Securonix Next-Gen SIEM Reviews

We were using it for data loss prevention and data acceleration. We wanted a platform with a proper ticketing facility, and as and when we reviewed a user, we also needed a proper documentation setup. Securonix provided that. We were able to integrate playbooks and a lot of other modules so that we not only looked at a particular problem area but also at other factors. We didn't only want to look at exfiltration but also at any lateral movement inside the company by a user. We wanted to look at the outliers in a better way, not only in terms of a user's activity but also in relation to the peer activity to show that it is not a team; it is just a team member doing something wrong.

We most probably were using version 6.0.

It was very easy for us to do our manual threat hunting. We had a lot of instances where we found our internal users exfiltrating data. We were able to see that they were exfiltrating data. We could confirm that through the platform by taking a deeper look, which was very nice. It is user-friendly and handy. It allowed us to look at all kinds of activities and logs.

It provides actionable intelligence on threats related to the use cases. After you have done the configuration, it triggers an alert for any incident. This actionable intelligence is very important because it allows us to respond in time without missing the window of being able to take an action. Sometimes, threats are small, and the indicators do not pop up, but with manual analysis, we can get a complete view. So, it is very important to have real-time triggers.

We have been able to find a few true positives. Based on the triggers from the tool, we got to know that people have been exfiltrating data over a period of time. They had been doing it in small amounts, and that's why it went unnoticed. After the tool notified us, we discovered that one or two users have exponentially exfiltrated data over a period of time. Without the solution, just by looking at the logs, we wouldn't have known that. The tool understood the behavior and triggered a notification, and we got to know that. The users were not just sending our data to themselves but also to another vendor. They were contractors, and they were exfiltrating the data to another vendor. They were about to leave the company, and we were able to catch them before they left.

It reduces the amount of time required for investigations. If I had to check logs from different log sources or tools from different vendors and create tickets, it would have taken time. With SNYPR, we were able to perform a lot of actions within the same platform, and we were also able to push tickets to our SOAR management tool. Everything was in one place. We didn't have to navigate between different things. It was helpful for incident management. It took time for analysts to check whether an alert was a false positive or not and provide the right evidence. Having incident management within the tool reduced time in creating and closing some of the incidents. Instead of 30 minutes before, it was reduced to 10 to 15 minutes per incident. We didn't have back-and-forth navigation. Everything was in one place. 

It saved us a couple of hours of our day-to-day activity because everything was consolidated. Once I logged in, one or two hours were enough for me to look at everything and identify things to take an action on.

It has definitely helped us with threat management. Because of the sample use cases that we saw from Securonix, we were able to design a few of our own use cases. We would not have thought of those use cases in the past. We were able to add use cases that were helpful for our data internally. We were able to understand logs even better and create our specific use cases. It was good learning.

It is user-friendly. Its user interface is better than the other tools.

I like the playbook integration. In the beginning, we had a few hiccups because the tool was developing, but after that, the threat intelligence tool that we integrated got more accurate and better. The whitelisting and blacklisting of IPs, domains, or users were also working. 

Risk scoring was nice. We could exactly see which user had the highest risk score, and then we could pick it up and work on it. 

Securonix accommodates customer requests in the upcoming versions very well. They do their best to bring in the features required by a customer. We were able to have custom widgets for different departments or specific use cases. All tools do not provide such customization. Securonix was good at taking a request, reviewing it, and if it made sense, adding it. We got at least one or two features added. 

When they did upgrades or applied patches, sometimes, there was downtime, which required the backfill of data. There were times when we had to reach out and get a lot of things validated. 

I have been using this solution for about 2.5 years. Right now, I'm not using it, but I have used it in the last 18 months.

Initially, during patch management, we did see a few downtimes, which required a backfill of data. Before I moved out of the previous company, patch management and upgrades had improved, and the tool had become stable. The queries we were running weren’t breaking the tool. We were able to fetch reports for more roles and data as compared to when we started.

The company that I was working with was midsize. We didn't have a huge amount of data. We were accommodated pretty well. We didn't have any thresholds or limits, but I cannot speak for companies that have a huge amount of data. 

Their archiving and deletion policies also worked well for us. We didn't see any performance issues when the solution was ingesting all log sources. Its scalability was pretty nice. We started with six to seven data sources, and then we moved on to add a few more. It could easily accommodate any increase in the number of users or data. We didn't have to just stop at a particular point.

With on-prem, customers have control over the infrastructure, and they can tweak it, but a cloud solution is more simplified. You don't have the headache and overhead of maintaining your resources. So, it is definitely scalable. They partition you based on how big the company is. So, even if you move to a bigger scale, more resources get added to make it work better. It is seamless. We didn't have many issues. We had a few slowness issues at times, but they were resolved. We didn't have to deal with them for a long period of time.

Their support was pretty good. We didn't have any issues there. They were pretty fast. Anytime we had downtime or any issue, we were certainly helped. We got emails telling us how long it will take, and they would stick by it. There were a few times when there was a one-day or two-day delay in response, but eventually, it all worked out. We didn't have major issues. I would rate them a nine out of ten.

They also provide a review with their content team. For the initial few months, they did a lot of threat hunting and showed us why they think a user is doing something in the company and why it is something that is worth taking a look at. It was helpful to have analysts from their side and see how the users are doing it and what are the patterns.

Positive

I have only worked with this solution.

We had another engineering team that took care of its deployment. My involvement in its setup was only for providing the type of data that we need to pull into Securonix. Some log sources took a while in terms of the data format that we wanted and accommodating it with the APIs on the Securonix end. We only had issues with a few data sources. It wasn't a very difficult process, but it did take some time. It took about two months.

Overall, its onboarding was pretty smooth because we were on SaaS. In terms of the strategy, we had to provide the data sources that we needed. They were divided into three levels. We first integrated one or two data sources, and when we saw it triggering, we integrated a few more. We also worked on fine-tuning it for false positives with their content team. They trained us on various use cases and algorithms behind those use cases. If there was any incorrect trigger, they explained the reason for it. It did take quite some time to configure it for our own custom use cases. This phase took more time than the initial integration of data sources. It took at least two to three months to onboard all the sources.

Because it was a SaaS solution, they did the maintenance. It didn't require any effort from our end. It minimizes infrastructure management. In case of downtime or outage, they used to notify us and fix the issue. It did not require our intervention, except monitoring and checking if things are running fine.

They provided flexibility in terms of features and patches. If we wanted to stay on a particular patch or have a few features in the next version, they were able to accommodate that. They were able to add our features even when other customers did not need them. 

There were two people on the engineering team from our side, but I am not sure how many people were there from the Securonix side. For integration, two people were there, and then there were four analysts at the beginning to support the tool and give feedback.

We most probably did see an ROI. I was working only at the analyst level. I do not have the numbers, but it did improve the efficiency to do more in less time. In the beginning, we were hesitant to use a new tool, but it soon became our go-to tool for checking and verifying any issues. We started engaging with the tool quite a lot, and it probably saved four to five hours a day. Documentation and ticketing were the biggest challenges, and it helped in having everything in one place. We could just click on a ticket and see everything.

I had heard that it was much cheaper than Splunk and some of the other tools, and they gave us a nice package with support. They accommodated the number of users and support very well.

My team had definitely looked at other tools, but I was not involved in the PoC. 

I would advise having a look at it. The user experience or the user interface is definitely better than other tools, but you need to see how it interacts with your data sources and how easy it is to integrate it with those data sources.

It took us at least four to five months to realize the benefits of the solution from the time of its deployment. It depends on the log sources you are concentrating on and want to fine-tune. Most SIEM tools, including Securonix, have a lot of use cases that can be tied to Windows, VPN, etc. Modifying and tuning just one log source is not enough. You should tie different log sources so that you get an idea about any lateral movements. Everything that flows into a SIEM solution has to be tuned. If I'm sending a raw log in any format, it needs to be properly sanitized and tuned for my security requirements, which takes time. We had to go back and forth and get a lot of things fixed. It takes a while for the tool to understand and start triggering based on a specific activity.

False positives will always exist. They won't completely go away. When we first deployed it, it used to trigger alerts for 500 to 600 users, which had come down to 20 to 30. It needed continuous fine-tuning, but as an analyst, I was no longer overwhelmed by hundreds of alerts. It took a while to get to that stage and involved a lot of blacklisting and whitelisting. Even though the false positive rate had come down to a pretty good number, we still had to intervene and verify whether it was a false positive or not, but it was easier to do.

