LogRhythm SIEM Reviews

Absolutely. It has helped us gain visibility into events that we didn't have before at all. We have a lot of remote locations. We manage national parks and point-of-sale devices on ships, at the top of mountains and little cabins, gas stations in the middle of Death Valley; we have a lot of difficulty around trying to keep an eye on things, and LogRhythm lets us have agents running almost anywhere we want.

It also has provided us ways to do compensating controls for systems that we couldn't otherwise secure, because of different product upgrade paths and costs. LogRhythm helps us on the compensating control side as well.

I think we're right around 1000 to 1500 (peak) logs per second, which is not a lot, but we've tuned it heavily in the last few months. We've added compression and we've turned off verbose logging, and just try to get the important things. We've been working with LogRhythm to tune what we collect, to make it is more useful or applicable. I wouldn't say that we're one of the higher end users or higher logs-per-second users, but we have 15,000 employees in peak season. We have six ships and we manage most of the national parks, so there's a lot of locations around the world. I don't have a number on buildings or assets though, but maybe 4,000 endpoints total, if you include routing and switching servers, desktop PCs.

Up until recently, I would speak with LogRhythm and they would ask me, "What do you want to do?" I'd say, "I don't know. What can you do?" "We can do anything. What do you want to do?" It's hard for us to know what we want. We just know that we want to be secure. We know we need to collect logs, we know we need to do basic things. But recently, LogRhythm came out with a package to help us tune our system for PCI compliance, like industry best practices. We don't know what all those are, so we're working with them to turn on all the bells and whistles that will make us more targeted in our strategy and collecting information, so that we're not just looking for things at random, or it's dealing with a crisis.

When we have a crisis we know what we're not getting, but we don't know how to predict that, we're fairly new into the maturity phases, so I think that they've compiled a lot of that for us, and I'm very happy that we're able to work with them now to get that hammered out.

The PCI compliance pieces that help us produce reports for our external auditor, and their support.

I constantly sing the praises of their support group. It's a complicated, vast product with a lot of breadth and depth. Things go wrong. But when I have a problem their support group will get a hold of me within minutes to hours, at the most. If it takes a group of people to solve the problem they pull a group of people together. They will create remote sessions. I don't have any other vendors with the same level of support that LogRhythm does.

Global management for registry integrity monitoring. Right now you have to apply what they call RIM policies, Registry Integrity Monitoring policies, one agent at a time. If you have thousands of endpoint agents, you have to touch each one of those one at a time. That is a pain in the rear, so I would really like to see some type of group or global management for RIM policies, like they have already for FIM, the File Integrity Monitoring. You can grab hundreds of agents at one time, and apply them across the board. I don't know why you can't do that with the registry piece.

It'll scale forever, and especially in the VM and cloud environment; so the time and money, those are the only two things. But it fit's our needs, where we are.

Like I said, we're not a really high volume user at this time, but that could change. We're owned by Philip Anschutz, he's always incorporating companies that he thinks will make us bigger, better, and more marketable; so that could change overnight.

But right now, where we're at, it meets our needs, I'm happy that it can scale anywhere that we need to go. There's no limitations there, as far as I know, and there are lots of options, with hardware, clusters, distributed environments, cloud-based environments, VM-based environments, combinations of all those things, so there's no problem with scalability.

They're a 10 - out of five stars! I have great success with them, very pleased. Love working with them, they're funny. They're also right here in Colorado, so when we need somebody on site it's not difficult. But it's rare that we can't solve problems with GoToMeeting or WebEx.

We used AlienVault, and before that Splunk, but neither one of them worked, and even their pro-services people couldn't get the products to really perform well in our environment. I understand the LogRhythm sales engineer who came out the first time to demo or do a proof of concept, was doing things in minutes that the other folks were trying to do in weeks, and my boss said, "That's what we want. I want that."

