Elastic Security Reviews

I've been using the Elastic solution primarily as an IAM solution. It helps in threat-hunting investigations and provides case management and security incident management.

The general process involves collecting all security events on a data platform or a data lake. These events are then processed and analyzed based on threat perception, comparing them against known attack vectors. Events identified as potential threats are tagged accordingly. During analysis, data enrichment may be necessary to enhance understanding. After tagging threats, the analysis is forwarded to a threat-hunting team. A security incident is created if there's no existing solution, and a case analysis is conducted to find a solution.

Elastic provides the capability to index quickly due to the reverse indexes it offers. This data is crucial as it contains critical information. The reverse index allows fast data indexing because of Elastic's efficient search engine.

After the initial processing, Elastic Search offers rapid access to data and indexes. Additionally, Elastic provides a feature for root cause analysis. In this process, various threats emerge. Relevant events are properly linked, suppressing unnecessary ones. The correlated event is then passed on to root cause analysis, aiding in pinpointing the specific problem area.

The solution lacks discovery. With effective discovery and asset management in place, you can identify the impact of threats. Having an asset management database allows you to determine the effects of threats on assets and their implications for business and operational aspects. 

I have been using Elastic Security for five to six years.

The product is stable in large energy utility environments, where it handles millions of transactions per second, both on-premises and in the cloud.

Scalability occurs on the elastic cluster side because the basic ingestion happens on the cluster side. With increased volumes, your cluster should also be able to handle more, or you must provision additional clusters to handle the workload. The solution is entirely scalable. Elastic operates on an in-memory computing basis. A perfect ratio must be maintained during the data retention period. The Elastic infrastructure is set up in a way that provides input and handles the data lake comprehensively. It's more of an infrastructure-level scalability rather than a solution scalability.

The basic support always comes with a very basic level of SLAs, whereas the premium support comes with advanced or very high SLAs.

Elastic is replacing solutions like Splunk and IBM QRadar.

The initial setup is straightforward but has complex data feeds ingested into the system. Millions of data points are arriving per second, presenting a significant data transfer rate. Consequently, the system must be appropriately sized and scaled to meet this demand. Furthermore, all data is accessed in real-time, complicating the sizing process.

Elastic Security is open-source. Unlike many older solutions where you must pay for data ingestion, Elastic allows you to ingest data freely. Being open source, you can set up a Kafka front door layer to ingest data and forward it to the Elastic cluster in various formats. Once ingested, the Elastic cluster, essentially Elastic search, manages cluster management automatically. Additionally, being open source, Elastic can seamlessly integrate with any data feeds.

Anomaly detection comes into play when conducting a threat investigation using threat intelligence or querying threats. Typically, security events stem from various sources, such as operating system logs, event logs, application logs, and security logs, all collected from different systems and traffic data. This data streams at an enormous rate, measured in events per second, often reaching millions. Therefore, the task involves running anomaly detection across these events to pinpoint those requiring analysis and further threat-hunting efforts.

If you're using Kaspersky for event management or passing through data stream pipelines, Elastic can convert the data into a usable format for ingestion into the cluster. Integration with existing solutions is straightforward since Elastic is an open-source platform.

Overall, I rate the solution an eight out of ten.

We primarily use Elastic Security as a log aggregator, so we use it like a SIEM. It ingests all our logs and reports on them in aggregate.

We've used Elastic Security to solve some challenges involving various data sources. Things were being logged, but they were scattered around the organization. Elastic has sped up problem-solving. I can also imagine other use cases where we might use it for things that weren't system related. I use it for IT troubleshooting, but you could probably use it for sales forecasting or anything that I could make a data source out of.

Elastic Security gives us the ability to look at more than one source of data. For example, if a Windows client is doing something weird, I can grab all the Windows clients, then pivot to the firewall logs. 

I can look at events from more than one source across multiple different locations and find patterns or anomalies. The machine learning capabilities are helpful, and I can create rules for notifications to be more proactive rather than responding after something has gone wrong.

Elastic Security has a steep learning curve, so it takes some time to tune it and set it up for your environment. There are some costs associated with logging things that don't have value. So you need to be cautious to only log things that make sense and keep them around for as long as you need. You shouldn't hold onto things just because you think you might need them.

