Securonix Security Analytics Other Advice

Greg Stewart
Director of Intellectual Property Protection at a pharma/biotech company with 1,001-5,000 employees
The single thing I recommend most is understanding your environment and being able to articulate the risk and threat models. Securonix is very good now, better than when we first bought them, because we were early adopters. We're in the pharmaceutical space and they didn't have very many Pharmas. They were very good at financial institutions, the banks, the credit card companies and that sort of data, but when it came to risk and threat models for Pharma, we were so successful because we knew what we wanted. I had studied insider threat and behavior analysis for quite a while before we brought in Securonix and was able to start out with very accurate models and articulate things like the relationship between sender and recipient of emails. Is there generally a higher risk with one-to-one or one-to-many relationships on either side? If the data is in the body of an email or in an attachment, which is more important to me? Different models, like competitor domain or personal domain, or USB use: What are the most important things to know about your own environment? Be able to tell them in a way that helps them build the risk models. Probably in some environments, again, finance for example, where they've had years of experience, they could probably plug in a box and you could just throw all of your events at it and it would be accurate in at least pointing out the anomalies. But you would still need to be able to say what, in your environment, is bad and what is not. That is the single biggest thing: Know your own environment and they can build it to match your needs. The biggest lesson we've learned using Securonix, in hindsight, is that if we had paid the additional $45,000 to start with, in the cloud, we would have been years farther ahead. We're trying to stay very low-budget. We built the on-prem version and thought that was going to be sufficient, but we ran out of space and the ability to add new data sources and risk and threat models. The on-prem version became limiting. The biggest lesson we learned was that we probably should have spent what was not a lot more money and had the cloud, Hadoop-based version, much earlier in the game than we did. If I had a big enough staff, it would probably be preferable to do some of the back-end, hands-on coding ourselves, but I don't have that kind of talent on hand. Outside of that, we have no complaints about it. When we've asked them to make certain changes to the user interface or to workflow within the tool, they've been very quick to respond and make those subtle changes for us. Outside of that, we're fairly pleased with this platform. We have three intelligence analysts and they look at the events themselves, do the initial assessments, and write up the cases. I direct the team and I have one technical lead. I'm in the compliance division, so my team monitors for compliance with specific corporate policies. In addition, our IT department recently also purchased Securonix and they're building a platform on software risk to complement the insider threat that I have. There are currently five users there. The Securonix team does all of the back-end work because it's housed entirely in their cloud. Overall, I would give Securonix a ten out of ten. We've been extremely happy with them as a company and as a product. The product has been very good for my career. But again, we put the time into making it accurate right from the start so we have found some fairly significant things. I feel the product is accurate. Whenever we have worked with the company, they've been a good bunch to work with. I'm happy to stand up on their behalf. It's been a true partnership with Securonix, more than that we just license their product and use it. View full review »
IT Project Manager at a manufacturing company with 10,001+ employees
The best advice is to make sure that you understand your use cases. For example, we said we want it to trap a high number of downloads, we want to see if people downloaded and then emailed out any of the objects. We came up with the use cases of what we wanted to check for even before we started our implementation. Then the Securonix people were able to better set up the individual threats that we were watching for. The other thing that we do is we categorize our data. We say a given type of intellectual property is high, medium, or low. That way we know what we really want to protect. Somebody taking a nut or a bolt isn't the same thing as somebody taking a turbocharged engine and trying to sell it to somebody. It took us a while to actually come up with a standard for categorizing and then to actually categorize, because there were millions and millions of objects or drawings that we needed to classify. That was a project in and of itself. We did that before we did any kind of analytics with Securonix. The first thing we did was classify our data. When I took this role, they said, "Hey, we want you to protect our high IP." So I smiled and said, "So how can I tell what the high IP is?" And they said, "Oh, well it's in this folder." I said, "What happens when it's out of the folder? How do I know?" I wanted it so that the data could always tell me it's IP level, regardless of what folder it was in or even if it was out on someone's desktop. That's why, to me, that's the first thing that you need to do. Because otherwise, it's just hearsay in terms what's important to protect. If it's important to protect, label it and then we'll understand. We look for ways for us, and for the system, to improve identifying things. For the majority, we've been happy for what's there. With typical software you run into software issues that might slow you down and you have to get them fixed. They've been very good about resolving issues when we find them, especially because we find stuff that is pretty unique because of what we're