Securonix Next-Gen SIEM Reviews

We are using it for Azure logins outside of US and Azure brute force use cases. We have use cases for our firewalls, like Palo Alto. These are use cases that we created ourselves. These are not the use cases out-of-the-box that Securonix provided us.

Without this product, my organization would not be able to function at all. It is our main monitoring product for our clients. We monitor everything through it. Securonix Security Analytics is the main process of providing services to our client because we are a 24/7/365 security operations center. So, Securonix is helping me out on daily basis all the time, every minute.

Security Analytics helps provide actionable intelligence on threats related to our use cases, which is very important. They are improving it almost on a daily basis. They send it to us and keep it running on the back-end for all the tenants. If anything gets raised, according to the threat intelligence that they have generated, we will get an alert. We will then start digging into those events. After that, we work with clients to respond to that incident.

The product can help increase efficiency. My analysts were working 12-hour shifts when we started. Now, they are working eight-hour shifts. However, it also depends on the person and how efficient they want to be. My analysts are monitoring, training, and doing their certifications all at the same time. This definitely divides their attention.

Features, like Spotter, are the most valuable. Spotter is a wide range of research for any of the incidents that happened under my clients' data. 

They also have a feature that separates violations according to top violators. So, I can go in and see all the use cases that got preserved under them. It is an intensive search type of thing. You can just keep digging in. There are other policies attached to it. There are some remediation steps and recommendations attached to it. 

Securonix’s analytics-driven approach for helping to find sophisticated threats and reduce false positives is pretty good. We are allowed to fine tune according to our requirements and our clients' requirements, which does reduce false positives. In the last 24 hours, the total number of policies with triggers was 233. When I started with this product, the false positives were 561. Therefore, the solution has helped by tuning or reducing false positives.

It helps us find sophisticated threats.

The monitoring, analysis, and visualization of data that Securonix provides is good. However, there are some things that I would love Securonix to change. For example, they don't allow us to make changes on the graphical reports that they have integrated into the platform. We have to create our own. If we just want to take out one thing, our page should allow us to change that template just for our platform. I'm not talking about changing others' platforms; this is just for my platform. They should allow me to make changes according to my scalability. I would like a little bit more changes in the analytics and visual views that they already have out-of-the-box in the platform. They are working on this, but I have not heard from them for a while. I'm satisfied with the visualization that they have, but I would like to get some more out of it. For example, I am taking the report and manually making changes. I want all those changes already integrated and automated, so they are automatically done in the product.

I would not say its threat hunting is easy or difficult to use. It is medium because it totally depends on the data that is coming to you. It does not depend on the platform. It depends on whether you can find the correct attribute that you need to look at, then you can go further on that. They are working on this. They are introducing more features, e.g., they have a couple of updates pending at this time. They are working on it to cut down the steps. If I am doing 28 steps right now just to onboard our data, then they are cutting those steps down. They are also putting more automation in the solution. While they are working on these improvements, it is just a matter of time. 

It ingests 85% of all our log sources already built into the product when investigating threats. If the data sources have the functionality, Securonix will create a custom parser for us on a request. If the functionality is not there in the product, then there is a difficulty, but we can still ingest it through the file base, etc. However, I am not a big fan of the file base because a user is creating a file per day for data that was generated the day before. Specifically for activity that has already taken place, we can prevent it, but we cannot stop the activity.

I have been using it for a year and three months.

It is pretty stable. Out of 100%, I would rate the stability between 80% to 85%. 20% can be unstable for any product. There can be bugs. There can be a failure in the core or a syntax error in the core. When I notify the support of these types of issues, they quickly fix the problem for me.

We have experienced a few performance issues, about 10%, when Security Analytics is ingesting our log sources. This can happen with any product. We informed them that we are facing this issue and get pretty good support on it. 

Scalability is pretty good. It does grow with our license. We work according to EPS. So, as our EPS pool grows, the solution will keep growing.

Cloud Scale is super scalable. You can scale Securonix pretty well. Even if you have too much data coming in, you can figure things out or put more resources on it. Securonix is pretty good at doing these things. For example, they have load balancers already in place, which automatically take care of these things.

There are 12 of us right now using the solution. I'm the senior engineer, and I have eight analysts who are using it. I have a senior manager who is also using it.

Six months ago, if someone asked me about the support, I would say, "Not good." Now, the support is pretty effective. They try to resolve problems ASAP. For example, if it's a critical ticket, they get it fixed within an hour.

I would rate the support as eight out of 10.

Positive

We had a generic system previously, which has none of the things which have helped us by using Security Analytics. This solution automatically detects threats. There is a response bar that we can deploy. There is an email notification. So, if I am not available, then I will get an email that I can respond to pretty quickly. As far as threat detection, we get policy updates every three minutes. Therefore, if anything is detected, it will be right there on my screen.

I have previously trained on FortiGate and Splunk. Securonix and Splunk are not that different. Splunk has a lot of things on one screen. Whereas, Securonix tries to clean it up.

If you follow the documentation, it is straightforward. If you don't want to read, it will be complex. I don't review documentation anymore. I did it twice when I started, then I went in, wrote a batch script, and automated the whole process. Now, I just need to make some changes before running that script.

The deployment takes 35 minutes on the client side.

I am the only person involved in the managing and deployment of the solution.

If there is any kind of setup that needs to be done on the cloud side, Securonix does that for us. I integrate clients with my platform, but Securonix takes care of the back-end.

The Securonix cloud-native platform helps minimize infrastructure management. We don't need that much manpower. If there is infrastructure to maintain, I need an engineer to maintain infrastructure, a software engineer who will look for the application, a security unit who will look for the threats and attacks, and a response person. Now, I don't need a software engineer or infrastructure engineer. That has gone away. Currently, I need only a security engineer and response person, which one person can do. We can also hire two people to do the different jobs. That is no problem. 

We don't have to put more focus on infrastructure, which helps. There is a little bit of an infrastructure included, but that is a one-time setup thing. You don't need to go and maintain it again and again.