We need stability, ease of use, ease of investigation, so we had looked at a number of products in the past. Again, that was mostly before I came on board, but I understand the challenges with them included having to write a lot of custom parsing, and you either had to have Linux gurus on staff, coding gurus on staff, to make those products sing. LogRhythm has all that built in, and you just need to let them know what you want to turn on. They have all the features and policies and alerts that you could ever hope for, so you just have to know what you want to do.

The only other SIEM tool company that was even close to LogRhythm was QRadar, IBM's SIEM solution, in performance and cost and features. Actually, not cost. I think they're very expensive, and that company makes a lot of people nervous. LogRhythm is, like I said, local, and stable, growing, aggressive, helpful. IBM is a big monolithic company, which I have a lot of respect for and they've come a long way, but they're constantly splitting off and selling pieces, and you never really know where that product's going to be in a few years. LogRhythm hasn't had that problem.

It's effective, it's like a Ferrari. You have to have a lot of mechanics, and you have to fine tune it, and when it's running well it runs very well, but there are a lot of things that can go wrong too. I'm pretty much a one-man shop, and it's difficult for me, but that goes back to having good support and good communication with them. It's a struggle, but the product is strong and we just need to continue growing with it, in our understanding, in our use of it, so we'll get where we want to go. But it's a partnership, so we appreciate that.

I already mentioned some of the most important criteria when selecting a vendor, but the main ones for us were

• local presence: so we have a door to kick down when we need help
• support: LogRhythm has very strong support features
• scalability and cost: LogRhythm had a higher initial cost, but it had almost everything built in that we needed, there were no additional or hidden costs later, so it was much easier for us to plan ahead.

Also, our company likes to spend capital dollars, so the hardware option was more attractive to us. I like the VM and cloud, and I'd like to move in that direction, but having the multitude of options that they have was a big plus for us.

It's very important for us to have a unified end-to-end platform because we have so many different locations and we have such a small team. Having 50 different products and 50 different interfaces doesn't help anyone, even if they're good products. Having one single product that can do a lot of things is very important.

It's a 10 our of 10 for sure. Even 11. I love it.

Don't just look at cost because, as I said, LogRhythm was a little bit higher in the beginning, but look at the features that they have and the support, everything, especially in this field. It's a complicated business, so everybody's going to have problems. Can they fix those problems, and will they work with you to grow? Look at the big picture. Long term.

LogRhythm SIEM is used for monitoring events. Analysts can click on events, drill down, analyze source IP, destination IP, time, country, and other details.

LogRhythm decreases breaches and monitors all activities inside the organization. It allows for monitoring 100 assets integrated with LogRhythm, enabling efficient security operations.

The first valuable feature is the dashboard. LogRhythm's dashboard is very good compared to other SIEM solutions since it shows many details. The operation is also very smooth, allowing easy drill-down into events and effective analysis.

The integration is slightly difficult with other assets, like EDR technologies or firewalls. Also, the back end is not as user-friendly as other solutions like IBM QRadar. The technical support is also not as good compared to some other products.

LogRhythm is a new technology. I have been using the IBM SIEM solution for almost ten years, and LogRhythm for almost three years.

LogRhythm is stable once integrated. It requires very little maintenance post-deployment, needing just monitoring.

LogRhythm is scalable and covers many endpoints, possibly more than 100.

Technical support for LogRhythm is not strong, rated five out of ten.

Neutral

IBM QRadar was used previously. LogRhythm's dashboard and ease of analysis are seen as benefits compared to QRadar, though QRadar offers better integration.

Setting up LogRhythm is complex, especially for integration. The setup itself, without integration, could take one or two days.

I was part of the deployment team and faced some complexities.

Pricing depends on the number of modules you want to purchase.

Other solutions considered include IBM QRadar.

If there is no competitor, LogRhythm would be rated one hundred as there is no choice then.

I'd rate the solution eight out of ten.

It's our primary threat-hunting tool. We use it to look for anomalies. We use it for investigations. We use it for just about everything security related. If we find it in another tool, we use the SIEM to cross reference what activity we would see either from that user or from that machine that we saw in the other tool.

It's improved our organization in a number of ways. 

