We have a big issue with our users: they really like to click on links and attachments. The Phishing Intelligence Engine is a new feature they're releasing, which is really going to be a nice fit for us. Then there's the CloudAI stuff they built right into the SIEM. There's nothing else you've got to do other than upgrade it to the latest and greatest version. Those would be two really key opportunities for us to take care of a security vector that we have issues with every day.
Senior Network Systems Engineer at a non-profit
Ease of administration means we don't need an FTE just to admin the product
How has it helped my organization?
What is most valuable?
My favorite feature of the product is the ease of administration. There's not a lot of overhead. We don't need an FTE dedicated just to admin the product. That was one of the biggest selling features for us.
What do I think about the scalability of the solution?
We have not scaled. Like I mentioned, it was a compliance check-box. We are running what they call an all-in-one: all the features are running on one box. But you can also take each feature as you grow and move those features off. For example, if the Web Console is slow, you can extract that out and run it on its own separate system.
There are Fortune 500 companies running it, so obviously it scales.
How are customer service and support?
We had one issue, a self-inflicted wound. We were capturing too many active logs and not archiving them off. We went through a process where we did Professional Services with our VAR and missed that step, that we actually needed to use some archiving. About three months into it, we're saying, "We're out of space. Performance is terrible."
Quick call to support. Support's great. You have a service manager you talk to, and then they get you to the right team. There's no bouncing around. They do all the schedule coordination, everything like that. Can't say enough about support. We were back up and running within a couple of hours.
Buyer's Guide
LogRhythm SIEM
January 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,158 professionals have used our research since 2012.
Which solution did I use previously and why did I switch?
The SIEM was brought in, like a lot of SIEMs are brought in, to solve a compliance issue. To check a box. That's initially what it was brought in for. Now, I'm investigating where we're going to grow this tool, because apparently it's sitting in a state that's getting a little stale.
At this LogRhythm User conference I'm looking to see what additional benefits it can provide. LogRhythm can do a lot. It's just a matter of making the right choices to gradually get yourself going down the path of developing it, because it can get overwhelming, like any SIEM.
But LogRhythm's got a nice online community to shape your decision making, like, "Here is where you should start." They've got actual tips and tricks every month that you can get on, really easy things to digest over lunch hour. You've got to dedicate the time.
How was the initial setup?
The recommendation from the VAR was to actually have a Professional Services engagement. That was one week. Basically, that was just building out the SIEM, creating some basic rules, showing the lay of the land: where things are, where you go to administer, how you create a case. Really basic administration.
Then, what LogRhythm also built into that was a one-week training, which we did online, which was great. That just built on that first week of here's how it's built out, and then here's how to use it, here's how to administer it, here's how you use it for analyzing alarms in your environment.
Which other solutions did I evaluate?
We looked at IBM, and then we also looked at Splunk.
FTE cost. We're a small shop. The infrastructure team is five people, with no dedicated security professional. Cost, being a small shop, ease of maintenance, and ease of use were our top four. LogRhythm came in by far the cheapest and was easiest to maintain - this was the initial thought - and that's proven out that it is. Then, it's actually easy to just get in there and look at the logs. It's really easy to use. From not having anybody with any real SIEM experience, getting us off the ground and running was incredible.
What other advice do I have?
From how we use it, I would rate it a 10 out of 10; not knowing exactly where we could go with it, I'd have to give it a nine, because I don't know if there are any challenges inside it. What we're doing is very limited. I would like to, as we continue to grow with the product, see if there are any ceilings on that.
I would highly recommend taking a look at the FTE requirements. They're not all the same. That's huge, depending on the size of your staff, and budget constraints too. There are other SIEM software solutions that have a lot of add-ons that continue to add cost. You need to look at the big picture of what you want it to accomplish. Ours was pretty straightforward with compliance, we didn't have a lot of additional costs. I think those are the two big takeaways I could give somebody.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Manager Of Cyber Security at a healthcare company
It gives us advanced knowledge of malware presence and persistent threats
Pros and Cons
- "As a healthcare company, what we use it for is compliance, then to protect our data from exfiltration."
- "In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution."
How has it helped my organization?
It has benefited the IT team's security functionality.
