LogRhythm SIEM Reviews

The most valuable feature to me is certainly the CloudAI, which I have been a beta tester of, and also the SIEM capabilities and automation.

I see CloudAI expanding greatly. It's obviously a new product for them. It will be able to give contextual evidence of people's behavior which, at the moment, whilst the SIEM does that, AI actually is that specification and concentration on people's behavior, which is a huge component in cybersecurity.

The benefits at an organizational level would certainly be that for my company, which is in healthcare, certainly a huge compliance, but also it gives me visibility of all the departments in my company, not just the IT department. I'm able to see the actions and behaviors of the whole company, not just on my campus, but remotely as well.

What still needs improvement is automation. The SmartResponse obviously does not use open APIs at the moment, so we're having a lot of problems connecting it with things like Palo Alto Traps and some other systems, things like Cisco. I know that it's on the roadmap, but at the moment that is where the weakness lies.

For myself, I would like a HIPAA configuration out of the box where I can switch on various HIPAA rules. Obviously, HIPAA has 18 very exact identifiers and I'd like those to be already in the box ready to be switched on.

My impressions of stability are exceedingly, that I've not heard any down-time. We have had to contact support a few times, but just to see how to do a few configuration settings.

It's actually been scaling incredibly well. We have put more memory in the box and we've taken some of the Websense traffic and put it onto VMs. We can take more hardware and daisy-chain them up, so we know that when we do need to have physical hardware scalability, that feature is there.

Exceptional. One of our tickets had to go all the way to level three, but it was exceptionally covered well and the resolution was incredibly timely.

It was our very first log management solution. When I joined, we did not have a cybersecurity program. My employment was to build a cybersecurity program right from scratch, right from the start. Whilst I evaluated a couple of other programs, LogRhythm came to me, through the evaluation of those, to be the clear winner.

The criteria certainly was scalability. Our company, within a year, has gone from $600 million of revenue to $1.3 billion. At that point, I knew that we had to have that scalability function.

I've been very lucky that some of my staff have very high technical knowledge on configuration of LogRhythm. If I didn't have those staff available to me, I would certainly recommend the Co-Pilot, which is an option that LogRhythm provides. I think that gives you the confidence that you've not only bought a product but, at that point, how to configure it and use it.

Very happy. Yes.

As a guidance and recommendation, I would ask them, what is your level of comfort in configuring LogRhythm? If they say to me, "Not so much," I would say, "Well, then you have to budget not just for the product, but for the Co-Pilot solution as well." If, however, they say, "No, I'm very happy. I have the skills already in-house," then I would say obviously to buy the product with the Professional Service hours.

The thing that I find most valuable is that every interface is consistent. Whether you're looking at a dashboard, a drill-down, an alarm, a search, the interface is exactly the same. As you move through the experience of looking at some type of event, some type of incident, following up on a search, everything is consistent throughout the whole user experience.

One of the evidences we have that LogRhythm is being very successful for us is in this year's penetration test. I caught the pen-testers five times in the course of their duties. That was just great ammunition to show that this works.

The biggest thing that I think needs improvement is reporting in the Web Console. Most of our reporting is done in the thick client console. The only people that have access to that, really, are the people that work for me, the administrators of the system. So the end-users, the people whose logs we consume, we give them views to their logs but they aren't able to run reports. By moving reporting to the Web Console, that would enable all of the regular, non-administrative users to run reports as well.

We've been using it for several years.

We just went through an upgrade just to increase our capacity, so we could bring in more log sources, and it's been a wonderful product for us.

It scales great, which is one of the reasons why we went to it.

Almost all the time things are handled in a proper way. We've had very good experience with technical support. On one or two occasions, a couple years ago, they were going through some growing pains because of their expansion. Our CRM, our Customer Manager, stepped in and helped us get through those hurdles.

It's actually our second SIEM tool. Our first one was not scalable. We didn't really get to pick it, it was chosen for us. We got to a certain point and we just couldn't grow it anymore. 

So we did a full RFP, a bake-off so to speak, and looked at everything that was really competitive on the market. Ended up with LogRhythm. Did our initial deployment, which lasted us for about two years. Because we did our basic measurements on a tapped-out SIEM - we didn't realize how much growth we would have once we uncapped the bottlenecks - we ran into some growth issues. We just doubled our capacity three months ago with no problems at all.

