Lead Security Engineer at a tech services company with 1-10 employees
The solution has helped by reducing the number of false positives in half
What is our primary use case?
We are using it for Azure logins outside of US and Azure brute force use cases. We have use cases for our firewalls, like Palo Alto. These are use cases that we created ourselves. These are not the use cases out-of-the-box that Securonix provided us.
How has it helped my organization?
Without this product, my organization would not be able to function at all. It is our main monitoring product for our clients. We monitor everything through it. Securonix Security Analytics is the main process of providing services to our client because we are a 24/7/365 security operations center. So, Securonix is helping me out on a daily basis all the time, every minute.
Security Analytics helps provide actionable intelligence on threats related to our use cases, which is very important. They are improving it almost on a daily basis. They send it to us and keep it running on the back-end for all the tenants. If anything gets raised, according to the threat intelligence that they have generated, we will get an alert. We will then start digging into those events. After that, we work with clients to respond to that incident.
The product can help increase efficiency. My analysts were working 12-hour shifts when we started. Now, they are working eight-hour shifts. However, it also depends on the person and how efficient they want to be. My analysts are monitoring, training, and doing their certifications all at the same time. This definitely divides their attention.
What is most valuable?
Features, like Spotter, are the most valuable. Spotter is a wide range of research for any of the incidents that happened under my clients' data.
They also have a feature that separates violations according to top violators. So, I can go in and see all the use cases that got preserved under them. It is an intensive search type of thing. You can just keep digging in. There are other policies attached to it. There are some remediation steps and recommendations attached to it.
Securonix’s analytics-driven approach for helping to find sophisticated threats and reduce false positives is pretty good. We are allowed to fine-tune according to our requirements and our clients' requirements, which does reduce false positives. In the last 24 hours, the total number of policies with triggers was 233. When I started with this product, the false positives were 561. Therefore, the solution has helped by tuning or reducing false positives.
It helps us find sophisticated threats.
What needs improvement?
The monitoring, analysis, and visualization of data that Securonix provides is good. However, there are some things that I would love Securonix to change. For example, they don't allow us to make changes on the graphical reports that they have integrated into the platform. We have to create our own. If we just want to take out one thing, our page should allow us to change that template just for our platform. I'm not talking about changing others' platforms; this is just for my platform. They should allow me to make changes according to my scalability. I would like a little bit more changes in the analytics and visual views that they already have out-of-the-box in the platform. They are working on this, but I have not heard from them for a while. I'm satisfied with the visualization that they have, but I would like to get some more out of it. For example, I am taking the report and manually making changes. I want all those changes already integrated and automated, so they are automatically done in the product.
I would not say its threat hunting is easy or difficult to use. It is medium because it totally depends on the data that is coming to you. It does not depend on the platform. It depends on whether you can find the correct attribute that you need to look at, then you can go further on that. They are working on this. They are introducing more features, e.g., they have a couple of updates pending at this time. They are working on it to cut down the steps. If I am doing 28 steps right now just to onboard our data, then they are cutting those steps down. They are also putting more automation in the solution. While they are working on these improvements, it is just a matter of time.
It ingests 85% of all our log sources already built into the product when investigating threats. If the data sources have the functionality, Securonix will create a custom parser for us on a request. If the functionality is not there in the product, then there is a difficulty, but we can still ingest it through the file base, etc. However, I am not a big fan of the file base because a user is creating a file per day for data that was generated the day before. Specifically for activity that has already taken place, we can prevent it, but we cannot stop the activity.
Buyer's Guide
Securonix Next-Gen SIEM
May 2025

Learn what your peers think about Securonix Next-Gen SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.
For how long have I used the solution?
I have been using it for a year and three months.
What do I think about the stability of the solution?
It is pretty stable. Out of 100%, I would rate the stability between 80% and 85%. 20% can be unstable for any product. There can be bugs. There can be a failure in the core or a syntax error in the core. When I notify support of these types of issues, they quickly fix the problem for me.
We have experienced a few performance issues, about 10%, when Security Analytics is ingesting our log sources. This can happen with any product. We informed them that we are facing this issue and got pretty good support on it.
What do I think about the scalability of the solution?
Scalability is pretty good. It does grow with our license. We work according to EPS. So, as our EPS pool grows, the solution will keep growing.
Cloud Scale is super scalable. You can scale Securonix pretty well. Even if you have too much data coming in, you can figure things out or put more resources on it. Securonix is pretty good at doing these things. For example, they have load balancers already in place, which automatically take care of these things.
There are 12 of us right now using the solution. I'm the senior engineer, and I have eight analysts who are using it. I have a senior manager who is also using it.
How are customer service and support?
Six months ago, if someone asked me about the support, I would say, "Not good." Now, the support is pretty effective. They try to resolve problems ASAP. For example, if it's a critical ticket, they get it fixed within an hour.
I would rate the support as eight out of 10.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We had a generic system previously, which had none of the things that have helped us with Security Analytics. This solution automatically detects threats. There is a response bar that we can deploy. There is an email notification. So, if I am not available, then I will get an email that I can respond to pretty quickly. As far as threat detection, we get policy updates every three minutes. Therefore, if anything is detected, it will be right there on my screen.
I have previously trained on FortiGate and Splunk. Securonix and Splunk are not that different. Splunk has a lot of things on one screen. Whereas, Securonix tries to clean it up.
How was the initial setup?
