Netsurion Reviews

We use Netsurion to find out what's going on in our environment. It lets us know if we have strange actions acting out. It's a deny-all policy, so there's an access list on each machine. It was effortless to tune it for our software because we have four pieces of intellectual property used in-house, and that was super easy to get up and running compared to some of the other solutions I've seen. For the most part, it's set-it-and-forget-it protection.

We've been under attack since the day we opened. Our company has a web base that hosts more than 100 different websites, and we're constantly facing attacks — our mail servers too. Of course, we knew we were under attack, but Netsurion provides excellent visibility into how often it's happening and what services they were using. We had a relatively decent idea of that ahead of time, but it solidified a lot of issues we thought we had and allowed us to tailor some solutions to mitigate those issues a little bit easier than it had been when we didn't have all the actionable intelligence.

You can't protect against what you don't know. My instincts told me certain issues were happening. There were a couple of records of it here and there, but it's easier to zero in on what you need to do if you can see what attacks are occurring and how often. It helps you identify gaps you may not be aware of. Netsurion helped shore up our security posture by verifying that some of the initial steps I had taken to protect us against some of these outside attacks were correct. I don't want to go into it too deeply, but it also showed us the usefulness of some best practices out there that many people aren't following. 

It also gave me some insight into what the attacker is going through. When I looked at the thousands of logins we get a day, and I was surprised to see the different languages attackers were using. I thought that was kind of interesting, but for the most part, it showed that many of the early countermeasures we put in place 20 years ago were still protecting us effectively versus a lot of the threats out there. 

We've been able to consolidate cybersecurity technology for our endpoint security. It's a deny-all policy. We reinforce it with other products behind it to ensure that nothing's getting through, but it was still a paradigm shift for us. Instead of just using signature-based threat protection methodology, it allowed us to really get a better grip on what was running inside of our network. That includes some attacks that aren't even nefarious, but just some chatty stuff. We were able to clean up our network a little bit based on some of the things we had seen.

It helps that everything's in one pane of glass by limiting the number of dashboards we have to look at. Consolidating services really helped us gain C-level buy-in. This wasn't just to monitor logs and check for some malicious entries — it was a complete solution that allowed us to recoup monies in other areas because we could consolidate everything in one product.

Neturion's managed security didn't reduce the amount of time we had to devote to everything else, but it supplemented our visibility, giving us the ability to see more than we could on our own. They also got us up and running in a week, whereas we would've probably spent months trying to get this running with the resources we had at the time. Even if I were fully staffed, this would have been a difficult task for us to pull off on our own. So while I won't say that it freed up my staff to do other tasks, it saved me from having to assign staff or take staff away from current projects they were working on to get this implemented and keep it running. I know it would've taken a lot of my time — at least two to three weeks — plus the time of my techs.

It's good to have the SOC team analyzing, monitoring, and getting reports that have actionable items. We were a small shop, to begin with, and when the pandemic hit, we lost 60 percent of our workforce, including my department and the other technology services departments here. We needed something actionable to get an assessment of our threats, what we needed to do, and where our vulnerabilities were. It exposed us to issues we knew, but it could give us accounts.

The threat detection and response are excellent. It shows you exactly where you're vulnerable, and it helped us get some of our early PCI compliance laid out, too. We're doing internal PCI scans now based on what we originally discovered with this product, and it's a necessary piece of our overall threat protection landscape. I had known for years about specific surface attacks I wanted to limit or certain servers I tried to get rid of because I felt like it was exposing us to too much liability or possible liability on the internet. This just pointed me in the right direction to show me that my instincts were correct in what I was seeing. It gave me something actionable I could take back to the VP or my CFO and say, "Listen, this is exactly what we need to do."

I also like that the monitoring is 24/7. It never stops. Netsurion helps with the MITRE ATT&CK framework. It gives us a lot of that. It doesn't scan inside and give us reports like my other PCI compliance scanning tools do, but it gives us a base idea of what's going on in those machines and where our surface attack vector could be. The embedded MITRE ATT&CK framework helps us pinpoint exactly what we should be looking at. It's nice to have a vehicle that drives you to where you need to be, and you don't have to find a map to get things settled up at the last minute. 

I would like to see more communication with the SOC. I believe they are communicating quite a bit, but I think that relationship could be better. There was maybe one person, and I don't know if they can afford the time. We get a report generated on a particular day of the week and we go through it, trying to mitigate problems and make sure we're seeing everything that's happening. It would be helpful if the SOC spent a little more time with us going through some of those reports.

We have been using Netsurion for around 18 months.

I've never known Netsurion to go down.

We haven't had to scale up. We needed to scale down, but I haven't seen problems scaling this. If we could afford to expand our usage of Netsurion's products, we would. There's another product they offered us called Deep Instinct. It just didn't fit into our budget, but I would love to have it. There's more I'd like to do with Netsurion once our budgets get back intact.

I give Netsurion's support an eight out of 10. I never give a 10, so eight is a relatively high mark for me because I always think there's room for improvement no matter what you're doing. They're great. It may take 24 hours to get a response on something we need, but they do respond and they take care of problems rather quickly. We're working with a team in India, so there is a large time difference. My team probably should be working overnight when we're working, but I'm always wondering if we kind of cross over where they're leaving early in the morning when we're coming in, or maybe we're coming in, and they're on a skeleton crew when we're on. That'd be the only thing is sometimes it does take a little bit of time to get an answer, but I would say we're getting answers quickly enough 90 percent of the time.

The SOC component is crucial. It's nice to know that I can reach back out to them if there's something we don't quite understand or something we're not getting. We know we have a team we can contact and get help to ensure we're mitigating things correctly. In the time we've been working together, I've found that I do like the SOC team. They're a good bunch of folks to work with. 

Additionally, we do quarterly follow-ups and everything, too. I think the SOC is an essential part of it, and I believe the Symphonic portion is equally important. You can have the SOC, but if you're getting a bunch of noise, the SOC isn't going to be able to do much. The fact that the SOC then takes the time to filter out a lot of the noise and then gives you that directed report is beneficial.

The SOC understands the peculiarities of our environment. They are an active partner whether they agree with our idiosyncrasies. We're getting a lot better at working with them to manage threats now that we've been doing it for a couple of years, but at least initially there was a lot to go through. The SOC was also instrumental in helping us with the onboarding process. We worked with them to get some agents installed, and they had us up and running fast.

They showed us how to make sure that we were only listening for things initially and not blocking anything. It was super helpful. Again, it was a two-hour call compared to three to four weeks of our time and then on top of it, another six months of monitoring beyond that. At least they have the knowledge of the tool that they know initially where they need to start quieting it down, where we wouldn't have had that knowledge to start off with.

It's not much of a problem for us that the SOC is located outside of the United States. I would say that's life nowadays. Maybe pre-pandemic, that would've been a big concern. I have a friend that owns a US-based SOC that I also work with, and he is having a hard time staffing it. It's hard to find technicians in the United States. You're going to have to make some trade-offs in the number of people who can help you work your solution and maybe some coverage because of the lack of technicians available if you're really concerned about keeping things inside of the US.

Positive

We were collecting event logs into our RMM product that we used to patch and maintain our systems, so we received alerts that way. However, it was all emails, and we'd have to sift through it to decide where the problems were and what was happening. It was more reactive compared to what we're doing today with Neturion. We can be more proactive because we know where the patterns have been in the past. We know what we're seeing, we have a better idea of where to place our assets strategically, and we know how to protect those assets.

Netsurion was easy to deploy. I have worked with other systems that were a little less complex, but they weren't quite as easy to deploy. It's on every machine we have in the enterprise, so technically, every person I have in this company is using the software, whether they realize it or not. My entire team is involved in going through reports and remediating. 

We didn't have to do anything. Netsurion did everything. We sat down, we told them, "Here's what we feel are our key pieces of software. Here's what we've designed." They showed us how to exclude that inside of their software. I want to say that we did 30 days of just listening to the network and bringing them reports. From our side, we mostly conferred with them initially and spent time with them explaining what intellectual property we had running and what programs were essential to use on the network. It was super simple.

If we were to do this on our own, we would need at least one full-time person in a high salary range, so $80,000 to $150,000. That would be a security analyst at minimum. 

Any security solution won't be cheap, but I think Netsurion is well placed to make it affordable on any enterprise's budget.

We looked at other solutions, but nobody had a comprehensive SOC and fine-tuning like Netsurion. I had even used some other solutions before this in some trials when we were getting ready for a tool like this. As far as I know, I may have found one or two later after we implemented this that offer some of the same features, but I still think this is the best solution for the money.

