it_user756366 - PeerSpot reviewer
Senior Network Systems Engineer at a non-profit
Vendor
Enables us to threat-hunt, be in compliance, and obtain effective analytics without a lot of administration

What is most valuable?

The ability to threat-hunt and, being a small staff of five people, the fact that we don't have to put a lot of time into administration, the care and feeding of it, and still get useful analytics out of it.

How has it helped my organization?

We have two facilities, roughly 500 logs per second. Microsoft shop, Cisco stack on the networking side. We run two FortiGate firewalls, and a slew of different security products that we have not integrated into LogRhythm.

We haven't seen the improvements yet. We bought it as a compliance tool, and it's still sitting there. It's part of the reason why we came to the LogRhythm User Conference, to figure out what our next steps are. When we had to tackle PCI compliance, one of the requirements was log aggregation, and so that was why we brought it in.

It's met all of our compliance issues, and it was really easy to do. As I said, there's not a lot of admin overhead, so it doesn't cost an FTE for us, which is nice. I think the added benefit will come when we start using it for actually doing some analytics and increasing our security posture; we're just not there yet.

What needs improvement?

I can't think of any features they should add because we haven't used everything they've already released. They have Office 365 logs integration. They've got this new phishing engine that we haven't used. They've got dashboards we haven't used, so we're basically right at the very bottom; we need to start building with what they're already doing.

In terms of improvement: their community boards, where to go to find things as a customer. As they're growing, they're moving stuff around, and it would be nice if we knew exactly where to find what. They're constantly reinventing how they do things and where they put stuff; that's the one challenge I've run into. I've always found the answer when I got to the right person: "Yeah. That's over here now," but I know other customers have shared that same issue.

What do I think about the scalability of the solution?

Being a small shop, we're in an XM, everything in one appliance, which is really easy for administration, but I think it can get more complex as you get bigger. They've scaled to really large Fortune 500 companies, so that's nothing that we're worried about.

Buyer's Guide
LogRhythm SIEM
November 2024
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.

How are customer service and support?

Great, you have almost the service-desk model, where you're going to get a live person. They're going to answer the call. They're going to make sure you get routed to the proper team. They're really good at follow-up; when "Everybody's busy now," they're really good at scheduling times when both the technical agent is available and our staff is available, which I really appreciate. You don't have those "I tried to get a hold of you" exchanges going back and forth. Not a lot of vendors understand that. LogRhythm does a good job with that.

How was the initial setup?

It's straightforward, to the point that we brought it. We did a week of engagement with our security value-added reseller, and we were basically shoulder surfing. Everything looked like it made sense and why they were doing it, and it's not that complicated.

Where it can get more complicated, like I said, is if you're a big organization and you don't have it all on one platform. Those components would have to be put together, and there can be a little bit more to the infrastructure.

The SIEM's a very technical tool, but LogRhythm - that's one of the beauties of it - once you figure out how it's installed, the care and feeding of it, the updating of the SIEM to new versions, and even the monitor agents, it's really pretty straightforward. Good documentation.

Which other solutions did I evaluate?

ArcSight and Splunk, and that was it.

We went with LogRhythm because of cost, administration, and ease of use when you're in the tool. Those are the top three. The fact that it was the lowest cost one, easiest to use, and easiest to administer. It was a no-brainer for us. It wasn't even really a conversation, other than the fact that we have to shop at the three different vendors.

What other advice do I have?

Right now our focus is on user behavior, and that's part of why we joined the cloud Beta, they are our biggest risk. We don't know what they're going to do when and why, and so we've rolled out some security awareness training, we've rolled out some phishing exercises, and really trying to figure out how we can stop them being their biggest risks. Learning about what we learned today at the conference, with LogRhythm doing their phishing intelligence engine, it's going to be nice to see how we can implement that into the SIEM as well.

For a security solution, number one is FTE: being a small shop, how much FTE does it take to run it? If that's a challenge for somebody, they have co-piloting that you can do. We were able to absorb it with two different FTEs splitting the duties, and they probably spend 45% of their time doing that. It might be different for a bigger shop, but that's our focus.

The most important criteria when selecting a vendor:

  • reputation
  • have they delivered on what they say they can do
  • are there customers out there that we can talk to, that can validate what they're saying is actually true?

Regarding a solution being a unified end-to-end platform, it's not necessarily so important. Going forward, as we mature, more maybe, but we're really just tacking on the stuff that we go after. It's addressing certain needs, it's a little bit siloed right now, so it's not a huge need for us.

