LogRhythm SIEM Reviews

We have a lot of use cases. Originally, it started out pulling in a bunch of the logs so we could get some ideas on network traffic. More recently, we have proceeded with pulling in logs from some of our other vendors. This really helped out a lot with our AV, which didn't always notify us as quickly as we wanted it to. LogRhythm made it possible for us to get notifications faster so that we can remediate things faster. We've been expanding it more and more as we've gone through the years to include more traffic, giving us more insight into our network.

LogRhythm really gave us a better understanding of what our overall risk is within our network and has opened our eyes to include other products that helped address different types of issues. Whether it's getting into vulnerability scanners or different pieces of other software, it's opened the door to what's out there. It helped us to turn on different features or other products along the way and helped us to identify what we need to improve on and present it to our executive team.

One of the main features that I like about LogRhythm SIEM is that there are a lot of pre-built pieces. Like with our AV, we didn't have to tell it how to read the logs; they already had it pre-made. So, we essentially just had to follow their guide to get the logs imported in and set up some rules for it. We've only had to manually create the parsing rules for a few of our vendors so that we could interpret the logs correctly. Most of them had already been pre-created for us.

We use the Event Log Filtering feature a lot. We use it for simple troubleshooting tasks like when a user is logged out, to more important tasks like trying to investigate a threat. As far as its effect on productivity, we can go and search instead of trying to troubleshoot and guess what is causing an error. We can identify what the program is or where the hiccup is.

LogRhythm helped us to identify a lot of blind spots. Originally, we didn't have a SIEM tool. We had auditors say that this is something that we should be doing. My management team asked me to go and find a product, and I researched a bunch of them and found LogRhythm. It really opened our eyes to see how much traffic we have, whether it's other IP addresses that are scanning us or external users trying to hit certain ports that could then get closed. It helped us tighten down some of those firewall rules that may have been left open unintentionally through other changes. It helped us a lot early on to identify who was trying to communicate with us or, essentially, who was trying to attack us.

As far as our overall security posture, our SIEM tool was the initial push that really got us going into identifying where all of our threats were. We expanded over the seven years that we've had it, and I implemented at least eight other products that are all security related because the SIEM tool indicated the need to identify other risks. It really helped us as an organization to identify risks and move forward to a more secure environment.

When we originally got LogRhythm, their tech support was fantastic, and I loved them. Now, we don't quite get as quick of a response. I've been disappointed in the more recent tech support. When you call in, they'll say that they will get you somebody, and you'll finally get someone who will contact you back a day or so later. Whereas before, I would get help right away.

We've had LogRhythm for almost seven years now.

It's very stable. We've been on the same system for the seven years that we've had the product. We've had no issues and haven't even had to upgrade any of the systems or increase anything hardware-wise up to this point.

I haven't really had much of a chance to do any scalability because we haven't had to scale anything up. Ours is a virtual instance, and if we needed to scale up, we could just shut the server down, add some more resources, spin it back up, and it would be good to go.

Initially, tech support was a solid ten out of ten when we first started. Over the last couple of years, they have changed how they handle tech support requests, and the response time decreased from what it used to be. You call in, they'll take your information, and then they'll call you back later. That can take 24 hours or more. When you actually do get somebody on the phone, they're very good and know exactly what they're doing. They'll take care of you.

In terms of response time, I'd give tech support a six out of ten, but in terms of how good they are as tech support, I'd give them a seven or eight.

Neutral

We didn't have a designated security person on staff, and our auditors came in and said that we should be doing this. As a help desk person, I looked for something specific that was going to give me the flexibility I need but also allow me to spin up and run while doing the rest of my duties, and LogRhythm was the best one that I found that could do that.

It's pretty complex to set up, in a way. However, now that I've done it and have done an upgrade as well, it doesn't seem as bad.

I did something wrong on one of the initial upgrades, and it threw an error. I called in support, and they immediately jumped in and started working on a lot of the backend pieces that I don't normally touch. It's pretty complicated if you have to get into that, and that's where the tech support comes in.

With this last upgrade, I did not run into any errors, and it went through just fine. I thought that I was going to be doing this for six hours throughout the day, and I got it done within two or three hours.

I set it up and upgraded it twice, once with help from LogRhythm and once all by myself.

We're on a perpetual license, but they're trying to move us to a subscription-based license. We've been with them for so long, and we'd like to keep it the way it is rather than switch to a subscription-based license.

We looked at four products including QRadar and Rapid7 InsightIDR. We did POCs for all four solutions, and LogRhythm was the best solution for our needs.

One of LogRhythm's distinguishing features was its AI engine which analyzed the tools and allowed it to alert for specific events, instead of me having to dig down and create all these rules. It came with pre-created rules.

Another piece that was really important was the implementation. They had a lot of pieces for third-party vendors as well. We could pull in the logs. All we had to do is just create a rule that says, "alert." It came pre-programmed with a lot of alarms that would automatically correlate with our AV, along with our firewall. We didn't have to create them because they just came in pre-made, and that was a big feature that we looked for. Just implementing it or adding to it didn't take up too much time.

