IT Central Station is now PeerSpot: Here's why

Netsurion Managed Threat Protection OverviewUNIXBusinessApplication

Netsurion Managed Threat Protection Buyer's Guide

Download the Netsurion Managed Threat Protection Buyer's Guide including reviews and more. Updated: July 2022

What is Netsurion Managed Threat Protection?

Netsurion® Managed Threat Protection is a managed open XDR solution that delivers greater attack surface coverage, guided threat remediation, and compliance management support. Our 24x7 SOC operates as your trusted cybersecurity partner, working closely with your IT team to strengthen your cybersecurity posture so you can confidently focus on your core business. Our smart, flexible packaging allows small- to mid-sized organizations to access​ advanced cybersecurity solutions at the most cost-effective price.

And Netsurion Managed Threat Protection is MSP-ready to protect your business and your clients through multi-tenant management, Open XDR to work with your existing security stack, and “Pay-as-you-Grow” pricing.

Netsurion Managed Threat Protection Video

Netsurion Managed Threat Protection Pricing Advice

What users are saying about Netsurion Managed Threat Protection pricing:
  • "We put together the package of what we needed. It was based pretty much on the number of agents that we were deploying. If we needed to manage logging from certain specific applications, like Active Directory and SQL Server, there has been no additional cost for that. We had agents deployed for those specific servers and the applications were included, then there was just an additional installation that they had to do for us."
  • "Netsurion's pricing is competitive. At the same time, they're the only ones who do what we want to do the way we want it. I can't say we would've paid more, but we would've had to have come up with our own solution if they weren't providing that."
  • "Our budget follows the calendar year. We just started a new budget year at the beginning of the month. We did budget for an increase in our threat management system selection. Therefore, we have the budget to implement and accommodate a threat management system change, including an increase for the quoted actions that we received to improve EventTracker. We are just waiting on our council to approve that budget, which might not be for a little while. Hopefully, when they do, we will be able to jump on doing something."
  • "You are paying for different levels, especially as far as the monitoring goes and how often you review it with the team. The other factor that figures in is how many nodes are on your network, such as clients, network equipment, servers, etc. There are some additional pieces on top of that, but it's laid out pretty simply, as far as how much you're going to pay for a node."
  • "We have seen time and cost savings. It prevents us from having to hire specialized people for this type of work. We would need to hire six staff members to accommodate the same service."
  • Netsurion Managed Threat Protection Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Randy Carr - PeerSpot reviewer
    VP of IT Systems at Carteret-Craven Electric Cooperative
    Real User
    Top 20Leaderboard
    Takes the load off of our systems administrator from having to manage, vet, and analyze logs
    Pros and Cons
    • "When I looked last week, we probably averaged about 20 million log entries a day. So, we certainly can't individually manage that. Just looking at the reports, then trying to go back and find anything that was questionable, was a challenge. Therefore, the managed service has been invaluable to us in terms of being able to narrow the scope of what really needs to be looked at and bringing those things to our attention to be dealt with."
    • "I would like to see a faster response when we see things like 15,000 lockouts. I really wished that I had known that on Friday afternoon rather than waiting until I got the weekly report today. By the same token, they are looking at it from the point of view that this is a system or software malfunction. This is not a bad actor repeating the exact same password three times a second. Therefore, they can tell that this is not a bad thing. However, it's not a security event but it is an operational event for me. Knowing this sort of thing would help my team and me out more because then we would be able to clear out a lot of network traffic that we didn't know was going on. So, we would like quicker updates on non-high security events."

    What is our primary use case?

    Our main concern is IT security. We are looking at it from a point of view of making sure that we are fully PCI compliant. PCI is the compliance driver for us above all others. The log management, event management, and managed services are all fairly pricey services for a small business like us, but we felt the need to be able to take all the logging traffic that we are storing, then make some sense out of it. We needed someone with that expertise because we don't have a dedicated, trained security professional in our organization or in our small group. We turned to Netsurion for that service and have been happy with it.

    How has it helped my organization?

    It takes the load off of our systems administrator from having to manage, vet, and analyze logs. Even though they come out in a good format and we have reports from them, there is still an incredible amount of data moving through that system. 

    When I looked last week, we probably averaged about 20 million log entries a day. So, we certainly can't individually manage that. Just looking at the reports, then trying to go back and find anything that was questionable, was a challenge. Therefore, the managed service has been invaluable to us in terms of being able to narrow the scope of what really needs to be looked at and bringing those things to our attention to be dealt with.

    The solution provides 24/7 monitoring and alerting. When we have third-party security assessors come in and do our annual pentest and security review, they have ranked us as being a very mature small business compared to others that they deal with. So, we rank fairly high in terms of cybersecurity maturity compared to other small businesses with 75 employees, such as ourselves.

    We don't do a lot of network analysis, but it certainly meets all of the correlation requirements that we have so we can be able to spot logins at unusual times. Or, I just got a report, not 30 minutes ago, and called one of my guys, saying, "Hey, go check on this PC because it is showing 15,000 incorrect password attempts to get to the file server. What is going on?" Obviously, it's not necessarily an indication of a breach of any kind. It is an indication of some kind of software malfunction. So, we were able to look at that and get those reports, and say, "Hey, we have something that needs our attention. I have one user account hitting a file server from one PC, and we know that a password was changed on the day that started, but we also know that the password is not locked out. This helps us analyze what the real problem is, then we are able to eliminate that it is not an Active Directory problem nor a Windows problem. We know what caused it, and it's not an intrusion attempt. However, this narrows down all those issues so we can focus on where the problem might really be.

    What is most valuable?

    We found the EventTracker product to be so much easier versus our previous solution with our limited experience and expertise to be able to install and get our logs, at least to meet minimum compliance. So, we appreciate the ease of use of it. 

    When it comes to threat detection and response, it is done well. When we have our annual network penetration tests, they often will find things that are questionable and report on those things, usually within a weekly update report. So, we will normally see the events that took place. There have been instances where they have contacted us right away, but those have been fairly limited. We haven't had incidents that rose to the level of needing immediate attention very often, but they do confirm what we expect to be confirmed, which is that we have somebody doing things on our network with our permission who notifies us about it.

    What needs improvement?

    I would like to see a faster response when we see things like 15,000 lockouts. I really wished that I had known that on Friday afternoon rather than waiting until I got the weekly report today. By the same token, they are looking at it from the point of view that this is a system or software malfunction. This is not a bad actor repeating the exact same password three times a second. Therefore, they can tell that this is not a bad thing. However, it's not a security event but it is an operational event for me. Knowing this sort of thing would help my team and me out more because then we would be able to clear out a lot of network traffic that we didn't know was going on. So, we would like quicker updates on non-high security events.

    Buyer's Guide
    Netsurion Managed Threat Protection
    July 2022
    Learn what your peers think about Netsurion Managed Threat Protection. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
    620,600 professionals have used our research since 2012.

    For how long have I used the solution?

    We have been on their managed services for a little over two years.

    What do I think about the stability of the solution?

    It has been very stable. We have had no major problems with it. We might need to put in one or two calls because of an issue logging into the software. I think we had a problem one time with a disk partition filling up, which hauls a lot of data in and out. So, that is something where you just have to be aware of it, but they have always been very responsive. There have been a few times when we might have had to go in and re-enable their remote access. They always notify us when they are going to be on that server, so we are able to tell when that outside third-party is accessing the server. So, stability has been good.

    What do I think about the scalability of the solution?

    We are at a terabyte of data that we are holding right now, and we have been on for two years. We have grown to the capacity that we expect to maintain unless we begin adding more endpoints to manage or watch. We don't manage every endpoint in our environment, only the ones that we consider touch anything dealing with business security. So, it is as scalable as we need it to be, but we really haven't tested that beyond the one terabyte of disk storage.

    We may increase usage as we get down the road a little bit, depending on our circumstances and what changes. Right now, we are not looking at increasing it, but that could change.

    How are customer service and support?

    There is a dedicated team available to us. I don't call a number or leave an email, then have to deal with unknown people. Instead, it is the same folks whom I talk to every three months that host a call with us. I am grateful for the fact that these are people whom I speak to often and know our situation. They know what things are important to us. They have helped us out with some specialized reporting along the way. So, I find this gives an extra level of confidence to us that we are being looked at by people who know what is important to us.

