It's a managed SIEM. It collects our log information, events from different systems. That information gets analyzed to alert us to any problems that are typically security-related issues. We use that database to do our own research as well. For instance, it's handy for figuring out why somebody keeps getting locked out.
Network Engineer at a wholesaler/distributor with 201-500 employees
Circumvents the need to hire and manage 24/7 in-house monitoring/alerting, and gives us actionable threat intelligence
Pros and Cons
- "When it comes to threat detection and response, it does a very good job detecting and blocking on its own. And the SOC is a nice added value because they're doing analysis on things that aren't as obvious, on things that you can't just detect with a signature or behavior. Also, any SIEM will come with a lot of noise, so having them do a lot of the initial analysis to find out what's critical and what issues are false alarms is very good."
- "Everything that I've wanted has been added in. EDR was added, and MITRE was added. Those were two big ones that we didn't even have to push for."
What is our primary use case?
How has it helped my organization?
The 24/7 monitoring and alerting is definitely a positive because we don't have to have it in-house. These days, finding security people and keeping them is even more of a challenge than it was two years ago.
Netsurion also provides us with actionable threat intelligence. If an endpoint visits a site that tries to do a download, a "drive-by" type of situation where it tries to run an obfuscated URL through a PowerShell or the like, we'll get an alert from the SOC so we can take remediation actions for that particular endpoint.
Our detection time is shorter than it was, and they're well within the SLA for both detection time and remediation. Since MITRE was added in, we haven't seen anything take longer than it's supposed to. The detection times are short, and alerting times are also very short. And while the addition of MITRE hasn't increased remediation accuracy, remediation accuracy has always been good with Netsurion. When it's already good, if it only gets a little bit better, it's hard to measure that.
In addition, the fact that this is a managed security solution has definitely freed up my time to work on other responsibilities. If we didn't have the managed component, I would probably have to spend most of my day in the SIEM, personally. Now, I only have to turn to it once in a while. It has freed up most of my time to work on other projects instead of managing the SIEM. It saves close to 75 percent of an FTE in our existing staff and we also haven't had to add staff. To get 24/7 monitoring, we'd have to have at least three people with no vacations for those people. That would add up to a whole bunch of FTEs.
What is most valuable?
The fact that it's a managed solution is very valuable to us, having their SOC do 24/7 analysis and alerting. The SOC is a very important component of the solution. They are responsive when we have questions or when we want something to be analyzed further. We also have periodic reviews with our primary liaison of the state of the solution and the offerings of the SOC.
When it comes to threat detection and response, it does a very good job detecting and blocking on its own. And the SOC is a nice added value because they're doing analysis on things that aren't as obvious, on things that you can't just detect with a signature or behavior. Also, any SIEM will come with a lot of noise, so having them do a lot of the initial analysis to find out what's critical and what issues are false alarms is very good.
An important feature that is more specific to the product itself is the EDR component. We get analysis, blocking, and remediation for endpoints. It also does known and unknown malware blocking on its own. It's nice to have another layer of analysis and security from the agent as well.
What needs improvement?
Everything that I've wanted has been added in. EDR was added, and MITRE was added. Those were two big ones that we didn't even have to push for.
Buyer's Guide
Netsurion
November 2024
Learn what your peers think about Netsurion. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
For how long have I used the solution?
I've been using Netsurion Managed Threat Protection for four years.
What do I think about the stability of the solution?
Other than updates, there has been no downtime. It is very stable.
What do I think about the scalability of the solution?
I'm not concerned about its scalability. It's very scalable. We could grow greatly in size, and it would just continue to work for us. It's now used everywhere, throughout our organization. There are some additional paid features that we don't have, but we're using everything that we have licensed.
How are customer service and support?
Our account representatives within Netsurion, and the handful of people I deal with in the SOC on a regular basis, are familiar with our company and our previous issues. I talk to the same people all the time. Obviously, there has been some turnover throughout the years and people get promoted, but our account manager became a manager in general, and I still talk to him. He still reaches out to me to see how things are going. It's not just a bunch of different names being thrown at you every time.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Using Netsurion has not meant we have consolidated cybersecurity technologies. We haven't eliminated anything. We added Netsurion into the environment, because nothing catches everything. We were not even looking for something that would replace everything else we had. We wanted the enhancements that we would get from a managed SIEM, versus keeping everything in-house.
Additional layers and different technologies are looking for different things. Netsurion deploys a technology and algorithms that we didn't already have. And the 24/7 monitoring with the SOC was another reason to add it to our environment.
How was the initial setup?
The setup was pretty straightforward. They needed to learn about our environment and I needed to provide a fair amount of information for that. We set up a system for them, and they did the configurations, primarily, and have continued to maintain them. We had an account rep, not a sales rep, but an actual Netsurion manager, who worked with us and their SOC and did the project management on their end. He worked directly with me and we had a number of web meetings and phone calls until it was up and going. Anytime there's a new version or new features, I'm still talking to the same guy.