I'd rate Netsurion nine out of 10. It's not a fancy product, and I don't mean to say that it's not comprehensive or it doesn't do what it needs to do. I guess what I'm trying to say is it's like driving an old Chevy Nova. It's easy to work on. If something goes wrong, it's easy to fix, and it gets you down the road. Netsurion does a good job, and it's reliable. I haven't known it to ever go out on us. 

If someone is wondering why they should implement Netsurion, I would say, you don't know what you don't know. That's what it comes down to, and it's a matter of whether you want to sleep easy at night thinking you've done enough. You know how bad it is out there and that these attacks never stop. We get thousands of attacks daily, and we're not a big company. We're a US-based company that isn't in a volatile field. Our significant lines of business are restaurants, health clubs, and travel. You wouldn't think that is a huge target, but we had almost a quarter of a billion attacks against us last week.

A lot is happening out there, and it's nice to get some affirmation from the executives that everything you've done is working and keeping you safe. It's also giving you some benefits you may not be thinking about, so you know where you might have to apply some of these new things or come up with some new best practices that will work out better for you going forward.

Your SIM is only as effective as the reports you get out of it and the actual items you can get from it. While you can spend a lot of time and energy doing this yourself, it helps to have a professional team on your side walking through this. Maybe after three years, we won't need the entire SOC, but I can't see that happening. It's better to have them generating these reports for me than one of my teammates having to go through this and spend all week doing this as their job. We have to wear too many hats here to be able to commit to a person like that.

We use it for real-time alerts for things like domain admins being added. And we have the managed services provide weekly reports for us for VPN logins, after hours logins and several other similar alerts. 

And of course, at any time I can do individual investigations and searches on interesting traffic that might be reported to me by Netsurion or that we find on our own.

The solution saves me at least half an FTE, some 20 hours a week. If I didn't have the managed services, I would have to have another half an FTE just to do the work that they do for us.

Netsurion has assisted our server administration team as well. If they're having software problems or access problems or the like, they have the ability, with all the logs now centralized in one place, to go to one place and do those searches, rather than to go individually, server by server by server, and try to figure it out. 

It's also tied into our enterprise firewall, which is Palo Alto. It really helps them in their troubleshooting time if they're having an issue. 

There are 3 aspects that Netsurion is very helpful to our organization.  One side is the information security side where it helps us quickly investigate an incident including false-positives. A second aspect is operational efficiency.  It would really take a lot of time to try to figure it out server by server but with Netsurion they can go to one place which has all those server logs. The third aspect is log archives. Once it makes it to Netsurion, they can keep local log storage space pretty low and don't have to burn a lot disk space on the local servers.

I also feel that Netsurion has better integration. Almost any product could integrate with just about anything else, given enough time and resources. But that's part of the managed services that we contract with Netsurion. We have integrations into Sophos (for antivirus), Office 365 (for email) and for our enterprise firewall (Palo Alto), and our Cisco networking equipment. So we've got all the critical infrastructure pieces integrated and all of those were integrations out-of-the-box-that I probably could have figured out if I had enough time. But I tell them what I'm trying to do and either they have a white paper which gives me one, two, three steps to do it, or they actually take over. I give them a service account. They take over, they do it, we do some testing and we go live with it.

Everything we have is a real-time feed. We don't have anything that is just batch and then it reads it in later. Especially on those real-time alerts that I mentioned, I know about each of those literally within minutes after it happens, because it's a real-time feed. The alert fires and sends me an email or a text, whichever I have set up.

We're also very impressed with Netsurion SIEMphonic. That's what they've renamed their SIEM tool. We use it quite a bit now. They've got something called potential insider threats that we look daily. Those are things like account creations and the like. A SIEM tool doesn't necessarily know, just because an account is created, whether it should have been created or if somebody created it to try to hide their tracks. Also, seeing things like logs being cleared on servers has been very helpful to us. We would have no other good way to get visibility into those types of things. An extension of that is the alerts that we talked about. It's really been really invaluable for us to get insight into our environment. There'd be no other way for us to really get that without either SIEMphonic or one of its competitors.

Really, all of the features are valuable. Probably the most valuable are the real-time alerts and the weekly reports. They would like to send me the reports daily, but because I'm a one-person shop, I just don't have the time to pour through them. Those weekly reports really give me a view of the landscape and of things that might have slipped through the cracks.

The real-time alerting for things such as people getting dropped into a VPN group or the domain admin group — things like that which really shouldn't happen without proper change management, but we all know the reality, that they do from time to time — gives me real-time visibility into what's going on.

I do like, with version 9, that they have what they call Elasticsearch which is very quick, although that's only available for the last seven days' worth of data. It used to be that, if I wanted to do a search from three days ago, it might take me 10 to 15 minutes because it had to actually unzip some archive files. So I really like that feature. It's almost instantaneous for anything within the last seven days. I can go back as far as I have archived, which for us is a set of six months. It all depends on how much you want to store. We store one semester's worth of data. That real-time, very quick access is very helpful for our workflow and the ability to investigate things.

Also with version 9, the overall UI is much better. It's more like Splunk, which is one of their competitors. It has more of that kind of look and feel. You literally drag and drop different fields and elements that you want in your reporting. And with that Elasticsearch, where it's almost instantaneous, it's so much more helpful. Their old query tool was okay, but it had the old look and feel. You picked the field you need and you chose an operator like "equals," etc. This new look and feel really is drag-and-drop. It's so much more modern and very useful. It makes it very efficient if you're looking for something.

With version 9 there are so many areas where they changed the look and feel and it is so much easier. I really don't have anything that is a pain point or that I have to work around or that I would like to be a little better or easier.

With version 8, there are quite a few things. The query tool was one of the big ones, and the query speed was one of the big ones, but they've made some great strides between versions 8 and 9.

There were also issues in version 8 around the ability to get the data back out. It's one thing to collect data, but it's a whole other thing to be able to present it or run it in a timely manner. The old tool, depending on how far back I was looking, might even time out and I would have to run it again. 

We don't have any of those issues with version 9, as long as we're staying within that seven-day window. You get outside the seven-day window and it still performs the same sort of way. And it's not Netsurion or SIEMphonic's fault; it's just the way they store the data and have to be able to open the data back up. But the look and feel of the query tool is still exactly the same as it was. It's just a matter of whether you are looking at that real-time, very quick access, or you are looking at more of an archive-type.

I've been using Netsurion for about four years.

The stability has been really great.

On the older version — and this might have even been with version 7 — we had one or two instances where we had a problem logging in with our Active Directory account. We never really got a lot of details, but I can tell you that in less than 15 minutes they had it corrected. They have VPN capability as part of the managed services to be able to get in anytime they want. That VPN capability has two-factor authentication on it. We opened a ticket with them, told them what was going on, and they came in via VPN and corrected the situation.

We did have this issue twice, about nine months apart. But we have not had that problem in version 8 or 9. I don't know if it was something within the server configuration or something else. Other than that, we've never had any stability problems. 

The query timeouts, again, were just due to the sheer volume of data that we were trying to extract out of the thing. It was something we were able to work around. We could do a couple of extractions and bring them back together. It wasn't anything that was a big pain for us. It was a little bit of a learning curve and understanding.

In the early days of it we were really trying to get everything. But they were really great and said, "Well, that's great, but after you get everything, then you've got to pare it down anyway. So why don't you just build your query in a way that is smart enough to get only what you really want to begin with. So when you do get your extract, it's ready to work on." That was part of a learning curve for us and their suggestion really helped out a lot.

We haven't had any big problem with scalability.

When I got here, we were keeping a year's worth of data. The reason we're now only keeping six months instead of a year is our own backup speeds and/or how much disk space it's taking up. We talked to our CIO and several senior leaders. Everyone was comfortable, as long as we could go back and investigate within the same semester. We felt that reducing from a year to six months was acceptable. That also fixed our backup times which were taking so long and how much total disk it was taking up. It had zero to do with the product. It was strictly a matter that storing so much data was taking that much space and that long to back up.

Today, in our organization, it's used as needed. We may have five security incidents a month. The server admins use it for operational needs once a month or every other month. So we don't have super-heavy use here. Most of my investigations come out of those weekly reports or things that come up within the environment in real-time. There's not a tremendous need to be able to use it more often, because of the real-time alerting and those timely, weekly reports. A lot of those were custom reports that we asked them to build for us. We really get visibility right into what we want to see all the time. So we're able to address situations very quickly and not have to hunt around and figure things out.