I always recommend training for everything, but that really is use, not setup. Setup is very easy. I do recommend people take advantage of the LogRhythm Professional Services. They make it very helpful, it's easy to get up and running in a day or two. Use Professional Services is my recommendation.

In terms of the most important criteria when selecting a vendor, there isn't any single important criterion. I have a spreadsheet that I use that expresses value.

• Price is one component of value 
• Usability
• Manageability
• How many resources do I have to apply to it? 
• Can I run it with one FTE? Do I need two FTEs? 
• Also, its efficiency. Does it meet all of the use-cases that we're buying it for?

The first thing you do is sit down and think about, "what are going to be my first steps?" This is the kind of thing you have to phase, really, to be successful. "What are my goals out of my first year?" Plan that out, and then plan where I'm going to go from there. Then sit down with somebody that's experienced like the LogRhythm Professional Services, or your SE, or other people you know that have used LogRhythm for a while, and review that plan and make sure that you've got some specific strategic benchmarks in place so that you can guide yourself through that growth.

I would rate it a 10 out of 10. I am very happy.

We didn't have a main logging system, so it's really nice to have that now, and in place. We are collecting all our logs from all the servers, routers, and its really helpful, and it's a great product to have.

Right now I really like the dashboard, and being able to view it easily, and to just have all the data right there available for me.

I think the dashboard could definitely have more features. I've seen some of their roadmaps that they're going towards. I really like it.

One of the features that I actually put in a request for was, they have the ability to build this great case and have it all ready. But you can't export it, right now on my specific 7.2 product, you can't export it from there. So, I can't have a nice PDF to give to a CEO, or give to legal, or wherever it needs to go to further their investigation. That's definitely a product that their actually going to come out really soon with.

The stability is pretty good. We haven't really had any problems with it. I think in our deployments, we had about 25 monitoring agents. One of the agents did start acting kind of funky, so I just called up support. I said, "Hey, we can't get this agent to work properly." They helped us out right there that same day. We actually updated that specific agent, and its been working ever since.

We're a fairly new customer to the product so we haven't had to meet problems like that with it. But we do plan to scale it fairly soon, so we'll see.

It's been pretty good. After the deployment, I really haven't had to call them. They have a pretty nice knowledge base, and their user guide pretty much explains everything you really need to get done. 

There are some issues that I had with Forcepoint, and getting it to work properly with LogRhythm, but that was more on the Forcepoint side of the problem than LogRhythm.

It was due to compliance that they decided to get a product.

I actually was hired within the last five months. I showed up, and they said, "Hey, you're going to get to deploy this." I said, "Sounds great."

Deployment was fairly easy. They gave us some prerequisites that they needed us to have ready for them, so we went ahead and got those all ready, went through change management, got everything approved. 

They needed to have - if you want it to collect logs remotely - a service account created, you needed to have specific ports already open, to make sure that everything communicates properly.

We went ahead and had everything set up. We got the support call because we got the DMX appliance. The day came, we got it all set up, it was fairly simple. The support agent walked us through everything we needed to do. He showed us tips, and tricks, and best practices for specific situations. He did training at the same time as we were deploying. It was a fairly simple, easy process.

It's one of the top 10 SIEM solutions. What I really like about LogRhythm is that they're always innovating, new ideas. They're consistently trying to improve. I think that's really great about them. 

The breadth and harvesting of information the SIEM is capable of doing. I've been in this probably going on 30 years, and I've seen the growth. I found a resource that's outstanding in finding information and then the most important thing, distilling it, putting it together, which is a real big challenge in this field.

We're a financial service. As our title implies we deal in mortgages, which means we see a lot of personal information, credit reports, financial instruments. We're really concerned that we are able to monitor the movement of that kind of information and protect it.

LogRhythm has been extremely efficient in helping us find the bad guys, who are really out there, they're targeting businesses like us. They specifically want the findings, the money. If you can get in the middle of a loan you may have to go after 10,000 people trying to find the data, but if you can get four houses at $400,000 or $500,000 apiece, you've just harvested $2,000,000.