Their assistance in the onboarding process certainly helped with the product's time to value. It would have taken a lot more time to set it up if we were doing it by ourselves. The setup required about 20 hours of my time and we had data coming in and being analyzed within a week, maybe a little longer, of the beginning of the project. It didn't take very long to get the core system up and going. After that, it was a matter of configuring all the systems in our environment to start reporting to it.
They maintain the system itself, but we have to make sure that clients are reporting to it. You get a report, and depending on the service level, a report you can run yourself, anytime you want. It's very easy to run, and you get a list of non-reporting systems. For example, we can see that Bob has been on vacation for two weeks, so it makes sense that his computer hasn't reported in in two weeks. But Joe has been working every day from the office for the same two weeks, and his computer hasn't reported for the last three days, so something probably needs to be looked at on Joe's computer.
What's my experience with pricing, setup cost, and licensing?
We haven't been hit by any surprises when it comes to pricing and licensing. You are paying for different levels, especially as far as the monitoring goes and how often you review it with the team. The other factor that figures in is how many nodes are on your network, such as clients, network equipment, servers, etc. There are some additional pieces on top of that, but it's laid out pretty simply, as far as how much you're going to pay for a node. And if you want an additional feature, they tell you how much you pay per node to add that on.
Which other solutions did I evaluate?
We looked at a few solutions but we narrowed it down quickly to Netsurion. The features offered by the various solutions were pretty close in parity, but Netsurion, at least at that time, had an edge on pricing, and we liked the initial conversations that we had with them.
Netsurion didn't integrate the MITRE ATT&CK Framework when we brought it on, but it was added afterward. But as MITRE solidified into a pretty important framework, I reached out to Netsurion and asked when it was coming, and it was coming in the next release. They were on top of it.
What other advice do I have?
As for someone being concerned that the solution's SOC is outside of the US, it hasn't been a concern for us. It's 24/7. If the concern is more national or regulatory, you have to follow what your rules are. But if you don't have any regulations or laws restricting you, I wouldn't hesitate just because the SOC isn't in the US.
If a colleague at another company said he's not sure that they need managed services, part of that conversation would be about what kind of staffing levels they already have and if they already have 24/7 in-house security monitoring. If not, do they think the bad guys only work from 8:00 to 5:00 Eastern?
It's reliable. It works. With the managed component, we get that personal attention and that consistent team to deal with. To some extent, it's like they're part of our IT team. They're not in our buildings or working with us directly day-to-day, but in some respects, it's close to that.
Which deployment model are you using for this solution?
On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Director of Information Security at a healthcare company with 5,001-10,000 employees
Its 24/7 monitoring has enhanced the overall security of the company
Pros and Cons
- "Netsurion's 24/7 monitoring has enhanced the overall security of the company. They have someone looking at the data 24/7 who will call us as needed. If their team spots a malicious process after hours, they notify the appropriate person by phone. We get a lot of actionable threat intelligence from Netsurion. For example, if a user clicks on a malicious link in a web page and starts an unusual process that isn't on the white-list, Netsurion's team can detect it and prevent it from executing. Afterward, they'll notify us by telephone, so we can respond and clean up whatever damage has occurred."
- "Netsurion's threat detection and response aren't quite mature. I would expect a little more."
What is our primary use case?
We use Netsurion to meet our HIPAA and PCI compliance requirements and to implement best security practices. Before we implemented Netsurion, our company had no visibility into the environment. We use it to alert us about unusual processes that may be executed. After an investigation, we whitelist or blacklist those processes. It also helps us manage our asset inventory and respond to threats as they arrive.
How has it helped my organization?
Netsurion's 24/7 monitoring has enhanced the overall security of the company. They have someone looking at the data 24/7 who will call us as needed. If their team spots a malicious process after hours, they notify the appropriate person by phone. We get a lot of actionable threat intelligence from Netsurion. For example, if a user clicks on a malicious link in a web page and starts an unusual process that isn't on the white-list, Netsurion's team can detect it and prevent it from executing. Afterward, they'll notify us by telephone, so we can respond and clean up whatever damage has occurred.
With Netsurion, we've also consolidated a lot of our cybersecurity technology. Case in point, Netsurion can aggregate the log files from a Meraki wireless access point, which correlates that data, so that minimizes the time necessary to investigate. They have already taken care of the heavy work. With Netsurion, I take their data, and I know where to start.
Any security professional will agree that if you don't have a solid understanding of your inventory of assets, it's going to haunt you. In this case, it provided me the opportunity to see what's out there. This is especially crucial given that we have some BYOD devices that are not allowed onto the network. I was able to spot those devices and enable conditional access through our Azure Active Directory.
It has reduced the amount of time it takes to identify and respond to constantly evolving threats. We don't know everything. So we could have something that we've never seen before and it requires research on my part, which can be very time-consuming. I like to have the reference readily available.
The managed security solution has freed up IT staff time to work on other things. Our IT team is tiny. I am the only security person in a company with more than 5,000 employees. I don't have to focus on security 24/7, which frees up a lot of time and lets me have a work-life balance. It's equivalent to saving us the cost of three full-time employees at 40 hours a week. The SOC is an essential component. It's crucial to have those individuals correlating and reporting on alerts or taking care of events that don't need to be reported. That's a lot of manual work.