Their technical support is really good. We've got a dedicated service manager.

The only thing — and it's not a problem, but I do like to mention it — is because they are in a different time zone, it's not that they won't respond, but it depends on how severe the ticket is that I open. If it's anything much past noon or 1:00 p.m., I know because of the time difference that it's going to be the next day before they get back to me, unless it's something that's really hot.

They do have 24/7 coverage, but unless it's something that's really down or a real issue, if it can wait till the next day, you won't necessarily be able to get somebody on the phone that afternoon. The great thing is, I start at 7:00 a.m. Central anyway, so there is overlap for five hours of my time and that's been sufficient.

They have U.S. sales, but not necessarily U.S. support, but that's okay. It hasn't been a problem.

It's not hard to escalate when necessary. If I send a second ticket or ask for some kind of update, that dedicated service manager responds pretty quickly. Most of the time, he'll actually be calling me and seeing what else they can do. They've been really great about turnaround speed and communication.

Netsurion's SOC team is who I report my issues to if I want to open a ticket. It's part of the managed services but it's not the only piece of that service.

When I got here, the CISO before me was retiring, and he was about 75 percent of the way through the implementation. I did about the last 25 percent of the agents. So I can't really speak to the setup.

But I can speak to upgrades, and those have gone seamlessly. That is part of the managed services that we contract with them. They do all the upgrades for us and make sure they perform correctly and make sure all the agent endpoints upgrade correctly. And if they don't upgrade correctly, they have to take whatever actions are necessary.

But I don't see why the initial setup wouldn't have been fairly straightforward, because of everything else I've seen in the tool. They seem to have really good documentation and they definitely have really good support staff, if I've got any kind of questions or problems at all.

The time an upgrade takes depends on if it's a major or a minor. If it's a minor upgrade, like a 0.1-type of upgrade, those usually take place overnight. Their headquarters are in Europe, so by the time I get into work at 7:00 a.m. Central, the smaller ones will often be done. Otherwise, they'll give us the outage window, and it depends. The 8.0 to 9.0 was almost like a forklift. It was almost like a whole new product. That one took six to eight hours.

But the great thing, the way their product is designed, is if the endpoints can't deliver their logs, they will just keep on collecting them locally. As soon as the server comes back online, they deliver them. I never lose anything. It's just I didn't have the ability to query during the upgrade period. That's another thing that's wonderful. It's not like I have some little moment in time that I sure hope something hasn't happened, because I don't have visibility. I do have visibility. It's just a matter of whether it is actually in the query tool yet or not.

When I first got here, we had some problems pushing out some updates and we never did really resolve it. It was something within our environment. They don't have that problem in other customers' environments. But they came up with a workaround. They're responsible for doing those, and it's been flawless.

We didn't have a competing product. This solution was just slowly pushed out to the various things that we wanted to collect data from. Initially, all of our on-prem servers had agents installed, including various versions of Windows, Unix, and Linux-type hosts, as well as to our networking equipment and our firewall. Some of those things collect syslogs, while the Windows boxes, for example, have a real agent on them.

The process was that the console was stood up and we slowly we went after our prioritized endpoints. Things like our domain controllers were first. We slowly moved down the priority list until we got to the low-value assets. Those were the ones that I implemented. So the critical components were already in place when I got here.

We feel that we're getting a real ROI. Between having the managed services and having the product on-premise, we feel like we're almost getting the managed services for free. They've given us a very good price.

Based on industry standards, it's saving me at least $25,000 to $30,000 a year.

If you look at competing products, Netsurion is less than 50 percent more expensive, and I pick up all those managed services. I pick up half an FTE without having to pay benefits.

I don't know the reasons why they put this in right away, because we were in a three-year contract — but at the end of that three years the price was going up. I don't know that we had done the math on it before, and we thought, "Whoa, wait a minute."

So I actually did look at AlienVault, which was a good competitor technically, but I could never find anybody who could give me any decent price to help with that managed service. So either I was going to have to pay a lot more, and sometimes upwards of double what I'm paying Netsurion, or I was going to have to hire an FTE to do it. There's no way that that would work out financially. When they heard that we were shopping other products, we negotiated with them and they came back and agreed to put a cap on the price. We've been thrilled with that. It's worked out really well.

Compared to others, Netsurion also has even more services. We have bi-monthly calls, reviews of what happened in the last 2 months, including things that might still be outstanding. They've reported things to us and we'll say, "Hey, we need an update on this." Or, "Are we closing this issue?" They bring those things up every other month. There are a lot more things that we could license if we could afford it. We would love to license all of our workstations. It's not that they're trying to price-gouge, it's just the size of the environment. And you have to determine what other tools, besides a SIEMphonic-type tool, you want. We've been pretty happy with what we've been able to deliver.

One thing that differentiates Netsurion is that they have the total package, or as much as you want. They can run the thing for you, as they do for us. They can offer all kinds of different services beyond just the SIEMphonic services. They're also a much more robust company and one that offers a lot more than somebody who's competing for just any single item that they offer.

When we were negotiating the price, we had bought more licenses than we really needed for our servers. But you can slice and dice and change things up. Even within the managed services, they can run the weekly reports for you or not. They can do the upgrades for you or not. They can do the bi-monthly calls or not. There are all kinds of different things they can do. So we right-sized those services and "trued-up" our licenses to what we really needed, with a little bit extra for growth. We came to a good agreement. It was a bit of a win for them. We gave up a few things that we didn't really need anyway and we were able to maintain our level of service that we had had and had come to expect.

My advice is to get your PO out and make a purchase. I have referred several other companies. I'm involved in several security organizations and it really is one of these diamonds in the rough. I know they have US sales but I think they're a lot stronger over in Europe. I think they're a little-known, hidden secret in the U.S. I know they're in the industry review reports, but I don't think they get the press and the prestige that they should, because they have a really excellent product.

Of course, certain government organizations can't do business with support overseas; there can be limitations. But I'm definitely an evangelist for them. We really like their product and plan to keep it for a long time, provided, pricing-wise, it doesn't get out of hand. But I think we've reached a good agreement that we can all live with. We definitely feel like we're getting value for it. We have no problem writing the check every year.

This is the first time I've really worked, on a regular basis, with an overseas-support vendor. The biggest thing was getting our support hours lined up. I don't want to sound like I'm dissing them, that if we were in a world of hurt and had something that really had to be taken care of that they wouldn't respond to that. But we had to adjust our workflows knowing that, if we really need to get them on the phone, our morning is the best time to do that.

Other than that, the convenience of it, being able to think of how else we can use it and what other kinds of data we could send to Netsurion to help us out, has been instructive. For example, we have a mail product called Proofpoint that actually front ends our email and pulls out spam emails and those sorts of things. We were able to send the over the logs from that and look for any emails that were going to more than a hundred recipients. And Netsurion could give us real-time alerts and that would often tell us if an account was compromised. So there are unique ways like that to think about using it. What are some of the data of things we're trying to track down that we could send over to Netsurion and have them alert us in real-time so we don't have to run a rapport or figure out, three days later, that something went on? We can find out right in the heat of the battle what we need to do.

Netsurion's dashboard is probably good. I don't log into the console every day and I don't use it operationally, in the way some people would if they didn't have those managed services. So dashboard-wise, I don't use it as much. I do use their intrusions worldwide map from time-to-time, but beyond that, because I don't get into the console on a regular basis, it's not as useful to me. But I feel like the console would be very powerful with the widgets they can add to it. They've demoed it for me but it's just not the way my workflow is.

I usually view Netsurion on just a single, 23-inch Windows screen. I don't have any real-time thing running all the time. I strictly use it on a desktop.

In terms of deployment and maintenance of the solution, we don't have anybody additional here. There was a CISO that I replaced and everything else was from the managed service side. We do have one system engineer here who maintains the box, the virtual server that it runs on. But that is a part-time responsibility. He really hasn't had to get involved since I've been here. So there has really been no additional staff. It was just an additional tool that was put into the environment and one that is a tremendous asset for us. There are four individuals besides me who use it and they're all in the server admin group.

Version 9 was a tremendous step forward for them. I don't know how long they developed that one, but they really took the right direction with the product. 

Overall, we're really thrilled with them. If I didn't have the managed services — and it wouldn't be the product's fault — I wouldn't be as thrilled with them. But that service really takes a lot off my plate and frees me up to be able to do the other things I need to do in the organization.

It's a system incident and event management platform. The typical use cases that go along with that are alerting and syslog aggregation.

