Netsurion Initial Setup

Kevin Lohan - PeerSpot reviewer
Head of IT at a venture capital & private equity firm with 11-50 employees

The initial setup is straightforward. When it comes to configuring their servers and the main stations here, the process is fairly simple. Rolling out agents for all our intended applications is also relatively uncomplicated, as we are accustomed to deploying such items regularly. However, the true value lies in the subsequent steps, particularly in terms of integration. This integration involves working seamlessly with CrowdStrike, coordinating with firewalls, configuring routers, and setting up switches to transmit their Syslogs to the designated systems. This entire integration process remains quite straightforward due to the presence of their comprehensive knowledge base and their continuous collaboration with all products.

One of the topics under discussion today concerns a project in which my team and I are encountering a delay. This relates to our utilization of Kemp load balancers, both internally and externally. Essentially, these load balancers direct incoming traffic along various pathways based on resource availability and security parameters. Currently, these balancers are not reporting data to Netsurion Managed XDR, primarily due to its status as a specialized product and the previous lack of an integration guide. However, this has changed, and now there exists an integration guide. The delay for integration lies with us, and this process begins with an easily manageable initial deployment. However, as we expand and enhance the system, it has the potential to become complex due to its involvement in network-wide monitoring, which is our intended outcome.

Realistically, it may take a few months, approximately 90 days, to start deriving benefits from this initiative. Yet, even after this period, we are still in the process of integrating certain elements. These outstanding integrations are pending due to the involvement of my team members.

JD
Manager of Security and Networking at Shenandoah Valley Electric Cooperative

The deployment couldn't have been easier and required approximately three staff on our side. After installation, Netsurion doesn't require much maintenance aside from providing the resources for the solution to run on. We go through support to request upgrades and customization. They take care of all of that. We only need to allocate resources. 

JW
Cyber Security Specialist at a financial services firm with 11-50 employees

The onboarding process was complex. There was quite a learning curve, and few of our technical staff knew what they were talking about on the Netsurion side. But we were expected to do all the work. There were issues with the installers and the availability of people who could work through the code. I had a lot of concerns about what was being installed and how it was communicating online. It was not communicating securely.

I was hoping Netsurion could meet my expectations and have their developers fix the application to work more smoothly. Unfortunately, it took quite a bit longer than it should have to onboard. I have five companies that have a bunch of subsidiaries. Those five are using this product on probably a thousand endpoints total. We started with the first one about this time last year, and we've only just finished onboarding. The onboarding should have taken less than a month or two, but it ended up taking a year. That was a problem that we had with them, and it could potentially impact future business.

After we onboarded the first company, the learning curve went down. I found most of the cybersecurity issues in the initial deployment and would not move forward until we resolved them. That took a few months of our time. Netsurion showed some organization from a project management perspective, but there should have been more of a technical push from their side. 

As the customer, we had to provide many technical solutions, and I believe the onboarding would have gone faster if Netsurion had provided more technical resources, not just project people. The project people would push things to the next week instead of scheduling a technical person to fix that issue specifically. They were just logging hours rather than helping us move forward.

We expected that we would be fully deployed on all the discovered devices discussed before the start of the project within 90 days after we signed the contract. Things happen, so I wouldn't expect it all to get done in 90 days, but it should've been mostly done. You need to be at 80 to 90 percent before going to the SOC level and getting reports. That should've happened in under 90 days. Regardless of how many endpoints there are, there should be a real push to bring everything in within the first 90 days.

I think that's a short deadline. At 90 days, I would expect to have the devices onboarded at a minimum. At between 90 and 120 days, I expect to start seeing reports, even if they're very generalized. I expect to see what's talking and what's not. And if we're talking about the total maintenance, it's split. I would hope that Netsurion would be managing their web server, which is the receiving server that takes all the logs in. I'm doing some sorting that allows the agent that's installed to talk back.

Buyer's Guide
Netsurion
April 2024
Learn what your peers think about Netsurion. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,578 professionals have used our research since 2012.
RC
VP of IT Systems at Carteret-Craven Electric Cooperative

It is complex because we didn't really get that involved in the initial setup. They were the ones who called us, and said, "Okay, we're going to have this meeting. In this meeting, we are going to ask you a series of questions and whatever you tell us is what we are going to take care of." For example, what do you want your normal workday hours to be so we can tell that if an employee logs in at a certain time, which employees should be logging in after hours, and what systems should be talking over the weekend. They guided that discussion. It was a very easy discussion to have because they talked to us in terms of our business, not in terms of SIEM events. So, that was very good.

The initial deployment was 90 days. We signed on in August, then there was a 90-day period where we had to make sure that everything was operational. We knew this upfront. Next, we scheduled a few meetings after that. We used those next few meetings to tune the SIEM. So, we got everything in there that we expected to have over a period of weeks. They went through everything. It wasn't like drinking through a fire hose.

They were able to guide us, not giving us more information than we could handle. After we got past the initial setup period, we were able to start seeing reports. The first ones didn't make a whole lot of sense to us. However, over time, we were able to ask questions and the reports became more valuable because they were more tuned to our real environment. They began to suggest, "We now need to add in the connectors to SQL and Active Directory." We run an IBM i system, which is not a typical syslog or Windows event system. We were able to get that system set up and tuned with some reports so we could really look at our most critical systems from a security perspective. All of that happened over a period of time, yet it wasn't too rushed nor was it too slow.

RT
Network Manager at an energy/utilities company with 51-200 employees

The setup was actually quite easy as are the upgrades and the patches that we go through. The initial setup was a pretty simple walkthrough on their part. We bundled that in as part of the product when we purchased it. The agreement was that they'd do the setup themselves but we wanted a walkthrough as well so that we had some knowledge here. We didn't want them to just set it up and do a hand-over-the-keys deal. So we stepped through it together, which really means I did a lot of watching as they were doing a lot of the setup. 

We walked through it through a WebEx. I had the server side set up on our side. At that point it was just a matter of them leading: "We're going to go here. Where's your data storage? Tie that in, install." 

Out-of-the-box it was pretty straightforward and easy to use. We started pulling in all the clients as we pushed out the agents to the desktops; that was pretty easy. It was non-intrusive to our users, which is a big deal. We didn't want it to intrude on anybody. In fact, when we push out agent updates to desktops - it doesn't happen that often, maybe once or twice a year - those agent updates are seamless. Nobody's aware that that has even taken place. 

If you want to do it, they'll certainly help you through it. If you want them to do it, they'll allow you to just watch what their process is in case you want to do it the next time.

Our company has about 225 end-users. We obviously have more devices than that, but not more than about double that. In terms of deployment, it was just me involved from our side. 

We had things up and running within half a day, when we started doing a little bit of discovery and collecting. After a couple of days of letting it run through the system and doing discovery we found, "Those are the pieces that we've missed. Yeah, we're going to add this or that in." Now, we tend to roll through one-third or one-fourth of our desktops on an annual basis. We'll do the discovery - the agent installs pull those in. It requires very limited staff time on our part. Our helpdesk now installs the agent as they roll out a desktop, which is pretty easy. We pull it in, I validate. There's not a lot to it.

JosephSnyder - PeerSpot reviewer
CIO at a financial services firm with 201-500 employees

I was involved in the initial deployment. 

It was relatively straightforward as I recall. It's just deploying an agent. You need a server. We built that form, and they did most of the work for us.

We needed maybe one and a half people to handle the deployment. 

It doesn't really require much maintenance. During quarterly meetings, they will push updates to us; those are pretty low-impact.

We have a hybrid setup. They have a cloud-based component, and that's where the SOC sits. Then, there's an on-premise server that feeds to their cloud.

Gene Anderson - PeerSpot reviewer
IT Coordinator at a government with 51-200 employees

The initial setup was very straightforward. I have my own in-house expertise and experience when dealing with some log collection services. I know all the infrastructure. I handle all the infrastructure. From our standpoint, it was relatively straightforward because we are not that big of a shop.

Start-to-finish, the deployment took a while. It was over the course of several weeks, given that they had to schedule their staff as well as our staff because of the boots-on-the-ground stuff that we had to do. So, it did take time over the course of several weeks.

BS
IT Director at Global Connections Inc

Netsurion was easy to deploy. I have worked with other systems that were a little less complex, but they weren't quite as easy to deploy. It's on every machine we have in the enterprise, so technically, every person I have in this company is using the software, whether they realize it or not. My entire team is involved in going through reports and remediating. 

JB
Chief Information Security Officer at Samford University

When I got here, the CISO before me was retiring, and he was about 75 percent of the way through the implementation. I did about the last 25 percent of the agents. So I can't really speak to the setup.

But I can speak to upgrades, and those have gone seamlessly. That is part of the managed services that we contract with them. They do all the upgrades for us and make sure they perform correctly and make sure all the agent endpoints upgrade correctly. And if they don't upgrade correctly, they have to take whatever actions are necessary.

But I don't see why the initial setup wouldn't have been fairly straightforward, because of everything else I've seen in the tool. They seem to have really good documentation and they definitely have really good support staff, if I've got any kind of questions or problems at all.

The time an upgrade takes depends on if it's a major or a minor. If it's a minor upgrade, like a 0.1-type of upgrade, those usually take place overnight. Their headquarters are in Europe, so by the time I get into work at 7:00 a.m. Central, the smaller ones will often be done. Otherwise, they'll give us the outage window, and it depends. The 8.0 to 9.0 was almost like a forklift. It was almost like a whole new product. That one took six to eight hours.

But the great thing, the way their product is designed, is if the endpoints can't deliver their logs, they will just keep on collecting them locally. As soon as the server comes back online, they deliver them. I never lose anything. It's just I didn't have the ability to query during the upgrade period. That's another thing that's wonderful. It's not like I have some little moment in time that I sure hope something hasn't happened, because I don't have visibility. I do have visibility. It's just a matter of whether it is actually in the query tool yet or not.

When I first got here, we had some problems pushing out some updates and we never did really resolve it. It was something within our environment. They don't have that problem in other customers' environments. But they came up with a workaround. They're responsible for doing those, and it's been flawless.

We didn't have a competing product. This solution was just slowly pushed out to the various things that we wanted to collect data from. Initially, all of our on-prem servers had agents installed, including various versions of Windows, Unix, and Linux-type hosts, as well as our networking equipment and our firewall. Some of those things collect syslogs, while the Windows boxes, for example, have a real agent on them.

The process was that the console was stood up and we slowly went after our prioritized endpoints. Things like our domain controllers were first. We slowly moved down the priority list until we got to the low-value assets. Those were the ones that I implemented. So the critical components were already in place when I got here.

JH
Director of Application Development and Architecture at South Central Power Company

The initial setup was completely painless. They gave us a spec sheet for the on-premise server. We built a VM that matched that spec, and they then installed their software and got it up and running. We could be as involved or as uninvolved as we wanted to be; that was our choice. When it came to deploying the client pieces, they worked with us to identify which machine should get it and when. They took care of the pushing of that information out. When we started getting the data in, and it came time to start tweaking the rules, they took the lead on that as well. It really, truly was a painless process.

The deployment took less than a week. We had an analyst at that time who was running point on it. I wasn't even involved. I didn't need to be involved in it at that level. One of our entry-level analysts was able to work with them to get everything caught up.

I and one analyst are involved in the day-to-day maintenance of the application. Our entire IT staff, nine people, uses it for log review and incident correlation. We try to put the information out there for the rest of our team members to use.

JY
Sr. Information Technology Security Engineer at a university with 1,001-5,000 employees

The initial setup was several years ago, so I don't remember too much about it. The one thing that I do remember is there was like a database account that needed to be created, and there was some back and forth on that aspect. So, it took a little while to set up and get going.

Initially, we got it up and running, then we were going to deploy the agents on some noncritical servers to make sure that the EventTracker agent on the servers worked properly with collecting logs. 

BB
CIO at a computer software company with 501-1,000 employees

Some of it is a bit tedious. I am trying to get everything integrated for a lot of our servers and devices. That is a part of getting any managed SOC and intertwining them into our environment so they can start watching things.

In terms of maintenance, client-wise, when they do send out patches or any sort of client updates, we have to push them.

ML
Chief Information Officer at ECRMC

I have not been told that there were any issues when it was implemented. We have not done any major upgrades since I've been here. We've done incremental patch-type things but I don't know of any issues.

I did hear it was relatively labor-intensive, but that's because of all of the processes around the communication, like what gets communicated and what doesn't. That's to be expected anytime you're doing a lot of workflow work, that takes time.

There's daily maintenance in that they're responding to events or they're working on the tool. There is very little done as far as trying to make changes to the tool itself. Our information security team does respond to events. It's a chunk of their time. We don't have to spend a lot of time at all tweaking the tool. I wouldn't say we spend even an hour a day.

I have two people in InfoSec and a couple of people in my network team that review it. My help desk people will review it but they don't really use it per se. They'll see events and that's it. Most of the time that really goes to the information security team.

MO
Senior Director, Information Security at a pharma/biotech company with 1,001-5,000 employees

The initial setup was very straightforward. They stood it up, we started pointing log sources to it, and away it went.

They built the infrastructure, the receiving side of things, within a week. We were up and shipping logs within two weeks of the contract being signed.

In our particular case, and it's not a product issue but an operational issue, it took us until June or July of this year to get the logs rolled out or captured from the systems, after we started using it in February. The effective time window is that we've probably only had it for about three months. That was not because of the product. It took us that long to get the logs forwarded over to them.

The reason it took us so long was that we were, at the time, a pre-stage pharma. We didn't have product on the market yet. Just as we were bringing EventTracker into production here, we got approval for our first medication, which changed the nature of our operations from a research community to a fully controlled FDA manufacturing firm, as well. Change-control became a much stricter event. We missed the window to be able to push this out quickly, but it's nice to be commercial.

In terms of our deployment strategy, we had built a timeline or a set of change-controls that went through those several months to start rolling out. At the time we were doing this, we were getting to roll out Windows 10. So one of the first things we did was to build the logging into the core golden image. As Windows 10 boxes rolled out, they automatically started logging. We rolled out doing upgrades from Windows 2008 Servers. We did the same thing and put that into the image. On Active Directory it was pretty straightforward. The servers that were part of production, as far as manufacturing goes, those had to go in very specific windows based on production protocols. 

Overall, we built a project plan out such that every week and every month, from a production perspective, we would have windows where we could start to deploy. That's why it took so long.

DW
Network Engineer at a wholesaler/distributor with 201-500 employees

The setup was pretty straightforward. They needed to learn about our environment and I needed to provide a fair amount of information for that. We set up a system for them, and they did the configurations, primarily, and have continued to maintain them. We had an account rep, not a sales rep, but an actual Netsurion manager, who worked with us and their SOC and did the project management on their end. He worked directly with me and we had a number of web meetings and phone calls until it was up and going. Anytime there's a new version or new features, I'm still talking to the same guy.

Their assistance in the onboarding process certainly helped with the product's time to value. It would have taken a lot more time to set it up if we were doing it by ourselves. The setup required about 20 hours of my time and we had data coming in and being analyzed within a week, maybe a little longer, of the beginning of the project. It didn't take very long to get the core system up and going. After that, it was a matter of configuring all the systems in our environment to start reporting to it.

They maintain the system itself, but we have to make sure that clients are reporting to it. You get a report, and depending on the service level, a report you can run yourself, anytime you want. It's very easy to run, and you get a list of non-reporting systems. For example, we can see that Bob has been on vacation for two weeks, so it makes sense that his computer hasn't reported in in two weeks. But Joe has been working every day from the office for the same two weeks, and his computer hasn't reported for the last three days, so something probably needs to be looked at on Joe's computer.

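The non-reporting-systems triage described in the review above, as an added example that is not part of the review or of Netsurion's product: a silent endpoint is flagged for investigation only when the user assigned to it was seen logging on during the silent window, and is treated as idle otherwise. Host names, user names, timestamps and the two-day staleness threshold are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed inventory: last agent check-in per endpoint and its assigned user.
AGENT_CHECKINS = {
    "WS-BOB": {"user": "bob", "last_report": "2024-04-01T17:02:00"},
    "WS-JOE": {"user": "joe", "last_report": "2024-04-12T09:15:00"},
    "WS-ANN": {"user": "ann", "last_report": "2024-04-15T08:40:00"},
}

# Constructed logon records from an independent source already in the SIEM
# (for instance domain-controller logon events), one (user, day) per day seen.
USER_LOGONS = [
    ("bob", "2024-03-29"), ("bob", "2024-04-01"),
    ("joe", "2024-04-08"), ("joe", "2024-04-09"), ("joe", "2024-04-10"),
    ("joe", "2024-04-11"), ("joe", "2024-04-12"), ("joe", "2024-04-13"),
    ("joe", "2024-04-14"), ("joe", "2024-04-15"),
    ("ann", "2024-04-15"),
]

NOW = datetime(2024, 4, 15, 12, 0, 0)       # constructed "current time"
STALE_AFTER = timedelta(days=2)             # assumed staleness threshold


def triage_non_reporting(checkins, logons, now, stale_after):
    """Return {host: (status, days_silent)} for every endpoint.

    status is one of:
      "reporting"   - agent checked in within stale_after
      "idle"        - agent silent, but the user was not seen either
                      (e.g. on leave), so the silence is expected
      "investigate" - agent silent while the user was logging on, so the
                      endpoint is active but its logs are not arriving
    """
    # Index logon days by user so each endpoint lookup is cheap.
    seen_days = {}
    for user, day in logons:
        seen_days.setdefault(user, set()).add(datetime.fromisoformat(day).date())

    results = {}
    for host, info in checkins.items():
        last = datetime.fromisoformat(info["last_report"])
        gap = now - last
        if gap <= stale_after:
            results[host] = ("reporting", 0)
            continue
        # Days strictly after the last check-in on which the user was active.
        active_days = [
            d for d in seen_days.get(info["user"], ())
            if last.date() < d <= now.date()
        ]
        status = "investigate" if active_days else "idle"
        results[host] = (status, gap.days)
    return results


def run_example():
    return triage_non_reporting(AGENT_CHECKINS, USER_LOGONS, NOW, STALE_AFTER)


if __name__ == "__main__":
    for host, (status, days) in sorted(run_example().items()):
        print(f"{host:8} {status:12} silent {days} day(s)")
```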
RT
Senior Director of Information Security at a healthcare company with 5,001-10,000 employees

I joined the company while they were in the middle of deploying Netsurion, and I actually led the last phase of implementation, which was getting the agents installed through the endpoint. In my opinion, it was pretty straightforward, and the deployment took about 90 days. The only issue was getting their agent to work on some of the Apple products. The developers had to go back and tweak the agent to get it running on these systems. Netsurion's SOC helped walk us through the onboarding process. Without their support, we would've probably been extremely frustrated and unhappy. 

AY
Lead Security Analyst at a leisure / travel company with 1,001-5,000 employees

The initial setup was straightforward. They provided us concise instructions on how to deploy the agents. They provided us packages that we could then deploy within our package deployment mechanisms, and they supplied us with the necessary tools to be able to deploy the agents quickly and easily.

Netsurion's support during our deployment process was very good. They were very helpful and attentive to us as customers. Their assistance in the onboarding process certainly helped with the product's time-to-value because we were able to deploy the agents in a short period of time and to start getting actionable intelligence pretty quickly.

Within a couple of weeks of their providing us the packages, we started deploying agents and, within a couple of months, we already had enough logs being ingested to have at least some initial, actionable intelligence.

The implementation strategy was, first of all, to have enough collectors around our network to ingest the logs from the sources, and enough log source ports to be able to handle the quantity of log sources coming in. After that came the preparation of the agents and the mechanism through which the agents were to be deployed. This strategy helped to make the deployment faster and easier.

BC
Chief Technology Officer at G&G Outfitters, Inc.

The initial setup was straightforward because they did it. We just had to give them a virtual machine that met their specs, then they installed the software and got it all configured for us. So, it was pretty easy and only took a network engineer from our company.

It did not take more than a couple days to get everything installed, running, tuned, etc. We installed the software first, then we installed the agents second.

We have a network engineer doing the maintenance for it.

GF
Information Technology Coordinator at Magnolia Bank, Incorporated

The initial setup is complex. It really depends on what alerts and reports you're looking at and what you want to filter it down to. It really depends on how much data you're looking at capturing and how to get that configured, working with their team on getting that configured for you. It was a long process from start to finish.

Now that it's in place, there are hardly ever any issues or any hiccups with it. But the initial setup can be a little time-consuming. You have to make sure you have adequate time if you're going to implement SIEM or an event-log correlation system.

Our deployment took a good 60 to 90 days from start to finish, working through all the reports and filtering it down to what we wanted. That included our firewall logs and deploying it on all the machines.

We really didn't have an implementation strategy at that point. We were just trying to get it implemented as quickly as possible on our domain server. Then we expanded it to all of our servers inside our network and then all of our firewalls.

ML
Assistant LAN Administrator at a non-profit with 10,001+ employees

The initial setup was straightforward.
