Securonix Next-Gen SIEM Reviews

I run the intellectual property protection shop for the company and our primary use case is to monitor for DLP.

In terms of detecting cyber and insider threats, my primary focus is insider threats. It's excellent at that. The ability for the system to detect events is incumbent upon knowing your own threats and risks and predefining those, to a large extent. If you know your environment well enough to make up your own rules and define exactly what a risk or threat means in your organization, it's outstanding at detecting them.

While my primary focus is insider threats, one of the reasons we like SNYPR more than other brands is the entity analysis piece. We have picked up unnamed entities - an infected machine or a machine that had been taken over through a fishing attempt and had a bot installed on it. We have been able to detect malicious software with the system without even predefining the threat or risk model.

When it comes to the solution's behavior analytics helping to prioritize advanced threats, as long as you can pre-define what you want it to prioritize, I find it to be excellent at doing that. We have a very small team. It's very important for me to have the Securonix system highlight the most critical threats so that the analyst can see it.

We have two models. There are the people who are reacting to something negative in the company, such as someone sending a lot of things to a USB drive or trying to email out a lot of sensitive documents. Those people are easy to catch because their behavior is anomalous to themselves and to others. But for the advanced threats, we have different models in place that will highlight what we call "low and slow" behavior, where someone might be placed in the organization by a competitor or a foreign country, with the intention of removing small amounts of data over a long period of time. We have successfully built models that detect that, as well. Any system can catch the people who are going to "break the window" and steal as much data as they can in 24 hours. It's the advanced threat that's much more intricate, but we have had success with that model.

The solution benefits our company overall in the sense that we are protecting intellectual property which is the key to the company's success. But there has been a direct benefit to my team as a force-multiplier. At any given time, I have three or four analysts and we have 120,000 end-users. I feel confident in the increase in the value of cases we have found. We bring in fewer cases per year, overall, and that's attributable to the ability to tune Securonix and drop things that might be more of a "coaching-letter" type of event, rather than an investigation. We're able to tune those so that they are less of a priority than the significant data-loss events. We've been successful at catching the data-loss events.

And the functionality within the Spotter tool has helped us eliminate many hours required to create link analysis diagrams, which we used to create by hand.

It has easily decreased the time required to investigate alerts by 30 to 35 percent. The Spotter functionality, where we create link analysis diagrams within Securonix, takes about five seconds to do. We type in the pipe symbol, the word "link," and a couple of arguments and it puts the link analysis diagram right in front of us. Before, it was a manual download from three different systems and we would put things into Excel or i2 Analyst's Notebook and do the link analysis diagram that way. That single step alone is something we do for every single case which an analyst writes up, and it easily represents 30 to 35 percent of their time.

The solution has also helped us to detect threats that would otherwise have gone unnoticed. In the past, when we were using just a SIEM tool, we had reports on things like the top-ten people each day sending email to a competitor's domain, or top-ten people emailing to a personal domain, or the top-ten people copying data to a USB. We looked at six of these lists every day. When we first started using Securonix, they came to us with an event that their system had detected, something which was a fairly significant event. When I went back and looked at why we hadn't caught it ourselves first, what had happened was that Securonix was able to accurately able to identify, with its pattern-matching functionality, two personal email addresses from this person and correlate that with USB use and their sending of emails to a competitor's domain. Out of the four domains, none was high enough to get on the top-10 lists, but all four together - when they were correlated together as a single event - were very significant. That enabled an analyst to see it and react to it.

Securonix has helped to surface high-risk events that require immediate action. The preceding example is a good one. Another good example is correlating events with foreign travel, for instance. One of the things we have programmed in is HR data around a known last-day-worked. We've been able to correlate people whose last day at work was within 48 or 96 hours of having foreign travel booked. Those things, by themselves, don't really mean anything, but as part of a model they add to the score of someone who has data leakage events. We've used those factors successfully to increase the score of someone with leakage events and prioritize them so that we can react before the person has left the company and the country.

We moved to their software as a service and cut over to production, officially, in January of this year (about five months ago). It has significantly reduced the amount of time spent by the technical lead on my team doing hands-on patching, maintenance, and troubleshooting on the host server, as well as fixing the server when there were application incompatibility issues. The previous version we had sat on a standard, company Linux server. Securonix was an application package, a COTS, for the most part, that sat on top of a standard-built server. The server represented a cost to us when purchasing it and there was a cost to maintain it. Moving it to the software as a service model in the cloud has completely cut out all of that. It's a less expensive model for us to operate under.

The Hadoop-based platform has also provided operational benefits. With the on-premise version that we had before, we were limited in the number of data inputs. As soon as we moved it to their Hadoop-based platform, it became unlimited. It's scalable to whatever size we need. We were able to quickly add six data sources to the system, which were impossible to add before.

We are using it for monitoring firewalls, Windows operating systems, some Linux operating systems, active directories, and some of the solutions in the cloud such as Office.