    There have only been a few times when we have needed to address a question to the SOC, but usually those have been dealt with immediately or within the day. There have been a couple of times when we have asked for custom reports and those have gotten done. Sometimes, there is a little back and forth to really understand what it is I am asking for and have them explain to me what the capability is from the logs that they are receiving from a device. However, they have been very quick and responsive to our needs, even when it is not a priority security event.

    They are very familiar with our network and company. We have spent almost a year tuning the SIEM managed service. Since that time, we have continued to meet quarterly and talk about if there are modules that need to be installed or other products that we need to consider. We ask questions like, "Is there a way for you to be able to deliver this type of report to me?" They are very upfront about "yes" or "no".

    We have an assigned team, so they are not sending something into a help desk then hoping it goes to the correct tech, i.e., Level 1, Level 2, or Level 3. We know their team. Anytime we send something in, we copy the supervisor for that team who will make sure it gets dealt with. So, they have been very responsive with good customer service.

    Overall, I am going to give the product an eight (out of 10). It could be bigger and more mature, but then it probably would be in a niche that would have ruled them out for us. From my point of view, they are meeting our needs well. I think they are continuing to develop the product and expanding their portfolio, which is all good.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We used a competitor, Tripwire, to Netsurion for a few years prior to moving over. We found it very difficult to configure and maintain for doing in-house work. This was prior to managed services.

    We switched from Tripwire to Netsurion because of cost and complexity. Tripwire was a good bit cheaper than Tripwire. With Tripwire, we needed a third-party that helped out with making changes to it and adding additional endpoints. It just was a very complex system to set up and watch, so we made the change after being with Tripwire for a few years.

    We initially just did log management within, watching the logs ourselves. They set up the system for us. We were getting reports out of it every day and trying to look at what we thought was important, but ultimately it just proved to be too much for us internally with a staff of three.

    In our case, it was almost like we had an event management platform before with Tripwire, but we still didn't fully understand what could be done with it. You couldn't come ask me what I want to do with it. I don't even know what it did because we are just general purpose IT people here. We are not experts in this field.

    How was the initial setup?

    It is complex because we didn't really get that involved in the initial setup. They were the ones who called us, and said, "Okay, we're going to have this meeting. In this meeting, we are going to ask you a series of questions and whatever you tell us is what we are going to take care of." For example, what do you want your normal workday hours to be so we can tell that if an employee logs in at a certain time, which employees should be logging in after hours, and what systems should be talking over the weekend. They guided that discussion. It was a very easy discussion to have because they talked to us in terms of our business, not in terms of SIEM events. So, that was very good.

    The initial deployment was 90 days. We signed on in August, then there was a 90-day period where we had to make sure that everything was operational. We knew this upfront. Next, we scheduled a few meetings after that. We used those next few meetings to tune the SIEM. So, we got everything in there that we expected to have over a period of weeks. They went through everything. It wasn't like drinking through a fire hose.

    They were able to guide us, not giving us more information than we could handle. After we got past the initial setup period, we were able to start seeing reports. The first ones didn't make a whole lot of sense to us. However, over time, we were able to ask questions and the reports became more valuable because they were more tuned to our real environment. They began to suggest, "We now need to add in the connectors to SQL and Active Directory." We run an IBM i system, which is not a typical syslog or Windows event system. We were able to get that system set up and tuned with some reports so we could really look at our most critical systems from a security perspective. All of that happened over a period of time, yet it wasn't too rushed nor was it too slow.

    What about the implementation team?

    When I started looking for a managed SIEM, consultants looked over the specs and compared us with some of the bigger players. They addressed concerns that they had to me, then we dealt with those concerns in the early days of installing the SIEM. Knowing that I have a seal of approval from those consultants was very important to me, and Netsurion rose to the level of getting that approval from them. They seem satisfied with what they have seen in terms of our ability to meet all of our compliance requirements and general security needs.

    The vendor’s assistance in the onboarding process helped with the product’s time-to-value and return on investment.

    What was our ROI?

    It enables us to devote our time to other projects that demand more of our attention. We are saving about an hour a day. 

    The fact that I can walk away from this network and know that not only have I got a managed intrusion prevention system with another vendor who is looking at the edge of our network, but now I have a system which looks at the internal devices on our network. So, I have two sets of SOCs looking at what could go wrong. Between those two and our endpoint solution, I am much more comfortable thinking that if one thing misses it than another one will pick it up. So, they are part of that trifecta of products that I would expect to find a bad actor in my network. We have several other security components, but those three large products are really key to our comfort level, with being able to say, "I don't believe there is anything bad going on in my network today. If something bad did start happening, we would see it within a matter of hours, if not minutes."

    We were very careful and slow to get into this world because it is fairly expensive, but I do not regret at all being there today. I just did a presentation for our board of directors on what we do for security. That was last night. I got quite a few questions from our board. One of the topics that we discussed was event management and logging. The question that came back to me was, "What else do you need to do in order to be more secure?" So, I felt that they understood what we had done and how we had done it. They were very supportive of any other features that we needed to take advantage of. Sometimes, it is just making sure that the people in management understand the risks and what is going on in the real world. That is how you sell it to them.

    What's my experience with pricing, setup cost, and licensing?

    We put together the package of what we needed. It was based pretty much on the number of agents that we were deploying. If we needed to manage logging from certain specific applications, like Active Directory and SQL Server, there has been no additional cost for that. We had agents deployed for those specific servers and the applications were included, then there was just an additional installation that they had to do for us.

    Which other solutions did I evaluate?

    This was a lower cost solution for us. That was the main reason that we looked in this direction. When I bought a lower cost solution, I didn't expect it to deliver even the value that we are getting out of it. I talked to some of my counterparts and other utilities, who were using it, and they were very happy and satisfied with it. So, I haven't really looked outside of that box very much.

    Tripwire and LogRhythm were the two vendors who had support for an agent that could watch an IBM i system server, which is a mid-range platform server. When we went to EventTracker, we looked around at some others, but EventTracker was the only other one that we found later on that supported that integration. 

    LogRhythm would probably have been a good solution as well. However, after talking to some of my counterparts, I decided that EventTracker would be a very good solution because they spoke very highly of it. They had been very pleased with its service as well as their managed SIEM service as well.

    Netsurion Managed Threat Protection is more small business-friendly. It has been good to have a company who suggests things along the way without pushing things on us. For example, they will say, "Here is something that you want to do, but ask your auditors." My auditors can't tell me what we should be logging or watching. They can't tell me that. Maybe a Fortune 500 company's auditors can tell them that, but our auditors don't tell us that. We pay a lot of money to auditors every year, but they don't come in, and say, "Are you watching for every disabled login?" They don't give us that level of detail. Instead, I need people who understand a small business and the realities of working with a small business budget and are able to guide us on the number one, two, or three priorities, then tell me why those are priorities. After that, I can then take it back to our security auditors and financial auditors, and say, "Okay, here's what we are doing. Are we doing enough? Is there something that we are leaving out?" 

    It has been good to be able to work with people who are not high pressure on sales. They are not here to tell us that you need to do it a certain way. The door is open to whatever we want to do. Where we don't have the knowledge or experience with it, they have filled in those gaps.

    The market is moving to where vendors are trying to be the single vendor who does it all for you. Frankly, I'm not comfortable with that. I'm okay with a vendor who doesn't do every piece of my security stack, because I don't really want that company. Other people may be looking for that, but I am not one of them.

    What other advice do I have?

    It doesn't matter whether a solution is outside or inside the US. When we look at our firewall logs, most of our spam and ransomware attacks are coming from inside the US. That is where the majority of that traffic is coming from. We shut down everything from the outside that shouldn't have access. We determine who gets on our server and when they get on it. We control it as well from the outside as we would from inside the country. There doesn't seem to be any national barriers that seem to have anything to do with whether you are really secure or not anymore. Certainly, there is a lot of risk from certain rogue countries, but vendors are vendors, you just have to vet the vendor as well.

    Everything in life is a risk. You need to determine what your risk tolerance is. In our case, we take the risk of not logging every single device on our network. We don't log the laptops of the guys who work in the field all day, then come in just to do payroll. We don't care what goes on their PCs, but we do care once it touches another server somewhere. Therefore, we log those servers. It is all about risk tolerance. At the end of the day, you need to balance your budget one way or another.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Brian Stearns - PeerSpot reviewer
    IT Director at Global Connections Inc
    Real User
    Leaderboard
    The threat detection and response show you exactly where you're vulnerable
    Pros and Cons
    • "Netsurion was easy to deploy. I have worked with other systems that were a little less complex, but they weren't quite as easy to deploy."
    • "We get a report generated on a particular day of the week and we go through it, trying to mitigate problems and make sure we're seeing everything that's happening. It would be helpful if the SOC spent a little more time with us going through some of those reports."

