Elastic Security Reviews

It is currently deployed as a single instance, but we are currently looking at clusters. We are using it for a logging solution. I'm a developer and act as a server engineer for DevOps Engineers. It's used by developers and mobile developers. It could be used by quite a few different teams.

It is quite comprehensive, and you're able to do a lot of tasks. It has dashboards and we're able to create a lot of search queries. It is not easy to use, but once you get the hang of it, then it provides good graphs and visuals such as these. The indexes allow you to get your results quickly. The filtering and log passing is the advantage of Logstash.

In terms of query resolution, error searching finding and production issues, we're able to find issues quicker. We don't need to manually obtain the logging reports. All bugs in code are quickly identified in the logs as they are in one centralized logging location.

We're using the open-source edition, for now, I think maybe they can allow their OLED plugin to be open source, as at the moment it is commercialised. We are planning to go into the production to use the enterprise edition, we just wanted to check how this one works first.  I think maybe on the last exercise part, I think the index rotation can be improved. It's something that they need to work on. It can be complex on how the index, all the logs that have been ingested, the index rotation can be challenging, so if they can work on that. In terms of ingestion, I think they should look at incorporating all operating systems. It should be easy to collect logs from different sources without a workaround to push the logs into the system. For example, in AIX, there's no direct log shipper so you do need to do a bit of tweaking there.

We have been using ELK Logstash for three years or so. We believe we are using the latest version. 

The solution is quite stable, although it does need a bit of maintenance, and because there is quite a lot of plugins that come with it. There's a lot of testing that is involved to ensure that nothing breaks.

The solution is scalable. So you're able to extend it and grow it. For example, you're able to put it in a cluster, so it is quite scalable.

I have used the technical support. Their forums are quite good in terms of response. There is quite a big community of forums, where you can get similar question or issues that others have experienced issues previously. Even then direct support is quite good. They also have regional support. 

Logging solution previously, but mainly I've been using Graylog and ELK. Graylog gives you centralized logging. It's built for a logging solution, whereas ELK is designed and built for more big data. If you want to go in deeper into analytics, ELK gives you that flexibility and out of the box models. The two solutions are widely used by a lot of bigger clients in the industry and they've been tried and tested.

With ELK, installation is not really straightforward. There are about three applications to consider. It's quite intense in terms of set up, but once you've done the setup, then it's nice and smooth. The implementation took about 3 weeks, but that is because I was doing it in between other projects. We used an implementation plan. It was deployed to the development environment, then the Point of Concept (POC) environments. It was then deployed into the production environment.

We implemented the solution in-house. There were no third parties involved. For deployment and maintenance, we just need about two to three people and the role is known as maintenance and installation.

We're using the open-source solution, So there are no-cost implications on it, but we are planning to use it throughout the organization. So, we will soon adopt the open-source model and depending on if there is a need for enterprise then we'll go down the enterprise route. If you need a lasting solution, you do need to buy the license for the OLED plugin. The free version comes fully standard and has everything that you need. It is easy to deploy, easy to use, and you get everything you need to become operational with it, and have nothing further to pay unless you want the OLED plugin. 

We also have Graylog, for Graylog we're using it in parallel for a similar solution. At the moment, we're basically just comparing the two and see which one is preferred.

Do a POC first. They should compare solutions and also look at different log formats they're trying to ingest. See how it really fits with the use case. This goes for ELK and Graylog. You can trial the enterprise version. In terms of lessons learned it does need some time and resources. It also needs adequate planning. You need to follow the documentation clearly and properly. I would give this solution 8 out of 10. 

We plan to use it to analyze the data that we're pumping into it from Active Directory and from firewalls, then we'll pass that information onto our own external SOC.

We really haven't had any significant SIEM solutions, so it's all new to us, other than a simple up-down solution. Just the ability to do a lot more than just up-down is nice, which a lot of people take for granted.

The biggest challenge has been related to the implementation. It's a very complex product which, without a lot of knowledge or a lot of training, it's very difficult to get into and make use of. They try and make a lot of the general features very simple to access; a lot of the dashboards are very simple to use and so forth, but a lot of the refined capabilities take serious skills. They're not necessarily the easiest to implement.

We've been trying to implement it and get it up and going for a good three to four months now.

Elastic SIEM is pretty stable. I did have a problem during one of the upgrades, but customer support was able to resolve it for me quickly. Other than that, it's been very reliable and stable.

The customer service is great; not a whole lot of back-and-forth going on.