Before we got the current SIEM, for example, the previous SIEM was not our primary threat-hunting tool. It was a data point we would go to occasionally.  Today, LogRhythm SIEM is our primary threat-hunting tool thanks to the user-friendly interface, which is much better compared to what we've had previously.

The ability to return relevant information from a search to provide either corroborating evidence for an investigation we were already undergoing or just being in a better place to go hunt for threats has made me feel that the environment is safer than what we had previously. 

Previously, with McAfee SIEM, we had no confidence that it would help us in an investigation, so we frequently did not lean on it. It let us down so many times. LogRhythm SIEM gives us a sense of confidence that, during an investigation, it's a solid source of information that we can use to complement the investigation or perhaps complete the entire investigation within the SIEM.

Our previous SIEM did not have dashboards, so there wasn't a starting point. With our previous SIEM, we had to have a specific thing we were looking for, and only then we could find it. 

The dashboards in the LogRhythm SIEM really help us as a starting point. It gives us a starting point we can go to every day. We walk through several dashboards to see anomalous activity for further investigation. The dashboards, therefore, are our favorite feature of the SIEM.

The solution helped with productivity and the ability to process logs. We do Event Log Filtering for certain log types, which we don't want in our SIEM as they're just too noisy. Having too much noise in the SIEM makes it harder to find relevant things. Therefore, we use Log Filtering to limit the noise. It's also given us the ability to bring more logs in, so we bring them all from all of our workstations and servers. Doing the log filtering this way allowed us to bring in other log sources and keep the noise manageable.

It's helped reduce our administrative overhead. Before we started doing the log filtering, we exceeded our license capacity for what we were licensed in terms of logs in our SIEM. The filtering allowed us to bring the noise down and helped us with the removal of junk logs that are not useful. We have a lot of firewalls, and anytime you're traversing internally inside of the firewall, it generates a lot of traffic. That kind of traffic is the type of traffic we took out, allowing us to bring our workstation traffic logs in to give us a better view of our environment.

It's very big for us that the solution is out-of-the-box. To have the solution be turnkey was significant as it enabled us to ramp up and get the logs onboarded immediately. There wasn't a lot of configuration to get to a point where we could bring logs in. It was essentially turnkey.

We use Windows Event Forwarding to collect the logs from our Windows clients, and the logs get aggregated as one data source on that collector. Therefore, finding logs specific to one particular Windows system requires some creativity in how we search the SIEM. 

I've heard that in a future release, it may come to a point where the Windows systems would be dedicated log sources, so you can choose just that log source. That would greatly improve our ability to threat hunt with our SIEM.

We've been using this LogRhythm SIEM for about three and a half years.

The solution's been very stable for us. We bought a high-availability solution, so we have two systems in a high-availability pair. That redundancy gives us resilience. It comforts us to know that if we lose one data center, we've still got logs going into our SIEM in the second data center.

The hardware we bought has the ability to process logs at twice the limit that we are licensed for, and we've not had to increase that. We've had it for three and a half years, and it's robust and keeps up with our needs.

I've had to engage LogRhythm technical support on many occasions. They've always been quick to respond and are very knowledgeable, professional, and helpful.

Positive

The previous SIEM we have was McAfee Nitro. There were a couple of reasons why we switched. We switched due to the fact that it wasn't easy to just stumble into finding things. You had to know what you're looking for and we didn't like that aspect of it. Also, we had a really bad support case that was the catalyst for making the move to a different SIEM.

We have a different setup, and we keep the SIEM in our PCI environment to limit our PCI scope. We had to think through the architecture so that we had the logs in the places we needed them without having our firewalls wide open. It was very quick to deploy since we used Windows Event Log Forwarding. We were able to use a GPO to have logs sent to a centralized server and, from there, ingested directly into the SIEM, so we were onboarded in less than a week's time. We were able to onboard the majority of our log sources quickly.

When we bought the SIEM, we bought a block of professional service hours that we utilized to help implement the SIEM. They were a tremendous help with adding dashboards and getting our fingers in it enough to where we learned our way around it before we actually even got training. It was LogRhythm professional services, and I highly recommend them. They were excellent.