Securonix Security Analytics adds contextual information into security events. For example, on a generic system, if I used to put in an hour, now I'm putting in 35 to 40 minutes on this. So, it's saving me about 20 minutes of time.

Compared to the pricing of other products, Securonix's pricing is pretty good. Clients can get half of the price of other companies by going with Securonix. Other products, like IBM and Splunk, have pretty high pricing. Nowadays, we see CrowdStrike as up and coming, and they are pretty expensive. 

Pricing does depend on what model you are looking for, e.g., are you going for an MSP or single tenant?

I don't find a lot of difference between solutions. Everybody tries to improve their product over time. I do free testing for multiple products, and they are basically copying each other's functions.

I like Securonix because I am familiar with it and can do threat hunting in 10 minutes instead of the 30 minutes that it might take if I used other solutions.

According to my clients and the security world, I cannot eliminate all the false positives because you cannot let false positives go. You need to make sure that there are no attacks attached to that false positive. So, we have a team of analysts who monitor it every time. So, if a false positive policy gets an alert, then we just go ahead and make sure to analyze it. That is okay. If it is a false positive, then we mark it as one. We did eliminate a lot of false positives, but not all of them. It is our choice, not Securonix's, what we want to keep or eliminate.

I would rate Securonix as nine out of 10.

We mostly use it for user-behavior analytics. It is used for all the behaviors related to users. In terms of the environment, there are multiple connections at different sites and locations, and there is also integration with other platforms. For some endpoint use cases, I have to do integrations with different customers who already have the platform.

Its deployment is hybrid. The cloud providers are Amazon and Google Cloud Platform.

When we have an endpoint threat, we have to move very quickly. We detect it through another tool that is associated with Securonix, and automatically the endpoint is isolated from the network. We also get some information for investigation and forensics allowing us to understand the type of threat. We get to know whether it is related to the endpoint or user behavior. We can get information on web-application firewalls and other solutions connected to Securonix, which allows us to understand the depth of the threat for a specific use case.

It provides actionable intelligence on threats related to our use case. After the alerts, we can isolate the endpoints and make some modifications. We can also do some searches about the related IP on the internet and intelligence platforms. That's very nice.

This actionable intelligence is pretty important. When we integrate different platforms, Securonix provides a lot of visibility and allows us to see the whole environment, not just a part. I have been working mostly on the endpoint side, but other people who are working on wider use cases can see all the dashboards and improve the security posture with Securonix.

Its analytics-driven approach to finding sophisticated threats and reducing false positives is very important. With other similar tools, we have to work a lot to reduce or manage false positives. We have to improve the rules and integrations because there are a lot of false positives. With Securonix, we have fewer false positives, and there is also automatic recognition for false positives allowing us to move very quickly.

It adds contextual information related to the use cases. My use case is very specific, but my partners and other teams get a lot of contextual information related to the whole company. It provides a lot of analytics related to a threat in terms of user behavior, environment, and target applications, such as databases, which is very important.

It has saved a lot of investigation time. As compared to other solutions, it has saved more than 50% time.

It has improved the threat detection response and reduced noise from false positives as compared to our previous SIEM solutions. The improvement in the response time is dependent on the scenario, but generally, it is about 40% more effective. When it comes to false positives, it is about 60% more effective.

It has been helpful in detecting advanced threats faster and lowering response times, but I don't have the metrics. 

Its console is very easy to use and configure. It is very intuitive for our use cases. App integrations are also pretty nice. 

It could be improved a little bit more for admin users. There should be more administrative options related to security for admin users. For example, for forensic purposes, the admin should be able to stop a specific user from erasing some information. I would be helpful in certain situations, such as during an internal fraud.

I have used it for two years separately, in 2020 and the last year, 2021.

Its stability is pretty nice because we don't have too many problems with it. The complexity is related to what we want to see. There are no issues with the performance. We have not experienced any performance issues when the solution is ingesting all of our log sources. 

It is 100% cloud. So, its scalability is pretty nice. We have all the capabilities and options to grow. Our environment has more or less four locations with about 1,000 devices. We don't have any plans to increase its usage in the near future.

I have had to call support three or four times, and I would rate them a ten out of ten.

Positive

I have worked with Splunk and LogRhythm. I am using Securonix because, in this company, most of our clients are using Securonix. So, I had to learn how it works and understand its architecture and capabilities. It is very easy to understand for anyone who has worked with similar solutions. It is 90% easier than Splunk, which has a lot of code. Securonix is very radical and intuitive.

I wasn't involved in its setup and onboarding process, but I would assume that it is very quick. That's because it is very simple to use for my use cases, and they have nice support and help.

Its maintenance is pretty lightweight. We have another team that is in charge of that. There are most probably two people who take care of SIEM and cybersecurity solutions.

Securonix cloud-native platform helps to minimize infrastructure management. It allows us to focus on threats versus engineering or managing the platform.

We have surely seen an ROI when we look at multiple threats that we have been able to prevent.

It improves analysts' efficiency to do more with less time. By using the contextual information that it provides, we can be more accurate in our investigation. It has saved about 30% time.

Its pricing is quite similar to others and is very competitive. The other solutions have different types of licensing, but when you do the math, it is competitive.

You should know your environment and connectivity requirements very well. You should understand the analytics that Securonix is providing for the team. You can make a lot of improvements based on those analytics.

I would rate it a ten out of ten.

We use Securonix Next-Gen SIEM primarily for managed SOC, focusing on threat detection, baselining, and ensuring the maturity of our SOC security operations. 

It is integrated with threat intelligence and utilizes frameworks like MITRE ATT&CK and the Cyber Kill Chain. 

The solution helps in threat detection, especially with use cases like brute force attacks, port scans (both horizontal and vertical), other insider threat activities, Privileged access abuse, Ransomware detection and Data exfiltration prevention. We also customize and fine-tune these use cases based on our requirements.

Securonix Next-Gen SIEM has significantly improved the visibility of tools and technologies within the environment. 