In terms of deployment, everything is in the cloud. Our licenses are on the cloud. We don't deploy anything on premises except the RIN.

We are a managed service provider, and we offer this service to third-party clients. Most of our clients are very happy with the solution. We can detect a lot of threats, which are not false positives, and we can describe the threats very well. A lot of information can be obtained from this SIEM, and we can provide very good incident reports to our clients.

We were using another solution previously. The other solution couldn't compete with the features and functionality that we were looking for as a managed service provider. Some clients ask for specific features, and we couldn't complete those needs with other products. They were more about calculations, such as events per second (EPS). With Securonix, it is easier to sell the product and make quotes for our clients. It has helped us a lot at the administration, commercial, and operation levels.

It provides actionable intelligence on threats related to our use cases. It can detect violations and reduce false positives. This actionable intelligence is one of the most important parts because we have suffered with some of the other solutions in terms of receiving a lot of events and alarms where most of them were false positives, which made it a bit difficult for us to investigate and generate incident reports. Securonix is handy for engineers and the security operations center.

Its analytics-driven approach is pretty good at finding sophisticated threats and reducing false positives. When it comes to monitoring network devices, such as firewalls, it can detect behaviors that would be difficult for other solutions to detect or for normal engineers to detect manually. It has a lot of violation policies, and it is very handy and helpful at this level.

It adds contextual information to security events, which is one of the most important points. We can fill a lot of information into our reports for our clients.

Everything is saved for us and indexed. We can review any event we need within three or six months. We can review even when the data is in the cold phase. We never faced any case where we lost any event data. When clients asked about some events in the past, we could find them very easily and without any issues by using the queries.

It improves analysts' efficiency to do more with less time. Spotter is one of the best tools for me for searching and visualizing various things such as policies. With the Spotter language, you can search for whatever you need. You can search for any endpoint, any IP, any hostname, or any violation name. Even though it is not very fast, it is fine for us. Splunk or Elasticsearch is faster than Securonix because this is their job. Even though Spotter is not as fast, it has been helpful for us.

We use the solution for protection of engineering intellectual property. We currently look at engineering data in two systems, one a commercial system and one which is a homegrown system.

We've seen a couple of circumstances where people accessed data, especially in our internal application, and we weren't sure how they did it, because they shouldn't have been authorized to access it. We actually found a backdoor on our side. Their access did not go through that backdoor intentionally, but they did find a backdoor way to get the data. We shut that one down as soon as we found it.

The other thing we do, where it's been a big help, is that we people who, from a process standpoint, bring down a ton more data than they should. They aren't doing something malicious, but there are ways to bring down simplified data subsets. We've been able to educate the users to take down simplified sets. In essence, that saves them time and effort in having to bring all that data down and then call it up and use it. It's really tough to put hard numbers on that but we have certainly seen a reduction in the amount of these high-volume downloads and it's really been because of a process change on the part of the users.

We use Securonix to monitor attempted malware attacks. It sends us alerts, so we can investigate suspicious entities. We'll refer it to the consent team, who will give their solution or comments. 

We have a server where all the data is stored. The Securonix people will take the data from that server, encrypt it, and send it back to the application. From there, we can work on the alert and monitor the data.

The product reduced our investigation times by about 85 percent. Data and geolocation enrichment are the two essential components of the detection part. When there is an IPS alert, we generally need to check to see where the IP is located. Securonix will tell you where the IP is located in the city and country. Securonix helped a lot when the Log4j cybersecurity attack broke out last year. It enabled us to investigate that threat deeper. 

The behavioral analytics features reduce our false positive rate compared to traditional antivirus and cut the time spent detecting and responding to threats by about two hours each week. 

Next-Gen SIEM provides valuable contextual information about security events. We are adding all the information, like user data, from Active Directory. Whenever a user is terminated or retires, we will get an alert stating that the user has separated. 

The built-in management tool improved our security teams' efficiency. You can raise a ticket with one click when you see something suspicious. You can work on it and do your analysis in the backend. It will open a ticket and send it to the teams. 

The analysis will be completed in 15 to 25 minutes. The solution will email the consent team to tell them they need immediate action. In other tools, we have to go to another third-party tool to raise a ticket, and we need to escalate the issue ourselves. There is typically another procedure, but Securonix has a built-in management tool. This reduces a process that would typically take an hour to about 15 or 25 minutes.

It also helped us avoid data loss because we integrated SharePoint into Securonix. We get a notification when someone deletes files in Sharepoint that reports the SharePoint link, the user, deleted files, etc. We will investigate whether it's a legitimate activity or something else. 

Our primary goal is insider trespass. We have also been using the product for account privilege misuse as well as intellectual property and data theft. Going into the cloud, we have expanded our scope to cloud applications. We never supported the cloud but now that we are using SaaS we've been able to cover cloud applications and cloud infrastructure. That use case is picking up a lot of speed. But, traditionally, it's been used for insider threat and account misuse.