Our key challenge is HIPAA compliance. Then obviously, protection against malware, and particularly ransomware, is one vital threat to our organization.
What is most valuable?
As a healthcare company, what we use it for is compliance, then to protect our data from exfiltration.
What needs improvement?
- The greater AI
- API support
Increased total cost of ownership (TCO): We have had to staff up our SOC. This has required analysts, which has meant additional salary and staffing requirements.
In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution.
In addition, I'd like to see more automation coming in. Whilst they have SmartResponse, it does not yet configure with OpenAPI support. That is something that I feel they need to look at in their next edition.
What do I think about the scalability of the solution?
The scalability is very good. One of the reasons that we bought LogRhythm was because of its scalability. We intend to scale up as we increase our company size.
How are customer service and technical support?
It is mostly good. We are not always able to reach the right person. We have had a couple of problems that were escalated all the way to Level 3, but they have always been solved.
Which solution did I use previously and why did I switch?
We did not have a previous solution.
As a healthcare organization, we obviously have to have HIPAA compliance. This was the main driver for purchasing the solution.
How was the initial setup?
I was involved in the setup. It was mostly straightforward.
What's my experience with pricing, setup cost, and licensing?
Look at your staffing. Do you have highly technical people on your staff? If you do, then you obviously want to buy the product and look at your scalability options. If you don't have your staff, absolutely look into the co-pilot and factor that into your cost evaluation.
Which other solutions did I evaluate?
The SIEM tools we considered included Splunk and SolarWinds.
For LogRhythm against Splunk, it was their pricing model. For SolarWinds, LogRhythm's reputation and scalability.
What other advice do I have?
It is highly important for our solution to be a unified end-to-end platform.
Most important criteria when selecting a vendor:
- Scalability
- The ability to have support.
LogRhythm has their co-pilot, which is absolutely essential, and whilst we do not use co-pilot in our organization, knowing it is there is certainly absolutely valuable.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT Infrastructure Manager at Jeunesse Global
We have to protect our eCommerce site and it's helping us do that. It needs better knowledge transfer during implementation.
What is most valuable?
Well, our eCommerce site is very important to our business. So not only NetMon, but also just knowing the traffic that's coming in and out of there, and whether it's coming from bad sources. We have to protect our eCommerce site and it is helping us do that.
How has it helped my organization?
- We have been impressed with the data that we're getting back.
- We have been impressed with the look and feel, ease of use, and things of that nature.
As a security organization, we are constantly attacked, either by disgruntled ex-distributors, as we're a distributor-based company, or just by people who don't like distributor-based companies at all. Therefore, we are constantly attacked, and we are pretty confident LogRhythm will put us in a good position to deal with this.
We have got a lot to learn. However, from the research that we did, it looks like LogRhythm is going to be a great solution for us: we'll be able to monitor external and internal traffic with our SIEM, again with NetMon, and log the sources that we need.
What needs improvement?
Better knowledge transfer during implementation.
We definitely thought it was complex when we initially set it up, but that is usually just a single pain point. It could definitely be more straightforward.
For how long have I used the solution?
We are a new customer.
Events per Day
We are around 3,000 logs per second. We have datacenters in Amsterdam, one in Florida, and some in Salt Lake City. It's a global company, so we get traffic from all over the place.
What do I think about the scalability of the solution?
I don't know that I have much to answer on this yet. We have only purchased a single appliance and the NetMon appliance. I think it will be interesting to see if we need to scale, depending on if we ramp up, how many logs we're actually processing.
Which solution did I use previously and why did I switch?
We have come from a separate SIEM, SolarWinds, and just purchased LogRhythm within the past couple of months.
They switched because they flat out didn't like SolarWinds, its interface, or anything like that.
We've had, in the past in our company, ransomware attacks. Prior to me being there, there was one that they paid out on, and obviously that is a painful way to go about doing business. We want to secure our data. We want to make sure that does not happen again.
How was the initial setup?
We have implemented the core implementation, but we haven't done any of the onboarding or anything like that yet. I was there for it, though.
We were overwhelmed at first, and now we're starting to figure out what the capabilities are.
Which other solutions did I evaluate?
7pace and Nagios.
We chose LogRhythm due to its better interface. We had demos and felt like LogRhythm was the better solution for us.
