We use Securonix Next-Gen SIEM to provide managed security services. We have an MSSP delivery model using the Securonix asset platform tool that delivers the solution to multiple customers using their multi-tenant approach. It is a shared service delivery model, and we have close to five customers using the tool in our MSSP model.
We get very positive responses from the customer regarding their lock management and storage.
The two major features of this product we extensively use are the UEBA capability and the multi-tenant approach with the centralized data logs system. Customers are very happy with these features.
Regarding the analysis of security events on the SOC side, Securonix Next-Gen SIEM needs to improve its automation capabilities. Other products have machine learning and AI algorithms that can trigger alerts automatically. This is a key feature that Securonix Next-Gen SIEM needs to be improved.
I have been using Securonix Next-Gen SIEM for three years now. We use the solution's latest version.
There are many integration issues. I rate the solution’s stability a seven out of ten.
I rate the solution’s scalability a seven out of ten.
We have worked with QRadar SIEM, Splunk, and Microsoft Sentinel. We use Securonix because we have a managed services model.
We rely entirely on Securonix's production services for maintenance. They handle this, so we do not need to be involved in maintenance. In that area, I recommend this product. Overall, I rate the solution an eight out of ten.
We mostly use it for user-behavior analytics. It is used for all the behaviors related to users. In terms of the environment, there are multiple connections at different sites and locations, and there is also integration with other platforms. For some endpoint use cases, I have to do integrations with different customers who already have the platform.
Its deployment is hybrid. The cloud providers are Amazon and Google Cloud Platform.
When we have an endpoint threat, we have to move very quickly. We detect it through another tool that is associated with Securonix, and automatically the endpoint is isolated from the network. We also get some information for investigation and forensics allowing us to understand the type of threat. We get to know whether it is related to the endpoint or user behavior. We can get information on web-application firewalls and other solutions connected to Securonix, which allows us to understand the depth of the threat for a specific use case.
It provides actionable intelligence on threats related to our use case. After the alerts, we can isolate the endpoints and make some modifications. We can also do some searches about the related IP on the internet and intelligence platforms. That's very nice.
This actionable intelligence is pretty important. When we integrate different platforms, Securonix provides a lot of visibility and allows us to see the whole environment, not just a part. I have been working mostly on the endpoint side, but other people who are working on wider use cases can see all the dashboards and improve the security posture with Securonix.
Its analytics-driven approach to finding sophisticated threats and reducing false positives is very important. With other similar tools, we have to work a lot to reduce or manage false positives. We have to improve the rules and integrations because there are a lot of false positives. With Securonix, we have fewer false positives, and there is also automatic recognition for false positives allowing us to move very quickly.
It adds contextual information related to the use cases. My use case is very specific, but my partners and other teams get a lot of contextual information related to the whole company. It provides a lot of analytics related to a threat in terms of user behavior, environment, and target applications, such as databases, which is very important.
It has saved a lot of investigation time. As compared to other solutions, it has saved more than 50% time.
It has improved the threat detection response and reduced noise from false positives as compared to our previous SIEM solutions. The improvement in the response time is dependent on the scenario, but generally, it is about 40% more effective. When it comes to false positives, it is about 60% more effective.
It has been helpful in detecting advanced threats faster and lowering response times, but I don't have the metrics.
Its console is very easy to use and configure. It is very intuitive for our use cases. App integrations are also pretty nice.
It could be improved a little bit more for admin users. There should be more administrative options related to security for admin users. For example, for forensic purposes, the admin should be able to stop a specific user from erasing some information. I would be helpful in certain situations, such as during an internal fraud.
I have used it for two years separately, in 2020 and the last year, 2021.
Its stability is pretty nice because we don't have too many problems with it. The complexity is related to what we want to see. There are no issues with the performance. We have not experienced any performance issues when the solution is ingesting all of our log sources.
It is 100% cloud. So, its scalability is pretty nice. We have all the capabilities and options to grow. Our environment has more or less four locations with about 1,000 devices. We don't have any plans to increase its usage in the near future.
I have had to call support three or four times, and I would rate them a ten out of ten.
Positive
I have worked with Splunk and LogRhythm. I am using Securonix because, in this company, most of our clients are using Securonix. So, I had to learn how it works and understand its architecture and capabilities. It is very easy to understand for anyone who has worked with similar solutions. It is 90% easier than Splunk, which has a lot of code. Securonix is very radical and intuitive.
I wasn't involved in its setup and onboarding process, but I would assume that it is very quick. That's because it is very simple to use for my use cases, and they have nice support and help.
Its maintenance is pretty lightweight. We have another team that is in charge of that. There are most probably two people who take care of SIEM and cybersecurity solutions.
Securonix cloud-native platform helps to minimize infrastructure management. It allows us to focus on threats versus engineering or managing the platform.
We have surely seen an ROI when we look at multiple threats that we have been able to prevent.
It improves analysts' efficiency to do more with less time. By using the contextual information that it provides, we can be more accurate in our investigation. It has saved about 30% time.
