
Netsurion EventTracker Overview

Netsurion EventTracker is #13 ranked solution in Log Management Software and #15 ranked solution in top Security Information and Event Management (SIEM) tools. PeerSpot users give Netsurion EventTracker an average rating of 10 out of 10. Netsurion EventTracker is most commonly compared to IBM QRadar: Netsurion EventTracker vs IBM QRadar. The top industry researching this solution is professionals from a computer software company, accounting for 31% of all views.
What is Netsurion EventTracker?

EventTracker by Netsurion is a co-managed security solution that delivers actionable security intelligence that empowers organizations of any size to effectively detect and respond to insider threats as well as advanced cyber criminals.

Netsurion EventTracker defends your organization against advanced threats and streamlines IT compliance management by converging multiple layers of security technology such as SIEM, EDR, UEBA, IDS, and more. Most importantly, we augment the technology with our 24/7 SOC for continual monitoring, threat remediation, and system tuning. With EventTracker, you can orchestrate all the critical capabilities needed to predict, prevent, detect, and respond to cybersecurity incidents. We monitor for anomalies and suspicious network activities and respond with built-in response rules to block or terminate harmful activities. 

Netsurion strengthens your security defenses, controls costs, and optimizes your team’s capabilities to respond quickly with a single end-to-end solution. We increase your efficiency and effectiveness by reducing false positives and enabling audit-ready compliance reports. Netsurion provides a comprehensive, scalable platform for security monitoring, threat detection and response, and compliance – as a software solution, in the cloud and on-premises, or as a co-managed solution that augments your IT team.

Netsurion EventTracker was previously known as EventTracker SIEMphonic, EventTracker Essentials, EventTracker Log Management, and EventTracker Security Center.


Netsurion EventTracker Customers

The Salvation Army, The FRESH Market, Pacific Western Bank, NASA, American Academy of Orthopaedic Surgeons (AAOS), and Talbot’s Stores


Netsurion EventTracker Reviews

John Bandy
Chief Information Security Officer at Samford University
Real User
Real-time alerts and managed services reports give me a view of the landscape, things that might have slipped through the cracks
Pros and Cons
  • "The real-time alerting for things such as people getting dropped into a VPN group or the domain admin group — things like that which really shouldn't happen without proper change management, but we all know the reality, they do from time to time — gives me real-time visibility into what's going on."
  • "They have what they call Elasticsearch which is very quick, although that's only available for the last seven days' worth of data. It used to be that, if I wanted to do a search from three days ago, it might take me 10 to 15 minutes because it had to actually unzip some archive files. So I really like that feature. It's almost instantaneous for anything within the last seven days."
  • "With version 8, there are quite a few things. The query tool was one of the big ones, and the query speed was one of the big ones, but they've made some great strides between versions 8 and 9. There were also issues in version 8 around the ability to get the data back out. It's one thing to collect data, but it's a whole other thing to be able to present it or run it in a timely manner. The old tool, depending on how far back I was looking, might even time out and I would have to run it again."

What is our primary use case?

We use it for real-time alerts for things like domain admins being added. And we have the managed services provide weekly reports for us for VPN logins, after hours logins and several other similar alerts. 

And of course, at any time I can do individual investigations and searches on interesting traffic that might be reported to me by EventTracker or that we find on our own.

How has it helped my organization?

The solution saves me at least half an FTE, some 20 hours a week. If I didn't have the managed services, I would have to have another half an FTE just to do the work that they do for us.

EventTracker has assisted our server administration team as well. If they're having software problems or access problems or the like, they have the ability, with all the logs now centralized in one place, to go to one place and do those searches, rather than to go individually, server by server by server, and try to figure it out. 

It's also tied into our enterprise firewall, which is Palo Alto. It really helps them in their troubleshooting time if they're having an issue. 

There are three aspects in which EventTracker is very helpful to our organization. One side is the information security side, where it helps us quickly investigate an incident, including false positives. A second aspect is operational efficiency. It would really take a lot of time to try to figure it out server by server, but with EventTracker they can go to one place which has all those server logs. The third aspect is log archives. Once it makes it to EventTracker, they can keep local log storage space pretty low and don't have to burn a lot of disk space on the local servers.

I also feel that EventTracker has better integration. Almost any product could integrate with just about anything else, given enough time and resources. But that's part of the managed services that we contract with EventTracker. We have integrations into Sophos (for antivirus), Office 365 (for email), our enterprise firewall (Palo Alto), and our Cisco networking equipment. So we've got all the critical infrastructure pieces integrated, and all of those were out-of-the-box integrations that I probably could have figured out if I had enough time. But I tell them what I'm trying to do and either they have a white paper which gives me one, two, three steps to do it, or they actually take over. I give them a service account. They take over, they do it, we do some testing and we go live with it.

Everything we have is a real-time feed. We don't have anything that is just batch and then it reads it in later. Especially on those real-time alerts that I mentioned, I know about each of those literally within minutes after it happens, because it's a real-time feed. The alert fires and sends me an email or a text, whichever I have set up.

We're also very impressed with EventTracker SIEMphonic. That's what they've renamed their SIEM tool. We use it quite a bit now. They've got something called potential insider threats that we look at daily. Those are things like account creations and the like. A SIEM tool doesn't necessarily know, just because an account is created, whether it should have been created or if somebody created it to try to hide their tracks. Also, seeing things like logs being cleared on servers has been very helpful to us. We would have no other good way to get visibility into those types of things. An extension of that is the alerts that we talked about. It's really been invaluable for us to get insight into our environment. There'd be no other way for us to really get that without either SIEMphonic or one of its competitors.

What is most valuable?

Really, all of the features are valuable. Probably the most valuable are the real-time alerts and the weekly reports. They would like to send me the reports daily, but because I'm a one-person shop, I just don't have the time to pore through them. Those weekly reports really give me a view of the landscape and of things that might have slipped through the cracks.

The real-time alerting for things such as people getting dropped into a VPN group or the domain admin group — things like that which really shouldn't happen without proper change management, but we all know the reality, that they do from time to time — gives me real-time visibility into what's going on.

I do like, with version 9, that they have what they call Elasticsearch which is very quick, although that's only available for the last seven days' worth of data. It used to be that, if I wanted to do a search from three days ago, it might take me 10 to 15 minutes because it had to actually unzip some archive files. So I really like that feature. It's almost instantaneous for anything within the last seven days. I can go back as far as I have archived, which for us is a set of six months. It all depends on how much you want to store. We store one semester's worth of data. That real-time, very quick access is very helpful for our workflow and the ability to investigate things.

Also with version 9, the overall UI is much better. It's more like Splunk, which is one of their competitors. It has more of that kind of look and feel. You literally drag and drop different fields and elements that you want in your reporting. And with that Elasticsearch, where it's almost instantaneous, it's so much more helpful. Their old query tool was okay, but it had the old look and feel. You picked the field you need and you chose an operator like "equals," etc. This new look and feel really is drag-and-drop. It's so much more modern and very useful. It makes it very efficient if you're looking for something.

What needs improvement?

With version 9 there are so many areas where they changed the look and feel and it is so much easier. I really don't have anything that is a pain point or that I have to work around or that I would like to be a little better or easier.

With version 8, there are quite a few things. The query tool was one of the big ones, and the query speed was one of the big ones, but they've made some great strides between versions 8 and 9.

There were also issues in version 8 around the ability to get the data back out. It's one thing to collect data, but it's a whole other thing to be able to present it or run it in a timely manner. The old tool, depending on how far back I was looking, might even time out and I would have to run it again. 

We don't have any of those issues with version 9, as long as we're staying within that seven-day window. You get outside the seven-day window and it still performs the same sort of way. And it's not EventTracker or SIEMphonic's fault; it's just the way they store the data and have to be able to open the data back up. But the look and feel of the query tool is still exactly the same as it was. It's just a matter of whether you are looking at that real-time, very quick access, or you are looking at more of an archive-type.

For how long have I used the solution?

I've been using EventTracker for about four years.

What do I think about the stability of the solution?

The stability has been really great.

On the older version — and this might have even been with version 7 — we had one or two instances where we had a problem logging in with our Active Directory account. We never really got a lot of details, but I can tell you that in less than 15 minutes they had it corrected. They have VPN capability as part of the managed services to be able to get in anytime they want. That VPN capability has two-factor authentication on it. We opened a ticket with them, told them what was going on, and they came in via VPN and corrected the situation.

We did have this issue twice, about nine months apart. But we have not had that problem in version 8 or 9. I don't know if it was something within the server configuration or something else. Other than that, we've never had any stability problems. 

The query timeouts, again, were just due to the sheer volume of data that we were trying to extract out of the thing. It was something we were able to work around. We could do a couple of extractions and bring them back together. It wasn't anything that was a big pain for us. It was a little bit of a learning curve and understanding.

In the early days of it we were really trying to get everything. But they were really great and said, "Well, that's great, but after you get everything, then you've got to pare it down anyway. So why don't you just build your query in a way that is smart enough to get only what you really want to begin with. So when you do get your extract, it's ready to work on." That was part of a learning curve for us and their suggestion really helped out a lot.

What do I think about the scalability of the solution?

We haven't had any big problem with scalability.

When I got here, we were keeping a year's worth of data. The reason we're now only keeping six months instead of a year is our own backup speeds and/or how much disk space it's taking up. We talked to our CIO and several senior leaders. Everyone was comfortable, as long as we could go back and investigate within the same semester. We felt that reducing from a year to six months was acceptable. That also fixed our backup times which were taking so long and how much total disk it was taking up. It had zero to do with the product. It was strictly a matter that storing so much data was taking that much space and that long to back up.

Today, in our organization, it's used as needed. We may have five security incidents a month. The server admins use it for operational needs once a month or every other month. So we don't have super-heavy use here. Most of my investigations come out of those weekly reports or things that come up within the environment in real-time. There's not a tremendous need to be able to use it more often, because of the real-time alerting and those timely, weekly reports. A lot of those were custom reports that we asked them to build for us. We really get visibility right into what we want to see all the time. So we're able to address situations very quickly and not have to hunt around and figure things out.

How are customer service and technical support?

Their technical support is really good. We've got a dedicated service manager.

The only thing — and it's not a problem, but I do like to mention it — is because they are in a different time zone, it's not that they won't respond, but it depends on how severe the ticket is that I open. If it's anything much past noon or 1:00 p.m., I know because of the time difference that it's going to be the next day before they get back to me, unless it's something that's really hot.

They do have 24/7 coverage, but unless it's something that's really down or a real issue, if it can wait till the next day, you won't necessarily be able to get somebody on the phone that afternoon. The great thing is, I start at 7:00 a.m. Central anyway, so there is overlap for five hours of my time and that's been sufficient.

They have U.S. sales, but not necessarily U.S. support, but that's okay. It hasn't been a problem.

It's not hard to escalate when necessary. If I send a second ticket or ask for some kind of update, that dedicated service manager responds pretty quickly. Most of the time, he'll actually be calling me and seeing what else they can do. They've been really great about turnaround speed and communication.

EventTracker's SOC team is who I report my issues to if I want to open a ticket. It's part of the managed services but it's not the only piece of that service.

How was the initial setup?

When I got here, the CISO before me was retiring, and he was about 75 percent of the way through the implementation. I did about the last 25 percent of the agents. So I can't really speak to the setup.

But I can speak to upgrades, and those have gone seamlessly. That is part of the managed services that we contract with them. They do all the upgrades for us and make sure they perform correctly and make sure all the agent endpoints upgrade correctly. And if they don't upgrade correctly, they have to take whatever actions are necessary.

But I don't see why the initial setup wouldn't have been fairly straightforward, because of everything else I've seen in the tool. They seem to have really good documentation and they definitely have really good support staff, if I've got any kind of questions or problems at all.

The time an upgrade takes depends on if it's a major or a minor. If it's a minor upgrade, like a 0.1-type of upgrade, those usually take place overnight. Their headquarters are in Europe, so by the time I get into work at 7:00 a.m. Central, the smaller ones will often be done. Otherwise, they'll give us the outage window, and it depends. The 8.0 to 9.0 was almost like a forklift. It was almost like a whole new product. That one took six to eight hours.

But the great thing, the way their product is designed, is if the endpoints can't deliver their logs, they will just keep on collecting them locally. As soon as the server comes back online, they deliver them. I never lose anything. It's just I didn't have the ability to query during the upgrade period. That's another thing that's wonderful. It's not like I have some little moment in time that I sure hope something hasn't happened, because I don't have visibility. I do have visibility. It's just a matter of whether it is actually in the query tool yet or not.

When I first got here, we had some problems pushing out some updates and we never did really resolve it. It was something within our environment. They don't have that problem in other customers' environments. But they came up with a workaround. They're responsible for doing those, and it's been flawless.

We didn't have a competing product. This solution was just slowly pushed out to the various things that we wanted to collect data from. Initially, all of our on-prem servers had agents installed, including various versions of Windows, Unix, and Linux-type hosts, as well as to our networking equipment and our firewall. Some of those things collect syslogs, while the Windows boxes, for example, have a real agent on them.

The process was that the console was stood up and we slowly went after our prioritized endpoints. Things like our domain controllers were first. We slowly moved down the priority list until we got to the low-value assets. Those were the ones that I implemented. So the critical components were already in place when I got here.

What was our ROI?

We feel that we're getting a real ROI. Between having the managed services and having the product on-premise, we feel like we're almost getting the managed services for free. They've given us a very good price.

Based on industry standards, it's saving me at least $25,000 to $30,000 a year.

What's my experience with pricing, setup cost, and licensing?

If you look at competing products, EventTracker is less than 50 percent more expensive, and I pick up all those managed services. I pick up half an FTE without having to pay benefits.

Which other solutions did I evaluate?

I don't know the reasons why they put this in right away, because we were in a three-year contract — but at the end of that three years the price was going up. I don't know that we had done the math on it before, and we thought, "Whoa, wait a minute."

So I actually did look at AlienVault, which was a good competitor technically, but I could never find anybody who could give me any decent price to help with that managed service. So either I was going to have to pay a lot more, and sometimes upwards of double what I'm paying EventTracker, or I was going to have to hire an FTE to do it. There's no way that that would work out financially. When they heard that we were shopping other products, we negotiated with them and they came back and agreed to put a cap on the price. We've been thrilled with that. It's worked out really well.

Compared to others, EventTracker also has even more services. We have bi-monthly calls, reviews of what happened in the last 2 months, including things that might still be outstanding. They've reported things to us and we'll say, "Hey, we need an update on this." Or, "Are we closing this issue?" They bring those things up every other month. There are a lot more things that we could license if we could afford it. We would love to license all of our workstations. It's not that they're trying to price-gouge, it's just the size of the environment. And you have to determine what other tools, besides a SIEMphonic-type tool, you want. We've been pretty happy with what we've been able to deliver.

One thing that differentiates EventTracker is that they have the total package, or as much as you want. They can run the thing for you, as they do for us. They can offer all kinds of different services beyond just the SIEMphonic services. They're also a much more robust company and one that offers a lot more than somebody who's competing for just any single item that they offer.

When we were negotiating the price, we had bought more licenses than we really needed for our servers. But you can slice and dice and change things up. Even within the managed services, they can run the weekly reports for you or not. They can do the upgrades for you or not. They can do the bi-monthly calls or not. There are all kinds of different things they can do. So we right-sized those services and "trued-up" our licenses to what we really needed, with a little bit extra for growth. We came to a good agreement. It was a bit of a win for them. We gave up a few things that we didn't really need anyway and we were able to maintain our level of service that we had had and had come to expect.

What other advice do I have?

My advice is to get your PO out and make a purchase. I have referred several other companies. I'm involved in several security organizations and it really is one of these diamonds in the rough. I know they have US sales but I think they're a lot stronger over in Europe. I think they're a little-known, hidden secret in the U.S. I know they're in the industry review reports, but I don't think they get the press and the prestige that they should, because they have a really excellent product.

Of course, certain government organizations can't do business with support overseas; there can be limitations. But I'm definitely an evangelist for them. We really like their product and plan to keep it for a long time, provided, pricing-wise, it doesn't get out of hand. But I think we've reached a good agreement that we can all live with. We definitely feel like we're getting value for it. We have no problem writing the check every year.

This is the first time I've really worked, on a regular basis, with an overseas-support vendor. The biggest thing was getting our support hours lined up. I don't want to sound like I'm dissing them, that if we were in a world of hurt and had something that really had to be taken care of that they wouldn't respond to that. But we had to adjust our workflows knowing that, if we really need to get them on the phone, our morning is the best time to do that.

Other than that, the convenience of it, being able to think of how else we can use it and what other kinds of data we could send to EventTracker to help us out, has been instructive. For example, we have a mail product called Proofpoint that actually front-ends our email and pulls out spam emails and those sorts of things. We were able to send over the logs from that and look for any emails that were going to more than a hundred recipients. And EventTracker could give us real-time alerts, and that would often tell us if an account was compromised. So there are unique ways like that to think about using it. What are some of the things we're trying to track down that we could send over to EventTracker and have them alert us on in real time, so we don't have to run a report or figure out, three days later, that something went on? We can find out right in the heat of the battle what we need to do.

EventTracker's dashboard is probably good. I don't log into the console every day and I don't use it operationally, in the way some people would if they didn't have those managed services. So dashboard-wise, I don't use it as much. I do use their intrusions worldwide map from time-to-time, but beyond that, because I don't get into the console on a regular basis, it's not as useful to me. But I feel like the console would be very powerful with the widgets they can add to it. They've demoed it for me but it's just not the way my workflow is.

I usually view EventTracker on just a single, 23-inch Windows screen. I don't have any real-time thing running all the time. I strictly use it on a desktop.

In terms of deployment and maintenance of the solution, we don't have anybody additional here. There was a CISO that I replaced and everything else was from the managed service side. We do have one system engineer here who maintains the box, the virtual server that it runs on. But that is a part-time responsibility. He really hasn't had to get involved since I've been here. So there has really been no additional staff. It was just an additional tool that was put into the environment and one that is a tremendous asset for us. There are four individuals besides me who use it and they're all in the server admin group.

Version 9 was a tremendous step forward for them. I don't know how long they developed that one, but they really took the right direction with the product. 

Overall, we're really thrilled with them. If I didn't have the managed services — and it wouldn't be the product's fault — I wouldn't be as thrilled with them. But that service really takes a lot off my plate and frees me up to be able to do the other things I need to do in the organization.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
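The real-time alerts this review describes (someone being dropped into the Domain Admins or VPN group, security logs being cleared) and the reviewer's point that a SIEM cannot tell on its own whether an account creation was legitimate, as an added Python example that is not EventTracker's code or the reviewer's: a small rule set run over constructed Windows Security events. The watched-group list, the 30-minute correlation window, the host and account names, and every event record below are assumptions made for the example; the event IDs 4720, 4728, 4732, 4756 and 1102 are the standard Windows Security IDs for account creation, additions to security-enabled global/local/universal groups, and clearing of the audit log.

```python
"""Added example: toy real-time alert rules of the kind this review describes,
run over constructed Windows Security events. Not Netsurion/EventTracker code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Assumption: groups whose membership should only change under change management.
WATCHED_GROUPS = {"Domain Admins", "Enterprise Admins", "VPN-Users"}
# Assumption: how soon after creation an account's elevation looks suspicious.
CREATE_THEN_ELEVATE_WINDOW = timedelta(minutes=30)

# Standard Windows Security event IDs (the sample events below are constructed).
ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}  # security-enabled global / local / universal group
AUDIT_LOG_CLEARED = 1102


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    host: str
    subject: str       # account that performed the action
    target: str = ""   # account created or added to a group
    group: str = ""    # group name for membership changes


@dataclass(frozen=True)
class Alert:
    ts: datetime
    rule: str
    detail: str


def run_rules(events: List[Event]) -> List[Alert]:
    """Evaluate the rules in timestamp order and return every alert raised."""
    alerts: List[Alert] = []
    created_at: Dict[str, datetime] = {}  # target account -> creation time seen so far

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.event_id == ACCOUNT_CREATED:
            # Remember the creation; on its own it is not an alert (see the review).
            created_at[ev.target.lower()] = ev.ts

        elif ev.event_id in GROUP_MEMBER_ADDED and ev.group in WATCHED_GROUPS:
            alerts.append(Alert(ev.ts, "privileged-group-add",
                                f"{ev.subject} added {ev.target} to '{ev.group}' on {ev.host}"))
            # Correlation: a brand-new account landing in a watched group supplies
            # the context a lone 4720 lacks.
            born = created_at.get(ev.target.lower())
            if born is not None and ev.ts - born <= CREATE_THEN_ELEVATE_WINDOW:
                minutes = int((ev.ts - born).total_seconds() // 60)
                alerts.append(Alert(ev.ts, "create-then-elevate",
                                    f"{ev.target} was created {minutes} min before being "
                                    f"added to '{ev.group}' by {ev.subject}"))

        elif ev.event_id == AUDIT_LOG_CLEARED:
            alerts.append(Alert(ev.ts, "audit-log-cleared",
                                f"{ev.subject} cleared the Security log on {ev.host}"))
    return alerts


# Constructed sample events (not from any real environment).
T0 = datetime(2021, 11, 3, 14, 2)
SAMPLE_EVENTS = [
    Event(T0, 4720, "DC01", "jdoe", target="svc-backup2"),
    Event(T0 + timedelta(minutes=5), 4728, "DC01", "jdoe", target="svc-backup2", group="Domain Admins"),
    Event(T0 + timedelta(minutes=7), 4732, "WS-042", "helpdesk", target="asmith", group="Remote Desktop Users"),
    Event(T0 + timedelta(minutes=8), 4728, "DC01", "itadmin", target="bwong", group="VPN-Users"),
    Event(T0 + timedelta(minutes=9), 1102, "DC01", "jdoe"),
]


def alert_rules(events: List[Event] = SAMPLE_EVENTS) -> List[str]:
    """Names of the rules fired for the events, in time order."""
    return [a.rule for a in run_rules(events)]


if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.ts:%H:%M} {a.rule:22} {a.detail}")
```

The membership change on WS-042 raises nothing because "Remote Desktop Users" is outside the watch list, while the same operator creating an account and then placing it in Domain Admins five minutes later fires both the plain group alert and the correlated one. In a real deployment the watched-group list and window would be tuned per environment, and the alert would go to the e-mail or text channel the review mentions rather than to stdout.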
Mark Lauteren
Chief Information Officer at ECRMC
Real User
Gives us a good quality view of what's going on in our environment
Pros and Cons
  • "There are a host of things that are most valuable. Obviously monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird."
  • "Communication is always something that can be improved, but I feel that any time we've had a communication issue, it's quickly addressed when we bring those up at the monthly meetings. Usually, it's an individual that wasn't clear in the communication, it's not the process per se. You always have to be able to segregate if the process didn't work or an individual either didn't say the right thing or my people didn't understand what they were being told."

What is our primary use case?

EventTracker analyzes all of the different types of security events, it both aggregates and correlates. They send us a daily report of things like servers that aren't responding that normally respond and any kind of events that they see from the day before. If there is a serious perceived security event, they will call. I have two folks at InfoSec, so they will call directly and say, "Hey, we're seeing something here." Then between the two of them, they'll try and identify whether it is a true event or not, and then monthly, we sit down with them on a call where we talk about what's going on and if there are opportunities for improvement.

If there was an event that we felt they shouldn't have escalated to us then we'll let them know and we'll talk about how it could have been avoided or vice versa or if there was an event that we didn't get escalated but it should have been. We don't get a lot of those, mostly it's about, "Hey, we're adding this new device, we want to make sure it's on the list, so it's getting monitored", and things like that.

How has it helped my organization?

EventTracker enables us to keep on top of our work. We're a hospital, so we're 24/7. We don't have enough staff to do that, so they're able to monitor things off-hours, and then even during hours I get two people from InfoSec. They can't be sitting there staring at a screen all the time, they have to go out and do other things and attend meetings, etc. and so they're able to rely on the tool to correlate and then notify them either via pager or phone call if something comes up that is deemed to be important enough to be notified. That's huge for us because we don't have the budget from a staffing standpoint to have people on-site 24/7.

Back in the day, I used to work for Intel and we had a whole room full of people who just sat there and stared at the screen for events. It was in their data center group. We don't have that kind of staff. The only people half staring at a screen all day long are the call center, and they're the ones who take tickets and talk to end-users but they don't have the time to sit there and monitor the event logs and all of the other things. That's the value the tool gives us. I can have people doing real work and then things that need to be escalated are escalated. It saves us roughly two full-time employees. It cuts my team in half. 

EventTracker also helps us with compliance mandates. The tool helps us document that we're following best practice, that we're identifying issues and tracking them, and that we have logs of what issues were identified. That allows us to be able to show a lot of the documentation that we are really doing best practice. I just don't physically have enough team members to do that. This allows me to be able to provide that 24/7.

It's not just a tool, it's a service. The secret sauce is not the tool. I could buy a tool from a dozen vendors. I have a tool to be able to aggregate and correlate all of these events and send something to a screen. But if I still have to have somebody sitting there staring at a screen all day long, that's valuable but not as valuable as someone that has a team, that is an essential SOC, that is aware of what's going on in the world and is saying "I'm seeing this in seven places, including El Centro, let's get ahold of El Centro so they can start taking action on it."

There's nobody that's dedicated to internal incident management. I have two information security folks and they do everything from internal incident management to designing new implementations, to reviews of existing annual information, and security audits. They do all of that, but they don't sit there all day long, staring at a screen, looking at incidents, and trying to figure out what to do. That's the value that we get out of it. That's the extra value.

What is most valuable?

Monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird.

I like the dashboard. Our security folks look at it all the time. They have it running, they have a big screen monitor in one of their offices and it's up all the time.

I don't use the UI very much but from what I've been told by the security team, it's very easy to use. Compared to other products, the team found it pretty easy to use. We've got the dashboards published on a large screen TV so they can look at it all the time, and then they typically have it on their desk. It is also available on smartphones.

We import log data into EventTracker. It feeds the overall picture of giving us a good quality view of what's going on in our environment.

What needs improvement?

Communication is always something that can be improved, but I feel that any time we've had a communication issue, it's quickly addressed when we bring those up at the monthly meetings. Usually, it's an individual that wasn't clear in the communication, it's not the process per se. You always have to be able to segregate if the process didn't work or an individual either didn't say the right thing or my people didn't understand what they were being told. So far, I have not understood or heard of any issues that were more process or tool-related, it's individual-related. 

The industry is changing. The landscape is changing all the time and they seem to do a pretty good job of keeping up with that. That's a challenge in information security. That's a target that doesn't just move. It moves from room to room, to room, not just a few inches, one way or the other. You're constantly changing. You're chasing a moving target that's really moving. It boils it down to here's what we think is going on versus our people. If all they did was keep track of what was going on in the industry, that's all they'd do because I only have two people.

For how long have I used the solution?

I have been using EventTracker since I have been at my company for the past year but it's been at my company for several years. 

What do I think about the stability of the solution?

It is as stable as a rock. I have not heard of a single outage on it.

What do I think about the scalability of the solution?

We haven't scaled it out to anything other than what we had. They've done a pretty good job of implementing it. Since I've been here, we've had a virtual server primarily here and there, but we have not done a lot of scaling out. There hasn't been a discussion about what limitations there would be.

It monitors all of our infrastructure, all of our servers. It's being very extensively used. As we grow those, we're getting ready to open a new building early next year, all of the equipment that goes into that building will be added to it.

We fully implemented it so I don't know that there's a lot other than organic growth that would need to be done.

How are customer service and technical support?

My InfoSec team talks to support occasionally. There have been a few cases where they saw something they didn't quite understand, so they would call and ask for information, but it's been few and far between. I have not heard of any issues with support. I heard that their experience with them has been good. 

Which solution did I use previously and why did I switch?

At a previous company, we used a different tool. It was a much more encompassing tool that does a bunch of different event monitoring, correlation, and aggregation. It was a management suite that did things like backups as well. I know when we implemented it at Intel, it was atrocious. The problem was the process. We had tens of thousands of servers and we implemented the tool and we turned everything on. Events scrolled by the screen so fast, you couldn't even see them. We had to say, "Well, wait a minute. Let's dial this back a little bit." They also didn't do a good job of aggregating or correlating. 

The main difference between that tool and EventTracker is the ease of use. That tool was all CLI based. Everything was command-line based. The syntax that you had to use with that CLI was very challenging and very specific. If you thought you were doing the right thing but something didn't work, it wouldn't warn you that you didn't do it right.

How was the initial setup?

I have not been told that there were any issues when it was implemented. We have not done any major upgrades since I've been here. We've done incremental patch-type things but I don't know of any issues.

I did hear it was relatively labor-intensive, but that's because of all of the processes around the communication, like what gets communicated and what doesn't. That's to be expected anytime you're doing a lot of workflow work, that takes time.

There's daily maintenance in that they're responding to events or they're working on the tool. There is very little done as far as trying to make changes to the tool itself. Our information security team does respond to events. It's a chunk of their time. We don't have to spend a lot of time at all tweaking the tool. I wouldn't say we spend even an hour a day.

I have two people in InfoSec and a couple of people in my network team that review it. My help desk people will review it but they don't really use it per se. They'll see events and that's it. Most of the time that really goes to the information security team.

What was our ROI?

Our ROI is $160,000 a year before overhead, then adding in the overhead of 30 to 40% with benefits and everything else, it's easily over $200,000 a year.

What's my experience with pricing, setup cost, and licensing?

They've been very fair. I think that we've had to push back a little bit here and there on pricing. 

What other advice do I have?

The biggest lesson I have learned is that the outsourcing of this service has a dramatic impact on the organization. We can't just keep throwing bodies at it internally, we have to leverage somebody else's knowledge.

Some people don't trust outsourcing. I'm not a big outsourcing guy. But I really don't treat them as an outsource, I treat them more as a partner. You're going to have to do this one way or the other, or you're going to get nailed at some point. That's just the way it is. If you're not following these things, you're going to get nailed. If you trust them and you realize that they're doing things that you should be doing or are doing, you're going to save a lot of money. It's going to be cost-effective for you. It won't just save money, it will be cost-effective.

I would rate EventTracker a ten out of ten. 

Having dealt with a lot of vendors and their sales, they are probably one of the more low-keyed. They're not out there constantly trying to sell me stuff. I don't know if it's because we have everything so there's nothing left to sell or not, but they've been very easy to deal with. Their leadership and their sales organization have been very easy to deal with.

Which deployment model are you using for this solution?

On-premises
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.