reports for InfoSec and Audit.

One of the evidences we have that LogRhythm is being very successful for us is in this year's penetration test. I caught the pen-testers five times in the course of their duties. That was just great ammunition to show that this works.

It's head and shoulders above what we were using, which was SolarWinds LEM.

The benefit is really getting insight into the security posture of my organization. Proof in the pudding was that we had a penetration test over the summer and we caught the penetration testers five times because of various LogRhythm alerts.

Our key challenges in security include

• standardizing our policies
• having the end user population be aware on the security side of things.

And the solution, LogRhythm, is helping us today to enforce it. We see now what it is that we're trying to propagate into the environment, based on the policies that we're monitoring today. The goal is to 100% enforce our policies.

It has improved things tremendously. Going from a third-party vendor to an in-house solution, such as the LogRhythm solution, has given us visibility into the entire organization, compared to the limitations, based on budget and whatnot, from a third-party vendor. Absolutely, we have a lot more visibility now.

I can tell you that having the ability to monitor the semi-subsidiaries that are a part of our organization, is huge in that sense.

We have 10,000 EPS, as it is. And we have between about 500 and 1500 incidents daily.

LogRhythm allows our IT/IS teams to quickly identify issues across the enterprise. Searches can be performed using any known value, IP address, hostname, username, event. The results are then used to "open a case". The case is assigned to an analyst, who can add additional info during the research and remediation efforts.

It allows us to automate a lot of things with a smaller team.

Key challenges and goals: Anytime you are building a program from the ground up, there is a lot of legwork to be done to get things tuned to the point where they are usable.

Effectiveness of solution in meeting security challenges and goals: It is very effective. It is a single pane of glass for all of the logs, that not just myself, but anybody who is looking for information about how the network is behaving can use. So, not just primarily a security tool, it is a tool for everybody if it is set up that way.

It's allowed us to have more visibility into our network as well as be able to respond more quickly to incidents seen on the network.

We have two facilities, roughly 500 logs per second. Microsoft shop, Cisco stack on the networking side. We run two FortiGate firewalls, and a slew of different security products that we have not integrated into LogRhythm.

We haven't seen the improvements yet. We bought it as a compliance tool, and it's still sitting there. It's part of the reason why came to the LogRhythm User Conference, to figure out what our next steps are. When we had to tackle PCI compliance, one of them was log aggregation, and so that was why we brought it in.

It's met all of our compliance issues, really easy to do. As I said, there's not a lot of admin overhead, so it doesn't cost an FTE for us, which is nice. I think the added benefit is when we start using it for actually doing some analytics and in increasing our security posture, we're just not there yet.

It has certainly helped with the visibility. We probably don't use the platform to its full extent. We've expanded the size of our SOC and the number of people in it. We are now starting to use the features, such as SmartResponse, to help automate things. We've probably been guilty of throwing people at the problem, as opposed to leveraging the tool itself. We are now trying to change that.

We host quite a volume of sensitive, personal data. We are a credit reference agency, based in the UK, and we hold records on probably, around about 50 million adults, both personal information and financial information. Our core role is protecting the confidentiality of that, so breaches, such as the Equifax breach, that happened recently, we have absolutely got to avoid that.

We are not leveraging the tool to its fullest extent at the moment. We had a focus session with our SOC, the other week, and we've got a defined roadmap now to make things a lot better.

We are at a good place now. We have just started using things, such as case management, whereas previously we were just responding to individual alarms.We're starting to use things a little bit more intelligently now, so not just using the technology, but also helping improve our processes through the use of the technology.

This product has made it easier for our team to correlate security events and react quicker to incidents.

I am hoping that we will be able to response to threats and gain visibility into our environment that we don't currently have.

The benefits at an organizational level would certainly be that for my company, which is in healthcare, certainly a huge compliance, but also it gives me visibility of all the departments in my company, not just the IT department. I'm able to see the actions and behaviors of the whole company, not just on my campus, but remotely as well.