What is most valuable?
I'm new to the company and the environment, so it's valuable for me to see what is deployed and what processes are being executed in the environment to ensure that nobody is running something that may have malware or infections. Netsurion's log aggregation feature is something I use heavily. They use Elastic as their SIM tool. I'm able to take the numbers that they provide and correlate events.
Netsurion also integrates the MITRE ATT&CK framework. Every alert includes a reference to the MITRE number that you can research yourself. I have experience with the MITRE framework, so this is valuable to me. The company did not previously have an understanding of MITRE, so it's essential to me as the security person responsible. This framework has definitely helped us identify threats that we might have missed otherwise. With the MITRE ATT&CK number, I can research in the right direction.
What needs improvement?
Netsurion's threat detection and response aren't quite mature. I would expect a little more. Instead of an Excel spreadsheet with a log output, I would rather have a web portal that I could log into and see the event live. In all fairness, they may have that, but they have not provided that to us. They send me an Excel spreadsheet, and I have to aggregate the data manually to find out what I want to look at. It would be better to have a web portal where the data is already aggregated, and I can see where the hotspots are. They could do something like Arctic Wolf, which has a web portal or page we can log into.
For how long have I used the solution?
I have been using Netsurion since approximately June of 2020.
What do I think about the stability of the solution?
Stability has been okay. We've only had one instance where specific endpoints were not reporting in. During the discovery, we found that devices were pointed to the wrong collector on the Netsurion side, and they fixed that.
What do I think about the scalability of the solution?
With Netsurion, we're covering more than 5,000 endpoints without any real difficulties, and I think we could grow even further with that, so I don't have any concerns with scalability. However, I don't know how far they can go.
How are customer service and support?
I would give Netsurion support a nine out of 10. Their technical support has been outstanding. There have been some challenges on the administrative side getting the phone tree updated. That's an area where they need a little bit of work. But I have no complaints on the technical support side. They've been accommodating. Their SOC is also excellent. They're working on a mature model, and I think they're going to raise the bar. We also have five other managed service providers that the SOC needs to work with across different time zones. Everybody just needed to get on the same page and align the timing. After that, it went fine.
How would you rate customer service and support?
Positive
How was the initial setup?
I joined the company while they were in the middle of deploying Netsurion, and I actually led the last phase of implementation, which was getting the agents installed through the endpoint. In my opinion, it was pretty straightforward, and the deployment took about 90 days. The only issue was getting their agent to work on some of the Apple products. The developers had to go back and tweak the agent to get it running on these systems. Netsurion's SOC helped walk us through the onboarding process. Without their support, we would've probably been extremely frustrated and unhappy.
What other advice do I have?
I would rate Netsurion eight out of 10. While there is room for improvement and maturity, I have no complaints about their services. To anyone thinking about adopting Netsurion, I would advise them to research and get references. You should also do a cost-benefit analysis of a managed solution. Doing this work in-house is extremely expensive compared to offshoring it to someone already established who can do the work you need.
If someone is concerned about Netsurion's SOC being outside the United States, I would say that this hasn't been a problem for us, given the compliance spectrum we're working with. Some companies may have another view of that, but I work with that team and trust them. They meet all my expectations. I'm pretty satisfied with their service and how it was managed during implementation.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Netsurion
November 2024
Learn what your peers think about Netsurion. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,406 professionals have used our research since 2012.
Chief Technology Officer at G&G Outfitters, Inc.
Identifies potential threats and the remediation that I should take to be able to quell those threats
Pros and Cons
- "The SIEMs and managed service are its most valuable features. We get a weekly report from them which provides a culmination of them combing through millions of events which are triggered across our network every day and minute. Their information security experts basically boil that down to a report which I get emailed once a week. It identifies potential threats and the remediation that I should take to be able to quell those threats."
- "The deployment of the agents could be a bit easier. We always seem to have a bit of a challenge with that. A lot of times the agents either don't deploy or they quit responding, then we have to go and redeploy them."
What is our primary use case?
The primary use case is SIEM vulnerability and IDS.
How has it helped my organization?
It is protecting us from cyber threats.
We get a lot of information security audits from our larger clients. I wanted to be able to have intrusion detection and prevention, vulnerability scanning, and SIEM because those are always the questions, "Do you maintain your logs? Do you look at them? How do you take proactive action?" EventTracker managed service gives me the right answers for all those questions and has saved me time when answering these questions.
What is most valuable?
The SIEMs and managed service are its most valuable features. We get a weekly report from them which provides a culmination of them combing through millions of events which are triggered across our network every day and minute. Their information security experts basically boil that down to a report which I get emailed once a week. It identifies potential threats and the remediation that I should take to be able to quell those threats.
I don't have a CISO and don't have the budget to bring a CISO in. Therefore, it basically allows me to outsource the information security officer to EventTracker and have them perform that role for the company.
