Netsurion Reviews

We use it for real-time alerts for things like domain admins being added. And we have the managed services provide weekly reports for us for VPN logins, after hours logins and several other similar alerts. 

And of course, at any time I can do individual investigations and searches on interesting traffic that might be reported to me by Netsurion or that we find on our own.

The solution saves me at least half an FTE, some 20 hours a week. If I didn't have the managed services, I would have to have another half an FTE just to do the work that they do for us.

Netsurion has assisted our server administration team as well. If they're having software problems or access problems or the like, they have the ability, with all the logs now centralized in one place, to go to one place and do those searches, rather than to go individually, server by server by server, and try to figure it out. 

It's also tied into our enterprise firewall, which is Palo Alto. It really helps them in their troubleshooting time if they're having an issue. 

There are 3 aspects that Netsurion is very helpful to our organization.  One side is the information security side where it helps us quickly investigate an incident including false-positives. A second aspect is operational efficiency.  It would really take a lot of time to try to figure it out server by server but with Netsurion they can go to one place which has all those server logs. The third aspect is log archives. Once it makes it to Netsurion, they can keep local log storage space pretty low and don't have to burn a lot disk space on the local servers.

I also feel that Netsurion has better integration. Almost any product could integrate with just about anything else, given enough time and resources. But that's part of the managed services that we contract with Netsurion. We have integrations into Sophos (for antivirus), Office 365 (for email) and for our enterprise firewall (Palo Alto), and our Cisco networking equipment. So we've got all the critical infrastructure pieces integrated and all of those were integrations out-of-the-box-that I probably could have figured out if I had enough time. But I tell them what I'm trying to do and either they have a white paper which gives me one, two, three steps to do it, or they actually take over. I give them a service account. They take over, they do it, we do some testing and we go live with it.

Everything we have is a real-time feed. We don't have anything that is just batch and then it reads it in later. Especially on those real-time alerts that I mentioned, I know about each of those literally within minutes after it happens, because it's a real-time feed. The alert fires and sends me an email or a text, whichever I have set up.

We're also very impressed with Netsurion SIEMphonic. That's what they've renamed their SIEM tool. We use it quite a bit now. They've got something called potential insider threats that we look daily. Those are things like account creations and the like. A SIEM tool doesn't necessarily know, just because an account is created, whether it should have been created or if somebody created it to try to hide their tracks. Also, seeing things like logs being cleared on servers has been very helpful to us. We would have no other good way to get visibility into those types of things. An extension of that is the alerts that we talked about. It's really been really invaluable for us to get insight into our environment. There'd be no other way for us to really get that without either SIEMphonic or one of its competitors.

We use Netsurion as our security operation center and also as an SIEM to put together all of our telemetry from various systems and to notify us when we have security events.

Netsurion's additional data source integration provides a unified view of our security posture. This makes it easy to track and see what's happening at a glance. We can also see our security status in real-time, without having to find an all-in-one security platform. Instead, we were able to choose the data sources that we wanted and integrate them into a single platform.

Integrating with our existing security tools was easy. Netsurion did all the work making it so easy for us.

The integration of Netsurion and our security tools gives us a unified view of our threat landscape.

The integrations that extend our detection and response capabilities are now easier to use. I no longer need to flip through the Azure or Office 365 admin centers to view our security alerts, and I don't need to go into Xcitium to see the security issues there. I can simply go to Netsurion's dashboard to see everything in real-time.

Netsurion's SOC does a good job of alert monitoring and threat hunting.

Netsurion's SOC has helped to eliminate recurring false positives. When they occur, we discuss them. If the investigation shows that it is a false positive, we will discuss how to prevent or suppress those types of false positives in the future.

Netsurion's SOC is effective at expediting incident response. I have worked with them on a few real incidents, and they have been outstanding. They handle a lot of the documentation for us, which is helpful. This way, we can refer back to it and what they were able to show us about our problem.

Netsurion takes care of platform management, which makes my job much easier. As a one-person IT department, I don't have the resources or budget to hire more staff to monitor cybersecurity incidents. Netsurion is like having a team of security experts on my side, at a much more reasonable price than hiring even one more person.

Netsurion allows me to focus on other tasks. In previous positions, I did not have this level of automation. I would spend two hours every morning going over logs, or X amount of time every hour checking things to make sure there were no problems. Now, I can focus on all of my other duties because I know that Netsurion will alert me if anything pops up.

Netsurion helped us boost our security operations productivity by decreasing the tedious security operations management tasks.

Netsurion has helped reduce our time to detection.