It enhances our security posture by providing comprehensive oversight of users and devices, aiding in threat detection and prevention. 

Additionally, its scalability and ease of onboarding new devices and technologies have streamlined our security operations.

The most valuable feature of Securonix Next-Gen SIEM is its advance analytics, flexibility and scalability. We ingest billions of logs without worrying about resource allocation. This makes it a robust and cost-effective solution for our needs. Its user entity and behavior analytics (UEBA) are also integral for detecting insider threats and lateral movements within the organization. These features help organizations strengthen their security posture, protect sensitive data, and maintain compliance with strict regulatory requirements.

The dashboards in Securonix Next-Gen SIEM need more customization and informational capabilities. 

The reporting features also require improvements. 

Additionally, the multi-tenancy functionality should be enhanced to allow individual consoles for different customers, which is currently a limitation. This feedback has been given to Securonix for future improvements.

I have previous experience with Securonix Next-Gen SIEM for almost three years in deployment management and baselining in my past experience.

Securonix Next-Gen SIEM is very stable and reliable, but like any sophisticated security platform, its stability depends on several factors, including deployment architecture, environment, and proper maintenance. It handles billions of logs efficiently, along with the managed service, ensure its reliable performance especially when deployed in the cloud. However, to maintain long-term stability, it's important to ensure the platform is well-resourced, updated regularly, and properly configured. When implemented correctly, Securonix SIEM delivers reliable performance and security monitoring without significant interruptions.

The scalability of Securonix Next-Gen SIEM is seamless. We don't have to worry about resource allocation as long as we have the required EPS licenses. The solution is designed to scale according to our needs without any hassle.

Securonix is generally regarded for its strong customer service and support, which is a critical factor in ensuring the success of complex security solutions like SIEM. Overall, Securonix offers solid and responsive support with a team that is technically proficient and helpful, especially in complex deployments. The proactive guidance, customization support, and strong documentation make it easier for organizations to implement and maintain their SIEM effectively. However, for critical issues, it's advisable to escalate promptly and ensure you're engaging the appropriate level of support for your organization's needs. 

Positive

Prior to Securonix, we evaluated LogRhythm and IBM QRadar. Based on our company’s requirements, reduced operational overhead, lower TCO and improved threat detection Securonix Next-Gen SIEM was the best fit.

The initial setup includes evaluating technology that fits our organizational needs, signing NDAs, scoping, providing inventory, and EPS calculation. Once we procure the licenses, there is an expectation setting for onboarding, followed by workflows for exchanging guides, documents, and prerequisites. After the environment is ready, we proceed with onboarding.

I was closely working with the internal team and the vendor, leading the project. Including me, there were four people involved in the onboarding and baselining part.

From a business point of view, it can be assessed in both quantitative and qualitative terms. The ROI may vary depending on the organization’s size, security needs, and how well the platform is utilized and is highly positive in environments with high compliance requirements, frequent security incidents, or large amounts of data to process. By reducing incidents, improving operational efficiency, and simplifying compliance, the cost savings and protection against expensive breaches can quickly outweigh the initial investment.

The pricing of Securonix Next-Gen SIEM is reasonable, especially considering the package they provide. If we went with the same package with another vendor, it would be significantly more expensive. It’s value for money.

Before choosing Securonix, we evaluated LogRhythm and IBM QRadar. Based on our requirements need for more advanced analytics, scalability, better cloud integration, and automated threat detection., Securonix Next-Gen SIEM was found to be the best fit.

My recommendation would be to evaluate the solution precisely based on the company's requirements to avoid scalability issues in the future. Careful calculation of the EPS during initial sizing is crucial as it can become costly to procure additional EPS licenses later.

I'd rate the solution eight out of ten.

Securonix or SNYPR is a UEBA tool. It has all the features. It can work as a traditional SIEM as well as do behavior-based analysis. 

In terms of deployment, it is on the cloud. It is hosted with Securonix. We are using it as a service, however i have worked on premise deployements as well.

We have this tool to monitor all types of log activities. It can monitor whatever is happening. It can monitor traffic-related things, and it can monitor EDR and all types of logs. It has a set of use cases, and it can alert us if any abnormal activities are happening and if there is any suspicious and malicious traffic. It definitely does 24x7 monitoring of the activities happening in our environment and the type of possible attack that can happen in any of the environments.

It provides a lot of analytics. For handling alerts, we have a manual approach, and it is a team effort. Whenever there is a flag or violation, we check the behavior in the tool or in the UI itself. We can check each and everything in the tool itself. On the basis of that, we identify whether something is a false positive or not. If it is a false positive, we work on the policy condition.

An analyst's efficiency is all about the analytics present in the tool. They provide sufficient analytics. Recently, they have added one more analytics. They already have more than 15 analytics for threat detection purposes. They definitely help us to do more in less time. 

In our environment, we do not have external TPI integrated. So, we don't have any external sources for IOCs. With Securonix, all the IOCs are available in their Threat Lab. We are using that feature, and we are also receiving the reports. They check our environment against the IOCs available in their lab and provide us with the report. So far, we haven't got any high severity or medium severity issues. Whatever we got has been of low severity. Sometimes, we see traffic coming from a particular IP address continually, which is blocked in our fiber. We get to know that we have to be very careful about this external, malicious IP address that is trying to hit our environment. Because we do not have the external IOCs or TPIs integrated, we find this report very useful. 

It adds contextual information to security events, which is very helpful.

SNYPR has a bundle of features. It has the UEBA feature that tells you about the behavior of a person or entity. In the tool itself, there is an incident management feature, which is definitely valuable. It is a value-added item. It also has third-party TPI.

SNYPR is valuable for any organization because it is not only a traditional SIEM. It is also a UEBA tool. It does behavior analytics. As a UEBA tool, it has a lot of features. You can see a lot of things in the UI itself. It provides a lot of analytics. You can see how a policy is working and how it is giving you the flags if you want to reduce false positives. You can have all the visibility in the UI itself. You don't need to check anything in the backend for this.