We've absolutely seen an ROI. We felt it immediately since the out-of-the-box dashboards gave us visibility into our environment that we had not seen before, as we didn't have a SIEM that presented the data in a usable manner.

The license model is similar to other SIEM solutions that we looked at, which is a log volume pricing model. That pricing model works well, especially being able to filter the logs and get less important logs in so we have the ability and the headroom to put in other log sources.

We evaluated a few other options. Since we're a government entity, procurement rules limited us to just a handful of options, and of the options that we had, LogRhythm was clearly the better choice for us. 

We had the option to renew and get a refreshed McAfee SIEM, which we didn't feel good about. The other two options that we were able to use were IBM and Rapid7. IBM was just another vendor I've not had good luck with in the past. Rapid7 was a smaller player. We didn't feel they had the ecosystem, the robust ecosystem, to support what we were looking to implement.

I'm a senior security analyst. I work at a government organization that employs between 500 and 1000 people.

We are on-prem with high availability, so we have two self-contained systems, sequel logs, and everything, and they can run either box.

In terms of helping us manage workflows and cybersecurity exposure, we haven't leveraged smart responses in the SIEM. It looks like a powerful asset. We have some automated responses with a different tool for ransomware detection and prevention. However, the workflow ability in the SIEM is actually quite powerful. We just haven't leveraged it since we haven't felt that the right use case presented itself to us yet.

When it comes to affecting our rate of efficiency, we don't measure those metrics, so it's kind of hard to say there's a measurable amount or how much it's improved. It has given us a threat-hunting tool previously unavailable to us. We are very happy to have the SIEM be our primary threat-hunting tool.

Those who say SIEM is an outdated security solution should note that SIEM technology has been around for a very long time. It's still relevant thanks to the continual development that companies have done to bring more usability to extracting threats from logs. That's timeless. That's not something that's going to go away over time. The LogRhythm SIEM continues to add features, and improvements and makes finding and presenting data from raw logs easier. Digging through logs before we had a SIEM was tedious and very time-consuming. It's made it a big-time saver. To have the way it presents the logs in a usable manner has been a tremendous help for us.

I'd rate it a solid nine out of ten.

I am a security architect, so I don't develop the use cases with the customers if they deliver a team who is in charge of these activities. Depending on the case of the customer, we define something with the customers, according to the technical sessions that we have with them. I prepare all the documentation for the delivery team and present the project.

LogRhythm is deployed on-prem. There are about 60 people using this solution in my organization.

SOAR is integrated with the dashboard that we use for threat management. Because it's all integrated, it is useful for us when we deploy something on-prem.

I don't think the cloud model in LogRhythm is developed enough. This is one of the reasons they changed the position in a negative way in the Magic Quadrant Gartner for SIEM in the recent report. The cost of UBA is also high when you compare it with Securonix.

I would like to have a different cost model for cloud. If that happens, I think LogRhythm could be competitive in other cases with the customers.

The virtual machines require a high computer power, and sometimes customers say it's expensive. There are specific requirements from this solution. LogRhythm has a specific requirement when implementing in virtual machines, which is a very complicated issue. The best solution is in the cloud, most of the time.

I've been using this solution for more than five years.

It's stable.

When we are using LogRhythm in the cloud, it is scalable, but it's more expensive than other solutions. When we are on-prem, it's a little complicated and has a lot of challenges that the customer doesn't want.

It is scalable in the cloud, but not on-prem. It is not easy. It takes more time and money. I would rate it 3 out of 5.

I would rate the presale support 3 out of 5. They could be in contact more and give more information. It's average. I have heard that post-sale support is good.

It's simple because you only need to consider one component and that's it. But if you have a customer with different companies and each company has different subsidiaries and all of them want one only service, all of them will be sending the logs into one single SIEM, so you need a distributed architecture. You need to think about how to include new components and how that will be impacting the architecture in the near future, because we don't know the cost. In some cases, it's complicated if we don't know the new versions or the changes that the vendor will be publishing.