I have used Elastic Security for about a year.

Elastic Security support is pretty good. Their support staff seems to know the product well. They provide answers but don't offer much training. They have lots of videos and documentation, but there's not a live person that tells you how to do things. They mostly refer you to the documentation. 

Setting up Elastic Security is complex in some ways. Getting the solution to ingest your logs is the most difficult part. If the logs are of little value or you're holding on to those events for too long, they're not really worth as much. They're not as actionable if they're a month or a year old.

I rate Elastic Security nine out of 10. I can't speak to any of the other security features, but it works for logging and SIEM. 

We primarily use the solution for security purposes. 

It works just fine. We haven't had any issues with it. 

It is scalable. 

Technical support has been good.

It is stable. 

The product is fast to set up and very easy to deploy.

We aren't expecting any new features in the next release, We have everything we need. 

Technical support could respond faster.

I haven't been using the solution for too long. It's been only a few years. 

The solution is stable and reliable. There are no bugs or glitches and it doesn't crash or freeze. 

The solution is quite scalable. I'd rate the ability to expand nine out of ten. 

Technical support is quite helpful and responsive. However, it could always be faster. 

Positive

We did use a different solution. We decided to switch to this product as it fit our needs. 

The initial setup is straightforward. The deployment is fast. It only takes a few seconds to get up and running. 

I was able to handle the initial setup myself. 

We have not necessarily seen any ROI. 

The pricing is pretty good. We pay for a license annually. The cost is very good. We don't find it too expensive. 

I'm using the latest version of the solution. 

I'd recommend the solution to others.

I'd rate the solution eight out of ten. 

Elastic Security makes data communication easier.

The solution should generate an automatic product that integrates with ELK Stack to use artificial intelligence.

The solution is not expensive and costs around ten dollars a month.

The solution allows you to generate alerts. You can automatically detect and configure mail in some addresses and automatically identify the identity that you have in your system. This is important for confidentiality in order to control the risks in identifying the users. The solution also uses artificial intelligence to identify anyone using your system.

We use the solution to monitor the activities of the people in the organization to prevent attacks in a controlled environment. We use the tool to observe the behavior of attacks and how to mitigate them. Today, security is more important than people know. You need to know who has access to your network, repository, or cell phone.

Overall, I rate the solution ten out of ten.

The product is for use cases involving observability, visualization, dashboards, analytics, and security.

There is a constant evolution in the product. I think that the solution has a strong roadmap in place. I believe that the tool is going to be a leader in a lot of spaces, considering that it is evolving at a fast rate.

From an improvement perspective, the product should be easier to use for those who don't know query language and have experience with only some basic products in the market.

I have been using Elastic Security for more than three years. My company has a partnership with Elastic Security. My company operates as the solution's reseller, and we also manage the tool's implementation.

It is an extremely stable solution. Stability-wise, I rate the solution a ten out of ten.

It is an extremely scalable solution. Scalability-wise, I rate the solution a ten out of ten.

Whether the product suits small, medium, or enterprise-sized businesses is something that would depend on how you quantify your risks. Elastic Security is an ideal solution for anybody and everybody because it offers a free version of the solution. Small or medium businesses can use the free version of the tool. The solution has very comprehensive capabilities in the free version itself. Enterprises, large corporations, and government organizations can use the tool's paid version because it supports a lot of features from an analytical perspective. The free version doesn't have many analytical features in it. People who want to have a cybersecurity solution in their environment, which may not be specifically Elastic Security, should know the roadmap and the vision, along with a plan on what they want and how they want to go about with the product they want in their company to see where they want to end up in their cybersecurity journey. Your investments will make a lot of sense if you have a clear vision in mind.

Elastic Security is not an ideal product if you are trying to do something very simple or basic with some check mark activities or an audit to show someone that there is some technology used in the company.

I haven't had any single customer of my company telling me that the support of the product is not good. I believe that the product offers great support. I rate the technical support a nine out of ten.

Positive

I have experience with Elastic Security, Rapid7, and IBM.

I rate the initial setup phase a six or seven on a scale of one to ten, where one is difficult and ten is easy.