Its pricing is quite similar to others and is very competitive. The other solutions have different types of licensing, but when you do the math, it is competitive.
You should know your environment and connectivity requirements very well. You should understand the analytics that Securonix is providing for the team. You can make a lot of improvements based on those analytics.
I would rate it a ten out of ten.
We were using it for data loss prevention and data acceleration. We wanted a platform with a proper ticketing facility, and as and when we reviewed a user, we also needed a proper documentation setup. Securonix provided that. We were able to integrate playbooks and a lot of other modules so that we not only looked at a particular problem area but also at other factors. We didn't only want to look at exfiltration but also at any lateral movement inside the company by a user. We wanted to look at the outliers in a better way, not only in terms of a user's activity but also in relation to the peer activity to show that it is not a team; it is just a team member doing something wrong.
We most probably were using version 6.0.
It was very easy for us to do our manual threat hunting. We had a lot of instances where we found our internal users exfiltrating data. We were able to see that they were exfiltrating data. We could confirm that through the platform by taking a deeper look, which was very nice. It is user-friendly and handy. It allowed us to look at all kinds of activities and logs.
It provides actionable intelligence on threats related to the use cases. After you have done the configuration, it triggers an alert for any incident. This actionable intelligence is very important because it allows us to respond in time without missing the window of being able to take an action. Sometimes, threats are small, and the indicators do not pop up, but with manual analysis, we can get a complete view. So, it is very important to have real-time triggers.
We have been able to find a few true positives. Based on the triggers from the tool, we got to know that people have been exfiltrating data over a period of time. They had been doing it in small amounts, and that's why it went unnoticed. After the tool notified us, we discovered that one or two users have exponentially exfiltrated data over a period of time. Without the solution, just by looking at the logs, we wouldn't have known that. The tool understood the behavior and triggered a notification, and we got to know that. The users were not just sending our data to themselves but also to another vendor. They were contractors, and they were exfiltrating the data to another vendor. They were about to leave the company, and we were able to catch them before they left.
It reduces the amount of time required for investigations. If I had to check logs from different log sources or tools from different vendors and create tickets, it would have taken time. With SNYPR, we were able to perform a lot of actions within the same platform, and we were also able to push tickets to our SOAR management tool. Everything was in one place. We didn't have to navigate between different things. It was helpful for incident management. It took time for analysts to check whether an alert was a false positive or not and provide the right evidence. Having incident management within the tool reduced time in creating and closing some of the incidents. Instead of 30 minutes before, it was reduced to 10 to 15 minutes per incident. We didn't have back-and-forth navigation. Everything was in one place.
It saved us a couple of hours of our day-to-day activity because everything was consolidated. Once I logged in, one or two hours were enough for me to look at everything and identify things to take an action on.
It has definitely helped us with threat management. Because of the sample use cases that we saw from Securonix, we were able to design a few of our own use cases. We would not have thought of those use cases in the past. We were able to add use cases that were helpful for our data internally. We were able to understand logs even better and create our specific use cases. It was good learning.
It is user-friendly. Its user interface is better than the other tools.
I like the playbook integration. In the beginning, we had a few hiccups because the tool was developing, but after that, the threat intelligence tool that we integrated got more accurate and better. The whitelisting and blacklisting of IPs, domains, or users were also working.
Risk scoring was nice. We could exactly see which user had the highest risk score, and then we could pick it up and work on it.
Securonix accommodates customer requests in the upcoming versions very well. They do their best to bring in the features required by a customer. We were able to have custom widgets for different departments or specific use cases. All tools do not provide such customization. Securonix was good at taking a request, reviewing it, and if it made sense, adding it. We got at least one or two features added.
When they did upgrades or applied patches, sometimes, there was downtime, which required the backfill of data. There were times when we had to reach out and get a lot of things validated.
I have been using this solution for about 2.5 years. Right now, I'm not using it, but I have used it in the last 18 months.
Initially, during patch management, we did see a few downtimes, which required a backfill of data. Before I moved out of the previous company, patch management and upgrades had improved, and the tool had become stable. The queries we were running weren’t breaking the tool. We were able to fetch reports for more roles and data as compared to when we started.
The company that I was working with was midsize. We didn't have a huge amount of data. We were accommodated pretty well. We didn't have any thresholds or limits, but I cannot speak for companies that have a huge amount of data.
Their archiving and deletion policies also worked well for us. We didn't see any performance issues when the solution was ingesting all log sources. Its scalability was pretty nice. We started with six to seven data sources, and then we moved on to add a few more. It could easily accommodate any increase in the number of users or data. We didn't have to just stop at a particular point.
With on-prem, customers have control over the infrastructure, and they can tweak it, but a cloud solution is more simplified. You don't have the headache and overhead of maintaining your resources. So, it is definitely scalable. They partition you based on how big the company is. So, even if you move to a bigger scale, more resources get added to make it work better. It is seamless. We didn't have many issues. We had a few slowness issues at times, but they were resolved. We didn't have to deal with them for a long period of time.