Deployment commonly takes three months but can take up to six months.

We use about six people for maintenance.

We deploy the solutions on our own.

I would rate the pricing 4 out of 5. There are no additional costs to the standard licensing fees.

The customers commonly want to know what is the price for the service in different bands. So we work on a banded price model, and it is something that is complicated. We include the UEBA, which is sized and quoted in terms of the number of users and entities. So we need to make a price banded model for the SIEM and a price banded model for the UEBA. We need two of them and they are related. 

If you increase the number of users, you are increasing the cost of the service of the SIEM. Sometimes we don't know the exact relationship between these two components. In the case of other solutions in the cloud, like Securonix, you just need to say to the customer, "This is the price of the different bands."

I've evaluated solutions that can be deployed in the cloud and have other features or components, like the UEBA. In the case of Securonix, it is included. We need to decide if we are going to propose something that is on-prem or in the cloud, depending on the requirements of the customer. The architecture is more complicated when you deploy something on-prem, so you want to increase the number of EPS, the events per second. You need to consider the architecture.

With Securonix or Splunk, we just need to go to the partner and say, we need an increase in the number of EPS. We also don't have to provide maintenance to the solution because it is in the cloud. Our specialist is more focused on the security aspects instead of providing maintenance to the components.

I would rate this solution 8 out of 10.

My advice is that if the requirement is to have someone on-prem, for example, someone that is working in a financial entity, it is a requirement to have all the information in their own data centers and using specific connections. If you have that case, you can use it. It is convenient. And you can use it if you have a case where the evolution of the environment is not going to change for the next three years. Otherwise, if you have a lot of changes during the time that you are going to be using this solution, you need to include different components that will probably be complicated to architect.

It takes good log sources. We have investments in endpoint protection and Mail Gateway, and our firewalls are going to be catching up soon. To have all the logs centralized, we haven't had that before across the enterprise. We had it logging at one or two locations, but this is the first time this year that we actually had all the logs go to one spot and be able to have alerts and alarms set up.

We use CrowdStrike as our endpoint, so we are in the process of getting those logs into the SIEM and we haven't got that done yet, but that's going to be a real big win for half our logs are on the endpoints that the employees have. To have that visibility is really important.

Provides visibility into the network. We got it for PCI compliance for the most part, and we also do SOC 1 and SOC 2 compliance, so we can show that we're secure to our clients. We have a lot of financial and other customers that care about security with the kind of business that we do. But we're looking at it to do SOC Light, not 24/7, but we want have a visibility into everything that is going on in our network, be able to respond, and do incident response using LogRhythm as our main console.

Our key challenge is working with disparate IT groups. We are a brand new security team within our organization. It's a pretty small company. They have grown their infrastructure by acquisitions, so they have a lot of separate naming conventions at each location, different staff, different log sources, and firewalls, which are different at each location.

It is has been a challenge. This has been one of the first applications that we've had. This and a couple others that security teams brought in recently that works across the enterprise. So, we've had a lot of challenges just getting AD or DNS to work, real basic stuff.

Then, also the log sources for the servers, we didn't have a lot of the logging enabled, so we had to kind of go back and then we had to enable a lot of logs using GPOs, working with our IT, and actually doing a lot of the work ourselves, because challenges are resources. There is so much work to do and not enough staff.

I did see a lot of the web console features coming up. I think those dead on, exactly what's needed. A lot of them had to do with better case management and more sorting, going through your alarms, and drilling down in different ways. I think that is really important.

In terms of improvements, I would probably look for more things to go into the web console that is currently on the fat client. I think that is the trend. I think that is what LogRhythm is doing. I find myself going back and forth between the web console and the client console and I probably spend more time in the thick client and it'd be nice to just be in one.

LogRhythm is really on track and they're doing a lot of things very well. In some other areas, particularly with the UI, how things are done administration-wise and a little bit on LogRhythm University, some improvements are needed. There are some challenges with registering for classes and taking them.