The product's initial setup phase is neither easy nor difficult. It is easy to manage the setup phase if you know how to do it correctly. Complexity comes along as a part of the tool, especially if it is powerful and has a lot of capabilities. If it is very easy to manage the setup phase of a tool, then it is bound to have some limitations.

The solution is deployed on the cloud, on-premises model, or a hybrid cloud.

It can take a few days to get the product up and running. The time required to deploy the tool depends on the use cases of the user.

The product offers an amazing pricing structure. Price-wise, the product is very competitive.

The product has made amazing developments and has gone miles ahead in a short span of time when it comes to its enhanced threat detection and threat response capabilities.

The product has helped manage endpoint security since it serves as a single tool that provides all the functionalities together. After you deploy Elastic Security, you can do everything with it, and there is no need to buy separate products or licenses. Through the setup of Elastic ELK Stack, you can get all the functionalities like SIEM, SOC, threat detection, endpoint detection, user behavior analytics, data analytics, data lake analytics, virtualization, dashboarding, cross-referencing, and threat response.

Elastic Security's most beneficial for security needs steps from the tool's openness. The tool is a highly customizable product, allowing you to play with it as much as you want.

Speaking about real-time data analytics features in Elastic Security improve security posture, the real-time is not real-time natively. You need real-time streaming capabilities, for which you need something like Apache Kafka to stream data. The analytical power of Elastic Security is extremely high. If you can get me data in real-time, I can analyze data in real time with Elastic Security.

The product has introduced generative AI in the tool.

The product has covered all technological advancements a person can think of, and it also has a lot of roadmap for the future development of the solution. The tool is strong and capable.

Elastic Security offers one of the highest integration capabilities I have seen in any kit in the market. The tool offers a lot of out-of-the-box connectors and a lot of certification from a lot of providers across different areas. From a workflow perspective, if you are a customer using a proprietary tool with proprietary mechanisms to manage how work is done, then the integration offered by Elastic Security wouldn't be great. If you have an enterprise-grade product involving firewall solutions, SOC tools, endpoint tools, privilege access management solutions, or any other cybersecurity tools, Elastic Security's integration capabilities would work and help manage your workflows seamlessly.

One of my company's customers told me that the incident response time after the implementation of the product was reduced by half within the first few weeks of the rolling out of the solution in the company.

The product is very user-friendly since it offers generative AI in the dashboard. If you don't know how to do something on the dashboard, you can ask a question, and the solution will guide you. From a user perspective, I would say that the person using the product should be knowledgeable and should know what he wants. The product is not for someone who is a novice. The cybersecurity analyst working on the tool should have a fair understanding of what he wants to achieve with the product. It is okay if a cybersecurity analyst does not know how to write a query in the tool since the product offers help through generative AI. You can ask generative AI how to write a query, and it helps you. Elastic Security can be a bit difficult to use if a person only has experience in SMBs with tools like Zoho. The product can also be difficult for those who have never dealt with query language. It would be easy to move to Elastic Security for those who use Splunk, IBM QRadar, or other enterprise-grade tools.

I rate the overall tool a ten out of ten.

We are looking for the same tool on-premises that we can provide to our client as an MSSP. We're evaluating different types of tools in the market.

Although, we have a premium version, and I was checking the functions and features here.

We have some questions about the query language. So that also from this console and so that we can actually want to have a demonstration session where we can clarify this thing query to manage.

The interesting thing is about the dashboard. There are available widgets for the dashboards, along with specific features like different types of reports, such as a list of alerts. This helps to remind us which events are happening most often.

We are still evaluating the solution, but the dashboard is something good. And one more thing, it also has anomaly reports. I like that there is a report that is only based on anomaly-related activity.

One limitation of Elastic Security is that it does not have built-in workflows for all tasks. For example, if you need a workflow for compliance, you will need to create a custom workflow.

Sometimes, different types of clients require different workflows. And it absolutely varies from context to context. So that is often not available in [Elastic Security].

Additionally, the list of data sources that Elastic Security supports is limited. If you need to collect data from a system or application that is not on the list, you will need to develop a custom integration.

We have been evaluating it for the last two months.  