Netsurion has helped us improve our ability to remediate security incidents. In the past, we had to manually collect logs and analyze them to identify the source of an incident. Netsurion has simplified this process by providing us with pre-analyzed logs and after-reports that help us track down and remediate incidents more quickly.

Netsurion takes a holistic and proactive approach to security. They are proactive in that they give us advance notice of potential threats, such as when they have patches available. They recommend that we apply these patches immediately, rather than waiting for our regular patch day. They also notify us of other security-related matters. Additionally, they take a holistic approach by helping us with all of our systems.

I manage 13 companies that have 300 to 400 companies underneath them altogether. We're a private equity company, so we manage one company, and they control 10 to 20 companies themselves. Our operations are decentralized, so there aren't many existing products suitable for our use cases. 

When we initially deployed, Netsurion didn't seem like a particularly robust solution. We had the reporting, and if I told them to look for something specific, they could look for it and report on it. We haven't given them anything outside of the box to look at. It tells us everything that you see. We haven't whittled it down to specific events yet.

Netsurion is on the endpoints. You install it, and it speaks to a web server. We have it on workstations and servers on AWS, Google Cloud Platform, Azure, and everything else. We're using it as a decentralized SIEM product, and it's one of the only ones out there. We use Netsurion for things like log forwarding, and we deploy it on every workstation. It's a manual process. There is an installed agent, and as long as it has internet connectivity, it goes and talks to the centralized server, and Netsurion's SOC monitors the logs for all those devices.

Because we don't have a centralized enterprise network, there are a lot of different companies involved, and they could be anywhere. They could be working from home, or there could be several employees in a coworking space. The Netsurion agent has to be installed on every endpoint and allowed to communicate directly to the internet.

We don't have the security staff needed to monitor log data constantly. It's too much data. You have to send it to a third party like Netsurion that specializes in that, and they have a 24/7 security operation center. We don't have the in-house staffing or the time, so we offloaded the task to a third party, and they only report on critical incidents. Then they have reporting criteria, so if it's urgent, they call us. If it's not so critical, then they email us. We don't have the capacity to do that ourselves.

Netsurion has allowed us to consolidate cybersecurity technology, including SIEM and network traffic analysis. It's not a decisive factor, but it's important. Having multiple tools keeps it centralized.

We are a small company located in Bermuda with a team of 42 people. Specializing in reinsurance, we offer a range of reinsurance products from around the world. During a recent cybersecurity gap analysis, it became apparent that we needed to enhance our network and security monitoring capabilities beyond the capacity of our current 42-person team. Within the company, only three individuals work in the IT department, making it impractical to assign someone to security log monitoring around the clock.

To address this challenge, we have implemented Netsurion Managed XDR. This product, previously familiar to me from past professional experience, aggregates logs from our various devices including workstations, servers, switches, routers, and firewalls. These logs are then centralized on our on-premise servers, which are linked to Netsurion Managed XDR's security operations center. This center is staffed with experts who analyze the collected data, providing us with valuable insights. They promptly alert us through email, phone, and text if any unusual or critical activities are detected. These activities could range from unauthorized access attempts to anomalous Internet or firewall activities.

The system also offers weekly observation reports, categorizing activities using color codes ranging from red to green. This report covers a spectrum of information such as account lockouts and Internet activity. I have also specifically requested alerts for any usage of administrative passwords. Additionally, we engage in monthly review meetings where we assess the previous month's data, including a Power BI report that delves into trends and various monitoring aspects.

Another key service we utilize from Netsurion is their vulnerability assessment scanner. This monthly assessment involves scanning all our systems within the network to identify security vulnerabilities and needed updates. It's comparable to having a simulated penetration test, ensuring our systems are robust against potential threats. The resulting report provides valuable insights into our security posture.

In essence, Netsurion Managed XDR fills the crucial role of network and security monitoring that our internal team cannot handle alone. It's akin to having a dedicated 24/7 security team constantly scrutinizing our network for threats. The system not only detects immediate issues but also assists us in enhancing our security measures for the long term. For instance, based on their recommendations, we have successfully blocked requests originating from certain countries, such as the Russian Federation, China, North Korea, and Iraq. This proactive measure has significantly reduced the unnecessary traffic targeting our network.

Our experience with Netsurion's services has been exceptional. Their expertise and support are of the highest quality. As I had worked with them at a previous company, I sought them out again for our current needs. Particularly for a smaller company lacking a dedicated security team, this solution has proven to be one of the most effective ways to bolster our cybersecurity defenses. Their capabilities align perfectly with our requirements, and their professionalism makes them an ideal partner in safeguarding our digital environment.

