We just raised a $30M Series A: Read our story

Securonix Security Analytics OverviewUNIXBusinessApplication

Securonix Security Analytics is the #3 ranked solution in our list of top User Behavior Analytics - UEBA tools. It is most often compared to Splunk: Securonix Security Analytics vs Splunk

What is Securonix Security Analytics?

SNYPR is a next-generation security analytics platform that transforms big data into actionable security intelligence. Built on a Hadoop big data security lake, SNYPR combines an open data model, log management, security incident and event management (SIEM), user and entity behavior analytics (UEBA) and fraud detection into a complete, end-to-end platform that can be deployed in its entirety or in flexible, modular components.

Securonix Security Analytics is also known as Securonix.

Securonix Security Analytics Buyer's Guide

Download the Securonix Security Analytics Buyer's Guide including reviews and more. Updated: October 2021

Securonix Security Analytics Customers

Dtex Systems

Pfizer

Western Union

Harris

ITG

Securonix Security Analytics Video

Archived Securonix Security Analytics Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
JM
IT Project Manager at a manufacturing company with 10,001+ employees
Real User
Behavioral profiles help us identify somebody who is engaging in anomalous behavior

Pros and Cons

  • "The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects... It's very easy to see people's patterns, what they typically do."
  • "[The solution has] incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it."
  • "We have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that."

What is our primary use case?

We use the solution for protection of engineering intellectual property. We currently look at engineering data in two systems, one a commercial system and one which is a homegrown system.

How has it helped my organization?

We've seen a couple of circumstances where people accessed data, especially in our internal application, and we weren't sure how they did it, because they shouldn't have been authorized to access it. We actually found a backdoor on our side. Their access did not go through that backdoor intentionally, but they did find a backdoor way to get the data. We shut that one down as soon as we found it.

The other thing we do, where it's been a big help, is that we people who, from a process standpoint, bring down a ton more data than they should. They aren't doing something malicious, but there are ways to bring down simplified data subsets. We've been able to educate the users to take down simplified sets. In essence, that saves them time and effort in having to bring all that data down and then call it up and use it. It's really tough to put hard numbers on that but we have certainly seen a reduction in the amount of these high-volume downloads and it's really been because of a process change on the part of the users.

What is most valuable?

The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects, files from either the engineering or the homegrown application. It's very easy to see people's patterns, what they typically do. The system might identify somebody who is engaging in anomalous behavior. Especially with the product's rev 6, there are a lot of tools to go in and do investigations, even without talking to the person, to try to determine what were they doing. Is it a case that they normally don't do something but this looks like a legitimate action, or is it something we need to investigate? That is pretty neat.

What needs improvement?

It's tough in some cases for the solution to do it, but we have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that. That's a difficult problem to solve because it's very application-driven and very user-driven, based on what the user's role is.

For how long have I used the solution?

We started our implementation in October of 2016. We are currently on Revision 6.2 of Securonix ( /products/securonix-security-analytics-reviews ) using the SaaS cloud version.

What do I think about the stability of the solution?

The stability has been pretty good. On rev 5, once we got it going, it was very stable. We didn't find very many issues.

As we go from rev 5 to rev 6, the architecture's a little bit different and we have run into a couple of issues which they are in the process of fixing. Once those are fixed, we'll discontinue use of rev 5 and use rev 6 because we feel comfortable with what we're seeing in the data for rev 6.

The stability issues I mentioned are definitely bug-related. We had a call with Securonix's development management last week and they gave me a very good technical explanation of what was going on. It made sense but it was complicated. It had to do with the sequence of what they were doing and the data sources and how it's different in the architecture. These are just things they didn't expect to run into. Once they understood it, they started fixing it and making sure that it not only fixes our instance but other customers' instances, where they might have run into something similar.

What do I think about the scalability of the solution?

It's certainly extremely scalable. They have a lot of connectors into different data sources. We haven't identified a data it seems we wouldn't be able to read in.

We certainly have plans to increase usage. We started this as more of a pilot with engineering data access on these two systems. Currently, on our homegrown system, there are about 20,000 users a month. On the commercial system, which houses a lot of the engineering model data, there about 13,000 users. That's the number of people whose activities we're looking at. That's internal, customer employees, as well as contract-contingent workers, onsite and offsite.

Which solution did I use previously and why did I switch?

We didn't have a previous solution. On our homegrown system, we made a little bit of a homegrown solution, but the only thing it did was that if somebody had a high number of downloads, it would send us a note. On the commercial system, we were trapping things in the log, but the logs are typically about 1.5 million rows a day, and that's really tough to analyze by hand. That is why I said, "I can't do this. I need an analytics tool to do this." This was really the first analytics tool that we deployed for this particular purpose.

How was the initial setup?

For me, the system setup, itself, was of medium complexity because, for both applications, there were standard connections into them. We had to write our own queries. We learned from that. Our homegrown system was fairly easy because we just look for objects downloaded. Our other application looks for more than just these download events. So it was more complicated to come up with the query and then for us to come up with use cases to have the system analyzed. 

We find that that process is ongoing. From when we started, we've never really stopped improving how we're trying to get results with the system. From my experience, you don't set it up and you're done. It's very much an evolutionary process. As you learn more, you can help feed that into the system. You can say, "Oh, I thought this was a problem. You're saying it shouldn't be. Okay, I'll take care of that now and I won't flag that. Or I'll make a different peer group to analyze data against." For us, it's very much a continuous process so that we can improve and hopefully minimize what we think are things that we need to investigate.

In terms of how long our deployment took, to me, it is still evolving. If I look at the initial one that we did on rev 5, the system was set up in October and just after Christmas we were, for both sources, doing pretty well. We were getting very usable results. The homegrown one was very easy to implement and we got that one going before Christmas. The other one is a little more complicated and took about three months. We've constantly refined ever since. 

The implementation strategy, initially, was to apply it to these two applications but we didn't necessarily know what we would find, what the typical behavior would be. So we really needed to understand what people are doing, with our various use cases. Our strategy has been to continue to improve, to reduce the amount of time we take to look at data to see if something is an issue. And then, we're looking at a reading in more engineering data sources.

Currently, we're in the process of figuring out the best way to read in from a SharePoint Azure site, to get data from our SharePoint on what people are using for accessing documents. Then we're also looking at what we call data "exfiltration," which is: Did somebody take the data once they downloaded, did they send it to a printer, did they email it out? Did the data go somewhere off the computer of the user to somewhere else? Our strategy has included taking that to the next step.

When we move from rev 5 to rev 6, there are new capabilities, new enhancements, and so it took a few months to get ready. The best way to describe the move to rev 6 is that it's a totally different system. It's a SaaS environment. The one we have now is on-premise. What you do is re-set up the use cases that you are currently using and your policies and then re-ingest data, but from a shorter timespan. Because of what we were doing, it is a little more work. But the Securonix folks helped us with the initial setup and the data ingest. From our standpoint, it was just a matter of validating on our internal system for rev 5, how the data was looking in rev 6. It certainly took some time.

What about the implementation team?

The consultants from Securonix are key, from our standpoint. I have almost daily calls with them to talk about what are we seeing, what are we doing, how can we improve things. We actually have a team call with some of the Securonix consultants and management every week. We generate a weekly report of what we have run into that we need help on, what our accomplishments have been, and if there are any issues, what their statuses are. We have excellent communication with the Securonix consultant folks. They're very good.

What was our ROI?

For this kind of solution, unless you find somebody who physically took something and was going to sell it or try to, and you were able to recover it, it's really tough to put a monetary number on intellectual property loss. You would be making an assumption about what might have happened if the competition had it.

Still, I would certainly say that that we have seen a return on investment. We haven't seen a return where we actually stopped our engineering IP from going out the door. Then we would definitely have an ROI because all it takes is stopping one person and you've paid for your investment over and over again.