doing with application monitoring. It's so specific and it's really customized for how we've set this up. There are just a handful of users of the solution. I'm the main one who works with the consultants. Otherwise, it's a group of just under ten people who are even able to get into Securonix and look at the information. Like me, most are in IT. There's one person in insider-threat security who helps with coordinating investigations. There's also someone on the business side, even though he is, in a way, more IT-related. He works for the engineering standards group on the business side. In terms of deployment and maintenance of the product, we certainly rely on the Securonix folks. There was one main person we used for the deployment of Securonix. Sometimes that person had a second, and I was involved as well. Only three people, from our side, were involved in the actual deployment, although I needed people to write the query to ingest the data. But once that was done, I didn't need those people anymore. Maintenance is done by me and the Securonix consultant. Since it's a SaaS environment, I have no idea how many people they have on their side, making sure that the system's working fine. For what we're doing and what it can do, on a scale of one to ten, I would put it in the nine to ten range. The only reason I wouldn't say ten is that means it's always perfect. There are always issues. But I'd say it's at least a nine. View full review »
Chief Technology Officer at a tech vendor with 51-200 employees
If you're looking for an analytics-based system, which is what everybody should look at, and if you are thinking of something that provides a quick return on investment, then you should definitely look at Securonix, in addition to doing your due diligence with other products. Definitely have Securonix in the mix if you're looking for actionable threats, flat pricing, and a cloud-based solution. The biggest eye-opener is how wonderful the cloud environment is. There is a whole new universe of threats that get exposed by moving to the cloud. It has all these benefits, but it also reveals a lot of risks. So there's a lot of work. Businesses will continue to adopt the cloud, and security has a lot of catch-up work to do to secure data in the cloud. But Securonix is bringing those issues to the front and we are coping with them, one thing at a time. This is our single pane of glass for monitoring threats to our environment. It's being used companywide for monitoring purposes. It's our 24/7 eyes on glass. There are certain applications that we have not integrated yet and there are new applications that we continue to onboard. As we grow, and as we bring in more devices, we will want to integrate them into this platform. It is always a work in progress. Our analyst who goes in and looks at the threats is the primary user of the system. There are also secondary users. For example, the compliance team looks at all the compliance reports that they need to meet the requirements we are bound by. They have their own use-cases that they look for. As the CTO, I have dashboards that I look at to monitor the overall health of our security posture. We also have investigators who look at specific investigations. If there is something that involves HR or our legal team, that becomes a case that we need to track. From a deployment perspective, we had one person working part-time with the Securonix PS team for the first four weeks. After that, Securonix went away and that part-time resource continued to work on it. The part-time resource for deployment is a point of contact for Securonix. We need to send them data. We can tell them, "Hey, these are the data sources that we want to prioritize," in the first four weeks, for example, and this is the data we are going to send you. This person is the point of contact for them to coordinate with our internal teams to make sure the data is fed correctly and that we have scheduled the imports, etc. In terms of maintenance, there is none for us because they do it. View full review »
Find out what your peers are saying about Securonix Solutions, Splunk, Exabeam and others in Security Information and Event Management (SIEM). Updated: February 2020.
397,408 professionals have used our research since 2012.
Edward Ruprecht
Lead Cyber Security Engineer at a insurance company with 1,001-5,000 employees
From a positive standpoint, with Securonix, or with any UEBA vendor, but specifically Securonix as that's the one that we're using, it definitely overcomes a lot of the challenges with trying to understand what's normal and what's not normal in an environment. With the traditional SIEM rules, it's very difficult to tune some of the policies to understand what is normal for your environment. That's really helped us quite a bit. Another thing that might be helpful regarding understanding the platform is that it takes a little bit of time to come up with the behavior profiles. It might take 30 days, depending on what you're trying to look at, before you start seeing some alerts trigger, because you're looking at things over a longer period of time. The biggest lesson I've learned using Securonix is that with behavioral analytics, and any UEBA vendor, it does reduce some of the alerts but it also has the potential to create additional volume or additional alerts, which could be good or bad. So just understand that there definitely is the potential to get a lot more security alerts as a result of using the product. The way we try to work around the increase is through the ability to tune some of the policies to remove some of the few things that produce known noise. The biggest thing is just tuning things out, where applicable. Another is by leveraging their threat models. Correlating several different policies together, which are part of a threat model, might provide a little bit more context. As an example, if two of these three policies fire within a certain period of time, it might be a little more interesting