For us, LogRhythm has given us the kind of insight we need to understand when those threats either are being recon-ed, found out, or when they're really trying a brute force attack to get at us. It's excellent for that.

I really can't think of a particular one, I've been very satisfied with what's happening. 

I know they're going to get another spike in customer base, hopefully they'll have the ability to ramp up people in support along with the customer ramp up. That's a hard game to play.

I've been part of a number of beta tests, so when CloudAI came out - which is phenomenal: The ability for something to give you information in a SIEM environment, you're often gathering data, writing rules to monitor the data, so you can see what you think you should see. But they're doing inference engine work, where they're looking at what a threat implies, and then presenting it to you.

In our field, false positives versus true positives are a big deal, but they've kind of taken it a step forward. I've come to call it - they may offer me information that I look at, that I didn't know about but I should know about - it's not a false positive because it didn't show a threat. It's a true insight because it showed me something that I wouldn't ever infer myself. 

So features like that, the work that they're doing moving forward in that space, especially with machine learning. The sky's the limit in that, I'm looking forward to them doing it. 

I find it very mature, it's well designed. 

I'm sure if you're speaking with other folks today here at the LogRhythm User conference, you'll find that they're talking about all the new product roll-outs. They think these things through. Since I've been in the industry for many years, I've often found people will roll out products very soon. Often before they're mature enough to be out in the field. LogRhythm doesn't have that problem. I've been very impressed with that.

Except for the experience you often have when you do upgrades - and mostly it's the human, not the software - becoming accustomed to the new material, they've done a really great job.

We tried to size what we purchased, as an appliance, properly. You never realize how much data you're gathering until, of course, you see how much you're gathering. You're thinking maybe 100 million records a month, and you find out it's 100 million records a day. But we've been able to deal with that, understand what we're using. 

They've also been very helpful about throwing away the stuff. There's a lot of information that computers generate, not all of it is relevant. So we've able with it, to look at stuff and begin to filter out, in some cases, 20% to 40% of the content that isn't relevant at all.

I've found through the past two years they've had a few bumps because they've become so popular - I was in customer support years ago, I understand it. When you get a quick rise in customers it's impossible to maintain a support staff at the same time that you're having a fast rise in people who've bought your product. But they've worked through it, they've been responsive to it. 

I've been able to talk to the Director of Training, and the Director of Support on a couple of occasions, we've come to know each other, which is really valuable, especially in our business. Because he can look at me and say, "This is what we're doing." I appreciate the fact they're honest about the situation, they know me well enough now sometimes to be blunt, which is great. It's a good rapport, intelligent people, which is really essential.

None of this is offshore, it's all inside the United States. When I used to do secret cleared work, it was always a requirement that it be carried on within the boundary of the US. I've sort of picked that up as a habit, and these guys are really good at it. It's here, occasionally I go up to Boulder and see them, but it's very satisfactory, very reliable. They get on top of my problems, we usually fix them inside 24 to 72 hours. 

I had to do a proof of concept review two years ago when we were doing a rebid, and LogRhythm was the incumbent. I looked at some other companies. The thing that was essential for me was not only that you could gather data quickly and efficiently, but how you harvested it and how you maintained it. A lot of the other vendors had different ways of doing it, nothing I considered reliable and I was worried about the fact that, as their volume increased, the performance of their appliances would decrease.

What I found with LogRhythm, especially since I picked up one of the newer XMs, is that it has the capability to handle the volume I'm looking at but also, if I want to separate certain parts off onto certain systems, to basically spread those elements out. That was a feature that became really critical for me. Without that I'd be stuck with the pressure of one box, if it fails it takes all my operation out. So I get both, strength and diversity, because I can use multiple systems, they have that flexibility, the others didn't show me that. 

Those were some of the things that were important. 

Also, being able to handle tens of millions, and hundreds of millions of records from a wide variety of resources. They have something called log source types. Log source types let you ingest data from Palo Alto firewall, Cisco firewalls, big F5s, all sorts of environments, draw the data in and make it relevant. 

The other environments - whenever I hear an engineering environment tell me, "Its just a simple matter of programming." It's not. 