Their run-and-watch service (now renamed SIEMphonic) has saved from having to hire at least one FTE. In addition, having an expert set of eyes on things and their assistance with rules has been a huge time saver. They've been a really good partner.

We are logging everything from Windows client workstations through our server stack, through important, critical web and cloud pieces, like Office 365 logs and web server logs. The latter would include IIS and Apache. All of that information is being streamed directly into, and assimilated by, the EventTracker product. It seems to be doing the job quite well. Having that visibility into the data is useful. Their interface is simple enough for us to be able to use but advanced enough that if we wanted to do some more advanced queries — which some of their competitors admittedly do a little better out-of-the-box — it hits the wheelhouse perfectly.

We're signed up for their weekly observations, so if they find something big they're going to notify us immediately. But having a management-level synopsis once a week has allowed us to not only replace the one FTE, but also streamline our prioritization of work, based off that data, as well.

Other than the log aggregation and alerting, their reports modules have come a long way. But for the most part, we stay right in the wheelhouse of the product to use it to the fullest extent.

The previous version, version 8, had a somewhat antiquated UI. The new version 9 is much easier to use and brings it into the current realm of development. It's very easy, very sleek, and designed relatively well. The version 8 to version 9 upgrade was complete night-and-day. It's significantly improved, and they're putting resources into it to make sure that they continue to stay up to date.

I like EventTracker's dashboard. I see it every time I log in because it's the first thing you get to. We have our own widgets that we use. For the sake of transparency, there are a few widgets that we look at there and then we move out from there. We're into the product looking more at the log information at that point. Among the particularly helpful widgets, the not-reporting widget is a big one. The number-of-logs-processed is also a good one. We call that log volume. They're helpful, but we try to dig in a little deeper, off the dashboard, more often than not.

In terms of advanced queries, I wouldn't say EventTracker is lagging behind its peers. The latter just make it easier to get to them. EventTracker is designed more for a small to medium type business, which is where we fit. With a competitive tool like Splunk or LogRhythm, you're not going to get what you get with these guys out-of-the-box. With EventTracker, you're going to have to build all that yourself from scratch. You're going to have to learn that markup language to do so.

I want to stress: We're very happy with not having to deal with that out-of-the-gate. If we need to, we can always call support and they can assist us in writing those more advanced queries. The functionality exists to do advanced queries, they're just not right in your face like they are in a competitive product. But for us, that's what we want.

There's always room for improvement in terms of performance and alerting options. It would be great if they had a client for phones by which they could push a notification to us, as opposed to via email. But those are all things that they'll grow into over time.

We've been using EventTracker for just a smidge over three years.

It has been extremely stable. Very rarely do we even realize that it's still running, and that's good.

We did have a few concerns with the scalability in the beginning. Our initial concerns were about scaling it and, if we blew it out, were we going to run into performance issues with their agent piece using too many resources on the client or running out of space on the server? But those concerns proved to be unfounded. We have 700 or 800 endpoints streaming data into it without any noticeable performance or any other issues.

We're using it almost to its full extent at this point. We're in that 90 percent range. We currently don't have any plans to move away from it. We're utilizing the features that pertain to us. Anytime that there's a patch or release, we look at the new features to see if they're applicable for us.

The EventTracker team itself has been great. We can call them for pretty much anything related to their product. They will offer suggestions, advice, and best practices on ways to do things. It's like having another team member here at our disposal, working with their product. I believe that is their standard tech support.

We're paying for the run-and-watch (SIEMphonic) so we're getting an extra set of eyes on things, but when we call in, their support is top-notch. I would give their support team a 10 out of 10. That is a given. Of all the products and vendors that we've used, I've never had a more positive experience with a support team than with EventTracker's support team.

We did not have a previous solution. We do annual audits, and the lack of a SIEM showed up in one of our audits as a piece that we needed to start investigating, four or five years ago. We knew that issue was coming. We were too busy dealing with some other things, but when it showed up in the audit, we pushed it up the priority food-chain. We weren't really having any issues by not having a SIEM, but having all the logs in one place sure makes troubleshooting a whole lot easier. if there was an Achilles heel, that was it.

We were looking for an easy-to-manage SIEM that provided the functionality that we needed. Since we're a relatively small IT staff, the part that really made EventTracker stand out to us was the run-and-watch service (SIEMphonic), where they are an active partner, reviewing the data that we get, so we don't miss anything. They're acting as a backstop to us.

The initial setup was completely painless. They gave us a spec sheet for the on-premise server. We built a VM that matched that spec, and they then installed their software and got it up and running. We could be as involved or as uninvolved as we wanted to be; that was our choice. When it came to deploying the client pieces, they worked with us to identify which machine should get it and when. They took care of the pushing of that information out. When we started getting the data in, and it came time to start tweaking the rules, they took the lead on that as well. It really, truly was a painless process.

The deployment took less than a week. We had an analyst at that time who was running point on it. I wasn't even involved. I didn't need to be involved in it at that level. One of our entry-level analysts was able to work with them to get everything caught up.

I and one analyst are involved in the day-to-day maintenance of the application. Our entire IT staff, nine people, uses it for log review and incident correlation. We try to put the information out there for the rest of our team members to use.

We have been able to save at least one full FTE. The amount we would have to pay that FTE, including benefits, is way more than what we're paying EventTracker for the annual maintenance. It had a positive return on investment almost immediately for us.

Our cost is significantly less than what it would have been for one of the competitor's products, and that includes the run-and-watch service (SIEMphonic). You can go with one-, two-, or three-year agreements. We pay annually for maintenance on the product.

When we acquired EventTracker, we went through an assessment process, reviewing five or six different manufacturers of SIEMs. The frontrunners were the typical players: Splunk and LogRhythm. There were a couple of freeware options out there, but what really set EventTracker apart was their SIEMphonic. That was the big differentiator. We were able to get much more value for our money, and it met all the requirements that we had set out when we started the research.

There weren't really major differences between EventTracker and the other players. Ultimately, SIEMs do the same things. They collect logs, they index those logs, and they make them searchable. There's not really a difference on the surface.

The biggest lesson really isn't an EventTracker lesson, it's more of a SIEM lesson. And that lesson is: It's a lot of data. When you have a lot of data, it's going to take a while to study and learn that data, so you can react appropriately. Not all data is actionable.

Be prepared for the data. Be prepared to know what you didn't know before. And be prepared to weed out the noise from the actual data. That's where EventTracker's SIEMphonic becomes very helpful. My advice would be, if you're going to go with EventTracker, to go with the SIEMphonic service and leverage their support team to get your knowledge up to speed. So far, our experience with their support has been top-notch.

In terms of how we view EventTracker, we're typically just in a browser, so it's on whatever our standard is. I've got a couple of 20-inch monitors on my desk. It's sleek enough that it will work on a normal 15-inch laptop screen too. I have not looked at it on mobile yet, given the fact that it's an on-premise service. If I'm in the building, getting VPN'ed in across my phone is a little tough. But that would be the next iteration of the product, if we would decide to push up towards the cloud instead of being on-prem. We would definitely be looking for some sort of a mobile or a tablet-based mobile interface.

We have not integrated EventTracker with other products. Our service-desk tool is a tool called Samanage, which was recently acquired by SolarWinds and has been renamed Solar Winds Service Desk. We have not integrated anything with that since SolarWinds acquired it, because we wanted to see what SolarWinds was going to do with it. Integrating it into EventTracker is on the list. We'll do it if it makes sense.

I never rate anything a 10 out of 10, because nothing is ever perfect. But this solution would be at the upper end of that range. This partnership with EventTracker has been one of our better ones.

We are using it to centralize all of our logs and have alerting on security issues. 

We primarily import Windows systems and Windows Server logs (2012 and 2016). We also import Cisco ASA logs, then Cisco router and switch logs. The import works well. 

We send the Snort IDS alerts to EventTracker, e.g., high level ones like Ransomware and data leak type alerts, we are sending the Snort alerts to EventTracker. For things like ransomware, data leaks, and data exfiltration, we have higher incident reports created, so then it also gets sent to our email and phone. As an example, this Saturday night around four o'clock, we were alerted to an incident from EventTracker. They got a Snort alert about a data leakage or data exfiltration. It was a false positive, and that is good. But, this is just one way we use EventTracker.

It is fairly easy to use. I am mainly just a one man shop. I look at EventTracker about once a day as far as different incidents and stuff goes. I don't have enough time to be tweaking all types of different things. It is a fairly easy to use as far as the UI goes.