It has a feature called Threat Model to identify a threat. For intelligence, it has a feature called Autonomous Threat Sweep that is valuable. 

Sometimes, there is instability in the data in terms of the customization of the time. They should work on stability on tool. However 6.4 jupiter version is much more stable.

I have been working with this tool since 2018 till today.

They have improved it a lot over time. We don't see a lot of issues related to stability in our environment. Sometimes, we see instability issues, but they are not very regular.

Performance-wise, it is good. It has a lot of analytics. We see the value in having this tool. Our management is also happy with the tool. It is reliable. We had a lot of configuration mistakes in our environment, and we could detect them with the tool.

It is scalable. We have 1,500 active users. We are operating in the US at three locations.

In terms of the integration of the data sources or the log sources with the Securonix tool, if the connectors are available, we never see any difficulty. I have integrated more than 50 log sources with Securonix. However, if they don't have a connector, we won't have any option for integration. This is common to all the SIEM tools. It isn't something that's specific to this. In any of the SIEM tools, if the connector isn't available, you won't have any option to integrate.

Their support has improved it a lot, They do support us or they do reply to us, but they need to be very fast. They need to be very quick. I would rate them nine out of ten in terms of support.

Positive

I started with Securonix itself. I have read about other solutions such as QRadar and Splunk, but I did not get a chance to work on these tools.

It was not at all difficult for me to use Securonix's interface. This is the first tool that I used. It was not difficult for me to learn. Its interface is very user-friendly, and I don't think anyone will face difficulty operating the tool. Everything is displayed nicely.

When we have a cloud deployment or we take it as a service, we don't get involved in the deployment of the SNYPR application, but we do get involved with on-prem Remote Ingester. So, application deployment is done by Securonix, but the integration with other sources is done by us. We don't have any difficulties with the integration because we have been working with it for a long time. So, we're aware of the backend and how to integrate. It is quite simple and easy. We also have a call with Securonix SME twice a week.

The maintenance is handled by Securonix themselves. They sometimes do the monthly maintenance. We only get the notification, and we know of the maintenance window. After maintenance, we check everything. We just validate that everything is working fine. They also validate from their end, but we also validate. We haven't had any difficulty after the maintenance or upgrade. It always works fine. There are no issues.

The Securonix cloud-native platform helps minimize infrastructure management. We don't need to buy a server. We don't need to manage it. 

It is a good solution, but it definitely requires some improvements. It has already improved a lot. They are upgrading it in every build, and it is getting better. They work on policy decommission. Whenever a policy gets old or replicated, they remove the policy. They work on the content refresh. For example, last year when we had the Log4j vulnerability, they immediately updated their content and applied the policy. They provided an update for the Log4j vulnerability.

I would definitely recommend this tool. It is really a good tool. It has all the features available. I don't know anything about the pricing. I don't know if it is more expensive or cheap as compared to the other tools, but as a UEBA tool, I would definitely recommend it to everyone.

Overall, I would rate it an 9.5 out of ten.

We have customized the uses of the platform for our benefit. In general, we use it for failed access attempts, network issues, and allowed/blocked, and we have use cases for platforms such as Windows Server.

We are a service company and partners of various vendors. We provide support to customers. Our strategy is that each piece of equipment sold to customers comes with value-added service, and Securonix protects our customers.

It is an excellent tool that helps us optimize threat-hunting operations, detect intrusive events on the network, and respond to security incidents. It is a tool that helps debug false positives and eliminate noisy alerts. It helps us focus on the alerts that we should take into account for analysis.

Using old, traditional SIEMs did not provide us with the same responsiveness and ability to operate. And if they did provide us with something similar, we needed more staff to review things, event by event. That meant some risky events could occur unnoticed. With Securonix, those issues no longer exist. Securonix shows us information that we must consider as a threat and helps us know when to start an investigation to avoid an incident.

It's very good at adding contextual information to security events. It has reduced the time spent by admins on the dashboard. They can now see information connected to attack risks or even users. The single dashboard alerts them and quickly reports if there is any threat.

It has helped us to better understand what is happening in our network through the indicators of compromise. We have saved days of work. And it optimizes the time that analysts take to review events, compared to other tools that do not have as much intelligence and as many indicators. With Securonix, the information automatically enters and adds intelligence to the indicators. This saves a lot of time that would otherwise be spent reviewing noisy data. It saves our analyst between four and eight hours when analyzing events.

When it comes to advanced threats, it shows us the threats or events that have been detected, with their risk level. It shows us a vulnerability bar and that helps us see who is looking at us, who is trying to deliver certain information to our systems, who exploited us, or if there is any alert due to someone extracting certain information. The automation of information delivery has facilitated everything, saving us three or four days.

For optimization and data analysis, it has a good evaluation engine for repeat offenders and that has helped us to detect, on time, what other basic SIEMs did not detect. Those other solutions needed more time to detect at that same level.

We can customize our use cases with the tools provided by Securonix.

It is an excellent tool that can ingest data in different ways and is very flexible.

Securonix could open up information regarding the indicators of compromise or cyber-threat intelligence databases that they use. The idea is that they share what threats they are detecting.

I have been using Securonix Next-Gen SIEM for about a year.

It is stable, both in the cloud and on the servers. We have never had access problems or experienced any performance issues.

Scaling is flexible. If we fall short in terms of EPS, we would simply increase the EPS. And if the RIN server has low resources, as it is a virtual machine we could increase the resources according to the data quantity.

It is an excellent option for the cloud in terms of scalability. It is flexible for both us and our clients. We have plans to increase usage for certain customers.

The support is excellent. At the service level, they attend to us quickly. We have a post-sale person who follows up in some cases. He can also see the tickets and can escalate something according to the urgency.

Positive

We used a traditional SIEM where everything was very manual. It did not have threat intelligence or threat hunting of compromises, while Securonix has those features.

We changed because we wanted a good tool to automate certain manual processes so that everything is more flexible. With Securonix, you have the option of integrating with other indicator-of-compromise services, and that helps create a more powerful platform and eliminate false positives.