If you are one who thinks that SIEM is an outdated security tool, I would be very curious to know what other solution would be better than a SIEM to accomplish the same goals. A SIEM tool gives you such an open perspective into what is going on in your network and gives you the ability to dig in if you really need to. Whereas if you have a completely managed solution or one that uses AI and does everything for you but doesn't provide you the logs, you might know what's wrong but won't know what else is going on out there. With a SIEM tool, you can dig in as far as you want to, and specifically with LogRhythm, you can be as hands-free as you want to be. It'll tell you what's wrong, and you can address those problems. You have a lot more flexibility with LogRhythm SIEM.

Overall, I'd rate LogRhythm SIEM a nine out of ten. I really enjoyed the solution. If you have to program anything yourself, there is a little bit of a learning curve. They've got lots of guides that you can use, and depending on your skill set, you may be able to figure it out sooner rather than later. The resources are all there, and the community is there to help you, which makes the product really great and easy to use.

The breadth and harvesting of information the SIEM is capable of doing. I've been in this probably going on 30 years, and I've seen the growth. I found a resource that's outstanding in finding information and then the most important thing, distilling it, putting it together, which is a real big challenge in this field.

We're a financial service. As our title implies we deal in mortgages, which means we see a lot of personal information, credit reports, financial instruments. We're really concerned that we are able to monitor the movement of that kind of information and protect it.

LogRhythm has been extremely efficient in helping us find the bad guys, who are really out there, they're targeting businesses like us. They specifically want the findings, the money. If you can get in the middle of a loan you may have to go after 10,000 people trying to find the data, but if you can get four houses at $400,000 or $500,000 apiece, you've just harvested $2,000,000.

For us, LogRhythm has given us the kind of insight we need to understand when those threats either are being recon-ed, found out, or when they're really trying a brute force attack to get at us. It's excellent for that.

I really can't think of a particular one, I've been very satisfied with what's happening. 

I know they're going to get another spike in customer base, hopefully they'll have the ability to ramp up people in support along with the customer ramp up. That's a hard game to play.

I've been part of a number of beta tests, so when CloudAI came out - which is phenomenal: The ability for something to give you information in a SIEM environment, you're often gathering data, writing rules to monitor the data, so you can see what you think you should see. But they're doing inference engine work, where they're looking at what a threat implies, and then presenting it to you.

In our field, false positives versus true positives are a big deal, but they've kind of taken it a step forward. I've come to call it - they may offer me information that I look at, that I didn't know about but I should know about - it's not a false positive because it didn't show a threat. It's a true insight because it showed me something that I wouldn't ever infer myself. 

So features like that, the work that they're doing moving forward in that space, especially with machine learning. The sky's the limit in that, I'm looking forward to them doing it. 

I find it very mature, it's well designed. 

I'm sure if you're speaking with other folks today here at the LogRhythm User conference, you'll find that they're talking about all the new product roll-outs. They think these things through. Since I've been in the industry for many years, I've often found people will roll out products very soon. Often before they're mature enough to be out in the field. LogRhythm doesn't have that problem. I've been very impressed with that.

Except for the experience you often have when you do upgrades - and mostly it's the human, not the software - becoming accustomed to the new material, they've done a really great job.

We tried to size what we purchased, as an appliance, properly. You never realize how much data you're gathering until, of course, you see how much you're gathering. You're thinking maybe 100 million records a month, and you find out it's 100 million records a day. But we've been able to deal with that, understand what we're using. 

They've also been very helpful about throwing away the stuff. There's a lot of information that computers generate, not all of it is relevant. So we've able with it, to look at stuff and begin to filter out, in some cases, 20% to 40% of the content that isn't relevant at all.

I've found through the past two years they've had a few bumps because they've become so popular - I was in customer support years ago, I understand it. When you get a quick rise in customers it's impossible to maintain a support staff at the same time that you're having a fast rise in people who've bought your product. But they've worked through it, they've been responsive to it. 

I've been able to talk to the Director of Training, and the Director of Support on a couple of occasions, we've come to know each other, which is really valuable, especially in our business. Because he can look at me and say, "This is what we're doing." I appreciate the fact they're honest about the situation, they know me well enough now sometimes to be blunt, which is great. It's a good rapport, intelligent people, which is really essential.

None of this is offshore, it's all inside the United States. When I used to do secret cleared work, it was always a requirement that it be carried on within the boundary of the US. I've sort of picked that up as a habit, and these guys are really good at it. It's here, occasionally I go up to Boulder and see them, but it's very satisfactory, very reliable. They get on top of my problems, we usually fix them inside 24 to 72 hours. 

I had to do a proof of concept review two years ago when we were doing a rebid, and LogRhythm was the incumbent. I looked at some other companies. The thing that was essential for me was not only that you could gather data quickly and efficiently, but how you harvested it and how you maintained it. A lot of the other vendors had different ways of doing it, nothing I considered reliable and I was worried about the fact that, as their volume increased, the performance of their appliances would decrease.

What I found with LogRhythm, especially since I picked up one of the newer XMs, is that it has the capability to handle the volume I'm looking at but also, if I want to separate certain parts off onto certain systems, to basically spread those elements out. That was a feature that became really critical for me. Without that I'd be stuck with the pressure of one box, if it fails it takes all my operation out. So I get both, strength and diversity, because I can use multiple systems, they have that flexibility, the others didn't show me that. 