With the dashboards, I can very quickly see if there are any pending threats or anything that I should take action against. It has a very easy to use interface. Instead of having to go run reports and digging through millions of entries of data, I can have a couple of key metrics brought right up to me through the dashboard and be able to review that information, then either send it on to my networking team to address something or have comfort that we're in a good footing security-wise.
The solution's UI is very good now. It went through a transition phase from four years ago to today. With each iteration, we started on version 6 or 7, then we went to 8, and now we're on 9. Each one has been a large improvement for user usability and the user interface. It is more modern and easier to use. We usually view it on Internet Explorer or Chrome. I use my laptop to view it and find it a comfortable view.
I rely on them to tell me what features should be rolled out and come out. They are always introducing me to new threats and other thing that we need to be looking out for. They say, "By the way, we're looking for these now on the weekly report for you." They are the ones that I just outsourced this to.
What needs improvement?
The deployment of the agents could be a bit easier. We always seem to have a bit of a challenge with that. A lot of times the agents either don't deploy or they quit responding, then we have to go and redeploy them. That gets frustrating.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
It has been very stable for me. I can't say that I have ever known it to be down in the last four years unless we were rebooting it ourselves to do maintenance, like caching on the server.
Version 9 was a tremendous upgrade for the dashboard. The performance of the new version with the Elasticsearch edition is a real improvement. Previously, running reports would take a long time, and now reports are very easy to slice and dice, then look through the data and dashboards. The dashboards are very helpful if I want to add a new widget. I can email the control center, then they will just add it to my dashboard for me.
What do I think about the scalability of the solution?
It has accomplished what I wanted it to accomplish. If anything, I'm downsizing servers by moving it to the cloud. So, I'm not really adding more to what it needs to manage.
A network engineer and I are the two users for this solution. It is currently deployed across all of our desktops, servers, and VMs. I don't have any expectations to expand it, except for if I hire a new employee and put a new desktop in, but I doubt we are going to be putting new servers in.
We are getting on average 1.6 to 1.7 millions events a day.
How are customer service and technical support?
The technical support is very good and responsive. If I send an email to them, I always get a response within an hour. I don't generally have any emergencies happen. When we've had an emergency situation, they've also been really good to jump on and help remediate the situation. For example, we had a virus that was detected, and they were the ones that identified it early on during their review of the SIEM. They were there to help us through the remediation, getting it blocked, and blocking any exfiltration that the virus was trying to do. Afterwards, during the post-mortem and giving me documentation on what they had seen, how we'd reacted to it so that I can put together a post-mortem for the executive team, they participated in that. Overall, they have a really strong support team.
Which solution did I use previously and why did I switch?
We did not use another solution prior to EventTracker.
How was the initial setup?
The initial setup was straightforward because they did it. We just had to give them a virtual machine that met their specs, then they installed the software and got it all configured for us. So, it was pretty easy and only took a network engineer from our company.
It did not take more than a couple days to get everything installed, running, tuned, etc. We installed the software first, then we installed the agents second.
We have a network engineer doing the maintenance for it.
What about the implementation team?
Netsurion did the installation. We did not work with a third-party consultant.
What was our ROI?
I haven't measured the ROI. We don't do normal budgets, as we are not that big of a company. We are mid-sized.
What's my experience with pricing, setup cost, and licensing?
The pricing and licensing seem very reasonable. The managed service part of it feels like it gives me the equivalent of a full-time engineer for a lot less money. So, I feel it's a good value.
Which other solutions did I evaluate?
I was doing a cursory review of different things by doing a web search, like a Google search, and looking at different options. I came across Netsurion, who are local to us, and I knew the VP of Sales, and I always like to work with people who I have a relationship with.
What other advice do I have?
The solution has been everything that I've asked for from a service standpoint, software standpoint, and support. I have no complaints.
My advice would be to engage them to do the installation. The managed service is great value which saves you a full-time employee on your staff by being able to outsource it to EventTracker to review all the logs and cull through the data to make recommendations and identify threats, then how to remediate them. They provide it to you in your weekly or daily report, depending on how frequently you want to have them do it, which is based on your compliance. If you have compliance requirements for HIPAA, PCI, etc., it is a great benefit to help an organization meet their compliance requirements.
We have internal staff resources for internal incident management. We leverage the EventTracker SOC team. When we detected the virus, we kept in contact with the EventTracker SOC team and sent them emails, and they would call me and say that they see it on this server or that desktop, and we'd go and take it off of the network and clean it. Then, we would put it back on and they'd watch to see if they saw any traffic that was not supposed to be coming from that server. For the whole remediation process, they were sort of part of the team.
Data is all configured to automatically go in. We deployed their agents, and those agents just send the log data directly to the SIEM. We don't manually upload anything.
We did not integrate it with any other solutions.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Lead Security Analyst at a leisure / travel company with 1,001-5,000 employees
Provides us with detailed search responses and concise alerts that are not overwhelming
Pros and Cons
- "We have also integrated our endpoint security into the Netsurion SIEM. That's important because we have all the events in one place; we don't have to manage them in multiple places. In addition, the embedded MITRE ATT&CK Framework was paramount in our decision to choose Managed Threat Protection because the MITRE Framework is the industry standard for threats."