Their support was pretty good. We didn't have any issues there. They were pretty fast. Anytime we had downtime or any issue, we were certainly helped. We got emails telling us how long it will take, and they would stick by it. There were a few times when there was a one-day or two-day delay in response, but eventually, it all worked out. We didn't have major issues. I would rate them a nine out of ten.
They also provide a review with their content team. For the initial few months, they did a lot of threat hunting and showed us why they think a user is doing something in the company and why it is something that is worth taking a look at. It was helpful to have analysts from their side and see how the users are doing it and what are the patterns.
Positive
I have only worked with this solution.
We had another engineering team that took care of its deployment. My involvement in its setup was only for providing the type of data that we need to pull into Securonix. Some log sources took a while in terms of the data format that we wanted and accommodating it with the APIs on the Securonix end. We only had issues with a few data sources. It wasn't a very difficult process, but it did take some time. It took about two months.
Overall, its onboarding was pretty smooth because we were on SaaS. In terms of the strategy, we had to provide the data sources that we needed. They were divided into three levels. We first integrated one or two data sources, and when we saw it triggering, we integrated a few more. We also worked on fine-tuning it for false positives with their content team. They trained us on various use cases and algorithms behind those use cases. If there was any incorrect trigger, they explained the reason for it. It did take quite some time to configure it for our own custom use cases. This phase took more time than the initial integration of data sources. It took at least two to three months to onboard all the sources.
Because it was a SaaS solution, they did the maintenance. It didn't require any effort from our end. It minimizes infrastructure management. In case of downtime or outage, they used to notify us and fix the issue. It did not require our intervention, except monitoring and checking if things are running fine.
They provided flexibility in terms of features and patches. If we wanted to stay on a particular patch or have a few features in the next version, they were able to accommodate that. They were able to add our features even when other customers did not need them.
There were two people on the engineering team from our side, but I am not sure how many people were there from the Securonix side. For integration, two people were there, and then there were four analysts at the beginning to support the tool and give feedback.
We most probably did see an ROI. I was working only at the analyst level. I do not have the numbers, but it did improve the efficiency to do more in less time. In the beginning, we were hesitant to use a new tool, but it soon became our go-to tool for checking and verifying any issues. We started engaging with the tool quite a lot, and it probably saved four to five hours a day. Documentation and ticketing were the biggest challenges, and it helped in having everything in one place. We could just click on a ticket and see everything.
I had heard that it was much cheaper than Splunk and some of the other tools, and they gave us a nice package with support. They accommodated the number of users and support very well.
My team had definitely looked at other tools, but I was not involved in the PoC.
I would advise having a look at it. The user experience or the user interface is definitely better than other tools, but you need to see how it interacts with your data sources and how easy it is to integrate it with those data sources.
It took us at least four to five months to realize the benefits of the solution from the time of its deployment. It depends on the log sources you are concentrating on and want to fine-tune. Most SIEM tools, including Securonix, have a lot of use cases that can be tied to Windows, VPN, etc. Modifying and tuning just one log source is not enough. You should tie different log sources so that you get an idea about any lateral movements. Everything that flows into a SIEM solution has to be tuned. If I'm sending a raw log in any format, it needs to be properly sanitized and tuned for my security requirements, which takes time. We had to go back and forth and get a lot of things fixed. It takes a while for the tool to understand and start triggering based on a specific activity.
False positives will always exist. They won't completely go away. When we first deployed it, it used to trigger alerts for 500 to 600 users, which had come down to 20 to 30. It needed continuous fine-tuning, but as an analyst, I was no longer overwhelmed by hundreds of alerts. It took a while to get to that stage and involved a lot of blacklisting and whitelisting. Even though the false positive rate had come down to a pretty good number, we still had to intervene and verify whether it was a false positive or not, but it was easier to do.
It hasn't helped to prevent data loss events, but it has helped to reduce further loss of data. We got to know about an event only when it had already started to happen. When the tool identified that something was happening, it would alert us. If an analyst was active enough to understand that and put a stop to it, it could have prevented any further loss, but I am not sure how much a data loss event would have cost our organization, especially in intellectual property. However, we figured out that about 40 to 50 GB of data was sent over a period of time. It was sent in small bits, and it included confidential reports, meeting keynotes, etc. We would not have known that if the tool had not notified us.
I would rate it a 10 out of 10 based on the experience I had. We didn't have any major issues related to slowness or querying the tool. Querying was pretty simplified, and there were also documents to know the processes. Their support was good, and they were also good in terms of the expansion of the tool. When we wanted a new data source, they were there to review it and modify it with us. They provided good assistance.
From my experience, clients have been enjoying the product because it enables faster threat detection. We use it daily for hunting and developing strategies, which are much more extensive compared to the results from a traditional SIEM.
With Next-Gen SIEM, we are achieving more with less effort. We can gather more information from the logs and organize it in a different product view, which reduces the need for a large workforce. So we can achieve more with fewer people, and this is particularly advantageous in my line of work, where we need to hire additional staff as we sell more products. However, with this kind of solution bringing in more information about threats and improvements for the organization, we can handle the workload with fewer personnel.