I gave it a nine out of 10 because I hesitate to rate anything a 10, that's perfect. But I think they do a great job, and I think it's more on us to really engage them more. They're always happy to talk to us about where we want to go with it, and it's just us dedicating the time to them.

Talk to people in the industry, make sure it can fit those needs you're buying it for. Proof of concept is huge. Do a proof of concept, especially in a SIEM. You don't want to just buy one and then implement it, and then try to figure out is it going to actually work for me?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756435 - PeerSpot reviewer
Threat And Awareness Manager at a tech services company with 1,001-5,000 employees
Consultant
We are using the custom dashboard and actively using it towards proactive investigations

What is most valuable?

It is the dashboards. Up until just a couple of weeks ago, we were just using the standard dashboards. We actually had our account manager and professional services team members come out to our Security Operations Center (SOC) and essentially walked through our processes and how the SOC operates. One of the immediate improvements was using the dashboards more effectively, so we just used the standard, out-of-the-box dashboard, and it actually wasn't really telling us much.

Now, the SOC has custom dashboards, which show them a lot more useful information, put the information in context, and they are actively using them for proactive investigations, rather than just responding to alarms.

How has it helped my organization?

It has certainly helped with the visibility. We probably don't use the platform to its full extent. We've expanded the size of our SOC and the number of people in it. We are now starting to use the features, such as SmartResponse, to help automate things. We've probably been guilty of throwing people at the problem, as opposed to leveraging the tool itself. We are now trying to change that.

We host quite a volume of sensitive, personal data. We are a credit reference agency, based in the UK, and we hold records on probably, around about 50 million adults, both personal information and financial information. Our core role is protecting the confidentiality of that, so breaches, such as the Equifax breach, that happened recently, we have absolutely got to avoid that.

We are not leveraging the tool to its fullest extent at the moment. We had a focus session with our SOC, the other week, and we've got a defined roadmap now to make things a lot better.

We are at a good place now. We have just started using things, such as case management, whereas previously we were just responding to individual alarms. We're starting to use things a little bit more intelligently now, so not just using the technology, but also helping improve our processes through the use of the technology.

What needs improvement?

There are enough features that we are not using, and not to their fullest extent, at the moment.

For how long have I used the solution?

The company has been using the platform for seven years. I joined the company three years ago.

What do I think about the stability of the solution?

We tend to struggle. We do see performance issues fairly regularly. I think part of this is the stress that we're putting it under, with the volume of events that it is receiving. When we put the new appliances in, which is imminent, we're hoping that it will solve a number of the performance issues that we see.

What do I think about the scalability of the solution?

It seems to be scaling well.

We have currently just got a single platform manager that's been carrying out the role of the web console and AIE server. We've probably thrown too many events at it, and we are now, effectively, putting in a DR solution, a second platform manager, and then spinning off individual components, so appliances for the web console and AIE server.

We are effectively doubling the size of the platform, at the moment, to cope with the volume of logs that we're throwing at it.

How are customer service and technical support?

A couple of the team do tend to find that certainly the initial contact with support slows things down a little bit. I think their support has their script or their route to follow to triage the issue, whereas we've already done that because we know the platform, we've been there and we know what to do when something happens. Generally, we contact support when all else has failed. For us, we probably need to hop down the line a little bit, rather than just hit the initial support function (the first line).

When we do reach the right level, they are knowledgeable.

Which solution did I use previously and why did I switch?

The risk appetite changed. We are in quite a regulated organization, and having something like LogRhythm in place gives us the visibility and the comfort that we've got the monitoring required in place.

Which other solutions did I evaluate?

I would not know.

What other advice do I have?

Technology's important, but it is the support you get as well. Don't just focus on, necessarily, the features and technology, but also consider the support and the engagement you get with the organization.

Most important criteria when selecting a vendor: the relationship. I would not want to work with an organization that just sells you the technology, then disappears or that you only ever speak to when there is a problem. It is starting to look a little bit more like a partnership now with LogRhythm; that's exactly what we want to maintain.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
it_user331431 - PeerSpot reviewer
Senior Information Systems Specialist at a manufacturing company with 1,001-5,000 employees
Vendor
Our team has been able to correlate security events and react quicker to incidents, though retrieving logs that have been archived can be difficult and time consuming.

What is most valuable?

The product was easy to deploy and easy to learn how to use. The web console is the best I’ve seen when compared to other SIEMs.

How has it helped my organization?