The initial setup was pretty straightforward.

It's a monthly cost with Elastic SIEM, but I am not sure of the exact cost.

In our case, being a medium-sized business, it takes a lot of resources to learn how to properly use and implement it — you need to have a good understanding. They give you a very good framework and a very good solution to work with, but there's a lot of intuition that's required to actually make it work well. It requires a lot more effort than they would lead you to believe or that you would even expect.

On a scale from one to ten, I would give this solution a rating of eight. This is based on my experiences from the past as we're still implementing it.

We primarily use the solution to have a correlation on all the Windows event logs. We use it more for forensic purposes now. We are looking for something which will be a more proactive product for us and be able to detect any threats and take automatic action.

All of the features on the solution are useful due to the fact that I have the full Stack, therefore I can collect and then visualize. We have the dashboard tutor as well.

The solution has a good community surrounding it for lots of helpful documentation for troubleshooting purposes.

The solution is lacking some features of AI and machine learning. There may be a feature out there we are not using or maybe it's on a different solution, however, having more AI would be so helpful for us.

The solution needs to be more reactive to investigations. We need to be able to detect and prevent any attacks before it can damage our infrastructure. Currently, this solution doesn't offer that.

I know there are some features which are coming, and which is already available. To be honest, I haven't had any time to play around and check what could be the advantages of them. Compared to other products, already the features available - and there are lots of things which are provided - are quite useful. We are not managing it. We're only using it. For us, if we had the technical skills to manage the solution, we might be able to see and understand a few features that we're not already taking advantage of.

I've been using the solution for three years.

The solution is scalable for us now, although it didn't start that way.

We have about 50 users between SecOps and the Microsoft team. The network team of between 50 and 100 people are using it on a regular basis.

I never had to be in contact with technical support. I mainly rely on the communities around the solution and that is where I find almost all of the information I need. They're great. There's lots of information available that helps you troubleshoot issues.

We previously used a product from Quest Software called Change Auditor. We actually didn't switch off this solution. We use both Quest and ELK in our organization.

The main difference is that one you have to pay for, while the other one is much cheaper and if you don't need all the features, you can use it for free.

ELK has much more information, as well. You can grab much more information with ELK than you can with Change Auditor, without adding any additional modules.

The initial setup as I recall was pretty easy. However, I moved to an infrastructure that had a connection to a second ELK instance that I am not managing.

The settings on that instance are more complex than my initial setup. 

I am not a specialist in big data infrastructure. I am a process engineer. You need some dedicated and well-trained people as soon as you have a large infrastructure and you are sending a lot of events to the elastic instance so that it is performed correctly. That's always the challenge you have with on-premise infrastructure.

I'm not sure how much the company pays to use ELK. It's not part of the job that I handle.

We're ELK customers. Mostly I'm a specialist on the infrastructure of the solution.

The solution is perfect as long as you are using it for forensics. In terms of threat detection, it could be better. There could be another product that is more appropriate for that aspect.

I'd rate the solution eight out of ten.

This is a log aggregation tool and we are using it for security purposes.

There are 145 pre-built use cases, but we are still making some ourselves. One we built is an alarm for log deletion. For example, if a hacker tries to delete the log from a bank machine then it will raise an alarm immediately. A second use case is an alert for too many false login attempts, perhaps indicating a brute-force attack.

The most valuable feature is the speed, as it responds in a very short time. I think that the alerts are generated in less than a minute.

It is very easy to set up and doesn't take much time.

There are sensors called beats that have to be installed on all of the client machines, and there are seven or eight of them. As it is now, each beat needs to be configured separately, which can be quite hectic if my client has 1000+ machines. It would take a considerable period of time for us to complete the installation. They have begun working on this in the form of agents, which is a centralized management tool wherein all beats will be installed in a single stroke.

The training that is offered for Elastic is in need of improvement because there is no depth to it. It hardly takes 15 or 20 minutes to complete a training session that they say will take two hours to finish. Clearly, something is missing. If a new engineer wants to work with Elastic then it is really very hard for them to understand the technology. 

I have been using Elastic SIEM for two or three months.

This is a stable system and it has never crashed.

Elastic SIEM is definitely stable. We have just started working on it, so we have no more than perhaps 100 users at this point. At the same time, we are confident that it can be scaled up to any extent.

I am satisfied with the technical support.