It hasn't helped to prevent data loss events, but it has helped to reduce further loss of data. We got to know about an event only when it had already started to happen. When the tool identified that something was happening, it would alert us. If an analyst was active enough to understand that and put a stop to it, it could have prevented any further loss, but I am not sure how much a data loss event would have cost our organization, especially in intellectual property. However, we figured out that about 40 to 50 GB of data was sent over a period of time. It was sent in small bits, and it included confidential reports, meeting keynotes, etc. We would not have known that if the tool had not notified us.

I would rate it a 10 out of 10 based on the experience I had. We didn't have any major issues related to slowness or querying the tool. Querying was pretty simplified, and there were also documents to know the processes. Their support was good, and they were also good in terms of the expansion of the tool. When we wanted a new data source, they were there to review it and modify it with us. They provided good assistance.

We are using it for Azure logins outside of US and Azure brute force use cases. We have use cases for our firewalls, like Palo Alto. These are use cases that we created ourselves. These are not the use cases out-of-the-box that Securonix provided us.

Without this product, my organization would not be able to function at all. It is our main monitoring product for our clients. We monitor everything through it. Securonix Security Analytics is the main process of providing services to our client because we are a 24/7/365 security operations center. So, Securonix is helping me out on daily basis all the time, every minute.

Security Analytics helps provide actionable intelligence on threats related to our use cases, which is very important. They are improving it almost on a daily basis. They send it to us and keep it running on the back-end for all the tenants. If anything gets raised, according to the threat intelligence that they have generated, we will get an alert. We will then start digging into those events. After that, we work with clients to respond to that incident.

The product can help increase efficiency. My analysts were working 12-hour shifts when we started. Now, they are working eight-hour shifts. However, it also depends on the person and how efficient they want to be. My analysts are monitoring, training, and doing their certifications all at the same time. This definitely divides their attention.

Features, like Spotter, are the most valuable. Spotter is a wide range of research for any of the incidents that happened under my clients' data. 

They also have a feature that separates violations according to top violators. So, I can go in and see all the use cases that got preserved under them. It is an intensive search type of thing. You can just keep digging in. There are other policies attached to it. There are some remediation steps and recommendations attached to it. 

Securonix’s analytics-driven approach for helping to find sophisticated threats and reduce false positives is pretty good. We are allowed to fine tune according to our requirements and our clients' requirements, which does reduce false positives. In the last 24 hours, the total number of policies with triggers was 233. When I started with this product, the false positives were 561. Therefore, the solution has helped by tuning or reducing false positives.

It helps us find sophisticated threats.

The monitoring, analysis, and visualization of data that Securonix provides is good. However, there are some things that I would love Securonix to change. For example, they don't allow us to make changes on the graphical reports that they have integrated into the platform. We have to create our own. If we just want to take out one thing, our page should allow us to change that template just for our platform. I'm not talking about changing others' platforms; this is just for my platform. They should allow me to make changes according to my scalability. I would like a little bit more changes in the analytics and visual views that they already have out-of-the-box in the platform. They are working on this, but I have not heard from them for a while. I'm satisfied with the visualization that they have, but I would like to get some more out of it. For example, I am taking the report and manually making changes. I want all those changes already integrated and automated, so they are automatically done in the product.

I would not say its threat hunting is easy or difficult to use. It is medium because it totally depends on the data that is coming to you. It does not depend on the platform. It depends on whether you can find the correct attribute that you need to look at, then you can go further on that. They are working on this. They are introducing more features, e.g., they have a couple of updates pending at this time. They are working on it to cut down the steps. If I am doing 28 steps right now just to onboard our data, then they are cutting those steps down. They are also putting more automation in the solution. While they are working on these improvements, it is just a matter of time. 

It ingests 85% of all our log sources already built into the product when investigating threats. If the data sources have the functionality, Securonix will create a custom parser for us on a request. If the functionality is not there in the product, then there is a difficulty, but we can still ingest it through the file base, etc. However, I am not a big fan of the file base because a user is creating a file per day for data that was generated the day before. Specifically for activity that has already taken place, we can prevent it, but we cannot stop the activity.

I have been using it for a year and three months.

It is pretty stable. Out of 100%, I would rate the stability between 80% to 85%. 20% can be unstable for any product. There can be bugs. There can be a failure in the core or a syntax error in the core. When I notify the support of these types of issues, they quickly fix the problem for me.

We have experienced a few performance issues, about 10%, when Security Analytics is ingesting our log sources. This can happen with any product. We informed them that we are facing this issue and get pretty good support on it. 

Scalability is pretty good. It does grow with our license. We work according to EPS. So, as our EPS pool grows, the solution will keep growing.

Cloud Scale is super scalable. You can scale Securonix pretty well. Even if you have too much data coming in, you can figure things out or put more resources on it. Securonix is pretty good at doing these things. For example, they have load balancers already in place, which automatically take care of these things.

There are 12 of us right now using the solution. I'm the senior engineer, and I have eight analysts who are using it. I have a senior manager who is also using it.

Six months ago, if someone asked me about the support, I would say, "Not good." Now, the support is pretty effective. They try to resolve problems ASAP. For example, if it's a critical ticket, they get it fixed within an hour.

I would rate the support as eight out of 10.

Positive

We had a generic system previously, which has none of the things which have helped us by using Security Analytics. This solution automatically detects threats. There is a response bar that we can deploy. There is an email notification. So, if I am not available, then I will get an email that I can respond to pretty quickly. As far as threat detection, we get policy updates every three minutes. Therefore, if anything is detected, it will be right there on my screen.

I have previously trained on FortiGate and Splunk. Securonix and Splunk are not that different. Splunk has a lot of things on one screen. Whereas, Securonix tries to clean it up.

If you follow the documentation, it is straightforward. If you don't want to read, it will be complex. I don't review documentation anymore. I did it twice when I started, then I went in, wrote a batch script, and automated the whole process. Now, I just need to make some changes before running that script.

The deployment takes 35 minutes on the client side.

I am the only person involved in the managing and deployment of the solution.

If there is any kind of setup that needs to be done on the cloud side, Securonix does that for us. I integrate clients with my platform, but Securonix takes care of the back-end.

The Securonix cloud-native platform helps minimize infrastructure management. We don't need that much manpower. If there is infrastructure to maintain, I need an engineer to maintain infrastructure, a software engineer who will look for the application, a security unit who will look for the threats and attacks, and a response person. Now, I don't need a software engineer or infrastructure engineer. That has gone away. Currently, I need only a security engineer and response person, which one person can do. We can also hire two people to do the different jobs. That is no problem. 

We don't have to put more focus on infrastructure, which helps. There is a little bit of an infrastructure included, but that is a one-time setup thing. You don't need to go and maintain it again and again.

Securonix Security Analytics adds contextual information into security events. For example, on a generic system, if I used to put in an hour, now I'm putting in 35 to 40 minutes on this. So, it's saving me about 20 minutes of time.

Compared to the pricing of other products, Securonix's pricing is pretty good. Clients can get half of the price of other companies by going with Securonix. Other products, like IBM and Splunk, have pretty high pricing. Nowadays, we see CrowdStrike as up and coming, and they are pretty expensive. 

Pricing does depend on what model you are looking for, e.g., are you going for an MSP or single tenant?

I don't find a lot of difference between solutions. Everybody tries to improve their product over time. I do free testing for multiple products, and they are basically copying each other's functions.

I like Securonix because I am familiar with it and can do threat hunting in 10 minutes instead of the 30 minutes that it might take if I used other solutions.

According to my clients and the security world, I cannot eliminate all the false positives because you cannot let false positives go. You need to make sure that there are no attacks attached to that false positive. So, we have a team of analysts who monitor it every time. So, if a false positive policy gets an alert, then we just go ahead and make sure to analyze it. That is okay. If it is a false positive, then we mark it as one. We did eliminate a lot of false positives, but not all of them. It is our choice, not Securonix's, what we want to keep or eliminate.

I would rate Securonix as nine out of 10.

We are using it for monitoring firewalls, Windows operating systems, some Linux operating systems, active directories, and some of the solutions in the cloud such as Office.

In terms of deployment, everything is in the cloud. Our licenses are on the cloud. We don't deploy anything on premises except the RIN.

We are a managed service provider, and we offer this service to third-party clients. Most of our clients are very happy with the solution. We can detect a lot of threats, which are not false positives, and we can describe the threats very well. A lot of information can be obtained from this SIEM, and we can provide very good incident reports to our clients.