But what we've been able to do, if nothing else, is to let more people know that we are aware, that we're watching what's going on. We've had factory managers who are actually appreciative and feel more comfortable knowing that someone is watching this information. Again, we're back to these intangibles, but our company very much sees the value in this and, as we move forward, we'll see even more value. It might cost us a little bit more but we'll see more ROI if we find out what's going on with things like data exfiltration.

What's my experience with pricing, setup cost, and licensing?

I can't say anything from a numbers standpoint, but we went in on a three-year agreement which has an annual licensing fee, based upon the number of people that we're monitoring. There have not been any additional costs to the standard licensing fees.

Which other solutions did I evaluate?

We did evaluate other options. The main competitor was Exabeam. My manager was the one who did a lot of the investigation of the various tools.

At the time, the competitor's system was extremely limited in the number of data sources it could read in, whereas Securonix had a lot of pre-made connectors. In our cases it had out-of-the-box connectors to the two data sources that we needed. We had to write our own query, but it could at least connect directly into the logs that we had.

The other thing that Securonix had, and the other one didn't, is incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it. Since it was all integrated, it was extremely helpful. That was one of the things that we liked. 

Also, at the time, Securonix was the most mature in the user and entity behavioral analytics, among the groups which offered that kind of functionality and software.

What other advice do I have?

The best advice is to make sure that you understand your use cases. For example, we said we want it to trap a high number of downloads, we want to see if people downloaded and then emailed out any of the objects. We came up with the use cases of what we wanted to check for even before we started our implementation. Then the Securonix people were able to better set up the individual threats that we were watching for.

The other thing that we do is we categorize our data. We say a given type of intellectual property is high, medium, or low. That way we know what we really want to protect. Somebody taking a nut or a bolt isn't the same thing as somebody taking a turbocharged engine and trying to sell it to somebody.

It took us a while to actually come up with a standard for categorizing and then to actually categorize, because there were millions and millions of objects or drawings that we needed to classify. That was a project in and of itself. We did that before we did any kind of analytics with Securonix. The first thing we did was classify our data.

When I took this role, they said, "Hey, we want you to protect our high IP." So I smiled and said, "So how can I tell what the high IP is?" And they said, "Oh, well it's in this folder." I said, "What happens when it's out of the folder? How do I know?" I wanted it so that the data could always tell me it's IP level, regardless of what folder it was in or even if it was out on someone's desktop. That's why, to me, that's the first thing that you need to do. Because otherwise, it's just hearsay in terms what's important to protect. If it's important to protect, label it and then we'll understand.

We look for ways for us, and for the system, to improve identifying things. For the majority, we've been happy for what's there. With typical software you run into software issues that might slow you down and you have to get them fixed. They've been very good about resolving issues when we find them, especially because we find stuff that is pretty unique because of what we're doing with application monitoring. It's so specific and it's really customized for how we've set this up.

There are just a handful of users of the solution. I'm the main one who works with the consultants. Otherwise, it's a group of just under ten people who are even able to get into Securonix and look at the information. Like me, most are in IT. There's one person in insider-threat security who helps with coordinating investigations. There's also someone on the business side, even though he is, in a way, more IT-related. He works for the engineering standards group on the business side.

In terms of deployment and maintenance of the product, we certainly rely on the Securonix folks. There was one main person we used for the deployment of Securonix. Sometimes that person had a second, and I was involved as well. Only three people, from our side, were involved in the actual deployment, although I needed people to write the query to ingest the data. But once that was done, I didn't need those people anymore.

Maintenance is done by me and the Securonix consultant. Since it's a SaaS environment, I have no idea how many people they have on their side, making sure that the system's working fine.

For what we're doing and what it can do, on a scale of one to ten, I would put it in the nine to ten range. The only reason I wouldn't say ten is that means it's always perfect. There are always issues. But I'd say it's at least a nine.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Amit Chopra
CEO/Executive Director at Iconic Engines
Real User
Employee exit report helps us take preventive measures while cloud monitoring gives us SharePoint and Azure visibility

Pros and Cons

  • "One of the most valuable features it has is the thread chaining. One of the common issues that we always had was the number of anomalies that we used to get and the number of alerts that we used to get. But with this approach of thread chaining, we've found the false-positive rate has decreased very significantly. That was something that we never could have achieved before."
  • "One of the things they can improve on a little bit is the usability side, to make some things simpler... The tool does have a lot of knobs, you can turn a lot of things on and off and you can change things. Sometimes, it can become a little overwhelming. They should remove some confirmation options and make it simpler for the less mature customers and people who are still trying to grasp it."

What is our primary use case?

Our primary goal is insider trespass. We have also been using the product for account privilege misuse as well as intellectual property and data theft. Going into the cloud, we have expanded our scope to cloud applications. We never supported the cloud but now that we are using SaaS we've been able to cover cloud applications and cloud infrastructure. That use case is picking up a lot of speed. But, traditionally, it's been used for insider threat and account misuse.

How has it helped my organization?

One example of how it has helped our organization is with people who are exiting. We had a lot of issues when people were leaving the organization regarding what documents they were taking and what systems they had access to before they left. There were concerns about whether they did any sabotage or created any backdoors before they left. 

One of the very big areas of help from the solution is its exit report. Before a user leaves, it provides us with a 90-day report on that user; everything that user has done, what his behavior looked like, what systems he accessed, what data he took out. It gives us a complete picture and we are now able to provide that to HR. Our security team is also able to look at it, and it helps us in making sure that, before anybody leaves our organization, we have taken all the preventative measures and have made sure they're not taking any data. That has been a very crucial use case. 

The cloud has been a tremendous advance as well. We had no visibility into our cloud. Something that we never had with our traditional SIEM or any of our previous backbones was visibility into what people were uploading on our SharePoint, what people were accessing on our Azure. Cloud has definitely helped us with a lot of visibility and we are getting some good results. We hope they will get even better.

What is most valuable?

One of the most valuable features it has is the threat chaining. One of the common issues that we always had was the number of anomalies that we used to get and the number of alerts that we used to get. But with this approach of thread chaining, we've found the false-positive rate has decreased very significantly. That was something that we never could have achieved before. 

It also has the ability to detect low and slow stuff. Whenever we've had any dormant issues or dormant malware - dormant processes which get executed much later - it has tremendously helped us with that.

What needs improvement?

One of the things they can improve on a little bit is the usability side, to make some things simpler. Maybe it's because of their customer base, but the tool does have a lot of knobs, you can turn a lot of things on and off and you can change things. Sometimes, it can become a little overwhelming. They should remove some confirmation options and make it simpler for the less mature customers and people who are still trying to grasp it.

For how long have I used the solution?

We were one of the early adopters of the product, so we've been using it for about eight years now. We just moved to version 6. We were on their previous version and we then migrated to 6.0. Currently, we are on the 6.2. release, and we are on their SaaS platform.

What do I think about the stability of the solution?

Regarding stability, one of the very big improvements between the previous version and this version of the product is that the current version has been a lot more stable. We've not had any downtime as of yet, except for maintenance windows. We've not seen any reports of the environment being down or data not being accessible. The current SaaS platform is pretty stable.

What do I think about the scalability of the solution?

Scalability-wise, it's great. I had some doubts when we started because they're using Solar and I heard some colleagues say that Solar would not be so scalable. But I was amazed at how they architected it. The scalability has been pretty good. We looked at a bunch of solutions, including Splunk. The search speed is pretty fast. We are able to search for data much faster than we were able to when we looked at Splunk Cloud.

The elasticity part is very helpful. If we give them a huge peak in EPS once in a while, or if our EPS drops down, it elastically grows very quickly, without any downtime or any issues. When our EPS increases the solution does not drop any data.

My team has raved about how well we are doing with searching and threat-hunting on it.

How are customer service and technical support?