What other advice do I have?
Do your due diligence. For the most part, you're dealing with the same data regardless of who your SIEM vendor is. It is still the same data that's being returned or that you can pull. Definitely do your research, because your SIEM itself may not get you what you need out of that data.
A unified end-to-end platform is very important to us. We don't want to go to 12 different user portals. We want to know in a quick way what we're dealing with. We want to be able to see the data without having to jump all over the place to get it.
Most important criteria when selecting a vendor:
- We are buying a product that is going to succeed for us.
- We want to know that we are going to have good support and help when we need it, as we won't know anything or everything for a long time. But we have experts that we can lean on; that's a definite benefit.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Threat And Awareness Manager at a tech services company with 1,001-5,000 employees
We are using the custom dashboard and actively using it towards proactive investigations
What is most valuable?
It is the dashboards. Up until just a couple of weeks ago, we were just using the standard dashboards. We actually had our account manager and professional services team members come out to our Security Operations Center (SOC) and essentially walk through our processes and how the SOC operates. One of the immediate improvements was using the dashboards more effectively; we had just used the standard, out-of-the-box dashboard, and it actually wasn't really telling us much.
Now, the SOC has custom dashboards, showing them a lot more useful information and putting the information in context, and they are actively using it for proactive investigations rather than just responding to alarms.
How has it helped my organization?
It has certainly helped with the visibility. We probably don't use the platform to its full extent. We've expanded the size of our SOC and the number of people in it. We are now starting to use the features, such as SmartResponse, to help automate things. We've probably been guilty of throwing people at the problem, as opposed to leveraging the tool itself. We are now trying to change that.
We host quite a volume of sensitive, personal data. We are a credit reference agency based in the UK, and we hold records on probably around about 50 million adults, both personal information and financial information. Our core role is protecting the confidentiality of that, so breaches such as the Equifax breach that happened recently are something we have absolutely got to avoid.
We are not leveraging the tool to its fullest extent at the moment. We had a focus session with our SOC, the other week, and we've got a defined roadmap now to make things a lot better.
We are in a good place now. We have just started using things such as case management, whereas previously we were just responding to individual alarms. We're starting to use things a little bit more intelligently now, so not just using the technology, but also helping improve our processes through the use of the technology.
What needs improvement?
There are plenty of features that we are not using, or not to their fullest extent, at the moment.
For how long have I used the solution?
The company has been using the platform for seven years. I joined the company three years ago.
What do I think about the stability of the solution?
We tend to struggle. We do see performance issues fairly regularly. I think part of this is the stress that we're putting it under, with the volume of events that it is receiving. When we put the new appliances in, which is imminent, we're hoping that it will solve a number of the performance issues that we see.
What do I think about the scalability of the solution?
It seems to be scaling well.
We have currently just got a single platform manager that's been carrying out the role of the web console and AIE server. We've probably thrown too many events at it, and we are now, effectively, putting in a DR solution, a second platform manager, and then spinning off individual components, so separate appliances for the web console and AIE server.
We are effectively doubling the size of the platform, at the moment, to cope with the volume of logs that we're throwing at it.
How are customer service and technical support?
A couple of the team do tend to find that the initial contact with support slows things down a little bit. I think their support has a script or a route to follow to triage the issue, whereas we've already done that because we know the platform; we've been there and we know what to do when something happens. Generally, we contact support when all else has failed. For us, we probably need to hop down the line a little bit, rather than just hit the initial support function (the first line).
When we do reach the right level, they are knowledgeable.
Which solution did I use previously and why did I switch?
The risk appetite changed. We are in quite a regulated organization, and having something like LogRhythm in place gives us the visibility and the comfort that we've got the monitoring required in place.
Which other solutions did I evaluate?
I would not know.
What other advice do I have?
Technology's important, but it is the support you get as well. Don't just focus on, necessarily, the features and technology, but also consider the support and the engagement you get with the organization.
Most important criteria when selecting a vendor: the relationship. I would not want to work with an organization that just sells you the technology, then disappears or only ever speaks to you when there is a problem. It is starting to look a little bit more like a partnership now with LogRhythm; that's exactly what we want to maintain.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Systems Architect at a university with 10,001+ employees
Parsing and its integrated nature are valuable but needs complete horizontal scalability and better analytics
What is most valuable?