We were using another solution previously. The other solution couldn't compete with the features and functionality that we were looking for as a managed service provider. Some clients ask for specific features, and we couldn't complete those needs with other products. They were more about calculations, such as events per second (EPS). With Securonix, it is easier to sell the product and make quotes for our clients. It has helped us a lot at the administration, commercial, and operation levels.

It provides actionable intelligence on threats related to our use cases. It can detect violations and reduce false positives. This actionable intelligence is one of the most important parts because we have suffered with some of the other solutions in terms of receiving a lot of events and alarms where most of them were false positives, which made it a bit difficult for us to investigate and generate incident reports. Securonix is handy for engineers and the security operations center.

Its analytics-driven approach is pretty good at finding sophisticated threats and reducing false positives. When it comes to monitoring network devices, such as firewalls, it can detect behaviors that would be difficult for other solutions to detect or for normal engineers to detect manually. It has a lot of violation policies, and it is very handy and helpful at this level.

It adds contextual information to security events, which is one of the most important points. We can fill a lot of information into our reports for our clients.

Everything is saved for us and indexed. We can review any event we need within three or six months. We can review even when the data is in the cold phase. We never faced any case where we lost any event data. When clients asked about some events in the past, we could find them very easily and without any issues by using the queries.

It improves analysts' efficiency to do more with less time. Spotter is one of the best tools for me for searching and visualizing various things such as policies. With the Spotter language, you can search for whatever you need. You can search for any endpoint, any IP, any hostname, or any violation name. Even though it is not very fast, it is fine for us. Splunk or Elasticsearch is faster than Securonix because this is their job. Even though Spotter is not as fast, it has been helpful for us.

The detection of threats and reduction of false positive alarms as compared to other solutions are valuable features. It has improved threat detection response and reduced a lot of noise from false positives as compared to our previous SIEM solutions. This was one of the reasons we decided to try or move to Securonix. Other products generated thousands of events, and a lot of them were false positives, which made it difficult for us to handle all the events. For example, we were monitoring a firewall internally, and that firewall generated about five million events per month. The previous product detected almost 1,000 to 1,500 events as positive events, whereas Securonix generates less than 200 events, and most of them are not false positives.

It can integrate with a lot of solutions. Being able to ingest all our log sources when investigating threats is one of the good points of Securonix. After we started to use Securonix, we could integrate a lot of solutions, which we couldn’t do previously. It works with many devices, platforms, and cloud solutions. It is pretty good in terms of integration.

The incident response area should be improved.

It is more difficult than other products, but overall, it is good. The platform has a lot of options and functionality. So, you need to check almost everything. For new engineers or people who don’t have much experience with this kind of platform, it is a bit difficult, but for experienced engineers, it is not that difficult.

When you have been doing a lot of work for about one or two hours, and you have a lot of tabs open, it slows down or gets stuck. There is a delay of 10 to 15 seconds in opening tabs or dashboards. I don't know why this happens, but for me, it is not a big issue. I just wait, and that's all.

I have been using this solution for one year.

It is stable, but it slows down or gets stuck when you have a lot of tabs open.

Overall, it is scalable, but when you are investigating a lot and you have a lot of tabs open and are involved in big work, it sometimes becomes slow or gets stuck.

In terms of its users, our SOC team has three engineers, and I am the fourth one. We have three clients for now for Securonix. We use it internally to monitor our company. Overall, there are five or six users using the interface, investigating, and reporting to the clients.

Most of the time, their support is very good, but sometimes, we had to escalate the issues. Sometimes, we opened a ticket, and we immediately received an answer for fixing the issue, but at other times, we got a response after one, two, three, or even seven days. I guess it is based on the impact or severity, but when we have an urgent issue or problem, Securonix solves it very fast. I would rate them an 8 out of 10.

Positive

We were previously using Splunk, and we wanted to continue, but when we did the evaluation, we found Splunk to be more difficult to implement than others. It is fine to operate it, but its implementation is more difficult. It also had fewer features than Securonix. Securonix is dedicated to security information event management, but this is not the main functionality of Splunk. Even though Splunk is very strong in security, and we have been using it, when it comes to, for example, machine learning, Securonix has pre-configured policies. So, we don't have to spend that much time, whereas when it comes to Splunk, we have to configure everything. We have to install the applications and configure the dashboards. Considering the functionalities, features, and pricing, we felt that Securonix would be the best option.

It is better than previous solutions in terms of threat investigations and onboarding. That's because most of the other solutions are based on rules. Sometimes, there is no intelligence when it comes to detection, whereas Securonix has policies that are a collection of rules. Securonix doesn't only extract the log and tells us that it is a low-impact event or informative event. It also tries to correlate most of the events according to the policies and takes us to the main point. This is how Securonix has helped us to reduce a lot of false positives. Other solutions only worked with rules, and they only sent us events. We had to review most of those events, which is not the case with Securonix. It has a lot of policies for all types of detections. There are almost 1,000 policies, and Securonix can correlate various types of behaviors and pieces of evidence to detect advanced threats. It is good at this level.

We have the cloud license of Securonix. Everything is on the cloud. We only implement RIN on-premises, which is straightforward. You just download the executable, give it permission, and execute it. You provide the information it asks. There are a few packages that you need to install previously, but overall, it is very handy and straightforward.

I implemented it on my own. 

Its price is fine. We found it to be cheaper than LogRhythm, Exabeam, Splunk, as well as Elastic Security. A few months ago, when we were comparing Securonix with Elastic Security, we found Securonix to be cheaper than Elasticsearch. We were pretty surprised that Elastic Security is more expensive than Securonix because Elasticsearch is just starting, and it cannot compete with Securonix at this time. So, the pricing of Securonix is pretty good for now.

We tried to evaluate some of the other products, but we decided to go with Securonix for the business part. It was easier for us to meet the needs of our clients related to calculations.

We evaluated LogRhythm. The first problem that we faced with LogRhythm was that it would have been pretty difficult for engineers to handle in terms of the user interface. As compared to Securonix, it was also very expensive. Securonix had most of the features or functionalities that we were looking for. We also evaluated Exabeam, and we had the same problem with the price and features.

It has somewhat reduced the amount of time we require for investigation. It hasn't probably helped in detecting advanced threats faster along with lower response times because there is this gap between the RIN receiving the information and then sending this information to the cloud. This gap makes it a little bit late as compared to other solutions. Other than that, it is good.

I would rate it a 9 out of 10.

We have customized the uses of the platform for our benefit. In general, we use it for failed access attempts, network issues, and allowed/blocked, and we have use cases for platforms such as Windows Server.

We are a service company and partners of various vendors. We provide support to customers. Our strategy is that each piece of equipment sold to customers comes with value-added service, and Securonix protects our customers.

It is an excellent tool that helps us optimize threat-hunting operations, detect intrusive events on the network, and respond to security incidents. It is a tool that helps debug false positives and eliminate noisy alerts. It helps us focus on the alerts that we should take into account for analysis.

Using old, traditional SIEMs did not provide us with the same responsiveness and ability to operate. And if they did provide us with something similar, we needed more staff to review things, event by event. That meant some risky events could occur unnoticed. With Securonix, those issues no longer exist. Securonix shows us information that we must consider as a threat and helps us know when to start an investigation to avoid an incident.

It's very good at adding contextual information to security events. It has reduced the time spent by admins on the dashboard. They can now see information connected to attack risks or even users. The single dashboard alerts them and quickly reports if there is any threat.

It has helped us to better understand what is happening in our network through the indicators of compromise. We have saved days of work. And it optimizes the time that analysts take to review events, compared to other tools that do not have as much intelligence and as many indicators. With Securonix, the information automatically enters and adds intelligence to the indicators. This saves a lot of time that would otherwise be spent reviewing noisy data. It saves our analyst between four and eight hours when analyzing events.

When it comes to advanced threats, it shows us the threats or events that have been detected, with their risk level. It shows us a vulnerability bar and that helps us see who is looking at us, who is trying to deliver certain information to our systems, who exploited us, or if there is any alert due to someone extracting certain information. The automation of information delivery has facilitated everything, saving us three or four days.

For optimization and data analysis, it has a good evaluation engine for repeat offenders and that has helped us to detect, on time, what other basic SIEMs did not detect. Those other solutions needed more time to detect at that same level.

We can customize our use cases with the tools provided by Securonix.

It is an excellent tool that can ingest data in different ways and is very flexible.

Securonix could open up information regarding the indicators of compromise or cyber-threat intelligence databases that they use. The idea is that they share what threats they are detecting.

I have been using Securonix Next-Gen SIEM for about a year.

It is stable, both in the cloud and on the servers. We have never had access problems or experienced any performance issues.