The most valuable aspect is the ability to automate tasks, particularly user behavior analytics. It streamlines processes and makes it very efficient to work with, both for me and the users in my company.
I work in Brazil, and the solution is not very well known here. The market for technology in Brazil, not related to the quality of the product, is not very favorable yet. I see this as a challenge. We need to invest more effort in raising awareness and educating people about the product's capabilities.
Additionally, one aspect that could be improved is the pricing of the product in Brazil. It is reasonable, but when compared to similar tools or products that are more common in Brazil, it tends to be a bit higher.
I started to use this solution about two years ago; my company started to work with Next-Gen SIEM.
To say the truth, neither I nor my colleagues who work with me have encountered any complaints about stability. As the leading company in Brazil for Securonix or the biggest seller of Securonix in Brazil, we have had no issues with stability up to this point. It has been very reliable, and there have been no instances of lagging, crashing, or any significant downtime reported.
The solution is highly scalable since it operates in a public cloud environment. This allows us to store and process a large amount of information as needed. The scalability is one of the remarkable qualities of this product, which makes it very effective, especially when we are dealing with substantial data volumes in the cloud.
Since I work in the sales team, I didn't need technical support. My role is mainly focused on discussing and selling the product to customers, highlighting its advantages.
So, if any technical assistance is required, it would be handled by the partner or someone else in the client-facing team. I have mostly been involved in the sales process, and I haven't had the need to engage with the technical support team.
I work with two options for Securonix. I use the Legacy and the Advantage versions. The Advantage option is beneficial because it includes the features of the Legacy version at the price of the Legacy package. However, it gets complicated when dealing with User and Entity Behavior Analytics (UBA) and other additional features. The EPS (Events Per Second) quantity grows significantly, leading to the need for more resources to handle the workload when using UBA and other advanced features.
If Securonix aims to grow more and improve its position in the Brazilian market, it might need to consider adjusting its pricing to be more competitive. Currently, as we work with AI solutions, the price might need to go down to better grow its presence in the Brazilian market.
I believe in the quality of the product, so I would rate the pricing as a seven out of ten, where one is low pricing, and ten is high pricing.
When we talk about SIEM, it's important to understand how it brings the necessary information to the company and how we can apply the right intelligence to extract insights about threats and other relevant aspects. I suggest investing time to clearly define what you want to achieve with the SIEM solution. If you don't have a clear understanding of your objectives, the results may not meet your expectations. Take the time to thoroughly understand your requirements to make the most out of the system.
In my market and environment, I compete with Splunk, QRadar, and IBM. I've also heard about Hexabeam, but it's not a major competitor here in Brazil. Another one we're considering, which has posed some challenges, is Google Chronicle. However, the two biggest competitors for me are Splunk and QRadar.
When comparing Securonix to Splunk, one issue is the pricing; I believe even Securonix is on the higher side. However, in terms of working with cloud environments, Securonix has an advantage as it performs exceptionally well in the cloud. Unlike Splunk, which struggles in cloud setups, Securonix handles it perfectly. Additionally, in terms of crunching work in the database (DB), Securonix performs better and more efficiently than Splunk, making it a better choice for such tasks.
Other products seem to have a more established market presence, and people are familiar with them, but they might not be as acquainted with Securonix. However, I am confident about the quality of Securonix, and when I get the chance to demonstrate how it works, people tend to like it.
Furthermore, in comparison to IBM, I don't encounter any technical problems with Securonix. The quality of Securonix is solid, and I have no issues discussing its capabilities. When it comes to pricing, Securonix offers a more competitive solution. Even if it's only ten percent better than Splunk in some aspects, the overall value makes it a better option in the end. If the price difference is not as significant, it's more likely that customers will choose Securonix over other options.
Overall, I would rate the solution an eight out of ten.
Securonix or SNYPR is a UEBA tool. It has all the features. It can work as a traditional SIEM as well as do behavior-based analysis.
In terms of deployment, it is on the cloud. It is hosted with Securonix. We are using it as a service, however i have worked on premise deployements as well.
We have this tool to monitor all types of log activities. It can monitor whatever is happening. It can monitor traffic-related things, and it can monitor EDR and all types of logs. It has a set of use cases, and it can alert us if any abnormal activities are happening and if there is any suspicious and malicious traffic. It definitely does 24x7 monitoring of the activities happening in our environment and the type of possible attack that can happen in any of the environments.
It provides a lot of analytics. For handling alerts, we have a manual approach, and it is a team effort. Whenever there is a flag or violation, we check the behavior in the tool or in the UI itself. We can check each and everything in the tool itself. On the basis of that, we identify whether something is a false positive or not. If it is a false positive, we work on the policy condition.
An analyst's efficiency is all about the analytics present in the tool. They provide sufficient analytics. Recently, they have added one more analytics. They already have more than 15 analytics for threat detection purposes. They definitely help us to do more in less time.
