PeerSpot user
Head Of Technical Services at a tech services company with 51-200 employees
Real User
Stable for long periods, and comes with built-in UEBA
Pros and Cons
  • "I would say the most valuable feature of LogRhythm is that it has built-in UEBA functionality, among other basic Windows packages."
  • "I think there is room for improvement because the system is still running on the Windows Server platform. The problem with running on Windows is that it is not that good for scaling and providing for big deployment environments."

What is our primary use case?

I am a distributor and not an end-user of the product, so I cannot comment on use cases.

What is most valuable?

I would say the most valuable feature of LogRhythm is that it has built-in UEBA functionality, among other basic Windows packages.

What LogRhythm really excels at is its stability, since, in all the deployments that I have been involved in, there's no break-and-fix at all. When the customer finds that there is something lacking from the solution, it is often a matter of deploying extra appliances and things like that. So the most valuable feature in an abstract sense is that it is so reliable. 

What needs improvement?

I do think there is room for improvement because the system is still running on the Windows Server platform. The problem with running on Windows is that it is not that good for scaling and providing for big deployment environments.

With that said, I think it's good enough. For the most part, I just want to have a consolidated platform for the NDR, i.e. the new MistNet NDR that they have acquired, with the current XDR. At this time, it is still two separate controls.

For how long have I used the solution?

I have been working with LogRhythm NextGen SIEM from a company perspective for three years. 

Buyer's Guide
LogRhythm SIEM
November 2023
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: November 2023.
745,341 professionals have used our research since 2012.

What do I think about the stability of the solution?

All of the deployments that I have been involved in have been very stable, over long periods of time. There's very little in the way of breaking and fixing at all. Most complaints are typically just that the customer comes across extra requirements that need to be added on to the base product.

What do I think about the scalability of the solution?

There are some issues with scaling that I'm aware of. Most of the time, the scalability becomes increasingly more complex when increasing the indexing or when processing the loss security complex. It's not easy when we go to a high-volume customer environment where many laptops are involved, for example. In that case, it's perhaps not that easy to scale.

How are customer service and support?

The technical support is good, and they are available at any time. They allocate customer assistants and account managers for taking care of all the application support. Any time that I need a technical fix and the customer is not certified, they will escalate the issue to the customer success manager who will then help solve it.

Which solution did I use previously and why did I switch?

Compared to other solutions, an advantage of LogRhythm is that it still works on a lot of the old platforms. As mentioned, it is based on the Windows platform, and I think that it wins out due to the straightforward pricing and how easy it is to calculate for the sizing and critical add-ons such as UEBA and SOAR.

Because the platform is always the same, it's just easier to extend it as needed. For example, it's not technically dependent on another solution that's been acquired by themselves or another company like IBM.

The main difference boils down to the question: for add-ons and such, do you need to seek out a different service from a different vendor rather than adding to the same solution by the same company? I believe they do it all from the same R&D teams and it shows.

How was the initial setup?

The deployment for only one small or medium size environment is pretty straightforward, but for enterprise deployments where there are many different components (e.g. various appliances or other software add-ons) it can become very complex, especially for HA setups.

What's my experience with pricing, setup cost, and licensing?

The setup and licensing for small and medium size businesses is straightforward, though when it comes to the enterprise it pays to keep in mind the possibility for complications given all the extras and add-ons that may be required. 

What other advice do I have?

My advice is to take a look at the account directly with the account manager of LogRhythm and find a value-added distributor to support you with the sizing, consulting, use case discovery, and building up the operation maturity roadmap, in order to be truly aligned with the LogRhythm deployment in the long term.

I would rate LogRhythm NextGen SIEM a nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior System Engineer at a tech services company with 11-50 employees
Reseller
Stable with one central dashboard and good scalability
Pros and Cons
  • "The product is great for medium to large-scale organizations."
  • "The solution is likely not the best option for a smaller organization."

What is our primary use case?

We primarily use the solution to reduce insider threats. We also use the product to deal with some aspects of banking security. For example, with this product, we are able to lower the threat of being attacked by malware.

What is most valuable?

I appreciate the fact that I can do everything from one dashboard. That is the main aspect of LogRhythm so far that I find extremely useful. We don't need a different dashboard or other solution for managing things.

The initial setup is simple. 

The solution is stable.

The product is great for medium to large-scale organizations.

The product can scale. 

Technical support is reportedly quite good.

What needs improvement?

What I would suggest is for the product to make the consoles more user-friendly. The integration module should be simpler. That way, the end-customer himself can do the integration and they are not always dependent on our site. The integration with other vendors should be easy.

The solution is likely not the best option for a smaller organization.

One of the features I like to recommend is a LogRhythm queuing ticket for a level-one tier system so that clients are not dependent on a third party.

For how long have I used the solution?

We've been working with the product since 2018. It's been almost three years at this point.

What do I think about the stability of the solution?

The solution is very stable and reliable. There are no bugs or glitches. It doesn't crash or freeze. It's reliable. 

What do I think about the scalability of the solution?

In terms of scaling, the solution is best for medium to large companies. Smaller companies likely do not want to invest in IT security products, however, for medium to large organizations, especially banks, LogRhythm works well.

It's easy to scale. What we do for scalability is we always put the hardware capability higher than the license. For example, if a customer wants a 3,000 MPS license, we always provide 6,000 MPS hardware. If they want to scale the license to 4,000 or 5,000, we just put the license in, and then it works as the size capacity is there. It's easy. It's not that difficult.

How are customer service and support?

We are not an end-user and therefore do not directly deal with technical support. In terms of the support, the end-user would get a response from the technical team, and, so far, from the feedback I've gotten, they are good. Clients seem satisfied with the level of service they receive.

Which solution did I use previously and why did I switch?

I also work with Oracle. 

How was the initial setup?

The initial setup is simple for us, basically. It's not that challenging. The main challenge we face for integration is from the different vendors as we have to do different tasks. However, the deployment of LogRhythm is very easy.

It takes 12 to 15 days for a full deployment.

We have two phases that are five to seven days each. The second phase involves integration and tuning stuff and that can usually take six or seven days for that part alone.

It's on a Windows server. Windows is very convenient for everyone. Users can just follow the process as per LogRhythm and it's easy to deploy everything.

In our distribution model, we don't provide end-user support directly. We have another partner company that provides maintenance and support for the end-user. For the partner side, many of the engineers are LogRhythm certified and they do the maintenance and other tasks.

What about the implementation team?

As an implementor, we can handle the setup for our clients. 

What's my experience with pricing, setup cost, and licensing?

LogRhythm pricing is based on the MPS. They always quote the pricing per unit of MPS. The number of MPS which the customer needs is what we provide with the unit price and we get a good discount on it, as per LogRhythm.

The price is in USD. For that reason, when we convert from USD to our currency, the pricing seems quite high.  

Everything is included. We get the data processing license as well as the sole license and the filing, ticketing, monitoring licenses, and the collector license as well. We get everything in one package.

What other advice do I have?

We are a distributor and we have around 15 to 20 partners who are working with LogRhythm in this region. We work for the end-user and we implement it and handle presentations for the customer.

We are working with the latest version of the solution. I can't speak to the exact version number, however.

I'd rate the solution at a ten out of ten. It's a very good product overall. Clients have been very happy with it. In terms of the feedback we've received from the end-user and our own experience with the deployment process and manageability, everything is great.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Unit Head Titanium (Security Solution) at RapidCompute
Real User
Great features with good cloud functionality and excellent technical support
Pros and Cons
  • "Technical support is very helpful and responsive."
  • "Parsing is totally controlled by LogRhythm and they do not allow any partner or any third-party to handle this part and this is a key challenge on my end."

What is most valuable?

We really appreciate the new cloud functionality. The cloud is really showing its dominance. 

Technical support is very helpful and responsive.

The product has a lot of useful features.

What needs improvement?

There aren't really any missing features. It's quite a complete solution.

Most of the clients using the on-prem are using customized applications. In the customized applications, we are facing parsing issues and a minimum of two days is required by the LogRhythm team for parsing logs. 

Parsing is totally controlled by LogRhythm and they do not allow any partner or any third-party to handle this part and this is a key challenge on my end. This is a huge cost impact, at least on the Pakistani market. It needs to be addressed.

The solution should be less expensive.

It would be very helpful if there was a package to help users migrate from QRadar to LogRhythm.

In Pakistan, the government is in the process of developing its final recommendation of cybersecurity and data protection process. We hope this solution will prove to be compliant and will meet the requirements in the future.

For how long have I used the solution?

I've been using the solution for approximately one and a half years at this point. It hasn't been too long just yet.

What do I think about the scalability of the solution?

We have four or five people using the solution in our organization. They are managing the LogRhythm infrastructure.

How are customer service and technical support?

We are in touch with their support. It's government support, and they're quite supportive, and they are quite responsive. They have a divisional team that is quite responsive.

How was the initial setup?

The initial setup is complex with LogRhythm. In the Pakistan market, with LogRhythm, the climate is very limited at this point. For the on-prem, there may be only two customers, for example. One is a bank and one is serving as an MSSP.

We've added four customers to a pay-as-you-go model. You apply Windows 2000 MPS or a cloud environment. The initial setup is quite difficult, however, after making certifications we are able to provide the initial setup and got it working with the LogRhythm support team.

For maintenance, I have five engineers that are part of my security team, including me and my sales and operations. Approximately we have 14 to 15 people that can handle maintenance.

What about the implementation team?

We had some assistance from the LogRhythm support team. We did not entirely do it ourselves.

What's my experience with pricing, setup cost, and licensing?

The cost of the solution should be reduced. In the Pakistan market, they have competition from IBM QRadar. They have quite a significant core difference. While the quality of this product is better, IBM has a stronger penetration in the market based on price. 90% of financial institutions are doing the QRadar in Pakistan. The Central Bank is using QRadar, simply due to the cost differences.

Which other solutions did I evaluate?

Initially, we tested out the QRadar, however, due to some delay and due to some market awareness tests, we did not continue.

What other advice do I have?

We are using the solution for our own infrastructure and we are also offering it as a service. We are the largest service provider, cloud service provider, in Pakistan. However, we use a variety of deployment models - including cloud and hybrid.

We have an ISO position for government-certified infrastructure. We have a PCI-certified infrastructure as well as a GDPR-compliant infrastructure.

We work closely with this product in particular. We have a lot of hands-on experience.

I'd rate the solution eight out of ten. If it weren't for some parsing limitations in the product, I would rate it even higher.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Systems Administrators at a tech services company with 201-500 employees
Real User
Very helpful for monitoring and alarming, very stable and scalable, and excellent technical support
Pros and Cons
  • "File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting."
  • "It should have some more message monitoring features. It can also have some free message monitoring tools."

What is our primary use case?

I use LogRhythm for PCI DSS compliance. All of our devices are sending logs to LogRhythm. I have set up Silent Integrity Monitoring, Data Loss Prevention, Registry Integrity Monitoring, and other alarms for detection, and we do investigations.

How has it helped my organization?

I don't have metrics, but it has really improved the monitoring and alarming for us. 

What is most valuable?

File Integrity Monitoring is really valuable because we have it set up on our core assets. This is one of the key features that I utilize. We also use it quite a lot for event management to do reporting.

What needs improvement?

It should have some more message monitoring features. It can also have some free message monitoring tools.

For how long have I used the solution?

I have been using this solution for about two years.

What do I think about the stability of the solution?

It has been very stable. There are no major issues. It has been exactly doing what I expected it to do.

What do I think about the scalability of the solution?

It has been very scalable in terms of adding new systems and stuff like that. It has been quite good.

We have plans to increase the usage of LogRhythm. We have some new solutions and new networks coming up. We might be looking to expand within the next two years to onboard new systems.

How are customer service and technical support?

Technical support has been excellent so far. I never had any issues with technical support. Their support has been excellent.

Which solution did I use previously and why did I switch?

I didn't use any other solution previously.

How was the initial setup?

It was pretty straightforward. The actual deployment of it took about two days, but the implementation strategy took longer. It took a couple of months for meetings and planning with different experts, project managers, and engineers. They looked at our business requirements and other things.

We have two administrators and two analysts. Four of us are managing the system.

What's my experience with pricing, setup cost, and licensing?

It costs a great amount, but its pricing is competitive with some of the other vendors. For licensing and support, we pay about 20,000. There are no additional costs or anything like that. 

Which other solutions did I evaluate?

When I was looking for a solution, I looked at Splunk and LogRhythm. There was one from SolarWinds as well. Cost-wise, LogRhythm was the one that impressed me the most. Splunk was really good as well, but it was a little too costly.

What other advice do I have?

I would definitely recommend this solution for compliance requirements, such as PCI DSS compliance. It does cost a great amount, but its pricing is competitive with some of the other vendors. If it is a necessity to have a SIEM solution, I would definitely recommend LogRhythm.

I would rate LogRhythm NextGen SIEM a nine out of ten. It has been really good. So far, my experience has been seamless. They should keep doing what they're doing.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
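The File Integrity Monitoring this reviewer relies on for PCI DSS works by recording a cryptographic hash of each watched file and alarming when a re-scan disagrees with that baseline. As an added example that is not part of the review and not LogRhythm's own code, the following Python script implements that baseline-and-compare cycle in its general form: SHA-256 per regular file, then classification of drift into added, removed and modified paths. The directory layout and file contents built inside `demo_fim` are constructed for illustration only.

```python
"""Minimal file-integrity monitoring: baseline a tree, re-scan it, report drift.

Added example; the directory tree and file contents in demo_fim() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: str) -> dict:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256."""
    root_path = Path(root)
    baseline = {}
    for entry in sorted(root_path.rglob("*")):
        if entry.is_file():
            baseline[entry.relative_to(root_path).as_posix()] = sha256_file(entry)
    return baseline


def compare_baselines(old: dict, new: dict) -> dict:
    """Classify drift between two baselines; each list is sorted for stable reporting."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "modified": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo_fim() -> dict:
    """Constructed scenario: baseline a tiny tree, tamper with it, and re-scan.

    Simulated changes: a config edit, a replaced binary, a dropped-in new file
    and a deleted file. Returns the drift report so callers can inspect it.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF-placeholder-binary")

        baseline = build_baseline(tmp)  # what a FIM agent would store at enrolment

        (root / "etc" / "app.conf").write_text("debug=true\n")         # modified
        (root / "bin" / "service").write_bytes(b"\x7fELF-replaced")    # modified
        (root / "etc" / "newfile").write_text("unexpected content\n")  # added
        (root / "etc" / "hosts").unlink()                              # removed

        return compare_baselines(baseline, build_baseline(tmp))


if __name__ == "__main__":
    report = demo_fim()
    for kind in ("added", "removed", "modified"):
        for path in report[kind]:
            print(f"FIM alarm: {kind} {path}")
```

In a real deployment the baseline would be persisted somewhere the monitored host cannot rewrite, and each drift entry would be raised as an event for an analyst; the script above only shows the detection core.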
PeerSpot user
Information Security Officer, Network Analyst at a university with 1,001-5,000 employees
Real User
It puts things together and provides the evidence and has good automation and integration capabilities
Pros and Cons
  • "Automations are very valuable. It provides the ability to automate some of our small use cases. The ability to integrate with other products that use an API is also very useful. LogRhythm has a plugin for it that we can connect and start to move down towards the path of a single pane of glass instead of having multiple or different tools."
  • "Their ticketing system for managing cases can be improved. They can either do that or adopt some of the open-source ticket systems into theirs. The current system works and gets the job done, but it is very bare-bones and basic. There are some things that could be improved there. They should also bring in more threat intelligence into the product and also probably start to look into the integration of more cloud or SAS products for ingesting logs. They're doing the work, but with the explosion of COVID, a lot of businesses have started to move towards more cloud applications or SAS applications. There is a whole diverse suite of SAS products out there, which is a challenge for them and I get it. They seem to be focusing on the big ones, but it'll be nice to be able to, for example, pull in Microsoft logs from Office 365. They are working towards a better way of doing that, and they have a product in the pipeline to pull logs in from other SAS applications. The biggest thing for them is going to be moving away from a Windows Server infrastructure into a straight-up Linux, which is more stable in my eyes. For the backend, they can maybe move into more of an up-to-date Elastic search engine and use less of Microsoft products."

What is our primary use case?

We use it for log ingestion and monitoring activity in our environment.

How has it helped my organization?

It is a simpler system than what we had before. We had IBM QRadar, which used to give us everything, and we had to dig through, figure out, and piece it all together. LogRhythm lights up when an event occurs. As opposed to just giving us everything, it will piece things together for you and let you know that you probably should look at this. It also provides the evidence. 

It is easy to find what you're looking for. It is not like a needle in the haystack like QRadar was. It is not a mystery why something popped or why you're being alerted. It provides you the details or the evidence as to why it alerted or alarmed on something, making qualifying or investigations a little bit quicker and also allowing us to close down on remediation times.

What is most valuable?

Automations are very valuable. It provides the ability to automate some of our small use cases. 

The ability to integrate with other products that use an API is also very useful. LogRhythm has a plugin for it that we can connect and start to move down towards the path of a single pane of glass instead of having multiple or different tools.

What needs improvement?

Their ticketing system for managing cases can be improved. They can either do that or adopt some of the open-source ticket systems into theirs. The current system works and gets the job done, but it is very bare-bones and basic. There are some things that could be improved there. 

They should also bring in more threat intelligence into the product and also probably start to look into the integration of more cloud or SaaS products for ingesting logs. They're doing the work, but with the explosion of COVID, a lot of businesses have started to move towards more cloud applications or SaaS applications. There is a whole diverse suite of SaaS products out there, which is a challenge for them and I get it. They seem to be focusing on the big ones, but it'll be nice to be able to, for example, pull in Microsoft logs from Office 365. They are working towards a better way of doing that, and they have a product in the pipeline to pull logs in from other SaaS applications.

The biggest thing for them is going to be moving away from a Windows Server infrastructure into a straight-up Linux, which is more stable in my eyes. For the backend, they can maybe move into more of an up-to-date Elasticsearch engine and use less of Microsoft products.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

Bugs are there. We've encountered quite a few, but support is pretty quick at picking up and working with us through those and then escalating through their different peers until we get a solution. Now, the bugs are becoming less and less. Initially, they were rolling out features pretty quickly, and maybe some use cases weren't considered. We ran into those bugs because it was a unique use case.

What do I think about the scalability of the solution?

It is easy to scale. We run different appliances. So, for us scaling is not an issue. Each appliance does a different piece of the function, so scalability is not a problem. We started off doing say 10,000 logs per second or MPS event, and then we quickly upgraded. Now, we're sitting at a cool 15,000. There is no need to upgrade hardware or anything. You just update the license. That is it.

We have multiple users in there. We have a security team, operations teams, server team, and network team for operations. We also have our research team, HBC team, and support desk staff. We have security teams from other universities in the States. We're sitting at a cool 50 users.

How are customer service and technical support?

Their technical support is good. They are pretty quick at working with us. I would give them an eight out of ten. I don't know what they see on their end when a customer calls in and whether they are able to see previous tickets. It always feels like you're starting fresh every time. They could maybe improve on that end.

Which solution did I use previously and why did I switch?

We had IBM QRadar for what seemed to be almost a decade. So, we just needed something different. There was a loss of knowledge transfer, as you can imagine, over a decade with different people coming in and out of security teams, and the transfer of knowledge was very limited. At the time I got on board, I had to figure out how to use it and how to maintain it and keep it going. We had some difficulties or challenges with IBM in getting a grasp on how we can keep getting support. It was a challenge just figuring out who our account rep was. After I figured that out, it was somewhat smooth sailing, and then we just decided it was time for something different, just a break-off because products change in ten years. You can either stay with it and deal with issues, or you do a break-off and get what's best for the organization.

How was the initial setup?

It was complex simply because we had different products. 

What about the implementation team?

We did have professional services to help us, which made the installation a little bit smoother. Onboarding of logs and having somebody with whom you can bounce ideas and who can go find an answer for you if they didn't have one readily available made the transition from one product to the other pretty straightforward.

What's my experience with pricing, setup cost, and licensing?

We did a five-year agreement. We pay close to a quarter of a million dollars for our solution.

What other advice do I have?

I would definitely advise giving it a look. If you're able to deal with it in your environment and just give it a chance, it'll grow on you. It is not Splunk, but it's getting there. They're gaining visibility with other vendors. The integration with third parties is starting to light up a little bit for them, unlike IBM QRadar that has already created that bond with third parties to bring in their services into the product. LogRhythm is definitely getting there, and it is a quick way to leverage in-house talent. So, if you want to do automation and you have someone who is good at Python scripting or PowerShell, you can easily build something in-house to automate some of those use cases that you may want to do. 

I would rate LogRhythm NextGen SIEM an eight out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Researcher at a tech services company with 1-10 employees
Real User
Efficiently catches threats and reduces the risk of exposure
Pros and Cons
  • "In terms of security, LogRhythm NextGen SIEM is great."
  • "Scalability-wise, it's not that great."

What is our primary use case?

Private monitoring is our primary use case.

What is most valuable?

In terms of security, LogRhythm NextGen SIEM is great.

For how long have I used the solution?

I have been using LogRhythm NextGen SIEM for one year.

What do I think about the stability of the solution?

LogRhythm NextGen SIEM is stable.

What do I think about the scalability of the solution?

Scalability-wise, it's not that great, but integration with other solutions is pretty easy.

How are customer service and technical support?

The technical support is great.

Which solution did I use previously and why did I switch?

We also use Splunk, but in terms of security, we always recommend LogRhythm NextGen SIEM.

How was the initial setup?

The initial setup was very straightforward. We deployed LogRhythm very easily. In total, including configuration, we deployed this solution in less than one day.

What's my experience with pricing, setup cost, and licensing?

In the context of our country, the price of this solution is too high.

What other advice do I have?

Overall, on a scale from one to ten, I would give LogRhythm NextGen SIEM a rating of eight. 

I would definitely recommend this solution; my only concern is with the price — it should be lower.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Associate Senior Engineer - Network & Security at Connex Information Technologies (Pvt) Ltd.
Reseller
Enables us to alternate incident automations but reporting needs improvement
Pros and Cons
  • "The most valuable feature is that we can alternate incident automations."
  • "We need to get better training for things like creating code and playlists. The way it's done now takes a long time."

What is our primary use case?

Our primary use case is for financial companies and telcos.

What is most valuable?

The most valuable feature is that we can alternate incident automations.

What needs improvement?

We need to get better training for things like creating code and playlists. The way it's done now takes a long time. 

For how long have I used the solution?

I have been using LogRhythm NextGen SIEM for two years. 

What do I think about the stability of the solution?

The stability depends on the client we are installing or integrating for, based on the server's requirements. We can create them according to that defined time period. It's not that difficult, but it depends on the customer or the other server requirements.

We can have a dashboard in a single platform, we can get notifications via email or SMS, and we have Smart Response actions. So that kind of possibility is there.

What do I think about the scalability of the solution?

Our clients are mostly on a larger scale. 

How are customer service and technical support?

You can request support and they respond immediately. They're really good. 

How was the initial setup?

The initial setup is easy. It can take two hours. The first day of deployment is easy. Then depending on the devices and log servers, it can take time. We can give them predefined or pre-created devices and logs. The deployment depends on the devices and systems we are integrating. But the initial stage is easy.

What's my experience with pricing, setup cost, and licensing?

Because we are a developing country, the costs depend on country development. We implement it for large-scale companies because normal companies, startup companies, can't afford products at that price. We mainly focus on large-scale companies.

What other advice do I have?

I would definitely recommend this solution if you can afford it. 

We get customized reports and we get reports including all the details, but when we start using them we couldn't start with the Outlook editor. We can customize a document and we can write a report. The dashboards are very user-friendly and very attractive. But when it comes to the reporting part, I think that could use improvement in the next release. 

I would rate it a seven out of ten. 

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Distributor
PeerSpot user
Cyber Security Researcher at a tech services company with 1-10 employees
Real User
Stable with an easy initial setup and good security
Pros and Cons
  • "The initial setup is pretty easy."
  • "For our market, the solution is quite expensive. It would be ideal if they could work on and improve their existing pricing plans to help make it more affordable in our country."

What is our primary use case?

We typically consult with our clients and help them with necessary services.

What is most valuable?

The UEBA flow is the most useful aspect of the solution.

The initial setup is pretty easy.

While the cost is high, the security provided is quite good, and for those who can afford it, they will pay for the peace of mind.

What needs improvement?

I'm not a fan of the system's user interface.

For our market, the solution is quite expensive. It would be ideal if they could work on and improve their existing pricing plans to help make it more affordable in our country.

We'd like it if the solution could be more customizable in future releases.

For how long have I used the solution?

We've been dealing with the solution for about a year.

What do I think about the stability of the solution?

The solution is quite stable. There aren't issues related to bugs or glitches. It doesn't crash. It's reliable.

What do I think about the scalability of the solution?

The solution can scale if a client needs it to.

We have clients that have 10-15 users on the solution. They are mostly security analysts. In terms of those that can actually view and escalate cases, there may only be five with such access.

At this point, there aren't any plans to increase usage.

How are customer service and technical support?

We typically are the ones that handle technical support for our clients if they run into issues.

How was the initial setup?

The initial setup is not complicated. It's quite easy and very straightforward if you follow the guides provided. I followed the guides and found it to be rather simple. It's not difficult to get everything up and running.  

The deployment doesn't take too long. You can have it ready to go in one working day. That includes installation and configuration.

We have a minimum of five people who handle maintenance and deployments.

What about the implementation team?

Our company handles the installation for our clients. We can handle the implementation ourselves. We don't need a separate consultant or integrator.

What's my experience with pricing, setup cost, and licensing?

In our market, for the price it costs, our clients aren't using this solution so much. It seems to be quite expensive in Nepal. That said, even with the fees and a rather high cost, it is the best product among other competitors. 

What other advice do I have?

We're partners with LogRhythm.

We don't technically use the solution typically. We consult with clients and advise on products. We also provide services on the solutions we offer. In this case, we do use the product as we log issues.

We use the latest version of the solution.

For our customers, the pricing will scare off many. However, if users are concerned more with the security of their account, they'll find this is a good option.

I would recommend the product. On a scale from one to ten, I'd rate it at an eight.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior Cyber Security Engineer at an individual & family service with 10,001+ employees
Real User
Good support, offers customized alarms, and helps us to focus our investigative efforts
Pros and Cons
  • "I have found the Advanced Intelligence Engine has provided the most value to us because we can customize alarms based on our requirements and have created hundreds of alarms that notify different people for different scenarios."
  • "There used to be the ability to create alarms based on message text that was included in LR Version 6.x that has been removed in LogRhythm 7.x, and on that, I would like to see it added back."

What is our primary use case?

We use multiple instances as dark sites. We have roughly 350-400 hosts per site consisting of 4K to 5K log sources.

How has it helped my organization?

It has not only helped us meet requirements on a development program, but it has also allowed us to focus on insider threats as well as provide forensics capabilities to identify potential security risks.

What is most valuable?

I have found the Advanced Intelligence Engine has provided the most value to us because we can customize alarms based on our requirements and have created hundreds of alarms that notify different people for different scenarios.

What needs improvement?

There used to be the ability to create alarms based on message text that was included in LR Version 6.x that has been removed in LogRhythm 7.x, and on that, I would like to see it added back. I was told that this was due to processor overhead but with the amount of CPU and memory suggested, I don't see why this would be an issue.

For how long have I used the solution?

I have been using LogRhythm NextGen SIEM for six years.

What do I think about the stability of the solution?

It is stable when all the resource recommendations are met.

What do I think about the scalability of the solution?

Scalability is endless with this product.

How are customer service and technical support?

Technical support has been great.

Which solution did I use previously and why did I switch?

We did not use another product prior to this one.

How was the initial setup?

The initial setup is pretty straightforward.

What about the implementation team?

Our in-house team handled deployment.

What's my experience with pricing, setup cost, and licensing?

I don't get involved with pricing.

Which other solutions did I evaluate?

We did not evaluate other options.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Sr IT Security Engineer at Puget Sound Energy
Real User
Facilitates compliance and auditing of adherence to regulations
Pros and Cons
  • "We use this solution to examine disparate log sources and provide a cohesive method to search for anomalous behavior."
  • "I would like to see support added for Exchange 2016, and Check Point OPSEC LEA."

What is our primary use case?

We use this solution to examine disparate log sources and provide a cohesive method to search for anomalous behavior. 

How has it helped my organization?

In our compliance environments (NERC and SOX), we are able to provide evidence of compliance.

What is most valuable?

The most valuable feature is scheduling the KB update, which reduces administrative effort.

What needs improvement?

I would like to see support added for Exchange 2016, and Check Point OPSEC LEA.

Adding the capability to identify and perform an auto import of new log sources (especially Windows-based systems), based on specified criteria, would be a useful feature. 

Enhancing the creation of report packages would also improve this solution.

For how long have I used the solution?

Between four and five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Network Engineer at a government with 5,001-10,000 employees
Real User
Top 5
Useful to maintain logs for auditing purposes, but too complicated to use with insufficient support
Pros and Cons
  • "The feature that makes it usable is the web interface."
  • "It is a product that is very hard to use."

What is our primary use case?

Our primary use case is for general log monitoring. We do not use it as a SIEM.

What is most valuable?

The feature that makes it usable is the web interface.

One nice feature about the product is the log message field extraction, where they try to fit every field into a field name. A log message is a string of ASCII text and its value depends on how the vendor formats it. Fields within log messages, such as a time stamp or source IP address, are delimited by spaces. Depending on the type of device, the information varies because if it's a temperature sensor you'll get temperature, or if it's a pressure sensor you'll get pressure, but if it's an Active Directory server you'll get an Active Directory message. The problem comes about because in some cases, the fields are not labeled.

Rather than an identifier for a source IP address (e.g. "SRCIP="), it will just have the address, and you have to determine what it is based on its location within the message. Of course, even though the field name is not in the log message itself, the field will still have a name. Extracting it correctly requires that you understand how the vendor formatted it. With LogRhythm, it does a better job than some products at slotting every field into a field name.

What needs improvement?

The biggest complaint I have is about their support. There is no free instructional advice available on their website. An example is with their field names inside log messages, where they have one named "Common event". That is something that LogRhythm has created, and you can't figure out what it means unless you pay a large sum of money for LogRhythm training. Compare this to Splunk, where I can go to their website and download twenty articles on field names right now. There is no documentation that we can afford to buy for this product, so we just have to wing it.

Their product has issues when it comes to hard drive management. Again, their support is not one hundred percent. We are using their hardware, and one time the product just spontaneously stopped collecting logs for about a month and nobody knew it. We called them, and it took a week or two of troubleshooting before they found the issue. To make it worse, the issue was not a misconfiguration. Rather, it was related to how they were storing temporary logs on the hard drive. The drive was shutting down and the logs were not being accepted. It took them weeks to figure this out and it shouldn't have happened in the first place, which suggests a bad design.

It is a product that is very hard to use. You have to set a wide variety of parameters before you can even start to search. The highly structured nature of it does provide some guidance, but with a lack of documentation for things like field names, I don't know what I'm looking for. 

We don't get much use out of this product because people around here consider it to be unreliable, and it's hard to do searches. The main reason for it being here is that there are audit requirements for collecting logs and maintaining them. We have been able to solve problems with it, but searching is kind of clunky.

For how long have I used the solution?

Three years.

What do I think about the stability of the solution?

With respect to stability, I can only speak to our environment, but we have had issues with the hardware. It's a Windows product. We have seen the system spontaneously seizing, and we have experienced complete failure.

When an incoming log message is processed there are a lot of operations that have to take place. These include analyzing the time, identifying fields to see which are present, naming the fields, and indexing the information. We have seen this process fail quite a few times. With the recent purchase of new hardware, however, I don't think that we have had this problem lately. It may be related to an older version of the hardware, but I don't know.

What do I think about the scalability of the solution?

I think scalability would be more difficult. Unlike Splunk, where the licensing is based on the volume of incoming gigabytes, you have to buy additional hardware to handle an increase in data. These boxes are then added to a cluster, and it is expensive.

We have four or five people who use this product, and we're all network engineers.

How are customer service and technical support?

I don't like their support.

If you go on their website and you want to get a training video for how to do X then forget about it. They're not going to give it to you until you pay. They don't give you any information unless you pay for it. I think that stinks about the product.

Let's say that I am using Splunk, and I need to know how to write a regex (regular expression), or if I need to know how to configure an index or something, then I go on to the website, find an instructional article, read it, and finish what I'm doing. With LogRhythm it's "Where's the money?"

I understand that you have to pay for training courses, and I understand that you have to pay for certification, but it is the same with Splunk. With LogRhythm, it doesn't give you anything without paying first.

What about the implementation team?

LogRhythm came in and deployed the product, and there is no maintenance required that I know of.

What's my experience with pricing, setup cost, and licensing?

This is a solution for people who have cash to spend. Everything is expensive with LogRhythm, and you don't get anything for free.

I suggest that everybody who uses this product receive the full training and certification, and can also afford to pay for the high-level engineering support. If you don't have the money for the training, then it's not for you. It costs approximately $5,000, but if you don't get it then you won't be an efficient user. It is a very complicated product, so the training has to be a commitment that you're willing to make. The training cannot be for a single person, but everybody who will be using the product.

LogRhythm sells you a box that has a certain capacity for incoming log messages. Once you exceed that capacity, you have to buy another box and cluster it. It's expensive. It is for environments where the money is not a barrier.

Which other solutions did I evaluate?

The solution was already in place when I arrived, so I was not involved in the decision.

What other advice do I have?

Honestly, I don't like this solution so much. I'm actually a Splunk Certified Architect and so I know Splunk pretty well, and when I compare them, I really don't like this product. The best advice that I can give is not to install this product unless you have a use case that matches its capabilities.

The use case for this product, the LogRhythm SIEM, is in a regulatory environment such as HIPAA, SOC, PCI, or banking. These are heavily audited environments where you have precise requirements for reporting. They have pre-configured lots of different types of inputs but it's a very rigid environment. You can only collect information from certain types of sources and it's very complex as to how to instruct the product to obtain a certain type of log message.

Once you configure a new log message source, you'll have to go on to the LogRhythm platform and conduct a variety of clicks and actions to vet or verify that log source and allow LogRhythm to start collecting logs. Not only that, but there's one more annoying thing. I'd say for these highly audited environments, regulatory environments that I mentioned, they have many, many pre-configured reports.

So, it's designed very rigidly. In other words, they have done a lot of work in pre-identifying what the fields are in every type of log message. If you're getting log messages from Active Directory or the firewall then they know exactly what every field is. But, they have their own particular naming convention for fields and with the rigidity, you can't change that so easily.

I'm in the networking team and we're using it to monitor log messages from our networking equipment. For that, it's not such a good product. For example, consider a jet engine with a lot of sensors such as temperature, pressure, rotational speed, wind speed, fuel flow, etc.; they have lots and lots of sensors in them that are all connected by Ethernet. If you want to use Splunk to monitor a jet engine you can do it, easily. Forget about doing it with LogRhythm, that's not happening.

The bottom line is that for highly regulated industries it may work well, but you cannot use LogRhythm to monitor equipment. You also have to make sure that everybody who uses the product has full training and certification. If you're not willing to commit to the full training then don't even consider it.

I would rate this solution a five out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
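The reviewer above describes the two shapes a log message can take: fields carrying their own label (for example "SRCIP=") and fields that are unlabeled, where the name has to be assigned from the field's position in the vendor's layout. The parser below is an added example written for this page, not LogRhythm's own field extraction or any vendor's real format; the positional layouts, the vendor tags (FWLOG, TEMPSENSOR) and the sample lines are all constructed for illustration.

```python
"""Slot every field of a log message into a field name.

Added example, not LogRhythm's parser.  Handles both labelled messages
("SRCIP=10.0.0.5") and unlabelled ones, where the name comes from the
token's position in a per-vendor layout.  Layouts and sample lines are
constructed for this example; they are not any vendor's real format.
"""
import re
from typing import Dict, List

# Constructed positional layouts, keyed by a vendor tag at the start of the
# message.  Each list names the space-delimited slots that follow the tag.
POSITIONAL_LAYOUTS: Dict[str, List[str]] = {
    "FWLOG": ["timestamp", "action", "src_ip", "src_port",
              "dst_ip", "dst_port", "proto"],
    "TEMPSENSOR": ["timestamp", "sensor_id", "celsius"],
}

# KEY=value, where a quoted value may contain spaces.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_labeled(message: str) -> Dict[str, str]:
    """Extract KEY=value pairs; quotes around values are removed."""
    return {key: value.strip('"') for key, value in KV_RE.findall(message)}


def parse_positional(message: str) -> Dict[str, str]:
    """Name unlabeled fields by their slot in the vendor's layout."""
    tag, _, rest = message.partition(" ")
    layout = POSITIONAL_LAYOUTS.get(tag)
    if layout is None:
        raise ValueError(f"no positional layout known for tag {tag!r}")
    tokens = rest.split()
    if len(tokens) < len(layout):
        raise ValueError(
            f"{tag}: expected {len(layout)} fields, got {len(tokens)}")
    fields = dict(zip(layout, tokens))
    # Keep anything beyond the documented slots instead of dropping it silently.
    extra = tokens[len(layout):]
    if extra:
        fields["unparsed"] = " ".join(extra)
    return fields


def extract_fields(message: str) -> Dict[str, str]:
    """Pick the strategy by message shape: labelled if any KEY=value is present."""
    if KV_RE.search(message):
        return parse_labeled(message)
    return parse_positional(message)


# Constructed sample messages: one labelled, two positional.
LABELED = ('ts=2023-11-02T10:15:00Z action=deny SRCIP=10.0.0.5 '
           'DSTIP=203.0.113.7 msg="port scan detected"')
POSITIONAL_FW = "FWLOG 2023-11-02T10:15:01Z deny 10.0.0.5 51234 203.0.113.7 443 tcp"
POSITIONAL_TEMP = "TEMPSENSOR 2023-11-02T10:15:02Z rack3-inlet 27.5"

if __name__ == "__main__":
    for line in (LABELED, POSITIONAL_FW, POSITIONAL_TEMP):
        print(extract_fields(line))
```

The point to notice is that the positional branch is only as good as the layout table: a message from a device whose format has not been described raises an error rather than being guessed at, which is exactly the situation the reviewer describes when a product lacks a parser for a given source.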
PeerSpot user
Vice President at a financial services firm with 201-500 employees
Real User
Has the ability to investigate a particular period of time in order to analyze logs but we've had problems with stability
Pros and Cons
  • "The ability to investigate a particular period of time where you can analyze logs is its most valuable feature."
  • "I would like to see more integration with more products that are out there within the same security field."

What is our primary use case?

Our primary use case is for looking at daily logs, drawing conclusions, and making relationships and correlations to investigate particular event IDs, investigate particular alarms that we have, and just viewing normal data use. I'm new to the system so I'm still getting used to it. 

How has it helped my organization?

From a security standpoint, it's the solution to have, in regards to LogRhythm. Just having a SIEM solution in your environment is definitely key. It's a very highly rated solution, but we may be moving away from it in the future. We're looking to see what else is out there. 

What is most valuable?

The ability to investigate a particular period of time where you can analyze logs is its most valuable feature. 

What needs improvement?

I would like to see more integration with more products that are out there within the same security field.

There has to be some improvement with SecondLook Wizard. It's one of the functionalities on LogRhythm where you can restore inactive logs. For instance, it's a forensic analysis point of view if something happened around a year ago that you have to look into. I wish there was a smoother, more seamless feature.

What do I think about the stability of the solution?

We have a lot of issues with stability. Sometimes it crashes and we have to rerun a scan. It also freezes. It hasn't been the best.

What do I think about the scalability of the solution?

Scalability is fine. 

How are customer service and technical support?

We've submitted some tickets with their technical support. My manager has had some poor experiences with them in the past. 

Which other solutions did I evaluate?

Quality, support, preciseness, and accuracy are the criteria we consider when we evaluate solutions to proceed with. 

What other advice do I have?

I would rate it a six and a half out of ten. Sometimes I have to rerun scans and look into why the scan didn't complete and why it crashed. All of that stuff has to do with the initial setup. For the most part, it does what we want, but there can definitely be improvement.

I would advise someone considering this solution to look beyond LogRhythm. LogRhythm is one of the top solutions. I would say Splunk is overrated. Look into IBM QRadar and then McAfee as well.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Security Lead at a financial services firm with 201-500 employees
Video Review
Real User
It has really improved my personal sense of security as far as our organization

What is our primary use case?

We utilize the LogRhythm solution to monitor most of our servers and our users to make sure that nothing anomalous is happening. What I really love about the LogRhythm platform is the fact that when something anomalous happens, I can see it almost immediately through the ability to collect a massive amount of logs in a very small footprint as far as hardware goes.

We do utilize everything. I think one of the most recent things that I've really enjoyed about LogRhythm is the ability to utilize smart responses published by LogRhythm. For example, one of our use cases is that we have a termed users group, and when someone is placed in there, we want to monitor to see if their account is ever activated again. So we have a smart response set up that when a termed user is enabled, the smart response immediately activates and says bam, that user is getting disabled again. We don't want anyone to have access to that at all.

How has it helped my organization?

We've seen mean time to detect and to respond go down pretty significantly. We actually recently implemented the CloudAI solution, which allowed us to look into our users' anomalous behavior. Recently, we actually had a user who's a remote user; he traveled to somewhere else in the US, and CloudAI flagged it and was like, hey, this user is authenticating from somewhere new. This isn't somewhere we've seen before. I jumped right in, and I'm saying, "Hey, what's this user doing?" We emailed their manager who emailed them, and they said, "Oh, no, I'm just on vacation in California. It's okay." We had CloudAI learn about it, and now, it's really easy to see when a user does something anomalous.

CloudAI has been something in our environment that I have enjoyed immensely. It takes really a lot of the guesswork out of what our users are doing. Right when we implemented it, our CEO was actually out of the state, and we were having a hard time getting a lot of his user data because he was out of the state on vacation. When he came back, immediately CloudAI flagged him in the 80s with a threat score being from 0 to 100. Immediately, I was like, oh crap, our CEO's account has been compromised. But no, CloudAI was still learning our environment. It took it about a month or two to learn what was happening in our environment, what was going on, and then all of our threat scores, they kind of hover around the 20s now.

When something does something anomalous, when they work out-of-state, even when they authenticate to a different Microsoft server, it lets us know immediately what's going on, and it lets us know, and it lets us understand what our users are doing. CloudAI has definitely enhanced our security operations. It helps me understand what the users are doing almost instantaneously. It helps me understand what these users are doing in a daily report, and it helps me really feel why our users are doing certain things, why they're authenticating to certain servers. It helps me understand what their job would really want them to access or what their job has them access.

When they do something different from that, I really want to know why they're doing that. CloudAI helps me know what our users are doing. Rather than what hosts are doing or what servers are doing, it helps me know what the users are doing with their accounts. I think somewhere CloudAI would have room for improvement is maybe correlating hosts with IPs because often, I'll have a user, it'll come up with an anomaly score saying it's been authenticating from different hosts, but really what it is is it'll have the user's computer, then the user's IP that they're coming from, and sometimes their hostname with our domain name afterwards. Sometimes, CloudAI will usually be alerting us on some things that are really just the user's computer IP coming up multiple times.

What is most valuable?

LogRhythm has really improved, I think, my personal sense of security as far as our organization. I feel that I can trust the data that it's pulling in. Through its metrics, I can see when something isn't reporting so I know immediately if, maybe say one of our core servers isn't feeding its logs to us, I can remediate that almost immediately, and then feel secure again knowing that that data is coming to LogRhythm, and LogRhythm is correctly dealing with it. I can know that our security is in place.

We haven't used any of the LogRhythm built-in playbooks yet. Stability has been really good. The LogRhythm platform in our environment actually sat for three years with no one really using it. I came in about six months ago. I was able to pull it from generating about a thousand alarms a day that were just heartbeat errors, or critical components going down, to it actually only generating about 100 alarms a day, some of those being diagnostic alarms, but most of them being very helpful alarms that rarely ever point to having a component being down. With some short maintenance daily, LogRhythm has been a very stable platform.

What needs improvement?

I think condensing and consolidating what a user accesses over and over again and just having CloudAI understand that that's all of the user's, and you can consider it as one thing rather than multiple things, and alarming on it, and alerting me on it, having me have a mini heart attack every time it tells me that this user is authenticating from a new place.

What do I think about the scalability of the solution?

Scalability with the LogRhythm platform has been immensely easy. We went from about five system monitors to over 200 in a week. We implemented that through our system management thing, but rolling out 200 system monitors in a week was incredibly easy through the client console, which LogRhythm has documented immensely well.

How are customer service and technical support?

Tech support with LogRhythm has been great. I've only ever had one bad case out of about the 15 or 20 tickets I've put in. They usually immediately get back to me, and even if it's something outside of their scope, they're always willing to help refer me to the person that I need to talk to, and my issue is always resolved within the week. LogRhythm's support for log sources is great. We have about 3,000 log sources right now that we're taking in. Most of that is coming into our main data collector, but anytime we've had any new log sources that we need to onboard, it's been pretty seamless, and we haven't seen any performance hit on our main box.

With the LogRhythm platform, we're processing anywhere from 800 to 1,500 messages per second, and we don't see a performance hit at all.

How was the initial setup?

We've had CloudAI implemented into our deployment for about three months so far, and out of that three months, we've only had one day of downtime. That was with a scheduled transfer from how they were hosting it before to where they're hosting it now. Stability and uptime have been 99% plus. It's been something that I can count on every day to come in and see this report and rely on it. We really haven't had the chance to scale CloudAI. We're a growing organization, but we're not ballooning, and we're not adding on new users. CloudAI is a great option to sync with AD to pull all your users, and you can just set up the identities and run with it on day one. The reason why we went with CloudAI and decided that it was something we needed in our environment was because we had the log data for a lot of our servers, a lot of our hosts.

We had the authentication data from our domain controller on the users, but we really wanted to understand what the users were doing and why they were doing it. So we looked into other artificial intelligence programs that would do some of the similar things, but we realized that CloudAI would do what we wanted but then feed the data right back into the LogRhythm platform. With that, we were able to see what the users were doing along with what our servers were doing, what the hosts were doing, and we would have all that data correlated, and we could understand it in one big picture right in the web console.

The implementation of CloudAI was incredibly easy. We just ran a script, added a certificate, and all of the sudden, we were sending the data to them, and we had a report the next day. When we choose a vendor to work with, the number-one thing that we want to understand is that they understand the product. We aren't just going to go to a vendor and say, "Here's our money, please go learn about this product and then implement it in our environment," because I'll just implement it, I'll just learn about it myself and do it. But if I go to a vendor and learn that they know about this product, they've implemented something before, I'm going to go with them nine times out of 10 because they will do something that I can't do myself because I don't understand what's going on.

What other advice do I have?

If I had to rate LogRhythm and CloudAI out of 10, I think I'd give it an eight. There's still room for LogRhythm to improve, and they've laid out a pretty great roadmap for what they want to do in the future. I think if they continued to innovate and continue to implement the things that they've talked about, that they'll continue to grow in my eyes. There is some room for improvement, but overall, if you want a very solid platform with stability and scalability, LogRhythm is definitely the way to go.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
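The reviewer above describes a smart response that fires when an account in the termed users group is enabled again and immediately disables it. The block below is an added example of that detect-and-respond loop, written for this page; it is not LogRhythm's SmartResponse or any code from the reviewer's environment. It assumes events arrive as key=value lines resembling Windows Security event 4722 ("A user account was enabled") forwarded by an agent (that field layout is an assumption), and the group name "Termed Users", the account names and the directory state are all constructed.

```python
"""Detect a terminated user's account being re-enabled and disable it again.

Added example, not LogRhythm's SmartResponse.  Event lines are constructed
to resemble Windows Security event 4722 (account enabled) as forwarded by a
log agent; the key=value layout, group name and accounts are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

TERMED_GROUP = "Termed Users"   # constructed group name for terminated staff
EVENT_ACCOUNT_ENABLED = 4722    # real Windows Security event ID


@dataclass
class Directory:
    """Minimal stand-in for the directory the response would act on."""
    enabled: Dict[str, bool]          # account -> currently enabled?
    members: Dict[str, Set[str]]      # group -> member accounts

    def disable(self, account: str) -> None:
        self.enabled[account] = False


@dataclass
class Alarm:
    account: str        # the account that was re-enabled
    actor: str          # who enabled it (SubjectUserName)
    computer: str       # where the event was logged
    action_taken: str   # what the response did


def parse_event(line: str) -> Dict[str, str]:
    """Split a constructed 'key=value key=value' agent line into a dict."""
    return dict(token.split("=", 1) for token in line.split())


def handle_event(line: str, directory: Directory) -> Optional[Alarm]:
    """Return an Alarm (and disable the account) only for a termed user re-enable."""
    ev = parse_event(line)
    if int(ev.get("EventID", "0")) != EVENT_ACCOUNT_ENABLED:
        return None                                      # not an 'enabled' event
    target = ev["TargetUserName"]
    if target not in directory.members.get(TERMED_GROUP, set()):
        return None                                      # legitimate enable, ignore
    directory.disable(target)                            # the response action
    return Alarm(account=target,
                 actor=ev.get("SubjectUserName", "unknown"),
                 computer=ev.get("Computer", "unknown"),
                 action_taken="disabled")


def run(lines: List[str], directory: Directory) -> List[Alarm]:
    """Process a batch of event lines, returning one Alarm per response taken."""
    alarms = []
    for line in lines:
        alarm = handle_event(line, directory)
        if alarm is not None:
            alarms.append(alarm)
    return alarms


def build_sample_directory() -> Directory:
    """Constructed state: two terminated staff, one new hire, one service account."""
    return Directory(
        enabled={"jdoe": True, "asmith": True, "newhire": True, "svc-backup": True},
        members={TERMED_GROUP: {"jdoe", "asmith"},
                 "Domain Users": {"jdoe", "asmith", "newhire"}},
    )


# Constructed sample events: two termed users re-enabled, one legitimate
# enable of a new hire, and an unrelated account-created event (4720).
SAMPLE_EVENTS = [
    "EventID=4722 TargetUserName=jdoe SubjectUserName=helpdesk01 Computer=DC01",
    "EventID=4722 TargetUserName=newhire SubjectUserName=helpdesk01 Computer=DC01",
    "EventID=4720 TargetUserName=svc-backup SubjectUserName=admin Computer=DC01",
    "EventID=4722 TargetUserName=asmith SubjectUserName=admin Computer=DC02",
]

if __name__ == "__main__":
    d = build_sample_directory()
    for alarm in run(SAMPLE_EVENTS, d):
        print(alarm)
```

The membership check is what keeps the response narrow: only accounts already placed in the termed group are touched, so the new hire's enable event is left alone, and each alarm records who performed the enable and on which host so the analyst can follow up on the actor rather than just the account.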
PeerSpot user
Information Security Manager at a healthcare company with 1,001-5,000 employees
Video Review
Real User
We find the single pane of glass and the ability to see everything that's going on in the environment a valuable feature

What is our primary use case?

The primary use case is tying all of our log sources together between all of our Windows servers, network devices, and we've recently added all of our cloud infrastructure as well. So it's really tying all those together, correlating all those logs and getting us one central pane of glass really as it relates to all of our logging activities.

How has it helped my organization?

I think the biggest way that it's improved us from an organizational standpoint is giving us a single view into all of our log sources and all of our infrastructure devices. Whereas before we didn't ever have that. It was always a hodgepodge of stuff put together, so I think the best thing is that it brings everything together so that we can all have one view of it.

The playbooks are definitely something I see a lot of value in, and so I look forward to when we do get upgraded to be able to use those playbooks. I think that's a way of automating and making sure that we're standardized in the way that my team and I are utilizing LogRhythm. I think playbooks are very valuable.

We really aren't tracking our mean time to respond or mean time to detect as of now, that's kind of something that I want to get better at, to kind of formalize that process. So as of now, it's hard to say how much it has, but I know just from an anecdotal standpoint, I can guarantee that we're doing a lot better in responding now than we did before, before we had the SIEM in place.

What is most valuable?

I think the biggest thing is tying all of our log sources together, whereas there was a lot of manual work before of reviewing Windows logs or you know, firewall logs. Bringing it all together so that way my team, the information security team, as well as the infrastructure team can kind of view all of that from a single pane of glass and see everything that's going on in the environment.

As of now, we're not using all of the full analytics capabilities that we know the LogRhythm SIEM can do. So that's one of the areas that we need to improve on. We have all of our log sources in there; now making sure that we're getting the value of all that together is something we still need to work on.

What needs improvement?

I would say the thing that I'd like to see LogRhythm do a better job of is staying ahead of the curve as it relates to things like cloud. It seems like from that standpoint that maybe the cloud stuff was a little bit of an afterthought or wasn't done as people started to move to cloud quicker. It's one of those things where we kind of are doing it now, but it seems like some of the cloud connections are still kind of being created as we go. So I think that's one area I think they could improve in.

What do I think about the stability of the solution?

Stability has been great. We have not had any unplanned outages, all the upgrades that we have done have gone as expected. So from that standpoint, stability's been great.

What do I think about the scalability of the solution?

Scalability's been great as well. We've got a very disparate environment, and the original servers that we have, from three years ago, are still in place. We haven't had any performance issues at all, so it scales to our solution, understanding that as we bring on additional devices, we know that it will scale up to be even bigger than where we're at right now.

How are customer service and technical support?

Tech support's been great. Every time we work with them on any upgrades or any questions about anything, whether we want to add a new log source or whatever, they've been excellent on that, and they're always right on top of it and always get us to where we need to go.

How was the initial setup?

I was involved; actually, it was one of the first products I was involved with when I started with the company. We didn't have a SIEM, didn't really have anything from a monitoring standpoint, didn't have anything. So LogRhythm was really the first major product that we bought, and the installation was awesome. I mean, it went as expected, moved along quickly, and it provided value as soon as we were done with the installation. So the install was amazing.

We have about 20 different log source types. In total log sources, we're probably in the 400-500 range, so there are log source types for everything that we have right now. One of the challenges we have had is adding all of our cloud infrastructure in there as well. So I know that's something that LogRhythm was working on.

We're doing about 2000 messages per second.

Which other solutions did I evaluate?

When we looked at putting a SIEM in place, we kind of realized that we wanted somebody that was a neutral vendor, not tied to specific vendors; you know, we wanted to make sure that the SIEM we were buying would monitor all the devices that we had in place. So finding somebody that's kind of independent, not tied to specific hardware manufacturers, was really important to us, to make sure that, you know, the SIEM could monitor everything that we had in place.

So I think from a security program maturity level, LogRhythm really got us started in that direction. As I mentioned, you know, it was one of the first products we bought, and when we first started, I really started the information security program myself. So it was kind of the first product we bought that we built everything around. So it really is kind of the central repository for everything we're doing from an information security program standpoint.

What other advice do I have?

I would say LogRhythm, on a scale of 1 to 10, would be a nine. I think it's a really solid solution. I think one of the things that they could probably improve on, as I mentioned, was being a little more proactive when it comes to things like cloud, so I think that they are getting better, but I'd say a nine right now.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Principal Security Analyst at a healthcare company with 10,001+ employees
Video Review
Real User
Our ability to respond quickly or the time to detect has dropped significantly. There's some things that we see now that we would have never seen

What is our primary use case?

My primary use case is to alert on any anomalies that may have security relevance as far as some of the industry regulations that apply to our healthcare, as well as the payment card industry.

How has it helped my organization?

We have a product that is a security orchestration and response tool, Demisto, and I think that, from the standpoint of automation and response, perhaps the first version of the playbooks is not going to compare to the product that we have that's standalone for that purpose. However, from a price point it's very attractive, and I think that as it matures we'll look at probably moving over onto the LogRhythm playbooks if it can support the kind of things that we're leveraging out of this other product, and it looks like that's their plan.

It was the same thing that was brought up in one of the talking sessions. Our users will tend to forward every email they don't like just to be safe. It's a spam review, and it takes our analysts a ton of time to go through. So we have leveraged this to go and read from the mailbox that those spam emails all get forwarded to, and then to look at and analyze the hashes of any files. They'll hash them, or the links in the file, or the sender, or anything that looks funny, and it'll do all the things an analyst would do and make its determinations, and then we'll see from there if we have anything to follow up on.

Our ability to respond quickly, or the time to detect, has dropped significantly. There are some things that we see now that we would have never seen. For example, maybe a domain administrator adding an account to a server's admin group, which goes against process and policy, but they're doing it to troubleshoot something or whatever. We had never seen that before because of the amount of logs that come out of those Microsoft security logs and the fact that we've got 6,000 servers in our environment. But the other things that we would have seen, we still see them faster. When we see something from the power firewalls where a verdict changed (it did pass something through, but now it says it's malicious, an attachment on an email or something), we can take action now far faster, whereas before we might have gotten the indication out of our antivirus tool when somebody tried to double-click the attachment.

What is most valuable?

The most valuable feature for our organization is the centralized pane of glass for us to go through and triage and see everything going on in our environment. We're a mature organization. We have a lot of tools and a lot of different implementations, and to go through all those dashboards monitoring everything is just not possible. So we centralize everything, and then we come into the web console and we're able to triage and respond quickly to anything that is important.

We do use many other capabilities within LogRhythm. We of course collect from our printer devices and our servers, as well as some of our security-specific systems. We'll drink from APIs. We'll also implement file integrity monitoring in our data environment. So we use a lot of different features available within LogRhythm.

It makes it possible to stay aware of much more of what's going on. We get an overview, a macro view that we can zoom in on, as opposed to prior to that, when we had individual panes of glass. You might be stuck in the firewall interface for half a day while something going on is not getting addressed that we really should probably investigate. So that's our biggest benefit.

We're not using any of the built-in playbooks. We are about to go up to version 7.4 once it becomes available. We were not an early adopter because of our size.

What needs improvement?

There are two that I can think about off the top of my head. One is service protection. So, for example, to compare it to the antivirus product: if I'm an admin on a server, I can't uninstall the antivirus product unless I have the administrator password for the antivirus, not the domain administrator password. In the same way, these guys that are out there doing upgrades in the middle of the night and stuff don't know why anything isn't working. But the first thing they do is they want to peel off all the security products 'cause they think that's interfering. Then all of a sudden I'll have a server that no longer even has the LogRhythm agent on it. I'm trying to figure out who uninstalled this and whatever. It gets into a situation where I just go, well, why is that possible? A product like Symantec antivirus or Traps or something, I couldn't uninstall it from my workstation even if I'm a domain admin. I've got to have that admin password for the product, and I think that should be baked into the LogRhythm agent so we have more stability over our deployment.

The second thing that I would like is, like I said, our logging level is about 750 million logs a day, but sometimes we'll go to 850 or 1.2 billion logs a day. Sometimes maybe 680. So what in my environment changed? I don't have the ability, really, with the tools they give me to profile the systems and the log sources very well, except for running reports, which I can look at in kind of the Crystal Reports interface, or I can export to a big giant PDF or spreadsheet. But then I'm looking: well, last month the Exchange service kicked out this many logs, and it's a little bit more, but where did the rest of it go? If I go from 750 million logs average in a day to 850, it might not just be a delta of 100,000 logs increase; it could be 150, because something else might not have generated the same amount of logs.

So as for the ability for me to profile a system and say what's behaving normally and abnormally, you can do some of that with the AI rules, and we've played a little bit with that in the past, but it would be better if it was something like what they're doing with UEBA, where I can say this server kicked out 80 million logs yesterday and that's not normal for it. I'd like to see what was going on with that box. That would in some ways help my mean time to detect which servers went through a significant variance in what they typically do; it would be very helpful for me on a lot of days.

LogRhythm gives us the ability to automate. We do have some SmartResponse plugins that we're using. Unfortunately, with healthcare you end up using more contextual SmartResponse plugins than you do actionable ones. I can't go and shut down a system unless I have absolute 100 percent confidence in the fact that it's not actually touching a person, because a biomed is a computerized medical device that connects to a person. So in our environment, with a half dozen hospitals and 130 clinics, we can't just go around shutting things down or even necessarily quarantining them, because it might be a client-server type of situation where we can't interrupt this if maybe they're giving a radiation treatment to someone. We have a lot of different enclaves and things. But LogRhythm allows me to see things that I may want to take action on via a human resource. I can send a desktop tech out there to make sure that whatever it is I'm concerned about is not in fact taking place.

What do I think about the stability of the solution?

In LogRhythm the stability is very good. We're pleased with it. However, we have a high rate of logs, at least I think it is. We approach 750 million logs on a daily basis; that is about our average, and if anything stops working or a service needs to be restarted, it will rapidly vary itself. We don't have too many problems with anything like that; it's just that from time to time, if something's not available, a resource it needs, things will begin to back up, and then it's exciting trying to recover.

What do I think about the scalability of the solution?

Scalability is good. We have 23 systems, not counting the collectors, that are big LogRhythm servers: data processors, indexers, monitors, web consoles, PMs. We have them in two different data centers, and we find that scaling for volume is very good. As for scaling for the flip-over in any disaster recovery situation, we don't use Microsoft DNS, we use Infoblox, and the DR utility up to this point did not incorporate that product line and what was necessary. But they did take it back, and that's what I like about how responsive they were. They didn't charge us the PSRs for all the time that we spent when it didn't work. They went back, they worked with Infoblox, they handed off a technical document that I can work through with my DNS guys back there, and then we can reschedule the hours with PS. So, really, I liked the way that they addressed it. They made it like we were important. I know we're one of many, but they took that back and they expanded their disaster recovery capability based on the fact that that's what we wanted.

How are customer service and technical support?

Oh, tech support's good. We generate a lot of tickets. Anything from logs: sometimes the vendors will enrich their logging, but then that changes the ability of the tool to parse it, and so then we'll notice that a log is not parsing and everything's going to the catch-all rule. We'll open up a ticket, and they'll take care of that pretty timely, as well as any time that we have a high issue, something that's affecting our availability and visibility in our network; they're very responsive.

How was the initial setup?

It was back in 2014, so I was assisting someone else whose primary function was to implement it, and it was several full versions back. I think it was version six or five or something like that. I don't know what it was. I think your awareness of LogRhythm grows over time. There are certainly ways to do things that are advisable, that you can get away with. Rules that are not tuned well, when you're on a certain scale, once you get big, no technology is going to really handle inefficient rules and log processing policies that are beyond what you need, right? So I think that we probably had a normal growth path and knowledge curve compared to others, where we first got it and we tried to do too much, turned on a bunch of rules, didn't know how to tune them. But I think that right now we have a solid implementation. We have 130, 150 alarm rules running. We're not maxing out resources. Everything is running really well from a reliability standpoint, availability from the product. We do wish that the web console would go back a little bit further with its look-back in time. However, it is fortunate that they've embraced some of the other stand-alongside technology like Kibana and the ELK stack, where we can take a look at the parsed data and trend back over time.

What other advice do I have?

If I had to rate LogRhythm, I would say I give it an eight out of ten. I think that I like the direction that they're going as a company. I like their philosophy and the milestones that they lay out at these conferences. I do like them also from a product standpoint, because some of the competitors are just not, they're price prohibitive as far as volume, especially when you look at SIEM tools like Splunk. Small shops can afford Splunk, but big shops, you've got to really need Splunk to really afford it. The same with QRadar; that's what we had previously, where we were at, and they just became price prohibitive. So I like LogRhythm, they have the full package. I like where they're going with Network Monitor. I like the UEBA stuff. We're not currently using that. I like the playbook integration. It seems like they're really thoughtfully maturing their product line, and I think that gives me confidence that even if I have a pain point now, they're going to address that going forward.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Administrator at a non-profit with 501-1,000 employees
Video Review
Real User
It's been really good with what we needed and it's been very stable for our implementation

What is our primary use case?

My primary use case is for log retention. I've been using it for analysis, and to troubleshoot potential issues on my network and infrastructure, to find out what I have in my network that may be causing problems.

How has it helped my organization?

We can sit and see what's going on, as well as being able to see errors immediately as they populate, since spending time looking at logs is ridiculous, trying to put all that in place.

We will be using the playbooks in the future as we get everything implemented and put in place. The idea is it's going to help automate a lot of what we're doing and make it more efficient, as well as be able to preempt, potentially, a lot of other errors.

What is most valuable?

The most valuable feature has just been the log reporting. Within three hours of installation of LogRhythm, we were pulling error reports that actually indicated we had a switch about to fail. It saved us about ten thousand dollars on a potential failed switch.

We are ramping up the analysis and the analytics part of LogRhythm. We're in the process of building a lot of that. We're trying to build it out as cleanly as possible, so what we have in place is a lot of the intrusion detection and basic PCI compliance.

What needs improvement?

For me it would be the efficiency in signing up and standing up systems, as well as a little bit cleaner case management. That can be a little bit complicated to go through and actually be able to analyze and compile the information that I have. At least that's what I've found so far. Those would be the two biggest things.

What do I think about the stability of the solution?

Stability thus far has been really good. We've had it up for about six months and I've had no failure points with it. Little bugs here and there, but that's expected as you're working through and getting everything stood up. But it's been pretty stable and pretty rock-solid.

I'm probably gonna be around seven hundred and fifty sources that I'm using right now. Somewhere in that realm. It's been robust enough to handle everything that we've been putting through it. I have about 150 to 200 more that I need to stand into it, but it's been pretty stable there.

How are customer service and technical support?

The times I've used tech support, it's been really efficient. I've gotten responses usually within 24 hours.

How was the initial setup?

The initial setup was actually me and the technician. I did 90% of the installation myself and he basically came on board and verified everything I did and gave me some pointers as I went through.

Installation was incredibly straightforward. I was able to get it set up. As I said, I stood it up on my own about ninety percent of the way, without any input from anybody else, and just the final pieces of staging were done with somebody else.

Which other solutions did I evaluate?

We needed to set up a new solution based on our company requirements that were being rolled out. We needed to step up and add something. When I came on with the company, I wanted to add on a SIEM solution immediately; I just got the funding and benefit because the company said we had to. There wasn't anything in place beforehand. So it was just very much me saying this is what we need and this is how we need to roll it out. It was through my research that I fell back on LogRhythm.

The most important criterion for a vendor is ease of use. Since I have a small team, it's pretty much me running everything, so I need to make sure that I am able to do it efficiently and be able to hand it off to somebody when I need to. The next piece is what it can provide and the amount of tools they can provide to me in very short order.

My short list for SIEM solutions would have been Splunk. I also looked at Spiceworks, SolarWinds, and a few other smaller ones out there. But basically Splunk and LogRhythm were my primary two.

My security program was non-existent when I started, so this was basically one of the first implementations that I did to step-up my security implementation. Before this there really wasn't anything to work with. So it's slowly building its maturity through LogRhythm and a couple of other sources.

What other advice do I have?

I would rate this product an eight out of ten, just because there's always room for improvement and there are always things we can work on. So there are always benefits, but it's been really good with what we needed and it's been very stable for our implementation.

My advice to somebody who's looking to stand up a SIEM solution is to do your research, look at the white papers, look at the documentation they have available on how other people have responded and how many people have stood it up on their own. Get this information and then start playing with it before you start doing the implementation. It gives you a lot of foundation and makes the implementation part a lot easier.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT Security Analyst
Video Review
Real User
The product is improving our organization, giving us a lot more visibility. It also gives a lot of our smaller different IT organizations a better understanding of their environment

What is our primary use case?

The primary use case for our LogRhythm product is to maintain PCI compliance across all of our environment. We also use it to monitor authentication and monitor our perimeter for security threats.

How has it helped my organization?

The product is improving our organization, giving us a lot more visibility. It also gives a lot of the smaller, different IT organizations that we partner with a better understanding of their environment, and also a way to kind of structure the access to that data.

We are using a lot of the analytical capabilities. One of my favorite features is the AI engine that allows us to take multiple data events, tie them together in different patterns and different baselines in order to identify more complex threats in our environment.

Our security program is still pretty immature. It's a pretty immature company; we've existed for less than a year. We're growing very rapidly, and we're trying to start with the foundational policy and compliance requirements that we have and trying to tie those and map those into LogRhythm. So that's gonna be our main tool to tie all those requirements into.

What is most valuable?

The most valuable feature I get out of the LogRhythm platform is being able to take machine data and present it in a format that's easy to understand, easy to analyze, easy to pivot through to get answers to the questions that I had that I'm investigating, whether they're security related or operationally related.

At this time, we're not using any of the playbooks in LogRhythm because it's currently not available in our version. However we are very excited about that feature coming out in the near future and we're definitely looking at using playbooks to do phishing, unauthorized access and our other use cases we're gonna identify in the future to make sure that our analysts are responding to the threats in similar ways and that the correct actions are being taken.

We have around 75 different types of log sources coming into the environment right now. The log source support is good, there's always room for improvement. One of the areas that LogRhythm's kind of pushing really hard right now is to integrate more cloud solutions, so your Office 365, your Azure, your AWS, making sure that those SaaS and other cloud platforms are getting the data you need into that platform. It's getting better but there's definitely still work to be done.

We currently have 3,000 messages per second in our environment, but we still have a number of different resources to onboard in our tenant. So we're definitely looking to push above that, probably into the 7,000 to 8,000 range.

What needs improvement?

The biggest one in my mind that I want to implement is some of the AD controls: reacting to a threat where an account password needs to be changed, or an account should be disabled, to react to that threat. Moving first into a phase where an analyst is gonna see that and review that action, and then, once we get comfortable, make that an automated action.

The two big areas for improvement: one is TTL, making sure that the data that we're collecting is available for a longer amount of time. I know with some of the new releases coming in LogRhythm, that's gonna be improved, which I'm really excited about. The other one is kind of getting back to the fundamentals of why LogRhythm was chosen as a solution: being able to take your machine data, understand it, index it, classify it, and give you that visibility.

I'd like to see them focus on that, because there are so many different security tools being spun up these days that being able to keep up with that, and having more partnerships with security vendors to make sure that when security tools have new releases in their environment, they're able to keep up with those logging changes.

What do I think about the stability of the solution?

Stability in the LogRhythm product has been very solid for me. I'm a very experienced user; I've used the product for about five to six years now. I have a lot of administration and analyst experience with the tool. The other great feature is that LogRhythm support is really excellent: they're easy to get a hold of, they're very talented, and if they aren't able to answer your question right away, they have a very good internal escalation process to get an answer to resolve your issue.

What do I think about the scalability of the solution?

Scalability is pretty solid with LogRhythm. I know that's one of their biggest issues: if you have a huge enterprise environment, there might be scalability issues, but for small, medium, and pretty large-sized businesses, I think LogRhythm's gonna be a great tool to match that environment.

Which solution did I use previously and why did I switch?

I wasn't part of the evaluation at this location; I actually took the job because I knew they had selected LogRhythm and I had the experience there. I know they did some SIEM tool comparisons with Rapid7, Splunk, and QRadar, which was the incumbent, when evaluating LogRhythm as a replacement SIEM solution.

How was the initial setup?

I was involved in the setup at our organization, replacing QRadar, our previous SIEM. It was a very straightforward implementation; the TMF team at LogRhythm helped make sure we got everything deployed, gave us some examples of how to onboard the log sources, and then kind of gave us a playbook to move forward and gather the rest of the data from our environment.

What other advice do I have?

I'd give LogRhythm a nine out of ten because of the ease of use, especially as an analyst, being able to twist and turn all that data, drill down on it, and really get an easy understanding of what's going on in the environment.

From the administration side as well, it's a lot easier to use than other products that I've had, and it has all the built-in knowledge, whereas with some tools you dump all your data into it and it's up to you to do that classification and indexing and understanding of that data, whereas the value that LogRhythm's gonna provide for you is that prebuilt classification for all the data sources in your environment.

If I had a friend that was looking to implement a new SIEM solution, I would have them understand what log sources they're trying to bring into their SIEM solution and make sure that the one they chose supported those log sources. On top of that, understand the use cases that you're gonna use this SIEM for, have those ready in hand, and be ready to start building those out as you get that data into the environment.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Analyst at a financial services firm with 201-500 employees
Video Review
Real User
Improves our organization by giving us insight into user activity and potential security threats

What is our primary use case?

Our primary use case for LogRhythm is using the log ingestion and analytic features.

How has it helped my organization?

LogRhythm improves our organization by giving us insight into user activity and potential security threats.

Our mean time to detect and respond has really improved with LogRhythm. We've got more people and more visibility on our team looking at security incidents, and we're able to act on things more quickly.

Our security program's maturity is, I would say, fairly advanced. LogRhythm uses a maturity model of crawl, walk, run, and I think we're just about to move from walking to running.

What is most valuable?

The most valuable features, for me as a user, are probably the AI Engine rules and dashboards, which give us a lot more insight into our security.

The playbooks functionality will be valuable down the road, but right now my team is too small to really take advantage of it.

Our messages per second right now are probably about 4,500.

What needs improvement?

I see room for improvement in the log ingestion. Customizing a log source is very technical, probably more technical than it has to be.

What do I think about the stability of the solution?

Stability of the product is mostly pretty good. Like anything else, there are incidents that we have to respond to: some very small amount of downtime, some system administration that goes along with any implementation like that.

What do I think about the scalability of the solution?

Scalability, for us, has been very good. We've had two appliances in five years. We've been able to upgrade without too much of a problem.

How are customer service and technical support?

We have to use tech support pretty regularly and it is sometimes not very good. We've had issues where we can't get immediate responses that we need, and cases are open for far too long.

How was the initial setup?

I was not involved in the initial setup. I inherited it from a previous admin.

We probably have close to 2,000 log sources at this time. Setup for them is variable. Some are straightforward, supported out of the box; some take a little more technical expertise.

What other advice do I have?

If I had to rate LogRhythm on a scale of one to 10, I would probably give it a solid eight.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Admin with 1,001-5,000 employees
Video Review
Real User
I would say we have seen a decrease in mean time to detect and respond over our previous SIEM

What is our primary use case?

My primary use case is threat detection.

How has it helped my organization?

LogRhythm SIEM has improved our organization by allowing us to bring in very widely diverse log sources, correlate them, and very easily create rules around alerting. We also use the case management features of the product to easily integrate both functions into a single pane of glass for our analysts, so they don't have to use two different products for alarming as well as case management.

I would say we have seen a decrease in mean time to detect and respond over our previous SIEM. Basically, I think it can be attributed to the integrated case management. We are able to create cases, get eyes on those cases much more quickly than we were before.

What is most valuable?

The most valuable features are probably the AI Engine, as well as Netmon.

We plan on using the playbooks, and the value I think we'll get is automating or scripting the responses that our analysts use, rather than using our existing playbooks, which are somewhat incomplete. I think there will be a lot of out-of-the-box, pre-scripted playbooks that should be extremely helpful to us, as well as integrating some of the SmartResponse capabilities into the playbooks.

What needs improvement?

Definitely expansion on log parsing. There are some obscure log sources that we don't currently have parsers for. We needed a new solution when the licensing on our previous solution expired. The hardware was end of life, and it wasn't scaling very well. It didn't provide a lot of the features that we needed.

What do I think about the stability of the solution?

Stability has been pretty good. We've had some road bumps in terms of AIE stability, as well as with some log parsing for some of our larger log sources.

What do I think about the scalability of the solution?

Scalability seems great. We actually did an expansion recently, and so far, it seems to be scaled well.

How are customer service and technical support?

Tech support has been extremely helpful. They are generally very quick to respond. If the first level is not able to resolve the issue, they generally escalate pretty quickly and gather logs. They seem to be hands-on. They will generally take over your session, actually do a WebEx, take over your WebEx session and do most of the driving, to make things run a little smoother, rather than directing you to where to find logs in Linux or things that can be kind of obscure. They will generally do everything for you, short of making impactful changes.

As far as supported log sources, we find it to be very good for very common log sources, such as Palo Alto firewalls and Windows log sources. There have been a few security tools that we've found weren't supported out of the box, so we've had to either use professional services, try to create those parsing rules ourselves, or open cases with LogRhythm support to have those created.

Which solution did I use previously and why did I switch?

The reason we switched to LogRhythm, one of the core reasons, was the case management, as well as Netmon. We liked having the integrated Netmon, and the case management, again, gave us a single pane of glass for our analysts to view the data and import the relevant data into the cases without having to use separate systems.

LogRhythm is definitely influencing us. Since investing in LogRhythm, we've seen a lot more visibility into our program. We have a lot of non-security operations teams that are using the SIEM tools just to view logs, Windows logs, troubleshooting issues, troubleshooting security events, so we're getting a lot of buy-in from other teams into the program, which has accelerated the maturity of our program.

How was the initial setup?

I was involved in the initial setup, and it was fairly complex. We did use professional services to do most of the work, but, yeah, it was somewhat complex compared to some other solutions I've used in the past. However, with the capabilities of the product, it wasn't surprising, because with a feature-rich product, you're going to have some complexity with it as well.

What other advice do I have?

I would probably rate it as an eight or a nine, currently, mainly, probably due to the complexity of importing log sources that aren't natively supported.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Analyst at a non-profit with 1,001-5,000 employees
Video Review
Real User
The most valuable features for me are being able to know who's in the network, being able to drill down on the alarms, and being able to look at the different rules

What is our primary use case?

My primary use case for this solution is to basically monitor the network to make sure that we don't have unknown users or individuals that should not be in our network. So we use it basically to aggregate our logs within our system and to watch it for possible threats.

How has it helped my organization?

It has improved the organization a great deal. Now we're able to see what activity is actually being found in the network. So we're monitoring our firewall systems and different areas like that. It's a great help to us because we're able to see whatever is out there that would not have been seen previously, because it aggregates all the logs together and flags us according to the alerts that are being triggered at that time.

Right now we have just grown to eight security analysts in our group, but all have different roles. There are two individuals who are mainly responsible for the SIEM, myself and my coworker, and he's been cross-trained. He just recently went through the LogRhythm University training, which is great. So right now we do have about four analysts in this system, but the main number is two.

Currently we haven't seen a measurable mean time to detect because we're not using that at this time. But after this session, we will probably go ahead and start using that for metrics.

Our security improvement or maturity level definitely has increased. We started out with three security analysts and it has grown to eight. LogRhythm has improved it because we're able to see much more data. We're able to see much more of what's out there, what type of threats we're encountering, different things like that. So it's been a great improvement.

What is most valuable?

The most valuable features for me are being able to know who's in the network, being able to drill down on the alarms, and being able to look at the different rules or whatever has been impacted within the network by anyone being in the network.

At this point we don't use the full spectrum of analytics. We're still fairly new and trying to tweak our system to get the information that we want out of it. So we're still at the beginning stage.

We are not using the playbooks, we're still on a version that doesn't support them. But yes, after going through the session today, the preview session, we definitely want to use the playbooks.

What needs improvement?

For me, room for improvement is the upgrade process. Whenever we have to do an upgrade to the next version, we're a little nervous and apprehensive about that.

What do I think about the stability of the solution?

Stability: it's very stable within our organization. We're on 7.25 right now, and we do want to go up to 7.4. We're a little nervous about that at this point because it's so new, but eventually we will make that jump.

What do I think about the scalability of the solution?

Scalability is very good for us. We are able to use it in different areas within the organization. Different groups and stuff like that.

How are customer service and technical support?

I have used tech support in the past and it is great. I definitely recommend tech support. We do go to the LogRhythm Community first, but with me, when I was first introduced to the LogRhythm SIEM, I was new to the environment, so I leaned on tech support to help me understand the environment, and as I was making those calls with them I was like, "Okay, teach me like I'm a two-year-old. Walk me through this so I can do this on my own."

What other advice do I have?

On a scale of one to ten, I rate LogRhythm as a nine because it is a wonderful tool that definitely helps with identifying different threats within the organization. I would definitely recommend this tool. It's a very, I would say, beasty application. You always will be on top of things when it comes to LogRhythm because it's always changing, but that's a good thing, because the threat environment is always changing. So I'd definitely highly recommend it.

The advice I would give to an individual who's looking for the best SIEM tool to put in their environment would be to definitely look at one that's growing, that's not stagnant, and LogRhythm is definitely one of those that looks for ways to improve, in user friendliness and the different things that are out there in the environment, to be able to catch the bad guys or the different threats. They always try to stay on top of things. So I definitely recommend LogRhythm in that case.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Security Engineer at a healthcare company with 1,001-5,000 employees
Video Review
Real User
Our mean time to detect threats has been going down, which is a good thing

What is our primary use case?

Our primary use case for using the LogRhythm SIEM product is reviewing alarms, events, and managing our cases for forensic investigation.

How has it helped my organization?

The LogRhythm platform has helped my organization by being able to have 24 analyses on logs and events from all the various systems that feed into the LogRhythm platform. It gives our analysts the capability to assess rapidly and be able to respond to events in almost real time.

We currently have over 500 log sources inside the platform. Managing those is relatively easy. The main feature that we do take advantage of with our log sources is setting up silent log source alarms, so that way we can identify if a log source is not feeding logs as it should be.

Currently, our messages processing rate is around 2,000 messages per second.

Our mean time to detect threats has been going down, which is a good thing. Lately, our main focus has been on handling and reducing the mean time to resolve phishing incidences within the company.

Our security maturity program has been overall positively influenced, mainly in the HIPAA healthcare spectrum, by meeting third-party auditing requirements and having those tested, too, and confirmed by our third-party auditors.

What is most valuable?

The capabilities that we mostly take advantage of in the LogRhythm platform are the wide array of log formats that we can bring in from various systems, and the capability to create custom rule processing for log sources that may not already be a part of the platform.

Currently, the playbooks functionality is not in my version of LogRhythm, so we're looking forward to utilizing playbooks. That's part of the main draw for me to come here: to learn more about the playbook functionality and how we can incorporate that into our platform. But right now, the functionality is not there.

What needs improvement?

The largest room for improvement would be inside the web platform, being able to have a longer log live time. Currently, we manage about five days of live log data inside the web console. Ideally, that should be 30 days-plus.

What do I think about the stability of the solution?

Stability is very good; stability for the LogRhythm platform has been very positive. We do have pain points around upgrades, but we have been able to engage with support and get a rapid response to get those issues resolved.

What do I think about the scalability of the solution?

Scalability for the LogRhythm platform for my company has been very positive. We've been able to ingest logs from very high-traffic log sources without any type of issue or congestion, so very positive.

How was the initial setup?

I was not initially involved in the setup. I came in to manage the SIEM solution three years after its deployment.

What other advice do I have?

I would rate LogRhythm a nine out of 10, primarily because of the current functionality within the system and the direction that the company is going. I feel it's appropriately aligned with security today and being prepared for tomorrow.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Engineer at a logistics company with 10,001+ employees
Video Review
Real User
New functionality like playbooks are exactly how we're going to raise the maturity level of our team

What is our primary use case?

The primary use case is to provide security analytics for the SOC and to empower all of our SOC operations for day-to-day business.

How has it helped my organization?

LogRhythm has improved our organization by allowing all sorts of members of the organization to access this data in a much easier way than they have been able to in the past. So instead of more obscure SIEMs, or things out there like Splunk, where you might have to learn an entire language for how to interact with your data, it's all very visually based.

I'd say that's a big difference right there, but also just the ease of use of getting it into and getting it indexed by the SIEM. The other piece of it that I think is pretty huge for us is just how fast it executes on that data. So in previous SIEMs, I've seen where we've had to take up to three or four minutes for a simple query. I have that back in seconds. That's definitely a huge performance improvement for us.

I would say that the maturity of the organization that I'm with now kind of straddles a couple of different zones. On the one hand, we have a security team, and members on the security team who have been doing what they're doing for a very long time, and a couple of them even doing that for a very long time at that organization. However, the security landscape has changed dramatically in the last few years. And that definitely sounds totally hackneyed, but it's true, especially when it comes to cloud integrations, AI, data science; all of this stuff has changed the game so much. So I would say that we're very much behind the curve, in that we're a team of six or seven people trying to keep up with the industry. And we really look to these next-gen tools like LogRhythm's SIEM to bring us there.

New functionality like playbooks are exactly how we're going to raise the maturity level of our team through automation and playbooks. That's absolutely the direct path that we see getting us to a more mature place. We've got the experience on our team, but we don't have 100 people working for us either. And so, we're really kind of looking for LogRhythm to fill that gap there.

What is most valuable?

Specific to LogRhythm SIEM, I would say the dashboarding capability is pretty spectacular, so having the advanced UI available to just instantly drag and drop widgets into the browser and get the top 'X' of whatever field you're looking for in real time is incredibly powerful. It's very fast. One of the things that I love about it is that we can get trending information at a moment's notice for just about anything that we have packed into the SIEM. So it's incredibly quick to get very easy high-level information on any field we're looking for in the SIEM, and then be able to drill down into that through the log feature at the bottom.

We are using their AI Engine, and we're using the actual web console itself. We're using lists, including some of their automated lists, for generating content such as blacklisted hosts or known malware sites and things like that.

Most of those features are turned on at this point in time. We're actually pretty new; I think that says a lot about the amount of use we've been able to get out of it. We only installed it maybe three or four months ago. And the amount of data that we have going into the SIEM at this point in time, which amounts to nearly 20,000 events per second, plus all the different features we have turned on, is pretty impressive. So I think that speaks a lot to the ease of getting it stood up and running, which is something that I've seen be way more difficult in other SIEMs in the past.

We will be using the playbooks immediately, on day one, as soon as they're available. I've attended some of the playbook sessions here already and we're looking at which ones are already out there for use and how we're going to integrate them into our environment. So, playbooks are going to be a huge point of focus for the next year for sure for us.

What needs improvement?

I think LogRhythm definitely has some opportunity to grow in its documentation space, particularly like if I just use Splunk as an example. Splunk has amazing documentation. It's great. It's almost second to none in terms of the quality of its documentation. I would almost use that as an industry standard and say, "If you can do this ..."

There's no reason someone can't copy that pretty much exactly and say, "Let's do the same thing, but for LogRhythm." That way, when I have a new engineer or even an analyst come on board, I can point them to the documentation and say, "Get to work." That's not really possible today. We definitely need a little bit more hand-holding when it comes to administrative features that aren't nearly as obvious when we're using the thick client or something like that.

We've got a lot of work to do in terms of training people up there. But the documentation, I would say, is probably one of the biggest things that I've come across where I'd say, "This definitely needs some improvement here in terms of its clarity and availability."

Even just finding the right documentation that you're looking for can be tricky sometimes. My best bet is usually just to do a search of the forums and hope that I can find something and get lucky on the first try, as opposed to having every part of the system thoroughly documented out in an almost open source like way, in the way that open source projects have often gone about documenting and Wiki-izing, if you will, their content. I would love to see LogRhythm do something like that.

What do I think about the stability of the solution?

I would say that stability for us overall, considering we're a brand new customer of LogRhythm, has been very good. We've had a couple of things come up, and I'd say those are more than anything just an "Oh, we didn't know that this should be tuned a particular way or that the database wouldn't auto-grow on its own." There've been a couple of things like that, but there's been no major issue of, "Oh no, we threw too much data at it and the whole thing just died."

One thing that I'm pretty grateful for is that the whole thing hasn't come crumbling down upon us. And that can happen with a SIEM, particularly when you've got multiple data streams feeding in. As one piece of the puzzle breaks down, there's a downstream effect of killing every other part of the SIEM further on down the line. That hasn't happened yet. So we haven't had any cascading failures or anything like that. It's actually been really stable so far and we've enjoyed that.

What do I think about the scalability of the solution?

Scalability has been good. We have general guidelines on how far we can take it with the hardware that we've purchased and installed. And we've found we can sustain even a little bit above what we're scoped out for with our hardware. So we've been able to really expand the scope of logging to the endpoint level, so we can take logs from every endpoint in the company and throw that at LogRhythm for the installation that we've set up. And it can keep up with that, and we haven't had any issues of it starting to drop stuff or anything like that. So I would say it's definitely a top-tier vendor in terms of being able to handle scale, in my experience.

I've personally used a bunch of them, and in our QA process we've interviewed several before settling on LogRhythm. Splunk would be the big one. And I think in that case the licensing mechanism kind of disqualified them. It's a good system with a large community around it. But the ease of use for the end users wasn't quite there as it was with LogRhythm. Plus the licensing scheme felt a little bit out of date and cumbersome in comparison to LogRhythm.

How are customer service and technical support?

I have only needed support a couple of times so far; we've opened a few cases with tech support. I can't sing too many praises of tech support so far. And they definitely have a tendency to want to lead you towards professional services, which isn't completely unusual in these cases, especially for new users.

I would say that the information is out there somewhere, but they don't have the best support site. They just don't. A lot of the information is just kind of buried in a forum somewhere, or in somebody's head. The documentation isn't quite as great or spectacular as Splunk's, for example. But LogRhythm Community does have a passionate community. And if you find the right person, chances are you're going to be able to get your question answered.

How was the initial setup?

I was hired just after they did the initial setup. But because I'd missed that, I immediately set up a dev environment for us using all of the same components, so the separate data indexers and the platform manager and all that. So I set up a whole version of that on my own in a virtual environment after the fact. And I did it by myself without too much help. So that really did go pretty smoothly. I only needed to contact support once for that whole process. So it wasn't too bad.

Which other solutions did I evaluate?

A couple of others that we've considered: IBM QRadar is actually one that we had in house previously, and we'd had stability issues with that platform. So it was one that we were kind of looking at the market to see what we could replace it with. And I would say again that the ease of use of LogRhythm, for new analysts as well as management people, and the licensing scheme were two things that made it pretty attractive for us.

What other advice do I have?

We do have quite a few log sources. Currently we've got around 30 or 40 completely different kinds of log sources and roughly 6,000 or 7,000 different devices currently reporting in. We set it around 20,000 events per second sustained for our new infrastructure. That's kind of a lot for us. We've gotten that up and running relatively quickly. So the stability for that has been great. And as far as parsing goes, we have generally stuck to platforms that we know would parse out of the box. And now we're just starting to get our feet wet with, okay, what are some platforms where maybe it doesn't have out-of-the-box support for parsing the messages? Or we might want to write our own parser or something along those lines.

We know that it supports things like Common Event Format. So generally, I'm pretty confident that we'll be able to get everything in there that we want. I wish we had that information. Unfortunately, we don't have mean time to detect or any of those soft things. Prior to LogRhythm, it wasn't even an option for us to get those sorts of things. Now, with playbooks coming out and some of the new tagging features and case management features that are going to be in 7.4 for LogRhythm, our first target is to start actually putting numbers around that. We just haven't had LogRhythm in house long enough to stand up a program around getting those metrics.

As far as the rest of 2018 and 2019 goes, one of our number one goals is to get those metrics in place. And certainly, the case management features in 7.4 are what we're looking to get us there.

I can tell you for sure that that saves at least an hour of analyst time every single time that occurs and that might happen three or four times a day even for just potentially unwanted software and things like that. So we know that we're saving a lot of time. I have no idea how much exactly we're saving just yet, but I know it's going to be a lot more in the future because we're really starting to get sped up with smart response options and automation, especially when it comes to playbooks. So we'll see a lot of that in the future and that's another one of the big reasons that we've looked to LogRhythm to say, "Okay, we know that we still have yet to see some of what we've invested in here, but we're confident that we're seeing it already."

I give it a nine out of ten right now. The only minus is for documentation, that's it. But I think that they can get there. So I have faith in them. The advice I would give to somebody looking for a new SIEM or to invest in SIEM technology would be that obviously they have to keep in mind the price. We always have to work within that constraint. As a technology person, I hate to think from that perspective, but it's our reality, and so things like Splunk really work against that in terms of having to pay for ingestion of data. LogRhythm is great in that area. And that's one of the reasons why we've definitely looked towards LogRhythm for that. A couple of the other things that I look at for them are automation capabilities and APIs.

Everything these days has to have an API. So how good is your SIEM's API? And LogRhythm definitely seems committed to continuing to develop their API, particularly with playbooks and automation. So, generally, I'm going to say that's where you should be looking for a SIEM right now: automation. Most of the SIEM software solutions can do 99 percent of what's out there. Can it parse a message? Can it store it? Can it index it? All of those things, they all generally check that box somewhere along the line. But how closed is that ecosystem? How available is the API? How good is the support going to be, and things like that, which not every SIEM does equally? I would say that's where they need to look to find their value.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Global Security Manager at Chart Industries Inc
Video Review
Real User
We bought it simply because it is awesome, it is fast and less expensive than Splunk

What is our primary use case?

Our primary use case for bringing on a SIEM in general was the need to correlate our data across dozens of different solutions that were spitting out logs. We got to a level of complexity where it became mandatory.

How has it helped my organization?

This solution has been almost like a transformative change in how we detect and then respond to incidents. Quite honestly, before, we didn't know what was going on, and we couldn't detect anything other than a random virus that sent an email from our AV solution. For us, it really took off when I was able to onboard the Office 365 logs; then we were able to start monitoring locations of login, and we actually detected multiple accounts that were logging in from countries that had no business being there.

That led to some investigatory work and actually led to some password resets. It was really positive and we continued to detect that type of activity and enhanced the rules, changing here and there. That was a big one for us because we had never even looked at the Office 365 audits because we didn't have a way to do it. LogRhythm brought that in and within a day or two, we're like, "These three accounts are popped and we need to get these guys off the network now." It was amazing.

We're currently processing about 3,500 messages per second. We have experienced a massive decrease in our mean time to detect. It's actually hard to improve on nothing. It's hard to get worse than no detection, so we went from being able to say, "Oh, a virus happened," to, "This user went to a weird website. We got that from your DNS logs, and then 10 minutes later their antivirus fired on something." And now we know that we can go over there and triage that system quickly, as opposed to maybe not getting the virus log for a day. The other thing is detecting when we think breaches are happening, which is something we just didn't have the capability to do before we brought in LogRhythm.

When it comes to our security maturity, I was the first person at my company to do security, and the company had been around for 30 years. I basically started from scratch, and I started where we were bleeding, which was our endpoint detection for malware and ransomware. And then we added on more layers. We added on IPS and we added on a lot of perimeter-type stuff.

While LogRhythm was probably the last component that I onboarded in, like, the first two-year time frame, it's now the center of the program. Everything feeds into it, and that's where I go for just about everything. There are a few solutions where I still have to go out to those solutions to look at stuff, but even from a purchasing perspective, my IT operations team, my IT applications team, my company asks vendors two questions right out of the gate: Do you have a cloud offering, and do you natively support LogRhythm? And those two are heavy, heavy hitters when it comes to whether or not we're going to put you in the running to buy your software.

What is most valuable?

The most valuable features in LogRhythm, honestly for me, the single most valuable feature is the web console. That is actually the primary reason we chose LogRhythm over some of these other solutions, because I was able to leverage web console usage across multiple layers of IT, and I didn't have to sit back and teach everybody complex SQL queries. Just that point-and-click interface; it's nice and bouncy and beautiful to look at, and that has really driven the adoption of the use of the software. Secondarily, I think another really great feature is the LogRhythm community. And the content that provides has enhanced our adoption over the years.

We don't use the full-spectrum analytics capabilities of the SIEM mainly because I'm a lone wolf in running it. It's just a matter of timing and focus. We do a lot of analytics around user behavior although we're not a cloud AI customer yet. We're doing a lot of what they call the AI engine to do user behavioral modeling and we're starting to onboard some network behavior modeling analytics as well.

What needs improvement?

It honestly comes back to me for log sources. The time to get support to onboard a log source runs about 18 months, and that's just too long. Like I said, I'm a lone wolf running the system. I don't have a lot of free time to write regex and build out my own policies, and I tend to write bad ones that are very inefficient. It is tough when I get a critical source, or when a part of the business went out and just bought something, never consulted IT, and now we have to audit it and it doesn't support LogRhythm, or it doesn't even have a function that gets us the logs. We have a cloud solution where we can't even get the logs out of it. It's crazy bad. But when we do get those logs in, it would be really helpful if we could get a supported log source policy from LogRhythm in a shorter amount of time.

What do I think about the stability of the solution?

I have had a lot of trouble with stability, perfect timing. We onboarded way too many log sources from the get-go and overran our appliance's capabilities. And I've spent probably the last 12 months working to stabilize the damage that I caused the system when I did that. It's been a rough year for stability. Even just before I came to this conference, I think I got it finally stabilized. I'm cautiously optimistic that I can take a deep breath and start focusing more on the logs instead of the appliance itself.

What do I think about the scalability of the solution?

We've scaled the solution twice. I haven't done a whole lot of large-scale build-outs. We're still a single appliance. What we did scale was the memory and our MPS license, and then I added in some external storage. All of those things went great. We're to a point now where they're recommending that we buy what they call a data indexer separately. My leadership is more interested in moving it to the cloud than buying more hardware, so I'm working to get a POC started up to get it up into Azure and see if we can scale horizontally in Azure as opposed to buying more hardware. I might have a lot more to say about scalability next year.

How are customer service and technical support?

LogRhythm tech support is one of my favorites. Of all the solutions I deal with, those guys and girls are insanely good at their jobs. When we bought the solution, my leadership did not buy professional services to help me deploy it. I did it blind, basically, with the user guide. I think I opened about 75 tickets in the first year. And they still answer me when I call them, so that's great. And they're very willing to stick with you as long as you need.

The only challenge I do have with their tech support is the time shift, because their tech support is all based here and I'm on the East Coast. They want to meet at, like, 5:00 p.m. Denver time, and it's like, "Oh, no. I'm at 7 o'clock, dude. I'm done for the day." One little annoyance, but it's well worth it in the end to get the support that we get.

The support for log sources is fantastic. It is challenging because you're always going to come up with stuff that you need that is not recognized, and writing my own policies has been very challenging. As far as log sources, the last time I checked on Friday, I think we were at 2,900 log sources. It's a lot for this little appliance.

Which other solutions did I evaluate?

When we went shopping for a SIEM, I had come from a Splunk shop. I was very familiar with the Splunk interface. I like the software, so Splunk was number one on my list. And who was number two? SolarWinds had a SIEM solution that we had played with a little bit at my company, so they were also in the running. And then actually one of my partners talked to me about LogRhythm, because I'd never even heard of LogRhythm before, and so we did a demo.

And ultimately, it was two big factors. From a Splunk perspective, cost. The cost to build it out and then the cost of licensing are just unattainable for us. And number two, LogRhythm's WebUI and the speed with which you can run searches in it were hands down my primary reason for going with LogRhythm.

What other advice do I have?

I'm going to give them an eight. It's a fantastic solution and I totally support what they're doing and I like where it's going. But there is room for improvement, and there are some pain points and honestly I've had a rough year. That kind of influences it too. It's been a lot of time on the phone with support this year.

I will tell them what I wish I had known the day I started onboarding logs, and that is when you're looking for a SIEM, put all the features and everything to the side. Go talk to your business people and find out what's important to them, because that's how you're going to know what to bring on initially. And once you know those things that are critical and the things you have to do, then you can evaluate the different solutions to see who has the native support, because we didn't do that.

We bought it simply because it was awesome and fast and less expensive than Splunk. And then I onboarded 1,500 log sources in a week and brought the system to its knees. And I'm even now today still cleaning up and removing log sources that just bring no value. It's just noise.

Take the time and plan that out before you even go talk to vendors. Figure out what logs are out there, which ones are meaningful to you and the business and then find the solution that fits best with that.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Avraham Sonenthal, Senior Network Engineer at a government with 5,001-10,000 employees
Top 5
Real User

I am not sure how LogRhythm would be less expensive than Splunk. Splunk charges licensing by the GB of incoming logs. LogRhythm sells an appliance, and it has a certain capacity. If you want more capacity you need an additional appliance. With Splunk you add additional indexers for free as long as you have the licensing. Also, here is a big one: LogRhythm does not give you any documentation to speak of. If you want to know how to use it, you better pony up $5000/user for training.

That said, LogRhythm is good for highly regulated environments such as banking and health care. They have a huge number of canned reports and known log formats. If you want to gather logs from a lab or a jet engine, LogRhythm is not going to do it. Also, to onboard even a single log source is an involved process that takes a good number of operations.

It is like the difference between a Barrett .50 cal and a .380 handgun. Different tools for different jobs.

PeerSpot user
Senior SIEM Engineer at a financial services firm with 501-1,000 employees
Video Review
Real User
We've reduced mean time to detect and respond to threats by 24 hours

What is our primary use case?

Our primary use case is for fraud detection and infrastructure, so we use the SIEM to detect fraud on the banking side of the house as well as infrastructure. I use it for security and UEBA purposes.

How has it helped my organization?

We have seen a lot of improvement. When I first got into LogRhythm, we were just doing the fraud side of the house. Afterwards, we started doing the infrastructure side, where we're seeing a lot of events coming in. We were getting a lot of ransomware attacks that are happening or a lot of malicious actors coming in, trying to hack us, which we can see in the SIEM right away and use the SmartResponses to block at the firewall level. We stop them at the edge level, and we don't have to worry about them coming in.

We do have an MSSP that does our 24 hours ops, when we're not there during normal business hours.

The playbooks will come in handy for them to go through and meet our expectations, so I can design the playbooks of what I expect and what the organization expects during certain events triggering and the process that they need to take place for them to call us up at night and say, "Hey, this is something that needs your attention."

I have plenty of log sources. Roughly, I have about 500 plus different types of log sources coming into my LogRhythm, and the support's been great. The out-of-the-box solutions with their log message processing have the majority of what I need. There are some that I had to create, because obviously the products are new, and I made LogRhythm aware of it, and they're creating custom parsers for it.

We are rated for 10,000 MPS because we have two data processors and data indexers, but I'm only using about 3,500 combined.

The solutions have been great for us. We use the SmartResponse to do most of our automation work for us, to block attacks, and to kick off users if they're doing anything malicious. It's saved us a lot of man-hours. Based on MTTD and MTTR for us, we've saved a considerable amount of time.

I did see it decrease the time to detect and respond by a day, because there is myself during work hours and the MSSP, which we combined, and we've reduced it to about 24 hours mean time to detect.

What is most valuable?

Some of the valuable features: I find it's very easy for me to integrate new log source types within the SIEM. With the MPEs, there are plenty of out-of-the-box solutions that we can integrate new appliances with. We're constantly buying and upgrading our appliances, so it makes it easy for me to ingest logs and run correlations in the AI Engines.

Currently, we don't have full spectrum capabilities. We're using AI Engine mostly to run correlations, and then we obviously have our dashboards and stuff, but apart from that, we're working on the UEBA implementation for users to run more correlations. We do have our net monitors that we use to run packet monitors, packet captures, and even traces.

What needs improvement?

I think where I see room for improvement for LogRhythm is probably granularization of log source types. So, if that were to happen, I think it'd be a lot better for the product. So, we are in the current five-year security maturity program.

What do I think about the stability of the solution?

I've never had any issues with my SIEM. We just upgraded from physical to virtual, and it was a seamless process. Everything worked well.

What do I think about the scalability of the solution?

LogRhythm is very scalable. We increased our MPEs from 2,500 to 10,000 right now, and we're very happy. We have room for plenty of growth. We're only using less than half of what we have.

How is customer service and technical support?

Tech support's always been great. Every time I had an issue, I'd go in, open up a support ticket. I usually get an engineer calling me back within the first half an hour, and they'll help me troubleshoot within a day.

How was the initial setup?

The product was already set up when I first jumped on with the organization. My only process was the move from physical to virtual and then the upgrade to 7.3 and 7.4.

What other advice do I have?

So, we are in the current five-year security maturity program. We're on year one, and LogRhythm is going to be the center point for the first two years in terms of aggregating all the different log source types within the organization. We still find that there are log source types that are not coming in, which we plan to integrate within LogRhythm and use its analytics tools to help us get more mature and move us forward in the maturity of our security for the industry.

I rate LogRhythm 10. It's very easy to use. It's very user friendly. The product is very innovative with SmartResponse and AI Engine, so it takes half the work from myself and my analysts, so I love that product for that reason.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Information Security Analyst at a pharma/biotech company with 51-200 employees
Video Review
Real User
CloudAI gives us analytics into our user's behavior and whether or not they are acting outside of their norms. It has helped me to identify a lot of policy violations inside of our networks

What is our primary use case?

The primary use case for this solution is to monitor our environment and ensure that we are not having any breaches. In addition, this solution allows us to maintain compliance with HIPAA.

How has it helped my organization?

The SIEM and the CloudAI have improved our organization by helping us track down errors in our network. It has helped out our IT services team, and it's also helped out our database team in trying to track down errors inside of our network. It's also opened our eyes to a lot of the attacks that have been coming into our network from outside threat actors. It's helped us stop a lot of those attacks as they're happening, and it's also helped us identify some policy violations inside of our network as well.

I haven't used the playbooks yet, but from what I've learned here at RhythmWorld, I will be integrating the playbooks as part of our incident response policy.

What is most valuable?

The most valuable features for me are the customization features. I can build it out to do whatever I want. I've created rules in there for crypto mining and cryptojacking.

The compliance aspect is phenomenal. The reporting in there is fantastic. It helps our internal audit team. It also helps us with our compliance, as well, for our audit. So it's a lot of good options in there.

CloudAI gives us analytics into our user's behavior and whether or not they are acting outside of their norms. It has helped me to identify a lot of policy violations inside of our networks. A lot of bad habits. Just for a specific use case, I've identified where an account that should have been disabled was being used by another user inside of our network. A lot of policy violations. A lot of geographical location identification inside of the networks.

CloudAI-UEBA has enhanced my security operations because I've been able to track down users with anomalous behavior. To be more specific about that, I've been able to track down users that were using accounts that they shouldn't have. So, for example, we had a user that left the company, and another user was using that account to access servers inside of our network that they didn't have access to. So it's very powerful. It just takes some learning to get used to.

What needs improvement?

I have over 3,300 log sources. The support for log sources is pretty good, unless you want to go to the cloud where I've had some rough spots with that. I had a hard time integrating with Office 365 because my antivirus wasn't supported. I had to get some custom parsers in order to get that integrated.

I would say that better API support for cloud log sources would be a definite improvement. 

Ease and setup would be a major improvement because it took over a week to get it all up and running, and that didn't even count tweaking it and getting it all set up for my environment. There's some room for growth there.

What do I think about the stability of the solution?

The stability is decent. During the day it works just fine. We do a lot of reporting at night and it hits the system pretty hard, but other than that, everything works perfectly. During the day, searching is perfect. It runs perfectly. The stability is fine except for those heavy hours.

Stability for CloudAI has been great. I haven't seen any issues with it dropping. I haven't had any issues with that at all.

What do I think about the scalability of the solution?

The scalability for the most part is OK. The product has some hard stop limits on what your processor can handle. I have an XM appliance, which means it's an all-in-one.

I have some hard limits on how far I can go with the processing rate. So if I go above that I'll have to spec out a whole new system and then renew my license. I don't see that happening anytime soon in my environment.

How are customer service and technical support?

I have used tech support a few times when getting things set up. For the most part, they are pretty quick to get back to you and very helpful. They've also showed me a lot of tips and tricks to make things either run better or to get better results for my SIEM. The customer support is fantastic.

Which solution did I use previously and why did I switch?

I knew that we needed a SIEM solution because we had no visibility.

We didn't have any SIEM monitoring tools up until I showed up at the company. We didn't have any visibility into what was going on on our networks or on our systems. So that was one of the first steps that I took when I came on with the company.

Which other solutions did I evaluate?

My shortlist was Rapid7 InsightIDR, LogRhythm, and Splunk.

I had a live demo of InsightIDR running in my environment and I liked LogRhythm a whole lot more, a whole lot better than their solution.

What other advice do I have?

On average, I process around 1,200 messages per second.

So measurable results for mean time to detect and mean time to respond. I don't have measurable results because there wasn't anything there beforehand. But now, we've responded within hours to events that could have been breach incidents, or in some cases within minutes and stopping attacks in their tracks.

My security program's maturity is still in its infancy. I'm basically starting it from scratch. LogRhythm has been a major step with giving me file integrity monitoring, the SIEM capabilities, log collection, a lot of things that we didn't have before. User behavior has been amazing for helping me keep track of what's going on in my network. So it's been a major stepping stone. It's the first in many.

I would rate LogRhythm as an eight out of ten because of the compliance factor. The modules for compliance are fantastic. The UEBA and CloudAI are solid for user behavior, and the SIEM itself is very powerful. I work very heavily in the customization aspect of it. Writing my own alarms, my own rules to try and track down events and alarms, stuff going on inside of my network. My only complaint really is just the lack of API support and how much work it takes to bring in cloud. That definitely needs some work. And just the time to set up is very time-intensive.

If I had a friend or a colleague that was looking to implement a SIEM, I would definitely recommend LogRhythm, and I would pretty much give them the same answers that I gave here where cloud support is still growing, but the tools that it has are very powerful. The behavior analytics are fantastic. It definitely would have to be on their list at least to look at.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
IT Security Architect at a construction company with 10,001+ employees
Real User
It has centralized monitoring for our security operations
Pros and Cons
  • "It has centralized monitoring for our security operations. Therefore, it improves our analysts' work."
  • "Stability has probably been one area where Health Checks have not been great with the product. We have been told that they are going to improve Health Checks on product, though we do struggle with them on a daily basis."
  • "Scalability misses the mark sometimes, especially when you have an integrated disaster recovery built into the solution."

What is our primary use case?

The primary use case is to monitor for compliance and the behavioral analytics of our users, tracking for potential threats to the company's infrastructure.

We are using both products. We are using NetMon integrated with the LogRhythm platform.

How has it helped my organization?

It has centralized monitoring for our security operations. Therefore, it improves our analysts' work. 

Our security program's maturity has been transformational for my staff. First from an educational standpoint, all the staff has started to go through either admin or analyst tracks and education. This definitely organizes my security operations to the point that it makes it easy for me to do security operations. It facilitates it throughout the organization.

What is most valuable?

Out-of-the-box, it already has a knowledge base solution. Therefore, if you do a little bit of work, such as configure the lists and log sources, you can have use cases implemented quickly.

What needs improvement?

Their current roadmap is what I want to see implemented. I want to be able to upgrade to 7.4 and have the playbooks implemented as fast as possible. 

What do I think about the stability of the solution?

Stability has probably been one area where Health Checks have not been great with the product. We have been told that they are going to improve Health Checks on the product, though we do struggle with them on a daily basis.

What do I think about the scalability of the solution?

Scalability misses the mark sometimes, especially when you have an integrated disaster recovery built into the solution. 

LogRhythm is looking at elasticity and trying to make the product more scalable.

How is customer service and technical support?

We use the tech support on a daily basis. They are very easy to reach. There is always a person whom you can talk to and is focused on my issue at hand. They really pay attention to me, and that's worth it in my book.

What about the implementation team?

I maintain the solution. Right now, I have two dedicated engineers and two analysts. However, we need more staff and are looking to hire more because we want to grow this solution to suit our needs.

What was our ROI?

It improves our mean time to be able to respond and remediate issues that we come across.

Which other solutions did I evaluate?

There is a different reason why you pick LogRhythm over its competitors. It is a security SIEM, where others are SIEMs but not focused on just security.

What other advice do I have?

The playbook capabilities are in 7.4, which we are not able to utilize yet. Therefore, we have built playbooks outside of the solution. However, we are looking forward to the integration of playbooks in 7.4, or even version 8.

We were shown today a couple of things where playbooks will be enhanced, even having SMARTResponse coming right out of the playbooks, so hopefully advanced SOAR capabilities.

We run two independent LogRhythms. On one, we have about 33,000 different log sources, which include endpoints and now IoT devices. On the other, we have a very small footprint. It's somewhere around 3,000 log sources.

On one of my LogRhythms, I have a messages-per-second rate of around 2,400 to 2,500. That spikes depending on the time of day. Sometimes, it goes up to 17,000. On average, it comes back down to about 2,300. On the other LogRhythm, there are very few messages per second. It is around 600.

Do your homework first. See what pie in the sky solution is supposed to be for your SIEM. Do not just check a box. LogRhythm will more than likely suit your needs.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
SIEM Architect at Marsh & McLennan Companies, Inc.
Real User
Enables our SOC and IR teams to do their jobs, but our environment has yet to stabilize over the last 18 months
Pros and Cons
  • "My biggest issue - I know that they say they're doing it - is that the API-building is extremely important. They keep saying it's coming, it's coming. It's not coming fast enough. I don't care if they need to double their team size to get it out there quicker, the world is already in the cloud and we can't monitor it. That's a big problem for us. My boss keeps coming to me about it. That's an issue."
  • "My biggest complaint is documentation. Everyone tells me, "We have documentation on the Community site." I have searched for different types of documentation on numerous occasions, and it might be there, but it's not easily findable."

What is our primary use case?

We have been using LogRhythm for the last seven to eight years. About a year-and-a-half ago we made a push, which is why I was brought on, to go global with it. The global use case is security only; we're not getting back to the business. It's the first time I've done SIEM that works that way. It's all about feeding the SOC and IR teams and letting them do their job.

How has it helped my organization?

We use Dell SecureWorks right now for our SOC. But in a much quicker-than-expected manner - literally a few months after we started really bringing everything in, and we took over teaching them how to use LogRhythm - our SOC has fallen right into line. LogRhythm is already almost replacing Dell SecureWorks and we might be able to get rid of Dell SecureWorks sooner than later.

I was the one who started getting the SOC team involved. I needed to teach them. They were a very frustrating group that didn't want to learn LogRhythm. "No, no, we're doing it our way," and it was very manual. They would pull information from Dell SecureWorks and compare it manually against other information. They were totally against LogRhythm. But very quickly, they changed their minds. Now, we get calls constantly to help support them. The leaders of the SOC, who understood LogRhythm and had some LogRhythm background, have implemented different things that have totally surpassed where we thought, six months ago, we would be. Things are going great.

We have seen a measurable decrease in the mean time to detect and respond to threats.

What is most valuable?

I've worked with a lot of SIEMs. It's nice that it's straightforward.

What needs improvement?

My biggest complaint is documentation. Everyone tells me, "We have documentation on the LogRhythm Community site." I have searched for different types of documentation on numerous occasions, and it might be there, but it's not easily findable.

We're running an HA situation and we wanted to do an upgrade. There was "Oh, and do this," in the documentation. It didn't give you an order, step one, step two. It was just, "You've got to do this and this and this." We decided to do it as they wrote it and it totally messed us up. We had to then reinstall. It just was a mess.

Also, I can't really talk about features I would like until I have a stable environment. Once I have that, there are things that we would like. For example, we're doing a lot of things in-house. We're doing auto-acceptance; LogRhythm doesn't do it quickly enough. We develop something because LogRhythm is taking a long time in developing things, and then we want to present it to LogRhythm and say, "What do you think?" We don't even mind if they steal it and use it. But at the same time, we're getting a response of, "No, you're probably not doing it right. You're probably missing stuff." We're still going to do it.

My biggest issue - I know that they say they're doing it - is that the API-building is extremely important. They keep saying it's coming, it's coming. It's not coming fast enough. I don't care if they need to double their team size to get it out there quicker, the world is already in the cloud and we can't monitor it. That's a big problem for us. My boss keeps coming to me about it. That's an issue.

Finally, writing parsers is much easier - and I can tell you a few things about it - in Security Analytics. I would love LogRhythm to get something similar to that, instead of having to write out RegEx. That's very old-school.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

After a year-and-a-half, we're not stable yet. Every time we think we're stable for a week or two, we wake up the next morning to another million logs backlogged somewhere. We're very unhappy with that, very frustrated. We've been working with engineering and upper levels, with everybody. The one positive part of that is that everybody has been very responsive and everybody has been very helpful in trying to stabilize our environment. Version 7.3 destroyed us. There is not one device that we have original code on. Everything is DevCode.

To be fair, we're a very tough company. We're presently at 5.5 billion events a day. We're sustaining 55,000 logs a second. We have a pretty big deployment, but it's not stable.

What do I think about the scalability of the solution?

We were supposedly built for 100,000 logs per second, and if you read the answer I just gave to the "stability" question, you know we're still not stable at 55,000 events.

How are customer service and technical support?

The tech support is fantastic. The only complaint I have about tech support is that sometimes they'd rather try to hold on and fix something, rather than escalating. Things do need to be escalated more quickly.

The source of the issue - meaning the customer - has to be part of the evaluation. I've been doing this for 15 years. When I go to customer support it's because I've already run every bit of the gamut and my teams have done the same. I'm more than happy to spend a week looking, from a support perspective, at this and this and this. But at the same time, they should be objective enough, so that if I were to say, "Hey, I don't see it coming from that area, let's look someplace else," to take my word for it. They should know me as a customer. Know your customer is more the issue.

How was the initial setup?

They installed two weeks before I got there and I've been miserable about that. I'm in the midst of re-architecting the design.

Installation/upgrade is a complex process. We haven't gone through anything straightforward. I did learn from one of my breakout sessions, here at RhythmWorld 2018, that 8.0 is hopefully going to fix that a bit. There were some things that complicated it when we did our first upgrade to 7.3. We've gotten better at it.

What other advice do I have?

My advice:

1. Get a SIEM.
2. Which SIEM I would suggest really depends on what your key use cases are. There are other SIEMs that do other things better. As an example, Splunk brings in logs wonderfully. But if you're not going to hire a Hadoop engineer who absolutely specializes in it, you're going to bring in a lot of logs that you're not going to be able to do anything with. You really have to look at everything that every piece does.

In terms of the full-spectrum analytics capabilities, we're not using NetMon, we're not using FIM. We're just collecting logs from every device that we can collect them from. I'm in the process of onboarding hundreds of application logs. We feed them all to our SOC, Incident Response and Compliance teams.

Playbooks, for me, are "N/A." I have an associate that handles all the analytics and reporting and alerting. I'm more of the architect.

We have somewhere around 90,000 log sources. Do remember that Windows takes three log sources each. We're running about 5.5 billion logs a day. We're running a sustained 55,000 logs per second. Our database is somewhere in the neighborhood of 4.5 terabytes in size, over two tables. It's a large installation.

When it comes to our security program maturity, we have built a very strong security team. Since LogRhythm was implemented, the team has exploded, not only because of LogRhythm. We're now implementing many other vendors, cloud and other things.

For deployment and maintenance of the solution, we have three staff. That being said, being Marsh & McLennan Companies, we're running a very big installation where we have several teams that have input. This is my first time being part of that kind of team. I've been in SIEM for 15 years, but until now, every time I've ever done it, I've been the sole "SIEM guy," the one who handled everything. But now, I'm an architect. We have a SIEM analyst. I work directly with one of the heads of the server teams, so when we need to do upgrades we use that team. We also have a SOC, we have an IR team, all in-house. We have a lot of teams that have input into the SIEM.

When selecting a vendor, the most important thing to me is that the product does what it says it's going to do; that and the support.

I've worked with many other SIEMs. I was Professional Services for ArcSight for a year-and-a-half. I've worked with enVision, I've worked with RSA Security Analytics. We were their first customer when they rolled out the analytics and it took a year to get through all the bugs. There are some things that some of the other pieces do better. There are some things that I think that LogRhythm has missed. But all in all, it's one of the best SIEMs, as a total package, that I've worked with. When I hit an issue, the support teams and other teams are there to help.

Because my installation is not stable, I rate the solution at six out of ten. Once I become stable it will be a nine.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
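Two of the reviews on this page describe writing RegEx parsing policies for unsupported log sources as slow work that tends to produce inefficient rules. As an added illustration, not code from any of the reviewers or from LogRhythm, here is a small Python parsing policy for a hypothetical firewall log format: constructed sample lines, a lint pass that flags the usual causes of slow or brittle rules (unanchored patterns, repeated unbounded wildcards, unnamed groups), and a batch parser that keeps unmatched lines for review instead of dropping them silently. The field names, sample lines and lint rules are assumptions for illustration; they are not LogRhythm's MPE rule format.

```python
"""Custom log-source parsing policy with a lint pass for inefficient regexes.

Hypothetical example: the field names, sample lines and lint rules are
constructed for illustration and are not LogRhythm's MPE rule format.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines from a hypothetical firewall appliance.
SAMPLE_LOGS = [
    "2023-11-02T10:15:31Z fw01 ACCEPT src=10.0.0.5 dst=203.0.113.9 proto=tcp dport=443",
    "2023-11-02T10:15:32Z fw01 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=22",
    "2023-11-02T10:15:33Z fw01 heartbeat ok",  # no rule matches: must not vanish silently
    "2023-11-02T10:15:34Z fw01 DROP src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=3389",
]

# The kind of rule a rushed admin writes: unanchored, several greedy wildcards.
SLOW_RULE = r".*(ACCEPT|DROP).*src=(.*) dst=(.*) proto=(.*) dport=(.*)"

# Anchored rule with explicit character classes and named groups.
FAST_RULE = (
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<host>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[0-9.]+) dst=(?P<dst>[0-9.]+) "
    r"proto=(?P<proto>[a-z]+) dport=(?P<dport>\d{1,5})$"
)
FAST_PATTERN = re.compile(FAST_RULE)


def lint_rule(rule: str) -> List[str]:
    """Static checks for parsing rules that tend to be slow or ambiguous."""
    warnings = []
    if not rule.startswith("^"):
        warnings.append("not anchored at start: engine retries the match at every offset")
    if rule.count(".*") > 1:
        warnings.append("multiple unbounded '.*': backtracking grows with line length")
    if "(?P<" not in rule:
        warnings.append("no named groups: field order is implicit and brittle")
    return warnings


@dataclass
class ParsedEvent:
    ts: str
    host: str
    action: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_line(line: str) -> Optional[ParsedEvent]:
    """Apply the policy; None means 'no rule matched', never a half-parsed event."""
    m = FAST_PATTERN.match(line)
    if m is None:
        return None
    return ParsedEvent(m["ts"], m["host"], m["action"], m["src"], m["dst"],
                       m["proto"], int(m["dport"]))


def parse_batch(lines: List[str]) -> Tuple[List[ParsedEvent], List[str]]:
    """Return parsed events plus the raw lines no rule matched, kept for review."""
    parsed: List[ParsedEvent] = []
    unparsed: List[str] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
        else:
            parsed.append(ev)
    return parsed, unparsed


def drops_by_source(events: List[ParsedEvent]) -> Dict[str, int]:
    """Count DROP events per source address: a cheap sanity check on parsed fields."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.action == "DROP":
            counts[ev.src] = counts.get(ev.src, 0) + 1
    return counts


if __name__ == "__main__":
    for w in lint_rule(SLOW_RULE):
        print("slow rule:", w)
    print("fast rule warnings:", lint_rule(FAST_RULE))
    events, leftovers = parse_batch(SAMPLE_LOGS)
    print(len(events), "parsed,", len(leftovers), "unparsed")
    print(drops_by_source(events))
```

The unparsed list is the part worth keeping an eye on in production: a rising count of unmatched lines after a device firmware change is the earliest signal that a custom policy has gone stale, and it is invisible if the parser just skips what it cannot match.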
    PeerSpot user
    Enterprise Information Technology Security Engineer at a government with 1,001-5,000 employees
    Real User
    The most valuable features would be the automation, reporting, and the support. There are some compatibility issues with different browsers.
    Pros and Cons
    • "The most valuable features would be the automation, reporting, and the support."
    • "My big thing is the easability. I don't like to go to two different systems. The fat client that you have to install to configure it, then the web console which is just for reporting and analysis. These features need to collapse, and it needs to be in a single solution. Going through the web solution in the future is the way to do it, because right now, it is a bit cumbersome."

    What is our primary use case?

    The primary use case is compliance requirements. 

    It is performing at the moment, but we are still in the process of implementing it.

    How has it helped my organization?

    We haven't fully integrated it or stood up the platform, so the benefits aren't realized yet.

    What is most valuable?

    The most valuable features would be the automation, reporting, and the support.

    I do plan to use the full extent of the correlation and AI Engine to streamline our processes.

    What needs improvement?

    My big thing is the easability. I don't like to go to two different systems. The fat client that you have to install to configure it, then the web console which is just for reporting and analysis. These features need to collapse, and it needs to be in a single solution. Going through the web solution in the future is the way to do it, because right now, it is a bit cumbersome. 

    If I remember correctly, there are some compatibility issues with different browsers. The user system works only on Chrome. In order to use something like this solution, we would have to have that extra browser. It would be nice if LogRhythm had full support and compatibility across all browsers, regardless of what platform they're using and whether they are on desktop or mobile devices.

    For how long have I used the solution?

    Still implementing.

    What do I think about the stability of the solution?

    I'm a little on the fence about stability, because the platform runs on Windows at the moment. There has been some finicky administration stuff, especially if we are going to try to integrate it with our own domain's policies, which need to be correctly reflected. In the instance that we have, it is not necessarily a good idea to have an endpoint security, but when you have to meet compliance and follow rules, these are some of the exceptions. There needs to be a way to allow organizations to utilize these platforms and still be compliant.

    What do I think about the scalability of the solution?

    I don't know what the demand is. I know the number of systems that we have. We try to forecast the demand ahead of time by coming up and listing the services that we need in the environment, but there are still things which are probably still yet to be seen.

    As we run into systems which we were not aware of and need custom integration, I don't know what the pain points will look like or if things will be overlooked: Is the system scalable enough to where it will allow me to continue to log certain things without any restrictions? I don't know at this time, and I will find out once it happens.

    How is customer service and technical support?

    So far, the technical support has been good.

    What about the implementation team?

    I was hired in because I have the skill set to implement it. The original acquisition of the product was done by other people. Now, they have somebody who has the skill set and understands the technology deploying and configuring it, then going forward maintaining it.

    For the development and maintenance, it will be just me. However, for the day-to-day log analysis, there will be a second person providing that function.

    What other advice do I have?

    While we are aware of the playbooks, we still need to look into them.

    We are close to a gig of messages a second, so quite a bit of data.

    To capture your use cases, understand exactly what you are looking at ingesting. Do the research as far as what the company has done. For example:

    • What have they provided at organizations of similar size?
    • At peer organizations, how have they implemented the solution and what are some of their pain points?

    Understand what everybody else has done previously with the solution.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Security Engineer at a financial services firm with 1,001-5,000 employees
    Real User
    Web Console allows me to see the health of our environments, but support needs work
    Pros and Cons
    • "The Web Console is my favorite. It enables me, at a glance, to see the health of the environments."

      What is our primary use case?

      I'm an admin and analyst, so use cases cover a lot of log sources for applications, mostly.

      How has it helped my organization?

      Being able to see when one of our assets is down and being able to restart it really quickly has been a definite benefit. It has been really helpful in the general maintenance of our whole environment.

      We're able to look at our environment and see how it's being affected, according to the log sources. We can immediately see how the system responds to things that our development team does.

      What is most valuable?

      The Web Console is my favorite. It enables me, at a glance, to see the health of the environments. That is really important to me and to us.

      What needs improvement?

      I would like to see more widgets. I just love the widgets on the Web Console, I love to play with them, so more would be better.

      What do I think about the stability of the solution?

      The stability has been great since the upgrade.

      What do I think about the scalability of the solution?

      We just upgraded to 7.35 and, although I wasn't involved in that, it seems like since then everything has been working really well. It scaled really well and we are taking in new network monitors. That has been really easy.

      How is customer service and technical support?

      We usually do end up having to remind technical support about our issues, get back in touch with them to see what the status is on our tickets. That has been frustrating in the past, but they do find solutions. Sometimes it takes a while. And sometimes that communication gets lost. Some of our tickets had to be escalated to engineers. They get a little bit lost, at times, when that happens to a ticket.

      Overall, I would rate tech support at three out of five.

      What other advice do I have?

      I would definitely recommend LogRhythm. Work with the LogRhythm team to help learn how your environment works. Use as much help as LogRhythm can provide in your initial setup, so you can understand your environment best.

      We have more than 20 log sources. We average around 3,000 messages per second. We have hit 8,000 in the past, but not since the new upgrade in which we got more room. In terms of staff for deployment and maintenance, there are just two of us who share it. But when we're on-call, all of us use it. There are nine of us who use it every day when on-call.

      I rate the solution at seven out of ten. I'm very happy with it. I love how powerful it is. However, the customer service is where the points come off. I know they're working on it.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      SOC Analyst at a financial services firm with 1,001-5,000 employees
      Real User
      Enables us to find everything in one place and even feed alerts from other products into it
      Pros and Cons
      • "Even other products we have that feed into it, instead of having to watch all of them we only have to watch one. For example, we have CrowdStrike, so instead of having to pay attention that solution - because their dashboard doesn't really pop when an alarm comes up - we can see issues with the red on the LogRhythm alarm. That is very nice."
      • "One thing we have mentioned to them before is that we'd like to be able to do searches, or drill-downs, directly from an alarm. When you click it and the Inspector tab slides out, that might be a good place to be able to click the host to search for the last 24 hours. I know the search is right there but it would be even nicer to just click that and then have an option to search something there."

      What is our primary use case?

      We use it for centralized log management and for alerting. It's been working pretty well. We're on the beta program so what we're on right now has not been working quite as well lately. We're helping them find the bugs, but before this we didn't have any really major issues with it.

      How has it helped my organization?

      It makes everything quicker when it's all centralized. Anything we need to find, it brings to our attention. Even other products we have that feed into it, instead of having to watch all of them we only have to watch one. For example, we have CrowdStrike, so instead of having to pay attention to that solution - because its dashboard doesn't really pop when an alarm comes up - we can see issues with the red on the LogRhythm alarm. That is very nice.

      We have seen a measurable decrease in the mean time to detect and respond to threats.

      What is most valuable?

      Being able to find everything in one place is really nice when you're doing your searches.

      What needs improvement?

      One thing we have mentioned to them before is that we'd like to be able to do searches, or drill-downs, directly from an alarm. When you click it and the Inspector tab slides out, that might be a good place to be able to click the host to search for the last 24 hours. I know the search is right there but it would be even nicer to just click that and then have an option to search something there.

      What do I think about the stability of the solution?

      Going into the beta, stability was very good, but in the beta it's not been as great for us lately.

      There was a known bug where, after about five minutes it would duplicate alarms, up to about 10,000. After 10,000 alarms in five minutes, everything is shutting down. Also, some of the maintenance jobs get deleted when upgrading, so our database was filling up without deleting the old backups. Those are the two major issues so far.

      What do I think about the scalability of the solution?

      I just took it over recently but we got it built to last. It's been the same since we put it up.

      How is customer service and technical support?

      I open tickets frequently, especially in the beta program. To get the first response is usually a little slow, but once they're talking to you it's very good.

      What other advice do I have?

      Figure out what you need it for before just getting everything you can into it. That's probably the main thing. We recently brought in an external firewall and it has everything enabled. So make sure it can do what you want and don't try to do more than what you need.

      We have made a few playbooks, but we haven't done too much with them yet. For deployment and maintenance of the solution, it's just me doing the administration.

      We're at 60 or 70 log sources right now. With some of the newer ones, we've had to open up tickets for them, like the newer Cisco Wireless. We've had issues with Windows Firewall and AdBlocker. We've had to get those fixed. We process about 600 messages per second.

      In terms of the maturity of our security program, we got this solution right after we started up, so it has been growing with us. We're now at a point where we're happy with it and getting good value out of it.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Principal Security Analyst at a healthcare company with 501-1,000 employees
      Real User
      Centralizes our logs from multiple sources, enabling us to triage and react much more quickly
      Pros and Cons
      • "We take in around 750 million logs a day. We have a lot of products and that would be a lot of different panes of glass that we would have to look through otherwise. By centralizing, we can triage and take steps much more quickly than if we tried to man that many interfaces that come with the products."
      • "I have Windows administrators who will remove the agent when they think that that's what's fouling up their upgrade or their install or their reconfiguration, etc. The first thing they do is to turn off the antivirus, turn down the firewall, and take off anything else. They don't realize that the LogRhythm agent is just sitting there monitoring. Most antivirus products have application protection features built-in where, if I'm an admin on a box, I can't uninstall antivirus. I need to have to the antivirus admin password to do that."
      • "We do about 750 million a day and some days we do 715 million. Some days we do 820 million or 1.2 billion. But there's no way to drill in and find out: "Where did I get 400,000 extra logs today?" What was going on in my environment that I was able to absorb that peak? I have no way to identify it without running reports, which will produce a long-running PDF that I have to somehow compare to another long-running PDF... I would like to see like profiling behavior awareness around systems like they've been gunned to do around users with UEBA."
      • "We had a little bit of difficulty implementing a disaster recovery situation because it was leveraging only Microsoft native DNS and it wouldn't work with our Infoblox DNS deployment that we use in our environment. They've been working on that behind the scenes."
      • "Sometimes the error-logging is not altogether helpful. For example, on an upgrade, a systems data processor, a Windows box, was throwing an error code like 1083. Then it just stopped and it died right out of the installer and nobody looked. We searched through Google and what it means is the Windows Firewall wasn't turned on so that it could create a rule for the product. Why wouldn't they bubble up that description so that I wouldn't have to call support and I could just know, "Okay, the firewall wasn't turned on. Turn it back on. Re-run the installer and keep going.""

      What is our primary use case?

      We collect from our primary devices and our endpoints and we look to identify any concerns around regulatory requirements in business use. We have payment card industry regulations that we are monitoring, to make sure everything's going the way it's supposed to, as well as for HIPAA, HITECH, and general security practices.

      How has it helped my organization?

      In terms of seeing a measurable decrease in the mean time to detect and respond to threats, we live in the Web Console and we see things when they come in right away, and then we triage.

      What is most valuable?

      There's value in all of it. The most valuable is the reduction in time to triage. We take in around 750 million logs a day. We have a lot of products and that would be a lot of different panes of glass that we would have to look through otherwise. By centralizing, we can triage and take steps much more quickly than if we tried to man all the interfaces that come with the products.

      What needs improvement?

      There are two improvements we'd like to see. I mentioned these last year and they haven't implemented them yet.

      The first one is service protection. I have Windows administrators who will remove the agent when they think that that is what's fouling up their upgrade or their install or their reconfiguration, etc. The first thing they do is to turn off the antivirus, turn down the firewall, and take off anything else. They don't realize that the LogRhythm agent is just sitting there monitoring. Most antivirus products have application protection features built-in where, if I'm an admin on a box, I can't uninstall antivirus. I need to have the antivirus admin password to do that.

      Why does the LogRhythm agent not have that built-in so that I don't have well-intended admins removing things or shutting off agents? I don't like that.

      The second one is, you can imagine my logging levels vary. We do about 750 million a day and some days we do 715 million. Some days we do 820 million or 1.2 billion. But there's no way to drill in and find out: "Where did I get 400,000 extra logs today?" What was going on in my environment that I was able to absorb that peak? I have no way to identify it without running reports, which will produce a long-running PDF that I have to somehow compare to another long-running PDF. I have to analyze it and say, "Well, last month, Exchange entity was only averaging this many logs. Now it jumped up this much. It could have been that." But then, if I find something that spiked, I still have to make sure nothing else bottomed out, because there might be a 600,000 log delta if something else wasn't producing as many logs as it normally does.

      I would like to see profiling behavior awareness around systems, like they've been gunned to do around users with UEBA.

      What do I think about the stability of the solution?

      It's a well-written platform. That being said, with our log levels, we ultimately have almost 30 servers involved. Some of them are very large servers. It will bury itself quickly if there's a problem. 

      I find the product to be well-written and very efficient. However, sometimes the error-logging is not altogether helpful. For example, on an upgrade, a systems data processor, a Windows box, was throwing an error code like 1083. Then it just stopped and it died right out of the installer and nobody looked. We searched through Google and what it means is the Windows Firewall wasn't turned on so that it could create a rule for the product. Why wouldn't they bubble up that description so that I wouldn't have to call support and I could just know, "Okay, the firewall wasn't turned on. Turn it back on. Re-run the installer and keep going."

      There have been many times where I've been disappointed, where I'll ramp an agent up to Verbose and it will say, "LogRhythm critical error, the agent won't bind to a NIC," or the like. I end up with no really actionable or identifiable information coming in, even though I've ramped up the logging level.

      There's room for the solution to grow in those situations, especially with regards to a large deployment where it can quickly bury itself if it can't bubble-up something meaningful. I need to be able to differentiate it from other stuff that can be triaged at a much lower priority.

      What do I think about the scalability of the solution?

      The scalability is good. We're deployed in two data centers at the moment. We had a little bit of difficulty implementing a disaster recovery situation because it was leveraging only Microsoft native DNS and it wouldn't work with the Infoblox DNS deployment that we use in our environment. They've been working on that behind the scenes. That's one of the things that is queued up for me next.

      Scalability, volume-wise, the product works very well. As far as the DR piece goes, I think there's room to improve that.

      How is customer service and technical support?

      Tech support is good. There are a lot of guys that know what's going on. Sometimes though, I've stood my ground saying, "I don't want to do that." If we have a problem with a server, we can bounce it and maybe it starts running right, but then we don't know what was wrong. We can't do anything about it in the future except bounce it again because that's what worked last time. Sometimes I need to push them and say, "Okay, I want to identify what's wrong. I want to see If I can write a rule that will show me when something's happening," or "I want to figure out if there's something wrong with my scaling and my sizing."

      I like support. I think they're customer-focused. But sometimes it seems they've got a lot of tickets in the queue and they want to do the "easy-button." I push back more on some of that. It could just be a situation where the logs aren't going to have that information, and they already know that, but they don't want to say, "Well, our logging is not sufficient. This is the best way forward."

      Which other solutions did I evaluate?

      What I find is that there are die-hard Splunkers. The problem is that Splunk is not affordable at a large scale. QRadar is not any better. It's just as bad. LogRhythm, for the price point, is the most reasonable, when you begin to compare apples to apples.

      What other advice do I have?

      From a performance standpoint, I have no problems recommending LogRhythm because it allows me to get in under the hood and tweak some things. It also comes with stuff out-of-the-box that is usable. I think it's a good product. Things like this RhythmWorld 2018 User Conference help me understand the company's philosophy and intentions and its roadmap, which gives me a little more confidence in the product as well.

      Regarding playbooks, we have Demisto which is a security orchestration automation tool, and we're on LogRhythm 7.3. Version 7.4 is not available yet because of the Microsoft patch that took it down. We're looking to go to 7.4 in our test environment and to deploy up to that. I'm not quite sure how its automation, or the playbook piece, will compare with Demisto, which is primarily built around that area and is a mature product. However, from a price point, it is probably going to be very competitive.

      In terms of the full-spectrum analytics, some of the visualizations that we have available via the web console are, as others have expressed, short-lived, since they're just a snapshot in time. Whereas, deploying Kibana will, perhaps, give us a trend over time, which we also find to be valuable. We're exploiting what is native to the product, but we're looking to improve that with either going with the Kibana or the ELK Stack to enrich our visualizations and depict greater time periods.

      We have somewhere north of 22,000 log sources and we average a little over 12,000 messages per second.

      The staff for deployment and maintenance is myself - I'm the primary owner of this product - and I have one guy as a backup. The rest of my team will use it in an analysis role. However, they're owning and managing other products. It's a very hectic environment. We're probably short a few FTEs.

      One thing that we've yet to implement very well is the use of cases and metrics. Because oftentimes, if we see something that we know - we glance at it, it's a false positive - we're not going to make a case out of it. We might not close it for a day or two because we know it's nothing, and because we're busy with other things since we are a little bit short on staff.

      In terms of our security program maturity, we have a fairly mature environment with a lot of in-depth coverage. The biggest plus of LogRhythm is that we can custom-write the rules based on the logs and then speed up time to awareness, the mean time to detect. I can create an alarm for virtually anything I can log.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
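The per-source volume comparison the reviewer above wishes for (which sources account for today's extra or missing logs, including sources that bottomed out and mask a spike in the total), written here as an added Python example; it is not LogRhythm code and not the reviewer's, and the log source names and daily counts are constructed sample data.

```python
"""Attribute a change in total daily log volume to individual log sources.

Added example, not LogRhythm's code. Each source is compared against its own
history so a noisy source is not over-flagged, and drops are reported alongside
spikes so a small net delta is not mistaken for a normal day.
"""
from statistics import mean, pstdev

# Constructed sample data: five prior days of daily counts per log source,
# then today's counts. Source names are hypothetical.
HISTORY = {
    "exchange":  [120_000_000, 118_000_000, 121_000_000, 119_000_000, 122_000_000],
    "firewall":  [300_000_000, 305_000_000, 298_000_000, 302_000_000, 301_000_000],
    "dc-auth":   [200_000_000, 199_000_000, 201_000_000, 200_000_000, 200_000_000],
    "web-proxy": [130_000_000, 128_000_000, 131_000_000, 129_000_000, 130_000_000],
}
TODAY = {
    "exchange":  150_000_000,  # spiked
    "firewall":  301_000_000,
    "dc-auth":   200_000_000,
    "web-proxy":  90_000_000,  # dropped; hides most of the exchange spike in the total
}


def baseline(counts):
    """Mean and population standard deviation of a source's historical daily counts."""
    return float(mean(counts)), float(pstdev(counts))


def source_deltas(history, today, z_threshold=3.0):
    """Per-source deviation of today's count from that source's own baseline.

    Returns a list of dicts sorted by absolute delta, largest first. A source
    seen today with no history (new source) or with history but no logs today
    (silent source) is still reported and is always flagged.
    """
    records = []
    for src in sorted(set(history) | set(today)):
        hist = history.get(src, [])
        cur = today.get(src, 0)
        mu, sigma = baseline(hist) if hist else (0.0, 0.0)
        delta = cur - mu
        if sigma > 0:
            z = delta / sigma
        else:
            # No spread in history (or no history at all): any change is abnormal.
            z = float("inf") if delta > 0 else (float("-inf") if delta < 0 else 0.0)
        records.append({
            "source": src,
            "today": cur,
            "mean": mu,
            "delta": delta,
            "z": z,
            "flagged": abs(z) >= z_threshold,
        })
    records.sort(key=lambda r: abs(r["delta"]), reverse=True)
    return records


def explain_total_delta(history, today, z_threshold=3.0):
    """Decompose (today's total - baseline total) into flagged spikes and drops."""
    records = source_deltas(history, today, z_threshold)
    return {
        "total_delta": sum(r["delta"] for r in records),
        "spikes": [r["source"] for r in records if r["flagged"] and r["delta"] > 0],
        "drops": [r["source"] for r in records if r["flagged"] and r["delta"] < 0],
        "records": records,
    }


def report_lines(summary):
    """Human-readable report: the net change, then one line per flagged source."""
    lines = [f"net change vs. baseline: {summary['total_delta']:+,.0f} logs"]
    for r in summary["records"]:
        if r["flagged"]:
            lines.append(
                f"  {r['source']:<10} today={r['today']:>13,} "
                f"baseline={r['mean']:>15,.0f} delta={r['delta']:+,.0f} z={r['z']:+.1f}"
            )
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(explain_total_delta(HISTORY, TODAY))))
```

With the sample data the net change is only about -9.8 million logs, yet the report names both the exchange spike (+30 million) and the web-proxy drop (-39.6 million) that together produce it.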
      PeerSpot user
      Senior Architect at an energy/utilities company with 201-500 employees
      Real User
      We use it to examine traffic patterns and anomalies, but have a hard time visually sifting through the noise
      Pros and Cons
      • "We have NetFlow information going into it, so we can examine a lot of traffic patterns and anomalies, especially if something stands out and is not the baseline. This helps a lot."
      • "We're still struggling to get a real return on it and finding something that isn't false noise."

      What is our primary use case?

      We have a small population of users, but we are large physically and geographically spread out with a lot of devices on our network. We need all that login capability going into one spot where we can see it and correlate events across all our infrastructure with a small staff.

      How has it helped my organization?

      We're still struggling to get a real return on it and finding something that isn't false noise. 

      There have been a few things, such as weird service accounts that have an encrypted password which are locking things out. However, we haven't had a big security event success with it as of yet. We could be missing things here, not seeing what is going on.

      What is most valuable?

      We do a lot of the alerting, as far as user accounts. We have NetFlow information going into it, so we can examine a lot of traffic patterns and anomalies, especially if something stands out and is not the baseline. This helps a lot.

      What needs improvement?

      We still have a lot of noise, so this is a problem. We are having a hard time visually sifting through it. We need help dialing it in. We don't have the in-house expertise. Do we hire someone just for this purpose and have them sit there all day, every day doing that? It is almost at that point. We are looking at Optiv as a solution right now.

      It is so robust. There are so many moving pieces that you can't dabble in them. This is the problem that we are struggling with. You have to have somebody who works with it, and that is their job. Maybe a bigger company could have a whole team which could do this, but we don't have the capability right now.

      I would like to see the client and the web client merged, so all the administrative functions are in the same web interface. It is just clunky right now. If you leave it running, it slows down your machine. However, we are still on version 7.3.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      It seems to be stable.

      What do I think about the scalability of the solution?

      It should meet our needs going forward. It seems like it is a mature enough product. 

      As far as what it takes, I don't know if it's worth the effort to get it on all the desktops, like every single user desktop and laptop reporting to it or if it is better just to target the main controllers, etc.

      How is customer service and technical support?

      I haven't had to use them too much. We will find out after we go online with Optiv. 

      I have my sales engineer with LogRhythm, who has been helpful. She reaches out to me every couple months just to see if we need anything and offers assistance, because we'd already used up our block of hours when we first provisioned this solution.

      We probably will contact them, if we go with Optiv, then they can help us upgrade.

      How was the initial setup?

      We did an on-premise solution. If I had to do it again, I would probably do a cloud-based solution. They basically shipped two boxes which were essentially ready to go. Then, I worked with an engineer who had a block of hours and he got the HA capability going. We got it dialed in and tied it up with the mainframe.

      Our team is in the process this week of doing a health check and trying to get everything up to speed. We are doing an upgrade, because we are still on 7.3. We need to be upgraded to 7.4.

      We have been using it for about a year. We are probably only about 75 percent there. We need help getting it dialed in, having some of the noise tuned out, and getting the alerts set up properly, so we can work off hours on different triggers. This is where we are struggling because we need to sleep, and we are blind during that time. So, we need something to help us with that.

      What about the implementation team?

      The installation wasn't too bad. LogRhythm did most of it. I just had to do the stuff that was specific for our environment.

      Which other solutions did I evaluate?

      We went back and forth between LogRhythm, Splunk, and AlienVault. 

      I liked LogRhythm mostly for how it integrated with the network infrastructure. It was my decision, and I'm not 100% sure that I picked the right one.

      LogRhythm works well with our network-centric environment. However, it may not be the best for other things.

      What other advice do I have?

      I am rating the solution a six out of ten, because we have not gotten it to work yet. With all its components, there is such a learning curve. 

      I haven't gotten far enough along in the process to know if the solution has a shortcoming or if it is our shortcoming with somehow getting it dialed in.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Senior Security Analyst at a consultancy with 1,001-5,000 employees
      Real User
      It has helped us centralize and have better visibility into devices on our network, but there has been instability in a previous version
      Pros and Cons
      • "It has helped us centralize and have better visibility into devices on our network. We are better able to respond to threats in a timely manner."
      • "The content in the community is very helpful and useful for new users."
      • "When we had version 7.2.6, there were a lot of issues deploying that version and with the indexing. The indexer was unstable. So, we were not able to use the platform when we were on that version until we were able to upgrade to 7.3.4."

      What is our primary use case?

      It is for security monitoring.

      How has it helped my organization?

      It has helped us centralize and have better visibility into devices on our network. We are better able to respond to threats in a timely manner.

      What is most valuable?

      • Out-of-the-box features, like widgets and dashboards.
      • The content in the LogRhythm Community is very helpful and useful for new users.

      What needs improvement?

      I would like to have threat indexing and a cloud version.

      What do I think about the stability of the solution?

      When we had version 7.2.6, there were a lot of issues deploying that version and with the indexing. The indexer was unstable. So, we were not able to use the platform when we were on that version until we were able to upgrade to 7.3.4. That is when it became more useful to us.

      Now, the stability is good. Right now, it is more a matter of fine tuning the alerts and rules that we have, then we can reduce the hit on the XM performance.

      What do I think about the scalability of the solution?

      In terms of capacity, we have the same XM appliance. We still haven't touched it (going beyond having that appliance), deployed another indexer, or moved to a distributed architecture.

      How are customer service and technical support?

      Tech support has been good. They have fixed whatever has been bothering me when I contact them.

      How was the initial setup?

      I do the deployment and maintenance for the solution.

      What was our ROI?

      We have seen a measurable decrease in the mean time when detecting and responding to threats.

      What other advice do I have?

      Definitely consider LogRhythm. There are a lot of players in the market, but LogRhythm is a solid solution.

      We don't have the playbooks. They are on version 7.4. We just upgraded to version 7.3.4. We are going to wait before we upgrade again due to performance issues.

      We have around 22,000 log sources and average 5000 messages per second.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Information Security Engineer at Seminole Tribe of Florida
      Real User
      It has allowed us to dive deeper into our network and figure out what is going on
      Pros and Cons
      • "It has allowed us to dive deeper into our network and figure out what is going on by parsing logs properly and being able to reduce the time it takes to work cases down from seven days to approximately two days."
      • "LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently."
      • "Technical support could use a little work in the terms of responding back. The feedback that we received is they do need a little more staff."
      • "We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4."

      What is our primary use case?

      Our primary use case would be for compliance. We needed a check in the box for compliance. Right now, it's performing and doing its job, allowing us to say that we are compliant with HIPAA, PCI, etc.

      How has it helped my organization?

      It has improved the way our organization functions. It has allowed us to dive deeper into our network and figure out what is going on by parsing logs properly and being able to reduce the time it takes to work cases down from seven days to approximately two days.

      LogRhythm has increased productivity because all the tools that we need are in the web UI, allowing us to find threats on our network fast and efficiently.

Our security program is still in its infancy. There is a lot of work that needs to be done. We finally were able to get our SIEM. A few things that we need to do are data loss protection, user behavior analytics, and another feature that LogRhythm offers, which we will probably invest in in the future. The program could use some work, but it is pretty solid now.

      What is most valuable?

      The most valuable feature is the Threat Intelligence Services (TIS).

      What needs improvement?

      We would like to see more things out of the console into the web UI. I guess this is what they are doing in 7.4.

      For how long have I used the solution?

      Less than one year.

      What do I think about the stability of the solution?

      In the three weeks that we have had it, we have had 99 percent uptime. It is a very stable platform.

      What do I think about the scalability of the solution?

      It is scalable. They don't charge for going over your messages per second. It does scale with the business. 

      How are customer service and technical support?

      Technical support could use a little work in the terms of responding back. The feedback that we received is they do need a little more staff, but every issue that we've opened a ticket up for has been resolved.

      Which solution did I use previously and why did I switch?

      We did not have a previous solution that we were using.

      How was the initial setup?

      The initial setup is straightforward and complex as it requires a lot of work. It's very straightforward and very organized. Our consultant guided us as to what we needed to do, but the entire thing is complex. One misstep or incorrect character can bring the whole thing down.

      I do all the deployment and maintenance.

      What about the implementation team?

      The sales engineers and salespeople who come in and scope out what you need are very knowledgeable. They are not there to upsell you. They get you what you need for what you have, so everything runs perfectly. The consultants are extremely knowledgeable. Getting LogRhythm up took less than a week. It's a very solid solution.

      What's my experience with pricing, setup cost, and licensing?

      When it comes time to renew, they say, "This is what you are using. This is what we can do for you." So, they work with you on pricing.

      Which other solutions did I evaluate?

      There were multiple competitors. We almost went with Splunk, but LogRhythm ended up being the best for the price. It ended up being everything we needed in one solution.

      What other advice do I have?

      Everyone needs a SIEM. Go with LogRhythm.

      We are not using the full-spectrum analytic capabilities yet, as we are brand new.

      We have not used any of the playbooks. We do have them. We find them to be very detailed and organized. We just need to find a way to implement them.

      I run in about 45 log sources with 12 of them being domain controllers, aka DNS.

      Messages per second are fluctuating between 3000 and 9000. We are still trying to figure out why. We think it is our very chatty domain controllers, as we do deal with the Hard Rock and Seminole tribe, but I would say that we average about 5000.

Most important criteria when selecting a vendor: customer service. Do they care about our business as much as we care about our business? Also known as, do they care about our data as much as we care about our data?

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Senior Network Engineer with 201-500 employees
      Real User
      Allows us to automate a lot of things with a smaller team
      Pros and Cons
      • "It allows us to automate a lot of things with a smaller team."
      • "Move it to Linux. I would like to see it get off the SQL Server."

      What is our primary use case?

      We use it to alarm our help desk. 

We are starting to use it for SMART Response. We have been using SMART Response for about a year. Now, we are starting to push that towards the help desk, so the junior analysts can do more.

      How has it helped my organization?

      It allows us to automate a lot of things with a smaller team.

      What is most valuable?

      • AI
      • SMART Response
      • Looking forward to using the playbooks

      What needs improvement?

      • Move it to Linux. I would like to see it get off the SQL Server.
      • I would like it to be containerized. 

      What do I think about the stability of the solution?

      Our appliance is a little older, so we need to upgrade it. We are going to probably move to the software-only version. However, the issues that we have are our own fault because we didn't buy the right-size appliance.

      What do I think about the scalability of the solution?

      We are not that big of a company. We are only at about 800 events per second.

How are customer service and technical support?

      We have had a couple of custom logs built, but we don't call in that much.

      How was the initial setup?

      The initial setup is easy with the physical appliance.

      What about the implementation team?

      We have two people who are setting it up and doing the admin side.

      What other advice do I have?

      Make sure you size the appliance correctly.

      We use Ansible and Terraform for infrastructure, so the same concept as the playbooks. We are looking to use the playbooks going forward.

We have about 1500 log sources. We do about 25 million logs a day. Obviously, they're not all events.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Manager of Information Security at a real estate/law firm with 51-200 employees
      Real User
      It has given us visibility into log information that we did not have before
      Pros and Cons
• "The ability to drill down and pivot from an event is one of the biggest advantages the product has compared to other things that I have seen in the market."
      • "We have gone through a few versions which has caused a lot of instability. We have logged a lot of hours with professional services."

      What is our primary use case?

      The biggest use case is visibility. Because we have a lot of flaws, if you don't have a tool that can bring it all in and give you that visibility, then all that log information is useless. Thus, LogRhythm helps us keep that visibility.

      How has it helped my organization?

      It has definitely improved our security program's maturity, because we have visibility that we didn't have before. We came from another SIEM platform that we had used for over ten years and we completely outgrew that platform. LogRhythm has given us more visibility. It has created more actionable items for us on a day-to-day basis, which gives us more work. At the same time, it has given us more tools than we had before, so that is definitely nice.

      What is most valuable?

      I wish I could just name one feature! There are so many: 

• The ability to drill down and pivot from an event is one of the biggest advantages the product has compared to other things that I have seen in the market.
      • LogRhythm differentiates itself through its usability.
      • Its simplicity. It can do more than just basic simplicity.

      For how long have I used the solution?

      Three to five years.

      What do I think about the stability of the solution?

      We have gone through a few versions which has caused a lot of instability. We have logged a lot of hours with professional services. The version that we are currently on is a lot more stable than what we have experienced in the past. So, it is progressively getting better day-by-day. However, we have had some instability in the past.

      What do I think about the scalability of the solution?

      There are a lot of things that are on our wishlist which I found out about on day one.

      As far as scalability is concerned, it is good.

How are customer service and technical support?

      I would rate the technical support as a nine out of ten. We have had some issues. Though overall, support has been great. The portal and their interaction with us along with their full support has been fantastic.

      How was the initial setup?

      The initial setup is complex, because it's a huge product. LogRhythm is a beast. It can do so much more than just the analytic software, so it is not your typical installation. It's more of a three to four month installation process because you are gradually bringing in logs and fine tuning them. It is not a difficult process, just a lengthy one.

      What was our ROI?

We have seen a measurable decrease in the mean time to detect and respond to threats. As new features and new releases come out, the window is becoming a lot narrower because you can pivot a lot more with the data. Therefore, the new features and enhancements are reducing that.

      What other advice do I have?

      I just found out about the playbooks at the conference. I plan on using them as soon as I get back.

      We have about 2500 messages per second coming in.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
Security Engineer Analyst Admin at an aerospace/defense firm with 1,001-5,000 employees
      Real User
      The dashboard puts things at our fingertips, but it's a challenge to pull out all the info we need
      Pros and Cons
      • "Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing."
      • "Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing... If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that."

      What is our primary use case?

      The primary use is monitoring logs, to see what's going on.

      How has it helped my organization?

      It's head and shoulders above what we were using, which was SolarWinds LEM.

      What is most valuable?

      Alarms are the most valuable feature. We also like the dashboard and how things are at your fingertips. The fact that we can now edit the report templates is going to be a great thing.

      What needs improvement?

      My installation has some unique problems, apparently, because of our network architecture, and that's why we're looking at other solutions, and possibly a replacement. 

      We're looking at user-based analysis. Granted, we haven't enabled the UEBA module, but we're forwarding all our proxy logs to LogRhythm and we have a really hard time pulling those proxy logs back out of LogRhythm. However, when we take LogRhythm and forward the same logs into somebody else's user-based analytics software, we get the majority of what we were missing. So we know the logs are making it to LogRhythm, but we still can't pull them out. If we've got all our proxy logs and I go out to Google or Facebook or the like, we should be able to go in and pull that information out ten minutes later, but it's a big challenge to do that.

      What do I think about the stability of the solution?

      As long as you don't overfeed it, it's fairly stable.

      What do I think about the scalability of the solution?

      The scalability has been fairly decent so far, as long as you don't overfeed it.

How are customer service and technical support?

Tech support is hit-or-miss. Some of the tech support agents are just wonderful and I've learned a lot from interfacing with them. Some of the tech support agents seem like they are metrics-based: how many tickets can they close in a short amount of time? I usually express my feelings in the ticket notes, so these are not unheard-of comments.

      How was the initial setup?

      The initial setup was fairly straightforward.

      What other advice do I have?

      My advice would be to definitely look into it. I've used other SIEMs that were a whole lot easier to program and I've used other SIEMs that were vastly oversold and cost way too much money. LogRhythm is a good product for what it is.

      We have more than 500 and less than 1,000 log sources. In terms of messages per second, therein lies the rub. We bounce anywhere from 2,500 to, on certain days, a peak of over 12,000.

      We are not using the full-spectrum analytics features. We don't use any automated playbooks. In terms of the number of staff for deployment and maintenance, the latter is me. I've got two other analysts that work with me.

Regarding our security program maturity, we've grown a whole lot in the last three years. LogRhythm, fortunately, was a part of that. Our previous SIEM had to be rebooted two or three times a day. Unfortunately, now that we're trying to leverage it to get more data out of it, we don't seem to be able to do that.

I can't say I have seen any measurable decrease in the mean time to detect and respond to threats because I can't watch it all the time.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
Senior Cyber Security Engineer at an individual & family service with 10,001+ employees
      Real User
      AI Engine rules help us detect changes through privileged-user actions

      What is our primary use case?

      We work on a dark site. It's the next generation ground station for the Air Force's GPS system. Our use cases are based mostly on an insider-threat perspective.

      We utilize a lot of AI Engine rules within the LogRhythm SIEM to detect different types of privileged-user actions, whether it be escalation of privileges, creation of user accounts, or modification of user accounts. We also use it for IDS rules and firewall rules that are met, in terms of the IDS finding signature attacks.

      How has it helped my organization?

      It has helped our organization because we utilize the SIEM for a lot of analysis, not necessarily for malicious threats at this point, because we're in development. It's helping as far as figuring out how something got changed on the system, because it is in development and things are changing constantly. We are then using that forensic analysis to figure out what was changed, so we can turn it back because, a lot of times, in development, we don't know what caused something to happen.

      What is most valuable?

      The most valuable feature that we use is the AI Engine itself.

      What needs improvement?

      They're addressing a lot of the things that I've thought of over the past four years, in the various releases they're coming out with.

      A lot of times they'll say something is coming out in a certain release and then we get to that release and they say, "No, we're pushing it back to a coming release." More engineering thought will go into when they are going to release something. Often, we'll give feedback to our management saying, "Hey it's going to come out in this release." That release comes out and it's not there and we have to go back to management and say, "Hey, they're not going to do it right now." Then management gets frustrated because they don't understand the intricacies of what goes into different components and into different releases.

      What do I think about the stability of the solution?

      The stability is very good, now. Initially, when I started working on this four years ago, the actual solution that was brought into our company wasn't very scalable, it wasn't architected properly for our type of environment. I've since re-engineered and architected a different solution with LogRhythm to actually meet our needs.

      What do I think about the scalability of the solution?

It's very scalable. It's a matter of knowing what you need regarding the quantity of logs you're putting out on a routine basis. If you size it and scale it correctly, you can keep scaling it as far as you need to scale it. We've added data processors, data indexes - we have multiple of each for each environment. And we have close to 20 environments that we have LogRhythm SIEMs in.

How are customer service and technical support?

      I do more the architecting, engineering, and implementation, versus analysis. The only thing I would say in evaluating tech support is that a lot of times, I start out with the tier-1 and it's just not what I need. I need to get to tier-2, tier-3, and usually tier-3, before I get what I need.

      If LogRhythm could do something on that side - for people who actually deploy and integrate the SIEM itself, instead of it just being an analyst - by having a different phone number for them, that would be a recommendation I could see going forward.

      How was the initial setup?

      Was the setup complex? Yes and no. I did a lot of research prior, on my own, regarding using the recommended specifications that LogRhythm puts out. I designed it around that. I didn't utilize customer support a lot, only for a few questions. It was pretty straightforward after the research I put into it.

      What other advice do I have?

      I would definitely recommend LogRhythm, based on my experience with it. LogRhythm is always trying to change and improve its product which is always a good thing. Other SIEMS are in development to upgrade and better their SIEMs but LogRhythm, across the board, has a great team. They look an inch deep but a mile wide, whereas other companies will look a mile deep and an inch wide. I think it's a lot better to do "across the horizon," instead of a small, six-foot-deep hole.

      We are not using the full-spectrum analytics capabilities at this time. We are thinking about it, but there's a process for getting those changes into our baseline, being a development program. We have no playbooks at this time.

We have about 5,000 to 7,000 log sources per environment and there are 20 environments. In terms of logs per second, it all depends. We're in development. Some of our environments are not ramped up and they're all at different stages of development. Where we only get 100,000 to 150,000 logs a day in some environments, in others we'll get close to 1 billion logs a day.

When it comes to what's important in selecting a vendor, price, names, and support are all great and dandy. Obviously, the big names of the world have a track record. LogRhythm hasn't been huge for a lot of time but they're starting to grow. They were one of the ones recommended by industry reviews in the SIEM world, but they were a relatively small company at the time. When you have industry reviewers recommending a small company, it says a lot for that small company. I know that they are growing now, but back when LogRhythm was first talked about by the industry they weren't very big, compared to the ArcSights and IBMs of the world.

      I rate it an eight out of ten because I don't have a lot of experience across the board with different SIEMs. I've worked with ArcSight but ArcSight is very expensive. And I've worked a little bit with QRadar. I actually like QRadar as much as LogRhythm.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
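The review above describes AI Engine rules that watch for privileged-user actions such as account creation and modification. The block below is an added example of the kind of correlation such a rule expresses; it is not LogRhythm's AI Engine and not code from the reviewer. It assumes a simplified, constructed event feed (timestamp, event ID, acting subject, target account, group), which is an assumption for the example; the event IDs 4720, 4728 and 4732 are the real Windows Security IDs for account creation and security-group membership additions. It raises an alert when the same actor creates an account and then adds it to a privileged group within a short window, and ignores the same sequence when it is too slow or the group is not privileged.

```python
"""Correlate Windows Security events into a privileged-account alert.

Added example only: this is not LogRhythm's AI Engine and not code from
the review. It assumes a simplified, constructed event feed with the
fields timestamp,event_id,subject,target,group (an assumption) and
raises an alert when one subject creates an account and then adds it to
a privileged group within a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs: 4720 = user account created,
# 4728 / 4732 = member added to a security-enabled global / local group.
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732}
# Group names treated as privileged (assumption for this example).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
WINDOW = timedelta(minutes=10)

# Constructed sample feed, not real log data. Fields:
# timestamp,event_id,subject(actor),target(account acted on),group
SAMPLE_EVENTS = """\
2023-11-02T10:00:01Z,4720,CORP\\jdoe,CORP\\svc-backup,
2023-11-02T10:03:12Z,4728,CORP\\jdoe,CORP\\svc-backup,Domain Admins
2023-11-02T10:05:40Z,4720,CORP\\helpdesk,CORP\\newhire,
2023-11-02T10:06:10Z,4728,CORP\\helpdesk,CORP\\newhire,Sales
2023-11-02T11:30:00Z,4720,CORP\\jdoe,CORP\\tmp-admin,
2023-11-02T12:15:00Z,4732,CORP\\jdoe,CORP\\tmp-admin,Administrators
"""


def parse_events(text):
    """Parse the constructed feed into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, subject, target, group = line.split(",", 4)
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(event_id),
            "subject": subject,
            "target": target,
            "group": group,
        })
    return events


def correlate(events, window=WINDOW):
    """Return alerts for create-then-elevate sequences by the same actor.

    State is keyed by target account; each privileged group-add event is
    checked against earlier creations of that account inside the window.
    """
    created = defaultdict(list)  # target -> [(time, subject), ...]
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == ACCOUNT_CREATED:
            created[ev["target"]].append((ev["time"], ev["subject"]))
        elif ev["event_id"] in GROUP_MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            for t_created, creator in created.get(ev["target"], []):
                delta = ev["time"] - t_created
                if creator == ev["subject"] and timedelta(0) <= delta <= window:
                    alerts.append({
                        "subject": ev["subject"],
                        "target": ev["target"],
                        "group": ev["group"],
                        "seconds": int(delta.total_seconds()),
                    })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS)):
        print("ALERT: {subject} created {target} and added it to "
              "{group} after {seconds}s".format(**alert))
```

Run as-is, only the svc-backup sequence fires: newhire goes into a non-privileged group, and tmp-admin is elevated 45 minutes after creation, outside the 10-minute window. Widening the window to an hour makes the tmp-admin case fire too, which is the tuning trade-off the reviewers describe between catching slow actors and noise.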
      PeerSpot user
      Information Security Analyst at Endicott College
      Real User
      We now have a central point of monitoring for all potential threats
      Pros and Cons
      • "When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet."
      • "We now have a central point of monitoring for all potential threats."
      • "I would like it to do a lot of the automation (which I still need to learn more about), because I am essentially a one man shop doing all the jobs. I'd like for it to be able to do more for me."

      What is our primary use case?

      It monitors any potential security threats within any of our important network security appliances, like our firewall, or any of our important databases. The idea being that you can't look at all the logs at once, so we now have a central point of monitoring for all potential threats.

      How has it helped my organization?

      I have been using LogRhythm for just a few months, but the college has had it for over a year. Until I worked with it, there was no monitoring it and the solution just sat there. The solution is just picking up speed now.

      What is most valuable?

      • The threat analytics
      • Seeing what potentially could be happening; what are the riskiest things going on.

      What needs improvement?

      I would like it to do a lot of the automation (which I still need to learn more about), because I am essentially a one man shop doing all the jobs. I'd like for it to be able to do more for me, so I can focus my attention on my other job responsibilities, because there are a lot of them.

      For how long have I used the solution?

      Less than one year.

      What do I think about the stability of the solution?

      The only issues that we have had with it were Windows-based. The actual appliance has been up and continuously logging everything that we have, and CIS logging through it. There have been no signs of any problems nor instability.

How are customer service and technical support?

When it comes to dealing with support, all my interactions have been great. Everyone has known what they're doing and have been quick to respond. They seem to always know the answer. I haven't stumped anybody yet. That's not something that I typically encounter. Usually, I wind up being the person finding the weird thing where people have to get back to me and it is left up to the developers.


      How was the initial setup?

      The few issues that I have had while doing upgrades, LogRhythm's support answered them incredibly quickly.

      Which other solutions did I evaluate?

      I have never used a competing product.

      What other advice do I have?

      I love the potential of this solution. It sounds like a "set it and forget" type of solution. Let it deal with all the problems. It is good at doing that.

      On the day-to-day, I haven't had a huge amount of time to work with the full-spectrum analytics. I have been focusing on getting it updated and up-and-running.

      Currently, we have a Windows agent. Therefore, we technically have just two log sources, because the Windows agent is picking up all the domain logs onto one box and forwarding them on. It is taking all the Windows Servers and single-sourcing them. Then, currently, the only other thing that we have actively logging is our Sonic logs and CIS logs. We only have two individual sources listed, but it is more logs than that.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      IT Specialist at a healthcare company with 51-200 employees
      Real User
      It should scale easily with the way our environment is set up
      Pros and Cons
      • "It seems like it will scale easily with the way our environment is set up."
• "We should be able to respond to threats and gain visibility into our environment that we don't currently have."
      • "The initial setup is complex. We are using a LogRhythm partner, at least for the first three years, to help with the monitoring and the deployment of it. We are not a big enough environment where we have people that we can dedicate to it right now."
      • "I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now."

      What is our primary use case?

      We have a lot of distributed offices and no visibility into any of them. The use case for this product is to collect and integrate logs from all the machines at all the different sites and get better insight into the security areas that we need to tighten up.

      How has it helped my organization?

I am hoping that we will be able to respond to threats and gain visibility into our environment that we don't currently have.

      What is most valuable?

      The AI Engine.

      What needs improvement?

      I would like to see our vulnerabilities counter. We will be using Tenable to fill that void right now.

      For how long have I used the solution?

      Still implementing.

      What do I think about the scalability of the solution?

      It seems like it will scale easily with the way our environment is set up.

      How are customer service and technical support?

      We have not used LogRhythm's tech support yet.

      Which solution did I use previously and why did I switch?

      We were using an MSP and were dissatisfied with its performance. What we started to do was figure out what we could bring in-house and what we needed from a security standpoint, and this SIEM kept coming up as something we should look at.

      How was the initial setup?

      The initial setup is complex.

      What about the implementation team?

      We are using a LogRhythm partner, at least for the first three years, to help with the monitoring and the deployment of it. We are not a big enough environment where we have people that we can dedicate to it right now.

      We require one person for deployment and maintenance.

      What other advice do I have?

I would recommend LogRhythm. I am really impressed with it, though we haven't started using it yet.

      We are just in the middle of deployment of the full-spectrum analytics capabilities. We haven't finished the configuration of the product yet.

      We do plan to use the built-in playbooks.

      We have approximately 931 log sources at this point.

      Most important criteria when selecting a vendor: 

      1. The reputation of the vendor. 
      2. The quality of the product. 
      3. The integration into the environment that we have right now.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Senior Security Engineer at a manufacturing company with 5,001-10,000 employees
      Real User
      The AI Engine can take an event and correlate it into something else giving us meaningful context regarding what is going on
      Pros and Cons
      • "The AI Engine can take an event and correlate it into something else giving us meaningful context regarding what is going on. We integrated it in with our ticketing system, so if an alarm fires, it raises a ticket in our system."
• "I would like a fuller implementation of STIX/TAXII so I can pull in some of the government lists without having to go implement a whole new STIX/TAXII platform."

      What is our primary use case?

      It came in as a compliance package. Now, it is more of a security analytics platform for us, so we try to route relevant security and computer logs. We also have some use cases that we came up with and some of the stuff that LogRhythm provided, which has been the basis of our use of this security platform. 

      The company is dedicating me to working on this solution exclusively, so it has been great.

      How has it helped my organization?

It has helped operationally with things that I have discovered in logs, like errors. Without it, things going wrong would probably have gone undetected. It has certainly helped with some of the general user behaviors going on out there. 

      It provides a measurement of the things going on in our organization from a security standpoint. We can either address the issues, or say, "That's the way it is."

      What is most valuable?

      The AI Engine can take an event and correlate it into something else giving meaningful context regarding what is going on. We integrated it in with our ticketing system, so if an alarm fires, it raises a ticket in our system. Therefore, if I find somebody needs to action other things on it, I can just forward the ticket along. This is all done via email, which is pretty slick.

      What needs improvement?

I would like a fuller implementation of STIX/TAXII so I can pull in some of the government lists without having to go implement a whole new STIX/TAXII platform. 

      I'd like to do user based analytics, but that is a funding thing.

      What do I think about the stability of the solution?

      Stability has been good. We have been bitten by the knowledge base (KB) twice in the last two years. I had some things that I did that caused the AI Engine to have problems. 

Once you get stuff tuned up, it just runs.

      What do I think about the scalability of the solution?

Scalability has been fine. So far, we have been adequate capacity-wise but I can see very soon that we're going to be taking advantage of some of the features that come with the new version. In particular, the data processor arrays which will help us scale out. Then, there is the whole mention of hot versus warm and being able to keep data because SecondLook is terrible.

      What about the implementation team?

      We have a partner, a service provider, who helps me administer the platform. Then, there is me, as the company didn't want to hire additional resources, but this complements the staffing by having somebody else from the outside help with it.

      What's my experience with pricing, setup cost, and licensing?

      Check it out.

      Which other solutions did I evaluate?

      We went through a competitive comparison of the three leading platforms out there. It was an easy win, not only from the technology-side, but from the company with its support. That's a big thing for us, when you are small, that you count on the support team. Some of the competitors, their support is not good.

      What other advice do I have?

      Our security program is not real mature. The security group just got a CISO within the last year or two, so that has been the focus. The company is bringing up that side of the business. They recognize that it is something that needs to be invested in, along with their investment in LogRhythm.

      I don't have playbooks right now. We are still on 7.2. I don't think playbooks are in there yet. It makes sense that we use that functionality, and we're looking to go to 7.4 as soon as the .3 release comes out.

      We have about 1800 log sources. 

      We are right at 5000 messages per second, and the system is scaled for 10,000.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
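The reviewer above wants to pull government indicator lists in over STIX/TAXII and have the AI Engine correlate them into alarms with context. The block below is an added example, not LogRhythm code and not the reviewer's: it takes a STIX 2.1 bundle (here a constructed one standing in for what a TAXII collection would return; the TAXII fetch itself is out of scope), flattens the atomic equality comparisons in each indicator pattern into a watchlist, and matches that watchlist against constructed log lines, carrying the indicator id along so an alarm can cite its source. All ids, addresses, domains and log lines are made up for the example.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 bundle. Every id and value is made up for this example.
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'bad.example' OR domain-name:value = 'worse.example']"},
        {"type": "indicator", "id": "indicator--cccccccc-cccc-4ccc-8ccc-cccccccccccc",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-256' = "
                    "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
        {"type": "indicator", "id": "indicator--dddddddd-dddd-4ddd-8ddd-dddddddddddd",
         "pattern_type": "stix", "valid_from": "2023-01-01T00:00:00Z", "revoked": True,
         "pattern": "[ipv4-addr:value = '198.51.100.9']"},
        {"type": "malware", "id": "malware--eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee",
         "name": "Example Loader", "is_family": True},
    ],
})

# Constructed log lines in a generic key=value style, not a LogRhythm format.
LOG_LINES = [
    "2023-05-01T10:00:01Z fw01 deny src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2023-05-01T10:00:02Z proxy01 GET http://bad.example/update.bin user=jdoe",
    "2023-05-01T10:00:03Z proxy01 GET http://cdn.good.example/app.js user=jdoe",
    "2023-05-01T10:00:04Z edr01 file created sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 host=ws12",
    "2023-05-01T10:00:05Z fw01 allow src=10.0.0.5 dst=198.51.100.9 dport=80",
    "2023-05-01T10:00:06Z dns01 query a.worse.example from 10.0.0.8",
]

# STIX observable type used in a pattern -> watchlist kind.
KIND_BY_OBJECT = {"ipv4-addr": "ip", "domain-name": "domain", "file": "hash"}

# One "<object-type>:<property path> = '<literal>'" comparison inside a pattern.
# Property paths may contain quoted keys such as hashes.'SHA-256'.
COMPARISON_RE = re.compile(r"([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def extract_indicators(bundle_json: str) -> Dict[str, Dict[str, str]]:
    """Return {kind: {value: indicator_id}} from a STIX 2.1 bundle.

    Only equality comparisons are extracted; this is not a STIX pattern
    evaluator. OR-joined comparisons are a plain watchlist. AND-joined ones
    are over-approximated (each operand becomes its own entry), which is the
    safe direction for a list that raises alarms rather than blocks traffic.
    Revoked indicators and non-STIX pattern types (sigma, snort, yara) are skipped.
    """
    watch: Dict[str, Dict[str, str]] = {k: {} for k in KIND_BY_OBJECT.values()}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        for obj_type, _prop, value in COMPARISON_RE.findall(obj["pattern"]):
            kind = KIND_BY_OBJECT.get(obj_type)
            if kind is not None:
                watch[kind][value.lower()] = obj["id"]
    return watch


def match_line(line: str, watch: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (kind, value, indicator_id) hits for one log line."""
    text = line.lower()
    hits = []
    for ip in IPV4_RE.findall(text):
        if ip in watch["ip"]:
            hits.append(("ip", ip, watch["ip"][ip]))
    for digest in SHA256_RE.findall(text):
        if digest in watch["hash"]:
            hits.append(("hash", digest, watch["hash"][digest]))
    for host in HOST_RE.findall(text):
        labels = host.split(".")
        # A listed domain should also fire for its subdomains (a.worse.example).
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in watch["domain"]:
                hits.append(("domain", candidate, watch["domain"][candidate]))
                break
    return hits


def scan(lines: List[str], watch: Dict[str, Dict[str, str]]) -> List[Tuple[int, str, str, str]]:
    """Run every line through the watchlist; returns (line_index, kind, value, indicator_id)."""
    return [(i, *hit) for i, line in enumerate(lines) for hit in match_line(line, watch)]


if __name__ == "__main__":
    watchlist = extract_indicators(BUNDLE_JSON)
    for idx, kind, value, ind_id in scan(LOG_LINES, watchlist):
        print(f"line {idx}: {kind} {value} matched {ind_id}")
```

The revoked indicator is dropped at ingest, so the connection to 198.51.100.9 on the last firewall line is not flagged; when the list is refreshed from the feed, revocations must be honoured the same way or stale alarms keep firing.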
      Security Engineer at Managed Technology Services, LLC fka LexisNexis
      Real User
      The customer support is friendly, attentive, and willing to help
      Pros and Cons
      • "We have to be able to show the evidence, and LogRhythm does a great job of putting it forward and making it easy to create reports with nice looking dashboards, which show off what we are doing as a security program."
      • "Their customer support is friendly and willing to help."
      • "The installation was a bit complex because we are running a virtual infrastructure."

      What is our primary use case?

We primarily use the LogRhythm SIEM for the log collection and aggregation for all of our Windows machines. We have all our firewalls sending logs to it. We have it hooked into Office 365 with the API to manage our cloud environment, and it's performed phenomenally.

      What is most valuable?

      The most valuable features are the reporting tools. A lot of times as security, we are tasked with explaining to management and the executives how the security program is going, what our concerns are, and if we want to get anything out of them as far as budget to fix some issues. We have to be able to show the evidence, and LogRhythm does a great job of putting it forward and making it easy to create reports with nice looking dashboards, which show off what we are doing as a security program.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      It has been completely stable. We have had it in for a little over a year now, fully in production, and it has never gone down once. 

The only thing we had an issue with was when I tweaked the AI rules to basically fire on everything, which then caused a lot of accelerated rollover in our events. This was simply user configuration, and not anything on the LogRhythm side. It has been a very stable solution the whole time that we've had it in.

      What do I think about the scalability of the solution?

      We are currently in the process of upscaling our current LogRhythm instead of buying a new one, which is really beneficial.

I don't know what they do on the back-end as far as the algorithm for crunching logs and keeping everything small and compact, but we haven't had any problems with the sizing. With some of the other systems that we have used, we quickly run into the problem where everything gets overblown and you have to go in and filter stuff out. What LogRhythm does that I like is they have all these knowledge base add-ons and modules out-of-the-box. It comes with all these features that you can use and get up off the ground running.

      How are customer service and technical support?

      Their customer support is friendly and willing to help. I can't compliment their support staff enough. They've been nothing but helpful. Any questions that we have, they come out and help us, or they email us. It's great to have such an attentive support staff.

      Using the LogRhythm Community, you can find the answers to any of the problems that you have. Everyone out there is just trying to help each other get better. So, it's really nice.

      How was the initial setup?

The installation was a bit complex because we are running a virtual infrastructure. Some of the stuff that we dealt with on the virtual machine and the disks was a little complex. However, the engineers at LogRhythm were more than willing to help. I had a little trouble because I was unfamiliar with the way vSphere works in the way that disk sizing stuff goes to get it set up.

      What about the implementation team?

      Everything is running on one large virtual machine instance that we have because we have a lot of virtual infrastructure. We help other companies and host their solutions. We are really versed in that. So, we have one huge deployment, and it works really well.

      What's my experience with pricing, setup cost, and licensing?

The nice thing about LogRhythm is you can either use the agents, getting a certain number of agents with your license depending on how you want to go, and those agents do a lot of cool things, or you can use a syslog host, then you have like an unlimited number of them. So, we have used syslog for a lot of ours because it was easy to put into LogRhythm and change the destination of our syslog solution. Now, our syslogs go into LogRhythm, and it's easy. You see them pop up there, then you just accept them as new log sources, and bingo you're in. Now, you're working. So, it is really good.

      Which other solutions did I evaluate?

      Where some other engines have been touted as SIEMs, you actually have to do a whole lot of actual engineering work of your own to even get the basic functionality out of them. This is one thing LogRhythm knocks out-of-the-box. 

      What other advice do I have?

      It helps that the product is fully realized and ready to go as soon as you get it installed. You can immediately see results and immediately see the data coming in. You're able to collate and correlate it, obtaining your data in a quick and easy manner. 

      Do a demo. See what they're offering. Just know that their support is the best.

      I haven't used any of the automated playbooks yet. Our engineers are leery about having the automatic stuff go off, which I can understand. We also have separation of duties. I don't have a lot of their credentials to work with it on my own, so we would have to go back and forth with the engineers, and that is something that they don't really want to do. However, we do have our own playbooks and security team, but it's more manual. I am interested in the playbooks feature, so I will attend one of the events here to learn more about it and figure it out, then take it back to the team to get buy in on it, so we can then use it.

      We have about 2500 log sources sending logs to LogRhythm right now. We have about 20 firewalls, with a lot of Windows PCs. 

      It's the best solution that I've ever used. We're expanding its use, not only in our corporate network, but out to the cloud environment where we host customer data stuff, too.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
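The reviewer above describes pointing existing syslog senders at the SIEM, watching new sources "pop up", and accepting them. The block below is an added example, not LogRhythm's collector and not the reviewer's code: a minimal intake that parses RFC 5424 and RFC 3164 lines, holds lines from unaccepted senders until an operator accepts the source, and replays them on acceptance. It keys sources on the sender IP taken from the transport rather than on the hostname written inside the message, because that hostname is self-asserted, and it raises an alert when an accepted sender's claimed hostname changes. The sender IPs and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp "
              "security console solaris-cron local0 local1 local2 local3 local4 "
              "local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
RFC5424_RE = re.compile(
    r"^<(\d{1,3})>(\d)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(-|(?:\[.*?\])+)\s*(.*)$")
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MSG
RFC3164_RE = re.compile(
    r"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2})\s+(\S+)\s+([^\s:\[]+)(?:\[(\d+)\])?:\s*(.*)$")


@dataclass
class Event:
    sender_ip: str   # from the transport (socket peer), never from the message body
    hostname: str    # self-asserted by whoever wrote the message
    facility: str
    severity: str
    app: str
    msg: str


def parse_syslog(sender_ip: str, line: str) -> Optional[Event]:
    """Parse one RFC 5424 or RFC 3164 line; return None for anything else."""
    m = RFC5424_RE.match(line)
    if m:
        pri, _ver, _ts, host, app, _pid, _msgid, _sd, msg = m.groups()
    else:
        m = RFC3164_RE.match(line)
        if not m:
            return None
        pri, _ts, host, app, _pid, msg = m.groups()
    pri = int(pri)
    if pri > 191:            # 24 facilities x 8 severities
        return None
    return Event(sender_ip, host, FACILITIES[pri >> 3], SEVERITIES[pri & 7], app, msg)


@dataclass
class SourceRegistry:
    """Accepted and pending senders, keyed on sender IP."""
    accepted: Dict[str, Optional[str]] = field(default_factory=dict)  # ip -> first hostname seen
    pending: Dict[str, List[str]] = field(default_factory=dict)       # ip -> queued raw lines
    alerts: List[str] = field(default_factory=list)

    def ingest(self, sender_ip: str, line: str) -> Optional[Event]:
        ev = parse_syslog(sender_ip, line)
        if ev is None:
            self.alerts.append(f"unparseable line from {sender_ip}: {line[:40]!r}")
            return None
        if sender_ip not in self.accepted:
            self.pending.setdefault(sender_ip, []).append(line)  # new source: hold for an operator
            return None
        known = self.accepted[sender_ip]
        if known is None:
            self.accepted[sender_ip] = ev.hostname
        elif ev.hostname != known:
            self.alerts.append(f"{sender_ip} now claims hostname {ev.hostname!r}, was {known!r}")
        return ev

    def accept(self, sender_ip: str) -> List[Event]:
        """Operator accepts a source; its queued lines are replayed and returned."""
        self.accepted.setdefault(sender_ip, None)
        queued = self.pending.pop(sender_ip, [])
        replayed = [self.ingest(sender_ip, ln) for ln in queued]
        return [ev for ev in replayed if ev is not None]


# Constructed traffic: (sender IP as seen on the socket, raw line).
SAMPLE = [
    ("10.0.0.1", "<34>1 2023-05-01T10:00:00Z fw01 sshd 1234 ID47 - Failed password for invalid user admin from 203.0.113.5 port 5222 ssh2"),
    ("10.0.0.2", "<13>May  1 10:00:01 ws12 CRON[4455]: (root) CMD (run-parts /etc/cron.hourly)"),
    ("10.0.0.1", '<165>1 2023-05-01T10:00:02Z fw01 fwd - - [meta@32473 iut="3"] accept src=10.0.0.5 dst=10.0.0.9'),
    ("10.0.0.3", "this is not syslog"),
    ("10.0.0.1", "<34>1 2023-05-01T10:00:03Z ws12 sshd 1234 ID47 - Accepted publickey for root from 10.0.0.2"),
]


def run_demo() -> Tuple[SourceRegistry, List[Event]]:
    reg = SourceRegistry()
    reg.accept("10.0.0.1")                  # the firewall was accepted during onboarding
    events = []
    for ip, line in SAMPLE:
        ev = reg.ingest(ip, line)
        if ev is not None:
            events.append(ev)
    events += reg.accept("10.0.0.2")        # operator accepts ws12; its queued line is replayed
    return reg, events


if __name__ == "__main__":
    registry, evs = run_demo()
    for ev in evs:
        print(f"{ev.sender_ip} {ev.hostname} {ev.facility}.{ev.severity} {ev.app}: {ev.msg}")
    print("alerts:", *registry.alerts, sep="\n  ")
```

The last sample line is the interesting one: it arrives from the firewall's IP but claims to be ws12. A registry keyed on the message hostname would have filed it under the workstation; keying on the sender IP keeps it with the firewall and raises an alert instead.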
      Senior Security Analyst at a leisure / travel company with 10,001+ employees
      Real User
      Enabled us to build alarms that allow us to react to issues quickly

      What is our primary use case?

      Our primary use case is incident response and alerting. In terms of performance, it's pretty awesome.

      How has it helped my organization?

      It has saved us a lot of time. We've built some pretty cool custom alarms to alert us on stuff that we know is bad so we can respond to issues pretty quickly.

      What is most valuable?

      The AI Engine is the most valuable feature.

      What do I think about the stability of the solution?

      We've had no issues with it regarding stability. It's been pretty rock solid.

      What do I think about the scalability of the solution?

      Scalability has been a little tougher for us. We're definitely looking to scale up. We've got a few log sources that we don't have in there that we need to get in there, but it's going to take a little additional effort.

How are customer service and technical support?

      Technical support is fantastic.

      What other advice do I have?

      It's been pretty great. For us, the use case is all about generating actionable alerts and alarms and seeing how much we can reduce manual operations, so that's what I would compare: time saved.

      We don't use the full-spectrum analytics capabilities. In terms of playbooks, we're still on 7.26 so we don't have the playbooks yet, but we're upgrading as a high priority right now. For deployment and maintenance of the solution, we use two staff members.

      In terms of log sources, we have a couple of thousand and our MPS is 3,800.

      When selecting a vendor, what's important for us is support. Support is huge.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      IT Security Administrator at a energy/utilities company with 1,001-5,000 employees
      Real User
      We integrated Azure logs with it, allowing us to compare that with our Windows and host logs
      Pros and Cons
      • "We integrated Azure logs with it and that makes it simpler. Rather than having to log into the portal, we can just check everything in one place. We can compare those to our Windows and host logs to see if any problems correlate between them."
      • "We've tried to work with a couple of engineering department guys there. We've called them and called them but we never hear anything back."

      What is our primary use case?

We've been working with LogRhythm for a few weeks. We had Splunk and we're replacing it with LogRhythm.

      It's a general SIEM system for us, gathering the logs into one area.

      How has it helped my organization?

      We integrated Azure logs with it and that makes it simpler. Rather than having to log into the portal, we can just check everything in one place. We can compare those to our Windows and host logs to see if any problems correlate between them.

      It just makes it simpler for analysts to find everything in one place. We don't have to give everyone access to ten different things, it's just one area where we can see everything.

      What is most valuable?

      We like the alerting features. They seem a little more hands-on and easier to set up.

      For how long have I used the solution?

      Less than one year.

      What do I think about the stability of the solution?

      It seems like a stable product. We haven't had any downtime yet. All the network monitoring seems to be going smoothly.

      What do I think about the scalability of the solution?

      We have about 20,000 logs per second as our ceiling and we're at about 6,000 to 8,000 now, so we're okay. It looks like it's going to meet our needs for many years.

      How are customer service and technical support?

      They're hard to get a hold of. We've tried to work with a couple of engineering department guys there. We've called them and called them but we never hear anything back.

      Which solution did I use previously and why did I switch?

      We moved away from Splunk because we were not happy with it. Workstation monitoring seemed a little more complex than it is with LogRhythm. It's much simpler to search for issues and get alerts through it.

      What's my experience with pricing, setup cost, and licensing?

      The setup was pretty straightforward. They sent us the appliance, we tailored it to our needs, made sure our network met everything it was looking for. We worked with their support a little bit on what they recommend for setting everything up.

      We had a kick-off meeting before they sent the appliance to us and they handed all the documentation to us. That aspect's good. But working with the engineering support has lacked.

      Which other solutions did I evaluate?

      We looked at AlienVault, that was one we demo'ed. LogRhythm does seem better.

      What other advice do I have?

      I'm not sure that we're hands-on yet with the full-spectrum analytics capabilities and we don't use any of the built-in playbooks. We have plans to use them in the future. We want to integrate everything into it and make it more automated.

We're at about 6,000 logs per second. In terms of a measurable decrease in the mean time to detect and respond to threats, we haven't gotten there yet. We are still implementing, still learning. We have to get all our logs correlated.

      So far we're pretty happy with the overall functionality of the system. It's going to meet everything we're looking for.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Security Engineer at U.S. Acute Care Solutions
      Real User
      We can now pick up what is anomalous in our network
      Pros and Cons
      • "Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job."
      • "I would like to see APIs well-documented and public facing, so we can get to them all."

      What is our primary use case?

      Primary use case for the SIEM would be for log collection and threat identification.

      We're still in the beginning stages of our security solution, as far as maturity. Two years ago, this security program didn't exist. 

      How has it helped my organization?

      Its benefits are broad. The solution isn't necessarily made to do any one thing, but it can do anything you tell it to. It is able to tackle any different type or size of job.

      What is most valuable?

      The analytics that it does.

      Full-spectrum analytics capabilities, which we use for:

      • User behavior.
      • Watching and monitoring for login events or any anomalies. 
      • Going through and watching trends. 
      • Knowing what activities endpoints are doing, where they're going, what websites they visit, then making sure that they're in the normal or making sure they pick up on any outliers.

      What needs improvement?

      I would like to see APIs well-documented and public facing, so we can get to them all.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      When it comes to a single version, it is rock solid. We haven't had any major bugs or flaws that haven't been involved with upgrading or going to another version. As long as you're on the same version, it is rock solid.

      What do I think about the scalability of the solution?

It works. The biggest thing with scalability is looking at how much data you have to ingest, so if you have to build the DX to be a specific size then you have to plan out how big it's going to be. Therefore, it doesn't necessarily scale easily, but you can add additional data indexers at any point.

How are customer service and technical support?

      The technical support is very good. They are in the top two to three companies that we work with.

      How was the initial setup?

It's very complex. As with anything, it takes time to get it working and know all the different nomenclature with it.

      I do the deployment and maintenance of the solution myself.

      What was our ROI?

      I have seen a measurable decrease in the mean time to detect and respond to threats. We went from not detecting them to detecting them. We can actually pick up what is anomalous in our network now.

      The solution has provided us with consistency and increased staff productivity through orchestrated automated work flows by at least 20 percent. 

      Which other solutions did I evaluate?

Our top choices were LogRhythm and Splunk.

      Splunk is a data lake that doesn't necessarily do any analytics. Whereas, with this solution, we're looking at all the analytics. We can quantify data, we can drop data, and we can do what we need to, plus the pricing model is better.

      What other advice do I have?

Know what you want it to do. If you buy a SIEM because it's called a SIEM or someone says it's a SIEM, you're gonna end up with what someone else believes they need. Figure out what you need beforehand and make sure that those bullet points are covered because there are a lot of options.

      We're currently using the built-in manual playbooks. So far, the features are very good. They are growing. I am looking forward to seeing how they expand upon it.

      The automation is coming. The API access and everything else we're looking for to be able to deeply automate a lot of common tasks is still being built-in. Right now, we can do automation on simple tasks. E.g., if it sees something bad, it can take it off the network and put it in our remediation subnet. However, it does not have the capability for complex investigative actions yet.

      Right now, we have about 3000 log sources and 3000 messages per second.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
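The reviewer above uses the analytics to baseline user logins and the websites endpoints visit, then picks out outliers. The block below is an added example of that idea, not LogRhythm's analytics and not the reviewer's code. It generalises slightly beyond the text: one baseline structure is learned from a window of constructed log lines and then applied to two different pairs, host-to-destination-domain for proxy traffic and user-to-source-IP for logons. A pair is flagged only when it is new for that entity and also rare across the whole population, so a workstation visiting a site the rest of the company already uses stays quiet. Field names, hosts, users, domains and addresses are all made up.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Pull key=value tokens out of a constructed log line."""
    return dict(KV_RE.findall(line))


class Baseline:
    """Which values each entity has produced, and how many entities share each value."""

    def __init__(self) -> None:
        self.seen: Dict[str, Set[str]] = defaultdict(set)        # entity -> values
        self.prevalence: Dict[str, Set[str]] = defaultdict(set)  # value -> entities

    def learn(self, entity: str, value: str) -> None:
        self.seen[entity].add(value)
        self.prevalence[value].add(entity)

    def score(self, entity: str, value: str) -> Tuple[bool, int]:
        """(is this value new for the entity?, how many entities showed it in the baseline)."""
        new_for_entity = value not in self.seen.get(entity, set())
        return new_for_entity, len(self.prevalence.get(value, set()))


def build_baseline(lines: List[str], entity_key: str, value_key: str) -> Baseline:
    """Learn from a window believed to be clean; lines missing either field are ignored."""
    b = Baseline()
    for kv in map(parse_kv, lines):
        if entity_key in kv and value_key in kv:
            b.learn(kv[entity_key], kv[value_key])
    return b


def detect(lines: List[str], baseline: Baseline, entity_key: str, value_key: str,
           rare_threshold: int = 1) -> List[Tuple[str, str, int]]:
    """Flag (entity, value, prevalence) when the pair is new for the entity AND the value
    was seen on at most rare_threshold entities in the baseline.

    Findings are deliberately not fed back into the baseline: learning from the same
    stream being scored would let an intruder's traffic become "normal" over time.
    Re-learn from a reviewed window instead.
    """
    findings = []
    for kv in map(parse_kv, lines):
        if entity_key not in kv or value_key not in kv:
            continue
        new, prevalence = baseline.score(kv[entity_key], kv[value_key])
        if new and prevalence <= rare_threshold:
            findings.append((kv[entity_key], kv[value_key], prevalence))
    return findings


# Constructed proxy lines: a learning window, then a day to score.
PROXY_BASELINE = [
    "2023-04-01T09:00:00Z proxy01 host=ws12 user=jdoe dst=cdn.good.example status=200",
    "2023-04-01T09:00:01Z proxy01 host=ws12 user=jdoe dst=mail.good.example status=200",
    "2023-04-01T09:00:02Z proxy01 host=ws13 user=asmith dst=cdn.good.example status=200",
    "2023-04-01T09:00:03Z proxy01 host=ws13 user=asmith dst=wiki.good.example status=200",
    "2023-04-01T09:00:04Z proxy01 host=ws14 user=bkim dst=cdn.good.example status=200",
    "2023-04-01T09:00:05Z proxy01 host=ws14 user=bkim dst=wiki.good.example status=200",
]
PROXY_TODAY = [
    "2023-05-01T10:00:00Z proxy01 host=ws12 user=jdoe dst=wiki.good.example status=200",
    "2023-05-01T10:00:01Z proxy01 host=ws12 user=jdoe dst=updates.evil.example status=200",
    "2023-05-01T10:00:02Z proxy01 host=ws13 user=asmith dst=cdn.good.example status=200",
]

# Constructed logon lines from a domain controller, same treatment.
AUTH_BASELINE = [
    "2023-04-01T08:00:00Z dc01 logon user=jdoe src=10.0.0.12 result=success",
    "2023-04-01T08:00:01Z dc01 logon user=asmith src=10.0.0.20 result=success",
    "2023-04-01T08:00:02Z dc01 logon user=svc_backup src=10.0.0.30 result=success",
]
AUTH_TODAY = [
    "2023-05-01T08:00:00Z dc01 logon user=jdoe src=10.0.0.12 result=success",
    "2023-05-01T08:00:01Z dc01 logon user=jdoe src=203.0.113.44 result=success",
    "2023-05-01T08:00:02Z dc01 logon user=asmith src=10.0.0.12 result=success",
]


def run_demo() -> Dict[str, List[Tuple[str, str, int]]]:
    proxy = build_baseline(PROXY_BASELINE, "host", "dst")
    auth = build_baseline(AUTH_BASELINE, "user", "src")
    return {
        "proxy": detect(PROXY_TODAY, proxy, "host", "dst"),
        "auth": detect(AUTH_TODAY, auth, "user", "src"),
    }


if __name__ == "__main__":
    for feed, findings in run_demo().items():
        for entity, value, prevalence in findings:
            print(f"{feed}: {entity} -> {value} (seen on {prevalence} entities in baseline)")
```

On the proxy feed, ws12 reaching wiki.good.example is new for that host but two other hosts already use it, so nothing fires; updates.evil.example, unseen anywhere, does. On the logon feed, jdoe from an outside address fires, and so does asmith logging on from jdoe's workstation, which is the kind of shared-workstation or lateral-movement hint worth a look. `rare_threshold` is the tuning knob: raise it for large populations, lower it to zero for "never seen at all".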
      Systems CSO at a manufacturing company with 1,001-5,000 employees
      Real User
      Case Management allows us to track what we see in the incidents that arise
      Pros and Cons
      • "The alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff. Also, from an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have."
      • "We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades."

      What is our primary use case?

      It's our central security monitoring platform. It's where we bring all of our events together so we can monitor our network.

      How has it helped my organization?

      It's helped us be more streamlined in our monitoring processes. We used to have multiple places where we'd have to do this work and now we have centralized all of it into one platform.

      Also, the alarm functions have helped us cut down on the manual work. They bubble things up to us instead of our having to go look for stuff.

In terms of our security program maturity, I think we're fairly mature. We definitely have some ways to go still, but we're continually improving. We've had a security program for some 15 years, so it's been around and had time to mature. LogRhythm has definitely been a part of that. For the operations and monitoring pieces, going from what we had before to it being the central component for us, it has really helped us become more mature in those areas.

      What is most valuable?

      From an operational perspective, day to day, the Case Management functions are really useful for us. They allow us to track what we see in the incidents that we have.

      We use the full-spectrum analytics capabilities. We have a number of rules that we've built, and built-in rules that we leverage as well. We've got a whole bunch of dashboards and the like to do the analytics. We definitely find the full-spectrum analytics to be valuable.

      What needs improvement?

Hearing the roadmap items, it's pretty good. I especially like the fact that the playbook is coming with the ability to integrate the SmartResponses into the playbooks. That way, we can not only have the playbooks take those steps, but start to automate those steps as well. I think that is really powerful.

      We played around with the CloudAI portion during the beta. We're not currently using it. But I think more in that area is going to be really important, where we can look at machine-based patterns, as opposed to just, "I saw two of these and three of these things, so set an alarm." I'm really excited about that.

      For how long have I used the solution?

      More than five years.

      What do I think about the stability of the solution?

      Generally, the stability has been good. We have run into problems with stability going through upgrade processes. Recently, we have been on the front edge of the upgrade path. When that happens we tend to run into issues either with certain functionality not working after the upgrades or stability issues because of the upgrades.

      What do I think about the scalability of the solution?

      It will definitely meet our needs going forward. We're not a huge shop, so we haven't had a whole lot of problems there.

      But going back to the upgrade issue, in a previous upgrade from 6 to 7, we ended up with some hardware problems, because of scalability, with the software change. The hardware that we had didn't meet the needs anymore. But we were able to get that resolved.

How are customer service and technical support?

      Technical support is not bad. The lower-level, first-line support is not always great, but if we can get to the right people, then it's pretty good.

      Which other solutions did I evaluate?

      At this point, it's a pretty core platform for us, so we haven't been looking around.

      What other advice do I have?

      We do not use any of the playbooks currently. We'd definitely like to. It's a feature that we're planning to implement pretty soon.

      Regarding our log sources, it's in the high hundreds, probably not in the thousands. When it comes to messages per second that we are processing, looking at the average, we're at about 1,000, but we peak somewhere north of 1,500.

      I rate the solution an eight out of ten. It's a great platform, but I don't want to give them too much confidence, there's always room to improve.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Senior Security Engineer at a healthcare company with 10,001+ employees
      Real User
      Deeper look into our applications helps us see configuration errors, enhancing security

      What is our primary use case?

      The primary use case is looking at our security as a whole, as an organization, trying to get all the logs collected, see how things can be integrated or what's happening through the different products. We also use it to see how people are trying to potentially circumvent security and what we can do to prevent people from doing that. Finally, we use it to get training out to end-users for certain things that they may be doing inaccurately.

      We don't currently use the full-spectrum analytics or the built-in playbooks.

      How has it helped my organization?

      The benefits are having a deeper look into some of the applications, what's happening within them and possibly seeing configuration errors, enhancing not only the security but the functionality of different applications.

      It has also provided us with increased staff productivity through orchestrated, automated workflows.

      What is most valuable?

      The most valuable features are the alarms, and some of the reporting features in the product are great. The web interface is awesome, it's very intuitive and gives a lot of great information.

      What do I think about the stability of the solution?

      So far the stability has been great. No issues whatsoever.

      What do I think about the scalability of the solution?

      We're actually going through an expansion at the beginning of next month and it seems to be fairly easy.

      How are customer service and technical support?

      We have used technical support in the past and it hasn't been an issue. They get back with us fairly quickly. Great people to talk to, very knowledgeable.

      Which solution did I use previously and why did I switch?

      We were using another product before, McAfee Nitro SIEM, and that product was just getting too hard to maintain. We had other people on the team and within the organization who had used LogRhythm in the past, so it came highly recommended. We checked into it, checked reviews on some of the different vendors, and LogRhythm is the one that came out on top.

      How was the initial setup?

      The initial setup was pretty straightforward.

      In terms of the deployment and maintenance of the solution, for us right now, it was very light staff for the setup. It was two or three people that racked and stacked the servers. Once that is done, you don't really need them anymore. For maintenance, we've got two or three people on staff who manage and maintain it.

      What other advice do I have?

      I'd highly recommend going with the product.

      Our security program is pretty much in its infancy. We're always looking to improve things. Just as IT, in general, constantly changes on a daily basis, LogRhythm is always evolving and coming out with different things, helping with innovation. It's been great.

      Right now we have roughly 70 to 80 different log sources. We have about 5,000 to 6,000 events per second, and we're looking at expanding that.

      I rate it at eight out of ten. It's up there, top-of-the-line, but just like with any other application or program, as you grow, there are going to be some small hiccups. They're very minor.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user545001 - PeerSpot reviewer
      Security Operations Center Manager at a financial services firm with 1,001-5,000 employees
      Real User
      We have seen a massive increase in the amount of data that we can collect
      Pros and Cons
      • "Its ability to work with all different sorts of log sources has been extremely valuable."
      • "We have seen a massive increase in the amount of data that we can collect, the type of things that we can see, the way we can look at logs, the way we can get alerts, and the way we can create our own custom rules, which has allowed us to customize the work in our environment."
      • "There are other security technologies outside of this SIEM that should be inside of this SIEM. I can see in their roadmap that they're trying to address a lot of these things, and have these technologies built into the solution, because there is no point in going to another vendor or opening up a second window to obtain the data that you need."

      What is our primary use case?

      We use it for all of our log correlations and event management. We try to do some external troubleshooting for other groups, like WebOps, but it's primarily our security and event manager.

      How has it helped my organization?

For the same price, we have been able to go from a SIEM that could only manage about 20 percent of our environment to a full 100 percent coverage of all the devices on our network. Thus, we have seen a massive increase in the amount of data that we can collect, the type of things that we can see, the way we can look at logs, the way we can get alerts, and the way we can create our own custom rules, which has allowed us to customize the work in our environment.

      What is most valuable?

We find the user interface and the ability to pivot in search from one particular item to the next item to be highly valuable. 

      Its ability to work with all different sorts of log sources has been extremely valuable. 

      What needs improvement?

      The reporting could be improved. 

      There are other security technologies outside of this SIEM that should be inside of this SIEM. I can see in their roadmap that they're trying to address a lot of these things, and have these technologies built into the solution, because there is no point in going to another vendor or opening up a second window to obtain the data that you need.

      For how long have I used the solution?

      One to three years.

      What do I think about the stability of the solution?

      It is stable. We haven't had any major problems. We had a slight hiccup when we went through our upgrade procedure, but it wasn't anything overly complex, and support was there to help us. Therefore, we had it back up and running very quickly.

      What do I think about the scalability of the solution?

It should meet our needs going forward. The way we have it designed right now, we should be able to bring in single boxes and multi boxes to increase storage capacity and performance whenever we need it. It's well-designed in that sense, allowing us to grow as needed.

      How are customer service and technical support?

Every experience I have had with them has been awesome. I have had no issues going to them. They are willing to get on the phone with you. They will get on Webex with you and control the system to see what's going on, getting their hands deep into it, then resolving the issue.

      In previous and other support departments, they will just email you some suggestions and then leave you to take care of it yourself. That is not really what LogRhythm is about.

      Which solution did I use previously and why did I switch?

      It is more intuitive than the previous solution (IBM QRadar) that we had in the environment.

      How was the initial setup?

      We definitely had to get some assistance, because we didn't have the expertise. Once we got the product in place, it's good at maintaining itself, along with the support. 

      If you're going anything more than the single box solution, I would not try to set it up by yourself. I would get the expertise to help you get it right.

      What's my experience with pricing, setup cost, and licensing?

      In comparison to the competition, they are more affordable. This allows us to do more with less.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      CISO at a religious institution with 501-1,000 employees
      Real User
      Daily alerts allow me to quickly find security and operational issues
      Pros and Cons
      • "The daily alerts allow me to quickly find security and operations issues which need to be addressed."
      • "More detail in the alerts given to avoid additional searches, as often the source or destination associated with the alert is not evidenced."

      What is our primary use case?

      The primary use case is an analysis of server logs with some deeper analysis done on searches. Reports help ensure various departments have daily notices of any activity that they should be reviewing.

      How has it helped my organization?

      • Alerts to account usage errors.
      • Reports of malware from the antivirus.
      • Reports application errors presented in logs.

      What is most valuable?

      Daily alerts: These allow me to quickly find security and operational issues which need to be addressed.

      What needs improvement?

      More detail in the alerts given to avoid additional searches, as often the source or destination associated with the alert is not evidenced.

      For how long have I used the solution?

      One to three years.
      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756381 - PeerSpot reviewer
      Manager Of Cyber Security at a healthcare company
      Video Review
      Vendor
      I'm able to see the actions and behaviors of the whole company, including remotely

      What is most valuable?

      The most valuable feature to me is certainly the CloudAI, which I have been a beta tester of, and also the SIEM capabilities and automation.

      I see CloudAI expanding greatly. It's obviously a new product for them. It will be able to give contextual evidence of people's behavior which, at the moment, whilst the SIEM does that, AI actually is that specification and concentration on people's behavior, which is a huge component in cybersecurity.

      How has it helped my organization?

      The benefits at an organizational level would certainly be that for my company, which is in healthcare, certainly a huge compliance, but also it gives me visibility of all the departments in my company, not just the IT department. I'm able to see the actions and behaviors of the whole company, not just on my campus, but remotely as well.

      What needs improvement?

      What still needs improvement is automation. The SmartResponse obviously does not use open APIs at the moment, so we're having a lot of problems connecting it with things like Palo Alto Traps and some other systems, things like Cisco. I know that it's on the roadmap, but at the moment that is where the weakness lies.

      For myself, I would like a HIPAA configuration out of the box where I can switch on various HIPAA rules. Obviously, HIPAA has 18 very exact identifiers and I'd like those to be already in the box ready to be switched on.

      What do I think about the stability of the solution?

My impression of stability is exceedingly good; I've not heard of any downtime. We have had to contact support a few times, but just to see how to do a few configuration settings.

      What do I think about the scalability of the solution?

      It's actually been scaling incredibly well. We have put more memory in the box and we've taken some of the Websense traffic and put it onto VMs. We can take more hardware and daisy-chain them up, so we know that when we do need to have physical hardware scalability, that feature is there.

      How are customer service and technical support?

      Exceptional. One of our tickets had to go all the way to level three, but it was exceptionally covered well and the resolution was incredibly timely.

      Which solution did I use previously and why did I switch?

      It was our very first log management solution. When I joined, we did not have a cybersecurity program. My employment was to build a cybersecurity program right from scratch, right from the start. Whilst I evaluated a couple of other programs, LogRhythm came to me, through the evaluation of those, to be the clear winner.

      The criteria certainly was scalability. Our company, within a year, has gone from $600 million of revenue to $1.3 billion. At that point, I knew that we had to have that scalability function.

      How was the initial setup?

      I've been very lucky that some of my staff have very high technical knowledge on configuration of LogRhythm. If I didn't have those staff available to me, I would certainly recommend the Co-Pilot, which is an option that LogRhythm provides. I think that gives you the confidence that you've not only bought a product but, at that point, how to configure it and use it.

      What other advice do I have?

      Very happy. Yes.

      As a guidance and recommendation, I would ask them, what is your level of comfort in configuring LogRhythm? If they say to me, "Not so much," I would say, "Well, then you have to budget not just for the product, but for the Co-Pilot solution as well." If, however, they say, "No, I'm very happy. I have the skills already in-house," then I would say obviously to buy the product with the Professional Service hours.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756336 - PeerSpot reviewer
Deputy CISO at Temple University
      Real User
      Consistent user experience; I was able to catch multiple pen-testers in this year's test

      What is most valuable?

      The thing that I find most valuable is that every interface is consistent. Whether you're looking at a dashboard, a drill-down, an alarm, a search, the interface is exactly the same. As you move through the experience of looking at some type of event, some type of incident, following up on a search, everything is consistent throughout the whole user experience.

      How has it helped my organization?

One piece of evidence we have that LogRhythm is being very successful for us is in this year's penetration test. I caught the pen-testers five times in the course of their duties. That was just great ammunition to show that this works.

      What needs improvement?

      The biggest thing that I think needs improvement is reporting in the Web Console. Most of our reporting is done in the thick client console. The only people that have access to that, really, are the people that work for me, the administrators of the system. So the end-users, the people whose logs we consume, we give them views to their logs but they aren't able to run reports. By moving reporting to the Web Console, that would enable all of the regular, non-administrative users to run reports as well.

      For how long have I used the solution?

      We've been using it for several years.

      What do I think about the stability of the solution?

      We just went through an upgrade just to increase our capacity, so we could bring in more log sources, and it's been a wonderful product for us.

      What do I think about the scalability of the solution?

      It scales great, which is one of the reasons why we went to it.

      How are customer service and technical support?

      Almost all the time things are handled in a proper way. We've had very good experience with technical support. On one or two occasions, a couple years ago, they were going through some growing pains because of their expansion. Our CRM, our Customer Manager, stepped in and helped us get through those hurdles.

      Which solution did I use previously and why did I switch?

      It's actually our second SIEM tool. Our first one was not scalable. We didn't really get to pick it, it was chosen for us. We got to a certain point and we just couldn't grow it anymore. 

      So we did a full RFP, a bake-off so to speak, and looked at everything that was really competitive on the market. Ended up with LogRhythm. Did our initial deployment, which lasted us for about two years. Because we did our basic measurements on a tapped-out SIEM - we didn't realize how much growth we would have once we uncapped the bottlenecks - we ran into some growth issues. We just doubled our capacity three months ago with no problems at all.

      How was the initial setup?

I always recommend training for everything, but that really is use, not setup. Setup is very easy. I do recommend people take advantage of the LogRhythm Professional Services. They make it very helpful; it's easy to get up and running in a day or two. Using Professional Services is my recommendation.

      What other advice do I have?

      In terms of the most important criteria when selecting a vendor, there isn't any single important criterion. I have a spreadsheet that I use that expresses value.

      • Price is one component of value 
      • Usability
      • Manageability
      • How many resources do I have to apply to it? 
      • Can I run it with one FTE? Do I need two FTEs? 
      • Also, its efficiency. Does it meet all of the use-cases that we're buying it for?

      The first thing you do is sit down and think about, "what are going to be my first steps?" This is the kind of thing you have to phase, really, to be successful. "What are my goals out of my first year?" Plan that out, and then plan where I'm going to go from there. Then sit down with somebody that's experienced like the LogRhythm Professional Services, or your SE, or other people you know that have used LogRhythm for a while, and review that plan and make sure that you've got some specific strategic benchmarks in place so that you can guide yourself through that growth.

      I would rate it a 10 out of 10. I am very happy.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Information Security Engineer at a financial services firm with 501-1,000 employees
      Video Review
      Real User
      Great having the data available; support walked us through everything we had to do

      How has it helped my organization?

We didn't have a main logging system, so it's really nice to have that now, and in place. We are collecting all our logs from all the servers and routers, and it's really helpful, and it's a great product to have.

      What is most valuable?

      Right now I really like the dashboard, and being able to view it easily, and to just have all the data right there available for me.

      What needs improvement?

      I think the dashboard could definitely have more features. I've seen some of their roadmaps that they're going towards. I really like it.

One of the features that I actually put in a request for was: they have the ability to build this great case and have it all ready, but you can't export it; right now, on my specific 7.2 product, you can't export it from there. So I can't have a nice PDF to give to a CEO, or give to legal, or wherever it needs to go to further their investigation. That's definitely a product that they're actually going to come out with really soon.

      What do I think about the stability of the solution?

The stability is pretty good. We haven't really had any problems with it. I think in our deployment we had about 25 monitoring agents. One of the agents did start acting kind of funky, so I just called up support. I said, "Hey, we can't get this agent to work properly." They helped us out right there that same day. We actually updated that specific agent, and it's been working ever since.

      What do I think about the scalability of the solution?

      We're a fairly new customer to the product so we haven't had to meet problems like that with it. But we do plan to scale it fairly soon, so we'll see.

      How are customer service and technical support?

      It's been pretty good. After the deployment, I really haven't had to call them. They have a pretty nice knowledge base, and their user guide pretty much explains everything you really need to get done. 

      There are some issues that I had with Forcepoint, and getting it to work properly with LogRhythm, but that was more on the Forcepoint side of the problem than LogRhythm.

      Which solution did I use previously and why did I switch?

      It was due to compliance that they decided to get a product.

      How was the initial setup?

      I actually was hired within the last five months. I showed up, and they said, "Hey, you're going to get to deploy this." I said, "Sounds great."

      Deployment was fairly easy. They gave us some prerequisites that they needed us to have ready for them, so we went ahead and got those all ready, went through change management, got everything approved. 

      They needed to have - if you want it to collect logs remotely - a service account created, you needed to have specific ports already open, to make sure that everything communicates properly.

      We went ahead and had everything set up. We got the support call because we got the DMX appliance. The day came, we got it all set up, it was fairly simple. The support agent walked us through everything we needed to do. He showed us tips, and tricks, and best practices for specific situations. He did training at the same time as we were deploying. It was a fairly simple, easy process.

      What other advice do I have?

      It's one of the top 10 SIEM solutions. What I really like about LogRhythm is that they're always innovating, new ideas. They're consistently trying to improve. I think that's really great about them. 

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Senior Security Analyst at a financial services firm with 501-1,000 employees
      Video Review
      Real User
      Give us the insight needed to understand when threats are recon or an attack

      What is most valuable?

      The breadth and harvesting of information the SIEM is capable of doing. I've been in this probably going on 30 years, and I've seen the growth. I found a resource that's outstanding in finding information and then the most important thing, distilling it, putting it together, which is a real big challenge in this field.

      How has it helped my organization?

      We're a financial service. As our title implies we deal in mortgages, which means we see a lot of personal information, credit reports, financial instruments. We're really concerned that we are able to monitor the movement of that kind of information and protect it.

      LogRhythm has been extremely efficient in helping us find the bad guys, who are really out there, they're targeting businesses like us. They specifically want the findings, the money. If you can get in the middle of a loan you may have to go after 10,000 people trying to find the data, but if you can get four houses at $400,000 or $500,000 apiece, you've just harvested $2,000,000.

      For us, LogRhythm has given us the kind of insight we need to understand when those threats either are being recon-ed, found out, or when they're really trying a brute force attack to get at us. It's excellent for that.

      What needs improvement?

      I really can't think of a particular one, I've been very satisfied with what's happening. 

      I know they're going to get another spike in customer base, hopefully they'll have the ability to ramp up people in support along with the customer ramp up. That's a hard game to play.

      I've been part of a number of beta tests, so when CloudAI came out - which is phenomenal: The ability for something to give you information in a SIEM environment, you're often gathering data, writing rules to monitor the data, so you can see what you think you should see. But they're doing inference engine work, where they're looking at what a threat implies, and then presenting it to you.

      In our field, false positives versus true positives are a big deal, but they've kind of taken it a step forward. I've come to call it - they may offer me information that I look at, that I didn't know about but I should know about - it's not a false positive because it didn't show a threat. It's a true insight because it showed me something that I wouldn't ever infer myself. 

      So features like that, the work that they're doing moving forward in that space, especially with machine learning. The sky's the limit in that, I'm looking forward to them doing it. 

      What do I think about the stability of the solution?

      I find it very mature, it's well designed. 

      I'm sure if you're speaking with other folks today here at the LogRhythm User conference, you'll find that they're talking about all the new product roll-outs. They think these things through. Since I've been in the industry for many years, I've often found people will roll out products very soon. Often before they're mature enough to be out in the field. LogRhythm doesn't have that problem. I've been very impressed with that.

      Except for the experience you often have when you do upgrades - and mostly it's the human, not the software - becoming accustomed to the new material, they've done a really great job.

      What do I think about the scalability of the solution?

      We tried to size what we purchased, as an appliance, properly. You never realize how much data you're gathering until, of course, you see how much you're gathering. You're thinking maybe 100 million records a month, and you find out it's 100 million records a day. But we've been able to deal with that, understand what we're using. 

They've also been very helpful about throwing away the stuff. There's a lot of information that computers generate, and not all of it is relevant. So we've been able, with it, to look at stuff and begin to filter out, in some cases, 20% to 40% of the content that isn't relevant at all.

      How are customer service and technical support?

      I've found through the past two years they've had a few bumps because they've become so popular - I was in customer support years ago, I understand it. When you get a quick rise in customers it's impossible to maintain a support staff at the same time that you're having a fast rise in people who've bought your product. But they've worked through it, they've been responsive to it. 

      I've been able to talk to the Director of Training, and the Director of Support on a couple of occasions, we've come to know each other, which is really valuable, especially in our business. Because he can look at me and say, "This is what we're doing." I appreciate the fact they're honest about the situation, they know me well enough now sometimes to be blunt, which is great. It's a good rapport, intelligent people, which is really essential.

      None of this is offshore, it's all inside the United States. When I used to do secret cleared work, it was always a requirement that it be carried on within the boundary of the US. I've sort of picked that up as a habit, and these guys are really good at it. It's here, occasionally I go up to Boulder and see them, but it's very satisfactory, very reliable. They get on top of my problems, we usually fix them inside 24 to 72 hours. 

      Which solution did I use previously and why did I switch?

      I had to do a proof of concept review two years ago when we were doing a rebid, and LogRhythm was the incumbent. I looked at some other companies. The thing that was essential for me was not only that you could gather data quickly and efficiently, but how you harvested it and how you maintained it. A lot of the other vendors had different ways of doing it, nothing I considered reliable and I was worried about the fact that, as their volume increased, the performance of their appliances would decrease.

      What I found with LogRhythm, especially since I picked up one of the newer XMs, is that it has the capability to handle the volume I'm looking at but also, if I want to separate certain parts off onto certain systems, to basically spread those elements out. That was a feature that became really critical for me. Without that I'd be stuck with the pressure of one box, if it fails it takes all my operation out. So I get both, strength and diversity, because I can use multiple systems, they have that flexibility, the others didn't show me that. 

      Those were some of the things that were important. 

      Also, being able to handle tens of millions, and hundreds of millions of records from a wide variety of resources. They have something called log source types. Log source types let you ingest data from Palo Alto firewall, Cisco firewalls, big F5s, all sorts of environments, draw the data in and make it relevant. 

The other environments - whenever I hear an engineering environment tell me, "It's just a simple matter of programming." It's not.

      When somebody says, "Here's the log source type, and this will do this with your data," and you draw in 10 million records from the firewall, and that afternoon you can make sense of it. That was another reason why.

      How was the initial setup?

      We've lived through three or four years of the product, so in the early time it was major upgrades, releases had a lot going on. But now things are almost completely seamless. 

LogRhythm uses both the central environment and then sensors that it spreads out. It used to be that you'd have to upgrade the central environment, then get all the sensors. As they've moved through things, I can now do one upgrade in one place and tell that central environment to upgrade everything else. It cuts down my time from being 12 or 13 hours for an entire operation to about three or four hours to bring the main environment up, 15 minutes to start up the upgrades. Then it's time for coffee, come back, and usually I'm done.

      What other advice do I have?

      Things that are important: the first time you get a SIEM in your hands you think it's great to gather everything. Then you find out within a couple of days, gathering hundreds of millions of records and trying to make heads and tails... 

      Begin slowly, focus on various systems, understand what they mean. 

      A lot of people go, show me the perimeters, show me the firewall, show me the network. Pull that data in and when you've got it then turn around, look at all of your Windows servers, your domains, those environments. 

      Moving slowly and classifying your data, so you can make the rules you design really specific. It helps you if you've got control on it, you can throttle volume, but also when you have anomalies pop up they don't pop up because you forgot something in a rule. They pop up because there really is something new.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user769674 - PeerSpot reviewer
      Sec And Risk Lead at Baker Tilly Virchow Krause, LLP
      Video Review
      Real User
      Easily percolates critical information to the dashboard for drill-down

      How has it helped my organization?

      It serves several different features. We can check the checkbox for HIPAA compliance, SEC-type stuff.

      But really, our biggest focus was actually on our clients. Because we're an accounting firm, a lot of our clients actually audit us, or they have large security questionnaires that we have to fill out. So having a SIEM product is one of those check boxes, and being able to say "yes" on security questionnaires; or one that clients come in and say, "We want proof that you're auditing your domain controllers, that you're auditing the security files servers, you know who touched our files, how they read them, deleted them, modified them." 

      Being able to pull all that information up before the auditors, it's great. Very critical.

      What is most valuable?

      We're fairly new to LogRhythm. One of the things that we really liked in the deployment PoC phase was the dashboard. How easily it percolated critical information up onto a screen that we could immediately review, and drill-down to look at the raw logs. That was one of the key features that we liked in the PoC. Still today, that is by far one of the best features.

      What needs improvement?

      Probably the biggest improvement and I've talked to several of the management here at the LogRhythm User conference on it, is their thin piece, which is their file integrity monitor, that we use on some of our security servers. The data sets are extremely large, tons of files are being modified, deleted, created. That product could use some more enhancing.

      We've been working with them to enhance that product for future releases. It's been a good experience. 

      Any issues that we've had, they've actually fixed the majority of the issues that we had with the initial product, by even giving us customized installation packages to adapt to our environment.

      What do I think about the stability of the solution?

      It's been real good. We've done several upgrades since then. Each time, if there has been an issue, we've just opened up a ticket with support and literally, it's hours to minutes sometimes - depending on time you open up the ticket. There's a response and then engineers calling you, and helping you out through some of those issues. It's been good.

      What do I think about the scalability of the solution?

      We haven't scaled because, like I said, we're still the first-year phase. Now, when we purchased the product, we did purchase it to scale it out a little bit over time. We overbuilt it just a little bit so that we could keep adding log sources to it. But so far, we've been right on the money, as far as the initial build of it. 

      Which solution did I use previously and why did I switch?

      We had come from two other SIEM products that were going end-of-life. The original one was the Cisco Security Manager, and then the latest one was RSA enVision. Because that was going to end-of-life, we needed to find a replacement product.

      The big thing was the PoC was a great tool to get a great overview of what the product was going to be like. We also worked with an SE that helped deploy the product. Then we also were able to talk to support. So we got a good feeling to how the product was going to operate, not only from our operational standpoint, but also from a support standpoint, and also from help from our local support engineer.

      We just had a great experience all round, and when comparing feature sets, the web interface to the alarm drill downs, the AI Engine drill downs, to the network monitor product, it was definitely on the top of the list.

      The other big thing that we really liked about LogRhythm - we had a unique requirement - was that we had to have appliances, we didn't want virtual devices. Just from the security side of things, we wanted to be able to manage those devices ourselves, rather than having our infrastructure group manage those. LogRhythm also provided us the appliance base versus Splunk which is all virtual base.

      How was the initial setup?

      We actually used LogRhythm's Professional Services group to help us get the product up and running. It went real smooth. Matter of fact, the amount of time that we allocated the Professional Services, we were short of that. It just went real well. 

      Our group caught on to the product very quickly, which was another great benefit. We were able to do a lot of the work ourselves, versus relying on Professional Services to do it, just because we caught on much quicker than we had thought initially.

      Which other solutions did I evaluate?

      Our SIEM solutions list included several different vendors from Splunk to LogRhythm to RSA, their new product. We ended up choosing LogRhythm.

      What other advice do I have?

      Just from the simplicity standpoint, it's met all of our expectations now. Like I said, you always have that little thing here and there that you still have to tweak, but other than that, we've really liked the product. 

      The biggest thing in this product is not everybody on our security team is well versed in SIEM or analytics, but we found that LogRhythm - the Web Console UI - really simplified, especially with the metadata parsing out. It allowed those people to read those type of events much quicker, because it was right there, and it was pretty easily translated. So "user" is username, "host" is the host, and so it's very easy. You're not having to dig through this big long raw log file to actually figure it out. Then if it needs to go there, it goes to an advanced person.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user769680 - PeerSpot reviewer
      Sec Eng at a financial services firm
      Video Review
      Vendor
      I don't have to log in to six or seven different appliances and hunt for data

      What is most valuable?

      What I found most helpful out of it is the ability to see all of the same data, that I would get from my appliances, in one place. I don't have to log in to six or seven different appliances and hunt for that kind of information. I can just do some queries within LogRhythm and it tells me the same information.

      What needs improvement?

      One of the things I find that would be helpful is the GLPR information, to be able to understand what is actually being processed. I've got, say, 20 different rules, but I don't know which one is getting more of the data, which is getting none of the data, because there's not really a good interface for that.

      What do I think about the stability of the solution?

      The stability, it's pretty high, there were some early issues, we were overrunning it with data, and part of it was a sizing issue. Once we got through that it's been running a lot better and it's been more stable. We haven't had to worry about it falling over on itself.

      What do I think about the scalability of the solution?

      At this point we're still using a single XM appliance. The scaling that we've had is really just upgrading from an older-series to a newer-series XM appliance.

How are customer service and technical support?

      There were a lot of support calls we went through, and they would tweak and change a few settings here and there. Then eventually, what we did was we upgraded to different hardware because there wasn't anything else we could remove. We had to continue to keep getting those same logs.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
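Two of the reviews above touch on the same mechanism from different sides: the Baker Tilly reviewer values raw logs being parsed into named metadata fields ("user" is the username, "host" is the host) so junior analysts can read events without digging through raw text, and the reviewer directly above wants to know which of his processing rules are actually matching data and which get none. The block below is an added example written for this page; it is not LogRhythm code and does not reproduce LogRhythm's rule syntax. It applies an ordered, first-match-wins rule list to a handful of constructed log lines (four source types, all invented), extracts common fields, drops one class of noise the way the mortgage-company reviewer describes filtering irrelevant volume, and reports per-rule hit counts so a shadowed or dead rule is visible. The rule names, regexes and sample lines are all assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample lines (not from any real deployment) covering four log source types:
# Windows security auditing, a Palo Alto-style traffic log, sshd, and a Cisco interface message.
SAMPLE_LOGS = [
    "Jan 10 08:01:02 dc01 Microsoft-Windows-Security-Auditing: EventID=4624 Account Name: jdoe Workstation Name: WS-117 Source Network Address: 10.1.5.23",
    "Jan 10 08:01:05 pa-fw-1 1,2024/01/10 08:01:05,TRAFFIC,allow,src=10.1.5.23,dst=203.0.113.7,sport=51514,dport=443,app=ssl",
    "Jan 10 08:01:07 bastion sshd[2231]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2",
    "Jan 10 08:01:08 dc01 Microsoft-Windows-Security-Auditing: EventID=4625 Account Name: svc_backup Workstation Name: WS-200 Source Network Address: 10.1.9.4",
    "Jan 10 08:01:09 core-sw %LINEPROTO-5-UPDOWN: Line protocol on Interface Gi1/0/7, changed state to up",
    "Jan 10 08:01:10 pa-fw-1 1,2024/01/10 08:01:10,TRAFFIC,deny,src=10.1.9.4,dst=198.51.100.9,sport=40000,dport=22,app=ssh",
]

# Syslog header: timestamp followed by the originating host.
SYSLOG_HEADER = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<origin>\S+) ")

# Ordered processing rules, first match wins. Each entry is
# (rule name, pattern whose named groups become metadata fields, action).
# The names and patterns are invented for this example.
RULES = [
    # Link-state chatter is dropped before it costs any indexing or licence volume.
    ("drop_link_state_noise", re.compile(r"%LINEPROTO-5-UPDOWN"), "drop"),
    ("windows_logon", re.compile(
        r"EventID=(?P<event_id>462[45]) Account Name: (?P<user>\S+) "
        r"Workstation Name: (?P<host>\S+) Source Network Address: (?P<src>[\d.]+)"), "parse"),
    ("pan_traffic", re.compile(
        r"TRAFFIC,(?P<action>allow|deny),src=(?P<src>[\d.]+),dst=(?P<dst>[\d.]+),"
        r"sport=\d+,dport=(?P<dport>\d+)"), "parse"),
    ("sshd_auth_failure", re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port"), "parse"),
    # Shadowed by the drop rule above, so it can never fire; the hit-count report exposes that.
    ("cisco_interface_state", re.compile(r"changed state to (?P<state>up|down)"), "parse"),
]


def classify(rule_name, fields):
    """Map a matched rule plus its fields onto a common classification shared across sources."""
    if rule_name == "windows_logon":
        return "Logon Success" if fields["event_id"] == "4624" else "Logon Failure"
    if rule_name == "sshd_auth_failure":
        return "Logon Failure"
    if rule_name == "pan_traffic":
        return "Network Allow" if fields["action"] == "allow" else "Network Deny"
    return "Other"


def normalize(line):
    """Apply the ordered rule list to one raw line.

    Returns (rule_name, event); event is None when the line was dropped or matched nothing.
    """
    header = SYSLOG_HEADER.match(line)
    origin = header.group("origin") if header else None
    for name, pattern, action in RULES:
        match = pattern.search(line)
        if not match:
            continue
        if action == "drop":
            return name, None
        fields = match.groupdict()
        event = {"origin": origin, "classification": classify(name, fields), "raw": line}
        event.update(fields)
        event.setdefault("host", origin)  # "host" falls back to the syslog origin when the body has none
        return name, event
    return "unmatched", None


def process(lines):
    """Normalize every line, keeping parsed events and a per-rule hit counter."""
    events, stats = [], Counter()
    for line in lines:
        name, event = normalize(line)
        stats[name] += 1
        if event is not None:
            events.append(event)
    return events, stats


def rule_report(stats):
    """Every rule with its hit count, zero included, plus the unmatched count."""
    report = {name: stats.get(name, 0) for name, _, _ in RULES}
    report["unmatched"] = stats.get("unmatched", 0)
    return report


if __name__ == "__main__":
    events, stats = process(SAMPLE_LOGS)
    for ev in events:
        print(f'{ev["classification"]:15} user={ev.get("user", "-"):12} host={ev["host"]:10} src={ev.get("src", "-")}')
    print(rule_report(stats))
```

The zero next to `cisco_interface_state` in the report is the point: a rule can be syntactically fine and still never see data because an earlier rule consumes the line first, and only per-rule counters make that visible.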
      it_user576042 - PeerSpot reviewer
      Senior IT Security Analyst at a retailer with 1,001-5,000 employees
      Vendor
      AI Engine rule set significantly changes how we notify users about our network

      How has it helped my organization?

      More of the AIE drill-down notifications. I don't have to customize a lot of stuff. I'm more of an advocate for LogRhythm dashboards for my company, to make sure that other teams utilize what I'm bringing into LogRhythm. Use it for their operations, use it for their alarms and so on.

      What is most valuable?

      For my situation, besides the investigation that LogRhythm offers, it's the AI Engine rule set that it offers. It has brought us more significant changes in how we alarm and notify our users about what's going on in our network. It's not just one specific log, it's the correlation of multiple logs on different log sources.

      What needs improvement?

      More features that I would like to see more development in are the automation and the smart response. A lot of the attendees here at the LogRhythm User conference are working towards that, and most of us are not even developers. But we're trying to figure what are the skill sets and how do we make sure that LogRhythm gets more intuitive in automating and responding to alarms and notifications that we get.

      What do I think about the stability of the solution?

      The stability is pretty much straightforward. I know the product has grown very big and it has tried to cover a lot more features, it has brought more features, and I was surprised that I've seen a lot more features coming out in version 7.3.

      What do I think about the scalability of the solution?

      I'm at that point where we're investigating getting a new box, looking at other options. I'm at that point that my box has reached its maturity and I need to replace it, probably next year. We're in the process of working that out with our sales engineer.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      it_user769683 - PeerSpot reviewer
      Cyber Security Operations Manager at Old National Bancorp
      Video Review
      Vendor
      We've got so many sources in it, we can easily investigate the logs on any system we have

      What is most valuable?

      Probably the investigation part, being able to investigate any log. We've got so many sources that go in there that, at any given time, we can easily look up the logs on just about any system that we have.

      What needs improvement?

What I'm looking for was actually in a session, here at the LogRhythm User conference, about the PIE phishing analytics. That was really interesting because right now we've got a guy that walks through that process attempting to see if the email came in, who got it, and whether or not it was exploited. That's all manual at this point.

      I think they're limited now with this to Office 365. We've got on-prem Exchange and it would be interesting to act like they're going to evolve that into that, to have that ability to look at that information a lot quicker.

      For how long have I used the solution?

      We've had it for about nine years, going on 10 years. 

      What do I think about the stability of the solution?

It's definitely evolved. It's gotten to the point where you can scale it well. We recently got the AI Engine running and realized that we need to spin off the Web Console and the AI Engine to a separate box, and off the platform manager. Then we can easily add a data processor or a data indexer to expand our processing power too.

      Which solution did I use previously and why did I switch?

      We had some other vendors at the time, but LogRhythm beat them out. We had RSA, I don't remember what the name of their product was, and LogLogic.

      What other advice do I have?

It's just amazing that you can get the information, especially the AIE information, where it correlates different logs together. It's just incredible. It's something that, in the old days, you had to use grep and go to multiple servers for, versus now you just tap in and drill down and, bam, you've got all the logs that you need. It's just amazing, the process.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      Information Security Officer at First Mid-Illinois Bank And Trust
      Video Review
      Real User
      Enables our IT staff to be more proactive, fix problems, instead of waiting for end user calls

      How has it helped my organization?

      Not just for security but from an operational standpoint as well. Perhaps an end user would call with a particular problem - "I can't print in this" - and, during the investigation of that, we could find perhaps there was a log message that was generated, an error from that application. Then we could create a rule, quickly and say, "Any time that you see that log generate an alert..." 

      It enables our IT staff to be a lot more proactive, to fix problems, instead of having to wait for the end user to call and say something is not working.

      What is most valuable?

The scalability. We had a huge problem with that before. Now, we can quickly search through all of our logs. If we have an issue where, perhaps, there's something suspicious from a particular host, we can quickly go through there and search all the logs for anything that had to do with that host for a specific time frame, and anything coming to or from that host, or if it's a user, or whatever it is. It's really been helpful for investigations.

      What needs improvement?

      It's not necessarily bad against LogRhythm, but I think an area that always can be improved is the parsing rules. The more information that we can get out of the logs, as far as specific metadata in the logs, whether it's an IP address, or something like that. Sometimes, LogRhythm will parse the rule but perhaps it won't get every little detail out of the rule.

      Any advancement in those, could be very helpful to be able to correlate those logs against other items. Especially for items that are a little less - "mainstream" may not be the right word - that are not necessarily a top-tier vendor. Perhaps, instead of Cisco, it's a different firewall vendor. Those sorts of things, that sometimes we run into an issue where the log parsing is suboptimal. It could be a little bit better, could be some improvements there.

      What do I think about the scalability of the solution?

      We have about 550 users and 150 servers or so, and I think we're feeding in approximately 800 logs per second on average, into LogRhythm. We haven't had any problems with scalability. It chews through the logs, and our searches are pretty quick, they're very responsive.

      How are customer service and technical support?

Fortunately, we haven't had to deal with them a lot, but when we have, we've had really good luck with them. They have always been very knowledgeable, quick to solve our problems, very responsive. They'll follow up if there is a delay, perhaps because they're still researching the solution. They're always quick to reply back and say, "Hey, I haven't forgotten about you, it's still with the developers." Fortunately, we haven't had many issues with the product.

      Which solution did I use previously and why did I switch?

      We were using a different SIEM tool before. It's probably not really fair to call it a SIEM. It just really wasn't quite robust, it was more of a log collection tool. The system worked fine, we could create some basic events from a single log: "You see this log, fire an alarm off of it," or something like that; not really correlation per se. 

      We had issues with scalability with it. We could stand it up for about a month, and then after about a month, as the database started getting full, then trying to do searches and things like that, it was too slow. So you would have to clear out the database, start again, and again it would work for about a month.

      Which other solutions did I evaluate?

Yes, we did. Unfortunately, I don't recall exactly which other ones we looked at, but we had a number of different demos with other vendors and, obviously, chose LogRhythm.

      What other advice do I have?

      We are really happy with the product. We've been a customer for a number of years now and really haven't had any issues. It's done just about everything we ask it to do.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      it_user769689 - PeerSpot reviewer
      Technical Systems Analyst
      Video Review
      Vendor
      At setup we turned on 14 AI rules and have found them to be really advantageous for us

      What is most valuable?

      I would say to us, the thing that matters most is the automation of the AI rules that are being sent to our emails to let us know what's happening within our network and within our environment.

      When we set it up, we went through and probably turned on about 14 AI rules that we found to be really advantageous to us, and have tuned those over the past couple years. It's just worked out really well for us.

      How has it helped my organization?

      PCI compliance was our main driver for purchasing LogRhythm, but it turns out there was just a ton of other information that really came from having that appliance, other than just being PCI compliant and checking that box for us. 

      Like I said, it was just more insight into our own network, our own users, our own flow of traffic, helping to alleviate a lot of that burden from our system admins by automating some of those alerts. So, all in all, it's just been a great fit for us.

      What needs improvement?

      I'm really excited about the CloudAI stuff. One thing I've asked, and I don't know if it's in the works or not, is for a better way to test our AI rules, to make sure they're working correctly, instead of having to manually go in to each one and doing an invalid login to see if the rule fires. Some better way to test all those rules that we have turned on and enabled would help.

      What do I think about the stability of the solution?

      Out of 10, I would give it an eight. We upgraded our firewall and that broke our parsing rules and it took a while to get that all fixed, but other than that it's been great.

      What do I think about the scalability of the solution?

      We haven't taken in a whole lot of logs since our initial setup, so we haven't scaled it, I'd say, to its potential yet. 

      We're on an upgrade path, we just got to 7.2.5 and we're on the beta program for 7.3 to get to CloudAI. Once we get that done, we plan on ingesting more logs, going to Office 365, pulling those down. So, we plan on really growing it.

How are customer service and technical support?

      Technical support has been great. I will be honest with you, I think that's one of the strengths of LogRhythm. Every time I've opened a ticket I've gotten a response back that day. They're great, they work through it. Even when we did our upgrade through Professional Services, she was great. She recorded the whole session so we could use that at our next upgrade. 

      I've just found them to be tremendous.

      How was the initial setup?

      For me, not having been in the security world, at least on the SIEM appliance side, it was a lot to take in at first. We had an onsite engineer come in, help us put it in play. We had a week's worth of training. All in all, it went pretty smoothly. 

      There were gaps in our knowledge, I think, but that's where we opened up customer service requests and they came through and helped us out. But for me, personally, I would say it went well. It was just "a lot," it was new to us, it was new to our organization, so it was just a lot of information, but as far as it goes, it was pretty smooth.

      What other advice do I have?

      We're really happy with it.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      it_user769665 - PeerSpot reviewer
      Chief Security Officer at Optomany
      Video Review
      Real User
      A single pane of glass for my analysts, gives us complete eyes and ears into our environment

      How has it helped my organization?

From my point of view, at an organizational level, we're able to get that insight into what users are doing, what our applications are doing, whether there is any untoward traffic coming in, whether the applications are misconfigured. It's also used, dare I say, to tick a compliance box.

      What is most valuable?

      The most valuable feature for me is that it's a single pane of glass for all of the analysts in my team. It gives us complete eyes and ears into what's going on within our environment. We run two separate installations. One is in our datacenter where we handle all of the sensitive data, and one is on the enterprise side, so it gives us a real good visualization of what's really going on.

      What needs improvement?

      In terms of the product, what really needs to improve are the metrics that you can get from it. We're all about mean time to detection, mean time to response, pulling those metrics out so I can put them into my KPI packs to present to the board. Everyone in a CISO role is having the same challenge. We've got multiple spreadsheets. Being able to leverage the SIEM to give us the information would be invaluable.

      The other area is Office 365. We're cloud-first as far as our enterprise goes, and what we lack at the moment is being able to pull that information into the SIEM. I understand that that's coming, so we're looking forward to that.

      What do I think about the stability of the solution?

      On the whole it's been fine. We've not had any issues with volume, with the system going down. There are a couple of tweaks that you get with older systems. Patching time is always interesting. When you want to do an upgrade, if you're going from a minor version it's fine. If you're going from a major, then it's always good to use the autopilot services.

      What do I think about the scalability of the solution?

      In a previous role of mine, we had an IT department that thought they could do everything, and virtualization was the way to go. That definitely didn't work. In the current organization, we found the two instances are very, very scalable. Being able to get additional licenses for agents works well, very easy to do.

      How are customer service and technical support?

      The feedback I get from the analysts in the team is the first-line support is your traditional first line support, they'll log a call. We often get the responses in a timely manner. If it needs to be escalated, we've got good contacts within the wider organization and it gets escalated from level-one to level-two, definitely don't have any issues there. 

      It's nice to see that the vendor listens. If something does go wrong, they're on the phone giving you the support that you need. Other vendors don't necessarily do that as quickly as LogRhythm.

      Which solution did I use previously and why did I switch?

      If we go back nine to 10 years, we had the advent of PCI. The standards council says you needed to use file integrity. The only real solution at the time was Tripwire. That's when I got introduced to Ross Brewer (Vice President and Managing Director of EMEA for LogRhythm). From that point, we knew this was the right solution. We wanted to gather the logs into a central place.

      How was the initial setup?

      In the various guises that I've had over the years, we've gone from multiple installations across 54 datacenters, globally, into our smaller setups. It's easy to install, it's pretty much, as they say, "out of the box," but it needs to be fed and watered on a daily basis. You do need a team to look after it, which I think is the same with any SIEM out there, but this is much easier to use. And because it's out of the box, you get the information you need within the first couple of hours.

      Which other solutions did I evaluate?

      With the new organization that I've been with for three and a half years, we spent seven months looking at other solutions out there; looking at Splunk, looking at ArcSight. We did a trial, we stood them up next to each other. Straight away it was fairly evident that the LogRhythm application itself, and the agent roll-out, was straight out of the box. Like I said, it needs feeding, watering every day, but in terms of being able to take the box, put it into your datacenter, get it up and running, they're definitely light years ahead of the competition.

      What other advice do I have?

      In terms of the criteria for selecting a vendor, it always comes down to cost.

      And usability. I like to make sure that my analysts are hands-on when we look at these tools. What's the interface like? How easy is it to use? What's the after-sales like? What's their tech support like? These are all things we need to look at. 

      Also, which operating systems do the agents run on? Can you integrate into all the hardware that you've got? What syslog feeds can it take? Can it take SNMP as well?

      If colleagues were looking to purchase a similar solution, the guidance that I'd give them is make sure that they draw out what they're looking to get from the solution. Make sure they have an inventory of hosts. Don't go all out, don't put everything on at once. As they said, don't try to boil the ocean at once. What are your critical hosts? Feed that information in first. Build case studies. What do you want to get from it, what are you looking for? And then work your way through it.

      What I've done in the past is I've asked them to come over to our office and take a look at our implementation. I'm happy to share that information with others. I'm able to give them some case studies on what we've found with the Windows operating systems and some of the other hardware out there.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      it_user756366 - PeerSpot reviewer
      Senior Network Systems Engineer at a non-profit
      Video Review
      Vendor
Ease of administration means we don't need an FTE just to admin the product

      How has it helped my organization?

We have a big issue with our users: they really like to click on links and attachments. The Phishing Intelligence Engine is a new feature they're releasing, which is really going to be a nice fit for us. Then there's the CloudAI stuff they built right into the SIEM. There's nothing else you've got to do other than upgrade it to the latest and greatest version. Those would be two really key opportunities for us to really take care of a security vector that we have issues with every day.

      What is most valuable?

My favorite feature of the product is the ease of administration. There's not a lot of overhead. We don't need an FTE dedicated just to admin the product. That was one of the biggest selling features for us.

      What do I think about the scalability of the solution?

      Have not scaled. Like I mentioned, it was a compliance check-box. We are running what they call an all-in-one, all the features are running all in one box. But you can also take each feature as you grow, and move those features off. For example, if the Web Console is slow, you can extract that out and run it on its own separate system. 

      There are Fortune 500 companies running it, so obviously it scales.

      How are customer service and technical support?

      We had one issue, self-inflicted wound. We were capturing too many active logs and not archiving them off. We went through a process where we did Professional Services with our VAR; missed that step, that we actually needed to use some archiving. About three months into it, we're saying, "We're out of space. Performance is terrible." 

      Quick call to support. Support's great. You have a service manager you talk to, and then they get you to the right team. There's no bouncing around. They do all the schedule coordination, everything like that. Can't say enough about support. We were back up and running within a couple of hours.

      Which solution did I use previously and why did I switch?

The SIEM was brought in, like a lot of SIEMs are brought in, to solve a compliance issue. To check a box. That's initially what it was brought in for. Now, I'm investigating where we're going to grow this tool, because apparently it's sitting in a state that's getting a little stale.

      At this LogRhythm User conference I'm looking to see what additional benefits it can provide. LogRhythm can do a lot. It's just a matter of making the right choices to gradually get yourself going down the path of developing it, because it can get overwhelming, like any SIEM. 

      But LogRhythm's got a nice online community to shape your decision making, like, "Here is where you should start." They've got actual tips and tricks every month that you can get on, really easy things to digest over lunch hour. You've got to dedicate the time.

      How was the initial setup?

The recommendation from the VAR was to actually have a Professional Services engagement. That was one week. Basically, that was just building out the SIEM, creating some basic rules, showing the lay of the land: where things are, where you go to administer, how you create a case. Really basic administration.

Then, what LogRhythm also built into that was a one-week training, which we did online, which was great. That just built on that first week of here's how it's built out, and then here's how to use it, here's how to administer it, here's how you use it for analyzing alarms in your environment.

      Which other solutions did I evaluate?

      We looked at IBM, and then we also looked at Splunk.

      FTE cost. We're a small shop. Infrastructure team is five people, not a dedicated security professional. Cost, being a small shop, ease of maintenance, and ease of use; top four. LogRhythm came in by far the cheapest, was easiest to maintain - this was the initial thought - that's proven out that it is. Then, actually easy to just get in there and look at the logs. It's really easy to use. From not having anybody with any real SIEM experience, to get us off the ground and running was incredible.

      What other advice do I have?

      From how we use it, I would rate it a 10 out of 10; not knowing exactly where we could go with it, I'd have to give it a nine, because I don't know if there are any challenges inside it. What we're doing is very limited. I would like to, as we continue to grow with the product, see if there are any ceilings on that.

      I would highly recommend taking a look at the FTE requirements. They're not all the same. That's huge, depending on the size of your staff, and budget constraints too. There are other SIEM software solutions that have a lot of add-ons that continue to add cost. You need to look at the big picture of what you want it to accomplish. Ours was pretty straightforward with compliance, we didn't have a lot of additional costs. I think those are the two big takeaways I could give somebody.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
Network Security at an energy/utilities company
      Video Review
      Real User
      Brings all my logs together to produce evidence in my compliance role for NERC

      What is most valuable?

      For me, one of the most valuable things about it is it helps me to produce evidence in my compliance role for NERC. It helps me to really bring all my logs together and easily translate that into evidence, to show I’m doing what I’m supposed to be doing.

      What needs improvement?

      In the canned reports, I would like to see, rather than a blank report come out, for it to say something like, "No logs found," or "No log sources available." I don’t like blank reports.

      For how long have I used the solution?

      I’ve only been using it a couple of months. I started in about March, 2017.

      What do I think about the stability of the solution?

      I think it’s wonderful. I use a high-availability version that fails over for me if needed. I’ve got one in one datacenter and one in another. It seems to function properly.

      What do I think about the scalability of the solution?

      I have not had any issues. Mine is a very small deployment.

How are customer service and technical support?

      The LogRhythm support system is phenomenal. I can’t give those guys enough praise. If I have a problem or a question even, they’re quick to answer or connect me with an engineer to resolve the problem. The support system is really the selling point of this product.

      How was the initial setup?

      My deployment is very new so we are still implementing it. There’s a little bit of work left to be done to get it to full capacity. I would say that it’s been relatively painless.

      What other advice do I have?

      I gave it an eight out of 10 because of the ease of use, and the support really deserves high marks.

      I would definitely tell colleagues to look into it. Again, the support that they provide, they’re there to hold your hand if you need it, or just give you guidance and let you go. They really do take care of their customers.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      it_user769692 - PeerSpot reviewer
Information Security Officer at an insurance company with 201-500 employees
      Video Review
      Vendor
      Delivers actionable intelligence to our security engineers but we need it to ingest more sources
      Pros and Cons
      • "LogRhythm has shown to us, to this point in time, that it has the capabilities of being able to deliver actionable intelligence to the security engineers and analysts."
      • "Right now there is the concern about being able to gather all of the data into the system."

      How has it helped my organization?

      We did a bake-off with several others when we brought in LogRhythm, 10 months ago. And a lot of it was around a cost perspective. Also, its capability of easily ingesting event data from many different types of platforms. 

      Some of the competitors require the use of agents that are deployed on those various end-points, or they'd be servers or otherwise, to ingest it. So this is a much quicker deployment. 

      And through their upgrade processes that we've seen, it makes it a much more streamlined process, rather than having to touch on multiple end-points.

      What is most valuable?

      Any SIEM, in and of itself, should be easy to ingest data, it should also be easy for the analyst to assess the different types of events that are coming through, be able to sift through false positives, and ensure that they are only acting on things that are truly actionable, that need to have attention. It's not one of those things that you want to have analysts spending a lot of time on, and then seeing false positives in the system. It just gets to a lack of trust within the system.

      LogRhythm has shown to us, to this point in time, that it has the capabilities of being able to deliver actionable intelligence to the security engineers and analysts.

      What needs improvement?

      The biggest thing that we need - in one of the presentations today here at the LogRhythm User conference they were talking about it - is automating your SOC and trying to get your systems to do as much as they can do without human intervention. Which is great. 

      I provided feedback afterwards to say, "We need to be able to ingest all data. And we need to be able to parse all data." What that means is, my Checkpoints that I have today, which is my unified-threat management system, I'm only able to ingest firewall logs and events from the blade. I own all the other blades from Checkpoint: IPS, Threat Emulation, threat detection, Data Loss Prevention. All of those blades have data that I need to be able to feed down into LogRhythm. From there, we also need to be able to truly parse the data. I've had to have a couple of custom collectors built specifically for SQL Server-type events, for database analysis, to ensure that the data that's being brought in, the events are parsed, we can be actionable on that.

      What do I think about the stability of the solution?

Stability has been, for the most part, quite good. We do have an HA (High Availability) configuration between two different datacenters.

      There have been a few challenges that we're working through. Mostly it's a Windows-based, all-in-one appliance that we have. We are in discussions with LogRhythm support right now in respect to HA breaking through automated patching. But we're encouraged that we're going to be able to get over that hurdle, and then we'll have a 100% up-time with it.

      How are customer service and technical support?

      As the Security Officer of the organization, I don't have to interact with them directly. My team has found that there are some very good engineers that they've been engaged with, and have been able to work with them throughout different issues. They've said a lot of good things about the support portals; better than some of the other technology products that we offer. 

      I know some of the other technologies that we use for our unified-threat management systems and the like, some of those portals are a little bit more cumbersome to actually put in support tickets. LogRhythm seems as if they want to really engage with you, so they don't make it overly cumbersome to put in a ticket.

      It's been fairly good interaction, with the capabilities that they offer to quickly get an engineer on the line.

      Which solution did I use previously and why did I switch?

      We were a QRadar shop for five years prior. To be honest, the product was great initially, when it was a Q1 Labs product. Things started to change a bit after IBM's acquisition of it. So we were looking to see if there were better alternatives. The top-two were LogRhythm and Splunk. 

      We did a several week SIEM solutions comparison between the two of them. Splunk is a great product in and of itself, but it was too massive for us, for our size of organization. As well, it looked like it would require a little bit too much of an analytical programming background for my engineers and analysts, which they don't have. So they were really most satisfied with the LogRhythm platform, its capabilities, the ease of use. And then, from my perspective, from the company's checkbook, the sustainability of it, the upfront cost, and the long-term ownership of it.

      How was the initial setup?

      I did oversee the implementation, and the initial setup that we did seemed to be fairly straightforward. My engineers were very happy with the simplified installation process. 

      Being an all-in-one appliance, that helps a lot in the initial setup. You rack it, you perform the updates, being a Windows box. And even some of the software upgrades that we've done since our initial purchase and installation, those have been fairly trivial as well.

      Which other solutions did I evaluate?

      A lot of the competitors, IBM specifically, there's these WinCollector and other types of agents that you have to install and push the event data to the SIEM. 

      LogRhythm is more of a collection using APIs to pull the data down, so it's much more efficient. And you don't have to get any of the other areas within infrastructure, or the application teams, to participate. You just go and point at the systems, assuming you have the correct level of authorization and credentials, and then the data is ingested naturally.

      What other advice do I have?

      The solution, one to 10 at this time, would probably be a strong seven. Right now there is the concern about being able to gather all of the data into the system. That's key. It's one of those things, pre-sales versus post-sales, what is said can be done, and then what actually is fruition. There is only so much you can do in a proof of value, or what they sometimes call proof of concepts - in those bake-offs - because you only have a limited amount of time with it to do that connectivity, and analyze. It really is that integration and some of the customization that we've had to do from parsing rules, not only for SQL Server, but also for ingesting NetFlow data from our Gigamons - which is the core of all of the network activity that happens within our environment.

With this or any technology, that pre-sales process is key. Really asking the intricate questions, trying to get them to talk in depth about the capabilities. Just saying, "We have integration with this technology or the other," is not sufficient. You really need to have a good understanding of the capabilities that you are looking for, what your systems are capable of, and what you need that integration to be. The last thing that you want is to get in there and say, "Well, it works. But it only works 30% with that." You want it to be 80% at a minimum or better.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user769662 - PeerSpot reviewer
      Operations Team Lead at Mary Kay Inc
      Facilitates visibility into our infrastructure, identifies things we can trigger on and alert

      How has it helped my organization?

      It's visibility. Frequently our network team - while our network security is paramount from a security perspective - our network team is really focused on keeping the network up. They're not concerned about intrusions, and potential malicious activity. They're making sure that users can get data from point A to point B successfully without any downtime. With LogRhythm, our SIEM solution offers more of a rounded perspective, especially from security, making sure they are not only operational, but they're operational in a security conscious manner. That's really helped. 

      I specifically keyed on the network, but it's really where we're able to add additional visibility across all groups, from a security perspective, that they might not be aware of. Usually a business owner is just focused on, "Is my application up, is it running? Yes." They're happy. We come in and bolt on security, and we're changing the mindset of our company one group at a time.

      What is most valuable?

      The most valuable feature is really providing us visibility into our infrastructure. Frequently, I'm reaching out to our partners in the business, and I'm asking them how I can assist them, and how I can improve their visibility from a security perspective. 

      Oftentimes, like many of the users I've met this week here at the LogRhythm User conference, we've encountered that the business owners are not familiar with their logs. Some of them haven't even really looked at them. But when I delve into the logs with them, and identify some things we can trigger on and alert on, and really help them improve the efficacy of their tool, it's really been a big benefit to have that visibility. Not only from the security perspective, but an operational perspective. It's really helped to build a relationship between us and the business.

      What needs improvement?

      There is, of course, always, improved automation. Because, as we are continually needing more and more people from an analyst perspective, the more we can automate, the fewer people we need. If we can automate some of the lower-level things, that can allow our SOC to be trained on the higher-level more technical things that really give the true value. I don't want my analyst to be stuck underneath sending emails, and "alert fatigue" is the buzz word. 

      But, on top of that, there has been a market that has grown from SIEM for security orchestration, where it's another tool you have to bolt on top of SIEM to make SIEM as effective as it should be from day one.

      I was in a session earlier today here at the LogRhythm User conference where they're mentioning that the web UI, and through the case management, they're actually getting an incident playbook that you can utilize. That's a big step that I'm intrigued by. Hopefully it goes the way that it's planned because that is one that saves me from having to go out and purchase a separate security orchestration tool, which is just another screen I need to look at.

      That feature is one that I'm very excited about, and hopefully it follows the roadmap according to what LogRhythm is projecting. That's definitely a feature that I and my managers have identified as a need. I was excited to hear about that at this conference. 

      That's probably the only feature request that would be of drastic improvement to our SOC.

      What do I think about the stability of the solution?

      We've been on LogRhythm since version 6. We've dealt with some bumps and bruises here and there. However, LogRhythm has clearly been dedicated to improving stability at every turn and every hotfix and every new agent release. It's gotten better and better.

      With 7.2.2 we went to High Availability mode. We were having some issues, our deployment is global, we're in multiple datacenters across the world. Having HA has really helped us because if our platform manager went down, we could just failover perfectly to our second one, and not get called at midnight. So that's been great.

      However, past 7.2.2, HA has almost become unnecessary because its stability has improved to such a level that HA is now just a bonus feature. It's a security blanket versus a necessity.

      What do I think about the scalability of the solution?

      Currently, we're running one AI Engine in our local datacenter where we're based out of, in Texas. We have two platform managers, like I mentioned; they're both in HA mode. We have a clustered DX cluster in that datacenter. We've got at least one data processor, if not multiple, in every other datacenter with its own corresponding indexer as well. 

      We treat them as many LogRhythm environments across all data centers that funnel up to our main one in Dallas.

      How are customer service and technical support?

      The Professional Services as well as the general support has been phenomenal. They're very attentive to our needs. When we submit a ticket we get a pretty quick response back. If they don't know the answer, they're either immediately going over to their buddies down the row, and seeing if they can get help and, if not, they escalate it as quickly as possible. 

      Any upgrade of an application this size, you're going to hit some snags and hurdles, but LogRhythm as a SIEM tool company, from a support perspective, has really allowed us to overcome those and we haven't really had any downtime as a result of upgrades.

      How was the initial setup?

      They go pretty well. Of course there are bumps and bruises, especially with LogRhythm being such a massive application. If it was to go 100% well, I would honestly think that it didn't go that well, and I just don't know about it.

      What other advice do I have?

      I don't think any application can truly be a 10 out of 10, especially one of LogRhythm's size; that would be very difficult to achieve. But an eight, in my mind, is perfect. That means there is room for improvement, there is room for me to work with the vendor, and talk back and forth about what my needs are specifically so they can work that into a feature request down the line.

      it_user769659 - PeerSpot reviewer
      Data Sec Program Manager at an insurance company
      Streamlines correlating logs from many sources; enables alarms / reporting from them
      Pros and Cons
      • "The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources."
      • "I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason."

      How has it helped my organization?

      The benefits we see are manifold; compliance, for one. We have to store logs. We're under SOX control, we're now under New York Department of Financial Services cyber regulations, we are under EU GDPR, and loads of regulations are coming out. To be able to store these logs and be able to access them if we need to, from an archive point of view, is very valuable.

      What is most valuable?

      The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources. Every different log has a different time stamp, it has a different user, things are in different places. But with LogRhythm you can take all of your logs from all the different sources and make them relevant to each other. 

      So if you're looking for a user that is doing something malicious or if you're looking for a computer that is maybe making some calls out to systems that you've never made before, you can correlate based on a user attribute or a computer attribute to say, "Go find me everything that that user is doing." Because of the correlation, you can then have alarms and reporting off of multiple log sources.

      What needs improvement?

      I'm not really sure I can pinpoint any particular area that I see LogRhythm needing improvement in. 

      I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason. So I think with CloudAI coming out, that's really good. But maybe having more of LogRhythm in the cloud. Educating people about how we get LogRhythm more into the Cloud.

      Part of the care and feeding of LogRhythm is staying on top of what's coming out in LogRhythm. I know that their community site has been improved and that they're wanting people to be more involved with the community. But I think making people aware of parts of LogRhythm that are new is very important. 

      What do I think about the stability of the solution?

      On the whole it's a stable product. Occasionally we do have issues with upgrades, but Professional Services and the support staff have been very helpful with fixing any of the challenges that we've had.

      What do I think about the scalability of the solution?

      For us, because we're a small company with not that many locations - we only have seven datacenters in seven offices - we haven't had any problems with scale. 

      We did purchase a company a few years ago and adding their log sources into LogRhythm did not pose a challenge. We always know that with the system that we purchased, there's a certain limitation of messages per second that we have to watch out for, and we've never gone over that. So for us there have been no issues with scale.

      How are customer service and technical support?

      Whenever we've had Professional Services on site to work through new alarms, to implement a new feature that we haven't used before, they're always very professional, they're always very responsive. They follow up on items that they said they would, which is always good. We're paying them to do a service, and that's always nice, that they perform their service.

      We have had challenges in the past with EU-based support - most of this is run out of Dublin and London - and those challenges were overcome by LogRhythm bringing their support back in-house. They were using a second-level team to perform the support. But once they fixed that, we get great support from LogRhythm. 

      When you open a ticket they acknowledge that a ticket has been put in, and then somebody will get back to us. We also have 24/7 support, so sometimes our ticket can move from the EU to the US, and we have people in the US that are able to take over the tickets. They seem to be very good at managing that. 

      Which solution did I use previously and why did I switch?

      We did not have a SIEM solution in place at all. I was told to go out and look for one, so I did, and LogRhythm definitely came out on top for what we needed it for.

      How was the initial setup?

      The main challenge with setting up LogRhythm is you cannot just put LogRhythm in and let it run. You have to put some care and feeding into it. You really have to work on it.

      LogRhythm gives you a lot of standard rules, but some of those, a lot of them, do need tweaking, and there are reasons for it. They can create a global rule that would work for maybe 20% of their customers, but everyone needs to go in and actually make changes. You have to have a staff on prem to be able to know your organization, know what your organization is looking for, and to be able to make those tweaks.

      So the challenge with setting up LogRhythm is you don't just flip it on, you work at it, you make sure that you're invested in it. You have to have a team. It doesn't necessarily have to be a huge team of people that are working on LogRhythm 24/7. I'm sure for some financial institutions, or some institutions, that has to happen. But you need to align resources internally to be able to know the product. 

      It's almost best if you have a first-line support for LogRhythm internally, because you can't always rely on somebody else to fix your problems. You really have to know your system. So taking the LogRhythm training - when we've had other people come on to our staff - I've done a lot of training, but we have had Professional Services come back and do more internal training. 

      What other advice do I have?

      In terms of criteria for choosing a vendor, when you go through an RFP process there are always weighted criteria. We went through that whole process and started out with eight vendors, got it down to two and then selected LogRhythm. For me it's relationship, I want to feel that the product that we're buying is going to be supported, and that we have almost a team behind us that is there. When we did purchase LogRhythm we felt that. We bought a lot of Professional Services time to help us implement. 

      It's not like the sales guy says, "Okay bye," and never talks to you again, and just takes in the money for the license renewal every year. They have customer boards, the sales engineers will talk to you and will bring things to the table. They'll come and do a health check. I don't feel like we just bought a product with LogRhythm, I felt that we bought a team.

      You have to allocate resources, and that's why I've recommended LogRhythm to a few friends and colleagues. To get the best out of LogRhythm you really have to put the time in.

      it_user769656 - PeerSpot reviewer
      Information Security Architect at a healthcare company with 1,001-5,000 employees
      We can constantly add logs into our system without any issues; find and fix problems fast

      What is most valuable?

      I believe the most valuable feature for us has been that we have all the logs together. We can query them, we can find all kinds of different situations that are going on in our network that we wouldn't have knowledge of without searching many different servers and logs.

      How has it helped my organization?

      Quicker ability to troubleshoot the problem, find the problem, get it fixed, and get the customers back up and using our system. 

      What needs improvement?

      I'm sure there are always areas, in stability and scaling, that need improvement. I don't have anything right off that I can say I know needs improvement right at this point.

      What do I think about the stability of the solution?

      We installed in 2009, and the stability has improved over the years. I consider it to be quite a stable product now. It seems to work day after day, week after week.

      What do I think about the scalability of the solution?

      With version 7, we feel the scaling improved a lot. We are a large health system and we are quite often adding new businesses, new healthcare offices, new hospitals to our system. We are able to add those extra logs into our system without causing any issues.

      How are customer service and technical support?

      Tech support has always been good from the very first. In most cases the first response is a good one. It does the job, and if not, then you get back to them and they stay with you until they get it fixed.

      How was the initial setup?

      We thought the setup was very quick and easy, of course we didn't try to boil the ocean all at once. We've been, over the years, adding more and more phases to our system, completed it in phases.

      What other advice do I have?

      Really figure out what you want it to do for you, because it is very flexible and can be used for many different purposes. Determine what you want to use it for, and then get the assistance from LogRhythm to help implement it in that way. Then you can always expand it and take in other areas. But your primary goals need to be met right up front.

      We are very happy with it.

      it_user756408 - PeerSpot reviewer
      Information Security Analyst 2 at a non-profit with 1,001-5,000 employees
      Gives us visibility into areas we wouldn't have seen, such as code execution; allows us to drill down on servers

      What is most valuable?

      • Visibility
      • The AI Engine for rule generation

      How has it helped my organization?

      We have two facilities, a combination of all different platforms, Linux, Windows, etc. It's just all across the board.

      It's definitely given us a lot of visibility into areas that we probably wouldn't have normal visibility into, such as code execution and things like that. It allows us to really drill down as to what's happening on the servers as they are being used in production, to where we can really get in and figure out what's going on.

      What needs improvement?

      It's pretty effective. In some cases we have run into some issues: the way that the rules work, and the alarms trigger. We get a good number of false positives.

      I wish that there were more instructional videos on how to do different things and more walk-throughs.

      Also, easier generation of AIE rules, or custom ones.

      What do I think about the stability of the solution?

      So far it's been really good.

      What do I think about the scalability of the solution?

      Scalability is very good.

      How are customer service and technical support?

      I've used LogRhythm tech support. I would rate it as very good, not excellent. For instance, we were trying to deal with pass the hash, which is a very common exploit, and LogRhythm tech support told us they were just going to turn that rule off, that we can't use it. We had to keep pushing until we had someone in another department push to an upper level of tech support to finally get it to where it was working.

      What other advice do I have?

      It's very important for a solution to be a unified, end-to-end platform for us.

      It's a really good solution. It's been very stable. At the same time, we have had some issues, some false positives.

      And that issue I told you about with tech support, there have been some challenges getting it to be where we wanted it to be, for a solution, like LogRhythm, that is supposedly best in the industry. I just thought it was kind of poor that they would take a common exploit that's been in use for years and say we can't get it to work when, obviously, they could get it to work. It was kind of lazy.

      Still, I would say go with LogRhythm.

      it_user756417 - PeerSpot reviewer
      Information Security Engineer at Lancaster General Health
      It's the center of our SOC but we are starting to use it for operational things as well

      What is most valuable?

      • SmartResponse flexibility
      • Ease of use
      • Ease of administration

      Overall, versus competitors, it is a lot easier to use, a lot more user friendly, but it still gives you a lot of flexibility to do whatever you want. The limit is your imagination, for SmartResponses at least.

      How has it helped my organization?

      We've actually been able to use it to show that we need more people, because we're going to be doing more. It's the center of our SOC, but we are starting to use it for operational things as well, not just security.

      What needs improvement?

      I would like to be able to use the Web Console, but because of our volume I can't.

      Also, it needs to stay healthy. A lot of the problems seem to pop up out of nowhere, and a lot of them seem to be somewhat debilitating. We were fine for a long time, and then eventually one day our processing just dropped. I ended up talking to support for something like a month, and eventually I got to someone who said, "You should check the BIOS settings on your data processors and your indexers." Turned out there was some read-ahead caching setting that wasn't enabled by Dell. We were fine for over a year, and then all of a sudden, problems.

      It's a great tool, just random dragons seem to cause problems.

      What do I think about the stability of the solution?

      Hit or miss, it depends. A month or two will go by and everything will be fine, and all of a sudden, something breaks. Then it's in the air for a little while, and then I manage to figure out what is causing the problem, fix that, and then everything is fine for a couple months. Then something else happens.

      It's different every time. One specific example, I think it was related to a KB-update that basically broke a log source type that was doing tens of millions of logs per day. And that just trashed our data processors. It put everything behind; we went down to single-digit processing, blocks-per-second processing, for a period of a few weeks. I had to rebuild all the MPE rules into a new log source policy, and then everything was fine.

      For a few months everything was working and then all of a sudden one day it just goes into the toilet. We didn't do any upgrades, nothing like that, so that is why I'm thinking KB-update, but I haven't pushed it.

      What do I think about the scalability of the solution?

      It's pretty good, it's easy to add parts, it's pretty easy to do that. It's just expensive sometimes.

      When we started, we had one platform manager, and two DPXs. And then we added this second organization, network domain, etc. Then we realized that we didn't have the infrastructure we needed to support everything. We were able to buy five DPXs, etc.

      How are customer service and technical support?

      On a scale of one to 10, it's a seven to eight.

      Once you escalate and validate, it's pretty easy to get to someone who knows what they're doing, and has a lot of the expertise in that specific area.

      Which other solutions did I evaluate?

      I know that it came down to LogRhythm, Splunk and ArcSight. They ideally wanted one person to administrate and run the whole system, which is why the other two got the boot and LogRhythm was chosen. That was the most important criterion in selecting a vendor.

      What other advice do I have?

      It's not perfect, but no solution is going to be perfect. If you have one person that you can dedicate forty hours a week to the SIEM, it will be fine.

      it_user756420 - PeerSpot reviewer
      Security Advisor at a manufacturing company
      The UI allows us to hand it off to our SOC and train them

      How has it helped my organization?

      We have about 170,000 employees worldwide. We have thousands of unique log sources we're ingesting. Right now, it's kind of information overload in what we're trying to create logs off of.

      Our key challenges are staffing and, right now, we're just trying to get the best bang for the buck on what we can create for alarms, so that's what we're trying to get out of being at the LogRhythm User conference.

      We're about to ingest pretty much all of our log sources and write alarms based off the log sources. That's what we're working towards right now, getting valuable alarms to trigger for our SOC to action.

      LogRhythm meets our problem statement, as a solution.

      What is most valuable?

      The UI. We can give it down to our SOC and we can train them.

      What needs improvement?

      The CloudAI obviously, that's going to be big for us. Hopefully that matures. I saw the problem statement video they did today at this conference, which is great. But I haven't seen anything tangible out of that yet, so looking forward to that.

      I wouldn't give them a 10 out of 10 because there is definitely some room for improvement as far as in the GUI. Some of the things don't make sense. I think they need to better understand how a SOC would use that platform.

      I don't think they understand that every morning we do a case review and we need a quick dashboard to go review open cases for our SOC. And that's not built into the dashboard, so we have to create that. There are some use cases that I think they should sit down a little bit more with the customer and understand how we use it.

      What do I think about the stability of the solution?

      It's pretty stable.

      What do I think about the scalability of the solution?

      It was scaled inappropriately when we got it, so we had to buy a bunch of hardware after that. But, it's working now.

      How are customer service and technical support?

      I don't use it. My cohort, who is more of the SIEM admin, he uses it quite a bit. I think he's happy with it, as far as I know.

      Which solution did I use previously and why did I switch?

      We used Q1 QRadar. After IBM bought it, it kind of died on the vine. They quit supporting it, so that was the main driver for getting off of that and going to LogRhythm.

      How was the initial setup?

      Pretty straightforward.

      Which other solutions did I evaluate?

      We did an RFP for all the major vendors, ArcSight, all the big ones. LogRhythm came out as the best SIEM tool.

      What other advice do I have?

      When selecting a vendor, for us, the platform has to be a unified, end-to-end solution. We've got so many unique platforms around our business that it has to be.

      All SIEMs suck, but LogRhythm is the best.

      it_user756411 - PeerSpot reviewer
      Security Analyst at a financial services firm
      Makes log information available on demand for investigation but generates a lot of alarms we have to overlook

      What is most valuable?

      The most valuable part of the solution is being able to view all of the logs whenever you want. Any time an issue comes in or something that needs to be researched, I have the logs there. I can go in, run an investigation. It's pretty much at my hands. Information is available on demand. I feel like I'm in control of it, which gives me a warm, fuzzy feeling.

      How has it helped my organization?

      Pros and cons, I would say. We are short staffed, like the majority of the people are here at the LogRhythm World conference. We have a lot of alarms that get overlooked; there's not a lot of prominence to them. So our SLAs are overextended. But other than that, we're getting alerted on things that we need to quickly look at, glance, and see what needs our attention right away.

      Usually, anything that's really hot, urgent, rated 90 or above, we answer those right away, and get those tasks completed.

      What needs improvement?

      If they continue to do innovation, and listen to their customers, then they'll move forward, and I think that will be the best thing for all parties involved.

      What was my experience with deployment of the solution?

      One thing that surprised me was how many logs were being generated by our environment and how many logs are just a waste of time, looking at them. They're just there. It's just logging information, and we were able to reduce.

      Deployment, I believe, took about two weeks, and going from, let's say, 100 logs, we were able to reduce to about half of those logs in terms of what we're reviewing.

      What do I think about the stability of the solution?

      Stability is perfect. We have had no issues whatsoever with the servers, or with the Web Console or anything else.

      What do I think about the scalability of the solution?

      The scalability is awesome. Initially, when we first purchased LogRhythm, we purchased only about 20 lite agents. Then we realized, as we were looking for additional log sources, we needed more. Pretty much within a day, we were able to purchase additional licenses and get them rolled out to our organization.

      How are customer service and technical support?

      Tech support is amazing. They always follow up with a document on how to do something and if you still need further assistance, they're willing to get on the phone with you, without any doubt.

      Which solution did I use previously and why did I switch?

      We were using a different vendor and we decided to go against it. We wanted to bring this in, in-house. We were using Dell SecureWorks, and we were just not satisfied with their ability to give us reporting and information in a timely manner.

      How was the initial setup?

      It was a little complex. I did not have training prior to it, so it was more of a hands-on learning, which I appreciate. I prefer to do hands-on. It's easier for me to learn that way. It was complex but at the same time it was educational. It had benefits.

      What other advice do I have?

      Being at this conference I learned a lot. For example, I haven't been using the Web Console to the extent that I should be using it, and I think going back I'll be using that a lot more.

      It's extremely important for a solution to be a unified, end-to-end platform. In terms of criteria when selecting a vendor, we look at it as a relationship between our organization and LogRhythm. We want them to work with us and we're willing to work with them to fit what's best for our environment.

      I gave it seven out of 10 because we've only used the product for about a year and a half and it's still a building process, and I think it will always be a building process. You're always tweaking things. I can't imagine the company being the best at one specific thing, and then if you're the best at it, then there's no room for improvement. But I know as an organization, we are extremely happy with LogRhythm.

      I would definitely tell colleagues to at least PoC LogRhythm, and see for themselves what they're getting in their environment and what other vendors might be missing.

      it_user756405 - PeerSpot reviewer
      Principal Security Specialist at University Of Massachusetts
      We have been able to find out what is wrong, and suggest how to remediate

      How has it helped my organization?

      Key challenge, of course, is how the threat situation changes every day. LogRhythm is on top of that and very helpful. Another challenge, of course, like many other companies, staffing is not where it should be, money is not where it's supposed to be, but we do well.

      We service the University of Massachusetts, but we also have other customers, all higher-end. It's up to the customer what they want us to look at and LogRhythm, absolutely, has the tools that we need to find the data threats that the customers are interested in.

      We're an MSSP and we've only been using LogRhythm this past year, and we've actually found several instances where we've benefited our customers with the data that we have found, that we've collected. We were able to find out what was wrong, deep dive into it, and suggest to our customers what they need to do.

      What is most valuable?

      I would say the amount of data that it collects and the way it correlates it, extracts it, and makes it easy for an analyst to look at it and deep dive into it. I had another SIEM before LogRhythm and it was nowhere near what LogRhythm does.

      The idea to me is collecting all this data and then extrapolating all that data, and it's phenomenal.

      What needs improvement?

      From what I saw yesterday here at the conference, they seem to be right on track with making the Web Console much easier, case management much easier.

      When you're searching on something, you see something that you think may be a threat, you have to keep threat-hunting, deep diving, and from what I saw yesterday, it looks like it's going to get a lot easier and more helpful.

      What do I think about the stability of the solution?

      Unbelievable! Very good.

      What do I think about the scalability of the solution?

      Very good. I was very impressed, especially yesterday, here at the LogRhythm User Conference, I did the 7.3 session, what's coming out. We've been around, as I said, less than a year and within that time frame - and from what I saw yesterday - it's unbelievable the way LogRhythm is moving forward.

How are customer service and technical support?

      If I look back to my other SIEM solution providers, the one we had before this, it's light years difference. LogRhythm support is very, very helpful, very knowledgeable. There's always somebody there. If they don't know the answer, they're going to go find someone who knows the answer. So it's very good.

      How was the initial setup?

      We used their Professional Services, I was one of a group of three - and the professional services - that helped roll out. It was pretty straightforward. Of course, it was different because it was all new to us, and using the Professional Services was very helpful.

      What other advice do I have?

      The driving factor in searching for a security solution would be, in this day and age, the threats that are out there are incredible. I think LogRhythm addresses a lot of the issues that are out there. Again, it's on us to make sure LogRhythm is a solution. It's a tool. If we don't use it properly it's pretty useless at that point. It's on us.

      I would say it's very important that a solution be a unified, end-to-end platform, especially in a higher-end environment.

      My nine out of 10 rating is based on what they offer, and what I saw yesterday at the conference, what they're coming out with. They seem to be on top of things.

      Among the different SIEMs that are out there, the companies, I would definitely recommend LogRhythm.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Sr. Systems Support Analyst at a manufacturing company with 10,001+ employees
      Real User
      Ease of use has helped us uncover a lot of information and protect our data

      What is most valuable?

      Ease of use.

      How has it helped my organization?

      We're pretty new to it, but so far it's uncovered quite a bit of information. Just having everything in a single space has been very helpful.

      As a security organization, our challenges are discovering where our data is at, most times, and protecting it. As I said, we're fairly young in LogRhythm, but so far it's done a very good job.

      What needs improvement?

      CloudAI is amazing from what I've heard about it so far, and I'm looking forward to it.

      There is always room for improvement. Everybody continues to integrate. They've been a great company to work with so far. I'm one of those who is optimistic, there's always room for improvements.

      What do I think about the stability of the solution?

      Rock solid so far.

      What do I think about the scalability of the solution?

      Scalability is incredible. There are no two ways about that, we're not even scratching the surface, and we're a pretty large company.

      How are customer service and technical support?

      We've used tech support a couple of times, and they've been very responsive and very knowledgeable.

      Which solution did I use previously and why did I switch?

      This is our first SIEM. My biggest driving factor was something that we could run with a small team. Like most, we have a very limited set of people to do this.

      How was the initial setup?

      It was fairly complex, but that's just because we did the little things that aren't normal in our environment, but other than that fairly straightforward.

      We did it in a little bit of a different fashion than most would. We deployed it in Azure, in a cloud environment. That was a little different, but still pretty straightforward.

      What other advice do I have?

      The unified, end-to-end solution is very key here. We have a lot of various tools, and trying to get them all into one is very key.

      Be sure to size it properly. Don't try to boil the ocean. Get your key log sources and let it start paying for itself immediately; it will.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756393 - PeerSpot reviewer
      Junior Information Security Analyst at a financial services firm with 51-200 employees
      Vendor
      All logs in one place; we can quickly determine if there is a threat actor, from internal to external​

      What is most valuable?

      The fact that I can quickly determine if there is a threat actor from internal to external. That's our primary goal. We have a lot of traders and a lot of developers, internal, so that's generally where our presence is. We don't have a whole lot of online presence. We're not so much worried about external actors.

      Being able to determine what a user is doing is really helpful for us.

      How has it helped my organization?

      We've got two facilities. We pretty much have one setup, the DX. We don't have any failover, just because it doesn't work for us.

      Our key challenge is weeding out who is actually trying to be a threat. Now, LogRhythm certainly helps us, but it's still very difficult because we've got not a super high turnover, but high enough that you're constantly going through them looking at stuff.

Being able to actually track somebody down and figure out what they're doing. Before, we didn't really have these insights, we were going by the seat of our pants and trying to pull whatever logs we could, whatever Unix logs we could find, and it wasn't really helpful that way. Now it pulls it all into one spot and we're actually able to correlate data and say, "Hey look, this person's really actually being shady," and go from there.

      We've been able to identify certain individuals and not have issues past that.

      What needs improvement?

      There is a Group-By field that they're breaking out, which stopped me from being able to have certain events. They're breaking it out in 7.3, so they've already got it. That was the one thing that bothered me, so I'm happy about that.

      What do I think about the stability of the solution?

      Stability is not great but I think that's our issue. Qualys seems to blow it up all the time, but that's more on us to stop Qualys from scanning LogRhythm.

      What do I think about the scalability of the solution?

      Scalability is pretty good. We rolled it out at our primary company and then rolled it out past, to our sister company, which went really, really well.

How are customer service and technical support?

      It's awesome.

      What other advice do I have?

      It's fairly important that a solution be end-to-end unified. The fact that LogRhythm is, is working out very well for us.

      I gave it eight out of 10 because of some of the issues we've had with the system actually going down but, again, that might be entirely on us. We're still in the defining phase of that.

      One thing that surprised me over the course of our deployment is the amount of logs that I didn't realize we had, different log sources that we're seeing pop up, pending, being brought into the system and we haven't even seen them before. People are standing them up left and right and I'm thinking, "Guys, stop it."

      Make sure that your operations guys, your network guys can actively search through it well. Get them training. Don't do half a job with it.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756387 - PeerSpot reviewer
      IT Security Administrator at a financial services firm
      Vendor
      Facilitates receiving alerts quickly and remediating them with partial scripts

      What is most valuable?

      The Web Console, and digging in through the logs.

      How has it helped my organization?

      We use a single appliance, around 5,000 MPS. We're a Windows shop, so mostly Windows servers, desktops, workstations, etc. Somewhat distributed as well, we have three main sites and 20 or so distributed sites as well.

      Our key challenges are, mostly people, getting more resources, and the goal is just get better. Are we better today than we were yesterday?

      I think it has helped immensely. I think the ability to quickly receive an alert and investigate that alert is pretty beneficial. I think it is pretty effective.

      Also, the ability to remediate alerts with partial scripts is pretty good.

      What needs improvement?

I would definitely like to see more things in the Web Console, in terms of the ability to run reports and generate reports out of it, and schedule those. Instead of having to go to the fat client, you would just do it out of the Web Console.

Right now there are two brains, the Web Console and the fat console, so that hinders a little bit of the flexibility or innovation that they can do. It is a tough spot to be in, but otherwise it is a pretty good product.

      What do I think about the stability of the solution?

      In terms of just stability of the product, sometimes we have run into some issues there.

      What do I think about the scalability of the solution?

      In our environment, we have X number of clients, so that's not extremely scalable, but I know that the solution is pretty scalable.

      How are customer service and technical support?

      Support has been really good.

      Which solution did I use previously and why did I switch?

      We were using Splunk prior to this but it was too expensive and we needed a true SIEM solution.

      How was the initial setup?

      A little complex, but usually any SIEM is; just all the components that are in that one appliance.

      What other advice do I have?

I am pretty impressed with it. I have seen it grow, just in the short time that we have had it.

      It is very important for us that a solution be a unified, end-to-end platform. That is one of the biggest driving factors, having a single place that I can do network monitoring if we wanted to. We could do log correlation out of different security tools that we have.

      Make sure you give it enough resources in terms of users. Somebody to manage it, whether that be a MSSP or in-house resource.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Senior Security Engineer at a healthcare company with 10,001+ employees
      Real User
      We can't feed it fast enough, gives us a ton of insights into our organization

      How has it helped my organization?

      We have 10 hospitals or so throughout Minnesota, and a lot of clinics and smaller health facilities. The technology stack is mostly Microsoft based. We do about 25,000 MPS.

      Key challenge is just protecting PHI, personal healthcare information, that's a challenge in our industry. Patient care comes first, even before security. Then also, healthcare is a bit behind the loop. It's a large organization, we've got over 30,000 end points.

      Just like any SIEM product, LogRhythm gives you a lot of insight into your organization. The web UI has been particularly helpful for our analysts and our budding SOC program. Being able to give them a nice kind of sexy layout, dashboard. And the reporting is great for management.

      Then there are all the "cobwebs" that we're discovering, that LogRhythm gives us insight into.

      We can't feed it fast enough, is basically what it comes down to. It's given us a ton of insight that we didn't have before. It's been magic.

      What is most valuable?

      The functionality of it. It definitely does a lot of things out of the box. You don't have to do a ton of tweaking and tuning, but that's there for you if you want it. Big-time usability and implementation is easy.

      What needs improvement?

      Maybe it's just my lack of understanding of it, but I would like to see the web UI expanded further.

      I would also like to see - and there might be some documentation around it - building your own smart response plug-ins.

      I think those would be pretty nice.

      What do I think about the scalability of the solution?

      So far so good. No complaints.

How are customer service and technical support?

It's been very good. I've had a couple of instances where it's taken a week or more to figure out the issue. But usually, when it gets to the tier-2, tier-3 guys, they get it answered really quickly. We've also had a lot of success sending logs to them so they can do regex on those for us, some custom parsing. It's nice.

      The issues we had surrounded integrating the Qualys API, and some questions that we had. It ended up taking awhile to get it figured out, that we needed to get a feature request put in.

      What other advice do I have?

      In terms of a solution being unified, end-to-end, for us it's huge. We have a ton of different security controls. I'm sure we're not any different than any other organization. Being able to bring it all in and put it on a single pane of glass is awesome.

      My rating of eight out of 10 for LogRhythm is because, while I think the support is great, the solution is a little rough around the edges. Like I said, I'd like to see the web UI built out more, and be able to jam more data into it. The fat client console feels a little rough around the edges to me, even though I use it every day. But overall, not a ton of complaints.

      Definitely check out LogRhythm. That's one of the things that I've noticed in talking to other people, it seems like people really focus on other top 10 SIEM tools like ArcSight and such. I don't hear LogRhythm talked about that much, so usually I'll bring it up and say, "Hey, go check out Logger."

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
Andrew S. Baker (ASB) - PeerSpot reviewer
Cybersecurity & IT Operations Professional (VirtualCxO) at BrainWave Consulting Company, LLC
Consultant

LogRhythm is a very good tool, but it comes with a pretty hefty price tag (especially for smaller orgs than yours). While it does not have (as yet) the name of an ArcSight -- especially with larger orgs -- it is definitely making a strong name for itself in the mid-market and enterprise space.

      it_user756369 - PeerSpot reviewer
      Senior Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
      Vendor
      Enables pivoting through the data in real-time; we can detect and remediate issues more quickly

      What is most valuable?

      I like the usability of it. I like the web console and the ability to pivot through all the data in real-time.

      How has it helped my organization?

      We have a pretty varied environment. We have all kinds of compliance. We have PCI, HIPAA, FISMA and the like. We are also a large development shop. It's not as strict as we would like it to be.

      As a security organization, our key challenges/goals are just staying on top of everything. The environment changes rapidly, especially with a big dev environment.

Regarding meeting those goals, in the last two months that we've had LogRhythm it's been very good. We ripped out an old SIEM that wasn't quite as easy to use. That has been nice.

      The benefits are that it gives us a central pane of view for all of our logs and all the events. Where it's really helped us is that it requires less time to remediate and detect any issues.

      What needs improvement?

      It's hard to say what should be improved because we're still trying to get an understanding of what the tool does.

      I think in all the sessions we have at the LogRhythm User Conference, we'll find out more what the tool does. Then, from there, we'll probably decide if we really wish it would do this or that.

      For how long have I used the solution?

      Two months.

      How are customer service and technical support?

      I have not personally used it, but a co-worker has. So far, we're very happy with it.

      Which solution did I use previously and why did I switch?

      We did have a previous SIEM solution, which was IBM QRadar. One of the biggest reasons we decided to move on from that was cost. The renewal costs from IBM were extraordinarily high. We had already talked to LogRhythm for a different use case, with compliance. We already knew what LogRhythm had to offer.

      How was the initial setup?

      It was a little bit of both straightforward and complex. There were certain parts of it that were very straightforward. There were other pieces where we just had to get a grip on which log sources we were going to send where, and how to manage it all.

      What other advice do I have?

      When selecting a vendor, one of the biggest things for us is ease of use. The second is how are they going to be a partner with us?

      In terms of advice to someone who is looking into this kind of solution, I would say to look at the long-term costs of any solution that you're looking at.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756363 - PeerSpot reviewer
IT Analyst at an energy/utilities company with 501-1,000 employees
      Vendor
      Visibility into all log sources in one place, and alerting are key advantages; helped us find misconfigurations

      What is most valuable?

      Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

      How has it helped my organization?

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimeter attacks. We've found operational problems, misconfigurations, things like that.

      What needs improvement?

      Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

      We could also use more information on how to integrate with specific vendors.

      Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

      What do I think about the scalability of the solution?

It's good. We have an all-in-one, an XM unit, because we're a smaller shop. It's been great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

      How are customer service and technical support?

      We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company, I'd rank LogRhythm higher than those guys.

      Which solution did I use previously and why did I switch?

      As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

      How was the initial setup?

      I'd say straightforward. We did have PS as well, so it was very helpful.

      Which other solutions did I evaluate?

QRadar and Splunk. And, for whatever reason - it is not truly a SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

      What other advice do I have?

      We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

      Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

      In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor is interoperability, the ability to pull logs, and the ease of customizing log parsing. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it from 10,000 feet, I would say LogRhythm and it are probably much easier to manage, much easier to use.

      LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How we can improve? How can we do this or that?" Our SE and sales guy are really great. Keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Security at an energy/utilities company
      Real User
      Provides an eagle-eye view and enables you to delve down granularly and easily

      What is most valuable?

      For me, the NERC compliance modules are probably the best thing. And the system monitors, they really pick up a lot for me.

      It helps you get an eagle-eye view and then delve down granularly. The ease of that is pretty amazing.

      How has it helped my organization?

      I've got three main datacenters and then I'm processing somewhere in the vicinity of 20 million logs a day. My key challenge is making sure that I'm complying with federal regulations.

      It's helping me in my compliance role. Helping me to provide evidence for our audits so that I can show we're doing what we're doing.

      What needs improvement?

      My main thing I'd like to see is, when you're using canned reports, that they're not blank. If there's no log source say, "No log source", or if it didn't find anything say, "It didn't find anything". I hate blank reports.

      What do I think about the scalability of the solution?

      I think it's pretty amazing. We have two deployments. My deployment is a small one that is on secured systems. We also have another deployment that's way bigger and for our normal corporate environment. So it fits from small to huge.

How are customer service and technical support?

      I have used LogRhythm tech support and I would say those guys are phenomenal, outstanding. They get back to you quick. If they can't answer it right off the bat they get an engineer to give you a call back, and they follow it through till it's good.

      What other advice do I have?

      I gave it an eight out of 10 because you can kind of dig around and find what you need, so it's fairly user friendly. And the support that you get from their tech teams is pretty phenomenal.

      I'd say definitely give it a look, and talk with them. I would definitely say that the support that you're going to get is well worth it.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756348 - PeerSpot reviewer
      IT Security Analyst at a financial services firm with 201-500 employees
      Real User
      It has helped tremendously when following up on investigations and logs

      How has it helped my organization?

      It has helped tremendously when following up on investigations and logs. We often get bogged down with many tasks during the day. We can actually come back to a particular scenario that we are looking into, so it has been very beneficial for that.

      Key challenges are our users and network. In our network, we get logs from a particular product called a NetScaler, which hides our source IPs, so that makes it a little challenging. Our goals are to tune LogRhythm further and utilize all the different modules that they do offer us. It is a challenge to get it all done.

      What is most valuable?

      • The web console
      • The case management

      What needs improvement?

      I did hear about the new playbook edition coming up and I am excited about it.

      What do I think about the scalability of the solution?

      It is excellent.

How are customer service and technical support?

      I have used the tech support and think they are great. I have many vendors that I deal with for other tools and hands down LogRhythm has been the best SIEM solution.

      What other advice do I have?

      It is a big project, but very worthwhile, and LogRhythm has plenty of documentation, support people, professional services, and classes that can help get a business implemented and push them all the way to completion. I definitely think it is worthwhile.

      It is very important for me that the solution be a unified end-to-end platform.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
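The review above notes that a NetScaler in front of the web tier hides the real source IPs from the SIEM, so every event appears to come from the load balancer. The usual fix is to enable client-IP insertion on the load balancer (it appends the original address to an X-Forwarded-For header), log that header on the web server, and have the SIEM key its rules on the recovered address rather than the peer. The following is an added example, not LogRhythm's or Citrix's code: it assumes a combined-format access log with the X-Forwarded-For value appended as the last quoted field, a constructed set of log lines, and a hypothetical trusted-proxy range of 10.0.0.0/8. It walks the header from the right so that a value forged by the client cannot become the IP the alarm fires on.

```python
"""Recover the real client IP behind a SNAT load balancer (constructed example).

Assumptions (not from the original page): the load balancer appends the client
address to X-Forwarded-For, the web server logs that header as the last quoted
field of each line, and every proxy that may append to the header lives in
TRUSTED_PROXIES. Log lines and addresses below are constructed for this example.
"""
import ipaddress
import re

# Constructed sample: combined log format with "%{X-Forwarded-For}i" appended.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2023:10:15:32 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "203.0.113.7, 10.0.0.5"
10.0.0.5 - - [12/Nov/2023:10:15:33 +0000] "POST /login HTTP/1.1" 401 87 "-" "curl/8.4" "198.51.100.23, 10.0.0.5"
10.0.0.5 - - [12/Nov/2023:10:15:34 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/8.4" "1.2.3.4, 198.51.100.23, 10.0.0.5"
10.0.0.5 - - [12/Nov/2023:10:15:35 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.28" "-"
"""

LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)

# Hypothetical proxy tier: only addresses in these networks are allowed to have
# appended to X-Forwarded-For. Anything further left in the header is untrusted input.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer: str, xff: str) -> str:
    """Return the first address, counted from the right, that is not a trusted proxy.

    Walking right-to-left matters: the leftmost X-Forwarded-For value is whatever the
    client chose to send, so trusting it lets an attacker pick the source IP the SIEM
    alarms on. The rightmost untrusted hop is the one the load balancer actually spoke to.
    """
    if not _is_trusted(peer):
        return peer  # request did not arrive via our proxy tier; header is meaningless
    hops = [h.strip() for h in xff.split(",") if h.strip() and h.strip() != "-"]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return hop
    return peer  # header absent or only proxies listed: fall back to the TCP peer


def parse(log: str) -> list[dict]:
    """Parse access-log lines and add a src_ip field holding the recovered client address."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["src_ip"] = client_ip(d["peer"], d["xff"])
        events.append(d)
    return events


def failed_logins_by_source(log: str) -> dict[str, int]:
    """Count HTTP 401s per recovered client IP: the field a brute-force rule should key on."""
    counts: dict[str, int] = {}
    for e in parse(log):
        if e["status"] == 401:
            counts[e["src_ip"]] = counts.get(e["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in parse(SAMPLE_LOG):
        print(e["src_ip"], e["status"], e["req"])
    print(failed_logins_by_source(SAMPLE_LOG))
```

On the constructed lines, the third request carries a forged leading value (1.2.3.4) that is ignored because 198.51.100.23 is the first untrusted hop from the right, and the health-check line with no header falls back to the load balancer address rather than failing. Keying the 401 count on `src_ip` instead of the peer field is what turns "every failed login came from 10.0.0.5" back into per-client data.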
      it_user756336 - PeerSpot reviewer
Deputy CISO at Temple University
      Real User
      Generates real insight into the security posture of my organization and scales very easily

      What is most valuable?

      The consistency of its interface, whether you go to a dashboard, a search, an alarm - everything comes back consistently. There isn't a different interface for every function that you do, so it makes it very usable.

      How has it helped my organization?

      The benefit is really getting insight into the security posture of my organization. Proof in the pudding was that we had a penetration test over the summer and we caught the penetration testers five times because of various LogRhythm alerts.

      What needs improvement?

      The biggest thing I want is, right now you have thick console and the web console. Most of the reporting has to be done in the thick console. I'd love more reporting in the web console. A lot of our users don't have access to the thick console, only administrators do, so a lot of users can't run their own reports.

      What was my experience with deployment of the solution?

      I think part of the thing that LogRhythm has always done with the deployment is a lot of hand-holding by Professional Services. I would tell everybody that was going to do this to pay the money and get Professional Services. Don't try to do it by yourself.

      What do I think about the scalability of the solution?

      Awesome. In fact, I just went through a scaling exercise where we outgrew our initial implementation and we were able to double, very easily, our capacity through an upgrade process.

      How are customer service and technical support?

      They're awesome. We use them all the time. I tell my staff that whenever you have an issue, the first thing you do is you open a ticket with tech support, then you start playing with it. If you have solved it by the time tech support gets back to you, cancel the ticket.

      Which solution did I use previously and why did I switch?

      We were previously using SolarWinds and we outgrew it. It wasn't scalable. We needed to find a solution that would scale as we grew it.

      How was the initial setup?

      It was straightforward.

      What other advice do I have?

      We're a big university. We're the 26th largest university. I've got 45,000 students, 10,000 researchers and faculty members, plus staff. Main campus is in Philadelphia, Pennsylvania. A mile down the road we have a Health Science campus that has a medical school, a dental school, a pharmacy school, and it's kind of attached to the hospital, which is separate from us. We also have campuses in Harrisburg and Center City that are small adjunct campuses. We also have a campus in Japan and a campus in Rome. We have a big international presence, that's the size and the scope.

      Our key challenge is that the drivers of the university have been notoriously open, but with the threat landscape of today we have to be mindful that the openness that the faculty wants has to be balanced with the needs of protecting all of the data information that we have, like any business has.

      When it comes to the most important criteria when selecting a vendor, a unified, end-to-end platform is really important, but it's one of the key features. We look at the overall value that a platform has. Cost comes in, but also leadership in the field, manageability, how many FTEs it's going to take to run this solution. All of those things are factors.

      I've been around this field for 25 years. I've used many solutions. LogRhythm is scalable, it's robust, they're constantly growing it, their tech support is good, their Professional Services are good. We just went through a massive upgrade to double our capacity. They give us training credits on our old solution. They want customer happiness and customer success.

      Definitely do your homework. Understand what logs are important to you and really evaluate what scope you need to do, and take your time. This is a big project, you can't do it all at once. You really have got to do it in phases.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756354 - PeerSpot reviewer
      Security Analyst 3 at a comms service provider with 1,001-5,000 employees
      MSP
      It is a single pane of glass for all of the logs

      What is most valuable?

      • The user interface (UI)
      • Ease of use, especially if you are starting off
      • The AI

      How has it helped my organization?

      Key challenges and goals: Anytime you are building a program from the ground up, there is a lot of legwork to be done to get things tuned to the point where they are usable.

      Effectiveness of solution in meeting security challenges and goals: It is very effective. It is a single pane of glass for all of the logs, that not just myself, but anybody who is looking for information about how the network is behaving can use. So, not just primarily a security tool, it is a tool for everybody if it is set up that way.

      What needs improvement?

      We run across the odd vendor which we are using that we think are large players in their environment, but there is not necessarily a native support for their log ingestion per se, where it requires customization in order to be able to parse and accept their logs. I would also like to see them expand on some of the ability to interact with other technologies in real time via the programming platforms.

      What was my experience with deployment of the solution?

      It pre-existed before I got there. Once it was deployed, I have been responsible for most of the log ingestion and the tuning efforts.

      What do I think about the scalability of the solution?

      It seems scalable so far. I have not had to add more devices to our deployment yet, but it has yet to be discovered.

      How are customer service and technical support?

      We have used LogRhythm tech support and they are excellent. They have been very helpful.

      Which solution did I use previously and why did I switch?

      This is our first adoption of a proper SIEM product, so there is really nothing to compare it to with respect to the job that I am in right now.

      How was the initial setup?

      It pre-existed before I got there.

      What other advice do I have?

      I am very happy with the solution right now. I would absolutely recommend it and have.

      Most of the basics have been tended to, and as we discover other things that we need to get more data on, and they are brought up, the company addresses them.

      The most important criteria when selecting a vendor: It is very important for it to be unified.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user756360 - PeerSpot reviewer
      Director Information Security at Vail Resorts
      Vendor
      An easy, centralized view of our environment

      What is most valuable?

      Being able to centralize and have one view of all the threat events coming out of all my multiple security sensors.

      It has been the easiest SIEM platform that I have worked with or seen in production.

      How has it helped my organization?

      It is an easy, centralized view of our environment.

      Our key challenges and goals are maturing our security operations and security event management process.

      What needs improvement?

      • Better correlation of all events: We seem to get a lot of misinterpreted data coming from multiple sources. It would be nice to have an easier way to interpret the data and correlate it.
      • The challenge of maintaining it: Maintaining compatibility with all of our log sources is still a challenge for us.

      We have implemented it as a necessary feature, but we need to be able to mature that.

      What was my experience with deployment of the solution?

      I was just involved in the decision-making process. However, I know that the deployment was straightforward.

      What do I think about the scalability of the solution?

      It seems to be highly scalable and easy to scale.

      How is customer service and technical support?

      I have not used LogRhythm technical support.

      How was the initial setup?

      I was just involved in the decision-making process. However, I know that the setup was straightforward.

      What other advice do I have?

      It is extremely important for our solution to be a unified internal platform.

      I would recommend looking into it.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user756357 - PeerSpot reviewer
      Senior Security Analyst at an energy/utilities company with 1,001-5,000 employees
      Real User
      The ability to leverage alarm and case management features through a centralized location

      What is most valuable?

      The recognition of many device types, log message formats, and the most common device types out there. Then, the ability to quickly display data, and do the classification on it. That is the big value.

      I have used it a lot. I have used it against other SIEMs. I have used it in conjunction with other SIEMs, and it is the easiest to use and makes the most sense to me.

      How has it helped my organization?

      • Being able to gather the data into one central location.
      • Being able to leverage alarm and case management features through there on that centralized single pane of glass. That lets us work through those issues that we find from all those disparate device types, fairly quickly and efficiently using that stuff.

      Key challenges and goals are retaining talent. Guys tend to do really well in this field, and oftentimes monetize those skills pretty quickly. So, there is always someone willing to pay a premium out there for those skills and that talent. Therefore, you find a lot of churn from that.

      What needs improvement?

      I would like to see additional features around alarm management. We are producing alarms right now, and we are able to change statuses on them. But, I would like to see more details around having timers on those alarms. So, if I have a new alarm that has been sitting there for 15 minutes and no one has gotten to it, I would want some sort of alert to tell me that or a threshold I can set.

      What was my experience with deployment of the solution?

      I was not involved in this particular deployment, but have deployed about 25 LogRhythm deployments previously.

      It is straightforward. Not too bad.

      What do I think about the scalability of the solution?

      It scales well. It can go from 1,000 messages per second to 50,000 messages per second fairly easily.

      How is customer service and technical support?

      I have used a lot of tech support, and I think it's the best out of other SIEMs that I have worked with: McAfee ESM and IBM QRadar. LogRhythm definitely has the best support.

      What other advice do I have?

      Go ahead and do the evaluation with their other competitors out there. Understand each of the SIEMs' capabilities by sitting down with them. I think you will find that LogRhythm will win out.

      A unified end-to-end platform is extremely important, because as we move toward this more holistic security model, we will be looking at minimizing the number of tools that we have to have in our environment, and trying to centralize a lot of that work into one platform, and LogRhythm is definitely one of the platforms that does that.

      Most important criteria when selecting a vendor: Selecting a vendor is pretty important. We go through a lot of things, a lot of due diligence. We like to put them up against their main competitors in the market. That is generally a step we take when evaluating different vendors for a solution.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Global Security Manager at Chart Industries Inc
      Real User
      Top 10
      The scalability is near infinite. It goes both vertically and horizontally.
      Pros and Cons
      • "The ability for me to go into the Web UI, and just learn what's going on in my environment."
      • "I have probably submitted half a dozen log parser requests, and I keep finding more stuff that we need to keep an eye on that doesn't have a definition in LogRhythm."

      How has it helped my organization?

      The benefits are almost innumerable. You can't know anything unless you are capturing the data. Once you are capturing the data, you can then make intelligent decisions around what is and is not appropriate, and what is and is not dangerous. It improves the security posture, because you can then know when things are happening that are bad.

      Before the LogRhythm solution, if someone was trying to log in to a server with a local admin account, I would have no way of knowing that. Nothing would log it, audit it, and it would never show up. Now, I get an AIE alarm every time that happens, because it is considered a pass the hash attack.

      If we know when these things are going on in our environments, we can identify rogue admins doing things that they should not be doing, and the questions can be asked, "Why are you using this process? What's failing you that you have to go around the normal procedure to do this?"

      Another big one we found was just the ridiculous amount of PSExec running around the environment by non-admins to touch other things, which we have tried to curb. Then, we were able to ingest some custom log sources that have helped us become more proactive in alarming. Some of the stuff that we are using does not do good alerting, or it does not do role-based alerting. So I do not need an IT admin in Georgia to know about a potential issue in China. He does not care.

      I need that alarm to go to China, and not to Georgia, but some of our solutions will only send their alarms to one source. So, you either send it to the entire IT organization, every time it happens, or you do not send them at all. It has helped us pare down the noise to our site level admins, and give them more actionable intelligence quicker.

      We are a global company. We have 37 locations. China is one big country in Asia. We are in Australia, North and South America, and in Europe, with about 5,000 full-time employees. For the technology stack, we are running a single LogRhythm LR 6403, 2500 NPS license, which we are currently hitting the lid on every day, and running a combination of Trend Micro and Malwarebytes for endpoint, and Cisco FireSIGHT for IPS. We are a Cisco shop, 100% on the network, and we are a VMware shop, 100% for the servers.

      Right now, my biggest challenge is distilling the technical data that I am getting out of the LogRhythm appliance, in my reports, and translating that to business value statements to the business units to justify that I need more NPS or I need a bump to NPS, or I need another VX, which is a lot of money to spend. I have to now, instead of making the fear argument of, "Oh my god, the world's on fire." Instead, it is more of, "Here is this device, here is how this solution partners with the business to enable them to make better decisions about risk." Also, they can feel safer in making somewhat more risky decisions, because they know that this solution is behind the scenes, watching, keeping an eye on things, and our team will tell them if something is going wrong.

      What is most valuable?

      The ability for me to go into the Web UI, and just learn what's going on in my environment. Being able to go in and show our company's management, "Look, this is what we can see. This is what we can now know about our environment."

      Then, using the past several months to baseline what's normal, it has been invaluable, and we have also been able to stop things that were bad, at the same time. We were able to actually show value, while we were still building out the solution.

      What needs improvement?

      My biggest challenge always comes back to log sources. We are a manufacturing company, so we have a lot of old stuff, and it has been a challenge to get some of our old stuff to light up within LogRhythm in a way that makes sense. I have probably submitted half a dozen log parser requests, and I keep finding more stuff that we need to keep an eye on that doesn't have a definition in LogRhythm. I keep pressing through, and I know they are working hard on it, but that is our biggest challenge.

      What do I think about the stability of the solution?

      It has been incredibly stable. I had one minor hardware problem, where it did not reboot at all. It just sat there, but it was just a minor hardware thing, other than that, the software itself has been incredibly stable.

      What do I think about the scalability of the solution?

      It is near infinite. We are running a single appliance, but I can, even with my current license, break the Web UI off and put it on a VM if I need to, just to relieve some of the pressure. If I need to bring in another appliance, I can bring in another VX, and cluster those, or I can move AIE off onto another machine, it goes vertical and it goes east-west.

      How are customer service and technical support?

      Customer Service:

      I can't say enough about LogRhythm's tech teams, the staff, the SEs, and even my CRM. They have all been fantastic.

      Technical Support:

      We are on a first name basis with most of the technical support.

      My company did not get me professional services, so I deployed LogRhythm by myself, with no knowledge. So I probably opened 50 tickets in the first three or four months.

      They are amazing. They have an incredible depth of knowledge, even the Level 1 person that answers the phone, and their Level 3 support has been invaluable.

      Which solution did I use previously and why did I switch?

      LogRhythm is the first SIEM that my company has ever owned. They never owned one before, and it took a lot of convincing to get them to buy it in the first place.

      What's my experience with pricing, setup cost, and licensing?

      Definitely do a PoC.

      • Get an appliance in your system and your company.
      • Get your PoC guys to sign their CTU.
      • Then, truly think through the business case for this device.

      What is it that the business finds important, and how can this appliance/device enable the business to know more about the solution, and to protect that solution from anything?

      Because if you start with what we like in the tech industry and what we want to do, you are going to be talking about red team exercises and hacking attempts, and those are all good things to have, but they just do not translate on that initial ask for $100,000s.

      You really need to target the business, find out what is important to them, then focus that stuff in, and try to answer their questions with the PoC. Then, they will sign any check you hand them.

      Which other solutions did I evaluate?

      We were actually dead set on using Splunk. I came from a Splunk shop at my previous job, and I am a big fan, but I had never seen the Web UI before. So, it is a combination of a few things: The web UI, price pressure from the business, and dedicated hardware, which made LogRhythm the overriding choice for us.

      What other advice do I have?

      I have seen the features that are coming in 7.3, and they look incredible.

      It has far exceeded what I thought it was going to do for me in my job role. With the Web UI, over like a Splunk solution, it has actually become a tool that is used outside of security. I do not have to have people who have Lucene SQL Query Syntax memorized in order to get a value out of the system. They can jump in, log in as themselves, point and click, build themselves a query, and everything's great, then they love it.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user756339 - PeerSpot reviewer
      Information Security Analyst at a legal firm
      Vendor
      Produces visibility into all of our data at once, allows me to see everything in one place

      What is most valuable?

      The visibility that it gives us into all of our data at once.

      How has it helped my organization?

      It would take me a thousand hours a day to go through all that data, so, like I said, it lets me see everything in one place, and I'm able to see where the problems are.

      What needs improvement?

      A cleaner interface. I keep getting confused and forgetting where everything is. A more intuitive interface would be helpful.

      It does seem to be good at gathering data. Like I said, it's hard for me to get that data. I would just like it to be more intuitive. When I go to look for stuff I frequently can't find it. Either it's not there or I just don't know the program.

      What do I think about the scalability of the solution?

      It scales enough for us. We haven't had any issues, no complaints about it.

      How is customer service and technical support?

      I've used their training. I have not used their tech support. Again, we have an administrator, he's been there. He probably knows more about this than I do.

      What other advice do I have?

      In terms of a solution being a unified, end-to-end platform, that would be nice. It's not something that I think about. I just use what's there.

      I would tell a colleague at another company who is researching this or a similar solution to try it out. That's the only way you're going to know whether you like it. Don't trust the marketing materials. Ever.

      I like the direction they're going with the AICloud stuff. They're talking about the playbooks. LogRhythm seems to be on top of things and always looking to improve, I like that.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756330 - PeerSpot reviewer
      Senior Network Engineer at a transportation company
      Vendor
      SmartResponse, alarming, and being able to write our own rule set allow us to delegate alarm monitoring

      What is most valuable?

      • The SmartResponse and the alarming
      • The ability to write your own rule set

      How has it helped my organization?

      It allows us to delegate some of the alarming, where there's not just one person looking at it all the time. Some lower-level techs can handle basic alarming.

      What needs improvement?

      Sometimes our rules don't fire correctly, events don't get created correctly, but that's mostly just because we have to write custom regex.

      Also, moving away from the fat console, more into the web console for log sources and tuning and things like that, would be helpful.

      At times it gets a little clunky, or resource-intensive, but it works.

      What do I think about the scalability of the solution?

      It works pretty well. It's somewhat hard to delete something out of the system. That's probably our only challenge, because we reuse an IP address and then it's difficult.

      How are customer service and technical support?

      We've used them a few times. They were pretty good.

      Which solution did I use previously and why did I switch?

      We actually weren't using anything before. It was a conglomerate of a firewall and the Windows logs. But we had an IT architect that was more into security.

      How was the initial setup?

      It was pretty easy.

      What other advice do I have?

      Regarding a solution being a unified, end-to-end platform, it helps, but it's not completely necessary.

      For what it does, LogRhythm works pretty well.

      If I were to advise a colleague who is looking into this solution, I would say train someone, as their full-time job, to use it. It's not an easy product to get around.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756426 - PeerSpot reviewer
      SOC Manager at an energy/utilities company with 10,001+ employees
      Vendor
      The event correlation has helped us to mitigate the security threats in our environment

      What is most valuable?

      The important thing in LogRhythm is the correlation in the AIE rules. It correlates all the logs to give meaningful events.

      How has it helped my organization?

      It helps us to improve our procedures management by decentralizing log management. We collect all the logs from our security devices, Windows server devices, and all the network devices into one single platform, then we can see all the events that led to the securities.

      Our key challenge is how we can convince our top management that we are in a very secure state/environment.

      What needs improvement?

      The Web Dashboard UI: Maybe it can improve more to indicate some of what Splunk is doing, because I also compare with other SIEM products. Maybe LogRhythm can have some sort of dashboard similar to what Splunk is giving to their customers.

      The product is good, but maybe they can further improve what they are doing in the roadmap, such as cloud AI and some of the web dashboard enhancements.

      For how long have I used the solution?

      Since 2015.

      What was my experience with deployment of the solution?

      At first, it is quite straightforward, but in terms of the meaningful events, the AIE rules, during the implementation stage, we had difficulties getting the correct AIE rules, but further on it is improving.

      What do I think about the stability of the solution?

      For overall performance, it is very good. In terms of the correlation to the alarms rules, the AIE rules, I think in those terms of the reporting, maybe it can be further improved upon. The customization of the reporting could give more information that we need.

      How is customer service and technical support?

      We have been using quite a lot of technical support. Every time we have any issues, we will create a ticket to LogRhythm support. For example, when we have an error in our deployment monitor's usage, they will have us fine-tune or do some maintenance to improve the logs, the logs that we receive.

      Which other solutions did I evaluate?

      During the proposal, we were looking at three to four different vendors, such as LogRhythm, Splunk, and IBM QRadar, so in terms of alarms and AI intelligence, we see that LogRhythm is giving more accurate and meaningful events compared to the others.

      What other advice do I have?

      My advice, when they first implement the solution, they should make sure that they know what data source or log sources that they want to give to LogRhythm to do the correlations, because they cannot just simply dump all the log sources to LogRhythm. It will impact performance, so they will need to carefully choose the log sources first. Then, after that, they can move away to the correlation, the engine rules, and so on.

      It is important for us to have a unified internal platform.

      The most important criteria when selecting a vendor:

      The most critical thing for us is in terms of the correlations, because without the correct correlation, or alarms, then there will be no meaningful events. So our priority is to get meaningful events that can trigger our teams to do the mitigation and remediation action.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user756324 - PeerSpot reviewer
      Senior Manager IT Security at Virginia Premier Health
      Vendor
      Allows us to be more defensive, have a better security posture, and be more prepared for anything that occurs

      How has it helped my organization?

      It's allowed us to have more visibility into our network as well as be able to respond more quickly to incidents seen on the network.

      What is most valuable?

      • Being able to gather logs in one place
      • Being able to process them and generate alarms

      What needs improvement?

      I work in a highly regulated industry. I know the product has compliance mechanisms, but being able to get more governance surrounding some of the compliance. Merging things that we have to be on top of would be helpful.

      What do I think about the scalability of the solution?

      LogRhythm has been able to show that their products are very scalable. Usually, when you buy things that are out of boxes, you get them, they're old. But the new enhancements and things that LogRhythm continues to integrate allow you to scale up with them as they grow. They scale with you also.

      How are customer service and technical support?

      I've used tech support. They're very helpful, very knowledgeable people who genuinely care about you and want to see not just their product but you, as a company, be successful.

      Which solution did I use previously and why did I switch?

      This is our first iteration of SIEM at my organization. At the time, my superior had used Splunk previously, and that was what he was a fan of. But LogRhythm is one of the emerging leaders, price point was very important, and also to be with a company that's on the cutting edge of technology.

      How was the initial setup?

      I think that anytime you're integrating SIEM monitoring tools into an environment, it is complex, but the LogRhythm Professional Services help make things easier, and I've worked with them every step of the way.

      What other advice do I have?

      It's very important to our organization that the solution be a unified end-to-end solution.

      I don't think any company is perfect, but I know that they're striving, and that's why I give them such a high score.

      I understand that whatever you're buying with LogRhythm, it is not going to be static. It's a very dynamic company and a lot of new technologies emerge, so ensuring that you get the proper level of training upfront, as well as continued training for your staff, is important for being able to wrap your hands around what LogRhythm is actually doing and where they're going.

      You start to talk about some things like blockchain and quantum, I'm sure that LogRhythm is already researching some of those new computer technologies. I didn't know what to expect back in 2015 when we bought the product, but it's showing to be agile, scalable, and the people are very knowledgeable.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Security Analyst at a financial services firm with 201-500 employees
      Real User
      Dashboards and AI Engine are key features giving us more insight into the traffic patterns we see

      How has it helped my organization?

      It's given us more insight into the traffic patterns that we see.

      What is most valuable?

      The dashboards and the AI Engine.

      What needs improvement?

      Mostly they should just expand on the features that are already there. More pre-built parsers, more pre-built AI rules, more dashboard widgets that we can put to use.

      What do I think about the scalability of the solution?

      I would say scalability is very good.

      How is customer service and technical support?

      Mostly very good. We have had some issues that have taken a long time to resolve, various technical issues that have taken longer to resolve than we desire.

      What other advice do I have?

      The criteria that we look at when selecting a vendor are usually support, and being an end-to-end solution, which is very important too.

      I gave it a nine out of 10 overall because we have had some support issues that haven't been resolved quickly enough but, other than that, I've been very happy with the product.

      If a colleague was researching this and other popular SIEM tools, I would say for the most part I'm very happy with it. I would advise them to schedule a demo and see if it meets their needs.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user756315 - PeerSpot reviewer
      Security Analyst at Guitar Center
      Vendor
      Enables us to feed in logs from other solutions and build dashboards to show us what we need to see

      What is most valuable?

      AI Engine

      How has it helped my organization?

      It's got intelligence. Does a lot of the heavy lifting, you can create custom AI rules. I'm looking forward to this CloudAI.

      It definitely complements all of the other solutions we have. We can feed all the logs into our system, build dashboards that the products themselves cannot provide. For example, we have web filtering, their dashboards aren't so great for that product. But when we feed it into LogRhythm, we can build dashboards that really show us what we need to see.

      What do I think about the scalability of the solution?

      Pretty scalable. We were on an HA setup. Got about 2000 messages per second. It's pretty scalable.

      How are customer service and technical support?

      They're top-notch. Every time I call, there's somebody willing to pick up the phone, somebody willing to jump on a WebEx, so I have nothing but good things to say about LogRhythm. Compared to every other product we have, LogRhythm support is the best. Without a doubt.

      Which solution did I use previously and why did I switch?

      I've used Symantec SIM, which wasn't so great. This is a real breath refresher, because it's more scalable, and I feel it's a better product overall.

      What other advice do I have?

      The most important factor, for me, when selecting a solution is that it needs to be lightweight.

      Advice I would give to a colleague at another company who is researching this sort of solution: Talk to me first.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Administrator Executive at an individual & family service with 10,001+ employees
      Real User
      I have done a lot of good work with the account reps and engineers. It feels like we are on the same team.
      Pros and Cons
      • "It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast."
      • "I would really love to be able to take some of the data and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph."

      How has it helped my organization?

      We are primarily Windows-based. We have Linux. We have some Solaris. We are an isolated network. We have no connectivity to the internet, so we are more focused on insider threat and advanced persistent threat. One of the things that has really been a concern is we have a lot of software developers and engineers. These guys are gonna be able to create their own threat, so the behavioral analysis function of LogRhythm is really important, because there may not be a threat signature that we can find somewhere. We are going to need to see, "Oh hey, this guy, he is doing that at some weird hour. Okay, trigger an alert." That's probably the biggest difference. We are not going to have to worry about phishing attacks. We have really locked down. Our endpoints are going to a lot of thin clients just to eliminate a lot of potential access to systems.

      LogRhythm has caught a few odds and ends, where things were done for sheer convenience. It caught this weird behavior, and alerted us, and we're like, "Why do we have a DNS server with a software install point on it?", which is completely strange because we have an official software repository where everything is supposed to be. LogRhythm caught that for us, and it was really a case of a privileged user account, which was no longer active, and someone just tried to log in with it. We were like, "Who is this? It's not even the same format for the username." So, it caught something like that, and it turned out to be harmless.

      Maybe years ago, they had brought someone in, not an IT guy, they were pushing out a lot of common software, and they didn't have an SCCM or a WSUS solution, so they had people going to machines, and downloading it from various locations. It is something we cleaned up, and got out of the way. We haven't had anything nefarious show up, yet.

      It has also been helpful for tracking a lot of stuff, like user account activity. We have our own folks, we have vendors and contractors that come in. It's great to be able to see when their accounts are being created, and when they're being locked down, because our security people can say, "Okay, this person is a new hire. We know they are supposed to be here. This person is leaving the company. Good to see their account has been locked down." There is a lot of confirmation on account activity, which is great.

      We need to catch everything before it does anything bad. Our biggest challenge is we have reporting requirements with our customer. They want to see specific types of activity, and while we want to be able to provide that, we also want to be able to catch things that might be on the edge or just outside of those boundaries. So that is our biggest challenge because I can watch the industry news and see, "Oh well, we have a threat that is coming in this way now that could possibly get on our system. How do I catch that?" Well, my customer's requirements might be too vague or too specific. I have to convince them that this is also important, include it, and here is why. So keeping my customer educated as to the threats is really critical.

      What is most valuable?

      It gives us insight into our entire installation, where we are multiple sites, going as far as the East Coast to the Central West Coast. Our operation is small. I am a one-man shop right now, so it gives me a chance to aggregate all my events and logging, alerting, in one spot. I come in and can see exactly what is happening.

      What needs improvement?

The biggest thing is when you are looking at the client console: for a lot of the data, the reports that you can generate, you are given just a pie chart, a list of data, or both. I would really love to be able to take some of that and not have to export it to a CSV file, so I can pull it into Excel to turn it into some other kind of graph. I know some of that's being handed off to the web console, but that would be the one thing that would be really helpful.

      It is a little hard to get integrated.

The one thing that would help me the most, because I am sort of isolated from things, and the guides that LogRhythm puts out are really good. However, a lot of times, it is, "Do this, do this, and this works because of this, this works because you do this." I would love to see something where they show or explain why doing something would break something or wouldn't work for you. That is the one thing, because I have done some things, like created a GLPR, just done them a couple of times, and I had two that work really well, and one that seems like it should be perfect, it is just a simple exclusion, but it does not work at all.

      What do I think about the stability of the solution?

      Stability has been great.

How are customer service and technical support?

      Customer Service:

      I have done a lot of good work with the account reps and engineers. It really feels like we are on the same team.

      Technical Support:

      Technical support has been pretty good. It has been a challenge, because we are not connected to the Internet, and when they want to get our logs, we are like, "Well, it is going to be a few days before any of it gets to you." That's our biggest challenge, but they have tried to work with us.

Overall, they have been good. They have been pretty helpful.

      How was the initial setup?

      I was not involved in the initial setup.

      What's my experience with pricing, setup cost, and licensing?

      I would recommend talking to the rep. That's the biggest thing because they will know what questions to ask.

      What other advice do I have?

      It does what we want, but there is so much you can do with it. It is like buying the biggest tool set you can find, then you are trying to find out, "Okay, what am I going to do with all of these tools?" Trying to tune your system with the tools that you have available is a little daunting. It was for me because I did not have the security background. If you are new, it will be a little bit daunting. The training is a big help, though.

      Understand what your scope is. What are you really trying to do with this tool? If all you want to do is collect logs and pile them up somewhere on a server, this is not going to help you, and it will defeat your security goals, probably. If you are looking for something, talk to the LogRhythm rep to find out, "Okay, we are really operationally-focused. Or, we are really security-focused."

      Most important criteria when selecting a vendor:

      • Vendor access, which is what LogRhythm is very good at. We have got the engineers coming to us saying, "Hey, we are coming to town, is there something we can talk to you about? Do you want us to visit?"
      • Very flexible.
      • Really good communication is important because if something is happening, I need to be able to get it taken care of quickly, and that is what's going on.
      • Scalability: It looks like it is wonderfully scalable.
• Integration: I have been interested with what I have seen with the Carbon Black and the endpoint stuff.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      Senior Security Engineer at a healthcare company with 10,001+ employees
      Real User
      AI Engine, alarm rules correlation, and drill-down are key; we're able to find more with less effort

      What is most valuable?

      • AI Engine
      • Alarm rules correlation
      • Web interface
      • The amount of information it has throughout the web interface
      • The drill-down

      How has it helped my organization?

      We've been able to go ahead and find more with less effort, just on the web interface itself.

      What needs improvement?

      Functionality, ease of use.

      There are a few "gotchas" in the applications. One of the issues that we're having right now is on the AI Engine, when you do the drill-down. There are no events that are being populated for the drill-down. The recent upgrade and release fixed some of that.

And some of the other parsing rules: parsing isn't done correctly.

      For how long have I used the solution?

      We've only been a customer for maybe about five months.

      What do I think about the scalability of the solution?

      It seems to be fairly scalable.

      How are customer service and technical support?

      We have used LogRhythm technical support. The response is really good.

      Which solution did I use previously and why did I switch?

      We were using McAfee Nitro. The administration of the application was very cumbersome, and trying to get reports, customizing the analytics on there, is a bit difficult. We looked at LogRhythm, and LogRhythm seemed to have a lot of the stuff built in, canned already.

      How was the initial setup?

      It was pretty straightforward. There were some things that were a little bit complex after the setup, and trying to troubleshoot some things. For example, log indexer was indexing most things, but not everything. It got backed up, so we had to go in and troubleshoot some of the processes.

      What other advice do I have?

      It was pretty significant for our solution to be a unified end-to-end platform because we did have a wide range of systems out there; trying to make sure that it was able to bring in the sources and correlate the events.

      The only thing that surprised me was the logs filling up for some of the indexing jobs. Other than that, there was nothing that support wasn't able to go ahead and help us with and get resolved.

My advice to a colleague at another company who is researching a similar solution would be: Make sure you do your research. Understand what it is you're looking for in a SIEM. Have a plan of attack on what it is that you're looking for, and what you want to get out of the tool.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      it_user756303 - PeerSpot reviewer
      SYM Engineer Specialist at FIS
      Consultant
      Provides huge visibility into your network, you see everything and you see it easily

      What is most valuable?

      Visibility. Being able to see the system, see what's coming in, and being able to report on the logs coming in. Seeing what other people are doing and being able to track down quickly what is going on in your network.

      How has it helped my organization?

      We're a worldwide company with 50,000 employees, in probably 15 locations, three SOCs and four or five data centers.

It's made it quicker for us to see threats. It's an easier platform to work with. It's more user-friendly, GUI-based.

      What needs improvement?

      Easier creation of rules and parsing, and more user-friendly. A more user-friendly basis of using the tool to create rules and alarms to be able to report off of, and quickly stop any attacks and the like.

Also, more in-depth training on how the security platform works with other pieces of software like SQL, firewalls, or PowerShell.

      What do I think about the scalability of the solution?

      A ten again. It's very easy to scale.

      How are customer service and technical support?

      Great. They respond quickly and are very knowledgeable and they also allow us to be hands-on. Instead of them doing it for us, they actually teach us how to do it. So better knowledge transfer.

      Which solution did I use previously and why did I switch?

      We were using RSA Security Analytics and, before that, we were using RSA enVision. The challenges behind them were that they were very clunky, not very user-friendly, and you had to know coding, and you had to know command-line interfaces to even use them. Even on their GUI side. With LogRhythm we don't have to.

      How was the initial setup?

      It was straightforward and, like I said, a lot of good knowledge transfer on what to do and how to proceed.

      Which other solutions did I evaluate?

      IBM QRadar and RSA Security Analytics, but LogRhythm stood out because of their scalability and their interface and their user friendliness. Being able to easily navigate through the system.

      What other advice do I have?

It is very important that our solution be a unified end-to-end platform. Very important. We wanted a one-stop shop with LogRhythm. We didn't want to use anything else to record our logs and stop threats.

I would give LogRhythm a 10 out of 10 just purely on the fact they are very helpful, very knowledgeable. The software is very easy to use. Easy to learn. I came into security with no knowledge of security or how to do anything, and within a year I'm an administrator of the software. So it's pretty good.

I would say go with it. Hands down, one of the best security platforms I've seen. Easy to use, easy to scale, huge visibility into your network. You just see everything and you see it easily. You don't have to go search for things.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      PeerSpot user
      it_user756429 - PeerSpot reviewer
      Senior Security Engineer at Augeo Marketing
      Real User
      It takes good log sources. Needs more integration between the web console and the thick client.
      Pros and Cons
      • "Provides visibility into the network."
      • "I would probably look for more things to go into the web console that is currently on the fat client."

      How has it helped my organization?

      It takes good log sources. We have investments in endpoint protection and Mail Gateway, and our firewalls are going to be catching up soon. To have all the logs centralized, we haven't had that before across the enterprise. We had it logging at one or two locations, but this is the first time this year that we actually had all the logs go to one spot and be able to have alerts and alarms set up.

We use CrowdStrike as our endpoint, so we are in the process of getting those logs into the SIEM and we haven't got that done yet, but that's going to be a real big win, for half our logs are on the endpoints that the employees have. To have that visibility is really important.

      What is most valuable?

Provides visibility into the network. We got it for PCI compliance for the most part, and we also do SOC 1 and SOC 2 compliance, so we can show that we're secure to our clients. We have a lot of financial and other customers that care about security with the kind of business that we do. But we're looking at it to do SOC Light, not 24/7, but we want to have visibility into everything that is going on in our network, be able to respond, and do incident response using LogRhythm as our main console.

      What needs improvement?

      Our key challenge is working with disparate IT groups. We are a brand new security team within our organization. It's a pretty small company. They have grown their infrastructure by acquisitions, so they have a lot of separate naming conventions at each location, different staff, different log sources, and firewalls, which are different at each location.

It has been a challenge. This has been one of the first applications that we've had. This and a couple others that security teams brought in recently that work across the enterprise. So, we've had a lot of challenges just getting AD or DNS to work, real basic stuff.

      Then, also the log sources for the servers, we didn't have a lot of the logging enabled, so we had to kind of go back and then we had to enable a lot of logs using GPOs, working with our IT, and actually doing a lot of the work ourselves, because challenges are resources. There is so much work to do and not enough staff.

I did see a lot of the web console features coming up. I think those are dead on, exactly what's needed. A lot of them had to do with better case management and more sorting, going through your alarms, and drilling down in different ways. I think that is really important.

      In terms of improvements, I would probably look for more things to go into the web console that is currently on the fat client. I think that is the trend. I think that is what LogRhythm is doing. I find myself going back and forth between the web console and the client console and I probably spend more time in the thick client and it'd be nice to just be in one.

      LogRhythm is really on track and they're doing a lot of things very well. In some other areas, particularly with the UI, how things are done administration-wise and a little bit on LogRhythm University, some improvements are needed. There are some challenges with registering for classes and taking them.

      I was not completely satisfied. I wasn't really sure what classes to take. I did not feel like I had the direction initially to understand how to deploy LogRhythm. When you get LogRhythm out-of-the-box, there are so many knobs to turn and so many things to configure and set up, that it's almost impossible to do it on your own, as an enterprise senior engineer. I have a lot of experience with a lot of advanced tools and I find LogRhythm very challenging. I do not think we really could have gotten where we are without Optiv coming out for a week and spending time setting up the appliance and optimizing it the way it should.

      There are some improvements that could be made to make it easier to use.

      What do I think about the stability of the solution?

      We haven't had any issues. I believe we had an alarm for a service restart, it kind of self-corrected itself. Something I noticed, but other than that, it has been rock solid.

      What do I think about the scalability of the solution?

      I am not even using a quarter of the resources on the appliance today, and that's good, but we still have some log sources that we are still enabling.

      We got our biggest ones in there, except for Mimecast and CrowdStrike, so that will add quite a bit. Hopefully, it won't be an issue for us right away. My impression is that there's all sorts of ways to expand and build out.

      We have an all-in-one appliance, but I'm fully aware that you can spread out the functionality, so we'll keep an eye on it. I feel like for our size organization, we're growing fast. We had double-digit revenue growth year-over-year for the last seven years. We are growing really fast, so I anticipate it will be a problem eventually, but not in the foreseeable future.

      If they're a super, large enterprise company, they might want to weigh having a LogRhythm infrastructure that is spread out.

      I am not completely convinced that LogRhythm scales to the highest, largest size enterprises. I really do like IBM QRadar, I think it is one of the best SIEM solutions. If it was a larger enterprise, I would maybe have them go head-to-head.

      How are customer service and technical support?

      We have used technical support. The last issue that I opened was because I didn't have the correct parsing support for our Fortinet firewall at our main locations.

The version of firewall we're on is not very new. It's actually a year and a half going on two years, and it wasn't supported. We opened up a ticket, but it was already a known issue, and they did eventually release the parsing. We're seeing all our logs now.

We get pretty much same-day response from them. I've opened up a total of two or three tickets, and each time it was right away. Their support is good.

      We did buy the XM appliance, the 5GB, I forget the model number. We just got it, the largest one that they would sell us.

      We are not using it completely, but it's a single appliance for the LogRhythm. We have a mixture of Microsoft clients, Linux, and Mac on the PC, the laptop side. We also have a lot of 12U servers, which is a little bit of a challenge getting support.

      The other change that we made recently was upgrading to Mimecast. They don't have the integration with LogRhythm yet but it's coming. I just talked to the Mimecast SE a couple times in the last few days, and it's not here yet, but it'll be here soon.

      Which solution did I use previously and why did I switch?

I had a little bit of experience with QRadar and a customized SIEM solution at my last job where we had used an MSSP environment, so really a lot different scenario, and you didn't really get to work with the clients directly upfront and control the log sources. Now, I work at an enterprise that is slowly gaining control of everything, and that is a lot better.

      We chose LogRhythm because in the Minneapolis area, the security community is pretty close and there are a lot of other customers and associates, like my manager and myself, who know a lot of people using LogRhythm. So, we got a lot of good feedback.

      How was the initial setup?

      I was involved in the initial deployment and setup.

We had some challenges. The problem that we ran into is that, without doing a lot of due diligence, management decided to deploy LogRhythm in the cloud on AWS, because we're going in that direction for a lot of things, so we had Optiv come out and do the installation and set it up for us, letting us drive, control the mouse, the keyboard, and so on. We ended up discovering that it would be $100,000 a year to have the virtual appliance in AWS just for the spec requirements and we pulled back on that. It was cheaper just to buy an appliance basically. The cost for one year almost paid for the appliance that we got.

      We lost a few days of consulting time. Because of that, we had to delay the project a little bit and start over. Then we realized that once we did start getting all of the agents and logs coming in, we were not seeing all the logs that we needed. Then a lot of the log sources that we really needed weren't there yet because of our infrastructure challenges.

      That was a learning experience, knowing what it takes to install a SIEM from scratch:

1. Have your inventory down.
2. Understand your network infrastructure challenges upfront.
3. Appliance versus cloud: really understand the pros and cons of that.

      I know when we spoke to our sales engineer (SE) that there were very few cloud implementations. It is still pretty new. They tried steering us away from it and we didn't listen. We probably should have listened a lot better.

      What about the implementation team?

We use Optiv, and I understand it's LogRhythm's largest partner for third-party support, and we have had good experiences working with Optiv.

      Which other solutions did I evaluate?

      LogRhythm is successfully employed in a lot of organizations. We tried using another large SIEM, I won't name it, but we weren't able to even get it deployed. It was just too complex, and this was at CenturyLink.

      QRadar, it's really easy to use, but for our size organization, we only have about 270 employees. That is not a whole lot of log sources, so it seemed like LogRhythm fit into that profile a lot better for our needs.

When it comes to the SIEM, LogRhythm was pretty much our go-to. We really wanted to go with LogRhythm and we were hoping that there wasn't any reason not to. My manager and I had some experience with some other SIEMs and knew what the success rate of those was, and we also knew people who use LogRhythm and who have said good things about it. At that point it turns into, "Is the financial investment going to work out for us?" It turned out that it did. We wanted to go with LogRhythm and we're glad that we're able to make it work out.

      What other advice do I have?

      Smaller, medium-sized companies, I would actually steer them towards LogRhythm and have them look into it, then I would share my lessons learned.

It is important to have a unified end-to-end platform, but you also do not want to get vendor locked in. It's from a value perspective and a productivity perspective that it is very important.

      You do not want to be stuck with one product that then changes course or evolves. You always want to be with the leader in the market that is innovating. You want to be able to maintain that flexibility and be nimble to switch up when needed but having a real good go-to vendor, and LogRhythm seems like they are developing into that.

      There are a lot of different firewalls out there. There are a lot of different network devices and different servers. They fit their niches, and it is important from a staffing and training perspective to have fewer products and technologies to support, because it is just hard to find people that are experienced.

You have to balance it out with having the best tools to do your job, because with the challenges we face and all the security threats that are out there, you've got to take advantage of what's available. If you're using multiple vendors, then so be it, but it is a balance.

      Most important criteria when selecting a vendor:

      • Interoperability with our partners and the rest of our stack that we have.
      • Usability and access to support and documentation are really key.
      • Being able to get the value out of your investment in a security product.

      There are so many security products out there and so many tools. To be successful, you have to understand how the product works, have the documentation, and training available. That is really key. LogRhythm does a pretty good job.

      Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      PeerSpot user
      it_user756402 - PeerSpot reviewer
      Cyber Security Engineer at a healthcare company with 1,001-5,000 employees
      Vendor
      I am impressed with their support. We ran into issues where it was not parsing correctly.
      Pros and Cons
      • "It supports most standard log sources."
      • "It will definitely help if the parsing side would be much easier, meaning it would be better if we could easily make adjustments on the parser, both on standard and non-standard log sources."

      How has it helped my organization?

      • Lower personnel requirements
      • Improved vendor support services
      • Ease of use

      Key challenges are lack of personnel to manage LogRhythm. We are a small shop and we don't have a dedicated person to really manage LogRhythm, so our goal is for us to go to a level where we are doing a lot of automation.

      What is most valuable?

      • The SmartResponse piece of it.
      • It supports most standard log sources.

      What needs improvement?

      We were having some challenges initially, especially ingesting those standard log sources. We ran into issues where it was not parsing correctly. That wasn't our expectation, because we considered them standard log sources, but there was some issue with parsing our logs.

As far as adding log sources, it is not as straightforward. At the same time, for granting access, we have noticed it's not using AD groups. It's more of the organizational unit in AD.

      It will definitely help if the parsing side would be much easier, meaning it would be better if we could easily make adjustments on the parser, both on standard and non-standard log sources. The way it works right now, it looks like we have to engage LogRhythm in order for us to make adjustments on the parser.

      What do I think about the stability of the solution?

In a two-month period, we had one hardware issue, which might not be LogRhythm-related. It might be on the hardware side. It's fairly new, so we were expecting that to happen, the actual failure on the platform manager (PM) side.

      What do I think about the scalability of the solution?

      I think it's scalable. So far, we haven't really reached the point where we can say, "Yeah, we can definitely expand the use of it."

      How are customer service and technical support?

      They're pretty good. I'm impressed with their support. It has been easy to reach the right person.

      Which solution did I use previously and why did I switch?

      We are migrating from a different product (Curator) to this product, and we think LogRhythm is better than the older product that we were using. We were looking for a solution with scalability and ease of management. Also, Curator is more expensive.

      How was the initial setup?

I was involved in the initial deployment and setup. I have used another SIEM solution. It's not easy, but it's also not that complicated to set up.

      What's my experience with pricing, setup cost, and licensing?

      Look for whatever will give you the most value. That's the main point. It is not one size fits all.

      Which other solutions did I evaluate?

      Splunk. Cost is the main reason LogRhythm stood out.

      What other advice do I have?

It is important that the solution be a unified end-to-end platform, especially because we are a small security group. If we can have it in one pl