This product has made it easier for our team to correlate security events and react quicker to incidents.

What needs improvement?

Retrieving logs that have been archived can be a difficult and time consuming process. The module which performs this, called the Second Look Wizard, is not very well integrated into the rest of the product. It would be nice if you had the ability to right click on a log and search the archives for more data like it (you can do this with non-archived logs) and then, after restoring archived logs, easily pivot to an investigation for that data. Currently, those three steps all have to be run separately.

For how long have I used the solution?

I've used it for five months.

What was my experience with deployment of the solution?

The deployment was very smooth.

What do I think about the stability of the solution?

There were occasional stability problems, but they were resolved by support in a timely fashion.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

Excellent, everyone I have worked with at LogRhythm has been courteous and helpful.

Technical Support:

Technical support has been very good, and they will often go out of their way to help correct an issue, even if it is not a technical issue with the product.

Which solution did I use previously and why did I switch?

This is our first SIEM.

How was the initial setup?

The initial setup was done with the help of LogRhythm Professional Services and was fairly straightforward. Our version of the software is integrated into one hardware unit which made it easy to setup and understand.

What about the implementation team?

We implemented with LogRhythm Professional Services and the engineer I worked with was very thorough and knowledgeable.

What's my experience with pricing, setup cost, and licensing?

Pricing was on the higher end when compared to other products we looked at. However, we felt the advantages with LogRhythm justified the price premium. Licensing is fair and straightforward.

Which other solutions did I evaluate?

We evaluated SIEMs from AlienVault, Tripwire, and Solarwinds.

What other advice do I have?

If implementing a SIEM for the first time, it is very important to have members of the network and server teams involved from the beginning. Also, strong change management policies are necessary to keep the SIEM implemented properly.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
IT Specialist at a healthcare company with 51-200 employees
Real User
It should scale easily with the way our environment is set up
Pros and Cons
  • "It seems like it will scale easily with the way our environment is set up."
  • "We should be able to respond to threats and gain visibility into our environment that we don't currently have."
  • "The initial setup is complex. We are using a LogRhythm partner, at least for the first three years, to help with the monitoring and the deployment of it. We are not a big enough environment where we have people that we can dedicate to it right now."
  • "I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now."

What is our primary use case?

We have a lot of distributed offices and no visibility into any of them. The use case for this product is to collect and integrate logs from all the machines at all the different sites and get better insight into the security areas that we need to tighten up.

How has it helped my organization?

I am hoping that we will be able to respond to threats and gain visibility into our environment that we don't currently have.

What is most valuable?

The AI Engine.

What needs improvement?

I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now.

For how long have I used the solution?

Still implementing.

What do I think about the scalability of the solution?

It seems like it will scale easily with the way our environment is set up.

How are customer service and technical support?

We have not used LogRhythm's tech support yet.

Which solution did I use previously and why did I switch?

We were using an MSP and were dissatisfied with its performance. What we started to do was figure out what we could bring in-house and what we needed from a security standpoint, and this SIEM kept coming up as something we should look at.

How was the initial setup?

The initial setup is complex.

What about the implementation team?

We are using a LogRhythm partner, at least for the first three years, to help with the monitoring and the deployment of it. We are not a big enough environment where we have people that we can dedicate to it right now.

We require one person for deployment and maintenance.

What other advice do I have?

I would recommend LogRhythm. I am really impressed with it, though we haven't started using it yet.

We are just in the middle of deployment of the full-spectrum analytics capabilities. We haven't finished the configuration of the product yet.

We do plan to use the built-in playbooks.

We have approximately 931 log sources at this point.

Most important criteria when selecting a vendor: 

  1. The reputation of the vendor. 
  2. The quality of the product. 
  3. The integration into the environment that we have right now.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756381 - PeerSpot reviewer
Manager Of Cyber Security at a healthcare company
Video Review
Vendor
I'm able to see the actions and behaviors of the whole company, including remotely

What is most valuable?

The most valuable feature to me is certainly the CloudAI, which I have been a beta tester of, and also the SIEM capabilities and automation.

I see CloudAI expanding greatly. It's obviously a new product for them. It will be able to give contextual evidence of people's behavior which, at the moment, whilst the SIEM does that, CloudAI actually is that specification and concentration on people's behavior, which is a huge component in cybersecurity.

How has it helped my organization?

The benefits at an organizational level would certainly be that for my company, which is in healthcare, certainly a huge compliance, but also it gives me visibility of all the departments in my company, not just the IT department. I'm able to see the actions and behaviors of the whole company, not just on my campus, but remotely as well.