- "The weekly reporting could use some improvement. For example, when we handed them our landscape document, it took longer than I would have liked for those details to become noticeable within the reports."
What is our primary use case?
We use it for security incident and event management, and we use Netsurion's hosted SOC service, meaning their SOC team also assesses our events.
The solution is on-premises. We have the agent running on our Windows systems, and we have the Linux systems pumping the syslog data to the Netsurion server.
How has it helped my organization?
The 24/7 monitoring and alerting have positively affected our security maturity because now we have people with eyes on our security events 24/7. They are monitoring our security incidents and alerting us to any incidents that need action on our end. Overall, the SOC component of the Netsurion solution is very important because without it we would need to hire more people internally to do that work. With the hosted SOC, we don't need to have a large team on our side. While their SOC doesn't know our company and what is unique about our environment entirely at this time, they are learning it now.
What is most valuable?
All the features are valuable, so far. Some examples are the detailed responses that you find within the searches. The alerts are also valuable because they're concise and not overwhelming. The dashboard layout is also a feature I like, because it's very clear. It's not cumbersome.
When it comes to threat detection and response, Netsurion is very good. They're good at incident detection and responses. For example, they found some tools that are used by hackers, tools that were running on a system, and they immediately alerted us to that fact. We investigated it and it turned out it was an administrator using that tool. But it was a good process.
Managed Threat Protection also provides actionable threat intelligence. For example, when there was a vulnerability in the Exchange platform, they alerted us that this new threat had become known, and we were able to take action by patching our Exchange servers to secure them.
We have also integrated our endpoint security into the Netsurion SIEM. That's important because we have all the events in one place; we don't have to manage them in multiple places.
In addition, the embedded MITRE ATT&CK Framework was paramount in our decision to choose Managed Threat Protection because the MITRE Framework is the industry standard for threats. While it hasn't yet helped to identify threats we might have missed without it, we're still early on in our deployment, but eventually, once we are more mature, it will. And I believe it has helped with the time it takes Netsurion's SOC to identify and understand sophisticated threats.
What needs improvement?
The weekly reporting could use some improvement. For example, when we handed them our landscape document, it took longer than I would have liked for those details to become noticeable within the reports.
For how long have I used the solution?
I have been using Netsurion Managed Threat Protection for about 10 months.
What do I think about the stability of the solution?
It is very stable.
What do I think about the scalability of the solution?
Scaling it would be slightly complex because you would need to consciously keep track of the ports where the logs are being ingested. Scalability is not as straightforward as it could have been.
We are using it to monitor about 2,500 endpoints and we have two analysts within our organization's security department who work with the solution.
How are customer service and support?
Some of the technical forethought for the deployment was not as good as I would have expected. Some of the technical blocks that can exist in an organization of our size, issues that needed to be thought about, were not taken into account at their end. That required more input on our side, so that is why I would rate their support at eight out of 10 overall. But regarding the product itself, their technical skills are a 10. It was more when it came to the difficulties in a more complex environment that they were slightly lacking.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We did not have a previous solution.
How was the initial setup?
The initial setup was straightforward. They provided us concise instructions on how to deploy the agents. They provided us packages that we could then deploy within our package deployment mechanisms, and they supplied us with the necessary tools to be able to deploy the agents quickly and easily.
Netsurion's support during our deployment process was very good. They were very helpful and attentive to us as customers. Their assistance in the onboarding process certainly helped with the product's time-to-value because we were able to deploy the agents in a short period of time and to start getting actionable intelligence pretty quickly.
Within a couple of weeks of their providing us the packages, we started deploying agents and, within a couple of months, we already had enough logs being ingested to have at least some initial, actionable intelligence.
The implementation strategy was, first of all, to have enough collectors around our network to ingest the logs from the sources, and enough log source ports to be able to handle the quantity of log sources coming in. After that came the preparation of the agents and the mechanism through which the agents were to be deployed. This strategy helped to make the deployment faster and easier.
What about the implementation team?
It was handled internally by our IT operations.
What was our ROI?
We have seen ROI in the fact that we had actionable intelligence within six months of deployment.
What's my experience with pricing, setup cost, and licensing?
The amount we pay for the service that we get is good. If it were to be much more expensive, it would not have the same value for the money.
Which other solutions did I evaluate?
We evaluated McAfee Managed Detection and Response, Splunk, and Rapid7 against Netsurion Managed Threat Protection. The biggest difference was the cost.
What other advice do I have?
If you're concerned about Netsurion's SOC being located outside of the US, I would say that location of the SOC is irrelevant. Rather, you should evaluate the skills of the SOC and the SOC management.
And if someone at another company said they are not sure that they need managed services, I would say to them that they had better make sure they have enough money to have their own internal team.
My other advice would be to make sure that Netsurion gives you a good deal compared to the other vendors.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Technology Coordinator at Magnolia Bank, Incorporated
Gives us a picture of our network environment, including VPN access and real-time alerts
Pros and Cons
- "The network alert is the most valuable feature. That way, we in the IT department are aware of user lockout and invalid password attempts way before a user ever even calls in."