Those were some of the things that were important. 

Also, being able to handle tens of millions, and hundreds of millions of records from a wide variety of resources. They have something called log source types. Log source types let you ingest data from Palo Alto firewall, Cisco firewalls, big F5s, all sorts of environments, draw the data in and make it relevant. 

The other environments - whenever I hear an engineering environment tell me, "Its just a simple matter of programming." It's not. 

When somebody says, "Here's the log source type, and this will do this with your data," and you draw in 10 million records from the firewall, and that afternoon you can make sense of it. That was another reason why.

We've lived through three or four years of the product, so in the early time it was major upgrades, releases had a lot going on. But now things are almost completely seamless. 

LogRhythym uses both the central environment and then sensors that it spreads out. It used to be that you'd have to upgrade the central environment then get all the sensors. As they've moved through things I can now do one upgrade in one place and tell that central environment to upgrade everything else. It cuts down my time from being 12 or 13 hours for an entire operation, to about three or four hours to bring the main environment up, 15 minutes to start up the upgrades. Then it's time for coffee, come back, usually I'm done.

Things that are important: the first time you get a SIEM in your hands you think it's great to gather everything. Then you find out within a couple of days, gathering hundreds of millions of records and trying to make heads and tails... 

Begin slowly, focus on various systems, understand what they mean. 

A lot of people go, show me the perimeters, show me the firewall, show me the network. Pull that data in and when you've got it then turn around, look at all of your Windows servers, your domains, those environments. 

Moving slowly and classifying your data, so you can make the rules you design really specific. It helps you if you've got control on it, you can throttle volume, but also when you have anomalies pop up they don't pop up because you forgot something in a rule. They pop up because there really is something new.

The benefits are almost innumerable. You can't know anything unless you are capturing the data. Once you are capturing the data, you can then make intelligent decisions around what is and is not appropriate, and what is and is not dangerous. It improves the security posture, because you can then know when things are happening that are bad.

Before the LogRhythm solution, if someone was trying to login to a server with a local admin account, I would have no way of knowing that. Nothing would log it, audit it, and it would never show up. Now, I get an AIE alarm every time that happens, because it is considered a pass the hash attack.

If we know when these things are going on in our environments, we can identify rogue admins doing things that they should not be doing, and the questions can be asked, "Why are you using this process? What's failing you that you have to go around the normal procedure to do this?"

Another big one we found was just the ridiculous amount of PSExec running around the environment by non-admins to touch other things, which we have tried to curb. Then, we were able to ingest some custom log sources that have helped us become more proactive in alarming. Some of the stuff that we are using does not do good alerting, or it does not do role-based alerting. So I do not need an IT admin in Georgia to know about a potential issue in China. He does not care.

I need that alarm to go to China, and not to Georgia, but some of our solutions will only send their alarms to one source. So, you either send it to the entire IT organization, every time it happens, or you do not send them at all. It has helped us pair down the noise to our site level admins, and give them more actionable intelligence quicker.

We are a global company. We have 37 locations. China is one big country in Asia. We are on Australia, North and South America, and in Europe, with about 5,000 full-time employees. For the technology stack, we are running a single LogRhythm LR 6403. 2500 NPS license which we are currently hitting the lid on every day, and running a combination of Trend Micro and Malwarebytes. For endpoint, doing Cisco, Firesight for IPS. We are a Cisco shop, a 100% on the network, and we are a VMware shop, 100% for the servers.

Right now, my biggest challenge is distilling the technical data that I am getting out of the LogRhythm appliance, in my reports, and translating that to business value statements to the business units to justify that I need more NPS or I need a bump to NPS, or I need another VX, which is a lot of money to spend. I have to now, instead of making the fear argument of, "Oh my god, the world's on fire." Instead, it is more of, "Here is this device, here is how this solution partners with the business to enable them to make better decisions about risk." Also, they can feel safer in making somewhat more risky decisions, because they know that this solution is behind the scenes, watching, keeping an eye on things, and our team will tell them if something is going wrong.

The ability for me to go into the Web UI, and just learn what's going on in my environment. Being able to go in and show our company's management, "Look, this is what we can see. This is what we can now know about our environment."

Then, using the past several months to baseline what's normal, it has been invaluable, and we have also been able to stop things that were bad, at the same time. We were able to actually show value, while we were still building out the solution.

My biggest challenge always come back to log sources. We are a manufacturing company, so we have a lot of old stuff, and it has been a challenge to get some of our old stuff to light up within LogRhythm in a way that makes sense. I have probably submitted half a dozen log parser requests, and I keep finding more stuff that we need to keep an eye on that doesn't have a definition in LogRhythm. I keep pressing through, and I know they are working hard on it, but that is our biggest challenge.

It has been incredibly stable. I had one minor hardware problem, where it did not reboot at all. It just sat there, but it was just a minor hardware thing, other than that, the software itself has been incredibly stable.

It is near infinite. We are running a single appliance, but I can, even with my current license, break the Web UI off and put it on a VM if I need to, just to relieve some of the pressure. If I need to bring in another appliance, I can bring in another VX, and cluster those, or I can move AIE off onto another machine, it goes vertical and it goes east-west.