- The integratedness
- The parsing
- Their partnerships with various device manufacturers
They keep it up to date, you don't have to worry about that when their products change.
I think as an aggregator it works very well, and as a case management tool it works very well. I think it works reasonably well for parsing. I think there's always room for improvement there; thinking of any solution that I've seen, it's just a difficult problem to solve.
How has it helped my organization?
We're an MSSP; we have about 10 or so different customers that all host with us. Currently we're licensed for 15,000 MPS average, and we use about 8,000 MPS average, consistently, and we're growing.
Among our key challenges is getting everybody on the same page about the value of security, and why it's worthwhile to pay for security solutions, and the people to staff them.
LogRhythm has absolutely helped improve the security of our organization. We're able to respond to potential threats in a unified system, where that was impossible before. This is our first SIEM product.
What needs improvement?
I would like to see more focus on it being a data lake. We have around 100 terabytes of data stored in LogRhythm: machine data, sensor data. That all could be used for operations tasks as well. It would really be awful to have to stand up another Splunk instance at 100 terabytes alongside it.
Also, seeing more analytics features, and more flexibility around that, and their schema.
Making it completely horizontally scalable, and also continued focus on supporting lots of different vendors, for a lot of data sources.
What do I think about the scalability of the solution?
Scalability is not great, at the moment. That's changing with newer releases, and I know that's been a focus of the team. It's actually the purpose of my coming to the LogRhythm user conference, to learn more about that.
They're moving towards a horizontally scalable system, and frankly a lot of their competitors don't have this yet either, so it's kind of a wash in that respect. I think once they get to the point where they're completely horizontally scalable in all components, they'll have a leg up on the competitors, at least for a little while, until the competitors get there as well.
How are customer service and technical support?
Great in some areas, not so great in others. We had a lot of challenges during our initial deployment, self-inflicted in some ways. In others, we didn't have the right support, and the technical services team was stretched pretty thin when we used them.
It was hard to schedule time with them and get pre-deployment meetings and a proper architecture review on time, so that we knew our environment was ready for the deployment.
Which solution did I use previously and why did I switch?
We used EiQ. It was terrible. Just straight up, they didn't fulfill support promises. They pivoted from being a self-hosted company to hosting in the cloud and offshore, using offshore analysts. So it just wasn't a fit anymore. And their product didn't scale.
We needed something that would give us a single pane of glass, that visibility over our whole organization - and correlate all the data - without too much staffing needs.
How was the initial setup?
We undersized the environment from a hardware perspective, which led to the system not performing well.
I'd say the requirements weren't really well defined in our particular situation, but from what I've heard, other customers don't necessarily have that same issue. I think it was more that LogRhythm was just growing at that time, and they had more customers than they knew what to do with.
Which other solutions did I evaluate?
We looked at RSA, we looked at AlienVault, we looked at a vanilla ELK Stack homegrown solution. We actually evaluated that one. And we also looked at McAfee/Intel Security at the time.
We went with LogRhythm because aligning with the critical security controls, the SANS security controls, was important for us. Also, the price was good, and MSSP support was good. I think ultimately it was the combination of their willingness to partner with us and the price.
What other advice do I have?
I would say for us, being an MSSP, when selecting a vendor, scalability is paramount. And supportability. If we're going to drop a lot of money on a solution, it needs to be easy for our analysts to get up to speed with it. That's worth a little bit extra, versus going with something that requires months of training just to do the basic running of the system.
If I were to advise a colleague looking at this or a similar solution, I would say take a look at all the options, figure out what you need out of a solution first, and then just make sure you evaluate it. If possible, test drive it. See what it can do, not in a sales presentation. Don't just look at a PowerPoint, actually test drive it.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Manager, Distributed Systems at an insurance company with 501-1,000 employees
It's reduced the time and effort necessary to manage and review logs and produce reports for regulatory compliance, though their professional services hourly rate is above average.
What is most valuable?
- SIEM
- File Integrity Monitoring
- Canned compliance reports (PCI, GLBA, HIPAA).
How has it helped my organization?
The solution has significantly reduced the time and effort necessary to manage and review logs and produce reports for regulatory compliance.