One of the primary benefits of using Netsurion for our organization is that, due to a mandate from our regulator, we are required to have robust monitoring platforms in place. We now possess our own monitoring platforms, which allow me to oversee various aspects. Moreover, we have implemented a 24/7 monitoring platform, ensuring complete compliance with regulatory standards.

Netsurion offers a flexible solution that assists us in safeguarding our entire IT environment. This has significantly enhanced its robustness over time because they have been able to identify trends. Subsequently, we can adjust settings. Initially, when we implemented the product, we noticed more issues that, with time, would turn red or become more critical. These included instances where certain activities were not being blocked or when excessive permissions were granted to users in terms of access rights and similar matters. By analyzing trends over time, we have been able to refine the network, thereby achieving a higher level of overall security based on the insights provided by their monitoring.

The way the SOC service operates is by providing us with a dedicated team. This team usually consists of around four to five individuals participating in monthly calls. Essentially, this team, which is assigned to various companies, including ours, remains consistent. The individuals we interact with are familiar with our environment, and over time, we establish a rapport with them. Their contributions are highly valuable. It's akin to having a specialized team solely dedicated to handling our security concerns. Unlike a situation where we would interact with random support personnel for each inquiry or ticket, these individuals possess a deep understanding of our company as they consistently work with us. This arrangement eliminates the need to repeatedly transfer knowledge. They are well-versed in our history, the current state of our environment, and the specifics of our network. This setup operates 24/7, ensuring that meetings and communications align with my schedule. Furthermore, we receive updates even outside of regular working hours. This SOC service is available to us, and in my opinion, it's an excellent setup. The continuity of interacting with the same group of professionals allows us to establish relationships, not only with the individuals themselves but also with the company as a whole. This dynamic significantly enhances the trust we place in their services.

The SOC handles alert monitoring and threat hunting extremely well.

Reducing false positives is a crucial aspect of the tuning process we engage in. At the outset, we receive alerts for all activities, treating everything as a potential issue. However, we gradually refine this approach. For instance, we develop custom applications for our company. In collaboration with Netsurion, we've integrated their system to whitelist specific processes associated with our proprietary applications. To Netsurion, some of these processes might seem suspicious, such as activities involving the SQL database, potentially appearing as hacker activity. Nevertheless, this is not the case, and these actions should be permitted since they originate from our authorized service. It's highly beneficial to maintain this collaborative relationship. This allows us to fine-tune our system, minimizing the occurrence of false positives.

The SOC plays a crucial role in incident response. When issues arise, they are promptly prioritized. We have a specific prioritization process that feeds directly into our service desk. This enables us to initiate our incident response testing promptly. Additionally, the SOC identifies other potential concerns. For instance, we are currently investigating a situation involving suspicious DNS queries originating from specific IP addresses. Presently, we are actively examining this issue. While it appears suspicious at the moment, it has not been confirmed as an exploit or an actual event. Our standard procedure involves thoroughly investigating the matter and documenting all actions taken. Any actions we take become part of our response protocol. If the situation warrants, it might be escalated to the IT committee. Regardless, all actions and findings are meticulously logged in our service desk for future reference.

I appreciate that the SOC handles platform management. It's pleasant not to be directly involved with managing the tools themselves. Essentially, what we do is utilize an agent. This involves configuring an agent that is deployed universally. Additionally, they handle the configuration of SysLog services and similar tasks. Apart from these aspects, they take care of everything else. They provide the server and are responsible for updates, including those related to the internet. When it comes to integrations, they've established connections with our firewalls, antivirus, and email security gateway. This facilitates the retrieval of logs and security details, which they collaborate with us on. I'm relieved that I don't have to concern myself with updating their software. In our monthly meetings, they discuss new exploits they've come across, often with amusing names like "monkey dine," and their efforts to identify telltale traces of potential threats within systems. This proactive approach is commendable. Their management of these aspects allows us to concentrate on using the platform. For me, it's comparable to owning a car. When I buy a car, I can operate it, but I don't need to understand its engine intricacies. In the same manner,  Netsurion Managed XDR has been a boon for us. It has consistently proven beneficial across the various companies I've worked with. Unlike setting up our own monitoring systems, which can be time-consuming, Netsurion Managed XDR's implementation is relatively swift. While there's an initial learning curve, within a few months, the value becomes evident. The insights provided are exceptional. Certain reports are even presented to the IT committee I report to, serving oversight purposes. These reports are also instrumental for compliance and audits.  Netsurion Managed XDR is a third-party solution, impartial in its reporting. They provide compliance reports alongside their software tools. From my perspective, it's one of the essential tools. Over the course of my professional experience, there are a handful of products and services that I've found indispensable, and Netsurion Managed XDR is one of them. I used to use the Netsurion Managed XDR in my previous company, which was a relatively larger company.