If I were to look at logs manually, there's no way I could do that. As an example, they are 48 million logs processed a day. There is no way I could look at all 48 million of those. So, it gives me a good structure to be able to look at the different incidents which are created and do different searches.

The solution's dashboard is okay. The one thing that we ran into are issues when we upgraded to the newer version. It uses Elasticsearch for the different dashboard entries. So, we were running on spinning disks, and Elasticsearch didn't work that well. A number of the different dashboards, like my dashboard or different things like that, pull from Elasticsearch. Since Elasticsearch really wasn't working, we were having some issues with that, but we just migrated. We just got a new fan, which is all-flash. Last week, the server was migrated from spinning disks to the new flash. Now, we have moved from hard drives to SSDs, and Elasticsearch is working a lot faster.

EventTracker's UI is okay. There are some issues that I have ran into. Some stuff doesn't display on different browsers, which you think would. You think you are missing something, and you actually are. If you use a different browser at work, it works differently. That is sort of frustrating. The big thing is they have a newer version or something out other than a new update to version 9. I don't know if they're on version 9.1 or 10 (or whatever). We weren't going to update until we could try to get the Elasticsearch capability (which we now have) and migrate over to the new SAN thing. 

There are a couple things that we had to tweak. One of the other things is we are getting DNS and DHCP logs from servers, which we thought required a different Microsoft hotfix, but it didn't. EventTracker's documentation wasn't current. So, it took a little while to get the DNS and DHCP logging figured out. Once we finally got it figured out, we got those set.

The searching capability has room for improvement. I know they are working on it. They have Microsoft SQL, then Elasticsearch, and it's hard to determine when I am searching what exactly it's searching through, as there is the Elasticsearch archive thing, RAID and the Microsoft SQL searching, and some like cache search things. So, there are about three different searches, and sometimes it takes a bit of trial and error to figure out what information I am actually getting.

Users need to be on SSDs in order for Elasticsearch to work well.

We have been using EventTracker for about five or six years now.

I use it on a desktop machine with a wide screen, like 20-inch monitor.

It's okay for what it does. They're trying to add more different capabilities. One thing that I will be interested in, when and if we upgrade to a new version, would be the different types of alerts offered. They do have some different type of prebuilt alerts. The big thing is it's hard to know what things EventTracker may not be alerting on. They do have the behavior correlation part, but when I looked at that, it was using Elasticsearch. Since our Elasticsearch wasn't working that well, this was sort of problematic as there are a bunch of different false positives and stuff.

We sort of knew there would be issues when we did the upgrade because of Elasticsearch and our spinning disks. The searching isn't as easy as it could be, as far as the three different search things that you can do. 

This is same with the different dashboards, as related to Elasticsearch. If we were to implement a brand new version and didn't have the hardware already, we would say, "Okay, we'll wait until we get the SSDs." But, we sort of earmarked a server. The hardware was on the old EventTracker. So, when we did the upgrade, we knew it was going to be an issue, but we didn't know how big of an issue it was going to be.

I know it's been working well for all the different log sources and stuff that we've been throwing at it. The big thing is we just have it on one big virtualized box. So, we haven't really had any instance or need to scale it beyond that.

I'm mainly the only user. My boss will occasionally use it when I'm out of the office, or something like that, but it's either going to be him or me.

We have it pretty much on all of our servers, firewalls, and routers. The big thing is we have a 500 license count. So, we have a number of different other switches and stuff which would be nice to be able to get logs and stuff from. At the same time, we are getting close to hitting up our 500 license count. Therefore, we're trying to figure out where we need to go as far as what systems are a must-have and what systems are a nice-to-have type of thing.

I find EventTracker support to be quite helpful. They have been quite responsive whenever I've had any issues. For the most part, they have been good to work with. There have been a couple times where there have been some issues that have taken a bit of time to try to get resolved and figured out. However, that is sort of par for the course for different products.

Before EventTracker, we did use another solution. I think it was a Symantec SIEM, but they discontinued it. So, we were looking for a different solution. 

The initial setup was several years ago, so I don't remember too much about it. The one thing that I do remember is there was like a database account that needed to be created, and there was some back and forth on that aspect. So, it took a little while to set up and get going.

Initially, we got it up and running, then we were going to deploy the agents on some noncritical servers to make sure that the EventTracker agent on the servers worked properly with collecting logs. 

In the security space, it's hard to quantify your return on investment. So, I don't. We spend about $40,000 a year and so. It's hard to say if the SIEM saved that much money.

When we first got the EventTracker product, we were using SIEM Simplified. At the time they didn't call it that, but it was more of a service thing. So, there was a bit more hand-holding and getting stuff set up, along with failure reports, that they did during the first one to two years. Then, we decided that the the additional money to have someone do these daily reports wasn't terribly useful, so we discontinued that service.

Licensing is interesting. By doing it by device, in some aspects, that can work to your advantage, and in some aspects, it can't. 

There are different licensing models. Back in the day, it used to be events per second and trying to figure out the number of events per second during the year that all of your devices are generating. If you didn't necessarily have a solution in place to begin with, this was a little frustrating. You might add another device and all of a sudden your events per second shoot up quite a bit. With a number of system-based licenses, it's been good. The big thing is is when you get up on that license account, do you continue to add additional licenses or start removing some systems that may be not as critical as others? Like, do we need to be getting logs from different Windows test servers out there? Ideally, yes. But it all depends on the pricing.

EventTracker's subscription-based model is interesting as far as yearly license type stuff. It's nice because you know what it's going to be next year. We haven't really looked at any other solutions. The pricing at the time compared to the other solutions was a lot less. A couple of years ago, we actually looked at Splunk. The amount in Splunk's licensing model is based on 20 gigs a day, or something like that. Based on our number of logs and stuff that we were already generating, the costs would be substantially more for the amount of logs that we would be getting.

We looked at a handful of different solutions out there. When we were looking at SIEM solutions out there, we were looking to replace Symantec. We were looking at Arctic Wolf, EiQ Networks, Secureworks, and Trustwave.

The primary reason we went with EventTracker and the SIEM Simplified service was the CIO wanted something that was a 24/7 monitoring type of thing. That's why we went with that service. But, when we found out at the time it really wasn't 24/7, and we wanted 24/7 monitoring from more of a SOC/NOC type of thing. The EventTracker support said, "We do have that." However, that wasn't necessarily the case. It was primarily an eight to five type of thing. Supposedly, in the last couple of years, they have changed it, and it is more of a SOC/NOC type of thing. 

This was one of the reasons: We were looking for a hybrid approach. Basically a SIEM that we could have on-premise where we could have someone else monitor when I was not in the office. EventTracker was able to create the different alerts and stuff like that. So, when I'm not in the office, I get alerts generated. However, we wanted some more active monitoring type stuff.

I would rate the product as a seven (out of 10). 

We don't use the dashboard widgets, but we are planning on it.

We use Netsurion as a managed SOC provider for them to be able to do visibility scanning on all of the devices within our network and to look through the log events that we have coming out of the devices and SaaS products that we have. They are looking at the logins through Microsoft Azure and Google Workspace, aggregating all that, and doing some investigative work to see if there are any incidents where there might be a possible malicious activity or any possible intrusions into the network. If there are any problems or issues that may occur and if they do find things, they are able to notify our team of those things or those findings that may be a problem for us. They send us an email to let us know what to look into and how to remediate things. That is how we have been using them.

We do not have a security team. By implementing Netsurion, we could utilize an external team to be able to investigate those things where we do not have the expertise or people to do that. That was the number one reason why we went to them and asked for help from them. We purchased their services to monitor all those things.

The integration of Netsurion with our security tools gives a unified view of our threat landscape. It brings everything into one single pane of glass type of view. We can see everything going on in our infrastructure. It is pretty important for us to be able to see everything in a single report rather than going through ten different tools, which can be a bit annoying. Having Netsurion describe everything in detail in one report has been pretty valuable.

Netsurion has been a pretty flexible solution for helping us protect our entire IT environment. For everything that I have asked from them in terms of adding certain SaaS products, devices, or anything like that, they usually had a solution to get them integrated into their product. It might not be the best integration, but they have figured out a way to get our security stuff into Netsurion.

There have been some incidents in the past where we had a scare of a possible virus infecting one of our machines or of possible intrusion. We pushed it up to their SOC team. They did investigative work and came back and told us their findings, such as things being fine on those devices and so on and so forth. Their SOC team has been pretty good in the sense of being able to jump on things and be able to work with us on possible issues that crop up.