In our environment, we do not have external TPI integrated. So, we don't have any external sources for IOCs. With Securonix, all the IOCs are available in their Threat Lab. We are using that feature, and we are also receiving the reports. They check our environment against the IOCs available in their lab and provide us with the report. So far, we haven't got any high severity or medium severity issues. Whatever we got has been of low severity. Sometimes, we see traffic coming from a particular IP address continually, which is blocked in our fiber. We get to know that we have to be very careful about this external, malicious IP address that is trying to hit our environment. Because we do not have the external IOCs or TPIs integrated, we find this report very useful.
It adds contextual information to security events, which is very helpful.
SNYPR has a bundle of features. It has the UEBA feature that tells you about the behavior of a person or entity. In the tool itself, there is an incident management feature, which is definitely valuable. It is a value-added item. It also has third-party TPI.
SNYPR is valuable for any organization because it is not only a traditional SIEM. It is also a UEBA tool. It does behavior analytics. As a UEBA tool, it has a lot of features. You can see a lot of things in the UI itself. It provides a lot of analytics. You can see how a policy is working and how it is giving you the flags if you want to reduce false positives. You can have all the visibility in the UI itself. You don't need to check anything in the backend for this.
It has a feature called Threat Model to identify a threat. For intelligence, it has a feature called Autonomous Threat Sweep that is valuable.
Sometimes, there is instability in the data in terms of the customization of the time. They should work on stability on tool. However 6.4 jupiter version is much more stable.
I have been working with this tool since 2018 till today.
They have improved it a lot over time. We don't see a lot of issues related to stability in our environment. Sometimes, we see instability issues, but they are not very regular.
Performance-wise, it is good. It has a lot of analytics. We see the value in having this tool. Our management is also happy with the tool. It is reliable. We had a lot of configuration mistakes in our environment, and we could detect them with the tool.
It is scalable. We have 1,500 active users. We are operating in the US at three locations.
In terms of the integration of the data sources or the log sources with the Securonix tool, if the connectors are available, we never see any difficulty. I have integrated more than 50 log sources with Securonix. However, if they don't have a connector, we won't have any option for integration. This is common to all the SIEM tools. It isn't something that's specific to this. In any of the SIEM tools, if the connector isn't available, you won't have any option to integrate.
Their support has improved it a lot, They do support us or they do reply to us, but they need to be very fast. They need to be very quick. I would rate them nine out of ten in terms of support.
Positive
I started with Securonix itself. I have read about other solutions such as QRadar and Splunk, but I did not get a chance to work on these tools.
It was not at all difficult for me to use Securonix's interface. This is the first tool that I used. It was not difficult for me to learn. Its interface is very user-friendly, and I don't think anyone will face difficulty operating the tool. Everything is displayed nicely.
When we have a cloud deployment or we take it as a service, we don't get involved in the deployment of the SNYPR application, but we do get involved with on-prem Remote Ingester. So, application deployment is done by Securonix, but the integration with other sources is done by us. We don't have any difficulties with the integration because we have been working with it for a long time. So, we're aware of the backend and how to integrate. It is quite simple and easy. We also have a call with Securonix SME twice a week.
The maintenance is handled by Securonix themselves. They sometimes do the monthly maintenance. We only get the notification, and we know of the maintenance window. After maintenance, we check everything. We just validate that everything is working fine. They also validate from their end, but we also validate. We haven't had any difficulty after the maintenance or upgrade. It always works fine. There are no issues.
The Securonix cloud-native platform helps minimize infrastructure management. We don't need to buy a server. We don't need to manage it.
It is a good solution, but it definitely requires some improvements. It has already improved a lot. They are upgrading it in every build, and it is getting better. They work on policy decommission. Whenever a policy gets old or replicated, they remove the policy. They work on the content refresh. For example, last year when we had the Log4j vulnerability, they immediately updated their content and applied the policy. They provided an update for the Log4j vulnerability.
I would definitely recommend this tool. It is really a good tool. It has all the features available. I don't know anything about the pricing. I don't know if it is more expensive or cheap as compared to the other tools, but as a UEBA tool, I would definitely recommend it to everyone.
Overall, I would rate it an 9.5 out of ten.
We have customized the uses of the platform for our benefit. In general, we use it for failed access attempts, network issues, and allowed/blocked, and we have use cases for platforms such as Windows Server.
We are a service company and partners of various vendors. We provide support to customers. Our strategy is that each piece of equipment sold to customers comes with value-added service, and Securonix protects our customers.
It is an excellent tool that helps us optimize threat-hunting operations, detect intrusive events on the network, and respond to security incidents. It is a tool that helps debug false positives and eliminate noisy alerts. It helps us focus on the alerts that we should take into account for analysis.
Using old, traditional SIEMs did not provide us with the same responsiveness and ability to operate. And if they did provide us with something similar, we needed more staff to review things, event by event. That meant some risky events could occur unnoticed. With Securonix, those issues no longer exist. Securonix shows us information that we must consider as a threat and helps us know when to start an investigation to avoid an incident.
It's very good at adding contextual information to security events. It has reduced the time spent by admins on the dashboard. They can now see information connected to attack risks or even users. The single dashboard alerts them and quickly reports if there is any threat.