The SOC has enabled us to fully concentrate on everything else that we need to do. Knowing that the segment, the monitoring, the event tracking, and the alerting are taken care of by someone else gives us the confidence that if something happens, we will be notified. This allows us to focus on tasks that are more aligned with our experience and the size of our IT departments. If an issue arises and it's critical, I will receive prompt notification. If it's not critical, I will receive an email from them the following day, or it will be included in an observation report. It will definitely be discussed in the monthly review meeting.

If we didn't have Netsurion Managed XDR, I would be looking at logs, and we'd be relying on antivirus and our own monitoring to see if something was untoward. We just wouldn't have the insight and visibility we have now. And I didn't have it before. We had monitoring, but nothing as in-depth as we have with Netsurion. So has it decreased the amount of time we spend on it? I would say it would have if we'd been able to do some of the stuff that they do, but we really couldn't do it. We didn't have the time. We didn't have the tools to do it. For us, it's been a total value add in terms of the capability, rather than the time saved because we were unable to do the tasks before.

Our main concern is IT security. We are looking at it from a point of view of making sure that we are fully PCI compliant. PCI is the compliance driver for us above all others. The log management, event management, and managed services are all fairly pricey services for a small business like us, but we felt the need to be able to take all the logging traffic that we are storing, then make some sense out of it. We needed someone with that expertise because we don't have a dedicated, trained security professional in our organization or in our small group. We turned to Netsurion for that service and have been happy with it.

It takes the load off of our systems administrator from having to manage, vet, and analyze logs. Even though they come out in a good format and we have reports from them, there is still an incredible amount of data moving through that system. 

When I looked last week, we probably averaged about 20 million log entries a day. So, we certainly can't individually manage that. Just looking at the reports, then trying to go back and find anything that was questionable, was a challenge. Therefore, the managed service has been invaluable to us in terms of being able to narrow the scope of what really needs to be looked at and bringing those things to our attention to be dealt with.

The solution provides 24/7 monitoring and alerting. When we have third-party security assessors come in and do our annual pentest and security review, they have ranked us as being a very mature small business compared to others that they deal with. So, we rank fairly high in terms of cybersecurity maturity compared to other small businesses with 75 employees, such as ourselves.

We don't do a lot of network analysis, but it certainly meets all of the correlation requirements that we have so we can be able to spot logins at unusual times. Or, I just got a report, not 30 minutes ago, and called one of my guys, saying, "Hey, go check on this PC because it is showing 15,000 incorrect password attempts to get to the file server. What is going on?" Obviously, it's not necessarily an indication of a breach of any kind. It is an indication of some kind of software malfunction. So, we were able to look at that and get those reports, and say, "Hey, we have something that needs our attention. I have one user account hitting a file server from one PC, and we know that a password was changed on the day that started, but we also know that the password is not locked out. This helps us analyze what the real problem is, then we are able to eliminate that it is not an Active Directory problem nor a Windows problem. We know what caused it, and it's not an intrusion attempt. However, this narrows down all those issues so we can focus on where the problem might really be.

Having a managed SOC reach out and contact us when something pops up is useful, since we're not, as IT staff, able to have eyeballs watching for things. We are dealing with staff, devices, services, etc. all the time, so we are not able to watch for things. There is also not the expertise available all the time for all our escalations of threat management. Having someone who can notify us, "This is urgent. I will call (or email) them based on the runbook that we have," and, "I need to follow up in however many days," depending on the urgency of the issue, has been really helpful.

Given that the solution is passive, it hasn't had much impact other than occupying space on our server infrastructure.

They offer 24/7 monitoring and alerting with the understanding that our boots-on-the-ground staff are not 24/7. Being that it is passive, if they are calling us to do something, then depending on the time of day or even the day, our staff aren't working. We don't have a 24/7 rotation, given that there are only two IT staff positions for the entire organization.

Netsurion gathers the logs from our Sophos cloud provider, amalgamating it all into our on-premise SIEM. Then, the SOC is performing all the analysis, reporting, and alerting for us. This is pretty important given that we have very limited staffing, so we need to be able to have that handled for us.

There haven't been a lot of incidents in the last six months, which has been nice. Most of the incidents that we have reported have been false positives in the last few months. It has been quiet since August.

Its threat detection and response is pretty good.