    What is our primary use case?

    We use Netsurion to find out what's going on in our environment. It lets us know if we have strange actions acting out. It's a deny-all policy, so there's an access list on each machine. It was effortless to tune it for our software because we have four pieces of intellectual property used in-house, and that was super easy to get up and running compared to some of the other solutions I've seen. For the most part, it's set-it-and-forget-it protection.

    How has it helped my organization?

    We've been under attack since the day we opened. Our company has a web base that hosts more than 100 different websites, and we're constantly facing attacks — our mail servers too. Of course, we knew we were under attack, but Netsurion provides excellent visibility into how often it's happening and what services they were using. We had a relatively decent idea of that ahead of time, but it solidified a lot of issues we thought we had and allowed us to tailor some solutions to mitigate those issues a little bit easier than it had been when we didn't have all the actionable intelligence.

    You can't protect against what you don't know. My instincts told me certain issues were happening. There were a couple of records of it here and there, but it's easier to zero in on what you need to do if you can see what attacks are occurring and how often. It helps you identify gaps you may not be aware of. Netsurion helped shore up our security posture by verifying that some of the initial steps I had taken to protect us against some of these outside attacks were correct. I don't want to go into it too deeply, but it also showed us the usefulness of some best practices out there that many people aren't following. 

    It also gave me some insight into what the attacker is going through. When I looked at the thousands of logins we get a day, and I was surprised to see the different languages attackers were using. I thought that was kind of interesting, but for the most part, it showed that many of the early countermeasures we put in place 20 years ago were still protecting us effectively versus a lot of the threats out there. 

    We've been able to consolidate cybersecurity technology for our endpoint security. It's a deny-all policy. We reinforce it with other products behind it to ensure that nothing's getting through, but it was still a paradigm shift for us. Instead of just using signature-based threat protection methodology, it allowed us to really get a better grip on what was running inside of our network. That includes some attacks that aren't even nefarious, but just some chatty stuff. We were able to clean up our network a little bit based on some of the things we had seen.

    It helps that everything's in one pane of glass by limiting the number of dashboards we have to look at. Consolidating services really helped us gain C-level buy-in. This wasn't just to monitor logs and check for some malicious entries — it was a complete solution that allowed us to recoup monies in other areas because we could consolidate everything in one product.

    Neturion's managed security didn't reduce the amount of time we had to devote to everything else, but it supplemented our visibility, giving us the ability to see more than we could on our own. They also got us up and running in a week, whereas we would've probably spent months trying to get this running with the resources we had at the time. Even if I were fully staffed, this would have been a difficult task for us to pull off on our own. So while I won't say that it freed up my staff to do other tasks, it saved me from having to assign staff or take staff away from current projects they were working on to get this implemented and keep it running. I know it would've taken a lot of my time — at least two to three weeks — plus the time of my techs.

    What is most valuable?

    It's good to have the SOC team analyzing, monitoring, and getting reports that have actionable items. We were a small shop, to begin with, and when the pandemic hit, we lost 60 percent of our workforce, including my department and the other technology services departments here. We needed something actionable to get an assessment of our threats, what we needed to do, and where our vulnerabilities were. It exposed us to issues we knew, but it could give us accounts.

    The threat detection and response are excellent. It shows you exactly where you're vulnerable, and it helped us get some of our early PCI compliance laid out, too. We're doing internal PCI scans now based on what we originally discovered with this product, and it's a necessary piece of our overall threat protection landscape. I had known for years about specific surface attacks I wanted to limit or certain servers I tried to get rid of because I felt like it was exposing us to too much liability or possible liability on the internet. This just pointed me in the right direction to show me that my instincts were correct in what I was seeing. It gave me something actionable I could take back to the VP or my CFO and say, "Listen, this is exactly what we need to do."

    I also like that the monitoring is 24/7. It never stops. Netsurion helps with the MITRE ATT&CK framework. It gives us a lot of that. It doesn't scan inside and give us reports like my other PCI compliance scanning tools do, but it gives us a base idea of what's going on in those machines and where our surface attack vector could be. The embedded MITRE ATT&CK framework helps us pinpoint exactly what we should be looking at. It's nice to have a vehicle that drives you to where you need to be, and you don't have to find a map to get things settled up at the last minute. 

    What needs improvement?

    I would like to see more communication with the SOC. I believe they are communicating quite a bit, but I think that relationship could be better. There was maybe one person, and I don't know if they can afford the time. We get a report generated on a particular day of the week and we go through it, trying to mitigate problems and make sure we're seeing everything that's happening. It would be helpful if the SOC spent a little more time with us going through some of those reports.

    For how long have I used the solution?

    We have been using Netsurion for around 18 months.

    What do I think about the stability of the solution?

    I've never known Netsurion to go down.

    What do I think about the scalability of the solution?

    We haven't had to scale up. We needed to scale down, but I haven't seen problems scaling this. If we could afford to expand our usage of Netsurion's products, we would. There's another product they offered us called Deep Instinct. It just didn't fit into our budget, but I would love to have it. There's more I'd like to do with Netsurion once our budgets get back intact.

    How are customer service and support?

    I give Netsurion's support an eight out of 10. I never give a 10, so eight is a relatively high mark for me because I always think there's room for improvement no matter what you're doing. They're great. It may take 24 hours to get a response on something we need, but they do respond and they take care of problems rather quickly. We're working with a team in India, so there is a large time difference. My team probably should be working overnight when we're working, but I'm always wondering if we kind of cross over where they're leaving early in the morning when we're coming in, or maybe we're coming in, and they're on a skeleton crew when we're on. That'd be the only thing is sometimes it does take a little bit of time to get an answer, but I would say we're getting answers quickly enough 90 percent of the time.

    The SOC component is crucial. It's nice to know that I can reach back out to them if there's something we don't quite understand or something we're not getting. We know we have a team we can contact and get help to ensure we're mitigating things correctly. In the time we've been working together, I've found that I do like the SOC team. They're a good bunch of folks to work with. 

    Additionally, we do quarterly follow-ups and everything, too. I think the SOC is an essential part of it, and I believe the Symphonic portion is equally important. You can have the SOC, but if you're getting a bunch of noise, the SOC isn't going to be able to do much. The fact that the SOC then takes the time to filter out a lot of the noise and then gives you that directed report is beneficial.

    The SOC understands the peculiarities of our environment. They are an active partner whether they agree with our idiosyncrasies. We're getting a lot better at working with them to manage threats now that we've been doing it for a couple of years, but at least initially there was a lot to go through. The SOC was also instrumental in helping us with the onboarding process. We worked with them to get some agents installed, and they had us up and running fast.

    They showed us how to make sure that we were only listening for things initially and not blocking anything. It was super helpful. Again, it was a two-hour call compared to three to four weeks of our time and then on top of it, another six months of monitoring beyond that. At least they have the knowledge of the tool that they know initially where they need to start quieting it down, where we wouldn't have had that knowledge to start off with.

    It's not much of a problem for us that the SOC is located outside of the United States. I would say that's life nowadays. Maybe pre-pandemic, that would've been a big concern. I have a friend that owns a US-based SOC that I also work with, and he is having a hard time staffing it. It's hard to find technicians in the United States. You're going to have to make some trade-offs in the number of people who can help you work your solution and maybe some coverage because of the lack of technicians available if you're really concerned about keeping things inside of the US.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We were collecting event logs into our RMM product that we used to patch and maintain our systems, so we received alerts that way. However, it was all emails, and we'd have to sift through it to decide where the problems were and what was happening. It was more reactive compared to what we're doing today with Neturion. We can be more proactive because we know where the patterns have been in the past. We know what we're seeing, we have a better idea of where to place our assets strategically, and we know how to protect those assets.

    How was the initial setup?

    Netsurion was easy to deploy. I have worked with other systems that were a little less complex, but they weren't quite as easy to deploy. It's on every machine we have in the enterprise, so technically, every person I have in this company is using the software, whether they realize it or not. My entire team is involved in going through reports and remediating. 

    What about the implementation team?