Scaling is flexible. If we fall short in terms of EPS, we would simply increase the EPS. And if the RIN server has low resources, as it is a virtual machine we could increase the resources according to the data quantity.

It is an excellent option for the cloud in terms of scalability. It is flexible for both us and our clients. We have plans to increase usage for certain customers.

The support is excellent. At the service level, they attend to us quickly. We have a post-sale person who follows up in some cases. He can also see the tickets and can escalate something according to the urgency.

Positive

We used a traditional SIEM where everything was very manual. It did not have threat intelligence or threat hunting of compromises, while Securonix has those features.

We changed because we wanted a good tool to automate certain manual processes so that everything is more flexible. With Securonix, you have the option of integrating with other indicator-of-compromise services, and that helps create a more powerful platform and eliminate false positives.

I started the process of design and continued with onboarding and implementation. The initial implementation was simple, but we had some delays because we had new solutions and we had to create new templates. But in general, if you have traditional solutions that have a template, it is easy to implement. It would take a week.

As for our implementation strategy, the tool that we had previously had a forwarding functionality, so what we did was deploy information to the RIN and, from there, sent the information to the cloud. After that, we created a pipeline and sent the rest of the events so that we could take the previous SIEM out of production.

The sources took a month to incorporate. It took us a month to get access to the teams because we do not manage certain teams. It was a bureaucratic process.

Securonix does the maintenance. It doesn't require work from us. They send us emails indicating that the system is going to have a brief reboot and it takes a short amount of time. 

We hired an onboarding engineer from Securonix who helped us with the implementation of the RIN. He explained the process to us until we understood everything.

Our experience with the onboarding engineer was good. He helped us with any questions we had and followed up through emails.

For the implementation of Securonix, we only needed one person from our side. I was the point of contact with our other areas.

Where we see our best return on investment is in the time and manpower we save. Before Securonix, our staff had to investigate events constantly. Now, one engineer with some expertise is enough to speed things up and give the rest of the admins time to do other things.

The pricing is fine compared to the market but I think that at some point the competitors will catch up on price. It would be good if, for example, there were an option to offer customers who have used the solution for more than a year some kind of additional trial or service.

There is no cost outside of the standard licensing fee, other than an initial installation service charge. Otherwise, there is simply a monthly cost for the service.

We were thinking about Splunk, QRadar, and Rapid7. One of the drawbacks of those systems would be the infrastructure. Many of the other platforms, including McAfee, need boxes or deployment servers in our infrastructure or our clients' infrastructures and, in many cases, the infrastructure is growing continuously.

With Securonix, that does not happen. It is a cloud solution that only requires a small deployment server with low resources, depending on how many events are received. And all that information is stored in the cloud as well.

The cost, compared to other solutions, is better.

Compared to other platforms, it is very simple yet, at the same time, it is very efficient because it packs information into a glance. After that, it gives you the option of hunting threats and that can be initiated on the dashboard.

It is very intuitive. A person who has a certain notion of cyber security can move quickly since it gives you information about any attack. It gives you a summary and it gives you links to receive information. And if you don't have much knowledge of the tool, you can always take the courses that are free on the web. Doing so helped us understand the solution.

This is a solution that will help you a lot in hardware processing and in optimizing the time it takes to review events, which is what admins often spend their time doing.

There are things on the network that you can't see with traditional tools. There are tools that don't give you the visibility that Securonix gives you.

Foreign Language:

(Spanish)

¿Cuál es nuestro caso de uso principal?

Hemos personalizado los usos de la plataforma para nuestro beneficio. En general, lo usamos para intentos de acceso fallidos, problemas de red y permisos/bloqueos, y tenemos casos de uso para plataformas como Windows Server.

Somos una empresa de servicios y socios de varios proveedores. Brindamos soporte a los clientes. Nuestra estrategia es que cada equipo vendido a los clientes venga con un servicio de valor agregado, y Securonix protege a nuestros clientes.

¿Qué es lo más valioso?

Para optimización y análisis de datos tiene un buen motor de evaluación de reincidentes y eso nos ha ayudado a detectar, a tiempo, lo que otros SIEM básicos no detectaban. Esas otras soluciones necesitaban más tiempo para detectar al mismo nivel.

​​Podemos personalizar nuestros casos de uso con las herramientas proporcionadas por Securonix.

Es una excelente herramienta que puede ingerir datos de diferentes maneras y es muy flexible.

¿Por cuánto tiempo he usado la solución?

He estado usando Securonix Next-Gen SIEM durante un año aproximadamente.

¿Qué opino de la escalabilidad de la solución?

El escalado es flexible. Si nos quedamos cortos en términos de EPS, simplemente aumentaríamos el EPS. Y si el servidor RIN tiene pocos recursos, al ser una máquina virtual podríamos aumentar los recursos según la cantidad de datos.

Es una excelente opción para la nube en términos de escalabilidad. Es flexible tanto para nosotros como para nuestros clientes. Tenemos planes para aumentar el uso para ciertos clientes.

¿Cómo son el servicio de atención al cliente y el soporte?

El soporte es excelente. A nivel de servicio nos atienden rápido. Contamos con una persona de post venta que da seguimiento en algunos casos. También puede ver los tickets y puede escalar algo según la urgencia.

¿Cómo calificaría el servicio y soporte al cliente?

Positivo.

¿Qué solución usé anteriormente y por qué cambié?

Usamos un SIEM tradicional donde todo era muy manual. No tenía inteligencia de amenazas o búsqueda de amenazas de compromisos, mientras que Securonix tiene esas características.

Cambiamos porque queríamos una buena herramienta para automatizar ciertos procesos manuales para que todo sea más flexible. Con Securonix, tienes la opción de integrarte con otros servicios de indicadores de compromiso, y eso ayuda a crear una plataforma más poderosa y eliminar los falsos positivos.

¿Cómo fue la configuración inicial?

Comencé el proceso de diseño y continué con la incorporación e implementación. La implementación inicial fue simple, pero tuvimos algunos retrasos porque teníamos nuevas soluciones y tuvimos que crear nuevos modelos. Pero, en general, si tiene soluciones tradicionales que tienen un modelo creado, es fácil de implementar. Tardaría una semana.\

En cuanto a nuestra estrategia de implementación, la herramienta que teníamos anteriormente tenía una funcionalidad de reenvío, entonces lo que hicimos fue desplegar información al RIN y de ahí enviamos la información a la nube. Después de eso, creamos una canalización y enviamos el resto de los eventos para que pudiéramos sacar de producción el SIEM anterior.

Las fuentes tardaron un mes en incorporarse. Nos tomó un mes tener acceso a los equipos porque no administramos ciertos equipos. Fue un proceso burocrático.\

Securonix hace el mantenimiento. No requiere trabajo de nosotros. Nos envían correos electrónicos que indican que el sistema se reiniciará brevemente y normalmente no tarda mucho.

¿Y el equipo de implementación?

Contratamos a un ingeniero de incorporación de Securonix que nos ayudó con la implementación del RIN. Nos explicó el proceso hasta que entendimos todo.

Nuestra experiencia con el ingeniero de incorporación fue buena. Nos ayudó con cualquier pregunta que tuviéramos y nos dio seguimiento a través de correos electrónicos.

Para la implementación de Securonix, solo necesitábamos una persona de nuestro lado. Yo era el punto de contacto con nuestras otras áreas.

¿Cuál fue nuestro Retorno de Inversión?

Donde vemos nuestro mejor retorno de la inversión es en el tiempo y la mano de obra que ahorramos. Antes de Securonix, nuestro personal tenía que investigar eventos constantemente. Ahora, un ingeniero con algo de experiencia es suficiente para acelerar las cosas y dar tiempo al resto de los administradores para hacer otras cosas.

¿Cuál es mi experiencia con los precios, el costo de configuración y las licencias?

El precio está bien en comparación con el mercado, pero creo que en algún momento los competidores alcanzarán el precio. Sería bueno que, por ejemplo, hubiera una opción para ofrecer a los clientes que han utilizado la solución durante más de un año algún tipo de servicio adicional.

No hay ningún costo fuera de la tarifa de licencia estándar, aparte de un cargo por servicio de instalación inicial. De lo contrario, simplemente hay un costo mensual por el servicio.

¿Qué otras soluciones evalué?

Estábamos pensando en Splunk, QRadar y Rapid7. Uno de los inconvenientes de esos sistemas sería la infraestructura. Muchas de las otras plataformas, incluida McAfee, necesitan cajas o servidores de implementación en nuestra infraestructura o en las infraestructuras de nuestros clientes y, en muchos casos, la infraestructura crece continuamente.