- "There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, but which requires a solid-state hard drive... Depending on how many logs you have it could take a long time to return the results if you're looking back prior to the last 30 days."
What is our primary use case?
We use it to monitor our firewall logs for all of our locations, all of our network logs, and alerts. We also monitor any new users added to the network or who are locked out, any new installs or uninstalls of applications on servers. And we have reports generated for any types of processes or hashes that have been run on computers or servers.
How has it helped my organization?
It gives us a real idea of our network environment, VPN access, alerts and more. We are able to identify where we're getting scanned externally from potentially malicious IP addresses. We can react to those a lot quicker than we could previously.
EventTracker has increased productivity and saved us time, absolutely. We would have to hire a full-time person to review logs if we didn't have EventTracker. I get daily and weekly reports that I review within an hour or two, each day, versus having to go look at logs on each machine. It would take me three or four times as long to review all those logs if they weren't all in the same dashboard report or alert.
What is most valuable?
The network alert is the most valuable feature. That way, we in the IT department are aware of user lockout and invalid password attempts way before a user ever even calls in. We can resolve the issue a whole lot quicker than waiting for the user to call us and figure out that they're locked out of the network or need some assistance with their password or the like.
The system's UI is pretty good, intuitive, and user-friendly.
EventTracker SIEMphonic has been a good add-on piece because doing all the logs can be time-consuming. Having a nice, weekly summary report, and the supplemental logs with them, in the event that you need to dive in any further, is helpful. Having somebody else reviewing those logs as well, on their team, is very helpful and beneficial to us.
What needs improvement?
There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, but which requires a solid-state hard drive. So we have upgraded to the solid state hard drive, but we are waiting for them to migrate over to the new drive, and then we'll see if our search results improve. Depending on how many logs you have it could take a long time to return the results if you're looking back prior to the last 30 days for, say, auditing purposes.
In other areas, it meets or exceeds our expectations.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
It's really stable. It's pretty low-maintenance, once you get it set up, as long as the server that it's hosted on is up. We haven't really had any issues with a system problem with EventTracker since we implemented it.
What do I think about the scalability of the solution?
It's definitely scalable. You can get all the way down to endpoints. They support multiple devices, applications, different firewalls, desktop, laptop. You have the ability to add in those logs. We have chosen not to do that at this time because we're mainly concerned about our servers and our domain, and it captures a lot of those logs. We have some offices that don't have a domain. For them, we just get their firewall logs because we are not too concerned about their individual workstation logs.
How are customer service and technical support?
They are very responsive. They're monitoring stuff as well, with that SIEMphonic piece. They're monitoring your logs and if there's anything you have deemed critical, they're making you aware of it, to make sure that you're aware of it. They do a really good job of following up and trying to do as much as they can to assist you in any way possible.
Which solution did I use previously and why did I switch?
We did not have a previous solution. They had already purchased this product before I came into the organization. There are a couple systems out there where people have reached out to me throughout the years and said, "Will you do a demo or evaluate our system?" But in my opinion, there's nothing that really stands out that would make me want to leave EventTracker.
Even cost-wise, if somebody is cheaper - and I don't believe that they are - it's not significant enough to make that change and go through that whole design and implementation process again, just to save a little bit of money. We are familiar with EventTracker and we're getting the good service that we expect. We really don't have any desire to go with any other vendor at this time.
How was the initial setup?
The initial setup is complex. It really depends on what alerts and reports you're looking at and what you want to filter it down to. It really depends on how much data you're looking at capturing and how to get that configured, working with their team on getting that configured for you. It was a long process from start to finish.
Now that it's in place, there are hardly ever any issues or any hiccups with it. But the initial setup can be a little time-consuming. You have to make sure you have adequate time if you're going to implement SIEM or an event-log correlation system.
Our deployment took a good 60 to 90 days from start to finish, working through all the reports and filtering it down to what we wanted. That included our firewall logs and deploying it on all the machines.
We really didn't have an implementation strategy at that point. We were just trying to get it implemented as quickly as possible on our domain server. Then we expanded it to all of our servers inside our network and then all of our firewalls.
What about the implementation team?
They provided assistance and they do with that SIEMphonic piece. We purchased training from them and then worked with them directly on what we wanted configured and how to configure it. They did most of the heavy lifting of actually configuring the reports and all the alerts. If you want filtering you can ask them, or you have the ability to go in there yourself. I personally don't have a lot of time and resources to do that, so using their staff and the resources has been very beneficial.
Overall, they are very professional and good to work with. Some of their trainers were difficult to understand, as there was a language barrier. Some other staff from outside of the US, some of their training people, the technicians who provided training, were very difficult to understand. Others were not hard to understand. It was a case-by-case issue. But we did have some issues with trying to understand them during the training. We expressed our concerns and, of course, they addressed that. It was a process we worked through.
What was our ROI?
We have absolutely seen a return on our investment in EventTracker.
What's my experience with pricing, setup cost, and licensing?
The solution is fairly expensive, but in my experience, all of the SIEM applications that I've evaluated or looked at cost about the same. It's just what a system like that costs.