We work with a lot of vendors and a lot of companies, but the support that we have gotten from Securonix, from their support and customer success teams, has been tremendous. They've always been able to help, and that's not just coming in, deploying the product, and going home. They've always been there to advise us, to help us out, and guide us.

We had a lot of issues with our data, in terms of how we were logging it, which attributes and which fields we were logging, and what information was available to the teams. They were very good about coming out and letting us know that we had all these data gaps and how we could fill them in, as well as with suggestions on how they could provide us with better value. 

They work with us to enable our teams to get them up and running. Overall, they've done some good hand-holding to get us where we are today.

Which solution did I use previously and why did I switch?

We used ArcSight. We started off by using ArcSight and Securonix in parallel. Over the years, once Securonix came up with the cloud offering, that was our main pivot point to move to Securonix. 

There were a lot of other reasons for the move. There was a lot of fatigue from the teams in terms of having to build the content, maintain the platform, manage it - the rules and everything else. In addition, we were going for a cloud-first strategy and we had a lot of cloud infrastructure that we were not able to manage. We were using machine learning, we were on of the early adopters of it. One of the most beneficial things we saw was the combination having UBA, the SIEM, and data lake in a single platform. It used to be that our analyst would get an alert out on out of UBA and then go back into ArcSight, try to find the event for it, extract the event, investigate, and go to a different ticketing system to do the incident management. We wanted to combine all of it and have one product or one location for all.

How was the initial setup?

It was amazing how straightforward the SaaS product was. I did not expect that. The 5.0 that we had deployed was not that straightforward. It took some time and took some back and forth. But the current version was very smooth. All we had to do was spin up a VM and put one of their collectors on it. Somebody from one of our teams reported to me that it took about an hour or so to set it up.

We were able to do the upgrade of the collector ourselves. Their cloud operations team sent a notification letting us know and we just download the file and it was a simple upgrade. When there are issues, of course, we reach out.

With the previous, on-prem version, the 5.0, we used to need a lot more help because there were more steps involved. But in the last one-and-a-half years, we've mostly done it ourselves. Because it's SaaS we don't have to worry about most of the components.

From what I understand, this current version is much faster to set up, when compared to the previous version.

In terms of our implementation strategy, we took the route that most people take: crawl, walk, run. We started off with two very simple use cases: people copying data to USBs, and uploading data over the web. Over time, we matured and kept on adding more sources, cleaning up our data, figuring out how UEBA works. It's been a journey.

What was our ROI?

We have definitely seen return on our investment. We've been using the solution for quite a while now, and ROI was one of the reasons we expanded the scope. We've definitely seen quite a lot of value. 

Our response time has gone down. We have also received a lot of benefit from their research team. We were recently exposed to their Threat Research Team. We got a lot of new indicators and a lot of new threats, that were not there previously in our environment, that their team had researched and come up with. 

We are getting quite good value. We have a lot better feedback from our SOC in terms of the usability when compared to ArcSight. We have a lot more visibility. We are getting a good return on our investment.

What's my experience with pricing, setup cost, and licensing?

We have an annual cloud license. We have a license from our 5.0, so that license just continued. We paid them the extra cloud-hosting costs for a year which were about $300,000. That's basically the whole cost.

The licensing fee is based on the number of identities and, other than that, it's just the hosting cost.

What other advice do I have?

My advice is that you should want the new, best product. I don't want to say there is no other way, but it scales and it works. If you don't have the manpower, if you don't have the technical skills to have it deployed on-premise and manage - like us, we did not - I would definitely recommend going SaaS. The cloud-offering is a game-changer. It would have been tough for us to deploy Hadoop on-premise and manage it and maintain it. We're not mature enough to handle Hadoop. So I would definitely recommend SaaS to anybody who's looking that Securonix.

The other thing I would recommend is monitoring cloud if you're going with SaaS. We didn't know there were so many things to a monitor in our cloud infrastructure until we actually started monitoring it and figuring out the monitoring gaps.

Most of our security is running on Securonix. It's the backbone of our security so we are running quite a lot on it. We do plan to expand it. We are planning to see if it makes sense to add app data on it. We don't currently have a lot of application data flowing in. We have SAP and other applications that we are looking to add to this. We are also looking at if it makes sense to explore a little bit more on the network analytics side.

One of the key things they have improved on recently, when they moved from version 5 to version 6, is that version 5 was not scalable. It was running on a relational system and it was also a little complex to manage and run. Version 6 is a lot smoother and has a much better user interface. There is less operational overhead, because we don't have to manage it, at all. It's completely remotely managed.

We have six or seven people, specifically, who log in to the solution, not all at the same time. They are actively using it. Their roles vary from SOC to insider threat. We also have our response guys who log in, and then we have about two people who take action on threats. In terms of deployment and maintenance, this is all SaaS. In 5.0 we had about one to one-and-a-half people dedicated to it, but now we don't have any dedicated people. We just have one point of contact available on our ops side to look at any issues with the collector or if one of our data feeds has any issues. Again, it being SaaS, we have no administration overhead.

The tool has matured and it has definitely helped our program mature over time.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Learn what your peers think about Securonix Security Analytics. Get advice and tips from experienced pros sharing their opinions. Updated: October 2021.
543,089 professionals have used our research since 2012.
AV
Chief Technology Officer at a tech vendor with 51-200 employees
Real User
Gives us actionable results - every finding is worth investigation

Pros and Cons

  • "When we were looking for products for our security monitoring needs, our biggest requirement was that we wanted something based on machine-learning and analytics. If you go with rules, it can raise a lot of noise. Securonix, with its UEBA capability, had the best analytics use-cases."
  • "We have compliance needs. We have investigation needs. And we have situations where an analyst needs to look at threats. These three things require a different view of how they look at the threats. What would be good is to have Securonix create three different views of their Security Command Center so that, depending on the persona of the person logging in, they'd get the relevant data they need and not see everything."

What is our primary use case?

Our primary use case is monitoring attacks on our cloud environment.

How has it helped my organization?

The solution's behavior analytics, in terms of detecting cyber and insider threats, are very effective. We are getting actionable results. When I say actionable results, not every finding is going to be a threat, but every finding is worth investigation. Depending on the investigation, some of them are real threats, some are just bad hygiene, and some are a good finding but not a threat for us. So there is work we still need to do. But whatever they are pointing us to is worth investigating. And that is what I expect from the product.

The solution's behavior analytics help to prioritize advanced threats. That's exactly what I mean by "actionable threats." One of the key pain points for us, previously, was that the solution we were using was giving us a lot of low-value indicators which we couldn't even act on. With this solution we have fewer alerts but they're actionable alerts.

From there on, it is on our analyst to then decide which ones are threats. And based on that, what we have done with a few things. In some cases we have changed our security policies so that we can have more rules in place to give us stronger access control and better governance around our workstation usage policy. There were certain things we could do to improve our employee behavior and it enabled us to take those steps. Based on some of the cyber-related threats it identified, we were able to upgrade the software we were using for our endpoints so that we had the strongest possible defense. There are certain things that are real threats and certain things that are bad hygiene and in both cases it's still valuable for us to take action.

Moving from on-prem to cloud, our analyst's time and effort have been reduced by half. I had to have two people working on the product before we got Securonix. We are a small company so we had two people dedicated: One was creating use cases, maintaining the application; the other was the analyst who was investigating. When we moved to the cloud, the operations part was taken care of by Securonix. They manage the use cases, they manage the upgrades. Now I don't need to have a dedicated person to do that. And my analyst gets higher-value threats to investigate.

In summary: First, I have been able to reduce my overhead by half. And second, my analyst is a lot more efficient and the noise in my environment is reduced by at least 70 percent. I was getting seven times more alerts to look at to get to the same results. Now my analyst can go deeper, versus having to rule out seven other things which are not useful.