Customer Service:

I can't say enough about LogRhythm's tech teams, the staff, the SEs, and even my CRM. They have all been fantastic.

Technical Support:

We are on a first name basis with most of the technical support.

My company did not get me professional services, so I deployed LogRhythm by myself, with no knowledge. So I probably opened 50 tickets in the first three or four months.

They are amazing. They have an incredible depth of knowledge, even the Level 1 person that answers the phone, and their Level 3 support has been invaluable.

LogRhythm is the first SIEM that my company has ever owned. They never owned one before, and it took a lot of convincing to get them to buy it in the first place.

Definitely do a PoC.

• Get an appliance in your system and your company.
• Get your PoC guys to sign their CTU.
• Then, truly think through the business case for this device.

What is it that the business finds important, and how can this appliance/device enable the business to know more about the solution, and to protect that solution from anything.

Because if you start with what we like in the tech industry and what we want to do, you are going to be talking about red team exercises and hacking attempts, and those are all good things to have, but they just do not translate on that initial ask for $100,000s.

You really need to target the business, find out what is important to them, then focus that stuff in, and try to answer their questions with the PoC. Then, they will sign any check you hand them.

We were actually dead set on using Splunk. I came from a Splunk shop at my previous job, and I am a big fan, but I had never seen the Web UI before. So, it is a combination of a few things: The web UI, price pressure from the business, and dedicated hardware, which made LogRhythm the overriding choice for us.

I have seen the features that are coming in 7.3, and they look incredible.

It has far exceeded what I thought it was going to do for me in my job role. With the Web UI, over like a Splunk solution, it has actually become a tool that is used outside of security. I do not have to have people who have Lucene SQL Query Syntax memorized in order to get a value out of the system. They can jump in, log in as themselves, point and click, build themselves a query, and everything's great, then they love it.

The primary use case is to provide security analytics for the SOC and empowering all of our SOC operations for day to day business.

LogRhythm's improved our organization by allowing all sorts of members of the organization to be able to access this data in a much easier way than they have been able to in the past. So instead of more obscure SIEMs, or things out there like Splunk, where you might have to learn an entire language for how to interact with your data, it's all very visual based.

I'd say that's a big difference right there, but also just the ease of use of getting it into and getting it indexed by the SIEM. The other piece of it that I think is pretty huge for us is just how fast it executes on that data. So in previous SIEMs, I've seen where we've had to take up to three or four minutes for a simple query. I have that back in seconds. That's definitely a huge performance improvement for us.

I would say that the maturity of the organization that I'm with now is it kind of straddles a couple of different zones. On the one hand, we have a security team, and members on the security team that have been doing what they're doing for a very long time, and a couple of them even doing that a very long time at that organization. However, the security landscape has changed just dramatically in the last few years. And that definitely sounds like totally hackneyed, but it's true, especially when it comes to cloud integrations, AI, data science, all of this stuff has changed the game so much. So I would say that we're very much behind the curve in terms of we're a team of six or seven people trying to keep up with the industry. And we really look to these next gen tools like LogRhythm's SIEM to bring us there.

New functionality like playbooks are exactly how we're going to raise the maturity level of our team through automation and playbooks. That's absolutely the direct path that we see getting us to a more mature place. We've got the experience on our team, but we don't have 100 people working for us either. And so, we're really kind of looking for LogRhythm to fill that gap there.

Specific to LogRhythm SIEM, I would say the dash boarding capability is pretty spectacular, so having the advanced UI available to just instantly drag and drop widgets into the browser and get top 'X' whatever field you're looking for just in real time is incredibly powerful. It's very fast. That's one of the things that I love about it is that we can get trending information at a moment's notice for just about anything that we have packed into the SIEM. So it's incredibly quick to get very easy high level information on any field we're looking for in the SIEM, and then be able to drill down into that through the log feature at the bottom.

We are using their AI engine, we're using the actual web console itself. We're using lists in some of their automated list for generating content of blacklisted hosts or known malware sites and things like that.

Most of those features are turned on at this point in time. We're actually pretty new, I think that says a lot to the amount of use we've been able to get out of it. We've only installed it maybe three or four months ago. And the amount of data that we have going into the SIEM at this point in time, which amounts to nearly 20,000 events per second, plus all the different features we have turned on is pretty impressive. So I think that that speaks a lot to the ease of getting it stood up and running, which is something that I've seen be way more difficult in other SIEMs in the past.

We will be using the playbooks immediately, on day one, as soon as they're available. I've attended some of the playbook sessions here already and we're looking at which ones are already out there for use and how we're going to integrate them into our environment. So, playbooks are going to be a huge point of focus for the next year for sure for us.

I think LogRhythm definitely has some opportunity to grow in its documentation space, particularly like if I just use Splunk as an example. Splunk has amazing documentation. It's great. It's almost second to none in terms of the quality of its documentation. I would almost use that as an industry standard and say, "If you can do this ..."

There's no reason someone can't copy that pretty much exactly and say, "Let's do the same thing, but for LogRhythm." That way, when I have a new engineer or even an analyst come on board, I can point them to the documentation and say, "Get to work." That's not really possible today. We definitely need a little bit more hand holding when it comes to administrative features that aren't nearly as obvious when we're using the thick client or something like that. 