I was not completely satisfied. I wasn't really sure what classes to take. I did not feel like I had the direction initially to understand how to deploy LogRhythm. When you get LogRhythm out-of-the-box, there are so many knobs to turn and so many things to configure and set up, that it's almost impossible to do it on your own, as an enterprise senior engineer. I have a lot of experience with a lot of advanced tools and I find LogRhythm very challenging. I do not think we really could have gotten where we are without Optiv coming out for a week and spending time setting up the appliance and optimizing it the way it should.

There are some improvements that could be made to make it easier to use.

We haven't had any issues. I believe we had an alarm for a service restart, it kind of self-corrected itself. Something I noticed, but other than that, it has been rock solid.

I am not even using a quarter of the resources on the appliance today, and that's good, but we still have some log sources that we are still enabling.

We got our biggest ones in there, except for Mimecast and CrowdStrike, so that will add quite a bit. Hopefully, it won't be an issue for us right away. My impression is that there's all sorts of ways to expand and build out.

We have an all-in-one appliance, but I'm fully aware that you can spread out the functionality, so we'll keep an eye on it. I feel like for our size organization, we're growing fast. We had double-digit revenue growth year-over-year for the last seven years. We are growing really fast, so I anticipate it will be a problem eventually, but not in the foreseeable future.

If they're a super, large enterprise company, they might want to weigh having a LogRhythm infrastructure that is spread out.

I am not completely convinced that LogRhythm scales to the highest, largest size enterprises. I really do like IBM QRadar, I think it is one of the best SIEM solutions. If it was a larger enterprise, I would maybe have them go head-to-head.

We have used technical support. The last issue that I opened was because I didn't have the correct parsing support for our Fortinet firewall at our main locations.

The version of firewall we're on, not very new. It's actually a year and a half going on two years, and it wasn't supported. We opened up a ticket, but it was already a known issue, and they did eventually release the parsing. We're seeing all our logs now.

We get pretty much same day response from them. I've opened up a total of two or three tickets, and each time it was right away. Their support is good.

We did buy the XM appliance, the 5GB, I forget the model number. We just got it, the largest one that they would sell us.

We are not using it completely, but it's a single appliance for the LogRhythm. We have a mixture of Microsoft clients, Linux, and Mac on the PC, the laptop side. We also have a lot of 12U servers, which is a little bit of a challenge getting support.

The other change that we made recently was upgrading to Mimecast. They don't have the integration with LogRhythm yet but it's coming. I just talked to the Mimecast SE a couple times in the last few days, and it's not here yet, but it'll be here soon.

I had a little bit of experience with QRadar and a customized SIEM solution at my last job where we had used an MSSP environment, so really a lot different scenario, and you didn't really get to work with the clients directly upfront and control the log sources. Now, I work an enterprise that is slowly gaining control of everything, and that is a lot better.

We chose LogRhythm because in the Minneapolis area, the security community is pretty close and there are a lot of other customers and associates, like my manager and myself, who know a lot of people using LogRhythm. So, we got a lot of good feedback.

I was involved in the initial deployment and setup.

We had some challenges. The problem that we ran into is that without doing a lot of due diligence was management decided that let's deploy LogRhythm on the cloud on AWS because we're going in that direction for a lot of things, so we had Optiv come out and do the installation and setting it up for us, letting us drive, control the mouse, the keyboard, and so on. We ended up discovering that it would be $100,000 a year to have the virtual appliance in AWS just for the spec requirements and we pulled back on that. It was cheaper just to buy an appliance basically. The cost for one year almost paid for the appliance that we got.

We lost a few days of consulting time. Because of that, we had to delay the project a little bit and start over. Then we realized that once we did start getting all of the agents and logs coming in, we were not seeing all the logs that we needed. Then a lot of the log sources that we really needed weren't there yet because of our infrastructure challenges.

That was a learning experience, knowing what it takes to install a SIEM from scratch:

1. Have your inventory down.
2. Understand your network infrastructure challenges upfront.
3. Having the appliance versus the cloud and really understanding the pros and cons of that.