Netsurion's SOC is pretty good for eliminating false positives. They have done a pretty good job of going through a lot of the log data that we have. They go through hundreds of tickets in a month, but we only see the reports. They only come up with critical or warning items. We get a handful of those compared to all the tickets that they create on their side that may look like suspicious things on their end. They do a pretty good job of looking and working out a lot of false positives on their end.

Netsurion has helped to boost our SecOps productivity by decreasing tedious SecOps management tasks. They have been able to provide a way of monitoring things so that we do not have to do that. They have been watching the environment and only bringing things to our attention when we really need to. That is something that we did not have in the past. We never had a security team, and we needed someone to watch everything. They are able to watch everything and look through everything that we have on our infrastructure, such as SaaS products and other products. They have shown value by only bringing up the cases that truly need interaction from our side. My team is able to go into a system or one of the SaaS products that we use and take action on certain things. They do the investigative work, and they do the penetration scanning and things like that and notice things. They bring anything they find to our attention. They have steps or procedures to take action on those things. Once we get all that information, our team goes into those devices or services to make changes based on their recommendations for the issues they found. In the case of a security incident, Netsurion has improved our ability to remediate.

They have a number of integrations with different products. Google Workspace is one of them, and Microsoft Azure is another one. They integrate with a number of other things, such as Duo for multi-factor authentication. They can pull the logs from Duo to see if users are coming from bad repeatable IPs or if there are malicious known IPs that may be popping up in the logs. They are able to see that, and they can identify that. Some of the other integrations they do are from inside your network. For firewalls, they can integrate with SonicWall, Cisco, Fortinet, etc. They have a pretty wide variety of things to integrate with and be able to pull the logins from those devices.

Integration-wise, there is a pretty vast area of things that they are able to integrate with, but some of the tools they have are not so great. One of my pet peeves right now is the maturity of the agents that you install on Windows and Linux devices. On the Linux side, it has not been a great experience. They support CentOS and Ubuntu, but the client tends to be a little bit cumbersome and not so great. It is just okay. It is not so great because the agent that they use is basically like a SysLog forwarder of the log system of the Linux system. When it gets pushed out, they do not receive the data as a hostname. It just comes back as an IP, so they are not able to detect the hostname. There are little tedious things here and there that I have not been happy about. This is one of them.

They have their programs and tools that you have to put into your own environment. We basically ingest all the log data and then push it out to them. I wish it was a little bit different than that where we just push directly towards them. I do not know if that is a function that they thought would be better in terms of security, but I wish that instead of doing that, it should go from the device to them and not from the device to another system and then out to them. There seem to be some drawbacks to doing that.

They need to work on the tools they have. The UI of EventTracker, which is a proprietary piece of software that they built, needs improvement. It is not the friendliest thing in the world. Those are the things that they should probably work on. I know that a lot of their tools have been specifically built around their team, and their team is very familiar with it, but that is an area they probably need to work on to get their customers or even get more clients. They need to work on the UI of EventTracker.

I have been using Netsurion for a little over two years.

I have not seen anything that has been detrimental in using the services. However, using the tool tends to be slow sometimes.

It is pretty scalable. They can handle a pretty large environment if they want to. Our environment is comparatively small compared to other corporate environments out there.

We have not necessarily contacted them. We probably only sent them emails a couple of times in the beginning when we had some issues with getting some of the integrations done. I would rate their support team an eight out of ten.

Positive

We did not use any other solution previously.

Some of it is a bit tedious. I am trying to get everything integrated for a lot of our servers and devices. That is a part of getting any managed SOC and intertwining them into our environment so they can start watching things.

In terms of maintenance, client-wise, when they do send out patches or any sort of client updates, we have to push them.

It is a bit expensive as compared to some of the other products that have come out in recent years. Expense-wise, the only downside is that it is not cheap.

We looked at a couple of solutions.

If you want a team that is pretty devoted to making sure your environment is secure, you should go for Netsurion. They have been on top of a lot of things. We have constant emails coming in. They jump on things. Their support team has been pretty good to work with for working through issues. However, on the software side, they are just okay. They need to work on some of their tools. They need some work on that side, but if you are looking for a pretty devoted team to watch your environment, they are pretty good.

Overall, I would rate Netsurion an eight out of ten.

Since we can't have 24/7 operations for our SOC, we hire out for that and have it as a managed service. This makes much more sense and allows us to focus on the day-to-day activities of the company.

Since it is a managed service, they take care of everything for us and just reach out when they have a question, there is an incident, or an important alert. That is the most important part for me because that allows me to focus elsewhere.

It allows us to avoid needing to employ people to stay during evening hours, which is a positive.

The solution provides an embedded MITRE ATT&CK framework. The framework is relatively new. I like that it is a curated knowledge base now. It is very important because it lets everyone know what is going on and being observed in the real world. It definitely helps in the analysis of whatever threat is found. Remediation is already built into the framework.

Their SOC team manages vulnerability management and IOC reviews. They stop bad processes when they happen. The best thing is their weekly reviews of what has been going on in the infrastructure as well as the things that they see and what we should look out for.

We haven't had any incidents, which is a good thing. It is a valuable product.

The solution provides actionable threat intelligence. It is not a passive service. They go in and perform mitigations on whatever they find. It is timely. They provide context, so it is understood by anyone who receives these reports.

It is important that Netsurion Managed Threat Protection has enabled us to consolidate cybersecurity technology, including SIEM, network traffic analysis, and endpoint security.

I would like faster responses when things are found. For example, when they inform me, it is usually when they begin to respond.

The MITRE ATT&CK framework could be faster when identifying and understanding sophisticated threats. Whenever something happens, we usually get notified a couple hours later.

Their SOC team can't understand our network because they haven't worked in the actual company. This does negatively affect security posture, e.g., if you don't have knowledge about the network, then you will miss things.

Personally, I would have deployed it on its own independent server. It uses a lot of IOPS and resources. Now, we have contention between our other servers on the same cluster.

I have been using it for at least three years. It was installed at the company before I joined.

It scales fine.

It is being used throughout all our systems non-stop, so we don't have plans to increase the usage or utilize it in different ways.

One person can maintain and work with the solution.

The SOC component is the most important part of the solution. I know who the SOC team is, so it is not someone different every time. I have seen changes in the team. However, for the most part, the team is usually steady. They are professionals in this and do a good job. 

They could improve by having faster communications. They always get back to us on the same day, but it is usually a few hours later. It would be nice if it was within an hour.

Neutral

We have seen time and cost savings. It prevents us from having to hire specialized people for this type of work. We would need to hire six staff members to accommodate the same service.

If you are not going to go for their managed service, then you will need to hire a SOC team, and if you are not going to hire a SOC team, then you are messing up.

I am sure that other companies have their own SOC teams instead of having a SOC-managed service, but this solution makes it cost effective for us.

I would rate it as a six out of 10.

EventTracker analyzes all of the different types of security events, it both aggregates and correlates. They send us a daily report of things like servers that aren't responding that normally respond and any kind of events that they see from the day before. If there is a serious perceived security event, they will call. I have two folks at InfoSec, so they will call directly and say, "Hey, we're seeing something here." Then between the two of them, they'll try and identify whether it is a true event or not, and then monthly, we sit down with them on a call where we talk about what's going on and if there are opportunities for improvement.

If there was an event that we felt they shouldn't have escalated to us then we'll let them know and we'll talk about how it could have been avoided or vice versa or if there was an event that we didn't get escalated but it should have been. We don't get a lot of those, mostly it's about, "Hey, we're adding this new device, we want to make sure it's on the list, so it's getting monitored", and things like that.

EventTracker enables us to keep on top of our work. We're a hospital, so we're 24/7. We don't have enough staff to do that, so they're able to monitor things off-hours, and then even during hours I get two people from InfoSec. They can't be sitting there staring at a screen all the time, they have to go out and do other things and attend meetings, etc. and so they're able to rely on the tool to correlate and then notify them either via pager or phone call if something comes up that is deemed to be important enough to be notified. That's huge for us because we don't have the budget from a staffing standpoint to have people on-site 24/7.

Back in the day, I used to work for Intel and we had a whole room full of people who just sat there and stared at the screen for events. It was in their data center group. We don't have that kind of staff. The only people half staring at a screen all day long are the call center, and they're the ones who take tickets and talk to end-users but they don't have the time to sit there and monitor the event logs and all of the other things. That's the value the tool gives us. I can have people doing real work and then things that need to be escalated are escalated. It saves us roughly two full-time employees. It cuts my team in half. 

