What is our primary use case?
Our company is using the solution to build a next-generation security operations center that automates all administration and orchestration. It will include our entire MITRE framework and use cases being mapped at the moment.
We were already developing UEBA and SOAR when we started using the solution. UEBA will track when users move around to determine if movements are suspicious or should be mapped with threat activity.
The solution is a hybrid model. The hardware infrastructure and log collector are on-premises. We provide IP addresses that open a specific communication channel with the solution's cloud console, where our EPS data is contained. We administer the SIEM via the cloud portal and manage operations and log management on-premises.
What is most valuable?
The beauty of the solution is that you can develop infrastructure for a data lake using open-source components that are separate from the licenses. You can use Ubuntu, CentOS, or any flavor of Linux to build your infrastructure. The solution installs Docker with their licenses and scripts running on top of it. You can increase volume or build up servers and backend infrastructure at any time. Other products require you to buy their proprietary log management system, forward the device logs to the SIEM, and pay for its storage.
What needs improvement?
The solution's command line should be simpler so that routine commands can be used. The search configuration is a bit different from other OEMs or SIEM solutions like ArcSight or QRadar, which are easy to search because they operate similarly. The logic is there and the solution supplies a pretty good explanation. Basically, DNIF spelled out is the opposite of FIND. You have to find commands whenever you want to search something. For example, a highway gets you to your destination, but there is an alternate way people don't yet know about. Neither Gartner nor Forrester has studied it yet. We were a bit nervous when we were trying to get familiar with the solution. We wondered if we could realize ROI because the commands and ways of pulling data were different to us. We raised a case with the support team and their professionals provided the needed support. The command line is user-friendly once you understand it. If you need immediate use, then you might want to get assistance from someone who is well-versed in methods for using key patterns to find things.
Lengthier files for threat hunting or analysis are needed. The correlation happens, but exporting a large number of files to abstract them is not possible. For example, I want to present raw data to management so I should be able to customize a date range in my query and download the files.
For how long have I used the solution?
I have been using the solution for two years.
What do I think about the stability of the solution?
From a product point of view, the solution is stable so I rate stability an eight out of ten.
What do I think about the scalability of the solution?
The solution is very scalable so I rate scalability a ten out of ten.
How are customer service and support?
The support center does a lot and provides support, but most of their team is new, so they have to seek assistance from senior staff. This sometimes happens for basic queries but has improved over time.
I rate support a seven out of ten.
Which solution did I use previously and why did I switch?
We previously used ArcSight but were looking for a mature solution that could perform a variation of data discovery and threat intel discovery.
How was the initial setup?
The solution requires a huge infrastructure, so that can be tough. It is complicated to manage a large number of servers. Basically, you have to arrange 15 servers for some very limited EPS.
Configuration, deployment, and administration of each and every component on top of those servers is very easy.
What about the implementation team?
We utilized DNIF professional services to deploy along with our team. The solution was new to us, so we opted for their services rather than going with a third party. It took three to four months for end-to-end deployment.
We deployed in 2020 and, within a period of five months, had 30,000 users and 2,000 servers in our infrastructure.
What's my experience with pricing, setup cost, and licensing?
The solution requires a huge infrastructure and that is costly.
SIEM solutions always cost more so you have to determine if your budget can handle the cost to get to ROI.
In the future, I would like the solution to reduce its infrastructure requirements.
Which other solutions did I evaluate?
The solution was selected after a POC with a couple of vendors. Deciding factors were cost and the fit to our use cases. The techno-commercial aspect was the final deciding factor.
What other advice do I have?
Before buying the solution, ask for an overview and use-case session. Learn the infrastructure requirements and EPS cost. The solution is hyper-cloud, which is a hybrid model, so budget for both on-premises needs and the cloud service. Ensure that you can sustain the cost of running a SIEM solution, because it is hard work to change solutions.
If you need a parser to integrate existing technologies or a stack, be sure to tell your vendors before buying the solution. Bind them to the same timelines and agreements. We had a couple of lags during the POC stage that took DNIF a long time to resolve after implementation. Timelines published on the internet for TAC response are very generic so make sure they are customized as part of any agreement.
In rating the solution, I have considered several factors. There are lots of improvements needed. The infrastructure specs are huge and require on-premises management. The solution should have a completely cloud-based option or only require a lightweight infrastructure that is managed as a service. There should be a two-way exchange where issues proactively flow to a dashboard where anyone can take action.
Overall, I rate the solution a seven out of ten.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Other
Disclosure: I am a real user, and this review is based on my own experience and opinions.