What needs improvement?

What still needs improvement is automation. The SmartResponse obviously does not use open APIs at the moment, so we're having a lot of problems connecting it with things like Palo Alto Traps and some other systems, things like Cisco. I know that it's on the roadmap, but at the moment that is where the weakness lies.

For myself, I would like a HIPAA configuration out of the box where I can switch on various HIPAA rules. Obviously, HIPAA has 18 very exact identifiers and I'd like those to be already in the box ready to be switched on.

What do I think about the stability of the solution?

My impressions of stability are exceedingly good; I've not heard of any downtime. We have had to contact support a few times, but just to see how to do a few configuration settings.

What do I think about the scalability of the solution?

It's actually been scaling incredibly well. We have put more memory in the box and we've taken some of the Websense traffic and put it onto VMs. We can take more hardware and daisy-chain them up, so we know that when we do need to have physical hardware scalability, that feature is there.

How are customer service and technical support?

Exceptional. One of our tickets had to go all the way to level three, but it was exceptionally covered well and the resolution was incredibly timely.

Which solution did I use previously and why did I switch?

It was our very first log management solution. When I joined, we did not have a cybersecurity program. My employment was to build a cybersecurity program right from scratch, right from the start. Whilst I evaluated a couple of other programs, LogRhythm came to me, through the evaluation of those, to be the clear winner.

The criteria certainly was scalability. Our company, within a year, has gone from $600 million of revenue to $1.3 billion. At that point, I knew that we had to have that scalability function.

How was the initial setup?

I've been very lucky that some of my staff have very high technical knowledge on configuration of LogRhythm. If I didn't have those staff available to me, I would certainly recommend the Co-Pilot, which is an option that LogRhythm provides. I think that gives you the confidence that you've not only bought a product but, at that point, how to configure it and use it.

What other advice do I have?

Very happy. Yes.

As a guidance and recommendation, I would ask them, what is your level of comfort in configuring LogRhythm? If they say to me, "Not so much," I would say, "Well, then you have to budget not just for the product, but for the Co-Pilot solution as well." If, however, they say, "No, I'm very happy. I have the skills already in-house," then I would say obviously to buy the product with the Professional Service hours.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user756405 - PeerSpot reviewer
Principal Security Specialist at University Of Massachusetts
Vendor
We have been able to find out what is wrong, and suggest how to remediate

How has it helped my organization?

Key challenge, of course, is how the threat situation changes every day. LogRhythm is on top of that and very helpful. Another challenge, of course, like many other companies, staffing is not where it should be, money is not where it's supposed to be, but we do well.

We service the University of Massachusetts, but we also have other customers, all higher-ed. It's up to the customer what they want us to look at and LogRhythm, absolutely, has the tools that we need to find the data threats that the customers are interested in.

We're MSSP and we've only been using LogRhythm this past year and we've actually found several instances where we've benefited our customers with the data that we have found, that we've collected. We were able to find out what was wrong, deep dive into it, and suggest to our customers what they need to do.

What is most valuable?

I would say the amount of data that it collects and the way it correlates it, extracts it, and makes it easy for an analyst to look at it and deep dive into it. I had another SIEM before LogRhythm and it was nowhere near what LogRhythm does.

The idea to me is collecting all this data and then extrapolating all that data, and it's phenomenal.

What needs improvement?

From what I saw yesterday here at the conference, they seem to be right on track with making the Web Console much easier, case management much easier.

When you're searching on something, you see something that you think may be a threat, you have to keep threat-hunting, deep diving, and from what I saw yesterday, it looks like it's going to get a lot easier and more helpful.

What do I think about the stability of the solution?

Unbelievable! Very good.

What do I think about the scalability of the solution?

Very good. I was very impressed, especially yesterday, here at the LogRhythm User Conference, I did the 7.3 session, what's coming out. We've been around, as I said, less than a year and within that time frame - and from what I saw yesterday - it's unbelievable the way LogRhythm is moving forward.

How are customer service and technical support?

If I look back to my other SIEM solution providers, the one we had before this, it's light years difference. LogRhythm support is very, very helpful, very knowledgeable. There's always somebody there. If they don't know the answer, they're going to go find someone who knows the answer. So it's very good.

How was the initial setup?

We used their Professional Services, I was one of a group of three - and the professional services - that helped roll out. It was pretty straightforward. Of course, it was different because it was all new to us, and using the Professional Services was very helpful.