Key challenge, of course, is how the threat situation changes every day. LogRhythm is on top of that and very helpful. Another challenge, of course, like many other companies, staffing is not where it should be, money is not where it's supposed to be, but we do well.

We service the University of Massachusetts, but we also have other customers, all higher-end. It's up to the customer what they want us to look at and LogRhythm, absolutely, has the tools that we need to find the data threats that the customers are interested in.

We're MSSP and we've only been using LogRhythm this past year and we've actually found several instances where we've benefited our customers with the data that we have found, that we've collected. We were able to find out what was wrong, deep dive into it, and suggest to our customers what they need to do.

In our compliance environments (NERC and SOX), we are able to provide evidence of compliance.

The SIEM and the CloudAI has improved our organization by helping us track down errors in our network. It has helped out our IT services team, and it's also helped out our database team in trying to track down errors inside of our network. It's also opened our eyes to a lot of the attacks that have been coming in to our network from outside threat actors. It's helped us stop a lot of those attacks as they're happening, and it's also helped us identify some policy violations inside of our network as well. 

I haven't used the playbooks yet, but from what I've learned here at RhythmWorld, I will be integrating the playbooks as part of our incident response policy.

Being able to see when one of our assets is down and being able to restart it really quickly has been a definite benefit. It has been really helpful in the general maintenance of our whole environment.

We're able to look at our environment and see how it's being affected, according to the log sources. We can immediately see how the system responds to things that our development team does.

It has saved us a lot of time. We've built some pretty cool custom alarms to alert us on stuff that we know is bad so we can respond to issues pretty quickly.

We have a big issue with our users, they really like to click on links and attachments. The Phishing Intelligence Engine, is a new feature they're releasing, which is really going to have a nice fit for us. Then the CloudAI stuff they built right into the SIEM. There's nothing else you've got to do other than upgrade it to the latest and greatest version. Those would be two really key opportunities for us to really take care of a security vector that we have issues with every day.

It's visibility. Frequently our network team - while our network security is paramount from a security perspective - our network team is really focused on keeping the network up. They're not concerned about intrusions, and potential malicious activity. They're making sure that users can get data from point A to point B successfully without any downtime. With LogRhythm, our SIEM solution offers more of a rounded perspective, especially from security, making sure they are not only operational, but they're operational in a security conscious manner. That's really helped. 

I specifically keyed on the network, but it's really where we're able to add additional visibility across all groups, from a security perspective, that they might not be aware of. Usually a business owner is just focused on, "Is my application up, is it running? Yes." They're happy. We come in and bolt on security, and we're changing the mindset of our company one group at a time.

The benefits we see are manifold, compliance. We have to store logs. We're under SOX control, we're under now New York Department of Financial Services, cyber regulations, we are under EU GDPR, loads of regulations are coming out. To be able to store these logs and be able to access them if we need to, from an archive point of view, is very valuable.

We have a pretty varied environment. We have all kinds of compliance. We have PCI, HIPAA, FISMA and the like. We are also a large development shop. It's not as strict as we would like it to be.

As a security organization, our key challenges/goals are just staying on top of everything. The environment changes rapidly, especially with a big dev environment.

Regarding meeting those goals, In the last two months that we've had LogRhythm it's been very good. We ripped out an old SIEM that wasn't quite as easy to use. That has been nice.

The benefits are that it gives us a central pane of view for all of our logs and all the events. Where it's really helped us is that it requires less time to remediate and detect any issues.

It is an easy, centralized view of our environment.

Our key challenges and goals are maturing our security operations and security event management process.

We're a worldwide company with 50,000 employees, in probably 15 locations, three SOCs and four or five data centers.

It's made it quicker for us to see threats. It's an easier platform to work with. Its more user friendly, GUI based.

It has benefited the IT team's security functionality.

Our key challenge is HIPAA compliance. Then obviously, protection against malware, and particularly ransomware, is one vital threat to our organization.