One example of how it has helped our organization is with people who are exiting. We had a lot of issues when people were leaving the organization regarding what documents they were taking and what systems they had access to before they left. There were concerns about whether they did any sabotage or created any backdoors before they left. 

One of the very big areas of help from the solution is its exit report. Before a user leaves, it provides us with a 90-day report on that user; everything that user has done, what his behavior looked like, what systems he accessed, what data he took out. It gives us a complete picture and we are now able to provide that to HR. Our security team is also able to look at it, and it helps us in making sure that, before anybody leaves our organization, we have taken all the preventative measures and have made sure they're not taking any data. That has been a very crucial use case. 

The cloud has been a tremendous advance as well. We had no visibility into our cloud. Something that we never had with our traditional SIEM or any of our previous backbones was visibility into what people were uploading on our SharePoint, what people were accessing on our Azure. Cloud has definitely helped us with a lot of visibility and we are getting some good results. We hope they will get even better.

We use Securonix for alert generation by feeding events from different data sources and creating policies. Based on policy violations, we manage alerts. It's essentially a SIEM system for what we do with Securonix.

One of the valuable features of Securonix is the auto-incident creation, which was not available two or three years ago. Previously, we had to create incidents manually when a violation was triggered. Now, the process is automatic, reducing our workload. Additionally, behavioral analytics is a useful function, even though it sometimes triggers due to legitimate actions. It requires fine-tuning but correctly detects abnormal behavior.

We use it for user behavior analytics in a hospital. Consider patient health information. We use the product to understand where the information is, who's using it, who's accessing it, whether the access is authorized or unauthorized, and whether there is a possible risk of someone stealing that data. There are many such use cases.

Additionally, we can find who's accessing the data at a particular time in the hospital network. It is flagged as a potential risk if it is an unlikely behavior. When unauthorized access is made, an investigation is launched. There are similar use cases of Securonix that we built in hospitals in the US over the last six or seven years.

The big data security analytics platform, structured and unstructured data analytics, and user and entity behavior analytics provided by the product are probably the best in the industry.

We were using it for data loss prevention and data acceleration. We wanted a platform with a proper ticketing facility, and as and when we reviewed a user, we also needed a proper documentation setup. Securonix provided that. We were able to integrate playbooks and a lot of other modules so that we not only looked at a particular problem area but also at other factors. We didn't only want to look at exfiltration but also at any lateral movement inside the company by a user. We wanted to look at the outliers in a better way, not only in terms of a user's activity but also in relation to the peer activity to show that it is not a team; it is just a team member doing something wrong.

We most probably were using version 6.0.

It was very easy for us to do our manual threat hunting. We had a lot of instances where we found our internal users exfiltrating data. We were able to see that they were exfiltrating data. We could confirm that through the platform by taking a deeper look, which was very nice. It is user-friendly and handy. It allowed us to look at all kinds of activities and logs.

It provides actionable intelligence on threats related to the use cases. After you have done the configuration, it triggers an alert for any incident. This actionable intelligence is very important because it allows us to respond in time without missing the window of being able to take an action. Sometimes, threats are small, and the indicators do not pop up, but with manual analysis, we can get a complete view. So, it is very important to have real-time triggers.

We have been able to find a few true positives. Based on the triggers from the tool, we got to know that people have been exfiltrating data over a period of time. They had been doing it in small amounts, and that's why it went unnoticed. After the tool notified us, we discovered that one or two users have exponentially exfiltrated data over a period of time. Without the solution, just by looking at the logs, we wouldn't have known that. The tool understood the behavior and triggered a notification, and we got to know that. The users were not just sending our data to themselves but also to another vendor. They were contractors, and they were exfiltrating the data to another vendor. They were about to leave the company, and we were able to catch them before they left.

It reduces the amount of time required for investigations. If I had to check logs from different log sources or tools from different vendors and create tickets, it would have taken time. With SNYPR, we were able to perform a lot of actions within the same platform, and we were also able to push tickets to our SOAR management tool. Everything was in one place. We didn't have to navigate between different things. It was helpful for incident management. It took time for analysts to check whether an alert was a false positive or not and provide the right evidence. Having incident management within the tool reduced time in creating and closing some of the incidents. Instead of 30 minutes before, it was reduced to 10 to 15 minutes per incident. We didn't have back-and-forth navigation. Everything was in one place. 

It saved us a couple of hours of our day-to-day activity because everything was consolidated. Once I logged in, one or two hours were enough for me to look at everything and identify things to take an action on.

It has definitely helped us with threat management. Because of the sample use cases that we saw from Securonix, we were able to design a few of our own use cases. We would not have thought of those use cases in the past. We were able to add use cases that were helpful for our data internally. We were able to understand logs even better and create our specific use cases. It was good learning.