Con Securonix, eso no sucede. Es una solución en la nube que solo requiere un pequeño servidor de implementación con pocos recursos, dependiendo de cuántos eventos se reciban. Y toda esa información también se almacena en la nube.

El costo, en comparación con otras soluciones, es mejor.

Comparado con otras plataformas, es muy simple pero, al mismo tiempo, es muy eficiente porque empaqueta la información en un vistazo. Después de eso, le da la opción de cazar amenazas y eso puede iniciarse en el tablero.

Es muy intuitivo. Una persona que tiene cierta noción de ciberseguridad puede moverse rápidamente ya que te da información sobre cualquier ataque. Te da un resumen y te da enlaces para recibir información. Y si no tienes mucho conocimiento de la herramienta, siempre puedes tomar los cursos que están gratis en la web. Hacerlo nos ayudó a comprender la solución.

¿Qué otro consejo tengo?

Esta es una solución que ayudará mucho en el procesamiento de hardware y en la optimización del tiempo que lleva revisar los eventos, que es a lo que los administradores suelen dedicar su tiempo.\

Hay cosas en la red que no puedes ver con las herramientas tradicionales. Hay herramientas que no te dan la visibilidad que te da Securonix.

Securonix or SNYPR is a UEBA tool. It has all the features. It can work as a traditional SIEM as well as do behavior-based analysis. 

In terms of deployment, it is on the cloud. It is hosted with Securonix. We are using it as a service, however i have worked on premise deployements as well.

We have this tool to monitor all types of log activities. It can monitor whatever is happening. It can monitor traffic-related things, and it can monitor EDR and all types of logs. It has a set of use cases, and it can alert us if any abnormal activities are happening and if there is any suspicious and malicious traffic. It definitely does 24x7 monitoring of the activities happening in our environment and the type of possible attack that can happen in any of the environments.

It provides a lot of analytics. For handling alerts, we have a manual approach, and it is a team effort. Whenever there is a flag or violation, we check the behavior in the tool or in the UI itself. We can check each and everything in the tool itself. On the basis of that, we identify whether something is a false positive or not. If it is a false positive, we work on the policy condition.

An analyst's efficiency is all about the analytics present in the tool. They provide sufficient analytics. Recently, they have added one more analytics. They already have more than 15 analytics for threat detection purposes. They definitely help us to do more in less time. 

In our environment, we do not have external TPI integrated. So, we don't have any external sources for IOCs. With Securonix, all the IOCs are available in their Threat Lab. We are using that feature, and we are also receiving the reports. They check our environment against the IOCs available in their lab and provide us with the report. So far, we haven't got any high severity or medium severity issues. Whatever we got has been of low severity. Sometimes, we see traffic coming from a particular IP address continually, which is blocked in our fiber. We get to know that we have to be very careful about this external, malicious IP address that is trying to hit our environment. Because we do not have the external IOCs or TPIs integrated, we find this report very useful. 

It adds contextual information to security events, which is very helpful.

SNYPR has a bundle of features. It has the UEBA feature that tells you about the behavior of a person or entity. In the tool itself, there is an incident management feature, which is definitely valuable. It is a value-added item. It also has third-party TPI.

SNYPR is valuable for any organization because it is not only a traditional SIEM. It is also a UEBA tool. It does behavior analytics. As a UEBA tool, it has a lot of features. You can see a lot of things in the UI itself. It provides a lot of analytics. You can see how a policy is working and how it is giving you the flags if you want to reduce false positives. You can have all the visibility in the UI itself. You don't need to check anything in the backend for this.

It has a feature called Threat Model to identify a threat. For intelligence, it has a feature called Autonomous Threat Sweep that is valuable. 

Sometimes, there is instability in the data in terms of the customization of the time. They should work on stability on tool. However 6.4 jupiter version is much more stable.

I have been working with this tool since 2018 till today.

They have improved it a lot over time. We don't see a lot of issues related to stability in our environment. Sometimes, we see instability issues, but they are not very regular.

Performance-wise, it is good. It has a lot of analytics. We see the value in having this tool. Our management is also happy with the tool. It is reliable. We had a lot of configuration mistakes in our environment, and we could detect them with the tool.

It is scalable. We have 1,500 active users. We are operating in the US at three locations.

In terms of the integration of the data sources or the log sources with the Securonix tool, if the connectors are available, we never see any difficulty. I have integrated more than 50 log sources with Securonix. However, if they don't have a connector, we won't have any option for integration. This is common to all the SIEM tools. It isn't something that's specific to this. In any of the SIEM tools, if the connector isn't available, you won't have any option to integrate.

Their support has improved it a lot, They do support us or they do reply to us, but they need to be very fast. They need to be very quick. I would rate them nine out of ten in terms of support.

Positive

I started with Securonix itself. I have read about other solutions such as QRadar and Splunk, but I did not get a chance to work on these tools.

It was not at all difficult for me to use Securonix's interface. This is the first tool that I used. It was not difficult for me to learn. Its interface is very user-friendly, and I don't think anyone will face difficulty operating the tool. Everything is displayed nicely.

When we have a cloud deployment or we take it as a service, we don't get involved in the deployment of the SNYPR application, but we do get involved with on-prem Remote Ingester. So, application deployment is done by Securonix, but the integration with other sources is done by us. We don't have any difficulties with the integration because we have been working with it for a long time. So, we're aware of the backend and how to integrate. It is quite simple and easy. We also have a call with Securonix SME twice a week.

The maintenance is handled by Securonix themselves. They sometimes do the monthly maintenance. We only get the notification, and we know of the maintenance window. After maintenance, we check everything. We just validate that everything is working fine. They also validate from their end, but we also validate. We haven't had any difficulty after the maintenance or upgrade. It always works fine. There are no issues.

The Securonix cloud-native platform helps minimize infrastructure management. We don't need to buy a server. We don't need to manage it. 

It is a good solution, but it definitely requires some improvements. It has already improved a lot. They are upgrading it in every build, and it is getting better. They work on policy decommission. Whenever a policy gets old or replicated, they remove the policy. They work on the content refresh. For example, last year when we had the Log4j vulnerability, they immediately updated their content and applied the policy. They provided an update for the Log4j vulnerability.

I would definitely recommend this tool. It is really a good tool. It has all the features available. I don't know anything about the pricing. I don't know if it is more expensive or cheap as compared to the other tools, but as a UEBA tool, I would definitely recommend it to everyone.

Overall, I would rate it an 9.5 out of ten.

We provide cyber SOC services by using it as an event correlator.

At the level of user visibility, it enriches a lot of data that the user might not otherwise know about and allows you to enrich other platforms with that data.

The contextual information added by Securonix has helped reduce investigation time by minutes because we no longer consult multiple sources and everything is centralized in one place.

It has helped improve our threat detection response and reduced noise from false positives, although it depends a lot on which network is being configured. The native ones trigger a lot, so we have introduced additional context in them.
But we have saved time in threat detection and noise reduction. It allows us to automate more use cases. I'm not sure if it has improved our level of threat investigation.

The solution has also helped detect advanced threats faster through the threat modeling. Several use cases are incorporated and it warns you about any behavior and more advanced threats. You don't need to review each threat but it informs you of the behaviors that you must take into account and it is easier to deduce them.

The dashboards that Securonix uses have helped us to do more in less time because if you need to see an anomaly or a specific event, the dashboard provides you with a summary of the data about that event.

Another benefit is that the platform has helped minimize infrastructure management. We invest less time in giving support and troubleshooting. 

The most valuable feature is what Securonix calls enrichment. Securonix is very powerful because of all the data it can process and automatically enrich. The actionable intelligence it provides is one of its benefits, due to the processing capacity it has. Something to keep in mind is that Securonix needs a lot of initial work to be able to properly enrich itself, but once installed it is very powerful.

It's very good in helping to ingest all our log sources when investigating threats. That is back to the enrichment theme. It's very powerful. When you ingest data to Securonix, what it does is feed back to other sources like your firewall, and antivirus proxy, and vice versa. And the use cases filter data.

The UEBA capabilities are also very valuable.

The analytics-driven approach for finding sophisticated threats and reducing false positives is positive and good, but the platform requires a more dynamic concept. Everything is a bit static.

Also, the Autonomous Threat Sweeper is very enriching but, that being said, the threat detection report lacks a little context. The feature to sweep autonomously is good. The way they could improve the ATS would be to use more awareness and communication with the user. They don't give us much detail in the threat detection report. It would be very helpful if they explained the impact to us.