Also, there were a couple of instances of insider threats where we had employee accounts compromised through phishing. Someone got an email from an email address that looked like a valid email address but it was not. It had the first name and last name correct, but the company name was misspelled. The employee clicked on it and his account was compromised. That compromised account was then used to access intellectual property in our environment. Securonix was able to detect that threat. If that data had been leaked, that would have been millions of dollars in losses for us because everything we do is our intellectual property. Securonix, with its behavior analytics, was able to detect that this account was behaving differently, that it was trying to scan all our shared folders and access a lot of documents in a very short period of time. They were all source code files and the employee whose account was compromised was not even a developer. That was one of the biggest threats it detected.

The other thing it is very good at identifying is that now, with everything in the cloud, there are no firewalls involved. People can, through social engineering, find out what your email address is and then try to guess your password and access your cloud environment. We see a lot of these brute-force types of activities in the cloud, and Securonix is able to detect a lot of those threats as well. We have some automation in place where we can block or challenge the user with additional credentials. We were able to put that in place as well, as a preventative measure, to stop our cloud environment from being compromised. That's is a big area of concern for us.

In terms of operational overhead, one of the benefits is configuration. With our previous product, the issue was that we had to figure out the use case. It was "do-it-yourself." But Securonix is providing us with packaged "apps" for insider threats or cyber threats. So now I don't have to create my own content. In addition, when we were doing this on-prem, we had to have hardware, to worry about patching the hardware. Then we had to worry about patching the operating system. Then we had to worry about patching the Securonix application. All of that, maintaining compliance, was a full-time job. Now, with SaaS, we don't need to do any of that. Securonix maintains it. The third advantage is availability. With on-prem, if you have a network issue, you tend to lose the data for that period of time. With the cloud solution, we have SLAs with Securonix for 99.9 percent uptime. That means I don't have to worry about an outage in the data center or a loss of data. I can hold the vendor accountable for that. So another overhead that I don't need to worry about is disaster-recovery planning for my implementation internally. That is something that the vendor takes care of and I can just focus on monitoring the SLAs that I have with them.

What is most valuable?

When we were looking for products for our security monitoring needs, our biggest requirement was that we wanted something based on machine-learning and analytics. If you go with rules, it can raise a lot of noise. Securonix, with its UEBA capability, had the best analytics use-cases.

Our number-two criterion comes from the fact that we are a cloud-first company, so we needed a solution that would work in the cloud and work with the cloud. Working in the cloud means it would be a service, a SaaS offering. And working with the cloud means it would integrate with our cloud applications and monitor our cloud environment. Their product was the most-ready SaaS product in the industry.

The solution's cloud-monitoring functionality is the only thing we use, because we are a cloud company. Our Office is Office 365, our HR system is BambooHR. Everything we use is hosted in the cloud. So cloud monitoring is the number-one use case for us. In addition to those applications, the solution monitors Salesforce, which our sales team uses, Concur, which is our time and expense system, and it monitors our own application that we use for providing service to our customers. And finally, it monitors our AWS environment.

They have done a great job building the API-based connectors so they can automatically pull data from these applications. They have packaged use-cases that they provide us and, in certain applications, those use-cases are still a work in progress. But I feel confident that the content they have is good and they're improving on it continuously. There's a lot of development that happens on the cloud front. For example, Office365 changes every three months. Cloud applications are new so there's a lot that goes on with these applications. So vendors have to keep updating their content to align with where the cloud application is. Securonix is doing a good job of staying abreast with the latest and greatest developments on the cloud-vendor side and updating their content. A lot of their competition is very poor. We had QRadar in our environment but it couldn't even connect to Office365. From there to where we are today, it's a huge improvement.

What needs improvement?

The UX could be simpler. I know they're working on it. I would like to have one dashboard that has everything in it. We have compliance needs. We have investigation needs. And we have situations where an analyst needs to look at threats. These three things require a different view of how they look at the threats. What would be good is to have Securonix create three different views of their Security Command Center so that, depending on the persona of the person logging in, they'd get the relevant data they need and not see everything.

For how long have I used the solution?

I've been using the solution since 2017, about two years.

What do I think about the stability of the solution?

It is a SaaS solution. We are looking at 99.9 percent availability. If there's anything less than that, it's an issue for us. So far, they've been able to deliver that. I don't know what they do in the background, but they keep the lights on and that's what I care about.

What do I think about the scalability of the solution?

The good thing about being in a SaaS solution is that we are agnostic to the platform. We don't see the Hadoop platform at all, but it provides benefits in terms of scalability. If we are sending 10,000 events per second and I want to scale that to 15,000 events per second next year, I know the platform can scale. That means I don't have to come up with a different deployment or start from zero again. That is definitely a benefit. I don't have to worry about the complexity, but I get the benefit of it being able to scale.

Which solution did I use previously and why did I switch?

We used QRadar. We switched to Securonix because we wanted something in the cloud. There was just too much work to maintain the previous system. Second, we wanted something that was analytics-based so that it would give us actionable threats, versus noise. Number three was that we wanted something that could integrate with our cloud applications faster.

How was the initial setup?

The initial setup was straightforward for us because it is SaaS. For us, it was just a matter of forwarding the logs to them. Within two days we were able to start seeing our data in their environment. Our previous deployment took us six months. That's what the cloud is. It is so much easier. It's someone else's problem to manage and maintain it.

In terms of our implementation strategy, for us the key was is to prioritize: What was the number-one thing we wanted to start sending and get visibility into? We prioritized our applications and created a multi-phased approach. We specified, in the first three weeks, the three applications that were business-critical which need to be monitored. Then we added some more, then we added some more. Overall, over the course of six months, we had all our data sources integrated, fine-tuned, and ready to go. It was important to follow a phased approach. If we had started to put everything in at once, we would have had too much noise to manage.

What about the implementation team?

We deployed it with the help of Securonix. When we bought the solution we also bought Professional Services from them for four weeks. We needed that help in the first four weeks because we are not product experts, they are. At the end of four weeks, that PS turned into support. We did not need Professional Services, we just needed support when we had questions.

Professional Services were very hands-on and very committed to us. That's the best thing about them: Their customer success team cares about making you successful. I've worked with others, like IBM, in the past. You ask them something, it takes a week, sometimes two weeks, for their PS and support people to get back to you. Working with a smaller company, the good thing is that these guys are motivated, hungry, wanting to make sure they have a reference client. We had a great experience with them.

What was our ROI?

From all the benefits I have talked about, there has been a return on investment. And it was quick return on investment as well. With my previous experience, it took us six months to even get up and ready, so we weren't even talking about an ROI until then. Whereas with Securonix, in two days we started seeing our data in their environment. It was definitely a quick ROI.

What's my experience with pricing, setup cost, and licensing?

A good thing about Securonix is that they don't charge by volume of data or number of devices. I don't have to think twice about what I bring into the system. That was a big pain point for me before because every time I brought something in I had to pay extra. They charge by the number of employees, which is a much more predictable number for me, versus data. Our costs are in the $100,000 range over a three-year subscription. There are no additional costs to the standard licensing fees.

Which other solutions did I evaluate?

Rapid7 was one we looked at because it is also cloud-based. From a SIEM perspective, it was not where we expected it to be. We also looked at Splunk but it was too expensive. Capability-wise, Securonix was far ahead of them.

What other advice do I have?

If you're looking for an analytics-based system, which is what everybody should look at, and if you are thinking of something that provides a quick return on investment, then you should definitely look at Securonix, in addition to doing your due diligence with other products. Definitely have Securonix in the mix if you're looking for actionable threats, flat pricing, and a cloud-based solution.

The biggest eye-opener is how wonderful the cloud environment is. There is a whole new universe of threats that get exposed by moving to the cloud. It has all these benefits, but it also reveals a lot of risks. So there's a lot of work. Businesses will continue to adopt the cloud, and security has a lot of catch-up work to do to secure data in the cloud. But Securonix is bringing those issues to the front and we are coping with them, one thing at a time.