I started the process of design and continued with onboarding and implementation. The initial implementation was simple, but we had some delays because we had new solutions and we had to create new templates. But in general, if you have traditional solutions that have a template, it is easy to implement. It would take a week.

As for our implementation strategy, the tool that we had previously had a forwarding functionality, so what we did was deploy information to the RIN and, from there, sent the information to the cloud. After that, we created a pipeline and sent the rest of the events so that we could take the previous SIEM out of production.

The sources took a month to incorporate. It took us a month to get access to the teams because we do not manage certain teams. It was a bureaucratic process.

Securonix does the maintenance. It doesn't require work from us. They send us emails indicating that the system is going to have a brief reboot and it takes a short amount of time. 

We hired an onboarding engineer from Securonix who helped us with the implementation of the RIN. He explained the process to us until we understood everything.

Our experience with the onboarding engineer was good. He helped us with any questions we had and followed up through emails.

For the implementation of Securonix, we only needed one person from our side. I was the point of contact with our other areas.

Where we see our best return on investment is in the time and manpower we save. Before Securonix, our staff had to investigate events constantly. Now, one engineer with some expertise is enough to speed things up and give the rest of the admins time to do other things.

The pricing is fine compared to the market but I think that at some point the competitors will catch up on price. It would be good if, for example, there were an option to offer customers who have used the solution for more than a year some kind of additional trial or service.

There is no cost outside of the standard licensing fee, other than an initial installation service charge. Otherwise, there is simply a monthly cost for the service.

We were thinking about Splunk, QRadar, and Rapid7. One of the drawbacks of those systems would be the infrastructure. Many of the other platforms, including McAfee, need boxes or deployment servers in our infrastructure or our clients' infrastructures and, in many cases, the infrastructure is growing continuously.

With Securonix, that does not happen. It is a cloud solution that only requires a small deployment server with low resources, depending on how many events are received. And all that information is stored in the cloud as well.

The cost, compared to other solutions, is better.

Compared to other platforms, it is very simple yet, at the same time, it is very efficient because it packs information into a glance. After that, it gives you the option of hunting threats and that can be initiated on the dashboard.

It is very intuitive. A person who has a certain notion of cyber security can move quickly since it gives you information about any attack. It gives you a summary and it gives you links to receive information. And if you don't have much knowledge of the tool, you can always take the courses that are free on the web. Doing so helped us understand the solution.

This is a solution that will help you a lot in hardware processing and in optimizing the time it takes to review events, which is what admins often spend their time doing.

There are things on the network that you can't see with traditional tools. There are tools that don't give you the visibility that Securonix gives you.

Foreign Language:

(Spanish)

¿Cuál es nuestro caso de uso principal?

Hemos personalizado los usos de la plataforma para nuestro beneficio. En general, lo usamos para intentos de acceso fallidos, problemas de red y permisos/bloqueos, y tenemos casos de uso para plataformas como Windows Server.

Somos una empresa de servicios y socios de varios proveedores. Brindamos soporte a los clientes. Nuestra estrategia es que cada equipo vendido a los clientes venga con un servicio de valor agregado, y Securonix protege a nuestros clientes.

¿Qué es lo más valioso?

Para optimización y análisis de datos tiene un buen motor de evaluación de reincidentes y eso nos ha ayudado a detectar, a tiempo, lo que otros SIEM básicos no detectaban. Esas otras soluciones necesitaban más tiempo para detectar al mismo nivel.

​​Podemos personalizar nuestros casos de uso con las herramientas proporcionadas por Securonix.

Es una excelente herramienta que puede ingerir datos de diferentes maneras y es muy flexible.

¿Por cuánto tiempo he usado la solución?

He estado usando Securonix Next-Gen SIEM durante un año aproximadamente.

¿Qué opino de la escalabilidad de la solución?

El escalado es flexible. Si nos quedamos cortos en términos de EPS, simplemente aumentaríamos el EPS. Y si el servidor RIN tiene pocos recursos, al ser una máquina virtual podríamos aumentar los recursos según la cantidad de datos.

Es una excelente opción para la nube en términos de escalabilidad. Es flexible tanto para nosotros como para nuestros clientes. Tenemos planes para aumentar el uso para ciertos clientes.

¿Cómo son el servicio de atención al cliente y el soporte?

El soporte es excelente. A nivel de servicio nos atienden rápido. Contamos con una persona de post venta que da seguimiento en algunos casos. También puede ver los tickets y puede escalar algo según la urgencia.

¿Cómo calificaría el servicio y soporte al cliente?

Positivo.

¿Qué solución usé anteriormente y por qué cambié?

Usamos un SIEM tradicional donde todo era muy manual. No tenía inteligencia de amenazas o búsqueda de amenazas de compromisos, mientras que Securonix tiene esas características.

Cambiamos porque queríamos una buena herramienta para automatizar ciertos procesos manuales para que todo sea más flexible. Con Securonix, tienes la opción de integrarte con otros servicios de indicadores de compromiso, y eso ayuda a crear una plataforma más poderosa y eliminar los falsos positivos.

¿Cómo fue la configuración inicial?

Comencé el proceso de diseño y continué con la incorporación e implementación. La implementación inicial fue simple, pero tuvimos algunos retrasos porque teníamos nuevas soluciones y tuvimos que crear nuevos modelos. Pero, en general, si tiene soluciones tradicionales que tienen un modelo creado, es fácil de implementar. Tardaría una semana.\

En cuanto a nuestra estrategia de implementación, la herramienta que teníamos anteriormente tenía una funcionalidad de reenvío, entonces lo que hicimos fue desplegar información al RIN y de ahí enviamos la información a la nube. Después de eso, creamos una canalización y enviamos el resto de los eventos para que pudiéramos sacar de producción el SIEM anterior.

Las fuentes tardaron un mes en incorporarse. Nos tomó un mes tener acceso a los equipos porque no administramos ciertos equipos. Fue un proceso burocrático.\

Securonix hace el mantenimiento. No requiere trabajo de nosotros. Nos envían correos electrónicos que indican que el sistema se reiniciará brevemente y normalmente no tarda mucho.