    We didn't have to do anything. Netsurion did everything. We sat down, we told them, "Here's what we feel are our key pieces of software. Here's what we've designed." They showed us how to exclude that inside of their software. I want to say that we did 30 days of just listening to the network and bringing them reports. From our side, we mostly conferred with them initially and spent time with them explaining what intellectual property we had running and what programs were essential to use on the network. It was super simple.

    What was our ROI?

    If we were to do this on our own, we would need at least one full-time person in a high salary range, so $80,000 to $150,000. That would be a security analyst at minimum. 

    What's my experience with pricing, setup cost, and licensing?

    Any security solution won't be cheap, but I think Netsurion is well placed to make it affordable on any enterprise's budget.

    Which other solutions did I evaluate?

    We looked at other solutions, but nobody had a comprehensive SOC and fine-tuning like Netsurion. I had even used some other solutions before this in some trials when we were getting ready for a tool like this. As far as I know, I may have found one or two later after we implemented this that offer some of the same features, but I still think this is the best solution for the money.

    What other advice do I have?

    I'd rate Netsurion nine out of 10. It's not a fancy product, and I don't mean to say that it's not comprehensive or it doesn't do what it needs to do. I guess what I'm trying to say is it's like driving an old Chevy Nova. It's easy to work on. If something goes wrong, it's easy to fix, and it gets you down the road. Netsurion does a good job, and it's reliable. I haven't known it to ever go out on us. 

    If someone is wondering why they should implement Netsurion, I would say, you don't know what you don't know. That's what it comes down to, and it's a matter of whether you want to sleep easy at night thinking you've done enough. You know how bad it is out there and that these attacks never stop. We get thousands of attacks daily, and we're not a big company. We're a US-based company that isn't in a volatile field. Our significant lines of business are restaurants, health clubs, and travel. You wouldn't think that is a huge target, but we had almost a quarter of a billion attacks against us last week.

    A lot is happening out there, and it's nice to get some affirmation from the executives that everything you've done is working and keeping you safe. It's also giving you some benefits you may not be thinking about, so you know where you might have to apply some of these new things or come up with some new best practices that will work out better for you going forward.

    Your SIM is only as effective as the reports you get out of it and the actual items you can get from it. While you can spend a lot of time and energy doing this yourself, it helps to have a professional team on your side walking through this. Maybe after three years, we won't need the entire SOC, but I can't see that happening. It's better to have them generating these reports for me than one of my teammates having to go through this and spend all week doing this as their job. We have to wear too many hats here to be able to commit to a person like that.

    Which deployment model are you using for this solution?

    Private Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Netsurion Managed Threat Protection
    July 2022
    Learn what your peers think about Netsurion Managed Threat Protection. Get advice and tips from experienced pros sharing their opinions. Updated: July 2022.
    620,600 professionals have used our research since 2012.
    Cyber Security Specialist at a financial services firm with 11-50 employees
    Real User
    Top 20Leaderboard
    Allowed us to consolidate cybersecurity technology but there's a steep learning curve for onboarding and deployment
    Pros and Cons
    • "I think Netsurion scales well. We've gone from a small number of agents up to thousands. So I would imagine that it would continue to scale. I don't see any issue with that."
    • "The agents on the endpoints seem to fail quite a bit, requiring manual involvement from the local administrators. I would like to see their product be much more ad hoc and update automatically."

    What is our primary use case?

    I manage 13 companies that have 300 to 400 companies underneath them altogether. We're a private equity company, so we manage one company, and they control 10 to 20 companies themselves. Our operations are decentralized, so there aren't many existing products suitable for our use cases. 

    When we initially deployed, Netsurion didn't seem like a particularly robust solution. We had the reporting, and if I told them to look for something specific, they could look for it and report on it. We haven't given them anything outside of the box to look at. It tells us everything that you see. We haven't whittled it down to specific events yet.

    Netsurion is on the endpoints. You install it, and it speaks to a web server. We have it on workstations and servers on AWS, Google Cloud Platform, Azure, and everything else. We're using it as a decentralized SIEM product, and it's one of the only ones out there. We use Netsurion for things like log forwarding, and we deploy it on every workstation. It's a manual process. There is an installed agent, and as long as it has internet connectivity, it goes and talks to the centralized server, and Netsurion's SOC monitors the logs for all those devices.

    Because we don't have a centralized enterprise network, there are a lot of different companies involved, and they could be anywhere. They could be working from home, or there could be several employees in a coworking space. The Netsurion agent has to be installed on every endpoint and allowed to communicate directly to the internet.

    How has it helped my organization?

    We don't have the security staff needed to monitor log data constantly. It's too much data. You have to send it to a third party like Netsurion that specializes in that, and they have a 24/7 security operation center. We don't have the in-house staffing or the time, so we offloaded the task to a third party, and they only report on critical incidents. Then they have reporting criteria, so if it's urgent, they call us. If it's not so critical, then they email us. We don't have the capacity to do that ourselves.

    Netsurion has allowed us to consolidate cybersecurity technology, including SIEM and network traffic analysis. It's not a decisive factor, but it's important. Having multiple tools keeps it centralized.

    What is most valuable?

    Netsurion's security operations center is critical for us because they provide 24/7 monitoring. We've never had another company meet the same need in the past. It's a valuable tool to have. Netsurion provides us with a lot of actionable threat intelligence. Their security people don't come in, but they know who to call. We tell them specifically who to call for a specific event or certain companies and they're good at that.

    What needs improvement?

    The product is based on an agent initially intended to talk internally, and they've simply tweaked it to talk externally. It's inside of a network versus talking on the internet. If they redeveloped the product to use internet options that are part of the operating system, it would add more security. Netsurion would keep pace with the computer as it updates and the technologies change. 

    If it were to talk using the internet options inherent in the operating system, the communication would be better and more frequent. It would be part of the operating system. It would work like opening a browser and hitting the internet rather than being a standalone solution. I've suggested redeveloping the application to work more fluidly with current technology instead of working as an old solution in a new application.

    For how long have I used the solution?

    We've been using Netsurion for about a year or so now.

    What do I think about the stability of the solution?

    Netsurion is highly stable. I haven't had any issues. However, the agents on the endpoints seem to fail quite a bit, requiring manual involvement from the local administrators. I would like to see their product be much more ad hoc and update automatically. I'd like to know if it has errors or issues to support that. Otherwise, local people need to uninstall and reinstall, and it's very time-consuming to maintain the installed product. This should be automatic. We shouldn't have to deal with that on a routine basis.

    What do I think about the scalability of the solution?

    I think Netsurion scales well. We've gone from a small number of agents up to thousands. I would imagine that it would continue to scale. I don't see any issue with that.

    How are customer service and support?

    Our SLA with Netsurion doesn't require them to respond immediately. But I haven't had any issues with them from a communication perspective. They've been very good at communicating. If we're talking about the entire process from onboarding to scaling operations, I will give their support a six out of 10, and I'm only giving them a six because they're one of the only companies that provide this service. The installation and customer care at the beginning of the process have a lot of room for improvement.

    The fact that Netsurion's SOC is outside the United States hasn't been an issue for us. Most IT labor is offshored, but the communication server and the information are warehoused within the United States on Azure, I believe. I can't recall exactly what they have, but I know it is located in the US. The data itself is still housed domestically, and the third party monitors it. So I don't have a concern with it, and I think over the last 10 or 15 years, the IT industry has pretty much gone that way for the labor component.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The onboarding process was complex. There was quite a learning curve, and few of our technical staff knew what they were talking about on the Netsurion side. But we were expected to do all the work. There were issues with the installers and the availability of people who could work through the code. I had a lot of concerns about what was being installed and how it was communicating online. It was not communicating securely.

    I was hoping Netsurion could meet my expectations and have their developers fix the application to work more smoothly. Unfortunately, it took quite a bit longer than it should have to onboard. I have five companies that have a bunch of subsidiaries. Those five are using this product on probably a thousand endpoints total. We started with the first one about this time last year, and we've only just finished onboarding. The onboarding should have taken less than a month or two, but it ended up taking a year. That was a problem that we had with them, and it could potentially impact future business.

    After we onboarded the first company, the learning curve went down. I found most of the cybersecurity issues in the initial deployment and would not move forward until we resolved them. That took a few months of our time. Netsurion showed some organization from a project management perspective, but there should have been more of a technical push from their side. 