The initial setup is easy. The length of time for deployment on a machine depends on the configuration that is required. If it uses all 145 use cases then it will take a long time. If on the other hand there are only a small set of use cases, it will be very quick. I would say that it takes no more than 30 minutes to install one.

I have personally worked with Splunk in the past, but here at this company, they only use Elastic. I believe that one of the major differences between these two is the pricing model. With Splunk, it depends on how much data we are ingesting. For us, it is approximately 500 GB per day. Elastic has a different pricing system that is ultimately cheaper.

One of the advantages of Splunk is that they offer extensive training that is free of cost.

My advice to anybody who is considering this product is that it is a very competitive tool that is very new in the market and the vendor is doing their best to improve services. I highly recommend it and suggest that people choose it without a second thought.

I would rate this solution an eight out of ten.

I was using this product up until recently when I changed companies, but I have been asked to implement logging in my new role and this is one of the options that I am considering.

It was used in conjunction with Kibana to examine our logs and perform debugging. When a user complained about misbehavior in an application, we would research the logs, test, and try to find out where the bug is.

The most valuable feature for me is Discover. I have not used all of the features, so I can't say that this will be best for everyone.

I would like the process of retrieving archived data and viewing it in Kibana to be simplified.

We ran into trouble once or twice regarding problems with timestamps that came about because of issues with memory. Consequently, the correct data was not logged and it had to be done again.

I used this product for about eight months, up until about two months ago.

We were using this solution once or twice every couple of weeks when we encountered a bug. I found that it was stable.

I have not tested scalability. In my previous company, there were 20 people on the team, but only the backend developers were using ELK Logstash. This was perhaps 10 users.

We hosted this solution ourselves, so there was no technical support.

We have used Graylog in the past, but it was self-hosted and the experience wasn't great.

I did not do the initial setup myself.

My colleague deployed this solution for me.

This is an open-source product, so there are no costs.

When my colleague set up this application, it was configured such that every seven days, the data is archived into long-term storage. When I needed something from the archived logs, it was easy to retrieve and I could look through them again. This is something that I would suggest doing.

My suggestion for anybody who is implementing ELK Logstash is to make sure that the entire team knows how to use it. If only one person knows it and takes care of it, then it is not a very productive experience. On the other hand, if everybody is familiar with it, the experience will be much better.

This is definitely a product that I recommend using.

I would rate this solution an eight out of ten.

We have different use cases. We implement it for the banking and healthcare sectors. It's the most useful for the e-commerce platforms that we deploy it for. The most important feature is Elasticsearch.

They also use it for security. Elastic Security has been deployed in the National Bank of Dubai. They are currently using Elastic Stack and they're also using the security version. 

It's a good platform and the very best in the current market. We looked at the Forester report from December 2022 where it was said to be a leader. 

There are many benefits. It provides log monitoring, synthetic monitoring, real user monitoring, and application performance monitoring. 

These are the four main use cases that most organizations use it for. They want to know the downtime and the errors in the code. They acquire it through my company. It's mainly used by SMB-sized companies but not enterprise.

Elastic has one problem. In the past, Elastic Security was free. Now, they currently only offer the basic license or a certain period of time. 

The platinum and enterprise level features aren't offered in the free version and most organizations use the free version. They don't pay for the paid features. That's a problem in the market from the Elastic side. They should have a way for everybody to be able to benefit from the premium features. 

I have been using Elastic Security for one year. 

I would rate Elastic Security a nine out of ten. 

We use Elastic Security for monitoring. Our client is a financial client, so we detect their infrastructure from that perspective. For example, if there is any unauthorized access to their financial systems, we need to know about that. We monitor all the instances they are using all the storage buckets they use, and then if they have exposed any APIs, we need to monitor those as well. They are using AWS Cloud, and we need to monitor their cloud services.

There is a lot of customizability in Elasticsearch. For example, I can use indices if I want to modify the fields or segregate the logs. I can also use different open-source tools. For example, a tool called ElastAlert can be used for detection on Elasticsearch. Even if you don't have Elastic SIEM, you can still use ElastAlert. Similarly, the APIs they provide are pretty flexible. We use those APIs in our automation to get notified in Slack.

Another good thing about Elasticsearch is that it provides extensive flexibility regarding search. The filters are pretty amazing. You can know, search whatever you want.

There are a lot of things that could be improved. For example, if I talk about Sentinel, the automation of the server component is very cool. But when it comes to Elastic, I don't see that. I think we need to come up with other solutions to make it possible to automate the response. This is easier in Azure Sentinel.