¿Y el equipo de implementación?

Contratamos a un ingeniero de incorporación de Securonix que nos ayudó con la implementación del RIN. Nos explicó el proceso hasta que entendimos todo.

Nuestra experiencia con el ingeniero de incorporación fue buena. Nos ayudó con cualquier pregunta que tuviéramos y nos dio seguimiento a través de correos electrónicos.

Para la implementación de Securonix, solo necesitábamos una persona de nuestro lado. Yo era el punto de contacto con nuestras otras áreas.

¿Cuál fue nuestro Retorno de Inversión?

Donde vemos nuestro mejor retorno de la inversión es en el tiempo y la mano de obra que ahorramos. Antes de Securonix, nuestro personal tenía que investigar eventos constantemente. Ahora, un ingeniero con algo de experiencia es suficiente para acelerar las cosas y dar tiempo al resto de los administradores para hacer otras cosas.

¿Cuál es mi experiencia con los precios, el costo de configuración y las licencias?

El precio está bien en comparación con el mercado, pero creo que en algún momento los competidores alcanzarán el precio. Sería bueno que, por ejemplo, hubiera una opción para ofrecer a los clientes que han utilizado la solución durante más de un año algún tipo de servicio adicional.

No hay ningún costo fuera de la tarifa de licencia estándar, aparte de un cargo por servicio de instalación inicial. De lo contrario, simplemente hay un costo mensual por el servicio.

¿Qué otras soluciones evalué?

Estábamos pensando en Splunk, QRadar y Rapid7. Uno de los inconvenientes de esos sistemas sería la infraestructura. Muchas de las otras plataformas, incluida McAfee, necesitan cajas o servidores de implementación en nuestra infraestructura o en las infraestructuras de nuestros clientes y, en muchos casos, la infraestructura crece continuamente.

Con Securonix, eso no sucede. Es una solución en la nube que solo requiere un pequeño servidor de implementación con pocos recursos, dependiendo de cuántos eventos se reciban. Y toda esa información también se almacena en la nube.

El costo, en comparación con otras soluciones, es mejor.

Comparado con otras plataformas, es muy simple pero, al mismo tiempo, es muy eficiente porque empaqueta la información en un vistazo. Después de eso, le da la opción de cazar amenazas y eso puede iniciarse en el tablero.

Es muy intuitivo. Una persona que tiene cierta noción de ciberseguridad puede moverse rápidamente ya que te da información sobre cualquier ataque. Te da un resumen y te da enlaces para recibir información. Y si no tienes mucho conocimiento de la herramienta, siempre puedes tomar los cursos que están gratis en la web. Hacerlo nos ayudó a comprender la solución.

¿Qué otro consejo tengo?

Esta es una solución que ayudará mucho en el procesamiento de hardware y en la optimización del tiempo que lleva revisar los eventos, que es a lo que los administradores suelen dedicar su tiempo.\

Hay cosas en la red que no puedes ver con las herramientas tradicionales. Hay herramientas que no te dan la visibilidad que te da Securonix.

I use this solution for security monitoring and user behavior analytics. Banks, governments, and the oil and gas sector utilize it.

The software includes user behavior interactions, dashboards, and training capabilities. These features are interactive, allowing for comprehensive engagement.

In terms of improvements, SIEM could have better integration with other technologies. 

Additionally, it might benefit from integration with other sources, such as firewalls. It all depends on specific use cases.

I have been using the solution for three years.

I have found the solution to be stable.

The system is very scalable, and I would rate it around eight out of ten.

I find customer service to be very good.

Neutral

The initial setup is not very complex, however, it does have its intricacies, and I would rate it around seven out of ten.

The return on investment depends on the customer. It typically takes at least a year to realize the value.

Comparatively, it is reasonable when compared to solutions like Splunk and Exabeam. Licensing is based on events per second (EPS), costing between $50 to $60 per EPS.

My rating for the solution would be around eight out of ten. 

If organizations are on a journey to move to cloud, I recommend transitioning to Securonix over an on-premise solution due to its ease of deployment in cloud.

We mainly use Securonix for SIEM software architecture and for logs. We generate all the logs from different APIs and firewalls. We also have created other policies. Securonix is the primary tool we use to get everything done for our projects and architecture. We even use it for other solutions like AD.

Primarily, I work on violations and policies, not the backend. As an analyst, I work on SIEM.

The solution is deployed on a private cloud. It is deployed with Microsoft Azure.

Everyone has access to SIEM, but they don't have admin access. We mainly have three people and a team lead on the Azure Securonix team. I am the backup and work on the operational side of that team. Everyone has read-only access except the three team members. 

Securonix primarily helps with our log code situation. We found a vulnerability last December, so it helped us gather logs for that. We informed our vendor, and they provided some queries on how to get those vulnerabilities and logs.

I normally work on policies and face a lot of false positives. We reduced many false positives since using this solution. Securonix has definitely helped improve our threat detection response and reduced noise from false positives.

Sometimes we face threats and sign-in logs from different countries, but we're able to resolve those. Sometimes we face malicious activities from traffic but it's very rare. It happens about twice a month.

Securonix helps a lot with monitoring. My project is in the monitoring and operational stage, so it's a primary tool I use to monitor everything. The implementation stage has already been completed. We have created policies for all kinds of tools and APIs.

As we are the client, most of us don't have the SIEM threat model feature. There isn't a lot of proper information about how to implement that. Customer service doesn't have a proper idea either. We are lagging in this area, but it's good overall.

In some cases, we have observed that people start getting login failures, so we checked the logs from Securonix and resolved the issue. In that way, it's helped.

Securonix Next-Gen helps us detect advanced threats faster and gives us lower response times. Sometimes we face a data source delay and it's impacted badly, but overall it serves us a lot.

I haven't faced any data loss since using Securonix.

The most valuable feature is that it works on user behavior and event rarities. Those features are in Splunk too, but they're not as effective. Securonix's customer service is also pretty good.