This is our single pane of glass for monitoring threats to our environment. It's being used companywide for monitoring purposes. It's our 24/7 eyes on glass. There are certain applications that we have not integrated yet and there are new applications that we continue to onboard. As we grow, and as we bring in more devices, we will want to integrate them into this platform. It is always a work in progress.

Our analyst who goes in and looks at the threats is the primary user of the system. There are also secondary users. For example, the compliance team looks at all the compliance reports that they need to meet the requirements we are bound by. They have their own use-cases that they look for. As the CTO, I have dashboards that I look at to monitor the overall health of our security posture. We also have investigators who look at specific investigations. If there is something that involves HR or our legal team, that becomes a case that we need to track.

From a deployment perspective, we had one person working part-time with the Securonix PS team for the first four weeks. After that, Securonix went away and that part-time resource continued to work on it. The part-time resource for deployment is a point of contact for Securonix. We need to send them data. We can tell them, "Hey, these are the data sources that we want to prioritize," in the first four weeks, for example, and this is the data we are going to send you. This person is the point of contact for them to coordinate with our internal teams to make sure the data is fed correctly and that we have scheduled the imports, etc. In terms of maintenance, there is none for us because they do it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
HB
SVP Insider Threat at a financial services firm with 10,001+ employees
Real User
Identifies threats that would not have otherwise been identified, but needs better integration with ServiceNow

Pros and Cons

  • "The machine-learning algorithms are the most valuable feature because they're able to identify the 'needle in the haystack.'"
  • "There is room for improvement in the product's integration with ServiceNow and in the reporting features."

What is our primary use case?

We use it for information security.

How has it helped my organization?

It's helped identify risky and/or malicious behavior that otherwise would probably have been overlooked. An example would be flight-risk behavior, meaning employees who are planning to leave the firm and/or who are possibly exfiltrating data. It has identified alerts or threats that would not have originally been identified.

While I wouldn't necessarily say it has surfaced high-risk events that require immediate action, but it has surfaced events that require action.

What is most valuable?

The machine-learning algorithms are the most valuable feature because they're able to identify the "needle in the haystack."

Also, the solution's behavior analytics in terms of detecting cyber and insider threats is fairly good.

What needs improvement?

There is room for improvement in the product's integration with ServiceNow and in the reporting features.

For how long have I used the solution?

We've been using this solution for close to two years.

What do I think about the stability of the solution?

The solution's stability has improved over time. Early on, we had issues with stability, but over the last three to six months, it's been relatively rock-solid.

What do I think about the scalability of the solution?

My understanding is that it's scalable, but I don't get into that piece.

How are customer service and technical support?

Technical support is fairly good. I meet with them on a weekly basis. I give them any concerns, issues, use-case changes, etc. Usually, the following week, they have fixed whatever needed to be fixed or enhanced things according to my requests. It's an acceptable turnaround time, for the most part.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

What about the implementation team?

I believe it was Securonix themselves who did the deployment.

What was our ROI?

We're probably approaching the break-even point.

Which other solutions did I evaluate?

The only other solution that I believe we looked at was Splunk's UBA. It wasn't Splunk at the time and it wasn't mature enough at the time.

What other advice do I have?

I'm not an engineer, I'm a consumer of the tool. It's doing what it's been asked to do. It's really all about use cases and having the data. You have to have your use cases well-defined and make sure you can feed Securonix the data. You should definitely do a PoC. Never buy anything without checking it out first.

I wouldn't say the solution's behavior analytics has helped to prioritize advanced threats.

Regarding the Hadoop piece, I would compare it to the way I drive a car. I put gas in it and I don't care what kind of engine is in there, how the engine works. I just turn the key and the car starts.

The users are our security operations team, which has about a dozen people. We use it on a day-to-day basis. We'll increase the use cases.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Edward Ruprecht
Lead Cyber Security Engineer at a insurance company with 1,001-5,000 employees
Real User
Open platform allows us to modify policies and tune policies as needed

Pros and Cons

  • "The feature that is most valuable is the fact that it's an open platform, so it allows us to modify policies and tune policies as needed. There's also a feature called Data Insights which allows us to create different dashboards on specific things of interest for us."
  • "Securonix implements risk scores based on different policies that are triggered. We've seen some challenges with the risk scores and how they trigger. These are things that Securonix has recognized and they've been working with us to help improve things."

What is our primary use case?

Our primary use case is privileged-account monitoring. We wanted the ability to monitor what privileged accounts do, what time of day they typically log in, what machines they log in from, what type of configuration changes they make, etc.

We're using the SNYPR Cloud UEBA.

How has it helped my organization?

The areas where behavior analytics helps in terms of advanced threats are around some of the rarity-based policies. An example would be if someone is logging in to a machine for the first time, someone who has never logged in to that machine before. Another would be a rare time of day when somebody is logging in. Policies such as rare suspicious-process also help. We have a list of processes that we typically don't expect many users to run, so if somebody's running one of them in the environment for the first time, it helps us understand that something potentially malicious or at least suspicious is taking place.

We had a recent internal penetration test to try to simulate attacker activity, and Securonix really stood out regarding some of its detection capabilities versus our traditional SIEM, with a lot of the policies that we have for rare-process running on a machine. The enumeration-type activities, where it's looking for an increase in the number of, say, accounts that are accessed, or the number of machines or file share that are accessed, was something that stood out significantly for us.

An example where the solution detected a threat that would otherwise have gone unnoticed recently was a Word document that launched PowerShell and tried downloading a malicious file. We have a policy which is looking for a rare process launched from a child process, and that detected a specific type of malware.

Also, given that the solution is offered as a cloud platform, it probably reduced the potential need for additional headcount. Had we gone with an on-premise solution - because it would have a lot of the administrative tasks of maintaining the hardware and doing updates, and some operational costs - we probably would have required an additional headcount. By going with the cloud, it didn't require us to add to our headcount, and yet we were able to add this new technology.

The solution has also enabled our team to focus on threats rather than on engineering of the platform. We're a very hands-on organization. We've done some of the engineering, whether it be to create new policies specific to our environment or specific to a threat that we're looking for. So it has helped us to focus on threats, but we also do a decent amount of engineering.

Securonix has decreased the time required to investigate alerts or threats. A lot of the information is right there for us, so it's easy to search and try to help with an investigation. In terms of how much time it has saved us, it's really a case-by-case scenario. It would be difficult to pinpoint an exact time on it.

As for the solution surfacing high-risk events that require immediate action, Securonix correlates different policy-violations together into what it calls threat models. There have been a few examples of threat models that have been triggered which gave us a high degree of confidence that there's a threat that we want to investigate right away. Using the threat models has really helped prioritize events of interest for us.

What is most valuable?

  • The feature that is most valuable is the fact that it's an open platform, so it allows us to modify policies and tune policies as needed. 
  • There's also a feature called Data Insights which allows us to create different dashboards on specific things of interest for us. 
  • Finally, there is Spotter. Spotter allows us to search and investigate different events of interest for us.

In terms of behavior analytics, we're using cyber more than insider threats. With UEBA being a relatively new space when we looked at it close to two years ago, we were concerned about how well it worked and whether they were truly behavioral-based rules or if that was just marketing terminology for the "latest greatest system." But it exceeds what our initial expectations were for being able to detect different cyber threats. We're doing a lot around the network firewall and endpoint detection for rare process connections, rare network connections, etc.

What needs improvement?

Securonix implements risk scores based on different policies that are triggered. We've seen some challenges with the risk scores and how they trigger. These are things that Securonix has recognized and they've been working with us to help improve things.

For how long have I used the solution?

We've been using Securonix for a year-and-a-half now, as a production customer. We started a pilot back in July of 2017, so if you consider the pilot time, it's about two years in total.

What do I think about the stability of the solution?