EventTracker also helps us with compliance mandates. The tool helps us document that we're following best practice, that we're identifying issues and tracking them, and that we have logs of what issues were identified. That allows us to be able to show a lot of the documentation that we are really doing best practice. I just don't physically have enough team members to do that. This allows me to be able to provide that 24/7.

It's not just a tool, it's a service. The secret sauce is not the tool. I could buy a tool from a dozen vendors. I have a tool to be able to aggregate and correlate all of these events and send something to a screen. But if I still have to have somebody sitting there staring at a screen all day long, that's valuable but not as valuable as someone that has a team, that is an essential SOC, that is aware of what's going on in the world and is saying "I'm seeing this in seven places, including El Centro, let's get ahold of El Centro so they can start taking action on it."

There's nobody that's dedicated to internal incident management. I have two information security folks and they do everything from internal incident management to designing new implementations, to reviews of existing annual information, and security audits. They do all of that, but they don't sit there all day long, staring at a screen, looking at incidents, and trying to figure out what to do. That's the value that we get out of it. That's the extra value.

Monitoring our environment and reporting out different events is important. They perform a suite of services. They monitor all of our servers, all of our key infrastructure, like our DNS, our switches, all that stuff. They aggregate and correlate that quarterly. They'll tell us if we're getting a lot of login failures and something is going on or if something's weird.

I like the dashboard. Our security folks look at it all the time. They have it running, they have a big screen monitor in one of their offices and it's up all the time.

I don't use the UI very much but from what I've been told by the security team, it's very easy to use. Compared to other products, the team found it pretty easy to use. We've got the dashboards published on a large screen TV so they can look at it all the time, and then they typically have it on their desk. It is also available on smartphones.

We import log data into EventTracker. It feeds the overall picture of giving us a good quality view of what's going on in our environment.

Communication is always something that can be improved, but I feel that any time we've had a communication issue, it's quickly addressed when we bring those up at the monthly meetings. Usually, it's an individual that wasn't clear in the communication, it's not the process per se. You always have to be able to segregate if the process didn't work or an individual either didn't say the right thing or my people didn't understand what they were being told. So far, I have not understood or heard of any issues that were more process or tool-related, it's individual-related. 

The industry is changing. The landscape is changing all the time and they seem to do a pretty good job of keeping up with that. That's a challenge in information security. That's a target that doesn't just move. It moves from room to room, to room, not just a few inches, one way or the other. You're constantly changing. You're chasing a moving target that's really moving. It boils it down to here's what we think is going on versus our people. If all they did was keep track of what was going on in the industry, that's all they'd do because I only have two people.

I have been using EventTracker since I have been at my company for the past year but it's been at my company for several years. 

It is as stable as a rock. I have not heard of a single outage on it.

We haven't scaled it out to anything other than what we had. They've done a pretty good job of implementing it. Since I've been here, we've had a virtual server primarily here and there, but we have not done a lot of scaling out. There hasn't been a discussion about what limitations there would be.

It monitors all of our infrastructure, all of our servers. It's being very extensively used. As we grow those, we're getting ready to open a new building early next year, all of the equipment that goes into that building will be added to it.

We fully implemented it so I don't know that there's a lot other than organic growth that would need to be done.

My InfoSec team talks to support occasionally. There have been a few cases where they saw something they didn't quite understand, so they would call and ask for information, but it's been few and far between. I have not heard of any issues with support. I heard that their experience with them has been good. 

At a previous company, we used a different tool. It was a much more encompassing tool that does a bunch of different event monitoring, correlation, and aggregation. It was a management suite that did things like backups as well. I know when we implemented it at Intel, it was atrocious. The problem was the process. We had tens of thousands of servers and we implemented the tool and we turned everything on. Events scrolled by the screen so fast, you couldn't even see them. We had to say, "Well, wait a minute. Let's dial this back a little bit." They also didn't do a good job of aggregating or correlating. 

The main difference between that tool and EventTracker is the ease of use. That tool was all CLI based. Everything was command-line based. The syntax that you had to use with that CLI was very challenging and very specific. If you thought you were doing the right thing but something did work and it wouldn't warn you that you didn't do it right.

I have not been told that there were any issues when it was implemented. We have not done any major upgrades since I've been here. We've done incremental patch-type things but I don't know of any issues.

I did hear it was relatively labor-intensive, but that's because of all of the processes around the communication, like what gets communicated and what doesn't. That's to be expected anytime you're doing a lot of workflow work, that takes time.

There's daily maintenance in that they're responding to events or they're working on the tool. There is very little done as far as trying to make changes to the tool itself. Our information security team does respond to events. It's a chunk of their time. We don't have to spend a lot of time at all tweaking the tool. I wouldn't say we spend even an hour a day.

I have two people in InfoSc and a couple of people in my network team that reviews it. My help desk people will review it but they don't really use it per se. They'll see events and that's it. Most of the time that really goes to the information security team.

Our ROI is $160,000 a year before overhead, then adding in the overhead of 30 to 40% with benefits and everything else, it's easily over $200,000 a year.

They've been very fair. I think that we've had to push back a little bit here and there on pricing. 

The biggest lesson I have learned is that the outsourcing of this service has a dramatic impact on the organization. We can't just keep throwing bodies at it internally, we have to leverage somebody else's knowledge.

Some people don't trust outsourcing. I'm not a big outsourcing guy. But I really don't treat them as an outsource, I treat them more as a partner. You're going to have to do this one way or the other, or are you going to get nailed at some point. That's just the way it is. If you're not following these things, you're going to get nailed. If you trust them and you realize that they're doing things that you should be doing or are doing, you're going to save a lot of money out. It's going to be cost-effective for you. It won't just save money, it will be cost-effective.

I would rate EventTracker a ten out of ten. 

Having dealt with a lot of vendors and their sales, they are probably one of the more low-keyed. They're not out there constantly trying to sell me stuff. I don't know if it's because we have everything so there's nothing left to sell or not, but they've been very easy to deal with. Their leadership and their sales organization have been very easy to deal with.

We use it for logging all of our Active Directory activities, including authentication, alterations, and modifications to the AD controls and privileges. We use it for events coming off of both the servers and the desktops. And we also roll in the logs from our various security controls and devices, such as our antivirus tools, backup service, firewalls, the IPS, etc. Those are all rolled back into the EventTracker system. The goal is to eventually start taking advantage of the ability of EventTracker to correlate activity and alert on something that looks a bit unusual that we should then pay attention to.

We get a daily report that they've built, which summarizes all of the activity across all of those areas, on a daily basis for us. The types of log data we import into it include firewalls, server event logs, user workstation event logs, all of the Active Directory activity and authentications, and all of our antivirus logs and our patching service logs.

It's in the cloud. We use their console and we take advantage of their storage. We have them manage our logs and our archivals. 

The result of the reports on activity and the archiving for research has been that the operational teams are more consistent in the usage of standard practice which, from an efficiency perspective, has removed the need for the information security team to investigate issues that are out-of-norm activities. We are no longer doing an internal incident three or four times a week. We may do three or four in a month. That saved us significantly on the incident investigation side. We have pulled back 10 hours a week, on average, just from the security team. I would contend that it's probably also saved time that I'm not able to measure from the operations team because now they're not remediating things that we're pushing to them, and the user community is getting a more consistent experience from the support teams as a result.

There's this downstream value that I don't think people really think of when they look at products like this: What is the cause and the effect that it has on operations? In our case, it was to improve the efficiency and the consistency of the operations which, in turn, resulted in the user community getting a better experience. It's really hard to measure the user community improving its view and opinion of the IT support teams.

The report, each day, of the activities that have happened and the ability to archive and go back and research have been extremely advantageous for us. Examples would be a user having either inappropriately touched a file, or an administrator of the infrastructure altering rights or privileges for a user outside of an approved change-control or approved ticket. We have found that, over time, we've been able to mature the discipline of our operational teams by having the ability to see activity that might have occurred outside of standard practice.

In terms of the log data importing, our data went in very easily. That was one of the things that was appealing to us because the product set we use here for antivirus, single sign-on, the authentication services, and the patching services were all in the supported-product suite. So adding them in was simply getting them pointed over there and getting through the change-control windows.