• We have been impressed with the data that we're getting back. 
• We have been impressed with the look and feel, ease of use, and things of that nature.

As a security organization, we are constantly attacked, either from disgruntled ex-distributors, as we're a distributor-based company, or just people that don't like distributor-based companies at all. Therefore, we are constantly attacked, and we are pretty confident LogRhythm will put us in a good way that we can deal with this. 

We have got a lot to learn. However, doing the research that we did, it looks like LogRhythm is going to be a great solution for us that we'll be able to monitor external and internal traffic with our SIEM, again with Netmon, and log the sources that we need. 

LogRhythm SIEM has improved our organization by allowing us to bring in very widely diverse log sources, correlate them, and very easily create rules around alerting. We also use the case management features of the product to easily integrate both products into a single pane of glass for our analysts so they don't have to use two different products for alarming, as well as case management.

I would say we have seen a decrease in mean time to detect and respond over our previous SIEM. Basically, I think it can be attributed to the integrated case management. We are able to create cases, get eyes on those cases much more quickly than we were before.

We haven't fully integrated it or stood up the platform, so the benefits are realized yet.

We're still struggling to get a real return on it and finding something that isn't false noise. 

There have been a few things, such as weird service accounts that have an encrypted password which are locking things out. However, we haven't had a big security event success with it as of yet. We could be missing things here, not seeing what is going on.

I've got three main datacenters and then I'm processing somewhere in the vicinity of 20 million logs a day. My key challenge is making sure that I'm complying with federal regulations.

It's helping me in my compliance role. Helping me to provide evidence for our audits so that I can show we're doing what we're doing.

It creates a good feedback loop whereby I'm able to scan through and see what off-limits activities users have been doing. I think it improves the organization by letting them know that everything that they're doing is not invisible. It's a demonstration to them that they need to do what they say they're going to do and follow the policies that are in place here.

It’s brought all of our devices into one area, so I am able to understand and manage all of our devices and understand what is going on with an individual device.

The solution has significantly reduced the time and effort necessary to manage and review logs and produce reports for regulatory compliance.

LogRhythm improves our organization by giving us insight into user activity and potential security threats.

Our mean time to detect and respond has really improved with LogRhythm. We've got more people, more visibility, and on our team, looking at security incidents, and we're able to act on things more quickly.

I see room for improvement in the log ingestion. Customizing a log source is very technical, probably more technical than it has to be.

Our security program's maturity is, I would say, fairly advanced. LogRhythm uses a maturity model of crawl, walk, run, and I think we're just about to move from walking to running.

It has centralized monitoring for our security operations. Therefore, it improves our analysts' work. 

Our security program's maturity has been transformational for my staff. First from an educational standpoint, all the staff has started to go through either admin or analyst tracks and education. This definitely organizes my security operations to the point that it makes it easy for me to do security operations. It facilitates it throughout the organization.

PCI compliance was our main driver for purchasing LogRhythm, but it turns out there was just a ton of other information that really came from having that appliance, other than just being PCI compliant and checking that box for us. 

Like I said, it was just more insight into our own network, our own users, our own flow of traffic, helping to alleviate a lot of that burden from our system admins by automating some of those alerts. So, all in all, it's just been a great fit for us.

We did a bake-off with several others when we brought in LogRhythm, 10 months ago. And a lot of it was around a cost perspective. Also, its capability of easily ingesting event data from many different types of platforms. 

Some of the competitors require the use of agents that are deployed on those various end-points, or they'd be servers or otherwise, to ingest it. So this is a much quicker deployment. 

And through their upgrade processes that we've seen, it makes it a much more streamlined process, rather than having to touch on multiple end-points.

We have two facilities, a combination of all different platforms, Linux, Windows, etc. It's just all across the board.

It's definitely given us a lot of visibility into areas that we probably wouldn't have normal visibility into, such as code execution and things like that. It allows us to really drill down as to what's happening on the servers as they are being used in production, to where we can really get in and figure out what's going on.