Initially, within the first six to eight months, we had some issues with stability. In the last year we've really had no stability issues. There's been no downtime. Any time there are updates, we're always notified when they will take place, with adequate notice. After the updates, there's very minimal downtime as a result.

The earlier instability was growing pains. At the time, we were one of the largest customers going to their cloud solution. It was just a matter of some of the growing pains as they were trying to scale to handle the quantity of logs that we were sending to it.

They've also added additional features and enhancements, and we haven't had any issues with it or any downtime as a result of that.

What do I think about the scalability of the solution?

We haven't had any issues with scalability. We've been able to send more log sources to it and we haven't had any issues with them being able to handle the volume.

We have close to 6,000 employees. We have about 9,000 servers and workstations in total, and we're sending about 5,000 events per second.

We have plans to increase our use of Securonix. Right now we use a different vendor for SIEM, LogRhythm, and we use Securonix for UEBA. We're looking at potential options to consolidate to one platform.

How are customer service and technical support?

Their technical support has been pretty helpful. We have a lot of direct contacts with some of the higher-level support, people who help with the integration. A lot of times, when we have issues, we may email them directly and they're able to work on a resolution relatively quickly. 

That being said, we do have a technical account manager and that person does a really good job of prioritizing resources to make sure that, if we do have any issues, they get addressed in a timely fashion.

Which solution did I use previously and why did I switch?

We piloted Exabeam but we didn't go forward with them.

How was the initial setup?

The initial setup was a little complex, but going into it we knew it's a complex solution. We didn't expect that it would be out-of-the-box. Our expectation was that it was going to take a little bit of time to get it set up and integrated and then to learn different profiles on users. It was somewhat complex, but it wasn't anything that we weren't expecting.

Our case is a unique situation where we aren't using Securonix as our SIEM so we had to send logs from our SIEM over to Securonix. There was some tweaking of the parsing that we had to do; how they were able to normalize the log and stuff like that. That took a little while to get up and running.

Overall, our deployment took about two to three months.

In terms of an implementation strategy, we had Professional Services from Securonix help with the implementation. They did a lot of the heavy lifting for us.

What about the implementation team?

Our experience with Securonix Professional Services was very good. They were able to do the integration. It didn't really require a heavy amount of effort from us to work with them. It was just time-consuming. They were updating the parses to support our environment for several weeks.

What was our ROI?

We have definitely seen ROI using Securonix.

Which other solutions did I evaluate?

We piloted Exabeam but we didn't go forward with them. We looked a little bit at LogRhythm's UEBA capability as well. At the time they were in the beta stages, so we didn't feel comfortable going with them. 

One of the things that we really liked about Securonix was that it is very open-platform, where we have the ability to tune and tweak and create new policies as needed. With Exabeam, everything required us to go through their Professional Services to make some of those changes. The real benefit that we liked with Securonix over Exabeam was the reporting capabilities. Exabeam pretty much removed almost all their reporting and threat-hunting capabilities. I think there was some bug that was taking place. The other thing that Securonix does that I really like is that they give you the raw log message so you can see all the details. Exabeam was only providing parts of the log message, parts they thought were relevant for an investigation, but they didn't provide everything.

LogRhythm versus Securonix is not one-to-one. We're using LogRhythm for our SIEM, long-term retention, being able to look at things over a 90-day period of time. We're using Securonix more just for the UEBA capabilities. Based on how we're using them today it would be difficult to say the pros and cons of either one. We've had some challenges with LogRhythm support and some of their feature enhancements. Some of the things they've rolled out don't necessarily work as expected or we've experienced a lot of bugs with their product. We haven't had the same issues with Securonix.

What other advice do I have?

From a positive standpoint, with Securonix, or with any UEBA vendor, but specifically Securonix as that's the one that we're using, it definitely overcomes a lot of the challenges with trying to understand what's normal and what's not normal in an environment. With the traditional SIEM rules, it's very difficult to tune some of the policies to understand what is normal for your environment. That's really helped us quite a bit. Another thing that might be helpful regarding understanding the platform is that it takes a little bit of time to come up with the behavior profiles. It might take 30 days, depending on what you're trying to look at, before you start seeing some alerts trigger, because you're looking at things over a longer period of time.

The biggest lesson I've learned using Securonix is that with behavioral analytics, and any UEBA vendor, it does reduce some of the alerts but it also has the potential to create additional volume or additional alerts, which could be good or bad. So just understand that there definitely is the potential to get a lot more security alerts as a result of using the product.

The way we try to work around the increase is through the ability to tune some of the policies to remove some of the few things that produce known noise. The biggest thing is just tuning things out, where applicable. Another is by leveraging their threat models. Correlating several different policies together, which are part of a threat model, might provide a little bit more context. As an example, if two of these three policies fire within a certain period of time, it might be a little more interesting than just, say, this one stand-alone policy triggering by itself.

The behavior analytics probably doesn't help us to prioritize advanced threats. It's just the nature of UEBA, I don't think it's necessarily a reflection of Securonix. But one of the challenges with being able to detect a lot of rare activity or anomalous activity is that you tend to find there's a lot more rare stuff happening in your environment than you would expect. It helps us, but sometimes it has the potential to create a little bit more noise as well.

With SNYPR, they have what's called SNYPREye which monitors the cloud solutions of SNYPR to detect if there is any type of operational issue.

We have five people on our team who use Securonix. They're security threat analysts. They all have the same feelings that I do: That it's very helpful with security monitoring, and that it also provides threat-hunting and investigations on users.

We have shared roles, so I wouldn't say we have dedicated focus on just Securonix. We're a small team that does a little bit of everything. At a minimum, if we didn't have that shared focus, maintenance of Securonix would take one full-time resource.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
GS
Director of Intellectual Property Protection at a pharma/biotech company with 1,001-5,000 employees
Real User
Spotter tool has helped us eliminate many hours required to manually create link analysis diagrams

Pros and Cons

  • "What I like most is that the threat models and risk scoring are very accurate and very helpful to the analysts on my team. They help highlight the most important things for them to look at."
  • "The second feature is that within the SNYPR product there is a functionality called Spotter. We use that for link analysis diagrams and to run the stats command. That's extremely useful because it replaces a tedious, manual process we used to use, using Microsoft Excel and a couple of other methods, to bring data together."
  • "A helpful feature would be an event export. A way to create more substantial summary reports would be nice."

What is our primary use case?

I run the intellectual property protection shop for the company and our primary use case is to monitor for DLP.

How has it helped my organization?

In terms of detecting cyber and insider threats, my primary focus is insider threats. It's excellent at that. The ability for the system to detect events is incumbent upon knowing your own threats and risks and predefining those, to a large extent. If you know your environment well enough to make up your own rules and define exactly what a risk or threat means in your organization, it's outstanding at detecting them.

While my primary focus is insider threats, one of the reasons we like SNYPR more than other brands is the entity analysis piece. We have picked up unnamed entities - an infected machine or a machine that had been taken over through a fishing attempt and had a bot installed on it. We have been able to detect malicious software with the system without even predefining the threat or risk model.

When it comes to the solution's behavior analytics helping to prioritize advanced threats, as long as you can pre-define what you want it to prioritize, I find it to be excellent at doing that. We have a very small team. It's very important for me to have the Securonix system highlight the most critical threats so that the analyst can see it.

We have two models. There are the people who are reacting to something negative in the company, such as someone sending a lot of things to a USB drive or trying to email out a lot of sensitive documents. Those people are easy to catch because their behavior is anomalous to themselves and to others. But for the advanced threats, we have different models in place that will highlight what we call "low and slow" behavior, where someone might be placed in the organization by a competitor or a foreign country, with the intention of removing small amounts of data over a long period of time. We have successfully built models that detect that, as well. Any system can catch the people who are going to "break the window" and steal as much data as they can in 24 hours. It's the advanced threat that's much more intricate, but we have had success with that model.

