
Securonix Security Analytics Overview

Securonix Security Analytics is the #3 ranked solution in our list of top User Behavior Analytics - UEBA tools. It is most often compared to Splunk: Securonix Security Analytics vs Splunk

What is Securonix Security Analytics?

SNYPR is a next-generation security analytics platform that transforms big data into actionable security intelligence. Built on a Hadoop big data security lake, SNYPR combines an open data model, log management, security incident and event management (SIEM), user and entity behavior analytics (UEBA) and fraud detection into a complete, end-to-end platform that can be deployed in its entirety or in flexible, modular components.

Securonix Security Analytics is also known as Securonix.

Securonix Security Analytics Buyer's Guide

Download the Securonix Security Analytics Buyer's Guide including reviews and more. Updated: September 2021

Securonix Security Analytics Customers

Dtex Systems

Pfizer

Western Union

Harris

ITG


Pricing Advice

What users are saying about Securonix Security Analytics pricing:
  • "We went in on a three-year agreement which has an annual licensing fee, based upon the number of people that we're monitoring. There have not been any additional costs to the standard licensing fees."
  • "We have a license from our 5.0, so that license just continued. We paid them the extra cloud-hosting costs for a year which were about $300,000."

Securonix Security Analytics Reviews

JM
IT Project Manager at a manufacturing company with 10,001+ employees
Real User
Behavioral profiles help us identify somebody who is engaging in anomalous behavior

Pros and Cons

  • "The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects... It's very easy to see people's patterns, what they typically do."
  • "[The solution has] incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it."
  • "We have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that."

What is our primary use case?

We use the solution for protection of engineering intellectual property. We currently look at engineering data in two systems, one a commercial system and one which is a homegrown system.

How has it helped my organization?

We've seen a couple of circumstances where people accessed data, especially in our internal application, and we weren't sure how they did it, because they shouldn't have been authorized to access it. We actually found a backdoor on our side. Their access did not go through that backdoor intentionally, but they did find a backdoor way to get the data. We shut that one down as soon as we found it.

The other thing we do, where it's been a big help, is that we have people who, from a process standpoint, bring down a ton more data than they should. They aren't doing something malicious, but there are ways to bring down simplified data subsets. We've been able to educate the users to take down simplified sets. In essence, that saves them time and effort in having to bring all that data down and then call it up and use it. It's really tough to put hard numbers on that but we have certainly seen a reduction in the amount of these high-volume downloads and it's really been because of a process change on the part of the users.

What is most valuable?

The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects, files from either the engineering or the homegrown application. It's very easy to see people's patterns, what they typically do. The system might identify somebody who is engaging in anomalous behavior. Especially with the product's rev 6, there are a lot of tools to go in and do investigations, even without talking to the person, to try to determine what were they doing. Is it a case that they normally don't do something but this looks like a legitimate action, or is it something we need to investigate? That is pretty neat.

What needs improvement?

It's tough in some cases for the solution to do it, but we have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that. That's a difficult problem to solve because it's very application-driven and very user-driven, based on what the user's role is.

For how long have I used the solution?

We started our implementation in October of 2016. We are currently on Revision 6.2 of Securonix using the SaaS cloud version.

What do I think about the stability of the solution?

The stability has been pretty good. On rev 5, once we got it going, it was very stable. We didn't find very many issues.

As we go from rev 5 to rev 6, the architecture's a little bit different and we have run into a couple of issues which they are in the process of fixing. Once those are fixed, we'll discontinue use of rev 5 and use rev 6 because we feel comfortable with what we're seeing in the data for rev 6.

The stability issues I mentioned are definitely bug-related. We had a call with Securonix's development management last week and they gave me a very good technical explanation of what was going on. It made sense but it was complicated. It had to do with the sequence of what they were doing and the data sources and how it's different in the architecture. These are just things they didn't expect to run into. Once they understood it, they started fixing it and making sure that it not only fixes our instance but other customers' instances, where they might have run into something similar.

What do I think about the scalability of the solution?

It's certainly extremely scalable. They have a lot of connectors into different data sources. We haven't identified a data source it seems we wouldn't be able to read in.

We certainly have plans to increase usage. We started this as more of a pilot with engineering data access on these two systems. Currently, on our homegrown system, there are about 20,000 users a month. On the commercial system, which houses a lot of the engineering model data, there are about 13,000 users. That's the number of people whose activities we're looking at. That's internal, customer employees, as well as contract-contingent workers, onsite and offsite.

Which solution did I use previously and why did I switch?

We didn't have a previous solution. On our homegrown system, we made a little bit of a homegrown solution, but the only thing it did was that if somebody had a high number of downloads, it would send us a note. On the commercial system, we were trapping things in the log, but the logs are typically about 1.5 million rows a day, and that's really tough to analyze by hand. That is why I said, "I can't do this. I need an analytics tool to do this." This was really the first analytics tool that we deployed for this particular purpose.

How was the initial setup?

For me, the system setup, itself, was of medium complexity because, for both applications, there were standard connections into them. We had to write our own queries. We learned from that. Our homegrown system was fairly easy because we just look for objects downloaded. Our other application looks for more than just these download events. So it was more complicated to come up with the query and then for us to come up with use cases to have the system analyzed. 

We find that that process is ongoing. From when we started, we've never really stopped improving how we're trying to get results with the system. From my experience, you don't set it up and you're done. It's very much an evolutionary process. As you learn more, you can help feed that into the system. You can say, "Oh, I thought this was a problem. You're saying it shouldn't be. Okay, I'll take care of that now and I won't flag that. Or I'll make a different peer group to analyze data against." For us, it's very much a continuous process so that we can improve and hopefully minimize what we think are things that we need to investigate.

In terms of how long our deployment took, to me, it is still evolving. If I look at the initial one that we did on rev 5, the system was set up in October and just after Christmas we were, for both sources, doing pretty well. We were getting very usable results. The homegrown one was very easy to implement and we got that one going before Christmas. The other one is a little more complicated and took about three months. We've constantly refined ever since. 

The implementation strategy, initially, was to apply it to these two applications but we didn't necessarily know what we would find, what the typical behavior would be. So we really needed to understand what people are doing, with our various use cases. Our strategy has been to continue to improve, to reduce the amount of time we take to look at data to see if something is an issue. And then, we're looking at a reading in more engineering data sources.

Currently, we're in the process of figuring out the best way to read in from a SharePoint Azure site, to get data from our SharePoint on what people are using for accessing documents. Then we're also looking at what we call data "exfiltration," which is: Did somebody take the data once they downloaded, did they send it to a printer, did they email it out? Did the data go somewhere off the computer of the user to somewhere else? Our strategy has included taking that to the next step.

When we move from rev 5 to rev 6, there are new capabilities, new enhancements, and so it took a few months to get ready. The best way to describe the move to rev 6 is that it's a totally different system. It's a SaaS environment. The one we have now is on-premise. What you do is re-set up the use cases that you are currently using and your policies and then re-ingest data, but from a shorter timespan. Because of what we were doing, it is a little more work. But the Securonix folks helped us with the initial setup and the data ingest. From our standpoint, it was just a matter of validating on our internal system for rev 5, how the data was looking in rev 6. It certainly took some time.

What about the implementation team?

The consultants from Securonix are key, from our standpoint. I have almost daily calls with them to talk about what are we seeing, what are we doing, how can we improve things. We actually have a team call with some of the Securonix consultants and management every week. We generate a weekly report of what we have run into that we need help on, what our accomplishments have been, and if there are any issues, what their statuses are. We have excellent communication with the Securonix consultant folks. They're very good.

What was our ROI?

For this kind of solution, unless you find somebody who physically took something and was going to sell it or try to, and you were able to recover it, it's really tough to put a monetary number on intellectual property loss. You would be making an assumption about what might have happened if the competition had it.

Still, I would certainly say that we have seen a return on investment. We haven't seen a return where we actually stopped our engineering IP from going out the door. Then we would definitely have an ROI because all it takes is stopping one person and you've paid for your investment over and over again.

But what we've been able to do, if nothing else, is to let more people know that we are aware, that we're watching what's going on. We've had factory managers who are actually appreciative and feel more comfortable knowing that someone is watching this information. Again, we're back to these intangibles, but our company very much sees the value in this and, as we move forward, we'll see even more value. It might cost us a little bit more but we'll see more ROI if we find out what's going on with things like data exfiltration.

What's my experience with pricing, setup cost, and licensing?

I can't say anything from a numbers standpoint, but we went in on a three-year agreement which has an annual licensing fee, based upon the number of people that we're monitoring. There have not been any additional costs to the standard licensing fees.

Which other solutions did I evaluate?

We did evaluate other options. The main competitor was Exabeam. My manager was the one who did a lot of the investigation of the various tools.

At the time, the competitor's system was extremely limited in the number of data sources it could read in, whereas Securonix had a lot of pre-made connectors. In our cases it had out-of-the-box connectors to the two data sources that we needed. We had to write our own query, but it could at least connect directly into the logs that we had.

The other thing that Securonix had, and the other one didn't, is incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it. Since it was all integrated, it was extremely helpful. That was one of the things that we liked. 

Also, at the time, Securonix was the most mature in the user and entity behavioral analytics, among the groups which offered that kind of functionality and software.

What other advice do I have?

The best advice is to make sure that you understand your use cases. For example, we said we want it to trap a high number of downloads, we want to see if people downloaded and then emailed out any of the objects. We came up with the use cases of what we wanted to check for even before we started our implementation. Then the Securonix people were able to better set up the individual threats that we were watching for.

The other thing that we do is we categorize our data. We say a given type of intellectual property is high, medium, or low. That way we know what we really want to protect. Somebody taking a nut or a bolt isn't the same thing as somebody taking a turbocharged engine and trying to sell it to somebody.

It took us a while to actually come up with a standard for categorizing and then to actually categorize, because there were millions and millions of objects or drawings that we needed to classify. That was a project in and of itself. We did that before we did any kind of analytics with Securonix. The first thing we did was classify our data.

When I took this role, they said, "Hey, we want you to protect our high IP." So I smiled and said, "So how can I tell what the high IP is?" And they said, "Oh, well it's in this folder." I said, "What happens when it's out of the folder? How do I know?" I wanted it so that the data could always tell me it's IP level, regardless of what folder it was in or even if it was out on someone's desktop. That's why, to me, that's the first thing that you need to do. Because otherwise, it's just hearsay in terms what's important to protect. If it's important to protect, label it and then we'll understand.

We look for ways for us, and for the system, to improve identifying things. For the majority, we've been happy for what's there. With typical software you run into software issues that might slow you down and you have to get them fixed. They've been very good about resolving issues when we find them, especially because we find stuff that is pretty unique because of what we're doing with application monitoring. It's so specific and it's really customized for how we've set this up.

There are just a handful of users of the solution. I'm the main one who works with the consultants. Otherwise, it's a group of just under ten people who are even able to get into Securonix and look at the information. Like me, most are in IT. There's one person in insider-threat security who helps with coordinating investigations. There's also someone on the business side, even though he is, in a way, more IT-related. He works for the engineering standards group on the business side.

In terms of deployment and maintenance of the product, we certainly rely on the Securonix folks. There was one main person we used for the deployment of Securonix. Sometimes that person had a second, and I was involved as well. Only three people, from our side, were involved in the actual deployment, although I needed people to write the query to ingest the data. But once that was done, I didn't need those people anymore.

Maintenance is done by me and the Securonix consultant. Since it's a SaaS environment, I have no idea how many people they have on their side, making sure that the system's working fine.

For what we're doing and what it can do, on a scale of one to ten, I would put it in the nine to ten range. The only reason I wouldn't say ten is that means it's always perfect. There are always issues. But I'd say it's at least a nine.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Amit Chopra
CEO/Executive Director at Iconic Engines
Real User
Top 20
Employee exit report helps us take preventive measures while cloud monitoring gives us SharePoint and Azure visibility

Pros and Cons

  • "One of the most valuable features it has is the thread chaining. One of the common issues that we always had was the number of anomalies that we used to get and the number of alerts that we used to get. But with this approach of thread chaining, we've found the false-positive rate has decreased very significantly. That was something that we never could have achieved before."
  • "One of the things they can improve on a little bit is the usability side, to make some things simpler... The tool does have a lot of knobs, you can turn a lot of things on and off and you can change things. Sometimes, it can become a little overwhelming. They should remove some confirmation options and make it simpler for the less mature customers and people who are still trying to grasp it."

What is our primary use case?

Our primary goal is insider trespass. We have also been using the product for account privilege misuse as well as intellectual property and data theft. Going into the cloud, we have expanded our scope to cloud applications. We never supported the cloud but now that we are using SaaS we've been able to cover cloud applications and cloud infrastructure. That use case is picking up a lot of speed. But, traditionally, it's been used for insider threat and account misuse.

How has it helped my organization?

One example of how it has helped our organization is with people who are exiting. We had a lot of issues when people were leaving the organization regarding what documents they were taking and what systems they had access to before they left. There were concerns about whether they did any sabotage or created any backdoors before they left. 

One of the very big areas of help from the solution is its exit report. Before a user leaves, it provides us with a 90-day report on that user; everything that user has done, what his behavior looked like, what systems he accessed, what data he took out. It gives us a complete picture and we are now able to provide that to HR. Our security team is also able to look at it, and it helps us in making sure that, before anybody leaves our organization, we have taken all the preventative measures and have made sure they're not taking any data. That has been a very crucial use case. 

The cloud has been a tremendous advance as well. We had no visibility into our cloud. Something that we never had with our traditional SIEM or any of our previous backbones was visibility into what people were uploading on our SharePoint, what people were accessing on our Azure. Cloud has definitely helped us with a lot of visibility and we are getting some good results. We hope they will get even better.

What is most valuable?

One of the most valuable features it has is the threat chaining. One of the common issues that we always had was the number of anomalies that we used to get and the number of alerts that we used to get. But with this approach of threat chaining, we've found the false-positive rate has decreased very significantly. That was something that we never could have achieved before.

It also has the ability to detect low and slow stuff. Whenever we've had any dormant issues or dormant malware - dormant processes which get executed much later - it has tremendously helped us with that.

What needs improvement?

One of the things they can improve on a little bit is the usability side, to make some things simpler. Maybe it's because of their customer base, but the tool does have a lot of knobs, you can turn a lot of things on and off and you can change things. Sometimes, it can become a little overwhelming. They should remove some confirmation options and make it simpler for the less mature customers and people who are still trying to grasp it.

For how long have I used the solution?

We were one of the early adopters of the product, so we've been using it for about eight years now. We just moved to version 6. We were on their previous version and we then migrated to 6.0. Currently, we are on the 6.2. release, and we are on their SaaS platform.

What do I think about the stability of the solution?

Regarding stability, one of the very big improvements between the previous version and this version of the product is that the current version has been a lot more stable. We've not had any downtime as of yet, except for maintenance windows. We've not seen any reports of the environment being down or data not being accessible. The current SaaS platform is pretty stable.

What do I think about the scalability of the solution?

Scalability-wise, it's great. I had some doubts when we started because they're using Solr and I heard some colleagues say that Solr would not be so scalable. But I was amazed at how they architected it. The scalability has been pretty good. We looked at a bunch of solutions, including Splunk. The search speed is pretty fast. We are able to search for data much faster than we were able to when we looked at Splunk Cloud.

The elasticity part is very helpful. If we give them a huge peak in EPS once in a while, or if our EPS drops down, it elastically grows very quickly, without any downtime or any issues. When our EPS increases the solution does not drop any data.

My team has raved about how well we are doing with searching and threat-hunting on it.

How are customer service and technical support?

We work with a lot of vendors and a lot of companies, but the support that we have gotten from Securonix, from their support and customer success teams, has been tremendous. They've always been able to help, and that's not just coming in, deploying the product, and going home. They've always been there to advise us, to help us out, and guide us.

We had a lot of issues with our data, in terms of how we were logging it, which attributes and which fields we were logging, and what information was available to the teams. They were very good about coming out and letting us know that we had all these data gaps and how we could fill them in, as well as with suggestions on how they could provide us with better value. 

They work with us to enable our teams to get them up and running. Overall, they've done some good hand-holding to get us where we are today.

Which solution did I use previously and why did I switch?

We used ArcSight. We started off by using ArcSight and Securonix in parallel. Over the years, once Securonix came up with the cloud offering, that was our main pivot point to move to Securonix. 

There were a lot of other reasons for the move. There was a lot of fatigue from the teams in terms of having to build the content, maintain the platform, manage it - the rules and everything else. In addition, we were going for a cloud-first strategy and we had a lot of cloud infrastructure that we were not able to manage. We were using machine learning, we were one of the early adopters of it. One of the most beneficial things we saw was the combination of having UBA, the SIEM, and data lake in a single platform. It used to be that our analyst would get an alert out of UBA and then go back into ArcSight, try to find the event for it, extract the event, investigate, and go to a different ticketing system to do the incident management. We wanted to combine all of it and have one product or one location for all.

How was the initial setup?

It was amazing how straightforward the SaaS product was. I did not expect that. The 5.0 that we had deployed was not that straightforward. It took some time and took some back and forth. But the current version was very smooth. All we had to do was spin up a VM and put one of their collectors on it. Somebody from one of our teams reported to me that it took about an hour or so to set it up.

We were able to do the upgrade of the collector ourselves. Their cloud operations team sent a notification letting us know and we just downloaded the file and it was a simple upgrade. When there are issues, of course, we reach out.

With the previous, on-prem version, the 5.0, we used to need a lot more help because there were more steps involved. But in the last one-and-a-half years, we've mostly done it ourselves. Because it's SaaS we don't have to worry about most of the components.

From what I understand, this current version is much faster to set up, when compared to the previous version.

In terms of our implementation strategy, we took the route that most people take: crawl, walk, run. We started off with two very simple use cases: people copying data to USBs, and uploading data over the web. Over time, we matured and kept on adding more sources, cleaning up our data, figuring out how UEBA works. It's been a journey.

What was our ROI?

We have definitely seen return on our investment. We've been using the solution for quite a while now, and ROI was one of the reasons we expanded the scope. We've definitely seen quite a lot of value. 

Our response time has gone down. We have also received a lot of benefit from their research team. We were recently exposed to their Threat Research Team. We got a lot of new indicators and a lot of new threats, that were not there previously in our environment, that their team had researched and come up with. 

We are getting quite good value. We have a lot better feedback from our SOC in terms of the usability when compared to ArcSight. We have a lot more visibility. We are getting a good return on our investment.

What's my experience with pricing, setup cost, and licensing?

We have an annual cloud license. We have a license from our 5.0, so that license just continued. We paid them the extra cloud-hosting costs for a year which were about $300,000. That's basically the whole cost.

The licensing fee is based on the number of identities and, other than that, it's just the hosting cost.

What other advice do I have?

My advice is that you should want the new, best product. I don't want to say there is no other way, but it scales and it works. If you don't have the manpower, if you don't have the technical skills to have it deployed on-premise and manage it - like us, we did not - I would definitely recommend going SaaS. The cloud offering is a game-changer. It would have been tough for us to deploy Hadoop on-premise and manage it and maintain it. We're not mature enough to handle Hadoop. So I would definitely recommend SaaS to anybody who's looking at Securonix.

The other thing I would recommend is monitoring cloud if you're going with SaaS. We didn't know there were so many things to monitor in our cloud infrastructure until we actually started monitoring it and figuring out the monitoring gaps.

Most of our security is running on Securonix. It's the backbone of our security so we are running quite a lot on it. We do plan to expand it. We are planning to see if it makes sense to add app data on it. We don't currently have a lot of application data flowing in. We have SAP and other applications that we are looking to add to this. We are also looking at if it makes sense to explore a little bit more on the network analytics side.

One of the key things they have improved on recently, when they moved from version 5 to version 6, is that version 5 was not scalable. It was running on a relational system and it was also a little complex to manage and run. Version 6 is a lot smoother and has a much better user interface. There is less operational overhead, because we don't have to manage it, at all. It's completely remotely managed.

We have six or seven people, specifically, who log in to the solution, not all at the same time. They are actively using it. Their roles vary from SOC to insider threat. We also have our response guys who log in, and then we have about two people who take action on threats. In terms of deployment and maintenance, this is all SaaS. In 5.0 we had about one to one-and-a-half people dedicated to it, but now we don't have any dedicated people. We just have one point of contact available on our ops side to look at any issues with the collector or if one of our data feeds has any issues. Again, it being SaaS, we have no administration overhead.

The tool has matured and it has definitely helped our program mature over time.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Adam Fousek
VP Engineering at a financial services firm with 501-1,000 employees
Video Review
Real User
Top 20
Puts a lot of contextual information into the events, eliminating individual searches and reducing case research time

Pros and Cons

  • "Customer support and making sure that we're successful has been one of the best features, one that we weren't even looking for during evaluation, but that's what we have found."
  • "Some of the user experience when doing threat-hunting, such as being able to see multiple types of analytics from different log sources in one view, would be beneficial. Right now, there are some limitations around that."

What is our primary use case?

Securonix is a SIEM solution for us. In our deployment, it's a software as a service model, so it's a hosted solution. We are feeding several log sources to it and correlating logs, searching, building alerts. It's our primary tool for analyzing logs and alerts for our entire environment.

How has it helped my organization?

The benefit we've seen is in reducing the number of alerts from stuff that we can tune out easily. Previously, in the solution we used, there wasn't that flexibility, so we received a lot of alerts that we knew were false positives that we easily just dismissed. But it took somebody's time to look at all of those and mark them as false positives. With Securonix the alerts are easier to tune. We can exclude certain log source types. That option wasn't available in solutions we've seen in the past. The ability to tune out stuff that we don't want to see allows the team focus on real events. That's been the biggest benefit.

One example of detection of a threat that would otherwise have gone unnoticed is that they have an alert for randomly generated domains. It's using our web gateway information to look at domains that our users are going to. It has the ability to look at randomly generated domains and investigate what those are and if anyone actually submitted anything to them. Phishing domains are very popular and we have seen users clicking on phishing emails and going to randomly generated domains that are spoofing login sites. Those are things that we found that we hadn't seen in the past.

The way that Securonix is able to put a lot of the contextual information into the events is very helpful. That has reduced the amount of time required for investigating, "Hey, this might be something I need to look at," and then doing further research. It puts all of those violations in one event or case, so that you can look at different types of violations that all correlate. That has reduced the amount of time for researching some of those cases. It's dependent upon the scenario, but in some cases it could save an hour of going out and doing a bunch of individual searches.

What is most valuable?

The most important feature is for it to be reliable and scalable so it is able to ingest the amount of logs we need in a timely manner, and then make those logs available to us for search in a very quick, reliable way.

Also, since it is capable of doing UEBA — the anomaly detection, with easy-to-create rules — as we build those rules, in some products we've used in the past, they would cause performance issues. But with Securonix that hasn't been an issue. So the ability to create rules and alerts in a viable way is also very important.

What needs improvement?

Some of the user experience when doing threat-hunting, such as being able to see multiple types of analytics from different log sources in one view, would be beneficial. Right now, there are some limitations around that. So some of the user experience when doing threat-hunting could be improved. That's the main point that I've seen that we're working with them on. 

How are customer service and technical support?

Technical support has been amazing. We have a lot of different security companies that we work with and with most of them it's very difficult to get competent folks to help. That's been a non-issue with Securonix. We meet regularly. Any issue we've had, they've had prompt resolutions. Customer support and making sure that we're successful has been one of the best features, one that we weren't even looking for during evaluation, but that's what we have found.

How was the initial setup?

The fact that we're using software as a service, so Securonix is hosting the infrastructure, has been a huge win for us. Before, we managed all of our SIEM on-premise. We had an appliance and we had to perform operating-system patches and upgrades to the system itself. 

Getting it set up was easy. We had nothing to do. They just told us when it was ready. Then we had to set up all of our log collection to their remote ingestion node and then send that up to the cloud. Setup was definitely easy and we've been able to onboard a lot of our log sources in the first month. It's just a lot of tuning from there. So the initial setup was much easier than in our previous experience.

What was our ROI?

Return on investment is having my security team focus on their jobs and not have to maintain a SIEM. That has definitely provided a lot of value.

In addition, not having issues with the base functionality is part of the ROI. We ran a different SIEM for over five years, and if anything was tweaked then we'd end up having support tickets and spending time resolving them and making the thing work. Not having to deal with that, it's hard to measure exactly the value, but it's been very refreshing that we're actually focusing on improving our security instead of just making the log system function.

What other advice do I have?

I would say Securonix is a nine out of 10. The core functionality is the best that I've seen in the market. Being able to execute on ingesting logs, building alerts, looking at anomalies, providing fast search, and being able to provide an extensive history available to search is a huge win for us. We're often investigating stuff that happened a long time ago. The only thing that we could work on is the user experience when doing threat-hunting, and they've been open to looking at that and exploring options. So I think that will improve also.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
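The reviewer above describes an alert that spots randomly generated (phishing or DGA-style) domains in web gateway traffic. The following is an added example of the kind of check a SOC might build for that, not Securonix's own detection logic and not code from the reviewer or the vendor. The proxy log layout, the field names (`user=`, `host=`, `method=`), the small second-level suffix set, and the entropy and vowel-ratio thresholds are all assumptions chosen for the example; the log lines are constructed. It also shows why character entropy on its own is a noisy signal: a long legitimate label such as `accountsecuritynotifications` scores above the entropy threshold and is only kept off the list by its vowel ratio.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of web-gateway (proxy) log lines. The field layout is an
# assumption made for this example, not the format of any real gateway.
SAMPLE_PROXY_LOG = """\
2021-09-14T10:02:11Z user=alice method=GET host=www.example.com status=200
2021-09-14T10:02:19Z user=alice method=POST host=login.example.com status=302
2021-09-14T10:03:04Z user=bob method=GET host=qx7vkz3tp9wrl.net status=200
2021-09-14T10:03:06Z user=bob method=POST host=qx7vkz3tp9wrl.net status=200
2021-09-14T10:05:41Z user=carol method=GET host=cdn.ghtr8shd2lk0pq.com status=200
2021-09-14T10:06:00Z user=carol method=GET host=accountsecuritynotifications.com status=200
2021-09-14T10:06:30Z user=dave method=GET host=mail.example.co.uk status=200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"host=(?P<host>\S+) status=(?P<status>\d+)$"
)

# Second-level labels that behave like part of the public suffix (e.g. "co" in
# example.co.uk). Hand-picked for the example; a real deployment would use the
# Public Suffix List instead.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov", "edu"}

# Thresholds are assumptions for the example; tune them against your own traffic.
ENTROPY_THRESHOLD = 3.2       # bits per character of the registrable label
VOWEL_RATIO_THRESHOLD = 0.25  # below this, the label does not look like words


def registrable_label(host: str) -> str:
    """Return the label just below the (approximate) public suffix."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES:
        labels = labels[:-2]  # drop "co.uk"-style two-part suffix
    else:
        labels = labels[:-1]  # drop the TLD
    return labels[-1] if labels else host.lower()


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


@dataclass
class Finding:
    user: str
    host: str
    label: str
    entropy: float
    vowel_ratio: float
    flagged: bool


def score_host(user: str, host: str) -> Finding:
    """Score one user/host pair; flag high entropy combined with few vowels."""
    label = registrable_label(host)
    entropy = shannon_entropy(label)
    vowels = sum(ch in "aeiou" for ch in label)
    ratio = vowels / len(label) if label else 0.0
    flagged = entropy >= ENTROPY_THRESHOLD and ratio < VOWEL_RATIO_THRESHOLD
    return Finding(user, host, label, round(entropy, 2), round(ratio, 2), flagged)


def scan_proxy_log(text: str) -> List[Finding]:
    """Parse the log and return one Finding per distinct user/host pair."""
    findings: List[Finding] = []
    seen = set()
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not match the assumed layout; skip it
        key = (m["user"], m["host"])
        if key in seen:
            continue
        seen.add(key)
        findings.append(score_host(m["user"], m["host"]))
    return findings


def flagged_hosts(text: str = SAMPLE_PROXY_LOG) -> Dict[str, List[str]]:
    """Map each user to the hosts that look algorithmically generated."""
    out: Dict[str, List[str]] = {}
    for f in scan_proxy_log(text):
        if f.flagged:
            out.setdefault(f.user, []).append(f.host)
    return out


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        mark = "FLAG" if f.flagged else "ok  "
        print(f"{mark} {f.user:6} {f.host:36} entropy={f.entropy} vowels={f.vowel_ratio}")
```

In the sample, `bob` and `carol` each get one flagged host, while the long but readable `accountsecuritynotifications.com` and the `example` hosts do not. A production version would add the follow-up the reviewer mentions (did the user POST to the flagged host?) and a domain-age or allow-list check before raising a case.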
GarySingh
Cyber Security Team Lead at Avalara
Video Review
Real User
Top 20
SaaS solution enables us to move away from tool management and still have a full-featured SIEM

Pros and Cons

  • "I was looking for software as a service rather than having issues with managing hardware, upgrades, updates. I was trying to step away from that. Those were the key factors when looking at Securonix as a full-feature SIEM with next-generation capabilities available."
  • "There is slight room for improvement in terms of the initial deployment. What I see is that Securonix is more focused on their product. They are expanding, in a big way, the number of customers. So there has to be a number of dedicated teams to jump on and speed up the deployment process."

What is our primary use case?

I work for Avalara. It's a tax technology company based in Seattle with offices all across the world: North Durham, California; Sao Paulo, Brazil; Brighton, UK; Pune, India; and we are expanding right now.

We have a list of use cases, like brute force attacks. Our top executive team wanted to see — whenever we are under a serious attack — on their dashboard that the attack is happening, so that the corrective measures can be taken. That is the primary use case: to have that transparency for a number of security use cases like brute force, phishing, and others, and for our executives and our team to see that attack is happening so that we can counter-measure it and save our company from any data exposure or any security incident.

What is most valuable?

I see Securonix as a full-featured SIEM. I was looking for a SIEM tool that has traditional SIEM as well as UEBA, and found Securonix to be a good fit for our company, Avalara.

Another good thing is that I was looking to move away from tool management. I was looking for software as a service rather than having issues with managing hardware, upgrades, updates. I was trying to step away from that. Those were the key factors when looking at Securonix as a full-feature SIEM with next-generation capabilities available.

What needs improvement?

There is slight room for improvement in terms of the initial deployment. What I see is that Securonix is more focused on their product. They are expanding, in a big way, the number of customers. So there has to be a number of dedicated teams to jump on and speed up the deployment process. We would like to partner with different teams that can implement and deploy it faster, whose only job is just to go to the client's site and deploy. Just do it. That's one improvement, based on my experience, that would definitely help them go a long way. Because the way they are expanding they need to focus, because the first impression is the last impression. During the initial one to two months of deployment, that momentum and that support you provide a client is very important. That first two months after a client buys it, how the deployment goes, leaves a long-lasting impression on the client and the team.

How are customer service and technical support?

In the initial setup itself we needed to dive deep into this. We had some deep technical questions and we were lucky that Securonix provided us with another technical resource. He really seemed knowledgeable.

And myself, I'm personally in touch with some of the technical people. We are getting that good support from them.

How was the initial setup?

For the initial setup a team was assigned and a command was set up, so it was pretty straightforward. We had already gone through a PoC. Coming from a SIEM background, I understand the whole architecture and the process that takes place. We were looking at reducing the timelines and, as we go through it, we are seeing that. The log integrations are pretty fast and, as I said, tool management is done at the backend. So, the initial setup is pretty good. We got logins the day we wanted them. They were assigned, and we are proceeding ahead with the deployment, and we're pretty close to it.

The strategy was to shorten the timeline. My COO and our company didn't want to waste time in long processes. So the strategy was to first have a list of log sources, prioritize them, and integrate the important ones, and the ones that could be integrated fast, immediately into the system. The second step was to streamline the rules, to baseline the rules initially. We already had our team to work on the alerts. The strategy was to get it up and running as fast as possible. We're doing it in phases. We have already done the first phase and with the second phase we are almost there. Within the first two months, we'll have most of the SIEM organization done as well as baselining of the rules done.

What other advice do I have?

I would rate the product at eight out of 10 right now, because there are scopes for improvement, operationally as well as technically. But they have definitely come a long way in a very short time, so I really give them eight-plus. There's definitely some scope for improvement operationally, and there are some technical features which need to be added.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Balamurali Vellalath
Practice Head-CyberSecurity at a tech services company with 1,001-5,000 employees
MSP
Top 5
Analytics platform has open security data-links and it is easy to deploy

Pros and Cons

  • "The feature that I have found most valuable is their analytics platform where they have the open security data-link, which they introduced. This is typically different from the other vendors."
  • "The pricing. I'm not sure how they are proceeding with the identity based pricing compared with DB pricing which most of the vendors are using today."

What is our primary use case?

In our organization, we handle cybersecurity. As an IT services company, we are limited to setting up the security operations center in different forms for our customers' requirements.

We are in the business of setting up the security operation center for the customers and we also provide other stock services for many of the customers. We do have a lot of service offerings on our stock management platform.

We do MDR via cloud security and its monitoring services, so we are very familiar with the leading platforms in the market today like QRadar and Splunk. We use them in our environment today. I have been searching out the next-gen SIEM. Then I brought Securonix to my board. I came to learn that Securonix is leading in the innovative ideas and innovations on the SIEM platform side. Particularly because my role is a security practice in Veeam SM. If you evaluate the market trends you understand the products released into the market and how best to leverage that integration and make sure that there is no bounce back to the customer in these situations. That's why I started evaluating the Securonix in a typical lead evaluation.

We are not partnered, we have just done a couple of initial discussions with some of the folks here in India. We are still in the stage of evaluating these products, including Securonix.

I noticed that this is more on the open data platform when it comes to managing the logs from a different angle and for different assets. That's one area which is more interesting for us.

Compared to other competitors in the market, what I have seen is that their module is the UEBA, User and Entity Behavior Analytics, module. That is something different which they are offering today.

These are some of the differences I see. Additionally, there is the pricing issue. They are moving from DB pricing to the identity-based pricing. But I'm still confused about that identity pricing. I still have to get more clarification from the products.

What is most valuable?

The feature that I have found most valuable is their analytics platform where they have the open security data-link, which they introduced. This is typically different from the other vendors.

What needs improvement?

As far as what can be improved, again it is the pricing. I'm not sure how they are proceeding with the identity-based pricing compared with DB pricing which most of the vendors are using today. Some of them are dealing with EPS based pricing.

What do I think about the stability of the solution?

There is still a need to evaluate the stability because we are very new to this platform. So we need some more time to do that.

How was the initial setup?

The initial setup is straightforward, it is easy to deploy.

Which other solutions did I evaluate?

We did evaluate other options before choosing Securonix. As an MSSP we use many products. It all depends on the kind of requirements we get from the customer. We evaluated QRadar and Splunk. As an MSSP, we use a combination of tools.

The major difference between Securonix and the rest is that their security data-link is very open and the hosting of that platform is much simpler compared to other vendors.

Because there is no proprietary thing involved here the log management should be much easier compared to others.

What other advice do I have?

On a scale of one to ten I would rate Securonix an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
RP
Regional Director, Customer Success (GTM Solutions & Services) at a tech services company with 51-200 employees
MSP
Top 5 Leaderboard
Bad integration and a very immature product with two failed attempts at implementation

Pros and Cons

  • "There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features."
  • "We thought they were going to be a great product, however, they're actually not great at all as an MSP."

What is our primary use case?

It was supposed to be good for security to provide as a SOC-as-a-Service, however, it failed.

How has it helped my organization?

The solution did not improve our customer's organizations at all. The implementation attempts were a complete failure. We had to move them to another product.

What is most valuable?

There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features.

What needs improvement?

We thought they were going to be a great product, however, they're actually not great at all as an MSP.

The integration is very bad.

The initial setup failed in both use cases.

The technical support is terrible and completely unhelpful.

The product itself needs a lot of work; it's very immature.

The stability isn't great.

For how long have I used the solution?

We never really properly used the solution. We tried, however, on the two clients we attempted to have use the solution, it completely fell flat.

What do I think about the stability of the solution?

The stability of the solution is not good. 

How are customer service and technical support?

Technical support is terrible. They are very bad. They are not helpful or responsive, and we were quite disappointed with the level of service on offer.

Which solution did I use previously and why did I switch?

We ended up moving our clients over to QRadar as this solution did not end up working for either of them.

How was the initial setup?

The initial setup failed. We had to move to a different solution completely. The installation process was terrible. It was not straightforward. 

What about the implementation team?

The implementation was done with the vendor, and the vendor failed on a number of areas to implement it.

What's my experience with pricing, setup cost, and licensing?

We did not pay a licensing fee. We moved away from the solution.

What other advice do I have?

We tried to implement it and we've taken it out. We've tried it with two clients, it failed, and therefore we moved them now to QRadar. It was terrible. It offered bad support and was a bad product, and everything that was promised wasn't able to be delivered.  

We canceled our partnership with them, and we've actually reverted the two clients that were supposed to go onto Securonix over to QRadar now.

We were trying to onboard two customers, and we ended up implementing this solution with neither of them.

I'd rate the solution at a five out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer
Sanjay-Kulkarni
Manager Security Operation Center at a tech services company with 51-200 employees
Real User
Top 10
A stable and scalable solution for small and medium-sized companies

Pros and Cons

  • "The solution is stable and scalable."
  • "We would like to see better integration with other products."

What is our primary use case?

We are a services company, so we provide services for our clients' companies.

What needs improvement?

We would like to see better integration with other products. 

For how long have I used the solution?

We have been using Securonix Security Analytics for around six months.

What do I think about the stability of the solution?

The solution is stable. 

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and technical support?

The technical support is okay. 

Which solution did I use previously and why did I switch?

We work with different SIEM solutions, including IBM QRadar and LogRhythm. Although I prefer IBM QRadar to Securonix Security Analytics, there are no features of this product that I wish to see included in it, as these two platforms are disparate.

The reason I prefer IBM QRadar is because we already utilize this solution with our customers, whereas with Securonix Security Analytics we are talking about a process which we have yet to complete. 

How was the initial setup?

The initial setup was relatively uncomplicated. It basically involved operations, with which we had some issues. 

What's my experience with pricing, setup cost, and licensing?

I cannot comment on pricing as this is not within my purview. 

What other advice do I have?

Our clientele includes small and medium-sized companies, not enterprise.

I rate Securonix Security Analytics as an eight out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: partner