We have been using Securonix Next-Gen SIEM for about four months. We are service providers, not the final customers. At the moment, we only have the implementation in one location.

So far, we haven't had any problems. It's very stable.

At the moment, we don't have enough records to scale, but based on the infrastructure and from what I have seen, Securonix is very practical and it is possible to increase its capacity.

Support is an area for improvement because it takes a little time for them to attend to tickets. And regarding more complex configurations, for example, when you want to generate a change in the platform, you have to submit a ticket and you cannot modify templates or create things. That can only be done by administrators since it is a SaaS service.

In general, the tech support seems good. They solve the problems that occur, but their response times are not very good.

Neutral

First, we saw how many events we had in the past SIEM. Under that same report, the infrastructure was made in Securonix, the RING was built, the platforms were connected, and then we let Securonix enrich in the system while the platform was configured. After that, the monitoring started.

There were particularities. The implementation of the infrastructure was simple, but the integration was complex due to integration issues in one of the solutions.

It took approximately three weeks until we implemented everything. In terms of staff from our side, there were two technicians, one who was in charge of integrations and another in charge of configurations in the SIEM. My responsibility was more on the strategic approach. Additionally, two integration managers from the Securonix team were involved.

Securonix notifies us when it needs to do maintenance. We only have to take care of the RING since it is local and not part of the SaaS infrastructure.

The pricing is good, but by adding more things, the licensing becomes more complex because an EPS license fluctuates a lot. This licensing concept is going to be problematic in the long run.

Securonix is very easy and very intuitive compared to the other platforms. At the access level, it is much more practical. However, there are other platforms with better research levels and data ingestion than Securonix.

We evaluated Splunk, which is very similar to Securonix. We went with Securonix because we wanted to understand more about UEBA and enrichment, and for financial reasons.

In terms of threat investigations and onboarding, versus previous solutions that we have used, having access to UEBA allows you to analyze threats based more on behavior. But if you were to manually model, in other SIEMs, all the use cases that Securonix has, they would be very similar. Something that Securonix has in its favor is the enrichment prior to those threat detections. It took us about three to four weeks to get all the sources into the Securonix platform.

When it comes to adding contextual information to security events, I would give it an eight or a nine out of 10. It enriches things a lot. But the concept by which Securonix works, which is to enrich by source and by modules, makes it very cumbersome to configure. If you set it all up, you can overload the SIEM. They tell you it's possible to set everything to the maximum capacity but this approach is not recommended.

Overall, it is a powerful platform. The cons are minimal and only require small attention and tedious initial work. Once Securonix is operative, it is very powerful.

It is a very good platform for discovering unknown information and is great at helping to visualize and review data. Thus, it indirectly supports data correlation. Thanks to Securonix, I learned that there are always things to discover. That's not only in the materialization of threats, but also in terms of discovery of permissions, users, and information about entities belonging to the company. And the enrichment gives you visibility that you didn't know about.

Foreign Language:(Spanish)

¿Cuál es nuestro caso de uso principal?

Brindamos servicios de SOC cibernético usando a SECURONIX como un correlacionador de eventos.

¿Cómo ha ayudado a mi organización?

A nivel de visibilidad del usuario, enriquece una gran cantidad de datos que el usuario podría no conocer de otra manera y le permite enriquecer otras plataformas con esos datos.

La información contextual agregada por Securonix ha ayudado a reducir el tiempo de investigación en minutos porque ya no consultamos múltiples fuentes y todo está centralizado en un solo lugar.

Ha ayudado a mejorar nuestra respuesta de detección de amenazas y ha reducido el ruido de los falsos positivos, aunque depende mucho de la red que se esté configurando. Los nativos se activan mucho, por lo que hemos introducido contexto adicional en ellos.

Pero hemos ahorrado tiempo en la detección de amenazas y reducción de ruido. Nos permite automatizar más casos de uso. No estoy seguro si ha mejorado nuestro nivel de investigación de amenazas.

La solución también ayudó a detectar amenazas avanzadas más rápido a través del modelado de amenazas. Se incorporan varios casos de uso y te advierte sobre cualquier comportamiento y amenazas más avanzadas. No necesitas revisar cada amenaza sino que te informa de los comportamientos que debes tener en cuenta y es más fácil deducirlos.

Los tableros que usa Securonix nos han ayudado a hacer más en menos tiempo porque si necesita ver una anomalía o un evento específico, el tablero le brinda un resumen de los datos sobre ese evento.

Otro beneficio es que la plataforma ha ayudado a minimizar la gestión de la infraestructura. Invertimos menos tiempo en dar soporte y solucionar problemas.

¿Qué es lo más valioso?

La característica más valiosa es lo que en Securonix llaman enriquecimiento. Securonix es muy poderoso debido a todos los datos que puede procesar y enriquecer automáticamente. La inteligencia accionable que proporciona es uno de sus beneficios debido a la capacidad de procesamiento que posee. Algo a tener en cuenta es que Securonix necesita mucho trabajo inicial para poder enriquecerse adecuadamente, pero una vez instalado es muy potente.

Es muy bueno para ayudar a ingerir todas nuestras fuentes de registro al investigar amenazas. Volviendo al tema del enriquecimiento. Es muy poderoso. Cuando ingiere datos a Securonix, lo que hace es retroalimentar a otras fuentes como su firewall y proxy antivirus, y viceversa. Y los casos de uso filtran datos.

Las capacidades de UEBA también son muy valiosas.

¿Qué necesita mejorar?

El enfoque basado en análisis para encontrar amenazas sofisticadas y reducir los falsos positivos es positivo y bueno, pero la plataforma requiere un concepto más dinámico. Todo es un poco estático.

Además, el barrido autónomo de amenazas es muy enriquecedor pero, dicho esto, el informe de detección de amenazas carece de un poco de contexto. La característica de barrer de forma autónoma es buena. La forma en que podrían mejorar el ATS sería usar más conciencia y comunicación con el usuario. No nos dan muchos detalles en el informe de detección de amenazas. Sería muy útil que nos explicaran el impacto.

¿Por cuánto tiempo he usado la solución?

Hemos estado usando Securonix Next-Gen SIEM durante cuatro meses aproximadamente. Somos proveedores de servicios, no clientes finales. Por el momento, solo tenemos la implementación en una ubicación.

¿Qué pienso sobre la estabilidad de la solución

Hasta ahora, no hemos tenido ningún problema. Es muy estable.

¿Qué opino de la escalabilidad de la solución?

Por el momento, no tenemos suficientes registros para escalar, pero en base a la infraestructura y por lo que he visto, Securonix es muy práctico y es posible aumentar su capacidad.

¿Cómo son el servicio de atención al cliente y el soporte?

El soporte es un área a mejorar porque les toma un poco de tiempo atender los tickets. Y en cuanto a configuraciones más complejas, por ejemplo, cuando quieres generar un cambio en la plataforma, tienes que enviar un ticket y no puedes modificar plantillas ni crear cosas. Eso solo lo pueden hacer los administradores ya que es un servicio SaaS.

En general, el soporte técnico me parece bueno. Solucionan los problemas que se presentan, pero sus tiempos de respuesta no son muy buenos.

¿Cómo calificaría el servicio y soporte al cliente?

Neutral

¿Cómo fue la configuración inicial?

Primero, vimos cuántos eventos tuvimos en el pasado SIEM. Bajo ese mismo informe, se hizo la infraestructura en Securonix, se construyó el RING, se conectaron las plataformas y luego dejamos que Securonix enriqueciera en el sistema mientras se configuraba la plataforma. Después de eso, comenzó el monitoreo.

Había particularidades. La implementación de la infraestructura fue simple, pero la integración fue compleja debido a problemas de integración en una de las soluciones.

Pasaron aproximadamente tres semanas hasta que implementamos todo. En cuanto al personal de nuestra parte, había dos técnicos, uno que estaba a cargo de las integraciones y otro a cargo de las configuraciones en el SIEM. Mi responsabilidad estaba más en el enfoque estratégico. Además, participaron dos gerentes de integración del equipo de Securonix.

Securonix nos avisa cuando necesita hacer mantenimiento. Solo tenemos que cuidar el RING ya que es local y no parte de la infraestructura SaaS.

¿Cuál es mi experiencia con los precios, el costo de configuración y las licencias?

El precio es bueno, pero al agregar más cosas, la licencia se vuelve más compleja porque una licencia EPS fluctúa mucho. Este concepto de licencia va a ser problemático a largo plazo.

¿Qué otras soluciones evalué?