Then if I come to integration, for example, there is a product from IBM called QRadar. They provide a very managed way to manage your integrated log sources. For example, you will get a list in one pane where you can segregate logs based on their log type. For example, it could be based on Windows or Linux. Even within them, you can segregate them based on their application. You can tag them. But in Elasticsearch, you will get all of these in one place, in a raw form which is not very presentable. You cannot visualize those log sources pretty well. Although you can visualize logs pretty well through dashboards and graphs, when it comes to integrated devices, management for those devices is missing. And wherever I use Elasticsearch, it takes a lot of time to reload or load. It is very time-consuming.

I've worked with this solution for more than seven years.

Stability is a tough question with Elastic Security. Some of my clients have found this solution pretty stable, but two or three clients have a lot of real-time data, and it has been a pain in the neck while dealing with Elasticsearch because it takes a lot of time to load. Even if my client has increased their resources like RAM and storage, they might still put that into a load-balancing infrastructure without scaling enabled. The stability depends on how well you deploy it from the start. For example, if your design is good, and you have implemented it as it should be deployed, then you will not face those complications. But if you have deployed it wrong and don't have a completely planned architecture. After that, it is not easy to correct those mistakes because it has already been deployed and integrated, and now there's no time to fix those errors in the architecture.

It depends, but the solution is overall reliable.

The solution is scalable. But again, it depends on the deployment. If you're deploying it in an auto-scaling infrastructure, it will automatically scale as per the demand. For example, if it's a service on AWS, they provide Elasticsearch but call it OpenSearch. If you use that, it will automatically scale as per the demand, and you will only be paying for the resources you use. But if you are deploying it on-prem, it's only as scalable as the infrastructure.

Three of my customers are using the solution currently.

The initial setup is straightforward. But since I've been using it for seven years, I could be comfortable with the solution, so I'm saying it's straightforward. However, my team, including new people, found that the documentation was not complex. They find it easy to understand and deploy the solution.

The time it takes to deploy the solution depends on the kind of resources you will utilize. For a basic deployment, I don't think it should take more than one day. Also, consider that if you face any error, you must troubleshoot, even basic errors. It should not take more than one day. I'm only talking about basic deployment, not integration, fine-tuning, or configuration.

The steps taken during the deployment process depend on various factors. If you're deploying the cluster base, you must deploy Elasticsearch and Logstash. If you're using it, you can even deploy Wazuh, and on top of it, Kibana which would be used for all your graphical user interfaces. If it is an all-in-one deployment, the steps taken are simple. Just a bunch of commands from the documentation you can see. But if it is a cluster deployment, it's different. If it's on a cloud, you have to deploy different instances for each server, like Logstash, Elasticsearch, and Kibana. But if you're using the solution on the cloud, you will use different instances. Or, if you're going to deploy a cluster on-prem, you might want different servers or VMs.

I am a security engineer and I have a team of security engineers. We are an MSSP that provides security services to different clients. For example, a customer might need us to monitor their infrastructure, so they'd provide us access to their SIEM and monitoring tools. Similarly, one of our clients in UAE approached us to monitor their infrastructure, and I learned that they are using Elastic Security as an SIEM. I wanted to ensure that my team and I were comfortable using this solution to get clients to use this product.

I rate Elasticsearch a six-point five out of ten.

To anyone planning on choosing Elasticsearch, I advise you to know your infrastructure first and then plan how many instances you'll need. Consider how the number of devices and your business will grow, and plan accordingly. Then, deploy the solution according to the best practices. Once deployed, make sure you organize your integrations so that the solution is easy to manage in the long run because when you have more than 200,000 or 300,000 log sources feeding logs into your ELK, it will be very tough to manage.

The solution is compatible with the cloud-native environment and they can adapt to it faster. 

Elastic Security's maintenance is hard and its scalability is a challenge. There are complications in scaling and upgrading. The solution needs to also provide periodic upgrade checks. 

I have been working with the solution for four years. 

The product is stable. 

The product's initial setup is straightforward but experts need to do it. 

The base product is open-source but if you need advanced security features then you need to pay for the subscription. Elastic Security's price is reasonable in some cases and in other cases it's not. 

I would rate the tool a seven out of ten. The solution has a very active community with troubleshooting cases. You need to consider the growth rate and environmental complexity when buying the product. If you need to use a multi-node or cluster version, then install it during initiation itself. So that you don't need to do the same procedure in the next three to six months.