The solution saves me at least half an FTE, some 20 hours a week. If I didn't have the managed services, I would have to have another half an FTE just to do the work that they do for us.
EventTracker has assisted our server administration team as well. If they're having software problems or access problems or the like, they have the ability, with all the logs now centralized in one place, to go to one place and do those searches, rather than to go individually, server by server by server, and try to figure it out.
It's also tied into our enterprise firewall, which is Palo Alto. It really helps them in their troubleshooting time if they're having an issue.
There are 3 aspects that EventTracker is very helpful to our organization. One side is the information security side where it helps us quickly investigate an incident including false-positives. A second aspect is operational efficiency. It would really take a lot of time to try to figure it out server by server but with EventTracker they can go to one place which has all those server logs. The third aspect is log archives. Once it makes it to EventTracker, they can keep local log storage space pretty low and don't have to burn a lot disk space on the local servers.
I also feel that EventTracker has better integration. Almost any product could integrate with just about anything else, given enough time and resources. But that's part of the managed services that we contract with EventTracker. We have integrations into Sophos (for antivirus), Office 365 (for email) and for our enterprise firewall (Palo Alto), and our Cisco networking equipment. So we've got all the critical infrastructure pieces integrated and all of those were integrations out-of-the-box-that I probably could have figured out if I had enough time. But I tell them what I'm trying to do and either they have a white paper which gives me one, two, three steps to do it, or they actually take over. I give them a service account. They take over, they do it, we do some testing and we go live with it.
Everything we have is a real-time feed. We don't have anything that is just batch and then it reads it in later. Especially on those real-time alerts that I mentioned, I know about each of those literally within minutes after it happens, because it's a real-time feed. The alert fires and sends me an email or a text, whichever I have set up.
We're also very impressed with EventTracker SIEMphonic. That's what they've renamed their SIEM tool. We use it quite a bit now. They've got something called potential insider threats that we look daily. Those are things like account creations and the like. A SIEM tool doesn't necessarily know, just because an account is created, whether it should have been created or if somebody created it to try to hide their tracks. Also, seeing things like logs being cleared on servers has been very helpful to us. We would have no other good way to get visibility into those types of things. An extension of that is the alerts that we talked about. It's really been really invaluable for us to get insight into our environment. There'd be no other way for us to really get that without either SIEMphonic or one of its competitors.