Securonix es muy fácil y muy intuitivo en comparación con las otras plataformas. A nivel de acceso, es mucho más práctico. Sin embargo, existen otras plataformas con mejores niveles de investigación e ingesta de datos que Securonix.

Evaluamos Splunk, que es muy similar a Securonix. Elegimos Securonix porque queríamos saber más sobre UEBA y el enriquecimiento, y por razones financieras.

En términos de investigaciones e incorporación de amenazas, en comparación con las soluciones anteriores que hemos utilizado, tener acceso a UEBA te permite analizar las amenazas en función del comportamiento. Pero si tuvieras que modelar manualmente, en otros SIEMs, todos los casos de uso que tiene Securonix, serían muy similares. Algo que tiene Securonix a su favor es el enriquecimiento previo a esas detecciones de amenazas. Nos llevó entre tres y cuatro semanas incorporar todas las fuentes a la plataforma Securonix.

¿Qué otro consejo tengo?

A la hora de añadir información contextual a los eventos de seguridad le daría un ocho o un nueve sobre 10. Enriquece mucho las cosas. Pero el concepto por el que trabaja Securonix, que es enriquecer por fuente y por módulos, lo hace muy engorroso de configurar. Si lo configura todo, puede sobrecargar el SIEM. Te dicen que es posible configurar todo a la capacidad máxima, pero no se recomienda este enfoque.

En general, es una plataforma poderosa. Las desventajas son mínimas y sólo requieren poca atención y un tedioso trabajo inicial. Una vez que Securonix está operativo, es muy poderoso.

Es una muy buena plataforma para descubrir información desconocida y es excelente para ayudar a visualizar y revisar datos. Por lo tanto, admite indirectamente la correlación de datos. Gracias a Securonix, aprendí que siempre hay cosas por descubrir. Eso no es solo en la materialización de amenazas, sino también en términos de descubrimiento de permisos, usuarios e información sobre entidades pertenecientes a la empresa. Y el enriquecimiento te da una visibilidad que no conocías antes.

We use it for the correlation of security events.

Securonix provides feedback from integrations with third parties so that it is always up to date regarding security events that occur daily.

It has helped a lot because previously we did not have as much control over the procedures or things that the company's users did. With Securonix, we have been able to monitor the activities of both internal and external users in the company.

Securonix has published a lot of information regarding how to use the platform. They have a lot of information online that has helped us add contextual information to security events. In the event of a security breach or a risk, it helps us monitor things. So far, with the solution in place, we have not witnessed any attacks, but it has helped us to monitor possible events that, if not taken into account, could be security breaches. It has helped us to mitigate potential gaps.

With this solution, we have saved hours in case management. It has helped us detect things faster and the integration with third-party sources has given us the ability to correlate and act on internal and external events, such as malicious attacks or malicious sites. We have improved in our response to certain incidents and types of browsing thanks to external lists that Securonix has provided us with. We can automatically detect threats.

Another benefit has been the ability to integrate practically all our specialists from different areas, including Windows, security, virtualization, et cetera, to respond with better quality. It has improved the efficiency of analysis.

It has also helped with data loss events in a certain way, through integration with our email accounts. In an event of data loss, the loss for our organization would be incalculable.

One of the most valuable features is the integration of all types of data sources to extract relevant information regarding events. It is a good solution when it comes to the correlations that it makes within all the data handled in our company. It has provided us with a lot of information and research.

We would like a little more face-to-face training. Securonix has several tutorials on its website, but we want there to be a person in Colombia who does training or workshops to give us a better understanding of the platform.

We have been using Securonix Next-Gen SIEM for about a year.

It has not presented us with problems. Most of our support cases are related to the generation of policies, but the platform has not been an issue for us.

Securonix carried out an analysis of our entire infrastructure. It provides us with the level of processing required and, if you are planning to take on new clients, you can always increase the EPS.

I would rate their support at 8.5 to nine out of 10. Sometimes it has taken a little while because the investigation team has already begun to analyze other cases, but they always resolve our issues. While they are a little slow in certain cases, most of the time they solve them quickly and efficiently.

Positive

We used McAfee before. The person who was in charge left the company just when Securonix came in and that is when I started working here.

One of the main differences is having service through the cloud. Before Securonix, we had the service locally. Now, the service is processed in the cloud and when a case is generated on the platform, they have always been willing to help us.

Securonix is in the cloud. We have a virtual machine that stores certain platform configuration information, and since it is in the cloud, we can manage the platform from anywhere. The cloud-native platform helps minimize infrastructure management. Having everything integrated into one place makes things much easier for us.

I was only involved a little in the implementation of Securonix, but from what I heard, their team was helping our entire company, day and night, to get the implementation out as soon as possible. There may have been some problems in integration, but support cases were created and their team was always there with updates and new ways to connect our sources with their platform. Overall, it was not that complicated.

On our side, we had specialists involved from each department that wanted to be integrated with the platform, such as Windows, networking, security, et cetera. The Securonix staff was always present.

Securonix has provided us with a consultant here in Colombia. We are in contact regarding configuration of the platform to rule out possible false positives and help us focus on events that we must take into account.

It took us four months to incorporate all the sources.

There are no maintenance requirements on our part. They are constantly notifying us of updates and, before making changes, they let us know if there are going to be any interruptions in the service. 

Our company is already trying to sell Securonix services, although it is a fairly new solution in the company. First, it is being handled internally, but they are already beginning the process of selling the service. That is the best return on investment.

Compared to other brands it seems more affordable to us.

There are no costs in addition to the standard licensing fees.

The Securonix interface is very intuitive. McAfee had some good features and we have only been with Securonix for a short time, but it has not presented us with any problems. It seems to us much better compared to McAfee, in terms of event correlation and case tracking.

Securonix seems to be a good solution that has met all our requirements. 

If you want to have a more centralized solution to improve the performance of case and incident analysis and management, Securonix seems like a very good option.

The most important lesson is that you can always improve. There are features that may be unknown to you in the service but, through the documentation, you can realize all the benefits of things that might not be used initially.

Foreign Language:(Spanish)

¿Cuál es nuestro caso de uso principal?

Lo usamos para la correlación de eventos de seguridad.

¿Cómo ha ayudado a mi organización?

Securonix brinda retroalimentación de integraciones con terceros para que siempre esté actualizado sobre los eventos de seguridad que ocurren a diario.

Ha ayudado mucho porque antes no teníamos tanto control sobre los trámites o cosas que hacían los usuarios de la empresa. Con Securonix, hemos podido monitorear las actividades de los usuarios tanto internos como externos en la empresa.

Securonix ha publicado mucha información sobre cómo usar la plataforma. Tienen mucha información en línea que nos ha ayudado a agregar información contextual a los eventos de seguridad. En caso de una brecha de seguridad o un riesgo, nos ayuda a monitorear las cosas. Hasta el momento, con la solución implementada, no hemos sido testigos de ningún ataque, pero nos ha ayudado a monitorear posibles eventos que, si no se tienen en cuenta, podrían ser brechas de seguridad. Nos ha ayudado a mitigar posibles brechas.

Con esta solución hemos ahorrado horas en la gestión de casos. Nos ha ayudado a detectar cosas más rápido y la integración con fuentes de terceros nos ha dado la capacidad de correlacionar y actuar sobre eventos internos y externos, como ataques maliciosos o sitios maliciosos. Hemos mejorado en nuestra respuesta a determinadas incidencias y tipos de navegación gracias a listados externos que nos ha facilitado Securonix. Podemos detectar amenazas automáticamente.
Otro beneficio ha sido la capacidad de integrar prácticamente a todos nuestros especialistas de diferentes áreas, incluyendo Windows, seguridad, virtualización, etcétera, para responder con mejor calidad. Ha mejorado la eficiencia del análisis.

También ha ayudado con eventos de pérdida de datos de cierta manera, a través de la integración con nuestras cuentas de correo electrónico. En caso de pérdida de datos, la pérdida para nuestra organización sería incalculable.

¿Qué es lo más valioso?

Una de las características más valiosas es la integración de todo tipo de fuentes de datos para extraer información relevante sobre eventos. Es una buena solución en cuanto a las correlaciones que realiza dentro de todos los datos que se manejan en nuestra empresa. Nos ha proporcionado mucha información e investigación.

¿Qué necesita mejorar?

Nos gustaría un poco más de formación presencial. Securonix tiene varios tutoriales en su sitio web, pero queremos que haya una persona en Colombia que haga capacitaciones o talleres para que entendamos mejor la plataforma.