There are a couple of widgets that I use. One is titled "A Possible Compromise" or "Potential Compromise." I use that because it is generally giving me feedback on the login velocity. I can see people who have authenticated to a system but, geographically, have authenticated to another system, and it's not possible to have done that within the time window that those authentications occurred. I find that it's generally a result of them authenticating to their mobile phones, because you don't necessarily egress the carrier's network from the cell tower you're associated to. In our case, we're in Boston. If you happen to be on an AT&T phone, you actually egress either out of Wisconsin or out of New Jersey. So if you log into your laptop and then you pull up email on your phone, it looks like you logged in from one of those two locations as well. We can dismiss those because we're getting used to what that looks like. 

As a result of that, we have picked up two or three folks who have shared passwords, usually with their administrators. They're traveling, they log in from someplace like Japan or Germany, and their admin happens to log in to help take care of an expense report. We tell them, "You have to stop that." We've picked up a few of those types of events. These are the kinds of things that we look forward to the product giving us more and more of as our usage of it matures.

I like the UI, overall. I like the main page and there are aspects of the search page that I like. When you bring it up, on the left-hand side of the page, as you look at the events, the ability to simply hit and click the plus/minus to pull events in and out of the overall view is well done and is very effective from a threat-hunting and an analysis perspective. I like the detail it shows. It gives some hints.

Occasionally, I'll use EventTracker on my phone because I got a phone call or an alert, but generally, it's on my large panel displays. All of the team has the same setup: multiple, large displays driving off of a laptop.

I tend to like more flexible and detail-structured interfaces. As an example, I don't like to manage my firewalls through the graphical interface. I like to use the command line because it's more granular and it lets me do things a little more quickly. EventTracker has done a nice job in providing both that graphical dashboard and Elasticsearch capabilities. As far as the direct command line goes, I would like there to be a little bit better help in that space. But the fact that they've got both in place is a bonus for the product. As I've learned more about how to do Elasticsearch, it's been beneficial. It's just taking a long time to educate.

I like the dashboard. Where there is an opportunity for improvement is in the interface used for performing the searches. You have to understand Elasticsearch search too well for the security team to be able to take really full advantage of that part of the product. It's not as intuitive as I would like it to be for new staff coming in. The general query capability is a little bit challenging.

Once I expand an event I can usually cut and paste out of there into the Elasticsearch side of it to get a broader view. But it's a multi-step process. I'd would like to see them add something that lets me right-click and immediately search to it, instead of having to walk through a couple of windows. When you're doing research on events, that kind of stuff adds up in your day. It's two or three clicks, but when you're driving through a bunch of analyses, that can start to add up quickly. When it's an event that you've got going on and you need to find out what's truly happening, time is of the essence. Anything that can shorten that would be beneficial.

We've been using it for just under a year.

The only stability issue we've run across would be the log forwarding off of the devices occasionally hanging up. I don't know if that's the EventTracker agent or the server itself, because there are a lot of applications running on those servers. But the console itself, I don't think it's ever been down, other than his patch which we just experienced.

We've done searches going back in the archives all the way to February when we first started, and it surprised me as far as the performance goes. We're not enormous. We're taking in about 3 million events a day. We're about 3,000 employees, worldwide. I don't know that I can give a good analysis on scaling.

It's meeting our needs really well from a scale perspective. We haven't seen a performance issue associated with the volumes we're running with, and we're almost fully deployed. Of the 300 servers, there are only about 10 now that don't have it. All of the 2,500 end-stations have it. It's taking all of that. We're 90 percent where we want it to be with the log sources and it hasn't changed its performance or behavior at all. It has scaled very well so far for us.

Our plans to increase usage are only as we grow. The company has growth plans associated with it, and as new staff comes on and the machines get provisioned, it continues to increase the systems that are feeding to it. We don't have any plans at this point to be putting in any other log sources, other than those we've already identified. I'm thinking of either homegrown applications or unique applications that might generate log files. We don't have anything on the roadmap today for that.

The support team was really good. They've got a very good support organization. Everybody we worked with on the phone, as we were doing the initial setup, and even as we've done different support calls or requests for help, has done a lot of work for us, which is terrific as a company. We'll need to figure something out or we'll need help to investigate a problem. We'll put a ticket in and they'll call us right back. They'll help run queries for us, they'll run reports for us for a specific incident. They're a very responsive support team, and that's their standard tech support.

It's a "wow." It's nice to see a company that does things the way they used to be done. I think it's because they feel they've got a good product. The support team is terrific. I've been doing this a long time and it's one of the better support organizations I've run across in the last 15 years.

We did not have a solution in place prior to EventTracker. Prior to this, in a company I had been at just before I got here, we used IBM's QRadar and, although we did look at that product here, I found that EventTracker was more appropriate for us.

I don't think that QRadar offered the same robust integration opportunities with logs and it did not offer the same correlation capabilities that EventTracker does. Also, we get a much better licensing structure and pricing structure. It's a much better value for the dollar with this product.

The initial setup was very straightforward. They stood it up, we started pointing log sources to it, and away it went.

They built the infrastructure, the receiving side of things, within a week. We were up and shipping logs within two weeks of the contract being signed.

In our particular case, and it's not a product issue but an operational issue, it took us until June or July of this year to get the logs rolled out or captured from the systems, after we started using it in February. The effective time window is that we've probably only had it for about three months. That was not because of the product. It took us that long to get the logs forwarded over to them.

The reason it took us so long was that we were, at the time, a pre-stage pharma. We didn't have product on the market yet. Just as we were bringing EventTracker into production here, we got approval for our first medication, which changed the nature of our operations from a research community to a fully controlled FDA manufacturing firm, as well. Change-control became a much stricter event. We missed the window to be able to push this out quickly, but it's nice to be commercial.

In terms of our deployment strategy, we had built a timeline or a set of change-controls that went through those several months to start rolling out. At the time we were doing this, we were getting to roll out Windows 10. So one of the first things we did was to build the logging into the core golden image. As Windows 10 boxes rolled out, they automatically started logging. We rolled out doing upgrades from Windows 2008 Servers. We did the same thing and put that into the image. On Active Directory it was pretty straightforward. The servers that were part of production, as far as manufacturing goes, those had to go in very specific windows based on production protocols. 

Overall, we built a project plan out such that every week and every month, from a production perspective, we would have windows where we could start to deploy. That's why it took so long.

We did it internally. It's very simple. There was no need for a third-party or assistance. It was a really easy deploy.

The value of a SIEM comes when you are able to detect something and avoid a problem. It is part of that larger "insurance policy"-type function. You never see a return on investment on an insurance policy until it comes time to use it. But we get value from it every day. Do I think that the investment in the product is giving us value for the dollars we're spending? Absolutely.

I look at it this way: If I need a truck to do my job every day, and my job is to haul two-by-fours back and forth between two job sites, do I need the Cadillac pickup truck or do I need the truck with the roll-up windows? They both do the job and they both do it really well, but the value is in the one that has the roll-up windows. It's doing what it's supposed to do. It's doing it well and it lets me retain dollars for other purposes. EventTracker is exactly that. It's giving me all of the features and functions that we need to do our jobs, and at a price point that's incredibly attractive. It allows me to save money and put money into other services to help reduce risk.

It's a simple product. It's a lot easier to implement and deploy than the other SIEMs I've used throughout my career. The advice would be that using it is a good decision. There's no reason to shy away from the product.

From an event-alert perspective, we haven't used them for that purpose yet. That's largely because the current security services we have in place from our vendors, CrowdStrike in particular, provide us a managed event system from the AV side. They proactively manage our antivirus that's on all of our machines and they also proactively remediate the machines. So we haven't felt the need, yet, to take part in EventTracker's alerting of detected cross-events. That will come in this upcoming calendar year. Our program here is only two years old. The security program itself was only in existence for about nine months before we started to engage with EventTracker, and deployment was earlier this year. We're still really in deployment mode.

We haven't integrated EventTracker with any other solutions. We use ServiceNow but we have not made any effort to integrate it. Our roadmap for ServiceNow is to do exactly that and take advantage of that integration capability and have it issue either alert tickets or work requests into ServiceNow for us, so that we don't have to do those manual steps. We are probably a year away from that.

There are two others besides me using it in our organization. They're both security analysts. There really isn't any maintenance. We've occasionally had servers that stopped talking for whatever reason but a reboot took care of that. Generally, what we're finding is it's due to an application memory leak on that server. But it's just working. There is no effort there.

I would rate it a 10 out of 10. The ease of deployment, the support that we receive from them, the dashboard console which I find to be very helpful, are all part of that rating. I would like to see some more assistance in the way that searches are built, but as I've learned how to search, it's getting easier and easier. Overall, it's a well-priced and functionally appropriate SIEM.