We've got a lot of work to do in terms of training people up there. But the documentation, I would say, is probably the biggest, one of the biggest things that I've come across to say, "This definitely needs some improvement here in terms of its clarity and availability."

Even just finding the right documentation that you're looking for can be tricky sometimes. My best bet is usually just to do a search of the forums and hope that I can find something and get lucky on the first try, as opposed to having every part of the system thoroughly documented out in an almost open source like way, in the way that open source projects have often gone about documenting and Wiki-izing, if you will, their content. I would love to see LogRhythm do something like that.

I would say that stability for us, overall, considering we're a brand new customer of LogRhythm, it's been very stable. We've had a couple of things come up, and I'd say those are more than anything just a "Oh, we didn't know that this should be tuned to a particular way or that the database wouldn't auto grow on its own". And there've been a couple of things like that, but there's been no major issue of, "Oh no, we threw too much data at it and the whole thing just died."

That's one thing that I'm pretty grateful for is that the whole thing hasn't come crumbling down upon us. And that can happen with a SIEM, particularly when you've got multiple data streams feeding in. As one piece of the puzzle breaks down, there's a downstream effect of killing every other part of the SIEM further on down the line. That hasn't happened yet. So, we haven't had any cascading failures or anything like that. It's actually been really stable so far and we've enjoyed that.

Scalability has been good. We have general guidelines on how far we can take it with with the hardware that we've purchased and installed. And we can sustain even above a little bit, we've found, a little bit above what we're even scoped out for our hardware. So, we've been able to really expand the scope of logging to the endpoint level, so we can take logs from every end point in the company and throw that at LogRhythm for the installation that we've set up. And it can keep up with that and we haven't had any issues of it just starting to drop stuff or anything like that. And so I would say it's definitely a top tier vendor in terms of being able to handle scale in my experience.

I've personally used a bunch of them and we've also, in just our QA process, we've interviewed several before settling on LogRhythm. Splunk would be the big one. And I think in that case the, the licensing mechanism kind of disqualified them. And it's a good system with a large community around it. But the ease of use for the end users wasn't quite there as it was with LogRhythm. Plus the licensing scheme felt a little bit out of date and cumbersome in comparison to LogRhythm.

I have only needed support a couple of times so far, we've opened a few cases with tech support. I can't sing too many praises of tech support so far. And they definitely have a tendency to want to try to lead you towards professional services, which isn't completely unusual in these cases, especially for new users.

I would say that the information is out there somewhere, but they don't have the best support site. They just don't. A lot of the information is just kind of in a forum somewhere buried somewhere in that forum probably, or in somebody's head. The documentation isn't quite as greater or spectacular as Splunk for example. But LogRhythm Community does have a passionate community. And if you find the right person, chances are you're going to be able to get your question answered.

I was hired just after they did the initial setup. But I immediately, because I'd missed that, set up a dev environment for us using all of the same components, so the differentiated data indexers and the platform manager and all that. So I set up a whole version of that on my own in virtual environment after the fact. And I did it by myself without too much help. So, that really did go pretty smoothly. I only needed to contact support once for that whole process. So it wasn't too bad.

A couple of others that we've considered, IBM QRadar that's actually one that we had in house previously, and we'd had stability issues with that platform. And so it was one that we were kind of looking at the market to see what we could replace that with. And I would say again that the ease of use of LogRhythm, for new analysts as well as management people, and the licensing scheme were two things that made it pretty attractive for us

We do have quite a few log sources. Currently we've got around 30 or 40 completely different kinds of log sources and roughly six or 7,000 different devices currently reporting in. We set it around 20,000 events per second sustained for our new infrastructure. That's kind of a lot for us. We've gotten that up relatively quick, up and running. So the stability for that has been great. And as far as parsing goes, we have generally stuck to platforms that we know would parse out of the box. And now, we're just starting to get our feet wet with, okay, what are some platforms where maybe it doesn't have out of the box support for the parsing messages" Or we might want to write our own parser or something along those lines.

We know that it supports things like common event format. And so generally, I'm pretty confident that we'll be able to get everything in there that we want. I wish we had that information. Unfortunately we don't have mean time to detect or any of those soft things. Prior to LogRhythm, it wasn't even an option for us to get those sorts of things. Now with playbooks coming out and some of the new tagging features and case management features that are going to be in seven point four for LogRhythm, that's our first target is to start actually putting numbers around that. And we just haven't had LogRhythm in house long enough to stand up a program around getting those metrics.

As far as the rest of 2018 and 2019 goes, that's one of our number one goals is to get those metrics in place. And certainly, the case management features and seven four are what we're looking to get us there. 

I can tell you for sure that that saves at least an hour of analyst time every single time that occurs and that might happen three or four times a day even for just potentially unwanted software and things like that. So we know that we're saving a lot of time. I have no idea how much exactly we're saving just yet, but I know it's going to be a lot more in the future because we're really starting to get sped up with smart response options and automation, especially when it comes to playbooks. So we'll see a lot of that in the future and that's another one of the big reasons that we've looked to LogRhythm to say, "Okay, we know that we still have yet to see some of what we've invested in here, but we're confident that we're seeing it already."