I know when we spoke to our sales engineer (SE) that there were very few cloud implementations. It is still pretty new. They tried steering us away from it and we didn't listen. We probably should have listened a lot better.

We use Optiv, and I understand its LogRhythm's largest partner for third party support, and we have had good experiences working with Optiv.

LogRhythm is successfully employed in a lot of organizations. We tried using another large SIEM, I won't name it, but we weren't able to even get it deployed. It was just too complex, and this was at CenturyLink.

QRadar, it's really easy to use, but for our size organization, we only have about 270 employees. That is not a whole lot of log sources, so it seemed like LogRhythm fit into that profile a lot better for our needs.

When it comes to the SIEM, LogRhythm was pretty much our go-to. We really wanted to go with LogRhythm and we were hoping that there wasn't any reason not to. Because my manager and myself had some experience with some other SIEMs and knowing what the success rate of those, and then just knowing people who use LogRhythm and who have said good things about it. At that point it turns into, "Is the financial investment going to work out for us?" It turned out that it did. We wanted to go with LogRhythm and we're glad that we're able to make it work out.

Smaller, medium-sized companies, I would actually steer them towards LogRhythm and have them look into it, then I would share my lessons learned.

It is important to have a unified end-to-end platform, but you also do not want to get vendor locked in. Its from a value perspective and a productivity perspective, that is where it is very important.

You do not want to be stuck with one product that then changes course or evolves. You always want to be with the leader in the market that is innovating. You want to be able to maintain that flexibility and be nimble to switch up when needed but having a real good go-to vendor, and LogRhythm seems like they are developing into that.

There are a lot of different firewalls out there. There are a lot of different network devices and different servers. They fit their niches, and it is important from a staffing and training perspective to have fewer products and technologies to support, because it is just hard to find people that are experienced.

You have to balance it out with having the best tools to do your job, because the challenges we face and all the security threats that are out there, you got to take advantage of what's available. If you're using multiple vendors, then so be it, but it is a balance.

Most important criteria when selecting a vendor:

• Interoperability with our partners and the rest of our stack that we have.
• Usability and access to support and documentation are really key.
• Being able to get the value out of your investment in a security product.

There are so many security products out there and so many tools. To be successful, you have to understand how the product works, have the documentation, and training available. That is really key. LogRhythm does a pretty good job.

We've been working with LogRhythm for a few weeks. We had Splunk and we're replacing it LogRhythm.

It's a general SIEM system for us, gathering the logs into one area.

We integrated Azure logs with it and that makes it simpler. Rather than having to log into the portal, we can just check everything in one place. We can compare those to our Windows and host logs to see if any problems correlate between them.

It just makes it simpler for analysts to find everything in one place. We don't have to give everyone access to ten different things, it's just one area where we can see everything.

We like the alerting features. They seem a little more hands-on and easier to set up.

It seems like a stable product. We haven't had any downtime yet. All the network monitoring seems to be going smoothly.

We have about 20,000 logs per second as our ceiling and we're at about 6,000 to 8,000 now, so we're okay. It looks like it's going to meet our needs for many years.

They're hard to get a hold of. We've tried to work with a couple of engineering department guys there. We've called them and called them but we never hear anything back.

We moved away from Splunk because we were not happy with it. Workstation monitoring seemed a little more complex than it is with LogRhythm. It's much simpler to search for issues and get alerts through it.

The setup was pretty straightforward. They sent us the appliance, we tailored it to our needs, made sure our network met everything it was looking for. We worked with their support a little bit on what they recommend for setting everything up.

We had a kick-off meeting before they sent the appliance to us and they handed all the documentation to us. That aspect's good. But working with the engineering support has lacked.

We looked at AlienVault, that was one we demo'ed. LogRhythm does seem better.

I'm not sure that we're hands-on yet with the full-spectrum analytics capabilities and we don't use any of the built-in playbooks. We have plans to use them in the future. We want to integrate everything into it and make it more automated.