Which other solutions did I evaluate?
I've looked at AlienVault. That's the only one that I can recall looking at extensively. But cost-wise it really wasn't worth it to us to switch to that system. It might have had a few more features, but EventTracker has done really well on constantly adding features and changing their UI and adding dashboards and getting more data on there that you want. I have no reason to make a switch.
What other advice do I have?
If it's your first SIEM event-correlation system, be prepared for a long process. That's not just because it's EventTracker. That seems like that's what that process takes. Again, it really depends on what data you want to capture and how much data you want to capture and how you want to review that data. That configuration process can be very time-consuming.
We're on EventTracker 8, but we're getting ready to upgrade to the most recent version of nine, but we have not upgraded yet.
I don't typically use the dashboard widgets. I have everything configured in daily, weekly, and monthly reports. We have real-time alerts configured as well. So I'm not really utilizing the dashboard widgets. I know it has a lot of features and options but I manage the system from the reports and real-time alerts. In terms of the screens we use to view the solution, we mostly use the Excel reports that are generated daily and weekly. I access them, as well as the real-time alerts, from all devices. You can view them and see the details from any type of device. But I'm looking at the alerts through my email client on whatever device I'm on.
We have logs coming from our firewall configured to auto import log data, but we are not manually importing any log data.
Currently there are only two users in EventTracker: myself, as the information security officer and another gentleman here at the bank who is the backup information security officer. He functions more as a backup, but he's never had to step into that role and use the system. He received the training, but I handle the whole system. I'm the only one deploying and maintaining the system.
We have internal staff resources for internal incident management but we do not use the EventTracker SOC team. We handle the incidents internally, leveraging the reports and alerts.
We don't have any plans to increase usage, unless we add one or two offices as we do naturally in our mortgage division.
The difficulty with the language barrier at times with their training and technical support staff is a problem. That's why I'd rate it an eight out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Technology - Business Process Analyst at a financial services firm with 51-200 employees
Enables us to track account creation and deletion and the number of errors in a given system
Pros and Cons
- "The most important feature is keeping track of when accounts are created and deleted, when permission groups are changed, and memberships are changed in groups; and overall, how many errors are occurring on the various systems that we're monitoring."
- "I'd like to see improvement in the ease of generating reports. It seems fairly cumbersome whenever you decide to start tracking new categories of events. It seems a little kludgy when trying to generate those reports."
What is our primary use case?
We're getting some daily reports out of it for different systems regarding passwords expiring, accounts locked out, and a number of events in different categories. We're probably not using it to its fullest potential.
We import log data into the solution from Windows Servers and switch-logs from the Cisco switches. Those are the main things that we feed into the system. We don't have any Linux or any other external systems that we feed into it.
How has it helped my organization?
We use those standard reports every day and monitor them. It does save us some time from having to go out manually and pull that information together. With the daily reports that we get, we can easily scan through them and find any anomalies that are occurring. If a system suddenly starts getting thousands of more errors than it did previously, we know we need to look at something on that system.
The solution has also saved us time due to the fact that it's doing the consolidation of the log files for us. It probably saves us three hours a day.
What is most valuable?
The most important feature is keeping track of when accounts are created and deleted, when permission groups are changed, and memberships are changed in groups; and overall, how many errors are occurring on the various systems that we're monitoring.
The ability to import log data into the solution is very good. It consolidates that information and stores it in a compact manner. It doesn't use a huge amount of disk space to store the history of the logs but still gives us the ability to pull various reports as we need them.
What needs improvement?
I'd like to see improvement in the ease of generating reports. It seems fairly cumbersome whenever you decide to start tracking new categories of events. It seems a little kludgy when trying to generate those reports. Other than that it's fine.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
It's very stable. We put it in place and have ignored it except, for pulling the reports.
What do I think about the scalability of the solution?
In our environment, it works perfectly fine.
How are customer service and technical support?
I've used the technical support a couple times. I've had very good results. In generating those reports, they were able to provide the methods in order to collect the information we needed to collect.
What was our ROI?
I don't know exact numbers on ROI, but in my mind it saves us a lot of time. I have six or seven reports that I can peruse through each day, quickly and efficiently, instead of having to go out and collect that data manually.
What's my experience with pricing, setup cost, and licensing?
Licensing is very easy. Our CIO takes care of the billing, but in terms of price point, he hasn't complained, so it must be good.
What other advice do I have?
Go through some training to know the ins and outs of the application. It has changed quite a bit in the seven years I've worked with it, and it would be a good idea to do some more training to learn all the new features and to make sure you can utilize all the capabilities.
The UI is okay. As I said, we're probably underutilizing the product compared to what we should be using it for. We don't view the information from it on screens. We more go off of the reports that we get daily out of the system.
In our company there are only three people using the system. We're all IT managers. We're only monitoring about 30 systems and we don't have plans to increase usage. Total time for deployment and maintenance would be a part-time IT manager, ten hours a year. In terms of internal staff resources for internal incident management, it's the same three IT specialists.