    As the customer, we had to provide many technical solutions, and I believe the onboarding would have gone faster if Netsurion had provided more technical resources, not just project people. The project people would push things to the next week instead of scheduling a technical person to fix that issue specifically. They were just logging hours rather than helping us move forward.

    We expected that we would be fully deployed on all the discovered devices discussed before the start of the project within 90 days after we signed the contract. Things happen, so I wouldn't expect it all to get done in 90 days, but it should've been mostly done. You need to be at 80 to 90 percent before going to the SOC level and getting reports. That should've happened in under 90 days. Regardless of how many endpoints there are, there should be a real push to bring everything in within the first 90 days.

    I think that's a short deadline. At 90 days, I would expect to have the devices onboarded at a minimum. At between 90 and 120 days, I expect to start seeing reports, even if they're very generalized. I expect to see what's talking and what's not. And If we're talking about the total maintenance, it's split. I would hope that Netsurion would be managing their web server, which is the receiving server that takes all the logs in. I'm doing some sorting that allows the agent that's installed to talk back. 

    What was our ROI?

    It saves us from hiring someone to do the same thing. IT is a cost center, so we don't make money. We spend it. But in terms of a return on investment, it's cheaper than hiring an employee and it's providing actionable results about threats like ransomware that could be costly if we don't catch them in time. That's a kind of savings, but it's theoretical. It's not something that was accrued. It's a potential for loss. I would say that there's a return in that sense. 

    I don't have a hard number because there wasn't a pre-existing solution to compare it to. But to manage the logs the same way that Netsurion does, we would need someone working at least 40 hours a week. To hire someone at the SOC analyst level, you would have to pay an annual salary of between $70,000 to $100,000. However, paying a full-time analyst 40 hours a week still wouldn't give us 24/7 service like Netsurion.  

    What's my experience with pricing, setup cost, and licensing?

    Netsurion's pricing is competitive. At the same time, they're the only ones who do what we want to do the way we want it. I can't say we would've paid more, but we would've had to have come up with our own solution if they weren't providing that. I believe they have a good niche where they're the only ones providing this type of service that we specifically need in our business model. 

    Which other solutions did I evaluate?

    We tried out a couple of competing solutions, including Comodo and Arctic Wolf.

    What other advice do I have?

    I'd rate Netsurion six out of 10. I'm only going above the five because there aren't a lot of other products in that niche for a decentralized SIEM product. To anyone skeptical about the need for managed security services, I would say that they need to look at whether they have the resources to provide the service themselves. I think most don't, and I believe that the cost of hiring even temporary personnel to provide that function doesn't make business sense compared to bringing in a third party like Netsurion. Cost savings, management, and 24/7 monitoring — you can't get all that for the same price.

    Which deployment model are you using for this solution?

    Hybrid Cloud
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Gene Anderson - PeerSpot reviewer
    IT Coordinator at a government with 51-200 employees
    Real User
    Leaderboard
    Having a managed SOC reach out and contact us when something pops up is useful, but the threat detection and response is passive
    Pros and Cons
    • "We don't have the eyeballs available to stare and watch for things, or even have the capability of building internal alert systems. So, the managed SOC has been huge for freeing up staff to work on other responsibilities. We are saving on at least one full-time employee."
    • "The threat detection and response is passive. We have asked if there were options for taking action, and we have not gotten any feedback on that, which would be useful to know. Depending on the situation and threat, some actions may not be possible, but we haven't gotten any feedback on what options could be directed and actionable with the understanding that it may have an extra cost. It would be nice to know or find out if it is actually possible to take actions by a SIEM service or a SIEM agent."

    How has it helped my organization?

    Having a managed SOC reach out and contact us when something pops up is useful, since we're not, as IT staff, able to have eyeballs watching for things. We are dealing with staff, devices, services, etc. all the time, so we are not able to watch for things. There is also not the expertise available all the time for all our escalations of threat management. Having someone who can notify us, "This is urgent. I will call (or email) them based on the runbook that we have," and, "I need to follow up in however many days," depending on the urgency of the issue, has been really helpful.

    Given that the solution is passive, it hasn't had much impact other than occupying space on our server infrastructure.

    They offer 24/7 monitoring and alerting with the understanding that our boots-on-the-ground staff are not 24/7. Being that it is passive, if they are calling us to do something, then depending on the time of day or even the day, our staff aren't working. We don't have a 24/7 rotation, given that there are only two IT staff positions for the entire organization.

    EventTracker gathers the logs from our Sophos cloud provider, amalgamating it all into our on-premise SIEM. Then, the SOC is performing all the analysis, reporting, and alerting for us. This is pretty important given that we have very limited staffing, so we need to be able to have that handled for us.

    There haven't been a lot of incidents in the last six months, which has been nice. Most of the incidents that we have reported have been false positives in the last few months. It has been quiet since August.

    What is most valuable?

    Its threat detection and response is pretty good.

    We had a staff member who downloaded something, and I can't remember if they had had the authority to install it in this scenario. Anyhow, they downloaded something and were running something that was connecting to services in Europe which had a bad public reputation. The database or listing that they had referenced was either malware class or spyware. The visibility of seeing somebody had downloaded something that they weren't supposed to, and they weren't following organizational procedures for software procurement, was very helpful and useful. 

    What needs improvement?

    The threat detection and response is passive. We have asked if there were options for taking action, and we have not gotten any feedback on that, which would be useful to know. Depending on the situation and threat, some actions may not be possible, but we haven't gotten any feedback on what options could be directed and actionable with the understanding that it may have an extra cost. 

    It would be nice to know or find out if it is actually possible to take actions by a SIEM service or a SIEM agent. To clarify, we did get a price quote but not a demonstration. I was hoping for a demonstration of what exactly was possible and doable. We did get the pricing for it, but I was hoping for a demonstration of what it would actually look like.

    For how long have I used the solution?

    We started using it in 2019.

    What do I think about the stability of the solution?

    The stability has been mostly okay. There have been the odd times where agents weren't able to report in. For example, there was the odd time where the software agent had issues on clients, then reported as offline or not reporting, even though it was online. That was a bit annoying at times. The hosted on-premise hardware that we were using was having issues. This is the only time that I will call "Fault" to the hosted SOC. The performance of it was horrendous, but we weren't using it. It was being all done through the SOC and the performance was horrendous. If it was that bad, why wouldn't they have perhaps said something? Why were they struggling with delivering reports or fighting with the server on our behalf? If it was struggling that bad, why wouldn't they have said, "Hey, this machine has problems. We need to do something about it"? 

    We didn't know or do anything about it until we needed to check on something, then realized that the performance on it was horrendous and there were severe hardware problems with the server. Then, that spiraled into actually replacing it and the SOC team didn't mention anything. So, that was a bit of a frustration. If they were struggling with something that bad, then why didn't they say something?

    How are customer service and support?

    The bigger false positives have been when we are doing things, such as actions, remediation, or normal operations through our remote management system. It can sometimes trigger a whole bunch of alerts by scripts, and that is expected. We quite often inform the SOC center, "This is expected behavior. This account is supposed to do these things."

    Any time something comes up with a false positive or was unexpected, the managed SOC team follows through and asks, "What's going on?" Then, we will do an update to say, "Yes, this is expected behavior." We keep updating the runbook anytime there are false positives, and they get to know us a bit better.

    Which solution did I use previously and why did I switch?

    We had an antivirus, firewall, and malware previously, but we didn't have a threat management system before EventTracker. 

    The 24/7 monitoring and alerting has been a huge step up, given that we didn't have anything before. This was our first step into having an enterprise-level security threat monitoring system in place, which was a huge step forward as they provide actionable threat intelligence. The next step would have to be something that can take some sort of action.

    The MITRE ATT&CK Framework wasn't something that we were aware of when we started with EventTracker. Our remote management system has MITRE scanning and mitigation measures as well. While EventTracker hasn't identified anything, it is still nice that it is there.

    How was the initial setup?

    The initial setup was very straightforward. I have my own in-house expertise and experience when dealing with some log collection services. I know all the infrastructure. I handle all the infrastructure. From our standpoint, it was relatively straightforward because we are not that big of a shop.

    Start-to-finish, the deployment took awhile. It was over the course of several weeks, given that they had to schedule their staff as well as our staff because of the boots-on-the-ground stuff that we had to do. So, it did take time over the course of several weeks.

    What about the implementation team?