I give it a nine out of ten right now. The only only minus being for documentation, that's it. But I think that they can get there. So I have faith in them. The advice I would give to somebody looking for a new SIEM or to invest in SIEM technology would be obviously they have to keep in mind the price. We always have to work within that constraint. As a technology person, I hate to think from that perspective, but it's our reality and so things like Splunk really work against that in terms of being able to have to pay for ingestion of data. LogRhythm is great in that area. And that's one of the reasons why we've definitely looked towards LogRhythm for that. A couple of the other things that I look at for them is automation capabilities and API's. 

Everything these days has to have an API. So how good is your SIEMs API? And LogRhythm definitely seems committed to continuing developing their API out, particularly with playbooks and automation. And so, generally, I'm going to say that's where you should be looking for SIEM right now is automation. Most of the SIEM software solutions can do 99 percent of what's out there. Can It parse a message? Can it store it? Can it index it? All of those things, they all generally check that box somewhere along the lines. But how closes is that ecosystem? How available is the API? How good is the support gonna be and things like that, that not necessarily every SIEM does equally? I would say that's where they need to look to find their value.

Primary use case for the SIEM would be for log collection and threat identification.

We're still in the beginning stages of our security solution, as far as maturity. Two years ago, this security program didn't exist. 

Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job.

The analytics that it does.

Full-spectrum analytics capabilities, which we use for:

• User behavior.
• Watching and monitoring for login events or any anomalies. 
• Going through and watching trends. 
• Knowing what activities endpoints are doing, where they're going, what websites they visit, then making sure that they're in the normal or making sure they pick up on any outliers.

I would like to see APIs well-documented and public facing, so we can get to them all.

When it comes to a single version, it is rock solid. We haven't had any major bugs or flaws that haven't been involved with upgrading or going to another version. As long as you're on the same version, it is rock solid.

It works. The biggest thing with scalability is looking at how much data you have to ingest, so if you have to build the DX to be a specific size then you have to plan out how big its going to be. Therefore, it doesn't necessarily scale easily, but you can add additional data indexers at any point.

The technical support is very good. They are in the top two to three companies that we work with.

Its very complex. As with anything, it takes time to get it working and know all the different nomenclature with it.

I do the deployment and maintenance of the solution myself.

I have seen a measurable decrease in the mean time to detect and respond to threats. We went from not detecting them to detecting them. We can actually pick up what is anomalous in our network now.

The solution has provided us with consistency and increased staff productivity through orchestrated automated work flows by at least 20 percent. 

Our top choices were LogRhythm and Splunk. 

Splunk is a data lake that doesn't necessarily do any analytics. Whereas, with this solution, we're looking at all the analytics. We can quantify data, we can drop data, and we can do what we need to, plus the pricing model is better.

Know what you want it to do. If you buy a SIEM because its called a SIEM or someone says it's a SIEM, you're gonna end up with what someone else believes they need. Figure out what you need beforehand and make sure that those bullet points are covered because there are a lot of options.

We're currently using the built-in manual playbooks. So far, the features are very good. They are growing. I am looking forward to seeing how they expand upon it.

The automation is coming. The API access and everything else we're looking for to be able to deeply automate a lot of common tasks is still being built-in. Right now, we can do automation on simple tasks. E.g., if it sees something bad, it can take it off the network and put it in our remediation subnet. However, it does not have the capability for complex investigative actions yet.

Right now, we have about 3000 log sources and 3000 messages per second.

LogRhythm works within the core of our SOC. It's where our analysts work every day and where we do all of our investigatory work for security incidents.

It created our security posture. It is the central component of all of our security tools and it is the heartbeat of our SOC and our daily operations. It sets the tone for everything that we do.

This solution improves our organization daily. It saves us countless hours doing correlation work and reduces our investigatory process from days to hours. It routinely brings issues to the forefront using the AI engine and the use cases that we've built that need investigating. We constantly find new sources of logs to bring into the system to continue to make it better. 

LogRhythm does a very good job of helping SOCs manage their workflows. Our SOC is very young and we're not leveraging that feature yet. I've seen other companies' SOCs and watched them use the workflow features and it's incredibly well done. We're not mature enough yet to use it. 

For cybersecurity exposures, the one downside from LogRhythm's perspective is that it can only tell me about use cases that I've already defined. It cannot identify unknown cases at this time. However, we have just recently purchased the NDR solution and that does have this capability.

This solution is our principal mechanism for doing all investigatory work. When we get alerts from LogRhythm, we'd go back to the logs and trace those events back to their source. This is is how we shut down attacks. 

One of the features that we use the most and find the most valuable includes the Web Console. My analysts really like the interface and the ability to build queries using point-and-click without having to write Query languages. My favorite feature is the actual Admin Console and the ability to monitor all aspects of the SIEM's health and the ability to build new use cases for my analysts to work with.

We also use the Machine Data Intelligence feature for classifying and contextualizing logs. It does struggle with unknown log sources and we've had some challenges over the years getting new log sources incorporated into the MDI Fabric.

The ability to authenticate successes and failures using MDI is incredibly easy. For the log sources that we bring into the SIEM, that work is pretty much done for us by the MDI. We don't have to do any additional work.