When somebody says, "Here's the log source type, and this will do this with your data," and you draw in 10 million records from the firewall, and that afternoon you can make sense of it. That was another reason why.

We've lived through three or four years of the product, so in the early time it was major upgrades, releases had a lot going on. But now things are almost completely seamless. 

LogRhythym uses both the central environment and then sensors that it spreads out. It used to be that you'd have to upgrade the central environment then get all the sensors. As they've moved through things I can now do one upgrade in one place and tell that central environment to upgrade everything else. It cuts down my time from being 12 or 13 hours for an entire operation, to about three or four hours to bring the main environment up, 15 minutes to start up the upgrades. Then it's time for coffee, come back, usually I'm done.

Things that are important: the first time you get a SIEM in your hands you think it's great to gather everything. Then you find out within a couple of days, gathering hundreds of millions of records and trying to make heads and tails... 

Begin slowly, focus on various systems, understand what they mean. 

A lot of people go, show me the perimeters, show me the firewall, show me the network. Pull that data in and when you've got it then turn around, look at all of your Windows servers, your domains, those environments. 

Moving slowly and classifying your data, so you can make the rules you design really specific. It helps you if you've got control on it, you can throttle volume, but also when you have anomalies pop up they don't pop up because you forgot something in a rule. They pop up because there really is something new.

It serves several different features. We can check the checkbox for HIPAA compliance, SEC-type stuff.

But really, our biggest focus was actually on our clients. Because we're an accounting firm, a lot of our clients actually audit us, or they have large security questionnaires that we have to fill out. So having a SIEM product is one of those check boxes, and being able to say "yes" on security questionnaires; or one that clients come in and say, "We want proof that you're auditing your domain controllers, that you're auditing the security files servers, you know who touched our files, how they read them, deleted them, modified them." 

Being able to pull all that information up before the auditors, it's great. Very critical.

We're fairly new to LogRhythm. One of the things that we really liked in the deployment PoC phase was the dashboard. How easily it percolated critical information up onto a screen that we could immediately review, and drill-down to look at the raw logs. That was one of the key features that we liked in the PoC. Still today, that is by far one of the best features.

Probably the biggest improvement and I've talked to several of the management here at the LogRhythm User conference on it, is their thin piece, which is their file integrity monitor, that we use on some of our security servers. The data sets are extremely large, tons of files are being modified, deleted, created. That product could use some more enhancing.

We've been working with them to enhance that product for future releases. It's been a good experience. 

Any issues that we've had, they've actually fixed the majority of the issues that we had with the initial product, by even giving us customized installation packages to adapt to our environment.

It's been real good. We've done several upgrades since then. Each time, if there has been an issue, we've just opened up a ticket with support and literally, it's hours to minutes sometimes - depending on time you open up the ticket. There's a response and then engineers calling you, and helping you out through some of those issues. It's been good.

We haven't scaled because, like I said, we're still the first-year phase. Now, when we purchased the product, we did purchase it to scale it out a little bit over time. We overbuilt it just a little bit so that we could keep adding log sources to it. But so far, we've been right on the money, as far as the initial build of it. 

We had come from two other SIEM products that were going end-of-life. The original one was the Cisco Security Manager, and then the latest one was RSA enVision. Because that was going to end-of-life, we needed to find a replacement product.

The big thing was the PoC was a great tool to get a great overview of what the product was going to be like. We also worked with an SE that helped deploy the product. Then we also were able to talk to support. So we got a good feeling to how the product was going to operate, not only from our operational standpoint, but also from a support standpoint, and also from help from our local support engineer.

We just had a great experience all round, and when comparing feature sets, the web interface to the alarm drill downs, the AI Engine drill downs, to the network monitor product, it was definitely on the top of the list.

The other big thing that we really liked about LogRhythm - we had a unique requirement - was that we had to have appliances, we didn't want virtual devices. Just from the security side of things, we wanted to be able to manage those devices ourselves, rather than having our infrastructure group manage those. LogRhythm also provided us the appliance base versus Splunk which is all virtual base.

We actually used LogRhythm's Professional Services group to help us get the product up and running. It went real smooth. Matter of fact, the amount of time that we allocated the Professional Services, we were short of that. It just went real well. 

