Chief Information Officer at ECRMC
Real User
Gives us a good quality view of what's going on in our environment
Pros and Cons
  • "There are a host of things that are most valuable. Obviously monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird."
  • "Communication is always something that can be improved, but I feel that any time we've had a communication issue, it's quickly addressed when we bring those up at the monthly meetings. Usually, it's an individual that wasn't clear in the communication, it's not the process per se. You always have to be able to segregate if the process didn't work or an individual either didn't say the right thing or my people didn't understand what they were being told."

What is our primary use case?

EventTracker analyzes all of the different types of security events, it both aggregates and correlates. They send us a daily report of things like servers that aren't responding that normally respond and any kind of events that they see from the day before. If there is a serious perceived security event, they will call. I have two folks at InfoSec, so they will call directly and say, "Hey, we're seeing something here." Then between the two of them, they'll try and identify whether it is a true event or not, and then monthly, we sit down with them on a call where we talk about what's going on and if there are opportunities for improvement.

If there was an event that we felt they shouldn't have escalated to us then we'll let them know and we'll talk about how it could have been avoided or vice versa or if there was an event that we didn't get escalated but it should have been. We don't get a lot of those, mostly it's about, "Hey, we're adding this new device, we want to make sure it's on the list, so it's getting monitored", and things like that.

How has it helped my organization?

EventTracker enables us to keep on top of our work. We're a hospital, so we're 24/7. We don't have enough staff to do that, so they're able to monitor things off-hours, and then even during hours I get two people from InfoSec. They can't be sitting there staring at a screen all the time, they have to go out and do other things and attend meetings, etc., and so they're able to rely on the tool to correlate and then notify them either via pager or phone call if something comes up that is deemed to be important enough to be notified. That's huge for us because we don't have the budget from a staffing standpoint to have people on-site 24/7.

Back in the day, I used to work for Intel and we had a whole room full of people who just sat there and stared at the screen for events. It was in their data center group. We don't have that kind of staff. The only people half staring at a screen all day long are the call center, and they're the ones who take tickets and talk to end-users but they don't have the time to sit there and monitor the event logs and all of the other things. That's the value the tool gives us. I can have people doing real work and then things that need to be escalated are escalated. It saves us roughly two full-time employees. It cuts my team in half. 

EventTracker also helps us with compliance mandates. The tool helps us document that we're following best practice, that we're identifying issues and tracking them, and that we have logs of what issues were identified. That allows us to be able to show a lot of the documentation that we are really doing best practice. I just don't physically have enough team members to do that. This allows me to be able to provide that 24/7.

It's not just a tool, it's a service. The secret sauce is not the tool. I could buy a tool from a dozen vendors. I have a tool to be able to aggregate and correlate all of these events and send something to a screen. But if I still have to have somebody sitting there staring at a screen all day long, that's valuable but not as valuable as someone that has a team, that is an essential SOC, that is aware of what's going on in the world and is saying "I'm seeing this in seven places, including El Centro, let's get ahold of El Centro so they can start taking action on it."

There's nobody that's dedicated to internal incident management. I have two information security folks and they do everything from internal incident management to designing new implementations, to reviews of existing annual information, and security audits. They do all of that, but they don't sit there all day long, staring at a screen, looking at incidents, and trying to figure out what to do. That's the value that we get out of it. That's the extra value.

What is most valuable?

Monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird.

I like the dashboard. Our security folks look at it all the time. They have it running, they have a big screen monitor in one of their offices and it's up all the time.

I don't use the UI very much but from what I've been told by the security team, it's very easy to use. Compared to other products, the team found it pretty easy to use. We've got the dashboards published on a large screen TV so they can look at it all the time, and then they typically have it on their desk. It is also available on smartphones.

We import log data into EventTracker. It feeds the overall picture of giving us a good quality view of what's going on in our environment.

What needs improvement?

Communication is always something that can be improved, but I feel that any time we've had a communication issue, it's quickly addressed when we bring those up at the monthly meetings. Usually, it's an individual that wasn't clear in the communication, it's not the process per se. You always have to be able to segregate if the process didn't work or an individual either didn't say the right thing or my people didn't understand what they were being told. So far, I have not understood or heard of any issues that were more process or tool-related, it's individual-related. 

The industry is changing. The landscape is changing all the time and they seem to do a pretty good job of keeping up with that. That's a challenge in information security. That's a target that doesn't just move. It moves from room to room, to room, not just a few inches, one way or the other. You're constantly changing. You're chasing a moving target that's really moving. It boils it down to here's what we think is going on versus our people. If all they did was keep track of what was going on in the industry, that's all they'd do because I only have two people.

Buyer's Guide
Netsurion
January 2025
Learn what your peers think about Netsurion. Get advice and tips from experienced pros sharing their opinions. Updated: January 2025.
831,265 professionals have used our research since 2012.

For how long have I used the solution?

I have been using EventTracker since I have been at my company for the past year but it's been at my company for several years. 

What do I think about the stability of the solution?

It is as stable as a rock. I have not heard of a single outage on it.

What do I think about the scalability of the solution?

We haven't scaled it out to anything other than what we had. They've done a pretty good job of implementing it. Since I've been here, we've had a virtual server primarily here and there, but we have not done a lot of scaling out. There hasn't been a discussion about what limitations there would be.

It monitors all of our infrastructure, all of our servers. It's being very extensively used. As we grow those, we're getting ready to open a new building early next year, all of the equipment that goes into that building will be added to it.

We fully implemented it so I don't know that there's a lot other than organic growth that would need to be done.

How are customer service and support?

My InfoSec team talks to support occasionally. There have been a few cases where they saw something they didn't quite understand, so they would call and ask for information, but it's been few and far between. I have not heard of any issues with support. I heard that their experience with them has been good. 

Which solution did I use previously and why did I switch?

At a previous company, we used a different tool. It was a much more encompassing tool that does a bunch of different event monitoring, correlation, and aggregation. It was a management suite that did things like backups as well. I know when we implemented it at Intel, it was atrocious. The problem was the process. We had tens of thousands of servers and we implemented the tool and we turned everything on. Events scrolled by the screen so fast, you couldn't even see them. We had to say, "Well, wait a minute. Let's dial this back a little bit." They also didn't do a good job of aggregating or correlating. 

The main difference between that tool and EventTracker is the ease of use. That tool was all CLI based. Everything was command-line based. The syntax that you had to use with that CLI was very challenging and very specific. If you thought you were doing the right thing but something didn't work, it wouldn't warn you that you didn't do it right.

How was the initial setup?

I have not been told that there were any issues when it was implemented. We have not done any major upgrades since I've been here. We've done incremental patch-type things but I don't know of any issues.

I did hear it was relatively labor-intensive, but that's because of all of the processes around the communication, like what gets communicated and what doesn't. That's to be expected anytime you're doing a lot of workflow work, that takes time.

There's daily maintenance in that they're responding to events or they're working on the tool. There is very little done as far as trying to make changes to the tool itself. Our information security team does respond to events. It's a chunk of their time. We don't have to spend a lot of time at all tweaking the tool. I wouldn't say we spend even an hour a day.

I have two people in InfoSec and a couple of people in my network team that review it. My help desk people will review it but they don't really use it per se. They'll see events and that's it. Most of the time that really goes to the information security team.

What was our ROI?

Our ROI is $160,000 a year before overhead, then adding in the overhead of 30 to 40% with benefits and everything else, it's easily over $200,000 a year.

What's my experience with pricing, setup cost, and licensing?

They've been very fair. I think that we've had to push back a little bit here and there on pricing. 

What other advice do I have?

The biggest lesson I have learned is that the outsourcing of this service has a dramatic impact on the organization. We can't just keep throwing bodies at it internally, we have to leverage somebody else's knowledge.

Some people don't trust outsourcing. I'm not a big outsourcing guy. But I really don't treat them as an outsource, I treat them more as a partner. You're going to have to do this one way or the other, or you are going to get nailed at some point. That's just the way it is. If you're not following these things, you're going to get nailed. If you trust them and you realize that they're doing things that you should be doing or are doing, you're going to save a lot of money. It's going to be cost-effective for you. It won't just save money, it will be cost-effective.

I would rate EventTracker a ten out of ten. 

Having dealt with a lot of vendors and their sales, they are probably one of the more low-keyed. They're not out there constantly trying to sell me stuff. I don't know if it's because we have everything so there's nothing left to sell or not, but they've been very easy to deal with. Their leadership and their sales organization have been very easy to deal with.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Chief Technology Officer at G&G Outfitters, Inc.
Real User
Identifies potential threats and the remediation that I should take to be able to quell those threats
Pros and Cons
  • "The SIEMs and managed service are its most valuable features. We get a weekly report from them which provides a culmination of them combing through millions of events which are triggered across our network every day and minute. Their information security experts basically boil that down to a report which I get emailed once a week. It identifies potential threats and the remediation that I should take to be able to quell those threats."
  • "The deployment of the agents could be a bit easier. We always seem to have a bit of a challenge with that. A lot of times the agents either don't deploy or they quit responding, then we have to go and redeploy them."

What is our primary use case?

The primary use case is SIEM vulnerability and IDS.

How has it helped my organization?

It is protecting us from cyber threats.

We get a lot of information security audits from our larger clients. I wanted to be able to have intrusion detection and prevention, vulnerability scanning, and SIEM because those are always the questions, "Do you maintain your logs? Do you look at them? How do you take proactive action?" EventTracker managed service gives me the right answers for all those questions and has saved me time when answering these questions.

What is most valuable?

The SIEMs and managed service are its most valuable features. We get a weekly report from them which provides a culmination of them combing through millions of events which are triggered across our network every day and minute. Their information security experts basically boil that down to a report which I get emailed once a week. It identifies potential threats and the remediation that I should take to be able to quell those threats.

I don't have a CISO and don't have the budget to bring a CISO in. Therefore, it basically allows me to outsource the information security officer to EventTracker and have them perform that role for the company.

With the dashboards, I can very quickly see if there are any pending threats or anything that I should take action against. It has a very easy to use interface. Instead of having to go run reports and digging through millions of entries of data, I can have a couple of key metrics brought right up to me through the dashboard and be able to review that information, then either send it on to my networking team to address something or have comfort that we're in a good footing security-wise.

The solution's UI is very good now. It went through a transition phase from four years ago to today. With each iteration, we started on version 6 or 7, then we went to 8, and now we're on 9. Each one has been a large improvement for user usability and the user interface. It is more modern and easier to use. We usually view it on Internet Explorer or Chrome. I use my laptop to view it and find it a comfortable view.

I rely on them to tell me what features should be rolled out and come out. They are always introducing me to new threats and other things that we need to be looking out for. They say, "By the way, we're looking for these now on the weekly report for you." They are the ones that I just outsourced this to.

What needs improvement?

The deployment of the agents could be a bit easier. We always seem to have a bit of a challenge with that. A lot of times the agents either don't deploy or they quit responding, then we have to go and redeploy them. That gets frustrating.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

It has been very stable for me. I can't say that I have ever known it to be down in the last four years unless we were rebooting it ourselves to do maintenance, like caching on the server.

Version 9 was a tremendous upgrade for the dashboard. The performance of the new version with the Elasticsearch edition is a real improvement. Previously, running reports would take a long time, and now reports are very easy to slice and dice, then look through the data and dashboards. The dashboards are very helpful if I want to add a new widget. I can email the control center, then they will just add it to my dashboard for me.

What do I think about the scalability of the solution?

It has accomplished what I wanted it to accomplish. If anything, I'm downsizing servers by moving it to the cloud. So, I'm not really adding more to what it needs to manage.

A network engineer and I are the two users for this solution. It is currently deployed across all of our desktops, servers, and VMs. I don't have any expectations to expand it, except for if I hire a new employee and put a new desktop in, but I doubt we are going to be putting new servers in.

We are getting on average 1.6 to 1.7 million events a day.

How are customer service and technical support?

The technical support is very good and responsive. If I send an email to them, I always get a response within an hour. I don't generally have any emergencies happen. When we've had an emergency situation, they've also been really good to jump on and help remediate the situation. For example, we had a virus that was detected, and they were the ones that identified it early on during their review of the SIEM. They were there to help us through the remediation, getting it blocked, and blocking any exfiltration that the virus was trying to do. Afterwards, during the post-mortem and giving me documentation on what they had seen, how we'd reacted to it so that I can put together a post-mortem for the executive team, they participated in that. Overall, they have a really strong support team.

Which solution did I use previously and why did I switch?

We did not use another solution prior to EventTracker.

How was the initial setup?

The initial setup was straightforward because they did it. We just had to give them a virtual machine that met their specs, then they installed the software and got it all configured for us. So, it was pretty easy and only took a network engineer from our company.

It did not take more than a couple days to get everything installed, running, tuned, etc. We installed the software first, then we installed the agents second.

We have a network engineer doing the maintenance for it.

What about the implementation team?

Netsurion did the installation. We did not work with a third-party consultant.

What was our ROI?

I haven't measured the ROI. We don't do normal budgets, as we are not that big of a company. We are mid-sized.

What's my experience with pricing, setup cost, and licensing?

The pricing and licensing seem very reasonable. The managed service part of it feels like it gives me the equivalent of a full-time engineer for a lot less money. So, I feel it's a good value.

Which other solutions did I evaluate?

I was doing a cursory review of different things by doing a web search, like a Google search, and looking at different options. I came across Netsurion, who are local to us, and I knew the VP of Sales, and I always like to work with people who I have a relationship with.

What other advice do I have?

The solution has been everything that I've asked for from a service standpoint, software standpoint, and support. I have no complaints.

My advice would be to engage them to do the installation. The managed service is great value which saves you a full-time employee on your staff by being able to outsource it to EventTracker to review all the logs and cull through the data to make recommendations and identify threats, then how to remediate them. They provide it to you in your weekly or daily report, depending on how frequently you want to have them do it, which is based on your compliance. If you have compliance requirements for HIPAA, PCI, etc., it is a great benefit to help an organization meet their compliance requirements.

We have internal staff resources for internal incident management. We leverage the EventTracker SOC team. When we detected the virus, we kept in contact with the EventTracker SOC team and sent them emails, and they would call me and say that they see it on this server or that desktop, and we'd go and take it off of the network and clean it. Then, we would put it back on and they'd watch to see if they saw any traffic that was not supposed to be coming from that server. For the whole remediation process, they were sort of part of the team.

Data is all configured to automatically go in. We deployed their agents, and those agents just send the log data directly to the SIEM. We don't manually upload anything.

We did not integrate it with any other solutions.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2273475 - PeerSpot reviewer
CIO at a computer software company with 501-1,000 employees
Real User
We have a unified view and a devoted team to make sure our environment is secure
Pros and Cons
  • "They have a number of integrations with different products. Google Workspace is one of them, and Microsoft Azure is another one. They integrate with a number of other things, such as Duo for multi-factor authentication. They can pull the logs from Duo to see if users are coming from bad repeatable IPs or if there are malicious known IPs that may be popping up in the logs. They are able to see that, and they can identify that. Some of the other integrations they do are from inside your network. For firewalls, they can integrate with SonicWall, Cisco, Fortinet, etc. They have a pretty wide variety of things to integrate with and be able to pull the logins from those devices."
  • "They have their programs and tools that you have to put into your own environment. We basically ingest all the log data and then push it out to them. I wish it was a little bit different than that where we just push directly towards them. I do not know if that is a function that they thought would be better in terms of security, but I wish that instead of doing that, it should go from the device to them and not from the device to another system and then out to them. There seem to be some drawbacks to doing that."

What is our primary use case?

We use Netsurion as a managed SOC provider for them to be able to do visibility scanning on all of the devices within our network and to look through the log events that we have coming out of the devices and SaaS products that we have. They are looking at the logins through Microsoft Azure and Google Workspace, aggregating all that, and doing some investigative work to see if there are any incidents where there might be a possible malicious activity or any possible intrusions into the network. If there are any problems or issues that may occur and if they do find things, they are able to notify our team of those things or those findings that may be a problem for us. They send us an email to let us know what to look into and how to remediate things. That is how we have been using them.

How has it helped my organization?

We do not have a security team. By implementing Netsurion, we could utilize an external team to be able to investigate those things where we do not have the expertise or people to do that. That was the number one reason why we went to them and asked for help from them. We purchased their services to monitor all those things.

The integration of Netsurion with our security tools gives a unified view of our threat landscape. It brings everything into one single pane of glass type of view. We can see everything going on in our infrastructure. It is pretty important for us to be able to see everything in a single report rather than going through ten different tools, which can be a bit annoying. Having Netsurion describe everything in detail in one report has been pretty valuable.

Netsurion has been a pretty flexible solution for helping us protect our entire IT environment. For everything that I have asked from them in terms of adding certain SaaS products, devices, or anything like that, they usually had a solution to get them integrated into their product. It might not be the best integration, but they have figured out a way to get our security stuff into Netsurion.

There have been some incidents in the past where we had a scare of a possible virus infecting one of our machines or of possible intrusion. We pushed it up to their SOC team. They did investigative work and came back and told us their findings, such as things being fine on those devices and so on and so forth. Their SOC team has been pretty good in the sense of being able to jump on things and be able to work with us on possible issues that crop up.

Netsurion's SOC is pretty good for eliminating false positives. They have done a pretty good job of going through a lot of the log data that we have. They go through hundreds of tickets in a month, but we only see the reports. They only come up with critical or warning items. We get a handful of those compared to all the tickets that they create on their side that may look like suspicious things on their end. They do a pretty good job of looking and working out a lot of false positives on their end.

Netsurion has helped to boost our SecOps productivity by decreasing tedious SecOps management tasks. They have been able to provide a way of monitoring things so that we do not have to do that. They have been watching the environment and only bringing things to our attention when we really need to. That is something that we did not have in the past. We never had a security team, and we needed someone to watch everything. They are able to watch everything and look through everything that we have on our infrastructure, such as SaaS products and other products. They have shown value by only bringing up the cases that truly need interaction from our side. My team is able to go into a system or one of the SaaS products that we use and take action on certain things. They do the investigative work, and they do the penetration scanning and things like that and notice things. They bring anything they find to our attention. They have steps or procedures to take action on those things. Once we get all that information, our team goes into those devices or services to make changes based on their recommendations for the issues they found. In the case of a security incident, Netsurion has improved our ability to remediate.

What is most valuable?

They have a number of integrations with different products. Google Workspace is one of them, and Microsoft Azure is another one. They integrate with a number of other things, such as Duo for multi-factor authentication. They can pull the logs from Duo to see if users are coming from bad repeatable IPs or if there are malicious known IPs that may be popping up in the logs. They are able to see that, and they can identify that. Some of the other integrations they do are from inside your network. For firewalls, they can integrate with SonicWall, Cisco, Fortinet, etc. They have a pretty wide variety of things to integrate with and be able to pull the logins from those devices.

What needs improvement?

Integration-wise, there is a pretty vast area of things that they are able to integrate with, but some of the tools they have are not so great. One of my pet peeves right now is the maturity of the agents that you install on Windows and Linux devices. On the Linux side, it has not been a great experience. They support CentOS and Ubuntu, but the client tends to be a little bit cumbersome and not so great. It is just okay. It is not so great because the agent that they use is basically like a SysLog forwarder of the log system of the Linux system. When it gets pushed out, they do not receive the data as a hostname. It just comes back as an IP, so they are not able to detect the hostname. There are little tedious things here and there that I have not been happy about. This is one of them.

They have their programs and tools that you have to put into your own environment. We basically ingest all the log data and then push it out to them. I wish it was a little bit different than that where we just push directly towards them. I do not know if that is a function that they thought would be better in terms of security, but I wish that instead of doing that, it should go from the device to them and not from the device to another system and then out to them. There seem to be some drawbacks to doing that.

They need to work on the tools they have. The UI of EventTracker, which is a proprietary piece of software that they built, needs improvement. It is not the friendliest thing in the world. Those are the things that they should probably work on. I know that a lot of their tools have been specifically built around their team, and their team is very familiar with it, but that is an area they probably need to work on to get their customers or even get more clients. They need to work on the UI of EventTracker.

For how long have I used the solution?

I have been using Netsurion for a little over two years.

What do I think about the stability of the solution?

I have not seen anything that has been detrimental in using the services. However, using the tool tends to be slow sometimes.

What do I think about the scalability of the solution?

It is pretty scalable. They can handle a pretty large environment if they want to. Our environment is comparatively small compared to other corporate environments out there.

How are customer service and support?

We have not necessarily contacted them. We probably only sent them emails a couple of times in the beginning when we had some issues with getting some of the integrations done. I would rate their support team an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We did not use any other solution previously.

How was the initial setup?

Some of it is a bit tedious. I am trying to get everything integrated for a lot of our servers and devices. That is a part of getting any managed SOC and intertwining them into our environment so they can start watching things.

In terms of maintenance, client-wise, when they do send out patches or any sort of client updates, we have to push them.

What's my experience with pricing, setup cost, and licensing?

It is a bit expensive as compared to some of the other products that have come out in recent years. Expense-wise, the only downside is that it is not cheap.

Which other solutions did I evaluate?

We looked at a couple of solutions.

What other advice do I have?

If you want a team that is pretty devoted to making sure your environment is secure, you should go for Netsurion. They have been on top of a lot of things. We have constant emails coming in. They jump on things. Their support team has been pretty good to work with for working through issues. However, on the software side, they are just okay. They need to work on some of their tools. They need some work on that side, but if you are looking for a pretty devoted team to watch your environment, they are pretty good.

Overall, I would rate Netsurion an eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer1754532 - PeerSpot reviewer
Network Administrator at a construction company with 501-1,000 employees
Real User
The SOC team takes care of everything, though I would like faster responses from them
Pros and Cons
  • "Their SOC team manages vulnerability management and IOC reviews. They stop bad processes when they happen. The best thing is their weekly reviews of what has been going on in the infrastructure as well as the things that they see and what we should look out for."
  • "The MITRE ATT&CK framework could be faster when identifying and understanding sophisticated threats. Whenever something happens, we usually get notified a couple hours later."

What is our primary use case?

Since we can't have 24/7 operations for our SOC, we hire out for that and have it as a managed service. This makes much more sense and allows us to focus on the day-to-day activities of the company.

How has it helped my organization?

Since it is a managed service, they take care of everything for us and just reach out when they have a question, there is an incident, or an important alert. That is the most important part for me because that allows me to focus elsewhere.

It allows us to avoid needing to employ people to stay during evening hours, which is a positive.

The solution provides an embedded MITRE ATT&CK framework. The framework is relatively new. I like that it is a curated knowledge base now. It is very important because it lets everyone know what is going on and being observed in the real world. It definitely helps in the analysis of whatever threat is found. Remediation is already built into the framework.

What is most valuable?

Their SOC team manages vulnerability management and IOC reviews. They stop bad processes when they happen. The best thing is their weekly reviews of what has been going on in the infrastructure as well as the things that they see and what we should look out for.

We haven't had any incidents, which is a good thing. It is a valuable product.

The solution provides actionable threat intelligence. It is not a passive service. They go in and perform mitigations on whatever they find. It is timely. They provide context, so it is understood by anyone who receives these reports.

It is important that Netsurion Managed Threat Protection has enabled us to consolidate cybersecurity technology, including SIEM, network traffic analysis, and endpoint security.

What needs improvement?

I would like faster responses when things are found. For example, when they inform me, it is usually when they begin to respond.

The MITRE ATT&CK framework could be faster when identifying and understanding sophisticated threats. Whenever something happens, we usually get notified a couple hours later.

Their SOC team can't understand our network because they haven't worked in the actual company. This does negatively affect security posture, e.g., if you don't have knowledge about the network, then you will miss things.

Personally, I would have deployed it on its own independent server. It uses a lot of IOPS and resources. Now, we have contention between our other servers on the same cluster.

For how long have I used the solution?

I have been using it for at least three years. It was installed at the company before I joined.

What do I think about the scalability of the solution?

It scales fine.

It is being used throughout all our systems non-stop, so we don't have plans to increase the usage or utilize it in different ways.

One person can maintain and work with the solution.

How are customer service and support?

The SOC component is the most important part of the solution. I know who the SOC team is, so it is not someone different every time. I have seen changes in the team. However, for the most part, the team is usually steady. They are professionals in this and do a good job. 

They could improve by having faster communications. They always get back to us on the same day, but it is usually a few hours later. It would be nice if it was within an hour.

How would you rate customer service and support?

Neutral

What was our ROI?

We have seen time and cost savings. It prevents us from having to hire specialized people for this type of work. We would need to hire six staff members to accommodate the same service.

What other advice do I have?

If you are not going to go for their managed service, then you will need to hire a SOC team, and if you are not going to hire a SOC team, then you are messing up.

I am sure that other companies have their own SOC teams instead of having a SOC-managed service, but this solution makes it cost effective for us.

I would rate it as a six out of 10.

Which deployment model are you using for this solution?

On-premises

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Technology Coordinator at Magnolia Bank, Incorporated
Real User
Gives us a picture of our network environment, including VPN access and real-time alerts
Pros and Cons
  • "The network alert is the most valuable feature. That way, we in the IT department are aware of user lockout and invalid password attempts way before a user ever even calls in."
  • "There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, but which requires a solid-state hard drive... Depending on how many logs you have it could take a long time to return the results if you're looking back prior to the last 30 days."

What is our primary use case?

We use it to monitor our firewall logs for all of our locations, all of our network logs, and alerts. We also monitor any new users added to the network or who are locked out, any new installs or uninstalls of applications on servers. And we have reports generated for any types of processes or hashes that have been run on computers or servers.

How has it helped my organization?

It gives us a real idea of our network environment, VPN access, alerts and more. We are able to identify where we're getting scanned externally from potentially malicious IP addresses. We can react to those a lot quicker than we could previously.

EventTracker has increased productivity and saved us time, absolutely. We would have to hire a full-time person to review logs if we didn't have EventTracker. I get daily and weekly reports that I review within an hour or two, each day, versus having to go look at logs on each machine. It would take me three or four times as long to review all those logs if they weren't all in the same dashboard report or alert.

What is most valuable?

The network alert is the most valuable feature. That way, we in the IT department are aware of user lockout and invalid password attempts way before a user ever even calls in. We can resolve the issue a whole lot quicker than waiting for the user to call us and figure out that they're locked out of the network or need some assistance with their password or the like.

The system's UI is pretty good, intuitive, and user-friendly.

EventTracker SIEMphonic has been a good add-on piece because doing all the logs can be time-consuming. Having a nice, weekly summary report, and the supplemental logs with them, in the event that you need to dive in any further, is helpful. Having somebody else reviewing those logs as well, on their team, is very helpful and beneficial to us.

What needs improvement?

There are some issues with searches taking a long period of time, but they assured me that they have implemented a new search function that's available in version 9, but which requires a solid-state hard drive. So we have upgraded to the solid state hard drive, but we are waiting for them to migrate over to the new drive, and then we'll see if our search results improve. Depending on how many logs you have it could take a long time to return the results if you're looking back prior to the last 30 days for, say, auditing purposes.

In other areas, it meets or exceeds our expectations.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

It's really stable. It's pretty low-maintenance, once you get it set up, as long as the server that it's hosted on is up. We haven't really had any issues with a system problem with EventTracker since we implemented it.

What do I think about the scalability of the solution?

It's definitely scalable. You can get all the way down to endpoints. They support multiple devices, applications, different firewalls, desktop, laptop. You have the ability to add in those logs. We have chosen not to do that at this time because we're mainly concerned about our servers and our domain, and it captures a lot of those logs. We have some offices that don't have a domain. For them, we just get their firewall logs because we are not too concerned about their individual workstation logs.

How are customer service and technical support?

They are very responsive. They're monitoring stuff as well, with that SIEMphonic piece. They're monitoring your logs and if there's anything you have deemed critical, they're making you aware of it, to make sure that you're aware of it. They do a really good job of following up and trying to do as much as they can to assist you in any way possible.

Which solution did I use previously and why did I switch?

We did not have a previous solution. They had already purchased this product before I came into the organization. There are a couple of systems out there where people have reached out to me throughout the years and said, "Will you do a demo or evaluate our system?" But in my opinion, there's nothing that really stands out that would make me want to leave EventTracker.

Even cost-wise, if somebody is cheaper - and I don't believe that they are - it's not significant enough to make that change and go through that whole design and implementation process again, just to save a little bit of money. We are familiar with EventTracker and we're getting the good service that we expect. We really don't have any desire to go with any other vendor at this time.

How was the initial setup?

The initial setup is complex. It really depends on what alerts and reports you're looking at and what you want to filter it down to. It really depends on how much data you're looking at capturing and how to get that configured, working with their team on getting that configured for you. It was a long process from start to finish.

Now that it's in place, there are hardly ever any issues or any hiccups with it. But the initial setup can be a little time-consuming. You have to make sure you have adequate time if you're going to implement SIEM or an event-log correlation system.

Our deployment took a good 60 to 90 days from start to finish, working through all the reports and filtering it down to what we wanted. That included our firewall logs and deploying it on all the machines.

We really didn't have an implementation strategy at that point. We were just trying to get it implemented as quickly as possible on our domain server. Then we expanded it to all of our servers inside our network and then all of our firewalls.

What about the implementation team?

They provided assistance and they do with that SIEMphonic piece. We purchased training from them and then worked with them directly on what we wanted configured and how to configure it. They did most of the heavy lifting of actually configuring the reports and all the alerts. If you want filtering you can ask them, or you have the ability to go in there yourself. I personally don't have a lot of time and resources to do that, so using their staff and the resources has been very beneficial.

Overall, they are very professional and good to work with. Some of their trainers were difficult to understand, as there was a language barrier. Some other staff from outside of the US, some of their training people, the technicians who provided training, were very difficult to understand. Others were not hard to understand. It was a case-by-case issue. But we did have some issues with trying to understand them during the training. We expressed our concerns and, of course, they addressed that. It was a process we worked through.

What was our ROI?

We have absolutely seen a return on our investment in EventTracker.

What's my experience with pricing, setup cost, and licensing?

The solution is fairly expensive, but in my experience, all of the SIEM applications that I've evaluated or looked at cost about the same. It's just what a system like that costs.

Which other solutions did I evaluate?

I've looked at AlienVault. That's the only one that I can recall looking at extensively. But cost-wise it really wasn't worth it to us to switch to that system. It might have had a few more features, but EventTracker has done really well on constantly adding features and changing their UI and adding dashboards and getting more data on there that you want. I have no reason to make a switch.

What other advice do I have?

If it's your first SIEM event-correlation system, be prepared for a long process. That's not just because it's EventTracker. That seems like that's what that process takes. Again, it really depends on what data you want to capture and how much data you want to capture and how you want to review that data. That configuration process can be very time-consuming.

We're on EventTracker 8, but we're getting ready to upgrade to the most recent version of nine, but we have not upgraded yet.

I don't typically use the dashboard widgets. I have everything configured in daily, weekly, and monthly reports. We have real-time alerts configured as well. So I'm not really utilizing the dashboard widgets. I know it has a lot of features and options but I manage the system from the reports and real-time alerts. In terms of the screens we use to view the solution, we mostly use the Excel reports that are generated daily and weekly. I access them, as well as the real-time alerts, from all devices. You can view them and see the details from any type of device. But I'm looking at the alerts through my email client on whatever device I'm on.

We have logs coming from our firewall configured to auto import log data, but we are not manually importing any log data.

Currently there are only two users in EventTracker: myself, as the information security officer, and another gentleman here at the bank who is the backup information security officer. He functions more as a backup, but he's never had to step into that role and use the system. He received the training, but I handle the whole system. I'm the only one deploying and maintaining the system.

We have internal staff resources for internal incident management but we do not use the EventTracker SOC team. We handle the incidents internally, leveraging the reports and alerts.

We don't have any plans to increase usage, unless we add one or two offices as we do naturally in our mortgage division.

The difficulty with the language barrier at times with their training and technical support staff is a problem. That's why I'd rate it an eight out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Technology - Business Process Analyst at a financial services firm with 51-200 employees
Real User
Enables us to track account creation and deletion and the number of errors in a given system
Pros and Cons
  • "The most important feature is keeping track of when accounts are created and deleted, when permission groups are changed, and memberships are changed in groups; and overall, how many errors are occurring on the various systems that we're monitoring."
  • "I'd like to see improvement in the ease of generating reports. It seems fairly cumbersome whenever you decide to start tracking new categories of events. It seems a little kludgy when trying to generate those reports."

What is our primary use case?

We're getting some daily reports out of it for different systems regarding passwords expiring, accounts locked out, and a number of events in different categories. We're probably not using it to its fullest potential.

We import log data into the solution from Windows Servers and switch-logs from the Cisco switches. Those are the main things that we feed into the system. We don't have any Linux or any other external systems that we feed into it.

How has it helped my organization?

We use those standard reports every day and monitor them. It does save us some time from having to go out manually and pull that information together. With the daily reports that we get, we can easily scan through them and find any anomalies that are occurring. If a system suddenly starts getting thousands more errors than it did previously, we know we need to look at something on that system.

The solution has also saved us time due to the fact that it's doing the consolidation of the log files for us. It probably saves us three hours a day.

What is most valuable?

The most important feature is keeping track of when accounts are created and deleted, when permission groups are changed, and memberships are changed in groups; and overall, how many errors are occurring on the various systems that we're monitoring.

The ability to import log data into the solution is very good. It consolidates that information and stores it in a compact manner. It doesn't use a huge amount of disk space to store the history of the logs but still gives us the ability to pull various reports as we need them.

What needs improvement?

I'd like to see improvement in the ease of generating reports. It seems fairly cumbersome whenever you decide to start tracking new categories of events. It seems a little kludgy when trying to generate those reports. Other than that it's fine.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It's very stable. We put it in place and have ignored it, except for pulling the reports.

What do I think about the scalability of the solution?

In our environment, it works perfectly fine.

How are customer service and technical support?

I've used the technical support a couple times. I've had very good results. In generating those reports, they were able to provide the methods in order to collect the information we needed to collect.

What was our ROI?

I don't know exact numbers on ROI, but in my mind it saves us a lot of time. I have six or seven reports that I can peruse through each day, quickly and efficiently, instead of having to go out and collect that data manually.

What's my experience with pricing, setup cost, and licensing?

Licensing is very easy. Our CIO takes care of the billing, but in terms of price point, he hasn't complained, so it must be good.

What other advice do I have?

Go through some training to know the ins and outs of the application. It has changed quite a bit in the seven years I've worked with it, and it would be a good idea to do some more training to learn all the new features and to make sure you can utilize all the capabilities.

The UI is okay. As I said, we're probably underutilizing the product compared to what we should be using it for. We don't view the information from it on screens. We more go off of the reports that we get daily out of the system.

In our company there are only three people using the system. We're all IT managers. We're only monitoring about 30 systems and we don't have plans to increase usage. Total time for deployment and maintenance would be a part-time IT manager, ten hours a year. In terms of internal staff resources for internal incident management, it's the same three IT specialists.

I would give the solution an eight out of ten. I'm not giving it a ten because of a lack of understanding of the system and some of the kludginess in the generating of reports.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
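The reviews above describe the daily reports they rely on: lockouts and invalid password attempts surfaced before a user calls in (the Magnolia Bank review), and account creation and deletion, group membership changes and per-system error counts, with a jump in errors on one system treated as a signal to investigate (this review). The following script is an added illustration of that kind of daily summary; it is not EventTracker or Netsurion code. It reads Windows Security events exported as JSON lines (a constructed sample is embedded), counts the categories by their standard Windows Security event IDs, and flags hosts whose error volume is a multiple of a baseline. The JSON field names (`host`, `event_id`, `user`, `group`, `level`) and the baseline figures are assumptions for the example.

```python
"""Daily Windows Security log summary (constructed example, not vendor code)."""
import json
from collections import Counter, defaultdict

# Standard Windows Security event IDs mapped to the report categories.
CATEGORIES = {
    4720: "account_created",
    4726: "account_deleted",
    4728: "group_member_added",      # member added to a global security group
    4732: "group_member_added",      # member added to a local security group
    4729: "group_member_removed",
    4733: "group_member_removed",
    4740: "account_locked_out",
    4625: "logon_failed",
}

# Constructed sample: one day of events from three hosts (field names assumed).
SAMPLE_EVENTS = """
{"host": "DC01", "event_id": 4720, "user": "jdoe", "subject": "admin1", "level": "Information"}
{"host": "DC01", "event_id": 4732, "user": "jdoe", "group": "Administrators", "subject": "admin1", "level": "Information"}
{"host": "DC01", "event_id": 4625, "user": "asmith", "level": "Information"}
{"host": "DC01", "event_id": 4625, "user": "asmith", "level": "Information"}
{"host": "DC01", "event_id": 4625, "user": "asmith", "level": "Information"}
{"host": "DC01", "event_id": 4740, "user": "asmith", "level": "Information"}
{"host": "DC02", "event_id": 4726, "user": "contractor7", "subject": "admin2", "level": "Information"}
{"host": "APP01", "event_id": 7034, "level": "Error"}
{"host": "APP01", "event_id": 7034, "level": "Error"}
{"host": "APP01", "event_id": 7034, "level": "Error"}
{"host": "APP01", "event_id": 7034, "level": "Error"}
{"host": "DC02", "event_id": 1000, "level": "Error"}
"""

# Constructed baseline: typical daily error count per host.
BASELINE_ERRORS = {"APP01": 1, "DC02": 1, "DC01": 2}


def parse_events(text):
    """Parse a JSON-lines export; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def summarize(events):
    """Count events per category, lockouts and failed logons per user, errors per host."""
    category_counts = Counter()
    lockouts = defaultdict(int)
    failed_logons = Counter()
    errors_per_host = Counter()
    membership_changes = []
    for ev in events:
        cat = CATEGORIES.get(ev.get("event_id"))
        if cat:
            category_counts[cat] += 1
        if cat == "account_locked_out":
            lockouts[ev["user"]] += 1
        elif cat == "logon_failed":
            failed_logons[ev["user"]] += 1
        elif cat in ("group_member_added", "group_member_removed"):
            membership_changes.append((ev["user"], ev.get("group"), cat))
        if ev.get("level") == "Error":
            errors_per_host[ev["host"]] += 1
    return {
        "categories": dict(category_counts),
        "lockouts": dict(lockouts),
        "failed_logons": dict(failed_logons),
        "errors_per_host": dict(errors_per_host),
        "membership_changes": membership_changes,
    }


def error_spikes(errors_per_host, baseline, factor=3):
    """Hosts whose error count is at least `factor` times their baseline (default 1)."""
    return sorted(h for h, n in errors_per_host.items()
                  if n >= factor * baseline.get(h, 1))


def render_report(summary, spikes):
    """Plain-text report suitable for the kind of daily e-mail the reviews describe."""
    lines = ["Daily security summary"]
    for cat, n in sorted(summary["categories"].items()):
        lines.append(f"  {cat}: {n}")
    for user, n in summary["lockouts"].items():
        lines.append(f"  LOCKOUT {user} ({n}x, {summary['failed_logons'].get(user, 0)} failed logons)")
    for user, group, cat in summary["membership_changes"]:
        lines.append(f"  {cat}: {user} -> {group}")
    for host in spikes:
        lines.append(f"  ERROR SPIKE on {host}: {summary['errors_per_host'][host]} errors")
    return "\n".join(lines)


if __name__ == "__main__":
    s = summarize(parse_events(SAMPLE_EVENTS))
    print(render_report(s, error_spikes(s["errors_per_host"], BASELINE_ERRORS)))
```

Malformed lines are skipped rather than aborting the whole run, so one bad export record does not suppress the day's report; pairing each lockout with the user's failed-logon count is what lets the IT department act before the user calls.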
Consultib253 - PeerSpot reviewer
Consulting Engineer at a tech vendor with 10,001+ employees
Real User
We can search all event logs and domain controller security events
Pros and Cons
  • "The product satisfies our compliance, and thus, all of our auditors. All of the data that we use and store for all security events is required by our auditors to be kept in a central storage location."
  • "If we need to do a search for user lockouts, we can go, search, and find locations where they have been locked out, then keep track of those events, historically."
  • "The biggest problem is that we have too many domain controllers. So, we have to keep all the clients and main system updated with the latest versions along with making sure all the firewalls are open."

What is our primary use case?

We are using it for audit compliance, because when we have audits, we are required to have a central event log storage location. If we need to do a search for user lockouts, we can go, search, and find locations where they have been locked out, then keep track of those events, historically.

How has it helped my organization?

It was purchased so we would be in compliance. That is our main reason, and it works very well.

The product satisfies our compliance, and thus, all of our auditors. All of the data that we use and store for all security events is required by our auditors to be kept in a central storage location.

EventTracker provides a great place to do our searches for certain types of events. We can go there, run the search engine, and it runs extremely fast, especially compared to the version that we previously used. E.g., instead of connecting to each individual domain controller to search events, we can go to one location.

What is most valuable?

We can search all event logs and domain controller security events.

The dashboard is laid out very well. I handle all the group policy compliance settings, and I get to play the bad guy who locks everybody down.

The UI is fairly good. I have a laptop that I use to connect remotely. I use the simple console, which is sitting at work, and connect to it directly.

What needs improvement?

The biggest problem is that we have too many domain controllers. So, we have to keep all the clients and main system updated with the latest versions along with making sure all the firewalls are open.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

It is very stable. The product has been very smooth to work with recently. I am extremely happy with the way that it is right now.

We have had issues with it in the older versions (7.2). Because of our number of events that we generate, it used to stall and take a long time to do searches. Once we upgraded to 8.2, it pretty much resolved those issues. It was around 2015 when we upgraded.

What do I think about the scalability of the solution?

I have not seen any issues with it scaling. 

We have close to 40 users in our organization: security administration, help desk, and sysadmins.

How are customer service and technical support?

Usually whenever we call the technical support, it's a big issue. I've not had any problems with them. They have been very responsive.

Which solution did I use previously and why did I switch?

For the compliance, this is probably one of the first products that we got for our Windows side.

What was our ROI?

EventTracker has increased the productivity in our organization.

What's my experience with pricing, setup cost, and licensing?

The upfront costs have increased, and we have been locked into this contract. The cost of changing over from it is way too high.

Going forward, we have to get more licenses for our domain controllers.

Which other solutions did I evaluate?

We are always evaluating new tools. We decided on Netsurion because of its UI and ease of use. My team agrees that the solution is reliable and easy to use.

What other advice do I have?

Get the preferred support. This is for the guy who uses and maintains the back-end of the system. Because if you don't have your firewall configurations configured correctly, you will need to have that support.

All of our domain controller event logs are consolidated and stored on the server. Right now, we are sitting at 101 domain controllers, which is way too many. However, this was one of the main reasons why we purchased it, and it is performing well. The product version that we are on right now is much faster than the version that we were previously on.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Assistan6279 - PeerSpot reviewer
Assistant LAN Administrator at a non-profit with 10,001+ employees
Real User
Notifies us about disk space as well as event log errors we need to look at
Pros and Cons
  • "The most valuable feature is that we get the events: the alerts about disk space and the security reports that we get once a day, including user lockouts and the like."
  • "I would like to see the dashboard come up more quickly."

What is our primary use case?

We use it for Windows event logs, disk space, and other alerts.

How has it helped my organization?

It gives us a heads-up about the disk space and any errors in any event logs that we have to look at. There are times where that saves us time.

What is most valuable?

The most valuable feature is that we get the events: the alerts about disk space and the security reports that we get once a day, including user lockouts and the like. The reports are fine the way they are.

The dashboard is also fine. We haven't configured the dashboard widgets; we just basically go with the default that was there. The dashboard helps by organizing things for us.

Overall, the UI is very helpful. It's user-friendly and relatively intuitive.

What needs improvement?

I would like to see the dashboard come up more quickly.

For how long have I used the solution?

I've been using EventTracker for about ten years.

How was the initial setup?

The initial setup was straightforward.

What other advice do I have?

Overall, it's very straightforward.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.