It has helped us to better understand what is happening in our network through the indicators of compromise. We have saved days of work. And it optimizes the time that analysts take to review events, compared to other tools that do not have as much intelligence and as many indicators. With Securonix, the information automatically enters and adds intelligence to the indicators. This saves a lot of time that would otherwise be spent reviewing noisy data. It saves our analyst between four and eight hours when analyzing events.
When it comes to advanced threats, it shows us the threats or events that have been detected, with their risk level. It shows us a vulnerability bar and that helps us see who is looking at us, who is trying to deliver certain information to our systems, who exploited us, or if there is any alert due to someone extracting certain information. The automation of information delivery has facilitated everything, saving us three or four days.
For optimization and data analysis, it has a good evaluation engine for repeat offenders and that has helped us to detect, on time, what other basic SIEMs did not detect. Those other solutions needed more time to detect at that same level.
We can customize our use cases with the tools provided by Securonix.
It is an excellent tool that can ingest data in different ways and is very flexible.
Securonix could open up information regarding the indicators of compromise or cyber-threat intelligence databases that they use. The idea is that they share what threats they are detecting.
I have been using Securonix Next-Gen SIEM for about a year.
It is stable, both in the cloud and on the servers. We have never had access problems or experienced any performance issues.
Scaling is flexible. If we fall short in terms of EPS, we would simply increase the EPS. And if the RIN server has low resources, as it is a virtual machine we could increase the resources according to the data quantity.
It is an excellent option for the cloud in terms of scalability. It is flexible for both us and our clients. We have plans to increase usage for certain customers.
The support is excellent. At the service level, they attend to us quickly. We have a post-sale person who follows up in some cases. He can also see the tickets and can escalate something according to the urgency.
Positive
We used a traditional SIEM where everything was very manual. It did not have threat intelligence or threat hunting of compromises, while Securonix has those features.
We changed because we wanted a good tool to automate certain manual processes so that everything is more flexible. With Securonix, you have the option of integrating with other indicator-of-compromise services, and that helps create a more powerful platform and eliminate false positives.
I started the process of design and continued with onboarding and implementation. The initial implementation was simple, but we had some delays because we had new solutions and we had to create new templates. But in general, if you have traditional solutions that have a template, it is easy to implement. It would take a week.
As for our implementation strategy, the tool that we had previously had a forwarding functionality, so what we did was deploy information to the RIN and, from there, sent the information to the cloud. After that, we created a pipeline and sent the rest of the events so that we could take the previous SIEM out of production.
The sources took a month to incorporate. It took us a month to get access to the teams because we do not manage certain teams. It was a bureaucratic process.
Securonix does the maintenance. It doesn't require work from us. They send us emails indicating that the system is going to have a brief reboot and it takes a short amount of time.
We hired an onboarding engineer from Securonix who helped us with the implementation of the RIN. He explained the process to us until we understood everything.
Our experience with the onboarding engineer was good. He helped us with any questions we had and followed up through emails.
For the implementation of Securonix, we only needed one person from our side. I was the point of contact with our other areas.
Where we see our best return on investment is in the time and manpower we save. Before Securonix, our staff had to investigate events constantly. Now, one engineer with some expertise is enough to speed things up and give the rest of the admins time to do other things.
The pricing is fine compared to the market but I think that at some point the competitors will catch up on price. It would be good if, for example, there were an option to offer customers who have used the solution for more than a year some kind of additional trial or service.
There is no cost outside of the standard licensing fee, other than an initial installation service charge. Otherwise, there is simply a monthly cost for the service.
We were thinking about Splunk, QRadar, and Rapid7. One of the drawbacks of those systems would be the infrastructure. Many of the other platforms, including McAfee, need boxes or deployment servers in our infrastructure or our clients' infrastructures and, in many cases, the infrastructure is growing continuously.
With Securonix, that does not happen. It is a cloud solution that only requires a small deployment server with low resources, depending on how many events are received. And all that information is stored in the cloud as well.
The cost, compared to other solutions, is better.
Compared to other platforms, it is very simple yet, at the same time, it is very efficient because it packs information into a glance. After that, it gives you the option of hunting threats and that can be initiated on the dashboard.
It is very intuitive. A person who has a certain notion of cyber security can move quickly since it gives you information about any attack. It gives you a summary and it gives you links to receive information. And if you don't have much knowledge of the tool, you can always take the courses that are free on the web. Doing so helped us understand the solution.
This is a solution that will help you a lot in hardware processing and in optimizing the time it takes to review events, which is what admins often spend their time doing.
There are things on the network that you can't see with traditional tools. There are tools that don't give you the visibility that Securonix gives you.
(Spanish)
Hemos personalizado los usos de la plataforma para nuestro beneficio. En general, lo usamos para intentos de acceso fallidos, problemas de red y permisos/bloqueos, y tenemos casos de uso para plataformas como Windows Server.
