reviewer1393731 - PeerSpot reviewer
Consultant at a computer software company with 5,001-10,000 employees
Real User
Jul 30, 2020
Easy and quick to set up, and the runtime performance is good
Pros and Cons
  • "The most valuable feature is the speed, as it responds in a very short time."
  • "The training that is offered for Elastic is in need of improvement because there is no depth to it."

What is our primary use case?

This is a log aggregation tool and we are using it for security purposes.

There are 145 pre-built use cases, but we are still making some ourselves. One we built is an alarm for log deletion. For example, if a hacker tries to delete the log from a bank machine then it will raise an alarm immediately. A second use case is an alert for too many false login attempts, perhaps indicating a brute-force attack.

What is most valuable?

The most valuable feature is the speed, as it responds in a very short time. I think that the alerts are generated in less than a minute.

It is very easy to set up and doesn't take much time.

What needs improvement?

There are sensors called beats that have to be installed on all of the client machines, and there are seven or eight of them. As it is now, each beat needs to be configured separately, which can be quite hectic if my client has 1000+ machines. It would take a considerable period of time for us to complete the installation. They have begun working on this in the form of agents, which is a centralized management tool wherein all beats will be installed in a single stroke.

The training that is offered for Elastic is in need of improvement because there is no depth to it. It hardly takes 15 or 20 minutes to complete a training session that they say will take two hours to finish. Clearly, something is missing. If a new engineer wants to work with Elastic then it is really very hard for them to understand the technology. 

For how long have I used the solution?

I have been using Elastic SIEM for two or three months.

Buyer's Guide
Elastic Security
March 2026
Learn what your peers think about Elastic Security. Get advice and tips from experienced pros sharing their opinions. Updated: March 2026.
884,266 professionals have used our research since 2012.

What do I think about the stability of the solution?

This is a stable system and it has never crashed.

What do I think about the scalability of the solution?

Elastic SIEM is definitely stable. We have just started working on it, so we have no more than perhaps 100 users at this point. At the same time, we are confident that it can be scaled up to any extent.

How are customer service and support?

I am satisfied with the technical support.

How was the initial setup?

The initial setup is easy. The length of time for deployment on a machine depends on the configuration that is required. If it uses all 145 use cases then it will take a long time. If on the other hand there are only a small set of use cases, it will be very quick. I would say that it takes no more than 30 minutes to install one.

Which other solutions did I evaluate?

I have personally worked with Splunk in the past, but here at this company, they only use Elastic. I believe that one of the major differences between these two is the pricing model. With Splunk, it depends on how much data we are ingesting. For us, it is approximately 500 GB per day. Elastic has a different pricing system that is ultimately cheaper.

One of the advantages of Splunk is that they offer extensive training that is free of cost.

What other advice do I have?

My advice to anybody who is considering this product is that it is a very competitive tool that is very new in the market and the vendor is doing their best to improve services. I highly recommend it and suggest that people choose it without a second thought.

I would rate this solution an eight out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Haroon Khand - PeerSpot reviewer
Head of Business Development at Qavi Technologies
Reseller
Oct 16, 2023
Enables users to know about the downtime and the errors in the code
Pros and Cons
  • "It's a good platform and the very best in the current market. We looked at the Forrester report from December 2022 where it was said to be a leader."
  • "Elastic has one problem. In the past, Elastic Security was free. Now, they currently only offer the basic license for a certain period of time."

What is our primary use case?

We have different use cases. We implement it for the banking and healthcare sectors. It's the most useful for the e-commerce platforms that we deploy it for. The most important feature is Elasticsearch.

They also use it for security. Elastic Security has been deployed in the National Bank of Dubai. They are currently using Elastic Stack and they're also using the security version. 

It's a good platform and the very best in the current market. We looked at the Forrester report from December 2022 where it was said to be a leader.

How has it helped my organization?

There are many benefits. It provides log monitoring, synthetic monitoring, real user monitoring, and application performance monitoring. 

These are the four main use cases that most organizations use it for. They want to know the downtime and the errors in the code. They acquire it through my company. It's mainly used by SMB-sized companies but not enterprise.

What needs improvement?

Elastic has one problem. In the past, Elastic Security was free. Now, they currently only offer the basic license for a certain period of time.

The platinum and enterprise level features aren't offered in the free version and most organizations use the free version. They don't pay for the paid features. That's a problem in the market from the Elastic side. They should have a way for everybody to be able to benefit from the premium features. 

For how long have I used the solution?

I have been using Elastic Security for one year. 

What other advice do I have?