We had a staff member who downloaded something, and I can't remember if they had had the authority to install it in this scenario. Anyhow, they downloaded something and were running something that was connecting to services in Europe which had a bad public reputation. The database or listing that they had referenced was either malware class or spyware. The visibility of seeing somebody had downloaded something that they weren't supposed to, and they weren't following organizational procedures for software procurement, was very helpful and useful. 

We use Netsurion to find out what's going on in our environment. It lets us know if we have strange actions acting out. It's a deny-all policy, so there's an access list on each machine. It was effortless to tune it for our software because we have four pieces of intellectual property used in-house, and that was super easy to get up and running compared to some of the other solutions I've seen. For the most part, it's set-it-and-forget-it protection.

We've been under attack since the day we opened. Our company has a web base that hosts more than 100 different websites, and we're constantly facing attacks — our mail servers too. Of course, we knew we were under attack, but Netsurion provides excellent visibility into how often it's happening and what services they were using. We had a relatively decent idea of that ahead of time, but it solidified a lot of issues we thought we had and allowed us to tailor some solutions to mitigate those issues a little bit easier than it had been when we didn't have all the actionable intelligence.

You can't protect against what you don't know. My instincts told me certain issues were happening. There were a couple of records of it here and there, but it's easier to zero in on what you need to do if you can see what attacks are occurring and how often. It helps you identify gaps you may not be aware of. Netsurion helped shore up our security posture by verifying that some of the initial steps I had taken to protect us against some of these outside attacks were correct. I don't want to go into it too deeply, but it also showed us the usefulness of some best practices out there that many people aren't following. 

It also gave me some insight into what the attacker is going through. When I looked at the thousands of logins we get a day, and I was surprised to see the different languages attackers were using. I thought that was kind of interesting, but for the most part, it showed that many of the early countermeasures we put in place 20 years ago were still protecting us effectively versus a lot of the threats out there. 

We've been able to consolidate cybersecurity technology for our endpoint security. It's a deny-all policy. We reinforce it with other products behind it to ensure that nothing's getting through, but it was still a paradigm shift for us. Instead of just using signature-based threat protection methodology, it allowed us to really get a better grip on what was running inside of our network. That includes some attacks that aren't even nefarious, but just some chatty stuff. We were able to clean up our network a little bit based on some of the things we had seen.

It helps that everything's in one pane of glass by limiting the number of dashboards we have to look at. Consolidating services really helped us gain C-level buy-in. This wasn't just to monitor logs and check for some malicious entries — it was a complete solution that allowed us to recoup monies in other areas because we could consolidate everything in one product.

Neturion's managed security didn't reduce the amount of time we had to devote to everything else, but it supplemented our visibility, giving us the ability to see more than we could on our own. They also got us up and running in a week, whereas we would've probably spent months trying to get this running with the resources we had at the time. Even if I were fully staffed, this would have been a difficult task for us to pull off on our own. So while I won't say that it freed up my staff to do other tasks, it saved me from having to assign staff or take staff away from current projects they were working on to get this implemented and keep it running. I know it would've taken a lot of my time — at least two to three weeks — plus the time of my techs.

It's a managed SIEM. It collects our log information, events from different systems. That information gets analyzed to alert us to any problems that are typically security-related issues. We use that database to do our own research as well. For instance, it's handy for figuring out why somebody keeps getting locked out.

The 24/7 monitoring and alerting is definitely a positive because we don't have to have it in-house. These days, finding security people and keeping them is even more of a challenge than it was two years ago.

Netsurion also provides us with actionable threat intelligence. If an endpoint visits a site that tries to do a download, a "drive-by" type of situation where it tries to run an obfuscated URL through a PowerShell or the like, we'll get an alert from the SOC so we can take remediation actions for that particular endpoint.

Our detection time is shorter than it was, and they're well within the SLA for both detection time and remediation. Since MITRE was added in, we haven't seen anything take longer than it's supposed to. The detection times are short, and alerting times are also very short. And while the addition of MITRE hasn't increased remediation accuracy, remediation accuracy has always been good with Netsurion. When it's already good, if it only gets a little bit better, it's hard to measure that.

In addition, the fact that this is a managed security solution has definitely freed up my time to work on other responsibilities. If we didn't have the managed component, I would probably have to spend most of my day in the SIEM, personally. Now, I only have to turn to it once in a while. It has freed up most of my time to work on other projects instead of managing the SIEM. It saves close to 75 percent of an FTE in our existing staff and we also haven't had to add staff. To get 24/7 monitoring, we'd have to have at least three people with no vacations for those people. That would add up to a whole bunch of FTEs.