Our group caught on to the product very quickly, which was another great benefit. We were able to do a lot of the work ourselves, versus relying on Professional Services to do it, just because we caught on much quicker than we had thought initially.

Our SIEM solutions list included several different vendors from Splunk to LogRhythm to RSA, their new product. We ended up choosing LogRhythm.

Just from the simplicity standpoint, it's met all of our expectations now. Like I said, you always have that little thing here and there that you still have to tweak, but other than that, we've really liked the product. 

The biggest thing in this product is not everybody on our security team is well versed in SIEM or analytics, but we found that LogRhythm - the Web Console UI - really simplified, especially with the metadata parsing out. It allowed those people to read those type of events much quicker, because it was right there, and it was pretty easily translated. So "user" is username, "host" is the host, and so it's very easy. You're not having to dig through this big long raw log file to actually figure it out. Then if it needs to go there, it goes to an advanced person.

What I found most helpful out of it is the ability to see all of the same data, that I would get from my appliances, in one place. I don't have to log in to six or seven different appliances and hunt for that kind of information. I can just do some queries within LogRhythm and it tells me the same information.

One of the things I find that would be helpful is the GLPR information, to be able to understand what is actually being processed. I've got, say, 20 different rules, but I don't know which one is getting more of the data, which is getting none of the data, because there's not really a good interface for that.

The stability, it's pretty high, there were some early issues, we were overrunning it with data, and part of it was a sizing issue. Once we got through that it's been running a lot better and it's been more stable. We haven't had to worry about it falling over on itself.

At this point we're still using a single XM appliance. The scaling that we've had is really just upgrading from an older-series to a newer-series XM appliance.

There were a lot of support calls we went through, and they would tweak and change a few settings here and there. Then eventually, what we did was we upgraded to different hardware because there wasn't anything else we could remove. We had to continue to keep getting those same logs.

More of the AIE drill-down notifications. I don't have to customize a lot of stuff. I'm more of an advocate for LogRhythm dashboards for my company, to make sure that other teams utilize what I'm bringing into LogRhythm. Use it for their operations, use it for their alarms and so on.

For my situation, besides the investigation that LogRhythm offers, it's the AI Engine rule set that it offers. It has brought us more significant changes in how we alarm and notify our users about what's going on in our network. It's not just one specific log, it's the correlation of multiple logs on different log sources.

More features that I would like to see more development in are the automation and the smart response. A lot of the attendees here at the LogRhythm User conference are working towards that, and most of us are not even developers. But we're trying to figure what are the skill sets and how do we make sure that LogRhythm gets more intuitive in automating and responding to alarms and notifications that we get.

The stability is pretty much straightforward. I know the product has grown very big and it has tried to cover a lot more features, it has brought more features, and I was surprised that I've seen a lot more features coming out in version 7.3.

I'm at that point where we're investigating getting a new box, looking at other options. I'm at that point that my box has reached its maturity and I need to replace it, probably next year. We're in the process of working that out with our sales engineer.

Probably the investigation part, being able to investigate any log. We've got so many sources that go in there that, at any given time, we can easily look up the logs on just about any system that we have.

What I'm looking for was actually in a session, here at the LogRhythm User conference, about the PIE phishing analytics. That was real interesting because right now we've got a guy that walks through that process attempting to see if the email came in, who got it, and whether or not it was exploited. That's all manual at this point. 

I think they're limited now with this to Office 365. We've got on-prem Exchange and it would be interesting to act like they're going to evolve that into that, to have that ability to look at that information a lot quicker.

We've had it for about nine years, going on 10 years. 

It's definitely evolved. It's gotten to the point where you can scale it well. We recently got the AI Engine running and realize that we need to spin off the Web Console and the AI Engine to a separate box, and off the platform manager. Then we can easily add a data processor or a data indexer to expand our processing power too.

We had some other vendors at the time, but LogRhythm beat them out. We had RSA, I don't remember what the name of their product was, and LogLogic.

It's just amazing, that you can get the information, especially the AIE information, where it correlates different logs together. It's just incredible. It's something that in the old days, that you had to use grep and go to multiple servers, versus now you just tap in and drill-down and, bam, you've got all the logs that you need. It's just amazing, the process.