I would rate Elastic Security a nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
reviewer2263155 - PeerSpot reviewer
Lead Security Engineer at a tech services company with 201-500 employees
Real User
Sep 9, 2023
A highly flexible and customizable tool that needs to improve automation and integration

What is our primary use case?

We use Elastic Security for monitoring. Our client is a financial client, so we detect their infrastructure from that perspective. For example, if there is any unauthorized access to their financial systems, we need to know about that. We monitor all the instances they are using, all the storage buckets they use, and then if they have exposed any APIs, we need to monitor those as well. They are using AWS Cloud, and we need to monitor their cloud services.

What is most valuable?

There is a lot of customizability in Elasticsearch. For example, I can use indices if I want to modify the fields or segregate the logs. I can also use different open-source tools. For example, a tool called ElastAlert can be used for detection on Elasticsearch. Even if you don't have Elastic SIEM, you can still use ElastAlert. Similarly, the APIs they provide are pretty flexible. We use those APIs in our automation to get notified in Slack.

Another good thing about Elasticsearch is that it provides extensive flexibility regarding search. The filters are pretty amazing. You can, you know, search whatever you want.

What needs improvement?

There are a lot of things that could be improved. For example, if I talk about Sentinel, the automation of the server component is very cool. But when it comes to Elastic, I don't see that. I think we need to come up with other solutions to make it possible to automate the response. This is easier in Azure Sentinel.

Then if I come to integration, for example, there is a product from IBM called QRadar. They provide a very managed way to manage your integrated log sources. For example, you will get a list in one pane where you can segregate logs based on their log type. For example, it could be based on Windows or Linux. Even within them, you can segregate them based on their application. You can tag them. But in Elasticsearch, you will get all of these in one place, in a raw form which is not very presentable. You cannot visualize those log sources pretty well. Although you can visualize logs pretty well through dashboards and graphs, when it comes to integrated devices, management for those devices is missing. And wherever I use Elasticsearch, it takes a lot of time to reload or load. It is very time-consuming.

For how long have I used the solution?

I've worked with this solution for more than seven years.

What do I think about the stability of the solution?

Stability is a tough question with Elastic Security. Some of my clients have found this solution pretty stable, but two or three clients have a lot of real-time data, and it has been a pain in the neck while dealing with Elasticsearch because it takes a lot of time to load. Even if my client has increased their resources like RAM and storage, they might still put that into a load-balancing infrastructure without scaling enabled. The stability depends on how well you deploy it from the start. For example, if your design is good, and you have implemented it as it should be deployed, then you will not face those complications. But if you have deployed it wrong and don't have a completely planned architecture, it is not easy to correct those mistakes afterwards, because it has already been deployed and integrated, and now there's no time to fix those errors in the architecture.

It depends, but the solution is overall reliable.

What do I think about the scalability of the solution?

The solution is scalable. But again, it depends on the deployment. If you're deploying it in an auto-scaling infrastructure, it will automatically scale as per the demand. For example, if it's a service on AWS, they provide Elasticsearch but call it OpenSearch. If you use that, it will automatically scale as per the demand, and you will only be paying for the resources you use. But if you are deploying it on-prem, it's only as scalable as the infrastructure.

Three of my customers are using the solution currently.

How was the initial setup?

The initial setup is straightforward. But since I've been using it for seven years, I could be comfortable with the solution, so I'm saying it's straightforward. However, my team, including new people, found that the documentation was not complex. They find it easy to understand and deploy the solution.

The time it takes to deploy the solution depends on the kind of resources you will utilize. For a basic deployment, I don't think it should take more than one day. Also, consider that if you face any error, you must troubleshoot, even basic errors. It should not take more than one day. I'm only talking about basic deployment, not integration, fine-tuning, or configuration.

The steps taken during the deployment process depend on various factors. If you're deploying the cluster base, you must deploy Elasticsearch and Logstash. If you're using it, you can even deploy Wazuh, and on top of it, Kibana which would be used for all your graphical user interfaces. If it is an all-in-one deployment, the steps taken are simple. Just a bunch of commands from the documentation you can see. But if it is a cluster deployment, it's different. If it's on a cloud, you have to deploy different instances for each server, like Logstash, Elasticsearch, and Kibana. But if you're using the solution on the cloud, you will use different instances. Or, if you're going to deploy a cluster on-prem, you might want different servers or VMs.

What other advice do I have?

I am a security engineer and I have a team of security engineers. We are an MSSP that provides security services to different clients. For example, a customer might need us to monitor their infrastructure, so they'd provide us access to their SIEM and monitoring tools. Similarly, one of our clients in UAE approached us to monitor their infrastructure, and I learned that they are using Elastic Security as a SIEM. I wanted to ensure that my team and I were comfortable using this solution to get clients to use this product.