than just, say, this one stand-alone policy triggering by itself. The behavior analytics probably doesn't help us to prioritize advanced threats. It's just the nature of UEBA, I don't think it's necessarily a reflection of Securonix. But one of the challenges with being able to detect a lot of rare activity or anomalous activity is that you tend to find there's a lot more rare stuff happening in your environment than you would expect. It helps us, but sometimes it has the potential to create a little bit more noise as well. With SNYPR, they have what's called SNYPREye which monitors the cloud solutions of SNYPR to detect if there is any type of operational issue. We have five people on our team who use Securonix. They're security threat analysts. They all have the same feelings that I do: That it's very helpful with security monitoring, and that it also provides threat-hunting and investigations on users. We have shared roles, so I wouldn't say we have dedicated focus on just Securonix. We're a small team that does a little bit of everything. At a minimum, if we didn't have that shared focus, maintenance of Securonix would take one full-time resource. View full review »
Amit Chopra
CEO/Executive Director at Iconic Engines
My advice is that you should want the new, best product. I don't want to say there is no other way, but it scales and it works. If you don't have the manpower, if you don't have the technical skills to have it deployed on-premise and manage - like us, we did not - I would definitely recommend going SaaS. The cloud-offering is a game-changer. It would have been tough for us to deploy Hadoop on-premise and manage it and maintain it. We're not mature enough to handle Hadoop. So I would definitely recommend SaaS to anybody who's looking that Securonix. The other thing I would recommend is monitoring cloud if you're going with SaaS. We didn't know there were so many things to a monitor in our cloud infrastructure until we actually started monitoring it and figuring out the monitoring gaps. Most of our security is running on Securonix. It's the backbone of our security so we are running quite a lot on it. We do plan to expand it. We are planning to see if it makes sense to add app data on it. We don't currently have a lot of application data flowing in. We have SAP and other applications that we are looking to add to this. We are also looking at if it makes sense to explore a little bit more on the network analytics side. One of the key things they have improved on recently, when they moved from version 5 to version 6, is that version 5 was not scalable. It was running on a relational system and it was also a little complex to manage and run. Version 6 is a lot smoother and has a much better user interface. There is less operational overhead, because we don't have to manage it, at all. It's completely remotely managed. We have six or seven people, specifically, who log in to the solution, not all at the same time. They are actively using it. Their roles vary from SOC to insider threat. We also have our response guys who log in, and then we have about two people who take action on threats. In terms of deployment and maintenance, this is all SaaS. In 5.0 we had about one to one-and-a-half people dedicated to it, but now we don't have any dedicated people. We just have one point of contact available on our ops side to look at any issues with the collector or if one of our data feeds has any issues. Again, it being SaaS, we have no administration overhead. The tool has matured and it has definitely helped our program mature over time. View full review »
Leader - Investigations, Insider Threat at a tech services company with 1,001-5,000 employees
The biggest lesson we have learned from using Securonix is to start small. Don't throw everything at it. Start with one single use case and build out. Don't throw all the use cases into it at once. Otherwise, it's too much work, you get flooded with too much data, you can't focus on what's important, and you can't clean it as quickly. You can clean it, but it will take a lot of time. My advice is to go with the cloud solution and, as I said, start small. Don't try to ingest everything at once. And don't create use cases for everything under the sun. Because we're on-prem, we've had to both focus on threats and on the engineering of the platform. They provide support, but we still have some engineering overhead on our side. We have five users using it and they're all investigator-analysts. We deployed with the help of four people who are security engineers, and maintenance is pretty much done by the two Securonix support people we have. Overall, I would rate Securonix at eight out of ten. We're still going through it, developing, learning, and we find issues. View full review »
Practice Head-CyberSecurity at a tech services company with 1,001-5,000 employees
On a scale of one to ten I would rate Securonix an eight. View full review »
SVP Insider Threat at a financial services firm with 10,001+ employees
I'm not an engineer, I'm a consumer of the tool. It's doing what it's been asked to do. It's really all about use cases and having the data. You have to have your use cases well-defined and make sure you can feed Securonix the data. You should definitely do a PoC. Never buy anything without checking it out first. I wouldn't say the solution's behavior analytics has helped to prioritize advanced threats. Regarding the Hadoop piece, I would compare it to the way I drive a car. I put gas in it and I don't care what kind of engine is in there, how the engine works. I just turn the key and the car starts. The users are our security operations team, which has about a dozen people. We use it on a day-to-day basis. We'll increase the use cases. View full review »
Find out what your peers are saying about Securonix Solutions, Splunk, Exabeam and others in Security Information and Event Management (SIEM). Updated: February 2020.
397,408 professionals have used our research since 2012.