The solution benefits our company overall in the sense that we are protecting intellectual property which is the key to the company's success. But there has been a direct benefit to my team as a force-multiplier. At any given time, I have three or four analysts and we have 120,000 end-users. I feel confident in the increase in the value of cases we have found. We bring in fewer cases per year, overall, and that's attributable to the ability to tune Securonix and drop things that might be more of a "coaching-letter" type of event, rather than an investigation. We're able to tune those so that they are less of a priority than the significant data-loss events. We've been successful at catching the data-loss events.

And the functionality within the Spotter tool has helped us eliminate many hours required to create link analysis diagrams, which we used to create by hand.

It has easily decreased the time required to investigate alerts by 30 to 35 percent. The Spotter functionality, where we create link analysis diagrams within Securonix, takes about five seconds to do. We type in the pipe symbol, the word "link," and a couple of arguments and it puts the link analysis diagram right in front of us. Before, it was a manual download from three different systems and we would put things into Excel or i2 Analyst's Notebook and do the link analysis diagram that way. That single step alone is something we do for every single case which an analyst writes up, and it easily represents 30 to 35 percent of their time.

The solution has also helped us to detect threats that would otherwise have gone unnoticed. In the past, when we were using just a SIEM tool, we had reports on things like the top-ten people each day sending email to a competitor's domain, or top-ten people emailing to a personal domain, or the top-ten people copying data to a USB. We looked at six of these lists every day. When we first started using Securonix, they came to us with an event that their system had detected, something which was a fairly significant event. When I went back and looked at why we hadn't caught it ourselves first, what had happened was that Securonix was able to accurately able to identify, with its pattern-matching functionality, two personal email addresses from this person and correlate that with USB use and their sending of emails to a competitor's domain. Out of the four domains, none was high enough to get on the top-10 lists, but all four together - when they were correlated together as a single event - were very significant. That enabled an analyst to see it and react to it.

Securonix has helped to surface high-risk events that require immediate action. The preceding example is a good one. Another good example is correlating events with foreign travel, for instance. One of the things we have programmed in is HR data around a known last-day-worked. We've been able to correlate people whose last day at work was within 48 or 96 hours of having foreign travel booked. Those things, by themselves, don't really mean anything, but as part of a model they add to the score of someone who has data leakage events. We've used those factors successfully to increase the score of someone with leakage events and prioritize them so that we can react before the person has left the company and the country.

We moved to their software as a service and cut over to production, officially, in January of this year (about five months ago). It has significantly reduced the amount of time spent by the technical lead on my team doing hands-on patching, maintenance, and troubleshooting on the host server, as well as fixing the server when there were application incompatibility issues. The previous version we had sat on a standard, company Linux server. Securonix was an application package, a COTS, for the most part, that sat on top of a standard-built server. The server represented a cost to us when purchasing it and there was a cost to maintain it. Moving it to the software as a service model in the cloud has completely cut out all of that. It's a less expensive model for us to operate under.

The Hadoop-based platform has also provided operational benefits. With the on-premise version that we had before, we were limited in the number of data inputs. As soon as we moved it to their Hadoop-based platform, it became unlimited. It's scalable to whatever size we need. We were able to quickly add six data sources to the system, which were impossible to add before.

What is most valuable?

There are a number of things that are very useful.

What I like most is that the threat models and risk scoring are very accurate and very helpful to the analysts on my team. They help highlight the most important things for them to look at.

The second feature is that within the SNYPR product there is a functionality called Spotter. We use that for link analysis diagrams and to run the stats command. That's extremely useful because it replaces a tedious, manual process we used to go through, using Microsoft Excel and a couple of other methods, to bring data together.

The third feature is the ability to create watch lists that highlight specific predefined events in a separate window - or widget, as they call it. If I want to highlight something of interest without changing the risk score, or affecting any of the threat or risk models that we have in place, I can create a watch list. It moves those events to an area where an analyst will see them, first thing, without changing any scores or any other manipulation of data. I can highlight events that way.

What needs improvement?

A helpful feature would be an event export. A way to create more substantial summary reports would be nice.

For how long have I used the solution?

We've been Securonix customers for about six years now. We've been on the SNYPR module for about seven months.

What do I think about the stability of the solution?

We've never had a problem with it. They're responsive around the clock. We've never experienced a system outage and we've never experienced their being unavailable to help. It's highly stable.

What do I think about the scalability of the solution?

Now that we are on the cloud-based version, scalability is limited only by what we want to spend. The more events per second we add, the more the cost goes up. But that's the same with any model, anywhere. We're limited only in budget. They appear to be scalable to handle anything we can put into it.

How are customer service and technical support?

I would give them a ten out of ten on technical support. In the past, we did have some issues with their technical people, but they were quickly resolved as soon as I brought them to someone's attention. 

They don't really offer a service where they just plug it in and leave and you're on your own. They do semi-annual data scientist reviews of the events we have and the scoring behind them. They make recommendations to us on new models we can implement or ways we can change the scoring slightly to make sure we're seeing the most appropriate things. That part has been really nice.

Which solution did I use previously and why did I switch?

We used ArcSight. The IT department had ArcSight deployed as a SIEM, so that was the system I used to create lists like top-ten emails to competitor domains, top-ten events for USB, top-ten people going to job-search domains through the web proxy, etc.

ArcSight was not very sophisticated. It was just six PDF files a day that were representative of top-ten events in some predefined rule. There was no way to prioritize or score or, even better, correlate events. Securonix, in one example, as I mentioned, pulled together four events and chained them together, which would not have made any of the top-ten lists and that were significantly more important than anything on any of those top-ten lists that day.

How was the initial setup?

The initial setup was very straightforward. We used Professional Services and we had three meetings a week in the build process. It dropped to two meetings a week as we were migrating from one system to the next. Then we went to weekly and then biweekly break-fix meetings until everything was up and running.

Within two weeks they had it pretty fully in place and then we spent about another two weeks fine-tuning different details, because it processes data differently than the on-prem version. We were up and fully in production on the new system inside of a month.

We created the cloud-based version in parallel and we kept the on-prem solution up and running until we cut over, 100 percent, to the cloud-based solution. We kept them running in parallel for an additional month so that we could check risk scores back and forth between the two systems, to make sure one was not capturing events that the other didn't, with the exception of "net-new." As I said, when we put in the new cloud version, that enabled six more data inputs which, obviously, didn't exist in the on-prem version. But for the things that were identical, we made sure it was up and running and accurate. Then we just cut away from the old one all-together.

What about the implementation team?

The fact that we used Professional Services made a big difference because they did the heavy lifting. We just presented threat and risk models to them and data sources. Our experience with Professional Services was very good.

What was our ROI?

We have seen return on investment many times over. There have been data-loss events that we've prevented which, had they left the company, would have represented billions of dollars of intellectual property. If you look at the $250,000 a year as a percentage of a billion dollars, that's not too bad an ROI.

What's my experience with pricing, setup cost, and licensing?

We have an annual license. We pay $200,000 for the base licensing and we pay another $50,000 for the software as a service.

In terms of any additional costs, it depends on how extensively we use the Professional Services. I might spend another $45,000 to $50,000 a year on them, but that's because we're always coming up with new things and changes. If I wasn't asking them to make coding or application changes, then that cost would be unnecessary because the additional cost for the software as a service includes the maintenance, 24/7 monitoring, etc. Because the Hadoop version is new to us, we're expanding into new data sources and new threat and risk models. For that, there's an additional cost for the coding.

Which other solutions did I evaluate?

We looked at a product from Lockheed Martin which was very analyst-centered. It produced a lot of CSV files as output and required having an analyst who could really pull together Excel spreadsheets and do a lot of manual work. 