I rate Elasticsearch a 6.5 out of ten.

To anyone planning on choosing Elasticsearch, I advise you to know your infrastructure first and then plan how many instances you'll need. Consider how the number of devices and your business will grow, and plan accordingly. Then, deploy the solution according to the best practices. Once deployed, make sure you organize your integrations so that the solution is easy to manage in the long run because when you have more than 200,000 or 300,000 log sources feeding logs into your ELK, it will be very tough to manage.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
SoheylNorozi - PeerSpot reviewer
IT Consultant at a tech services company with 51-200 employees
Real User
Top 20
Jul 19, 2023
A cloud-native compatible solution that has challenges with scaling and upgrading
Pros and Cons
  • "The solution is compatible with the cloud-native environment and they can adapt to it faster."
  • "Elastic Security's maintenance is hard and its scalability is a challenge. There are complications in scaling and upgrading. The solution needs to also provide periodic upgrade checks."

What is most valuable?

The solution is compatible with the cloud-native environment and they can adapt to it faster. 

What needs improvement?

Elastic Security's maintenance is hard and its scalability is a challenge. There are complications in scaling and upgrading. The solution needs to also provide periodic upgrade checks. 

For how long have I used the solution?

I have been working with the solution for four years. 

What do I think about the stability of the solution?

The product is stable. 

How was the initial setup?

The product's initial setup is straightforward but experts need to do it. 

What's my experience with pricing, setup cost, and licensing?

The base product is open-source but if you need advanced security features then you need to pay for the subscription. Elastic Security's price is reasonable in some cases and in other cases it's not. 

What other advice do I have?

I would rate the tool a seven out of ten. The solution has a very active community with troubleshooting cases. You need to consider the growth rate and environmental complexity when buying the product. If you need to use a multi-node or cluster version, then install it during initiation itself, so that you don't need to do the same procedure in the next three to six months.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Sudeera Mudugamuwa - PeerSpot reviewer
Co-Founder at a tech vendor with 51-200 employees
Real User
Jun 2, 2023
It's a scalable REST API-based solution
Pros and Cons
  • "We like Elastic Security because it's a REST API-based solution. That's the primary reason we use it."
  • "I would like more ways to manage permissions and restrict access to certain users."

What is our primary use case?

We use Elastic Security to manage logs and time series data. More recently, we have used it for NetFlow data. 

What is most valuable?

We like Elastic Security because it's a REST API-based solution. That's the primary reason we use it. 

What needs improvement?

I would like more ways to manage permissions and restrict access to certain users. 

For how long have I used the solution?

We started using Elastic Security four years ago. 

How was the initial setup?

The setup is comparable to similar products. It isn't too easy or hard. We deployed it in-house. 

Which other solutions did I evaluate?

We tried Graylog and a few other things, but I found Elastic Security is easier to understand. There's a lot of documentation available, and their forums are great. Another advantage is greater scalability. 

What other advice do I have?

I rate Elastic Security nine out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Mustafa Husny - PeerSpot reviewer
Senior System Engineer at Techline-eg
Real User
Top 5, Leaderboard
Jan 31, 2023
High level security, open-source, but lacking documentation
Pros and Cons
  • "The most valuable features of Elastic Security are that it is open-source and provides a high level of security."
  • "Elastic Security could improve the documentation. It would help if it were simpler and cleaner."

What is our primary use case?

We are using Elastic Security as part of the Elasticsearch component. The solution provides us with security, such as threat protection.

What is most valuable?

The most valuable features of Elastic Security are that it is open-source and provides a high level of security.

What needs improvement?

Elastic Security could improve the documentation. It would help if it were simpler and cleaner.

For how long have I used the solution?

I have used Elastic Security for approximately two years.

What do I think about the scalability of the solution?

We have one person using this solution.

How are customer service and support?

I have used the community support for Elastic Security. Sometimes the support is helpful and sometimes it is not.

Which solution did I use previously and why did I switch?

I have used other similar solutions in the past.

How was the initial setup?

The initial setup of Elastic Security is straightforward. However, the documentation could improve. The deployment can be done in approximately 15 minutes.

What was our ROI?

I have seen a return on investment using this solution.

What other advice do I have?

The solution can take up to 20 minutes to maintain when needed.

I rate Elastic Security a seven out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Tiodor Jovovic - PeerSpot reviewer
Chief Business Officer at Sky Express
Real User
Dec 12, 2022
Open-source with a good knowledge base and a helpful community
Pros and Cons
  • "It's open-source and free to use."
  • "We'd like to see some more artificial intelligence capabilities."

What is our primary use case?