It's not difficult to use the interface, but there's a lot of documentation to read.

We haven't experienced any performance issues when ingesting log sources and investigating threats. The response is good.

Parsing needs to be improved. Every time we integrate a new, specific data source, we face a lot of problems in parsing, even for the old data source. That should be updated on a regular basis.

In some of the policies, the geographical location for a single IP is from a specific country, but the IP doesn't match. For instance, if the log is from China, the actual location of that IP will be from somewhere else, not China.

I have been using this solution for more than a year.

It's reliable and very stable. We haven't faced any major or even minor issues with security.

It's definitely scalable and fulfills my needs.

Technical support is good, but sometimes we face delays with responses.

I would rate technical support as nine out of ten.

Positive

The solution was already in the mid-stage of implementation when I joined the organization. I mostly worked on fine-tuning the policies.

We have a team that takes care of maintenance updates. The solution needed some updates because the user behavior wasn't working properly for some of the policies. As of now, instead of using user behavior, we use event rarity. After version 6.4 is implemented, the issue will be resolved. There are two or three more issues we have that will be resolved after the update.

I would rate this solution a nine out of ten. 

My advice is to get a proper idea of the tool you are working on and be sure to read the documentation.

Our primary use case is monitoring attacks on our cloud environment.

The solution's behavior analytics, in terms of detecting cyber and insider threats, are very effective. We are getting actionable results. When I say actionable results, not every finding is going to be a threat, but every finding is worth investigation. Depending on the investigation, some of them are real threats, some are just bad hygiene, and some are a good finding but not a threat for us. So there is work we still need to do. But whatever they are pointing us to is worth investigating. And that is what I expect from the product.

The solution's behavior analytics help to prioritize advanced threats. That's exactly what I mean by "actionable threats." One of the key pain points for us, previously, was that the solution we were using was giving us a lot of low-value indicators which we couldn't even act on. With this solution we have fewer alerts but they're actionable alerts.

From there on, it is on our analyst to then decide which ones are threats. And based on that, what we have done with a few things. In some cases we have changed our security policies so that we can have more rules in place to give us stronger access control and better governance around our workstation usage policy. There were certain things we could do to improve our employee behavior and it enabled us to take those steps. Based on some of the cyber-related threats it identified, we were able to upgrade the software we were using for our endpoints so that we had the strongest possible defense. There are certain things that are real threats and certain things that are bad hygiene and in both cases it's still valuable for us to take action.

Moving from on-prem to cloud, our analyst's time and effort have been reduced by half. I had to have two people working on the product before we got Securonix. We are a small company so we had two people dedicated: One was creating use cases, maintaining the application; the other was the analyst who was investigating. When we moved to the cloud, the operations part was taken care of by Securonix. They manage the use cases, they manage the upgrades. Now I don't need to have a dedicated person to do that. And my analyst gets higher-value threats to investigate.

In summary: First, I have been able to reduce my overhead by half. And second, my analyst is a lot more efficient and the noise in my environment is reduced by at least 70 percent. I was getting seven times more alerts to look at to get to the same results. Now my analyst can go deeper, versus having to rule out seven other things which are not useful.

Also, there were a couple of instances of insider threats where we had employee accounts compromised through phishing. Someone got an email from an email address that looked like a valid email address but it was not. It had the first name and last name correct, but the company name was misspelled. The employee clicked on it and his account was compromised. That compromised account was then used to access intellectual property in our environment. Securonix was able to detect that threat. If that data had been leaked, that would have been millions of dollars in losses for us because everything we do is our intellectual property. Securonix, with its behavior analytics, was able to detect that this account was behaving differently, that it was trying to scan all our shared folders and access a lot of documents in a very short period of time. They were all source code files and the employee whose account was compromised was not even a developer. That was one of the biggest threats it detected.

The other thing it is very good at identifying is that now, with everything in the cloud, there are no firewalls involved. People can, through social engineering, find out what your email address is and then try to guess your password and access your cloud environment. We see a lot of these brute-force types of activities in the cloud, and Securonix is able to detect a lot of those threats as well. We have some automation in place where we can block or challenge the user with additional credentials. We were able to put that in place as well, as a preventative measure, to stop our cloud environment from being compromised. That's is a big area of concern for us.

In terms of operational overhead, one of the benefits is configuration. With our previous product, the issue was that we had to figure out the use case. It was "do-it-yourself." But Securonix is providing us with packaged "apps" for insider threats or cyber threats. So now I don't have to create my own content. In addition, when we were doing this on-prem, we had to have hardware, to worry about patching the hardware. Then we had to worry about patching the operating system. Then we had to worry about patching the Securonix application. All of that, maintaining compliance, was a full-time job. Now, with SaaS, we don't need to do any of that. Securonix maintains it. The third advantage is availability. With on-prem, if you have a network issue, you tend to lose the data for that period of time. With the cloud solution, we have SLAs with Securonix for 99.9 percent uptime. That means I don't have to worry about an outage in the data center or a loss of data. I can hold the vendor accountable for that. So another overhead that I don't need to worry about is disaster-recovery planning for my implementation internally. That is something that the vendor takes care of and I can just focus on monitoring the SLAs that I have with them.

When we were looking for products for our security monitoring needs, our biggest requirement was that we wanted something based on machine-learning and analytics. If you go with rules, it can raise a lot of noise. Securonix, with its UEBA capability, had the best analytics use-cases.

Our number-two criterion comes from the fact that we are a cloud-first company, so we needed a solution that would work in the cloud and work with the cloud. Working in the cloud means it would be a service, a SaaS offering. And working with the cloud means it would integrate with our cloud applications and monitor our cloud environment. Their product was the most-ready SaaS product in the industry.

The solution's cloud-monitoring functionality is the only thing we use, because we are a cloud company. Our Office is Office 365, our HR system is BambooHR. Everything we use is hosted in the cloud. So cloud monitoring is the number-one use case for us. In addition to those applications, the solution monitors Salesforce, which our sales team uses, Concur, which is our time and expense system, and it monitors our own application that we use for providing service to our customers. And finally, it monitors our AWS environment.