We've actually been able to use it to show that we need more people, because we're going to be doing more. It's the center of our SOC, but we are starting to use it for operational things as well, not just security.

It allows us to delegate some of the alarming, where there's not just one person looking at it all the time. Some lower-level techs can handle basic alarming.

Key challenges, right now, are just having the resources. Whether it be humans in the seats, because, as of know, it's just me. I'm our security program. So the challenges involve just having the time and the resources to stay on top of threats.

The solution is pretty effective towards meeting these challenges. Though we don't utilize it heavily at this point in time, but we're looking to it. I think it will be a big help to us in the future.

Definitely, the LogRhythm solution is a central piece. It helps us in visualization, it helps us in monitoring of our different log sources, and helps us with auditing compliance.

This is all tying things together, bringing a lot of functionality and benefit to us.

LogRhythm NextGen SIEM covers all our primary security analysis needs. It makes it easier for us to analyze threats and improves our response times. It's a versatile platform that performs queries fast compared to other SIEM solutions.

We use a single appliance, around 5,000 MPS. We're a Windows shop, so mostly Windows servers, desktops, workstations, etc. Somewhat distributed as well, we have three main sites and 20 or so distributed sites as well.

Our key challenges are, mostly people, getting more resources, and the goal is just get better. Are we better today than we were yesterday?

I think it has helped immensely. I think the ability to quickly receive an alert and investigate that alert is pretty beneficial. I think it is pretty effective.

Also, the ability to remediate alerts with partial scripts is pretty good.

• Lower personnel requirements
• Improved vendor support services
• Ease of use

Key challenges are lack of personnel to manage LogRhythm. We are a small shop and we don't have a dedicated person to really manage LogRhythm, so our goal is for us to go to a level where we are doing a lot of automation.

We're in the process of a rollout right now. But from what I've seen, it will definitely be a huge benefit.

Our impression is the solution will be excellent toward meeting our meeting our existing security challenges.

Our biggest challenge right now, there is a big push towards docker containers and trying to wrap my head around how we are going to monitor and provide security for that.

We're an MSSB, we have about 10 or so different customers that all host with us. Currently we're licensed for 15,000 MPS, average, and we use about 8000 MPS average, consistently, and we're growing.

Among our key challenges is getting everybody on the same page about the value of security, and why it's worthwhile to pay for security solutions, and the people to staff them.

LogRhythm has absolutely helped improve the security of our organization. We're able to respond to potential threats in a unified system, where that was impossible before. This is our first SIEM product.

The LogRhythm AIE (Advanced Intelligence Engine) is very good at alerting my SOC to events of interest and potential security issues without flooding my team with noise.

It's got intelligence. Does a lot of the heavy lifting, you can create custom AI rules. I'm looking forward to this CloudAI.

It definitely complements all of the other solutions we have. We can feed all the logs into our system, build dashboards that the products themselves cannot provide. For example, we have web filtering, their dashboards aren't so great for that product. But when we feed it into LogRhythm, we can build dashboards that really show us what we need to see.

We keep an eye on all the events which actually are configured as an alert. This keeps us on compliant for compliance purposes.

Our key challenge and goal is maintaining a secure infrastructure. We are a power electric company, so we are trying to be as secure as we can.

It is a very good solution. It is very robust. It is very extensive. We're trying to go into the minimum requirements for compliance purposes, but I would like to start implementing more for administration purposes and security.

It has definitely matured our security posture. Before we started using it heavily, all our products were compartmentalized within the department that used it. Now that we have a central point, we have been having more integration with different departments.

The challenges are being spread out and using some of the technology that we do use, which are not easily integrated into the SIEM. We have a lot of custom parsers and just trying to get our custom products and applications to integrate into the SIEM, that was our biggest challenge.

As far as building custom parsers, it's very configurable. I've had some experience building parsers with it so far, and the ones that we have built have been working fine. Support has been pretty awesome with helping get those working well.