¿Por cuánto tiempo he usado la solución?

Hemos estado usando Securonix Next-Gen SIEM durante aproximadamente un año.

¿Qué pienso sobre la estabilidad de la solución?

No nos ha presentado problemas. La mayoría de nuestros casos de soporte están relacionados con la generación de pólizas, pero la plataforma no ha sido un problema para nosotros.

¿Qué opino de la escalabilidad de la solución?

Securonix realizó un análisis de toda nuestra infraestructura. Nos proporciona el nivel de procesamiento requerido y, si está planeando captar nuevos clientes, siempre puede aumentar el EPS.

¿Cómo son el servicio de atención al cliente y el soporte?

Calificaría su apoyo con un 8,5 a nueve del 1 al 10. A veces ha tardado un poco porque el equipo de investigación ya ha comenzado a analizar otros casos, pero siempre resuelven nuestros problemas. Si bien son un poco lentos en ciertos casos, la mayoría de las veces los resuelven de manera rápida y eficiente.

¿Cómo calificaría el servicio y soporte al cliente?

Positivo.

¿Qué solución usé anteriormente y por qué cambié?

Usábamos McAfee antes. La persona que estaba a cargo dejó la empresa justo cuando entró Securonix y ahí fue cuando empecé a trabajar aquí.

Una de las principales diferencias es tener servicio a través de la nube. Antes de Securonix, teníamos el servicio localmente. Ahora el servicio se tramita en la nube y cuando se genera un caso en la plataforma siempre han estado dispuestos a ayudarnos.

¿Cómo fue la configuración inicial?

Securonix está en la nube. Tenemos una máquina virtual que almacena cierta información de configuración de la plataforma, y como está en la nube, podemos administrar la plataforma desde cualquier lugar. La plataforma nativa de la nube ayuda a minimizar la gestión de la infraestructura. Tener todo integrado en un solo lugar nos facilita mucho las cosas.

Solo participé un poco en la implementación de Securonix, pero por lo que escuché, su equipo estaba ayudando a toda nuestra empresa, día y noche, a implementar la implementación lo antes posible. Es posible que haya habido algunos problemas en la integración, pero se crearon casos de soporte y su equipo siempre estuvo ahí con actualizaciones y nuevas formas de conectar nuestras fuentes con su plataforma. En general, no fue tan complicado.

De nuestro lado, teníamos especialistas involucrados de cada departamento que quería integrarse con la plataforma, como Windows, redes, seguridad, etcétera. El personal de Securonix siempre estuvo presente.

Securonix nos ha proporcionado un consultor aquí en Colombia. Estamos en contacto con respecto a la configuración de la plataforma para descartar posibles falsos positivos y ayudarnos a centrarnos en los eventos que debemos tener en cuenta.

Nos llevó cuatro meses incorporar todas las fuentes.
No hay requisitos de mantenimiento por nuestra parte. Constantemente nos avisan de las actualizaciones y, antes de hacer cambios, nos avisan si va a haber alguna interrupción en el servicio.

¿Cuál fue nuestro Retorno de Inversión?

Nuestra empresa ya está intentando vender los servicios de Securonix, aunque es una solución bastante nueva en la empresa. Primero se está manejando internamente, pero ya están iniciando el proceso de venta del servicio. Ese es el mejor retorno de la inversión.

¿Cuál es mi experiencia con los precios, el costo de configuración y las licencias?

Comparado con otras marcas nos parece más asequible.

No hay costos además de las tarifas de licencia estándar.

¿Qué otras soluciones evalué?

La interfaz de Securonix es muy intuitiva. McAfee tenía algunas buenas funciones y solo llevamos poco tiempo con Securonix, pero no nos ha presentado ningún problema. Nos parece mucho mejor en comparación con McAfee, en términos de correlación de eventos y seguimiento de casos.

¿Qué otro consejo tengo?

Securonix parece ser una buena solución que ha cumplido con todos nuestros requisitos.

Si desea tener una solución más centralizada para mejorar el rendimiento del análisis y la gestión de casos e incidentes, Securonix parece una muy buena opción.

La lección más importante es que siempre se puede mejorar. Hay características que pueden ser desconocidas para usted en el servicio pero, a través de la documentación, puede darse cuenta de todos los beneficios de las cosas que podrían no usarse inicialmente.

We use Securonix to monitor attempted malware attacks. It sends us alerts, so we can investigate suspicious entities. We'll refer it to the consent team, who will give their solution or comments. 

We have a server where all the data is stored. The Securonix people will take the data from that server, encrypt it, and send it back to the application. From there, we can work on the alert and monitor the data.

The product reduced our investigation times by about 85 percent. Data and geolocation enrichment are the two essential components of the detection part. When there is an IPS alert, we generally need to check to see where the IP is located. Securonix will tell you where the IP is located in the city and country. Securonix helped a lot when the Log4j cybersecurity attack broke out last year. It enabled us to investigate that threat deeper. 

The behavioral analytics features reduce our false positive rate compared to traditional antivirus and cut the time spent detecting and responding to threats by about two hours each week. 

Next-Gen SIEM provides valuable contextual information about security events. We are adding all the information, like user data, from Active Directory. Whenever a user is terminated or retires, we will get an alert stating that the user has separated. 

The built-in management tool improved our security teams' efficiency. You can raise a ticket with one click when you see something suspicious. You can work on it and do your analysis in the backend. It will open a ticket and send it to the teams. 

The analysis will be completed in 15 to 25 minutes. The solution will email the consent team to tell them they need immediate action. In other tools, we have to go to another third-party tool to raise a ticket, and we need to escalate the issue ourselves. There is typically another procedure, but Securonix has a built-in management tool. This reduces a process that would typically take an hour to about 15 or 25 minutes.

It also helped us avoid data loss because we integrated SharePoint into Securonix. We get a notification when someone deletes files in Sharepoint that reports the SharePoint link, the user, deleted files, etc. We will investigate whether it's a legitimate activity or something else. 

The most attractive feature of Next-Gen SIEM is UEBA. The solution creates a user baseline and detects spikes and outliers. Before we started using Next-Gen SIEM, we used traditional signature-based detection. Signature-based detection checks whether a malware signature exists in the database, whereas behavioral detection analyzes all the data.

For example, let's say a given user accessed a device ten times in the last 30 days during regular business hours on weekdays. Next-Gen SIEM will send an alert if the user accesses the device on the weekend or 20 times in a single day. Based on that, we will investigate and email the manager.

The correlation rules and the Spotter carriers are essential in any SIEM. One new feature I like is the Autonomous Threat Sweeper. We will get a notification that a recent attack has entered the environment. They'll provide all the information we need to investigate. It's an excellent feature, but we've only been using it for three to four months. Threat Sweeper does the job in the background whenever we all have some other work. We go through the notifications and decide whether they're essential or not. 

Threat Sweeper is handy. It will clearly show where the anomaly in the data occurs. There is clear information about the IOCs, IP addresses, domain names, etc. We can easily run it in the background and forward the same threat detection report to the other consult teams, like the network and server teams. Another new feature is XDR. I haven't used it, but I've heard it uses signatures and behavioral analysis efficiently.

When I started to use Securonix, I was a little confused, but I could pick it up after a week. Everything is UI-based, and all the information is available on one page, so you don't need to go to different tabs to get what you need. It's very user-friendly. With a click, you can open all the reports you want and generate as many queries as you need. There's no need to use commands.

It takes too long to generate Spotter reports. For example, a 90-day report is around 100 megabytes. That takes a while, but a one-day report can be generated in a few seconds. We would be happy if they sped up the process. 

I have been using Securonix for about a year and a half.

We can rely on Securonix. Whenever we get a new solution or new part, we'll always follow the vendor's suggestions, and they will give us an idea about what is happening or what we have to do.

Securonix is scalable.

I rate the technical support a nine out of ten. They're friendly. Whenever we have a P1 issue, we write an email and our issue is resolved in one or two hours. 

I previously used McAfee's SIEM solution. I switched because I shifted to another project using Securonix. Securonix is faster and more user-friendly. McAfee takes five minutes to load, whereas Securonix will load in the blink of an eye, and I never face any slowness in the application in Securonix. It takes an hour to generate a report on McAfee. It's no competition for Securonix.

I joined after the implementation, but it requires very little maintenance after deployment. We have one or two hours of downtime for quarterly maintenance. 

I rate Securonix Next-Gen SIEM nine out of ten. If you plan to implement Securonix, I recommend buying it now because they're offering a limited-time discount. It's an excellent SIEM, and anyone can afford it right now.