What other advice do I have?

The driving factor in searching for a security solution would be, in this day and age, the threats that are out there are incredible. I think LogRhythm addresses a lot of the issues that are out there. Again, it's on us to make sure LogRhythm is a solution. It's a tool. If we don't use it properly it's pretty useless at that point. It's on us.

I would say it's very important that a solution be a unified, end-to-end platform, especially in a higher-ed environment.

My nine out of 10 rating is based on what they offer, and what I saw yesterday at the conference, what they're coming out with. They seem to be on top of things.

Among the different SIEMs that are out there, the companies, I would definitely recommend LogRhythm.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Muhammad Ahtsham - PeerSpot reviewer
Information Security Engineer at RapidCompute
Real User
Top 20
Easy to deploy, stable, and scalable
Pros and Cons
  • "Our clients enjoy having one dashboard to monitor their environments in real time."
  • "There is room for improvement with separate running sources or better integration."

What is our primary use case?

I use the solution for logistics and metrics. We use LogRhythm SIEM for our company and our clients. The solution is deployed on separate machines.

What is most valuable?

The log correlation is the most valuable feature.

Our clients enjoy having one dashboard to monitor their environments in real time.

What needs improvement?

The coordination and load balancing have room for improvement.

There is room for improvement with separate running sources or better integration.

I would like to have a better way to investigate the logs by adding correlations to the dashboard.

For how long have I used the solution?

I have been using the solution for one and a half years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and support?

The technical support is responsive and always resolves our issues.

Which solution did I use previously and why did I switch?

I previously used IBM Security QRadar and switched to LogRhythm SIEM because it is the best in the market.

How was the initial setup?

The initial setup is straightforward. The deployment takes between nine to twelve hours.

What other advice do I have?

I give the solution an eight out of ten.

The solution is for medium and large organizations.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Lahiru Prabath - PeerSpot reviewer
Engineer - Network and Security at Connex Information Technologies
Real User
Is very easy to create correlation rules and has good performance
Pros and Cons
  • "It's very easy to create the correlation rules with LogRhythm, and there are some advanced features like SIEM and UEBA, which are also very valuable."
  • "LogRhythm NextGen SIEM is currently based only on the Windows platform. This means that some of our customers have to purchase a Windows license elsewhere. If LogRhythm can move to a Linux platform or a proprietary platform, it would be very helpful."

What is our primary use case?

Mostly, the use cases involve detecting lateral movements, malware infections, and insider threats.

We serve small, medium, and large companies, mostly in the finance sector, here in Sri Lanka.

What is most valuable?

It's very easy to create the correlation rules with LogRhythm, and there are some advanced features like SIEM and UEBA, which are also very valuable.

What needs improvement?

LogRhythm NextGen SIEM is currently based only on the Windows platform. This means that some of our customers have to purchase a Windows license elsewhere. If LogRhythm can move to a Linux platform or a proprietary platform, it would be very helpful.

For how long have I used the solution?

I've been working with LogRhythm NextGen SIEM for around five years now.

We have deployed both to the cloud and on-premises, but we've mostly deployed on-premises.

What do I think about the stability of the solution?

It's very stable, unless something happens on the Windows storage side.

The performance is good, and we don't often get any complaints from our customers.

What do I think about the scalability of the solution?

LogRhythm NextGen SIEM is horizontally and vertically scalable, so scalability is not an issue.

We have six people working with LogRhythm directly in our organization.

How are customer service and support?

The technical support has been very good. They are very supportive, and I'd give them a rating of ten out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

When compared to other SIEM solutions, LogRhythm is very easy to use, and I like the correlation rule building.

How was the initial setup?

The initial setup is a bit complex because we need to be certified first. Otherwise, we have to get their PS for the deployment process. Even if you're certified, they shadow us. There are some processes for which we need to obtain their advice.

The initial setup and configuration can take around half a day. That is, a single box deployment can take 6 hours.

If I were to rate my deployment experience, I would give it a four out of five.

What's my experience with pricing, setup cost, and licensing?

LogRhythm's licensing is based on MPS. There are some add-on features like advanced UEBA, the cloud component for advanced UEBA, and SIEM.

What other advice do I have?

When you implement, you need to know LogRhythm's architecture because it is quite difficult and different from that of other SIEM solutions. So, you need to know the architecture, how the processes work, and how the logs are processed.

Overall, I would rate LogRhythm at eight on a scale from one to ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Buyer's Guide
Download our free LogRhythm SIEM Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024