One of the challenges of the SIEM for the LogRhythm 7 platform is the amount of time it takes to bring new log sources into the MDI. We've waited a couple of years on some sources before they were incorporated. Writing our own custom MDIs is very challenging because it requires expert-level regex in order to write those rules and to make them efficient. Bringing in sources that aren't natively understood is where we've struggled the most.

We have been using LogRhythm SIEM Solution for six years.

The stability of the solution, if it's deployed properly with the right resources, is rock solid. We have not experienced any performance issues. When we first bought the SIEM, we undersized it, and the performance was compromised. 

This is a scalable solution. I've load-tested the SIEM at its current resource allocations up to four or five times as much as my daily ingest and the system handled it just fine.

Their technical support is second to none and is one of the reasons why we continue to invest in and consider LogRhythm as a strategic partner. Their support team are really good at their jobs and they always come through when we need them. I would rate their support a ten out of ten. 

Positive

LogRhythm is the first SIEM I have used and the only SIEM I have a lot of experience with. I've demoed other SIEMs and we've gone to market twice to look at whether LogRhythm was still the right decision. Both times we concluded that it was.

The setup of the SIEM is complex in its own right. LogRhythm typically recommends professional services assistance to deploy the SIEM properly. My company did not purchase those professional services so I had to figure it out for myself. Their support structure was so good and they helped me so much that we were able to get it working without professional help. 

LogRhythm is an out-of-box solution and this was why we bought it. I had no experience with SIEM when we bought it six years ago. I needed something that I could plug into the network, get up and running and get value out of immediately.

We get a vast amount of ROI from this solution. We get way more out of it than we put into it. One of the metrics that I track pretty closely in our SOC is the mean time to detect. Prior to the SIEM, the mean time to detect was measured in weeks and it's now measured in minutes.

LogRhythm's pricing and licensing are extremely competitive and it's one of the top three reasons we continue to invest in the platform. 

We looked at Securonix, Azure Sentinel, IBM's QRoC, and QRadar on Cloud. What really won us over with LogRhythm was the ease of use of the interface and the simplicity of the underlying architecture. It really lends itself to being a low-cost solution to own over time.

The nice thing about LogRhythm is that they continue to innovate and come up with new capabilities like their NDR solution that we recently invested in. They continue to stay relevant. 

I would rate LogRhythm a nine out of ten. The on-prem version of the solution is fantastic and is the core of my SOC. It's our daily tool for all of our investigations. 

Our primary use case for bringing on a SIEM in general was the need to correlate our data across dozens of different solutions that were spitting out logs. We got to a level of complexity where it became mandatory.

This solution has been almost like a transformative change in how we detect and then respond to incidence. Quite honestly before, we didn't know what was going on and we couldn't detect anything other than  a random virus that sent an email from our AV solution. For us, it really took off when I was a little onboard the Office 365 logs and then we were able to start monitoring locations of login and we actually detected multiple accounts that were logging in from countries that had no business being there.

That led to some investigatory work and actually led to some password resets. It was really positive and we continued to detect that type of activity and enhanced the rules, changing here and there. That was a big one for us because we had never even looked at the Office 365 audits because we didn't have a way to do it. LogRhythm brought that in and within a day or two, we're like, "These three accounts are popped and we need to get these guys off the network now." It was amazing.

We're currently processing about 3,500 messages per second. We have experienced a massive decrease in our mean-time to detect. It's actually hard to improve on nothing. It's hard to get worse than no detection, so we went from being able to like, "Oh, a virus happened," to, "This user went to a weird website. We got that from your DNS logs and then 10 minutes later, their antivirus fired on something." And now we know that we can go over there and triage that system quickly as opposed to maybe not getting the virus log for a day. The other thing is detecting when we think breaches are happening, which is something we just didn't have the capability to do before we brought in LogRhythm.

When it comes to our security maturity, I was the first person at my company to do security, and the company had been around for 30 years. I bet that started from scratch, and I started where we were bleeding which was our endpoint detection for malware and ransomware. And then be added on more layers. We added on like IPS and we added on a lot of perimeter type stuff.

While LogRhythm was probably the last component that I have onboarded in like first two-year time frame, it's now the center of the program. Everything feeds into it and that's where I go for just about everything. There are a few solutions that I still have to go out to those solutions to look at stuff but even like from a purchasing perspective, even my IT operations team, my IT applications team, my company asks vendors two questions right out of the gate. Do you have a cloud offering, and do you natively support LogRhythm? And those two are heavy, heavy hitters when it comes to whether or not we're going to put you in the running to buy your software.

The most valuable features in LogRhythm, honestly for me, the single most valuable feature is the web console. That is actually the primary reason we chose LogRhythm over some of these other solutions because I was able to leverage web console usage across multiple layers of IT, and I didn't have to sit back and teach everybody complex SQL queries. Just that point-and-click interface, it's nice and bouncy and it's beautiful to look at has really driven the adoption of the use of the software. Secondarily, I think another really great feature is the LogRhythm community. And the content that that provides has enhanced our adoption over the years.

We don't use the full-spectrum analytics capabilities of the SIEM mainly because I'm a lone wolf in running it. It's just a matter of timing and focus. We do a lot of analytics around user behavior although we're not a cloud AI customer yet. We're doing a lot of what they call the AI engine to do user behavioral modeling and we're starting to onboard some network behavior modeling analytics as well.