It works fine on the few devices we have deployed this solution. 

The scalability is good. It can be scaled easily in the production environment. 

The initial setup is easy. 

The pricing is fine. But the basic pricing should cover all the features you need.  Elastic needs to add more features, which are available as subscription-based add-ons. So more features may need to be added.

Overall, I would rate the solution an eight out of ten. We are still evaluating Elastic Security, but we are interested in learning more about its capabilities.

Overall, the solution is good.

The machine learning aspect of the solution has been great.

The deployment is not that complicated.

ELK is open-source, and it will give you the framework you need to build everything from scratch.

The SIEM modules in Logstash, need more improvement. In the future, the modules could be more advanced as right now there are only very basic modules.

We are facing an issue with the engineers. In the region, there are not many available. Only a few people might be available in our particular region, which is a problem. 

There isn't really a very good user experience. You need a lot of training. There is an interface with limited options. You need to work with the coding and you need to work with the scripts. It's not simple. If you want to configure something, for example, you need to be a proper programmer.

It would ideal if they had a dashboard. Right now, the only way to see what you need to see is to go through all of the logs. 

I've used the solution for one and a half years.

The stability of the solution is good. However, it depends on the configurations. If the solution is configured properly from the beginning, it will be stable. However, if the solution is not configured from beginning properly, it will not be. This is due to the fact that ELK Elasticsearch gives you the framework only, and the customizations depend on the guys who will be coming to configure everything for the company.

The scalability is good, however, there is a certain level of skill that is needed. Due to the lack of trained engineers in the area, this could be a challenge.

We've reached out to technical support in the past. We found that sometimes communication with them was difficult as there was a lack of understanding. This means that it takes a longer time to reach a resolution. However, in the end, when we have had issues, we were able to resolve them, even if it was a bit delayed. 

I've also worked with LogRhythm and there is no comparison. LogRhythm is the best solution for me. The use cases are better and are readily available. In contrast, with ELK, we need to deploy a lot of things. We need to program people and we need skills and training. We need a lot of things. Even the LogRhythm training is easier than ELK. With ELK, you need to build the customization, rules, everything, from scratch. WithLogRhythm, you just have to enable features.

If a company wants some more specific detailed use cases, then ELK would be better than LogRhythm, however, for a generic use case, LogRhythm is better.

The initial setup is pretty simple and straightforward. It's not overly complex. 

That said, it does require trained specialists, and there just aren't that many in our area. 

Overall, I would rate the setup process at a two out of five. 

The configuration must be done correctly, and that depends on who is configuring it. If the person configuring it, for example, only has an administrator background, he will configure the administrator stuff. If he has a security background, he will configure for security.

We are a partner. 

I'd advise others considering the solution that ELK is a good solution, however, it requires skills and capability. You need to be properly trained with it to get the most out of it. 

I would rate the solution at a five out of ten.

It is for our own infrastructure. We are trying to do ELK Stack for everything. We are trying to build our own monitoring solution. For now, we are using it as an alerting solution, and SIEM is going to be our destination.

Its flexibility is most valuable. We can have a number of scenarios, and we can get logs from anything. If we know how to use Logstash, we can tweak it in many ways. This makes the logging search on Elastic very easy.

With Kibana, we can make very beautiful dashboards the way we wanted. It makes sense for the business.

We are paying dearly for the guy who is working on the ELK Stack. That knowledge is quite rare and hard to come by. For difficulty and availability of resources, I would rate it a five out of 10.

We don't have any scalability problems as of now. We have less than 2,000 devices.

We have a contractor who is trying to develop and deploy the ELK Stack for us. He has requested a couple of servers, and we have given those to him. He asked for more RAM and storage for the service, and he will take time developing the custom Logstash scripts that we have asked for.

I find it better than Splunk in terms of cost-effectiveness. For cost-effectiveness, I would rate it a nine out of 10.

It is complex, but you just need to have patience and personnel to develop it. Unless you explore a technology, you won't know what are the pros and cons. I have not seen any cons as of now, but it has miles to go in terms of being equal to Splunk. It is a community-driven technology. So, it will get there.

I would rate this solution a seven out of 10.