What needs improvement?
No current suggestions.
For how long have I used the solution?
I've used it for six years.
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
No issues encountered.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service: 8/10
Technical Support: 10/10
Which solution did I use previously and why did I switch?
No previous solution was in place.
How was the initial setup?
Our entire implementation was completed in one day.
What about the implementation team?
The vendor team was one of the best we have ever worked with. They were able to work through issues not covered in their implementation manuals quickly, and without further support.
What was our ROI?
No ROI. The solution is in place to meet PCI compliance and improve our overall security posture.
What's my experience with pricing, setup cost, and licensing?
While LogRhythm's professional services are among the best we have ever worked with, their hourly rate is generally quoted at a much higher rate than the industry standard. Additionally, the hours necessary for an engagement are also regularly overestimated.
Which other solutions did I evaluate?
Several other solutions were considered including Q1 Labs (now IBM), EMC, and HP.
What other advice do I have?
There were two primary reasons we selected LogRhythm. First was the ease of implementation, which was extremely simple and straightforward. Second was the integration of file integrity monitoring. LogRhythm at the time, and I believe still today, was the only vendor that provided a solution that included integrated SIEM and FIM.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Team Lead - Network and Security at Connex Information Technologies
A user-friendly and straightforward solution with good technical support
Pros and Cons
- "I would rate the product a ten out of ten. The solution is very user-friendly and straightforward. The tool's report customization is interesting."
- "The software needs to work on its pricing."
What needs improvement?
The software needs to work on its pricing.
For how long have I used the solution?
I have been using the tool for five years.
What do I think about the stability of the solution?
The product is very stable. I would rate its stability a nine out of ten.
What do I think about the scalability of the solution?
I would rate the tool's scalability a ten out of ten.
How are customer service and support?
The tool's support is good. They support us 24/7.
How would you rate customer service and support?
Positive
How was the initial setup?
The tool's setup is very straightforward. I would rate the tool's setup a ten out of ten. The tool's deployment depends on the use cases, environment, etc. The tool's deployment takes one month to complete.
What's my experience with pricing, setup cost, and licensing?
I would rate the tool's pricing around eight out of ten.
What other advice do I have?
I would rate the product a ten out of ten. The solution is very user-friendly and straightforward. The tool's report customization is interesting.
Disclosure: My company has a business relationship with this vendor other than being a customer.
Security Analyst at a financial services firm with 201-500 employees
Improves our organization by giving us insight into user activity and potential security threats
What is our primary use case?
Our primary use case for LogRhythm is using the log ingestion and analytic features.
How has it helped my organization?
LogRhythm improves our organization by giving us insight into user activity and potential security threats.
Our mean time to detect and respond has really improved with LogRhythm. We've got more people and more visibility on our team looking at security incidents, and we're able to act on things more quickly.
Our security program's maturity is, I would say, fairly advanced. LogRhythm uses a maturity model of crawl, walk, run, and I think we're just about to move from walking to running.
What is most valuable?
The most valuable features, for me as a user, are probably the AI Engine rules and dashboards, which give us a lot more insight into our security.
The playbooks functionality will be valuable down the road, but right now my team is too small to really take advantage of it.
Our messages per second right now is probably about 4,500.
What needs improvement?
I see room for improvement in the log ingestion. Customizing a log source is very technical, probably more technical than it has to be.
What do I think about the stability of the solution?
Stability of the product is mostly pretty good. Like anything else, there are incidents that we have to respond to: some very small amount of downtime, and some system administration that goes along with any implementation like that.
What do I think about the scalability of the solution?
Scalability, for us, has been very good. We've had two appliances in five years. We've been able to upgrade without too much of a problem.
How are customer service and technical support?
We have to use tech support pretty regularly and it is sometimes not very good. We've had issues where we can't get immediate responses that we need, and cases are open for far too long.
How was the initial setup?
I was not involved in the initial setup. I inherited it from a previous admin.
We probably have close to 2,000 log sources at this time. Setup for them is variable. Some are straightforward and supported out of the box; some take a little more technical expertise.
What other advice do I have?
If I had to rate LogRhythm on a scale of one to 10, I would probably give it a solid eight.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.