It helps by collecting logs from a lot of different security items, like firewalls and IPSs. It helps to give us alerts to let us know if something is happening on our network. It has really good log collection and event and alerting capabilities, so we have used those alerts to help us mitigate issues more rapidly.

We have been able to stop ransomware by being alerted through LogRhythm. That was probably one of the biggest things. Also, malware events and things like that.

We used to use a third-party vendor. We migrated to an in-house security operation center, so it's been a big difference.

We have made this the foundation of our security intelligence within our organization. It has allows us to detect and remediate Advanced Persistent Threats.

We have about 170,000 employees worldwide. We have thousands of unique log sources we're ingesting. Right now, it's kind of information overload in what we're trying to create logs off of.

Our key challenges are staffing and, right now, we're just trying to get the best bang for the buck on what we can create for alarms, so that's what we're trying to get out of being at the LogRhythm User conference.

We're about to ingest pretty much all of our log sources and write alarms based off the log sources. That's what we're working towards right now, getting valuable alarms to trigger for our SOC to action.

LogRhythm meets our problem statement, as a solution.

Pro's and con's I would say. We are short staffed, like the majority of the people are here at the LogRhythm World conference. We have a lot of alarms that get overlooked, there's not a lot of prominence to them. So our SLAs are over extended. But other than that, we're getting alerted on things that we need to quickly look at, glance, and see what needs our attention right away.

Usually, anything that's really hot, urgent, rated 90 or above, we answer those right away, and get those tasks completed.

We've got two facilities. We pretty much have one setup, the DX. We don't have any failover, just because it doesn't work for us.

Our key challenge is weeding out who is actually trying to be a threat. Now, LogRhythm certainly helps us, but it's still very difficult because we've got not a super high turnover, but high enough that you're constantly going through them looking at stuff.

Being able to actually track somebody down and figure out what they're doing. Before, we didn't really have these insights, we were going by the the seat of our pants and trying to pull whatever logs we could, whatever Unix logs we could find, and it wasn't really helpful that way. Now it pulls it all into one spot and we're actually able to correlate data and say, "Hey look, this person's really actually being shady," and go from there.

We've been able to identify certain individuals and not have issues past that.

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimiter attacks. We've found operational problems, misconfigurations, things like that.

It would take me a thousand hours a day to go through all that data, so, like I said, it lets me see everything in one place, and I'm able to see where the problems are.

The fact we're able to create customized monitoring reports that extract info from event logs, helps us a lot. We used to have ad hoc reports created by IT department, which meant they could manipualte content. if they ever wanted to tamper with output. Now, there's no risk for us to worry about.

I don't have metrics, but it has really improved the monitoring and alarming for us. 

Quicker ability to troubleshoot the problem, find the problem, get it fixed, and get the customers back up and using our system. 

It has helped tremendously when following up on investigations and logs. We often get bogged down with many tasks during the day. We can actually come back to a particular scenario that we are looking into, so it has been very beneficial for that.

Key challenges are our users and network. In our network, we get logs from a particular product called a NetScaler, which hides our source IPs, so that makes it a little challenging. Our goals are to tune LogRhythm further and utilize all the different modules that they do offer us. It is a challenge to get it all done.

We need to improve our internal training and use of it. We use it, but we don’t use it to its potential. It’s a very powerful and robust device and application. We don’t use it how we could.

The consolidation of the logs and being able to manage the items we have coming in -- all in one product -- has really helped this company a lot.

It's given us more insight into the traffic patterns that we see.

The ability to provide insights and simplification for complex volumes of information.

• Alerts to account usage errors.
• Reports of malware from the antivirus.
• Reports application errors presented in logs.

We used it primarily for security logging of events. We created reports based on traffic awareness for security.

Security analytics have definitely improved. It is definitely more dynamic than our old flat file archives system.

As a security organization, the key challenges and goal are data integrity and definitely user access to insure that certain sections are kept more secure than others.