Somos una empresa de servicios y socios de varios proveedores. Brindamos soporte a los clientes. Nuestra estrategia es que cada equipo vendido a los clientes venga con un servicio de valor agregado, y Securonix protege a nuestros clientes.
Para optimización y análisis de datos tiene un buen motor de evaluación de reincidentes y eso nos ha ayudado a detectar, a tiempo, lo que otros SIEM básicos no detectaban. Esas otras soluciones necesitaban más tiempo para detectar al mismo nivel.
Podemos personalizar nuestros casos de uso con las herramientas proporcionadas por Securonix.
Es una excelente herramienta que puede ingerir datos de diferentes maneras y es muy flexible.
He estado usando Securonix Next-Gen SIEM durante un año aproximadamente.
El escalado es flexible. Si nos quedamos cortos en términos de EPS, simplemente aumentaríamos el EPS. Y si el servidor RIN tiene pocos recursos, al ser una máquina virtual podríamos aumentar los recursos según la cantidad de datos.
Es una excelente opción para la nube en términos de escalabilidad. Es flexible tanto para nosotros como para nuestros clientes. Tenemos planes para aumentar el uso para ciertos clientes.
El soporte es excelente. A nivel de servicio nos atienden rápido. Contamos con una persona de post venta que da seguimiento en algunos casos. También puede ver los tickets y puede escalar algo según la urgencia.
Positivo.
Usamos un SIEM tradicional donde todo era muy manual. No tenía inteligencia de amenazas o búsqueda de amenazas de compromisos, mientras que Securonix tiene esas características.
Cambiamos porque queríamos una buena herramienta para automatizar ciertos procesos manuales para que todo sea más flexible. Con Securonix, tienes la opción de integrarte con otros servicios de indicadores de compromiso, y eso ayuda a crear una plataforma más poderosa y eliminar los falsos positivos.
Comencé el proceso de diseño y continué con la incorporación e implementación. La implementación inicial fue simple, pero tuvimos algunos retrasos porque teníamos nuevas soluciones y tuvimos que crear nuevos modelos. Pero, en general, si tiene soluciones tradicionales que tienen un modelo creado, es fácil de implementar. Tardaría una semana.\
En cuanto a nuestra estrategia de implementación, la herramienta que teníamos anteriormente tenía una funcionalidad de reenvío, entonces lo que hicimos fue desplegar información al RIN y de ahí enviamos la información a la nube. Después de eso, creamos una canalización y enviamos el resto de los eventos para que pudiéramos sacar de producción el SIEM anterior.
Las fuentes tardaron un mes en incorporarse. Nos tomó un mes tener acceso a los equipos porque no administramos ciertos equipos. Fue un proceso burocrático.\
Securonix hace el mantenimiento. No requiere trabajo de nosotros. Nos envían correos electrónicos que indican que el sistema se reiniciará brevemente y normalmente no tarda mucho.
Contratamos a un ingeniero de incorporación de Securonix que nos ayudó con la implementación del RIN. Nos explicó el proceso hasta que entendimos todo.
Nuestra experiencia con el ingeniero de incorporación fue buena. Nos ayudó con cualquier pregunta que tuviéramos y nos dio seguimiento a través de correos electrónicos.
Para la implementación de Securonix, solo necesitábamos una persona de nuestro lado. Yo era el punto de contacto con nuestras otras áreas.
Donde vemos nuestro mejor retorno de la inversión es en el tiempo y la mano de obra que ahorramos. Antes de Securonix, nuestro personal tenía que investigar eventos constantemente. Ahora, un ingeniero con algo de experiencia es suficiente para acelerar las cosas y dar tiempo al resto de los administradores para hacer otras cosas.
El precio está bien en comparación con el mercado, pero creo que en algún momento los competidores alcanzarán el precio. Sería bueno que, por ejemplo, hubiera una opción para ofrecer a los clientes que han utilizado la solución durante más de un año algún tipo de servicio adicional.
No hay ningún costo fuera de la tarifa de licencia estándar, aparte de un cargo por servicio de instalación inicial. De lo contrario, simplemente hay un costo mensual por el servicio.
Estábamos pensando en Splunk, QRadar y Rapid7. Uno de los inconvenientes de esos sistemas sería la infraestructura. Muchas de las otras plataformas, incluida McAfee, necesitan cajas o servidores de implementación en nuestra infraestructura o en las infraestructuras de nuestros clientes y, en muchos casos, la infraestructura crece continuamente.
Con Securonix, eso no sucede. Es una solución en la nube que solo requiere un pequeño servidor de implementación con pocos recursos, dependiendo de cuántos eventos se reciban. Y toda esa información también se almacena en la nube.
El costo, en comparación con otras soluciones, es mejor.
Comparado con otras plataformas, es muy simple pero, al mismo tiempo, es muy eficiente porque empaqueta la información en un vistazo. Después de eso, le da la opción de cazar amenazas y eso puede iniciarse en el tablero.