I would give the solution an eight out of ten. I'm not giving it a ten because of a lack of understanding of the system and some of the kludginess in the generating of reports.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Assistant LAN Administrator at a non-profit with 10,001+ employees
Notifies us about disk space as well as event log errors we need to look at
Pros and Cons
- "The most valuable feature is that we get the events: the alerts about disk space and the security reports that we get once a day, including user lockouts and the like."
- "I would like to see the dashboard come up more quickly."
What is our primary use case?
We use it for Windows event logs, disk space, and other alerts.
How has it helped my organization?
It gives us a heads-up about the disk space and any errors in any event logs that we have to look at. There are times where that saves us time.
What is most valuable?
The most valuable feature is that we get the events: the alerts about disk space and the security reports that we get once a day, including user lockouts and the like. The reports are fine the way they are.
The dashboard is also fine. We haven't configured the dashboard widgets; we just basically go with the default that was there. The dashboard helps by organizing things for us.
Overall, the UI is very helpful. It's user-friendly and relatively intuitive.
What needs improvement?
I would like to see the dashboard come up more quickly.
For how long have I used the solution?
I've been using EventTracker ( /products/eventtracker-reviews ) for about ten years.
How was the initial setup?
The initial setup was straightforward.
What other advice do I have?
Overall, it's very straightforward.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Consulting Engineer at a tech vendor with 10,001+ employees
We can search all event logs and domain controller security events
Pros and Cons
- "The product satisfies our compliance, and thus, all of our auditors. All of the data that we use and store for all security events is required by our auditors to be kept in a central storage location."
- "If we need to do a search for user lockouts, we can go, search, and find locations where they have been locked out, then keep track of those events, historically."
- "The biggest problem is that we have too many domain controllers. So, we have to keep all the clients and main system updated with the latest versions along with making sure all the firewalls are open."
What is our primary use case?
We are using it for audit compliance. Because when we have audits, we are required have a central event log storage location. If we need to do a search for user lockouts, we can go, search, and find locations where they have been locked out, then keep track of those events, historically.
How has it helped my organization?
It was purchased so we would be in compliance. That is our main reason, and it works very well.
The product satisfies our compliance, and thus, all of our auditors. All of the data that we use and store for all security events is required by our auditors to be kept in a central storage location.
EventTracker provides a great place to do our searches for certain types of events. We can go there, run the search engine, and it runs extremely fast, especially compared to the version that we previously used. E.g., instead of connecting to each individual domain controller to search events, we can go to one location.
What is most valuable?
We can search all event logs and domain controller security events.
The dashboard is laid out very well. I handle all the group policy compliance settings, and I get to play the bad guy who locks everybody down.
The UI is fairly good. I have a laptop that I use to connect remotely. I use the simple console, which is sitting at work, and connect to it directly.
What needs improvement?
The biggest problem is that we have too many domain controllers. So, we have to keep all the clients and main system updated with the latest versions along with making sure all the firewalls are open.
For how long have I used the solution?
More than five years.
What do I think about the stability of the solution?
It is very stable. The product has been very smooth to work with recently. I am extremely happy with the way that it is right now.
We have had issues with it in the older versions (7.2). Because of our number of events that we generate, it used to stall and take a long time to do searches. Once we upgraded to 8.2, it pretty much resolved those issues. It was around 2015 when we upgraded.
What do I think about the scalability of the solution?
I have not seen any issues with it scaling.
We have close to 40 users in our organization: security administration, help desk, and sysadmins.
How are customer service and technical support?
Usually whenever we call the technical support, it's a big issue. I've not had any problems with them. They have been very responsive.
Which solution did I use previously and why did I switch?
For the compliance, this is probably one of the first product that we got for our Windows side.
What was our ROI?
EventTracker has increased the productivity in our organization.
What's my experience with pricing, setup cost, and licensing?
The upfront costs have increased, and we have been locked into this contract. The cost of changing over from it is way too high.
Going forward, we have to get more licenses for our domain controllers.
Which other solutions did I evaluate?
We are always evaluating new tools. We decided on Netsurion because of its UI and ease of use. My team agrees that the solution is reliable and easy to use.
What other advice do I have?
Get the preferred support. This is for the guy who uses and maintains the back-end of the system. Because if you don't have your firewall configurations configured correctly, you will need to have that support.
All of our domain controller event logs are consolidated and stored on the server. Right now, we are sitting at 101 domain controllers, which is way too many. However, this was one of the main reasons why we purchased it, and it is performing well. The product version that we are on right now is much faster than the version that we were previously on.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Netsurion Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Managed Security Services Providers (MSSP) Security Information and Event Management (SIEM) SOC as a Service Managed Detection and Response (MDR) Extended Detection and Response (XDR)Buyer's Guide
Download our free Netsurion Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- Do we need to use both EDR and Antivirus (AV) solutions for better protection of IT assets?
- What types of Security Operations Center (SOC) deployment models do exist?
- When evaluating Managed Security Services, what aspect do you think is the most important to look for?
- How Managed Security Services (MSS) secure your organization?
- Why is Managed Security Services important for companies?