    Their SOC team had a number of documentation guides. The only one that we struggled with was the Office 365 integration, given that Microsoft keeps moving a number of the admin tools around into different places. Office 365 is going through some fairly frequent adjustments, updates, and changes every couple of quarters. By the time they had published something, we had actually done some of the Office 365 integration parts. They needed to remote screen share with us to walk us through, because everything was in different places. 

    Their assistance meant we weren't fighting to get stuff working.

    What was our ROI?

    The MITRE ATT&CK Framework has affected the time it takes for us to identify and understand sophisticated threats. It has definitely sped things up within the organization. There is just not the in-house expertise to deal with it, understand it, or communicate it to higher ups.

    We don't have the eyeballs available to stare and watch for things, or even have the capability of building internal alert systems. So, the managed SOC has been huge for freeing up staff to work on other responsibilities. We are saving on at least one full-time employee. 

    I would rate the SOC component of the solution as 10 out of 10. It is needed.

    What's my experience with pricing, setup cost, and licensing?

    Our budget follows the calendar year. We just started a new budget year at the beginning of the month. We did budget for an increase in our threat management system selection. Therefore, we have the budget to implement and accommodate a threat management system change, including an increase for the quoted actions that we received to improve EventTracker. We are just waiting on our council to approve that budget, which might not be for a little while. Hopefully, when they do, we will be able to jump on doing something.

    Which other solutions did I evaluate?

    We had a bunch of data security incidents with staff clicking and opening things that they weren't supposed to. We started a security awareness program in 2021. We got a fair bit of traction, which was good and has helped, but we still wanted to pursue some type of threat management system. We looked at three different systems: EventTracker, Trustwave, and LogRhythm. EventTracker was the only one where we could get a good demonstration and quote that was close to our budget. That is why we ended up going with it.

    What other advice do I have?

    Depending on your organization, the type of organization that you are, and the level of risk tolerance your organization has, but say that you don't need threat protection, then you probably don't understand the situation fully.

    Excluding false positives, the accuracy of remediation is pretty straightforward. Things like Exchange Server security vulnerabilities, which came out last year, had all the details included. That came out very well.

    Right now, with EventTracker, a number of their staff are based in India, and there are no concerns with it. They are signing the appropriate NDAs and going through the appropriate certifications for data security and data privacy. As long as they are doing those types of things, there are no concerns on my part as long as they are able to monitor things in our time zones.

    I would rate the solution as seven out of 10. They are definitely areas for improvement. I know for sure that all the areas of improvement aren't solely with the SOC and the product. A lot of it is probably implementation issues and issues within our organization, as this is our first crack at using a threat management protection system and dedicating the appropriate amount of time, attention, and thought to it. Some of that is probably on us. However, we have had struggles. At times, we have needed to think, "Is that because of you or because of us?"

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Network Engineer at a wholesaler/distributor with 201-500 employees
    Real User
    Circumvents the need to hire and manage 24/7 in-house monitoring/alerting, and gives us actionable threat intelligence
    Pros and Cons
    • "When it comes to threat detection and response, it does a very good job detecting and blocking on its own. And the SOC is a nice added value because they're doing analysis on things that aren't as obvious, on things that you can't just detect with a signature or behavior. Also, any SIEM will come with a lot of noise, so having them do a lot of the initial analysis to find out what's critical and what issues are false alarms is very good."
    • "Everything that I've wanted has been added in. EDR was added, and MITRE was added. Those were two big ones that we didn't even have to push for."

    What is our primary use case?

    It's a managed SIEM. It collects our log information, events from different systems. That information gets analyzed to alert us to any problems that are typically security-related issues. We use that database to do our own research as well. For instance, it's handy for figuring out why somebody keeps getting locked out.

    How has it helped my organization?

    The 24/7 monitoring and alerting is definitely a positive because we don't have to have it in-house. These days, finding security people and keeping them is even more of a challenge than it was two years ago.

    Netsurion also provides us with actionable threat intelligence. If an endpoint visits a site that tries to do a download, a "drive-by" type of situation where it tries to run an obfuscated URL through a PowerShell or the like, we'll get an alert from the SOC so we can take remediation actions for that particular endpoint.

    Our detection time is shorter than it was, and they're well within the SLA for both detection time and remediation. Since MITRE was added in, we haven't seen anything take longer than it's supposed to. The detection times are short, and alerting times are also very short. And while the addition of MITRE hasn't increased remediation accuracy, remediation accuracy has always been good with EventTracker. When it's already good, if it only gets a little bit better, it's hard to measure that.

    In addition, the fact that this is a managed security solution has definitely freed up my time to work on other responsibilities. If we didn't have the managed component, I would probably have to spend most of my day in the SIEM, personally. Now, I only have to turn to it once in a while. It has freed up most of my time to work on other projects instead of managing the SIEM. It saves close to 75 percent of an FTE in our existing staff and we also haven't had to add staff. To get 24/7 monitoring, we'd have to have at least three people with no vacations for those people. That would add up to a whole bunch of FTEs.

    What is most valuable?

    The fact that it's a managed solution is very valuable to us, having their SOC do 24/7 analysis and alerting. The SOC is a very important component of the solution. They are responsive when we have questions or when we want something to be analyzed further. We also have periodic reviews with our primary liaison of the state of the solution and the offerings of the SOC.

    When it comes to threat detection and response, it does a very good job detecting and blocking on its own. And the SOC is a nice added value because they're doing analysis on things that aren't as obvious, on things that you can't just detect with a signature or behavior. Also, any SIEM will come with a lot of noise, so having them do a lot of the initial analysis to find out what's critical and what issues are false alarms is very good.

    An important feature that is more specific to the product itself is the EDR component. We get analysis, blocking, and remediation for endpoints. It also does known and unknown malware blocking on its own. It's nice to have another layer of analysis and security from the agent as well.

    What needs improvement?

    Everything that I've wanted has been added in. EDR was added, and MITRE was added. Those were two big ones that we didn't even have to push for. 

    For how long have I used the solution?

    I've been using Netsurion Managed Threat Protection for four years.

    What do I think about the stability of the solution?

    Other than updates, there has been no downtime. It is very stable.

    What do I think about the scalability of the solution?

    I'm not concerned about its scalability. It's very scalable. We could grow greatly in size, and it would just continue to work for us. It's now used everywhere, throughout our organization. There are some additional paid features that we don't have, but we're using everything that we have licensed.

    How are customer service and support?

    Our account representatives within EventTracker, and the handful of people I deal with in the SOC on a regular basis, are familiar with our company and our previous issues. I talk to the same people all the time. Obviously, there has been some turnover throughout the years and people get promoted, but our account manager became a manager in general, and I still talk to him. He still reaches out to me to see how things are going. It's not just a bunch of different names being thrown at you every time.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Using Netsurion has not meant we have consolidated cybersecurity technologies. We haven't eliminated anything. We added EventTracker into the environment, because nothing catches everything. We were not even looking for something that would replace everything else we had. We wanted the enhancements that we would get from a managed SIEM, versus keeping everything in-house.

    Additional layers and different technologies are looking for different things. Netsurion deploys a technology and algorithms that we didn't already have. And the 24/7 monitoring with the SOC was another reason to add it to our environment.

    How was the initial setup?

    The setup was pretty straightforward. They needed to learn about our environment and I needed to provide a fair amount of information for that. We set up a system for them, and they did the configurations, primarily, and have continued to maintain them. We had an account rep, not a sales rep, but an actual EventTracker manager, who worked with us and their SOC and did the project management on their end. He worked directly with me and we had a number of web meetings and phone calls until it was up and going. Anytime there's a new version or new features, I'm still talking to the same guy.

    Their assistance in the onboarding process certainly helped with the product's time to value. It would have taken a lot more time to set it up if we were doing it by ourselves. The setup required about 20 hours of my time and we had data coming in and being analyzed within a week, maybe a little longer, of the beginning of the project. It didn't take very long to get the core system up and going. After that, it was a matter of configuring all the systems in our environment to start reporting to it.

    They maintain the system itself, but we have to make sure that clients are reporting to it. You get a report, and depending on the service level, a report you can run yourself, anytime you want. It's very easy to run, and you get a list of non-reporting systems. For example, we can see that Bob has been on vacation for two weeks, so it makes sense that his computer hasn't reported in in two weeks. But Joe has been working every day from the office for the same two weeks, and his computer hasn't reported for the last three days, so something probably needs to be looked at on Joe's computer.