We're at about 6,000 logs per second. In terms of a measurable decrease in the meantime to detect and respond to threats, we haven't gotten there yet. We are still implementing, still learning. We have to get to all our logs correlated.

So far we're pretty happy with the overall functionality of the system. It's going to meet everything we're looking for.

The recognition of many device types, log message formats, and the most common device types out there. Then, the ability to quickly display data, and do the classification on it. That is the big value.

I have used it a lot. I have used it against other SIEMs. I have used it in conjunction with other SIEMs, and it is the easiest to use and makes the most sense to me.

• Being able to gather the data into one central location.
• Being able to leverage alarm and case management features through there on that centralized single pane of glass. That lets us work through those issues that we find from all those disparate device types, fairly quickly and efficiently using that stuff.

Key challenges and goals are retaining talent. Guys tend to do really well in this field, oftentimes monetize those skills pretty quickly. So, there is always someone willing to pay a premium out there for those skills and that talent. Therefore, you find a lot of churn from that.

I would like to see additional features around alarm management. We are producing alarms right now, and we are able to change statuses on them. But, I would like to see more details around having timers on those alarms. So, if I have a new alarm that has been sitting there for 15 minutes and no one has gotten to it, I would want some sort of alert to tell me that or a threshold I can set.

I was not involved in this particular deployment, but have deployed about 25 LogRhythm deployments previously.

It is straightforward. Not too bad.

It scales well. It can go from 1,000 messages per second to 50,000 messages per second fairly easily.

I have used a lot of tech support, and I think it's the best out of other SIEMs that I have worked with: McAfee ESM and IBM QRadar. LogRhythm definitely has the best support.

Go ahead and do the evaluation with their other competitors out there. Understand each of the SIEMs capabilities by sitting down with them. I think you will find that LogRhythm will win out.

A unified end-to-end platform is extremely important, because as we get going to this more holistic security model, we will be looking at minimizing the number of tools that we have to have in our environment, and trying to centralize a lot of that work into one platform, which LogRhythm is definitely one of those platforms that does that.

Most important criteria when selecting a vendor: Selecting a vendor is pretty important. We go through a lot of things, a lot of due diligence. We like to put them up against their main competitors in the market. That is generally a step we take when evaluating different vendors for a solution.

LogRhythm SIEM is primarily utilized for cybersecurity analysis and incident management.

Its most valuable features include robust dashboards and effective alerts. I find LogRhythm's log management capabilities to be beneficial.    

We integrate multiple credentials and feeds from various sources to enrich customer data. However, we haven't extensively explored its capabilities for compliance reporting as it hasn't been a priority for our clients.

Regarding identifying potential security incidents, LogRhythm's preconfigured alerts are quite effective in detecting vulnerabilities. As for the impact of LogRhythm's log management capacity on security posture, it largely depends on the deployment type. The analytics and intelligence features, particularly the correlation functionalities, have proven valuable in catching complex cyber security threats.

I have been using LogRhythm SIEM for 1.5 years.

We haven't encountered any significant problems, so it effectively keeps our processes running smoothly. I'd rate it an eight. It's generally stable, though we haven't faced any major stability issues.

I'd give it a 6 because appliance-based setups can sometimes pose scalability issues, but otherwise, it's fine. 

We have specialists, and whenever we need technical support, we can easily get it.

Positive

LogRhythm SIEM is a factor in our capabilities, particularly for incident response and insurance management.

The incident response times have improved since implementing LogRhythm SIEM.

On a scale of one to ten, I'd rate the pricing of this solution as a seven - not too expensive but not cheap either.

Regarding licensing costs, it varies depending on factors like being a partner or an end user, but there are no additional costs aside from standard licensing fees for the basic SIEM solution.

My advice for someone considering implementing LogRhythm SIEM would be to start with proper controls and understand the value it provides.

Before installing the solution, users should consider factors like EPS calculations and endpoint support to ensure proper sizing, especially if not going for an appliance.

Overall, I'd rate this product an 8 and would recommend it to others due to its cost-effectiveness, value for money, and user-friendly nature.