They have done a great job building the API-based connectors so they can automatically pull data from these applications. They have packaged use-cases that they provide us and, in certain applications, those use-cases are still a work in progress. But I feel confident that the content they have is good and they're improving on it continuously. There's a lot of development that happens on the cloud front. For example, Office365 changes every three months. Cloud applications are new so there's a lot that goes on with these applications. So vendors have to keep updating their content to align with where the cloud application is. Securonix is doing a good job of staying abreast with the latest and greatest developments on the cloud-vendor side and updating their content. A lot of their competition is very poor. We had QRadar in our environment but it couldn't even connect to Office365. From there to where we are today, it's a huge improvement.

The UX could be simpler. I know they're working on it. I would like to have one dashboard that has everything in it. We have compliance needs. We have investigation needs. And we have situations where an analyst needs to look at threats. These three things require a different view of how they look at the threats. What would be good is to have Securonix create three different views of their Security Command Center so that, depending on the persona of the person logging in, they'd get the relevant data they need and not see everything.

It is a SaaS solution. We are looking at 99.9 percent availability. If there's anything less than that, it's an issue for us. So far, they've been able to deliver that. I don't know what they do in the background, but they keep the lights on and that's what I care about.

The good thing about being in a SaaS solution is that we are agnostic to the platform. We don't see the Hadoop platform at all, but it provides benefits in terms of scalability. If we are sending 10,000 events per second and I want to scale that to 15,000 events per second next year, I know the platform can scale. That means I don't have to come up with a different deployment or start from zero again. That is definitely a benefit. I don't have to worry about the complexity, but I get the benefit of it being able to scale.

We used QRadar. We switched to Securonix because we wanted something in the cloud. There was just too much work to maintain the previous system. Second, we wanted something that was analytics-based so that it would give us actionable threats, versus noise. Number three was that we wanted something that could integrate with our cloud applications faster.

The initial setup was straightforward for us because it is SaaS. For us, it was just a matter of forwarding the logs to them. Within two days we were able to start seeing our data in their environment. Our previous deployment took us six months. That's what the cloud is. It is so much easier. It's someone else's problem to manage and maintain it.

In terms of our implementation strategy, for us the key was is to prioritize: What was the number-one thing we wanted to start sending and get visibility into? We prioritized our applications and created a multi-phased approach. We specified, in the first three weeks, the three applications that were business-critical which need to be monitored. Then we added some more, then we added some more. Overall, over the course of six months, we had all our data sources integrated, fine-tuned, and ready to go. It was important to follow a phased approach. If we had started to put everything in at once, we would have had too much noise to manage.

We deployed it with the help of Securonix. When we bought the solution we also bought Professional Services from them for four weeks. We needed that help in the first four weeks because we are not product experts, they are. At the end of four weeks, that PS turned into support. We did not need Professional Services, we just needed support when we had questions.

Professional Services were very hands-on and very committed to us. That's the best thing about them: Their customer success team cares about making you successful. I've worked with others, like IBM, in the past. You ask them something, it takes a week, sometimes two weeks, for their PS and support people to get back to you. Working with a smaller company, the good thing is that these guys are motivated, hungry, wanting to make sure they have a reference client. We had a great experience with them.

From all the benefits I have talked about, there has been a return on investment. And it was quick return on investment as well. With my previous experience, it took us six months to even get up and ready, so we weren't even talking about an ROI until then. Whereas with Securonix, in two days we started seeing our data in their environment. It was definitely a quick ROI.

A good thing about Securonix is that they don't charge by volume of data or number of devices. I don't have to think twice about what I bring into the system. That was a big pain point for me before because every time I brought something in I had to pay extra. They charge by the number of employees, which is a much more predictable number for me, versus data. Our costs are in the $100,000 range over a three-year subscription. There are no additional costs to the standard licensing fees.

Rapid7 was one we looked at because it is also cloud-based. From a SIEM perspective, it was not where we expected it to be. We also looked at Splunk but it was too expensive. Capability-wise, Securonix was far ahead of them.

If you're looking for an analytics-based system, which is what everybody should look at, and if you are thinking of something that provides a quick return on investment, then you should definitely look at Securonix, in addition to doing your due diligence with other products. Definitely have Securonix in the mix if you're looking for actionable threats, flat pricing, and a cloud-based solution.

The biggest eye-opener is how wonderful the cloud environment is. There is a whole new universe of threats that get exposed by moving to the cloud. It has all these benefits, but it also reveals a lot of risks. So there's a lot of work. Businesses will continue to adopt the cloud, and security has a lot of catch-up work to do to secure data in the cloud. But Securonix is bringing those issues to the front and we are coping with them, one thing at a time.

This is our single pane of glass for monitoring threats to our environment. It's being used companywide for monitoring purposes. It's our 24/7 eyes on glass. There are certain applications that we have not integrated yet and there are new applications that we continue to onboard. As we grow, and as we bring in more devices, we will want to integrate them into this platform. It is always a work in progress.

Our analyst who goes in and looks at the threats is the primary user of the system. There are also secondary users. For example, the compliance team looks at all the compliance reports that they need to meet the requirements we are bound by. They have their own use-cases that they look for. As the CTO, I have dashboards that I look at to monitor the overall health of our security posture. We also have investigators who look at specific investigations. If there is something that involves HR or our legal team, that becomes a case that we need to track.

From a deployment perspective, we had one person working part-time with the Securonix PS team for the first four weeks. After that, Securonix went away and that part-time resource continued to work on it. The part-time resource for deployment is a point of contact for Securonix. We need to send them data. We can tell them, "Hey, these are the data sources that we want to prioritize," in the first four weeks, for example, and this is the data we are going to send you. This person is the point of contact for them to coordinate with our internal teams to make sure the data is fed correctly and that we have scheduled the imports, etc. In terms of maintenance, there is none for us because they do it.