    What's my experience with pricing, setup cost, and licensing?

    We haven't been hit by any surprises when it comes to pricing and licensing. You are paying for different levels, especially as far as the monitoring goes and how often you review it with the team. The other factor that figures in is how many nodes are on your network, such as clients, network equipment, servers, etc. There are some additional pieces on top of that, but it's laid out pretty simply, as far as how much you're going to pay for a node. And if you want an additional feature, they tell you how much you pay per node to add that on.

    Which other solutions did I evaluate?

    We looked at a few solutions but we narrowed it down quickly to EventTracker. The features offered by the various solutions were pretty close in parity, but EventTracker, at least at that time, had an edge on pricing, and we liked the initial conversations that we had with them.

    Netsurion didn't integrate the MITRE ATT&CK Framework when we brought it on, but it was added afterward. But as MITRE solidified into a pretty important framework, I reached out to Netsurion and asked when it was coming, and it was coming in the next release. They were on top of it. 

    What other advice do I have?

    As for someone being concerned that the solution's SOC is outside of the US, it hasn't been a concern for us. It's 24/7. If the concern is more national or regulatory, you have to follow what your rules are. But if you don't have any regulations or laws restricting you, I wouldn't hesitate just because the SOC isn't in the US.

    If a colleague at another company said he's not sure that they need managed services, part of that conversation would be about what kind of staffing levels they already have and if they already have 24/7 in-house security monitoring. If not, do they think the bad guys only work from 8:00 to 5:00 Eastern?

    It's reliable. It works. With the managed component, we get that personal attention and that consistent team to deal with. To some extent, it's like they're part of our IT team. They're not in our buildings or working with us directly day-to-day, but in some respects, it's close to that.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Senior Director of Information Security at a healthcare company with 5,001-10,000 employees
    Real User
    Leaderboard
    Its 24/7 monitoring has enhanced the overall security of the company
    Pros and Cons
    • "Netsurion's 24/7 monitoring has enhanced the overall security of the company. They have someone looking at the data 24/7 who will call us as needed. If their team spots a malicious process after hours, they notify the appropriate person by phone. We get a lot of actionable threat intelligence from Netsurion. For example, if a user clicks on a malicious link in a web page and starts an unusual process that isn't on the white-list, Netsurion's team can detect it and prevent it from executing. Afterward, they'll notify us by telephone, so we can respond and clean up whatever damage has occurred."
    • "Netsurion's threat detection and response aren't quite mature. I would expect a little more."

    What is our primary use case?

    We use Netsurion to meet our HIPAA and PCI compliance requirements and to implement best security practices. Before we implemented Netsurion, our company had no visibility into the environment. We use it to alert us about unusual processes that may be executed. After an investigation, we whitelist or blacklist those processes. It also helps us manage our asset inventory and respond to threats as they arrive. 

    How has it helped my organization?

    Netsurion's 24/7 monitoring has enhanced the overall security of the company. They have someone looking at the data 24/7 who will call us as needed. If their team spots a malicious process after hours, they notify the appropriate person by phone. We get a lot of actionable threat intelligence from Netsurion. For example, if a user clicks on a malicious link in a web page and starts an unusual process that isn't on the white-list, Netsurion's team can detect it and prevent it from executing. Afterward, they'll notify us by telephone, so we can respond and clean up whatever damage has occurred.

    With Netsurion, we've also consolidated a lot of our cybersecurity technology. Case in point, Netsurion can aggregate the log files from a Meraki wireless access point, which correlates that data, so that minimizes the time necessary to investigate. They have already taken care of the heavy work. With Netsurion, I take their data, and I know where to start.

    Any security professional will agree that if you don't have a solid understanding of your inventory of assets, it's going to haunt you. In this case, it provided me the opportunity to see what's out there. This is especially crucial given that we have some BYOD devices that are not allowed onto the network. I was able to spot those devices and enable conditional access through our Azure Active Directory.

    It has reduced the amount of time it takes to identify and respond to constantly evolving threats. We don't know everything. So we could have something that we've never seen before and it requires research on my part, which can be very time-consuming. I like to have the reference readily available.

    The managed security solution has freed up IT staff time to work on other things. Our IT team is tiny. I am the only security person in a company with more than 5,000 employees. I don't have to focus on security 24/7, which frees up a lot of time and lets me have a work-life balance. It's equivalent to saving us the cost of three full-time employees at 40 hours a week. The SOC is an essential component. It's crucial to have those individuals correlating and reporting on alerts or taking care of events that don't need to be reported. That's a lot of manual work.

    What is most valuable?

    I'm new to the company and the environment, so it's valuable for me to see what is deployed and what processes are being executed in the environment to ensure that nobody is running something that may have malware or infections. Netsurion's log aggregation feature is something I use heavily. They use Elastic as their SIM tool. I'm able to take the numbers that they provide and correlate events.

    Netsurion also integrates the MITRE ATT&CK framework. Every alert includes a reference to the MITRE number that you can research yourself. I have experience with the MITRE framework, so this is valuable to me. The company did not previously have an understanding of MITRE, so it's essential to me as the security person responsible. This framework has definitely helped us identify threats that we might have missed otherwise. With the MITRE ATT&CK number, I can research in the right direction.

    What needs improvement?

    Netsurion's threat detection and response aren't quite mature. I would expect a little more. Instead of an Excel spreadsheet with a log output, I would rather have a web portal that I could log into and see the event live. In all fairness, they may have that, but they have not provided that to us. They send me an Excel spreadsheet, and I have to aggregate the data manually to find out what I want to look at. It would be better to have a web portal where the data is already aggregated, and I can see where the hotspots are. They could do something like Arctic Wolf, which has a web portal or page we can log into.

    For how long have I used the solution?

    I have been using Netsurion since approximately June of 2020.

    What do I think about the stability of the solution?

    Stability has been okay. We've only had one instance where specific endpoints were not reporting in. During the discovery, we found that devices were pointed to the wrong collector on the Netsurion side, and they fixed that.

    What do I think about the scalability of the solution?

    With Netsurion, we're covering more than 5,000 endpoints without any real difficulties, and I think we could grow even further with that, so I don't have any concerns with scalability. However, I don't know how far they can go.

    How are customer service and support?

    I would give Netsurion support a nine out of 10. Their technical support has been outstanding. There have been some challenges on the administrative side getting the phone tree updated. That's an area where they need a little bit of work. But I have no complaints on the technical support side. They've been accommodating. Their SOC is also excellent. They're working on a mature model, and I think they're going to raise the bar. We also have five other managed service providers that the SOC needs to work with across different time zones. Everybody just needed to get on the same page and align the timing. After that, it went fine.

    How would you rate customer service and support?

    Positive

    How was the initial setup?

    I joined the company while they were in the middle of deploying Netsurion, and I actually led the last phase of implementation, which was getting the agents installed through the endpoint. In my opinion, it was pretty straightforward, and the deployment took about 90 days. The only issue was getting their agent to work on some of the Apple products. The developers had to go back and tweak the agent to get it running on these systems. Netsurion's SOC helped walk us through the onboarding process. Without their support, we would've probably been extremely frustrated and unhappy. 

    What other advice do I have?

    I would rate Netsurion eight out of 10. While there is room for improvement and maturity, I have no complaints about their services. To anyone thinking about adopting Netsurion, I would advise them to research and get references. You should also do a cost-benefit analysis of a managed solution. Doing this work in-house is extremely expensive compared to offshoring it to someone already established who can do the work you need. 

    If someone is concerned about Netsurion's SOC being outside the United States, I would say that this hasn't been a problem for us, given the compliance spectrum we're working with. Some companies may have another view of that, but I work with that team and trust them. They meet all my expectations. I'm pretty satisfied with their service and how it was managed during implementation.

    Which deployment model are you using for this solution?

    Hybrid Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Other
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user
    Lead Security Analyst at a leisure / travel company with 1,001-5,000 employees
    Real User
    Top 20Leaderboard
    Provides us with detailed search responses and concise alerts that are not overwhelming
    Pros and Cons
    • "We have also integrated our endpoint security into the Netsurion SIEM. That's important because we have all the events in one place; we don't have to manage them in multiple places. In addition, the embedded MITRE ATT&CK Framework was paramount in our decision to choose Managed Threat Protection because the MITRE Framework is the industry standard for threats."
    • "The weekly reporting could use some improvement. For example, when we handed them our landscape document, it took longer than I would have liked for those details to become noticeable within the reports."