Es muy intuitivo. Una persona que tiene cierta noción de ciberseguridad puede moverse rápidamente ya que te da información sobre cualquier ataque. Te da un resumen y te da enlaces para recibir información. Y si no tienes mucho conocimiento de la herramienta, siempre puedes tomar los cursos que están gratis en la web. Hacerlo nos ayudó a comprender la solución.
Esta es una solución que ayudará mucho en el procesamiento de hardware y en la optimización del tiempo que lleva revisar los eventos, que es a lo que los administradores suelen dedicar su tiempo.\
Hay cosas en la red que no puedes ver con las herramientas tradicionales. Hay herramientas que no te dan la visibilidad que te da Securonix.
We mainly use Securonix for SIEM software architecture and for logs. We generate all the logs from different APIs and firewalls. We also have created other policies. Securonix is the primary tool we use to get everything done for our projects and architecture. We even use it for other solutions like AD.
Primarily, I work on violations and policies, not the backend. As an analyst, I work on SIEM.
The solution is deployed on a private cloud. It is deployed with Microsoft Azure.
Everyone has access to SIEM, but they don't have admin access. We mainly have three people and a team lead on the Azure Securonix team. I am the backup and work on the operational side of that team. Everyone has read-only access except the three team members.
Securonix primarily helps with our log code situation. We found a vulnerability last December, so it helped us gather logs for that. We informed our vendor, and they provided some queries on how to get those vulnerabilities and logs.
I normally work on policies and face a lot of false positives. We reduced many false positives since using this solution. Securonix has definitely helped improve our threat detection response and reduced noise from false positives.
Sometimes we face threats and sign-in logs from different countries, but we're able to resolve those. Sometimes we face malicious activities from traffic but it's very rare. It happens about twice a month.
Securonix helps a lot with monitoring. My project is in the monitoring and operational stage, so it's a primary tool I use to monitor everything. The implementation stage has already been completed. We have created policies for all kinds of tools and APIs.
As we are the client, most of us don't have the SIEM threat model feature. There isn't a lot of proper information about how to implement that. Customer service doesn't have a proper idea either. We are lagging in this area, but it's good overall.
In some cases, we have observed that people start getting login failures, so we checked the logs from Securonix and resolved the issue. In that way, it's helped.
Securonix Next-Gen helps us detect advanced threats faster and gives us lower response times. Sometimes we face a data source delay and it's impacted badly, but overall it serves us a lot.
I haven't faced any data loss since using Securonix.
The most valuable feature is that it works on user behavior and event rarities. Those features are in Splunk too, but they're not as effective. Securonix's customer service is also pretty good.
It's not difficult to use the interface, but there's a lot of documentation to read.
We haven't experienced any performance issues when ingesting log sources and investigating threats. The response is good.
Parsing needs to be improved. Every time we integrate a new, specific data source, we face a lot of problems in parsing, even for the old data source. That should be updated on a regular basis.
In some of the policies, the geographical location for a single IP is from a specific country, but the IP doesn't match. For instance, if the log is from China, the actual location of that IP will be from somewhere else, not China.
I have been using this solution for more than a year.
It's reliable and very stable. We haven't faced any major or even minor issues with security.
It's definitely scalable and fulfills my needs.
Technical support is good, but sometimes we face delays with responses.
I would rate technical support as nine out of ten.
Positive
The solution was already in the mid-stage of implementation when I joined the organization. I mostly worked on fine-tuning the policies.
We have a team that takes care of maintenance updates. The solution needed some updates because the user behavior wasn't working properly for some of the policies. As of now, instead of using user behavior, we use event rarity. After version 6.4 is implemented, the issue will be resolved. There are two or three more issues we have that will be resolved after the update.
I would rate this solution a nine out of ten.
My advice is to get a proper idea of the tool you are working on and be sure to read the documentation.
It is a good tool. My company uses it for all our SIEM projects.
It doesn't take as much time to work on policies or injectors, saving us time.
We can now process more data in 20 minutes.
It has improved analyst efficiency by 30%.
We haven't experienced any data loss, which is good.
The policy violation feature is quite interesting. Policy violations trigger before the end of the month and they go into effect.
We haven't seen any security complaints or data breaches, reducing the time needed for investigations by 30%.
The user interface is easy to learn and navigate.
Sometimes, the injectors lag and are not loading. It would be nice if that could be improved.
Securonix Next-Gen SIEM is good for helping us ingest all our log sources when investigating threats. However, there is a glitch where we can't get it up and running. They are working on this issue, which is good.
I have been using Securonix Next-Gen SIEM for the last eight months. Before that, I didn't have much experience in Securonix. These days, I am training people on how to use the solution.
It is quite stable.
The solution hasn't required maintenance so far.
It is scalable.
The technical support is fine. I would rate them as eight out of 10.
Positive
We haven't used another solution apart from this one.
I am just an analyst. I didn't take part in the deployment.
It took us a month to realize the solution's benefits.
This is one of the best tools that I have seen.
When we started, there were a lot of false positives. Now, the amount of false positives has been reduced. It is much better than before.
I would definitely recommend this solution to others. I would rate Securonix Next-Gen SIEM as nine out of 10.