Basically, we are using this product for monitoring and for developing the processes for our company.

What is most valuable?

I like that there is a knowledge base. There's the possibility for technical people to develop this product and to know much more. However, they do not need additional certifications from the vendor side or to pay a lot of money for their courses and certifications. We don't need to rely on vendors. We can handle the product ourselves. 

It's open-source and free to use.

What needs improvement?

The solution isn't really recognized in the market. They need to do a better job when they are marketing the solution. We'd like customers to have more visibility of it, and we'd like them to see how secure and highly effective it is. There needs to be more brand awareness. 

We have faced some obstacles when handling the implementation process. 

There are no templates available when integrating with other products. We sometimes need to find some workarounds. 

We'd like to see some more artificial intelligence capabilities.

For how long have I used the solution?

I've been using the solution for four and a half years. 

What do I think about the stability of the solution?

The solution is stable and reliable. We found the product to be very usable. There are no bugs or glitches, and it doesn't crash or freeze. 

What do I think about the scalability of the solution?

The solution can scale. Integration with other products may be a bit difficult, yet it is doable. 

How are customer service and support?

If we need assistance, we tend to use the community. There is always somebody in the world who can help us if we have a question. There are many people that can provide good tips and useful advice. Typically, many people have faced the same problems and they can help us solve things. 

Which solution did I use previously and why did I switch?

I'm also aware of Curator. 

Compared to Curator, customer awareness isn't as strong. From the price perspective, this product is better, however, many customers don't want to change their own CM and their products if they already have something in place.

How was the initial setup?

The initial setup wasn't overly complex or difficult. That said, it wasn't simple either. It's somewhat moderate in terms of implementation.

I'd rate the solution three out of five in terms of ease of setup. 

What's my experience with pricing, setup cost, and licensing?

This is an open-source solution. It is free to use. 

What other advice do I have?

For new customers, this is a perfect choice. For older customers, it's very difficult to change solutions.

I'd rate the solution eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Consultant at a tech services company with 51-200 employees
Real User
Top 20
Oct 19, 2022
Straightforward to set up, and has a good search capability, in particular, its way of writing the search query and the speed of searching for results
Pros and Cons
  • "What customers found most valuable in Elastic Security feature-wise is the search capability, in particular, the way of writing the search query and the speed of searching for results."
  • "An area for improvement in Elastic Security is the pricing. It could be better. Right now, when you increase the volume of logs to be collected, the price also increases a lot."

What is our primary use case?

My customers use Elastic Security for security monitoring, threat hunting, and threat identification.

What is most valuable?

What customers found most valuable in Elastic Security feature-wise is the search capability, in particular, the way of writing the search query and the speed of searching for results.

What needs improvement?

An area for improvement in Elastic Security is the pricing. It could be better. Right now, when you increase the volume of logs to be collected, the price also increases a lot.

For how long have I used the solution?

I've been working with Elastic Security for four to five years now.

What do I think about the stability of the solution?

Elastic Security is a stable solution.

What do I think about the scalability of the solution?

In terms of scalability, Elastic Security is pretty scalable.

How are customer service and support?

I haven't escalated any issues with the Elastic Security technical support team.

Which solution did I use previously and why did I switch?

In comparison with other similar solutions in the market, customers go with Elastic Security because of its scalability and its good performance. The solution has a good search feature, especially when a large volume of logs needs to be collected. Elastic Security also gives you pretty good results compared to other solutions.

How was the initial setup?

The initial setup for Elastic Security is quite straightforward. For the cloud version of the solution, it's easy because it requires no installation. If you're setting up the on-premises version of Elastic Security, then it would take around three to four days to complete.

What's my experience with pricing, setup cost, and licensing?

The licensing cost of Elastic Security is based on the daily ingestion rate. I can't recall the exact figure, but for 10 GB of log action daily, it would cost around $20,000.

What other advice do I have?

I've had customers for Elastic Security in the last twelve months.

Elastic Security requires maintenance, especially in a scaled-up environment, because you have multiple machines that work in a cluster environment, so you'll need some advanced skills to maintain that cluster. The solution becomes harder to maintain once it's scaled up.

Elastic Security is a pretty straightforward solution I'd recommend to others, though you'd need a person who'll pick up the query or search language, because Elastic Security requires a lot of query language so you can search for data on it. There's a special search query pattern you have to remember before you can do the search, or for you to do a better search. You can always do a normal search on Elastic Security, but if you want to have better search results or more accurate results, you need to learn the query language first.

My rating for Elastic Security is eight out of ten because of its good performance and scalability. Its good search feature is very important for the use cases of my customers, but I deducted two points because the pricing for Elastic Security could still be improved.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner