Security Information and Event Management (SIEM) incident response Reviews

Showing reviews of the top ranking products in Security Information and Event Management (SIEM), containing the term incident response
IBM QRadar: incident response
JT
IT Security Analyst at a manufacturing company with 10,001+ employees

In terms of where it could be improved, this includes its forensics, incident response, and security operation center features. Additionally, some also struggle with the rules. We need more features in order to create rules to detect or to meet some requirements for other areas, such as catching the event from other authentication tools, like in Okta, for example.

In some cases, I have issues because some tools are not integrated in QRadar, such as other tools similar to DLP (Data Loss Prevention). We need to create all the integrations manually because they are not integrated in QRadar. We have a problem, for example, because they have Symantec DLP integrated in QRadar, however, it is not working because it's not detected automatically. It is not converting all the columns, but we do have the option to create manually. This is not difficult because it's very clear in the procedures.

AndyChan3
General manager at a tech services company with 201-500 employees

They should speed up the incident response and also, at the same time, reduce the amount of manual effort that is required.

A nice enhancement would be the incorporation of more artificial intelligence and machine learning capabilities.

HH
Senior IT Technical Support at a training & coaching company with 1,001-5,000 employees

The solution is primarily used for threat detection and response. QRadar can be integrated with other services from IBM such as Watson, among others. The main need is for threat detection, incident response, and dealing with threats or hunting threats.

What else? I mean, it's always you're looking for threats. Usually, whoever buys this SIM solution or buys QRadar, for example, is looking for hidden threats and they get the logs to see what's happening within their system. They want a solution that looks very deep inside in order to correlate those logs and see if there's any information that they can get out of those logs or even live packets that are spanning through their networks. Therefore, it's usually threat hunting. That's the main thing. Others might use it to understand the system, and how it's performing overall. However, that's the lesser use case.

DB
Security Sales Consultant at Google, LLC

IBM has recently come out with a new version called Cloud Pak for Security but I haven't used it yet. It contains not just QRadar, but also IBM's Resilient incident response products.

I recommend the solution but because of the issues with pricing and technical support, I rate the solution seven out of 10.

AI
Chief Technology Officer at a tech services company with 51-200 employees

I like the new dashboard which enables us to understand how many real threat attempts are made in a day. I also like the QRadar incident response; we installed the QIF last week. The solution has improved visibility so that we've been able to discover that some of our customers have not had any protection and were very vulnerable. It's an important area. I also find that the user behavior analysis is relatively simple. We are customers of QRadar.

RSA NetWitness Logs and Packets (RSA SIEM): incident response
AR
Associate Manager Human Resources at a financial services firm with 1,001-5,000 employees

The most valuable features are the packet inspection and the automated incident response.

LB
Presales Manager at a tech services company with 51-200 employees

It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets. I think the most important thing was that it gives the customer the capability to discover and respond to an incident. It gives customers visibility about their most important servers and devices.

Regarding the packet model, the most important thing is how easy it is to rebuild the raw data. Through one click, you can see an email that was sent even without accessing the mailbox from the user. It's easy to rebuild the raw data, especially the packet.

RR
Senior consultant Cybersecurity

The threat detection capability and centralizing and upgrading capability need to be improved. The threat alert capability needs to be improved as well because there is some lag time at present. They need to work on their database search too.

I would like to see log storage and threat intelligence features be included in the next release. I would like to see them automate the security incident response.

ArcSight Enterprise Security Manager (ESM): incident response
LB
Presales Manager at a tech services company with 51-200 employees

We use ArcSight primarily to provide logs for the incident response team and cyber security analysts to evaluate everything happening in the network.

Splunk: incident response
JY
Assistant Manager ICT - Projects at a financial services firm with 1,001-5,000 employees

We are currently using it with SIEM, and SOAR which is Security Orchestration, Automation, and Response.

Splunk is primarily used for security, incident response, and security analytics.

AT&T AlienVault USM: incident response
Sergey Kornienko
Director of Department at BAKOTECH LLC

We have three main uses for the solution. They are compliance, incident response, and as a tool for information security.

LogPoint: incident response
JK
CEO at a tech consulting company with 1-10 employees

The use case with the business case actually is using LogPoint as a full-blown team system. And actually to orchestrate incident responses.

It's a SIEM system where you incorporate detection rules and can set alerts, severities, stuff like that. It's the center of a SOC, basically. That's the main use case for it. Of course, it's also used to fulfill regulatory compliance, which is making a report every week, every day, every month, according to the auditor, what he wants. That's the basic use case.

Securonix Next-Gen SIEM: incident response
Ibrahim Albalawi
SOC Leader at a tech consulting company with 51-200 employees

The incident response area should be improved.

It is more difficult than other products, but overall, it is good. The platform has a lot of options and functionality. So, you need to check almost everything. For new engineers or people who don’t have much experience with this kind of platform, it is a bit difficult, but for experienced engineers, it is not that difficult.

When you have been doing a lot of work for about one or two hours, and you have a lot of tabs open, it slows down or gets stuck. There is a delay of 10 to 15 seconds in opening tabs or dashboards. I don't know why this happens, but for me, it is not a big issue. I just wait, and that's all.

Exabeam Fusion SIEM: incident response
SD
COO at a computer software company with 11-50 employees

The solution is easy to use and on a whole, it is pretty valuable.

The way it can connect with AWS is very useful, and the integrations are pretty good.

The incident response functionality is good.

George Succar
Strategic Account Specialist at FITS Consulting

We're just a consultant. We give advice to clients and present them with what we think are the best options. I'm not an integrator or user. Our clients rely on our insights and reports.

This solution will potentially be used on a governmental project. We need to have the full set of features. The government is very concerned about protection. We are trying to deploy the data lake, cloud connector, advanced analytics, entity analytics, recounting incident response, case manager and the full package, the full system, in order to collect information and properly detect and respond.

While the scoring is very high so far, I still need to determine the hardware requirements. From what I can see so far, I would rate the solution at an eight out of ten.

FireEye Helix: incident response
BiswabhanuPanda
Tech Lead at Ivalue Infosolutions Pvt Ltd

You can use it for everything, incident response, automated responses, alerts, visibility.

Devo: incident response
Art Faccio
Director Cyber Threat Intelligence at IGT

The fact that the solution keeps 400 days of hot data to look for historical patterns was extremely important because many of the competitors kept 90 days or maybe six months. We looked at the big choices that most other companies use. And with those competitors, if you wanted the extra data, it would be put into warm or cold storage and to utilize it you'd have to pull it back in.

Another one of Devo's advantages is, as I've mentioned, the user experience. It's well thought out and the workflows are logical. The dashboards are intuitive and highly customizable.

There are a few drawbacks to it. Some third-parties don't have specific API connectors built, so we had to work with Devo to get the logs and parse the data using custom parsers, rather than an out-of-the-box solution. Most of our third-parties are working on them because it seems that Devo is making some waves in the industry and more and more people are using them. But that has been what we've had to do with three of our third-parties that didn't have a connector. Devo had to create one, and, once again, their customer service was great. They just built it for us and it worked.

When it comes to analyst threat-hunting and incident response, because there are so many options, and Devo has the ability to do many things from one screen, the workflow is a lot more organic and natural. That means you can drill down to the level you need to and pull in the data you need from one screen. You don't have to keep moving around in Devo. It's much more configurable and the options are there to pretty much dig as deep as you need, from one screen.

Overall, Devo approached things a little differently and that's why we ended up going with them.

LV
Digital Security VP at a tech services company with 201-500 employees

Prior to Devo, we were using QRadar and Elastic. We switched because Devo is more powerful and the scalability is better.

With respect to analyst threat hunting and incident response, you can create a lot of complex dashboards and consequently, it is easier to perform a deep dive. It is really aligned with Splunk in terms of capabilities and usability. Our analysts had data from different solutions to work with and they preferred to use what was coming from Devo.

SM
Product Director at an insurance company with 10,001+ employees

We started off with about 10 possibilities and brought it down to three. Devo was one of the three, of course, but I prefer not to mention the names of the others.

But among those we started off with were Elastic, ArcSight, Datadog, Sumo, Splunk, Microsoft systems and solutions, and even some of the Google products. One of our requirements was to have an integrated SIEM and operational monitoring system.

We assessed the solutions at many different levels. We looked at adherence to our upstream architecture for minimal disruption during the onboarding of our existing logs. We wanted minimal changes in our agents. We also assessed various use cases for security monitoring and operational monitoring. During the PoC we assessed their customer support teams. We also looked at things like long-term storage and machine learning. In some of these areas other products were a little bit better, but overall, we felt that in most of these areas Devo was very good. Their customer interface was very nice and our experience with them at the proof-of-value [PoV] level was very strong.

We also felt that the price point was good. Given that Devo was a newer product in the market, we felt that they would work with us on implementing it and helping us meet our roadmap. All three products that we looked at for PoV were good products. This space is fairly mature. They weren't different in major ways, but the price was definitely one of the things that we looked at.

In terms of the threat-hunting and incident response, Devo was definitely on par. I am not a security analyst and I relied on our SIEM engineers to analyze that aspect.

Gabe Martinez
CEO at Analytica 42

We work with Elastic, Sumo Logic, Splunk, other SIEMs, and more. These solutions are very comparable to Devo when it comes to threat hunting and incident response. It just depends on the end customer and what solution will work best for them.

Some advantages of Devo are multi-tenancy and scale. It was built to be multi-tenant, which uses resources in an intelligent way. This helps with being able to manage multiple organizations. With some of the security solutions, you need to create a separate instance for every single organization, which can be inefficient.

The other advantage or sweet spot of where Devo shines is price/volume at scale. Some of the other vendors may be a better solution at lower volumes of data ingest. Devo really accelerates once you get above 500 gigs or a terabyte a day. Cost-wise, once you start hitting that terabyte mark or above, some of the other vendors won't necessarily compare in price or scale. We have seen it where others would need a lot more TCO infrastructure to manage the same volumes that Devo can handle.

Dennis Pope
Security Delivery Senior Manager, Cyber Solutions Architect/Engineer at a tech services company with 10,001+ employees

We're primarily using it to correlate WAN and endpoint activity for our clients. We work with vendors that have endpoint solutions or that control the networks for our clients. We are receiving their feeds, along with some of our other custom deployed equipment, to not only collect endpoint data, but to monitor network activity and correlate it to identify threats, vulnerabilities, attacks, and provide incident response.

Microsoft Sentinel: incident response
GT
Director - Technology Risk & Cyber at a financial services firm with 10,001+ employees

It is quite efficient. It helps our clients in identifying their security issues and responding quickly. Our clients want to automate incident response and all those things.

KrishnanKartik
Cyber Security Consultant at Inspira Enterprise

It's mostly used for cloud-based analytics for proactive incident response. As an enterprise product, it falls under next-gen SIEM.

SA
Consultant at a tech services company with 11-50 employees

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.
