Elastic Security pros and cons

The indexes allow you to get your results quickly. The filtering and log passing is the advantage of Logstash.

The solution has a good community surrounding it for lots of helpful documentation for troubleshooting purposes.

It is very quick to react. I can set it to check anomalies or suspicious behavior every 30 seconds. It is very fast.

Elastic has a lot of beats, such as Winlogbeat and Filebeat. Beats are the agents that have to be installed on the terminals to send the data. When we install beats or Elastic agents on every terminal, they don't overload the terminals. In other SIEM solutions such as Splunk or QRadar, when beats or agents are installed on endpoints, they are very heavy for the terminals. They consume a lot of power of the terminals, whereas Elastic agents hardly consume any power and don't overload the terminals.

The cost is reasonable. It's not overly pricey.

ELK is open-source, and it will give you the framework you need to build everything from scratch.

The most valuable feature is the speed, as it responds in a very short time.

The solution is quite stable. The performance has been good.

We've found the initial setup to be quite straightforward.

Enables monitoring of application performance and the ability to predict behaviors.

The most valuable feature for me is Discover.

We're using the open-source edition, for now, I think maybe they can allow their OLED plugin to be open source, as at the moment it is commercialised.

The solution needs to be more reactive to investigations. We need to be able to detect and prevent any attacks before it can damage our infrastructure. Currently, this solution doesn't offer that.

There should be a simulation environment to check whether my Elastic implementation is functioning perfectly fine. Other solutions have their own Android and iOS applications that I can install on my mobile so that I am continuously connected to the SIEM.

Its documentation should be a bit better. I have to spend at least a couple of hours to find the solution for a simple thing. When we buy Elastic, training is not included for free with Elastic. We have to pay extra for the training. They should include training in the price.

This type of monitoring is not very mature just yet. We need more real-time information in a way that's easier to manage.

There isn't really a very good user experience. You need a lot of training.

The training that is offered for Elastic is in need of improvement because there is no depth to it.

The problem with ELK is it's difficult to administer. When you have a problem, it can be very, very difficult to rebuild indexes.

Sometimes, the solution isn't the easiest to use.

Upgrades currently released as stacks when it should be a plugin or an extension to save removal and reinstallation.

I would like the process of retrieving archived data and viewing it in Kibana to be simplified.