It honestly comes back to me for log sources. The time to get support to onboard a log source runs about 18 months, and that's just too long. Like I said, I'm a lone wolf running the system. I don't have a lot of free time to write ReGex and build out my own policies, and I tend to write bad ones that are very inefficient. It is tough when I get a critical source or when a part of the business went out and just bought something, never consulted IT, and now we have to audit it and it doesn't support LogRhythm or it doesn't even like have a function that gets us the logs. We have a cloud solution where we can't even get the logs out of it. It's crazy bad. But when we do get those logs in, it would be really helpful if we could get a supported log source policy from LogRhythm in a shorter amount of time

I have had a lot of trouble with stability, perfect timing. We onboarded way too many log sources on the get-go and overran our appliance's capabilities. And I've spent probably the last 12 months working to stabilize the damage that I caused the system when I did that. It's been a rough year for stability. Even just before I came to this conference, I think I got it finally stabilized. I'm cautiously optimistic that I can take a deep breath and start focusing more on the logs instead of the appliance itself.

We've scaled the solution twice. I haven't done a whole lot of like large-scale build-outs. We're still a single appliance. What we did scale was we scaled the memory and we scaled our NPS license and then I added in some external storage. And all of those things went great. We're to a point now where they're recommending that we buy what they call a data indexer separately. My leadership is more interested in moving it to the cloud than buying more hardware, so I'm working to get a POC started up to get it up into Azure and see if we can scale horizontally in Azure as opposed to buying more hardware. I might have a lot more to say about scalability next year.

Tech support LogRhythm is one of my favorites. Of all the solutions I deal with, those guys and girls are insanely good at their jobs. And so when we bought the solution, my leadership did not buy professional services to help me deploy it. I did it blind, basically, with the user guide. And I think in the first year, the number was about 75 tickets that I opened in the first year. And they still answer me when I call them, so that's great. And they're very willing to stick with you as long as you need.

The only challenge I do have with their tech support is the time shift because their tech support is all based here and I'm on the East Coast. They want to meet it like 5:00 p.m. Denver time, it's like, "Oh, no. I'm at 7 o'clock, dude. I'm done for the day." One little annoyance but it's well worth it in the end to get the support that we get.

The support for log sources is fantastic. It is challenging because you're always going to come up stuff that you need that is not recognized, and writing my own policies has been very challenging. As far as log sources, the last time I checked on Friday, I think we were at 2,900 log sources. It's a lot for this little appliance.

When we went shopping for a SIEM, I had come from a Splunk shop. I was very familiar with Splunk the interface. I like the software, so Splunk was number one on my list. And who was number two? SolarWinds had a SIEM solution that we had played with a little bit at my company, so they were also in the running. And then actually one of my partners talked to me about LogRhythm because I'd never even heard with LogRhythm before and so we did a demo.

And ultimately, it was two big factors. From a Splunk perspective, cost. Cost to build it out and then cost of licensing, it's just unattainable for us. And number two, LogRhythm's WebUI and the speed with which you can run searches in it was hands down my primary reason for going with LogRhythm.

I'm going to give them an eight. It's a fantastic solution and I totally support what they're doing and I like where it's going. But there is room for improvement, and there are some pain points and honestly I've had a rough year. That kind of influences it too. It's been a lot of time on the phone with support this year.

I will tell them what I wished I have known the day I started onboarding logs, and that is when you're looking for a SIEM, put all the features and everything to the side. Go talk to your business people and find out what's important to them because that's how you're going to know what to bring on initially. And once you know those things that are critical and the things you have to do, then you can evaluate the different solutions to see who has the native support because we didn't do that.

We bought it simply because it was awesome and fast and less expensive than Splunk. And then I onboarded 1,500 log sources in a week and brought the system to its knees. And I'm even now today still cleaning up and removing log sources that just bring no value. It's just noise.

Take the time and plan that out before you even go talk to vendors. Figure out what logs are out there, which ones are meaningful to you and the business and then find the solution that fits best with that.

It is for security monitoring.

It has helped us centralize and have better visibility into devices on our network. We are better able to respond to threats in a timely manner.

• Out-of-the-box features, like widgets and dashboards.
• The content in the LogRhythm Community is very helpful and useful for new users.

I would like to have threat indexing and a cloud version.

When we had version 7.2.6, there were a lot of issues deploying that version and with the indexing. The indexer was unstable. So, we were not able to use the platform when we were on that version until we were able to upgrade to 7.3.4. That is when it became more useful to us.

Now, the stability is good. Right now, it is more a matter of fine tuning the alerts and rules that we have, then we can reduce the hit on the XM performance.

In terms of capacity, we have the same XM appliance. We still haven't touched it (going beyond having that appliance), deployed another indexer, or moved to a distributed architecture.

Tech support has been good. They have fixed whatever has been bothering me when I contact them.

I do the deployment and maintenance for the solution.

We have seen a measurable decrease in the mean time when detecting and responding to threats.

Definitely consider LogRhythm. There are a lot of players in the market, but LogRhythm is a solid solution.

We don't have the playbooks. They are on version 7.4. We just upgraded to version 7.3.4. We are going to wait before we upgrade again due to performance issues.

We have around 22,000 log sources and average 5000 messages per second.