    What is our primary use case?

    We use it for security incident and event management, and we use Netsurion's hosted SOC service, meaning their SOC team also assesses our events.

    The solution is on-premises. We have the agent running on our Windows systems, and we have the Linux systems pumping the syslog data to the Netsurion server.

    How has it helped my organization?

    The 24/7 monitoring and alerting have positively affected our security maturity because now we have people with eyes on our security events 24/7. They are monitoring our security incidents and alerting us to any incidents that need action on our end. Overall, the SOC component of the Netsurion solution is very important because without it we would need to hire more people internally to do that work. With the hosted SOC, we don't need to have a large team on our side. While their SOC doesn't know our company and what is unique about our environment entirely at this time, they are learning it now.

    What is most valuable?

    All the features are valuable, so far. Some examples are the detailed responses that you find within the searches. The alerts are also valuable because they're concise and not overwhelming. The dashboard layout is also a feature I like, because it's very clear. It's not cumbersome.

    When it comes to threat detection and response, Netsurion is very good. They're good at incident detection and responses. For example, they found some tools that are used by hackers, tools that were running on a system, and they immediately alerted us to that fact. We investigated it and it turned out it was an administrator using that tool. But it was a good process.

    Managed Threat Protection also provides actionable threat intelligence. For example, when there was a vulnerability in the Exchange platform, they alerted us that this new threat had become known, and we were able to take action by patching our Exchange servers to secure them.

    We have also integrated our endpoint security into the Netsurion SIEM. That's important because we have all the events in one place; we don't have to manage them in multiple places.

    In addition, the embedded MITRE ATT&CK Framework was paramount in our decision to choose Managed Threat Protection because the MITRE Framework is the industry standard for threats. While it hasn't yet helped to identify threats we might have missed without it, we're still early on in our deployment, but eventually, once we are more mature, it will. And I believe it has helped with the time it takes Netsurion's SOC to identify and understand sophisticated threats.

    What needs improvement?

    The weekly reporting could use some improvement. For example, when we handed them our landscape document, it took longer than I would have liked for those details to become noticeable within the reports.

    For how long have I used the solution?

    I have been using Netsurion Managed Threat Protection for about 10 months.

    What do I think about the stability of the solution?

    It is very stable.

    What do I think about the scalability of the solution?

    Scaling it would be slightly complex because you would need to consciously keep track of the ports where the logs are being ingested. Scalability is not as straightforward as it could have been.

    We are using it to monitor about 2,500 endpoints and we have two analysts within our organization's security department who work with the solution.

    How are customer service and support?

    Some of the technical forethought for the deployment was not as good as I would have expected. Some of the technical blocks that can exist in an organization of our size, issues that needed to be thought about, were not taken into account at their end. That required more input on our side, so that is why I would rate their support at eight out of 10 overall. But regarding the product itself, their technical skills are a 10. It was more when it came to the difficulties in a more complex environment that they were slightly lacking.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We did not have a previous solution.

    How was the initial setup?

    The initial setup was straightforward. They provided us concise instructions on how to deploy the agents. They provided us packages that we could then deploy within our package deployment mechanisms, and they supplied us with the necessary tools to be able to deploy the agents quickly and easily.

    Netsurion's support during our deployment process was very good. They were very helpful and attentive to us as customers. Their assistance in the onboarding process certainly helped with the product's time-to-value because we were able to deploy the agents in a short period of time and to start getting actionable intelligence pretty quickly.

    Within a couple of weeks of their providing us the packages, we started deploying agents and, within a couple of months, we already had enough logs being ingested to have at least some initial, actionable intelligence.

    The implementation strategy was, first of all, to have enough collectors around our network to ingest the logs from the sources, and enough log source ports to be able to handle the quantity of log sources coming in. After that came the preparation of the agents and the mechanism through which the agents were to be deployed. This strategy helped to make the deployment faster and easier.

    What about the implementation team?

    It was handled internally by our IT operations.

    What was our ROI?

    We have seen ROI in the fact that we had actionable intelligence within six months of deployment.

    What's my experience with pricing, setup cost, and licensing?

    The amount we pay for the service that we get is good. If it were to be much more expensive, it would not have the same value for the money.

    Which other solutions did I evaluate?

    We evaluated McAfee Managed Detection and Response, Splunk, and Rapid7 against Netsurion Managed Threat Protection. The biggest difference was the cost.

    What other advice do I have?

    If you're concerned about Netsurion's SOC being located outside of the US, I would say that location of the SOC is irrelevant. Rather, you should evaluate the skills of the SOC and the SOC management.

    And if someone at another company said they are not sure that they need managed services, I would say to them that they had better make sure they have enough money to have their own internal team.

    My other advice would be to make sure that Netsurion gives you a good deal compared to the other vendors.

    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    PeerSpot user
    Network Administrator at a construction company with 1,001-5,000 employees
    Real User
    Leaderboard
    The SOC team takes care of everything, though I would like faster responses from them
    Pros and Cons
    • "Their SOC team manages vulnerability management and IOC reviews. They stop bad processes when they happen. The best thing is their weekly reviews of what has been going on in the infrastructure as well as the things that they see and what we should look out for."
    • "The MITRE ATT&CK framework could be faster when identifying and understanding sophisticated threats. Whenever something happens, we usually get notified a couple hours later."

    What is our primary use case?

    Since we can't have 24/7 operations for our SOC, we hire out for that and have it as a managed service. This makes much more sense and allows us to focus on the day-to-day activities of the company.

    How has it helped my organization?

    Since it is a managed service, they take care of everything for us and just reach out when they have a question, there is an incident, or an important alert. That is the most important part for me because that allows me to focus elsewhere.

    It allows us to avoid needing to employ people to stay during evening hours, which is a positive.

    The solution provides an embedded MITRE ATT&CK framework. The framework is relatively new. I like that it is a curated knowledge base now. It is very important because it lets everyone know what is going on and being observed in the real world. It definitely helps in the analysis of whatever threat is found. Remediation is already built into the framework.

    What is most valuable?

    Their SOC team manages vulnerability management and IOC reviews. They stop bad processes when they happen. The best thing is their weekly reviews of what has been going on in the infrastructure as well as the things that they see and what we should look out for.

    We haven't had any incidents, which is a good thing. It is a valuable product.

    The solution provides actionable threat intelligence. It is not a passive service. They go in and perform mitigations on whatever they find. It is timely. They provide context, so it is understood by anyone who receives these reports.

    It is important that Netsurion Managed Threat Protection has enabled us to consolidate cybersecurity technology, including SIEM, network traffic analysis, and endpoint security.

    What needs improvement?

    I would like faster responses when things are found. For example, when they inform me, it is usually when they begin to respond.

    The MITRE ATT&CK framework could be faster when identifying and understanding sophisticated threats. Whenever something happens, we usually get notified a couple hours later.

    Their SOC team can't understand our network because they haven't worked in the actual company. This does negatively affect security posture, e.g., if you don't have knowledge about the network, then you will miss things.

    Personally, I would have deployed it on its own independent server. It uses a lot of IOPS and resources. Now, we have contention between our other servers on the same cluster.

    For how long have I used the solution?

    I have been using it for at least three years. It was installed at the company before I joined.

    What do I think about the scalability of the solution?

    It scales fine.

    It is being used throughout all our systems non-stop, so we don't have plans to increase the usage or utilize it in different ways.

    One person can maintain and work with the solution.

    How are customer service and support?

    The SOC component is the most important part of the solution. I know who the SOC team is, so it is not someone different every time. I have seen changes in the team. However, for the most part, the team is usually steady. They are professionals in this and do a good job. 

    They could improve by having faster communications. They always get back to us on the same day, but it is usually a few hours later. It would be nice if it was within an hour.

    How would you rate customer service and support?

    Neutral

    What was our ROI?

    We have seen time and cost savings. It prevents us from having to hire specialized people for this type of work. We would need to hire six staff members to accommodate the same service.

    What other advice do I have?

    If you are not going to go for their managed service, then you will need to hire a SOC team, and if you are not going to hire a SOC team, then you are messing up.

    I am sure that other companies have their own SOC teams instead of having a SOC-managed service, but this solution makes it cost effective for us.

    I would rate it as a six out of 10.

    Which deployment model are you using for this solution?

    On-premises
    Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
    Flag as inappropriate
    PeerSpot user