We had looked at Securonix for a couple of years at trade shows and we knew we liked the concept of an UEBA. But then when we did a demo with them in a bake-off with the Lockheed Martin product, and the Securonix user interface was hands-down better and the event correlation and the behavior analysis pieces were what really sold us. We have a number of static, pure analysis rules built for behavior analysis, but now that we've had it in place for a few years, it's far more sophisticated in the dynamic behavior analysis, through the machine-learning the system does. That has been far more beneficial to us than the static rules.

In those respects, they were hands-down better than the other product we put them in the bake-off with. Quite honestly, it has worked so well in the six years we've had Securonix in here that I haven't gone back into the market to even looked at what the competition has. It saves me a lot of stress. 

Looking for a new product and evaluating takes so much time and there's so much cost in swapping them out. For example, if you had invested in a server infrastructure and have to take that down because it doesn't match up, there's a cost to that. There's software licensing. There's also the fact that my team has five years of experience in navigating the Securonix user interface. With a new product, they'd have to start from scratch, learning something new.

What other advice do I have?

The single thing I recommend most is understanding your environment and being able to articulate the risk and threat models. Securonix is very good now, better than when we first bought them, because we were early adopters. We're in the pharmaceutical space and they didn't have very many Pharmas. They were very good at financial institutions, the banks, the credit card companies and that sort of data, but when it came to risk and threat models for Pharma, we were so successful because we knew what we wanted.

I had studied insider threat and behavior analysis for quite a while before we brought in Securonix and was able to start out with very accurate models and articulate things like the relationship between sender and recipient of emails. Is there generally a higher risk with one-to-one or one-to-many relationships on either side? If the data is in the body of an email or in an attachment, which is more important to me? Different models, like competitor domain or personal domain, or USB use: What are the most important things to know about your own environment? Be able to tell them in a way that helps them build the risk models.

Probably in some environments, again, finance for example, where they've had years of experience, they could probably plug in a box and you could just throw all of your events at it and it would be accurate in at least pointing out the anomalies. But you would still need to be able to say what, in your environment, is bad and what is not. That is the single biggest thing: Know your own environment and they can build it to match your needs.

The biggest lesson we've learned using Securonix, in hindsight, is that if we had paid the additional $45,000 to start with, in the cloud, we would have been years farther ahead. We're trying to stay very low-budget. We built the on-prem version and thought that was going to be sufficient, but we ran out of space and the ability to add new data sources and risk and threat models. The on-prem version became limiting. The biggest lesson we learned was that we probably should have spent what was not a lot more money and had the cloud, Hadoop-based version, much earlier in the game than we did.

If I had a big enough staff, it would probably be preferable to do some of the back-end, hands-on coding ourselves, but I don't have that kind of talent on hand. Outside of that, we have no complaints about it. When we've asked them to make certain changes to the user interface or to workflow within the tool, they've been very quick to respond and make those subtle changes for us. Outside of that, we're fairly pleased with this platform.

We have three intelligence analysts and they look at the events themselves, do the initial assessments, and write up the cases. I direct the team and I have one technical lead. I'm in the compliance division, so my team monitors for compliance with specific corporate policies. In addition, our IT department recently also purchased Securonix and they're building a platform on software risk to complement the insider threat that I have. There are currently five users there.

The Securonix team does all of the back-end work because it's housed entirely in their cloud.

Overall, I would give Securonix a ten out of ten. We've been extremely happy with them as a company and as a product. The product has been very good for my career. But again, we put the time into making it accurate right from the start so we have found some fairly significant things. I feel the product is accurate. Whenever we have worked with the company, they've been a good bunch to work with. I'm happy to stand up on their behalf. It's been a true partnership with Securonix, more than that we just license their product and use it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
AH
Leader - Investigations, Insider Threat at a tech services company with 5,001-10,000 employees
Real User
With a lot of data in one console, the time we require to investigate alerts and threats has decreased

Pros and Cons

  • "The customizability of the tool is valuable. We are able to customize the use cases and create them easily without a large amount of Securonix assistance. It's very flexible. We do not have to rely on Professional Services to modify or create a new use case."
  • "Other than issues with the training, there have been issues with the encryption. There have also been issues with some of the reporting, minor glitches that they have fixed as they've gone along."

What is our primary use case?

Data loss protection and account misuse are our primary use cases. We're utilizing it to help identify and correlate user behavior to identify potential data loss as well as to detect certain types of fraud.

How has it helped my organization?

The behavior analytics of Securonix has helped to prioritize advanced threats for us. We're still working through it, but it has helped. For example, it enables us to customize widgets, risk scores, and dashboards to identify what we want to see and gives us the ability to base the risk score on our business model and what we consider to be a high priority.

While we would have detected the threats that we do without the solution, it helps us have a central point to manage and detect those threats. It would have taken a little bit more work or additional tools to identify them after the fact. For example, it helps us in identifying and detecting fraud in the early stages.

The solution has decreased the time required to investigate alerts and threats because a lot of the data is in one console. We're not having to go to three or four different consoles. It also helps to surface high-risk events that require immediate action, such as identification of penetration testing.

What is most valuable?

The customizability of the tool is valuable. We are able to customize the use cases and create them easily without a large amount of Securonix assistance. It's very flexible. We do not have to rely on Professional Services to modify or create a new use case.

The solution's behavior analytics, in detecting cyber and insider threats, are good. The tool does what it's supposed to, as long as the data coming in is accurate.

What needs improvement?

Other than issues with the training, there have been issues with the encryption. There have also been issues with some of the reporting, minor glitches that they have fixed as they've gone along.

I think they have fixed the encryption piece and they have supposedly fixed training. I haven't seen the new training modules yet. The reporting and metrics will be improved in the next release, from what I understand.

For how long have I used the solution?

I have been using Securonix for two years.

What do I think about the stability of the solution?

The solution is very stable. We haven't had any issues.

What do I think about the scalability of the solution?

We were able to increase it. It's scalable, but with some work on-prem; we're not cloud. But it is scalable. The issues were mostly from our environment: networking and support.

My team only is the only team that's using it and it's one hundred percent part of our daily functions. We have plans to increase usage, and extensively. We're about 50 percent of the way to where we want it to be.

How are customer service and technical support?

Technical support is excellent.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The setup was complex. The data mapping was complex because of our own structure and environment. From start to finish, it took us about three-and-a-half months before we went to production.

In terms of an implementation strategy, we worked with Securonix to develop a statement of work and we followed that. It included development and identification of data sources, implementing or ingesting those data sources, and applying use cases to those data sources as we fed them in.

What about the implementation team?

Securonix helped us to deploy the solution. Our experience with them was very good; excellent.

What was our ROI?

So far we have seen ROI. We would like to see even better ROI. 

What's my experience with pricing, setup cost, and licensing?

We pay yearly.

Which other solutions did I evaluate?

We did a PoC between two solutions and we chose Securonix. The other solution was Exabeam. One of the reasons we went with it is that someone had used Securonix at a different company. The scalability, the interface, and the results that it provided were also factors in our decision to go with it.

What other advice do I have?

The biggest lesson we have learned from using Securonix is to start small. Don't throw everything at it. Start with one single use case and build out. Don't throw all the use cases into it at once. Otherwise, it's too much work, you get flooded with too much data, you can't focus on what's important, and you can't clean it as quickly. You can clean it, but it will take a lot of time.

My advice is to go with the cloud solution and, as I said, start small. Don't try to ingest everything at once. And don't create use cases for everything under the sun.

Because we're on-prem, we've had to both focus on threats and on the engineering of the platform. They provide support, but we still have some engineering overhead on our side.

We have five users using it and they're all investigator-analysts. We deployed with the help of four people who are security engineers, and maintenance is pretty much done by the two Securonix support people we have.

Overall, I would rate Securonix at eight out of ten. We're still going through it, developing, learning, and we find issues.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Securonix Security Analytics Report and get advice and tips from experienced pros sharing their opinions.