If you follow the documentation, it is straightforward. If you don't want to read, it will be complex. I don't review documentation anymore. I did it twice when I started, then I went in, wrote a batch script, and automated the whole process. Now, I just need to make some changes before running that script.
The deployment takes 35 minutes on the client side.
What about the implementation team?
I am the only person involved in managing and deploying the solution.
If there is any kind of setup that needs to be done on the cloud side, Securonix does that for us. I integrate clients with my platform, but Securonix takes care of the back-end.
What was our ROI?
The Securonix cloud-native platform helps minimize infrastructure management. We don't need that much manpower. If there is infrastructure to maintain, I need an engineer to maintain infrastructure, a software engineer who will look for the application, a security unit who will look for the threats and attacks, and a response person. Now, I don't need a software engineer or infrastructure engineer. That has gone away. Currently, I need only a security engineer and response person, which one person can do. We can also hire two people to do the different jobs. That is no problem.
We don't have to put more focus on infrastructure, which helps. There is a little bit of an infrastructure included, but that is a one-time setup thing. You don't need to go and maintain it again and again.
Securonix Security Analytics adds contextual information into security events. For example, on a generic system, if I used to put in an hour, now I'm putting in 35 to 40 minutes on this. So, it's saving me about 20 minutes of time.
What's my experience with pricing, setup cost, and licensing?
Compared to the pricing of other products, Securonix's pricing is pretty good. Clients can get half of the price of other companies by going with Securonix. Other products, like IBM and Splunk, have pretty high pricing. Nowadays, we see CrowdStrike as up and coming, and they are pretty expensive.
Pricing does depend on what model you are looking for, e.g., are you going for an MSP or single tenant?
Which other solutions did I evaluate?
I don't find a lot of difference between solutions. Everybody tries to improve their product over time. I do free testing for multiple products, and they are basically copying each other's functions.
I like Securonix because I am familiar with it and can do threat hunting in 10 minutes instead of the 30 minutes that it might take if I used other solutions.
What other advice do I have?
According to my clients and the security world, I cannot eliminate all the false positives because you cannot let false positives go. You need to make sure that there are no attacks attached to that false positive. So, we have a team of analysts who monitor it every time. So, if a false positive policy gets an alert, then we just go ahead and make sure to analyze it. That is okay. If it is a false positive, then we mark it as one. We did eliminate a lot of false positives, but not all of them. It is our choice, not Securonix's, what we want to keep or eliminate.
I would rate Securonix as nine out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner - MSP

Cyber Intelligence Supervisor at a tech services company with 201-500 employees
Enrichment helps us discover information, and platform is great for visualizing and reviewing data
Pros and Cons
- "The most valuable feature is what Securonix calls enrichment. Securonix is very powerful because of all the data it can process and automatically enrich. The actionable intelligence it provides is one of its benefits, due to the processing capacity it has."
- "The analytics-driven approach for finding sophisticated threats and reducing false positives is positive and good, but the platform requires a more dynamic concept. Everything is a bit static."
What is our primary use case?
We provide cyber SOC services by using it as an event correlator.
How has it helped my organization?
At the level of user visibility, it enriches a lot of data that the user might not otherwise know about and allows you to enrich other platforms with that data.
The contextual information added by Securonix has helped reduce investigation time by minutes because we no longer consult multiple sources and everything is centralized in one place.
It has helped improve our threat detection response and reduced noise from false positives, although it depends a lot on which network is being configured. The native ones trigger a lot, so we have introduced additional context in them.
But we have saved time in threat detection and noise reduction. It allows us to automate more use cases. I'm not sure if it has improved our level of threat investigation.
The solution has also helped detect advanced threats faster through the threat modeling. Several use cases are incorporated and it warns you about any behavior and more advanced threats. You don't need to review each threat but it informs you of the behaviors that you must take into account and it is easier to deduce them.
The dashboards that Securonix uses have helped us to do more in less time because if you need to see an anomaly or a specific event, the dashboard provides you with a summary of the data about that event.
Another benefit is that the platform has helped minimize infrastructure management. We invest less time in giving support and troubleshooting.
What is most valuable?
The most valuable feature is what Securonix calls enrichment. Securonix is very powerful because of all the data it can process and automatically enrich. The actionable intelligence it provides is one of its benefits, due to the processing capacity it has. Something to keep in mind is that Securonix needs a lot of initial work to be able to properly enrich itself, but once installed it is very powerful.
It's very good at helping to ingest all our log sources when investigating threats. That is back to the enrichment theme. It's very powerful. When you ingest data into Securonix, what it does is feed back to other sources like your firewall and antivirus proxy, and vice versa. And the use cases filter data.
The UEBA capabilities are also very valuable.
What needs improvement?
The analytics-driven approach for finding sophisticated threats and reducing false positives is positive and good, but the platform requires a more dynamic concept. Everything is a bit static.
Also, the Autonomous Threat Sweeper is very enriching but, that being said, the threat detection report lacks a little context. The feature to sweep autonomously is good. The way they could improve the ATS would be to use more awareness and communication with the user. They don't give us much detail in the threat detection report. It would be very helpful if they explained the impact to us.
For how long have I used the solution?
We have been using Securonix Next-Gen SIEM for about four months. We are service providers, not the final customers. At the moment, we only have the implementation in one location.
What do I think about the stability of the solution?
So far, we haven't had any problems. It's very stable.
What do I think about the scalability of the solution?
At the moment, we don't have enough records to scale, but based on the infrastructure and from what I have seen, Securonix is very practical and it is possible to increase its capacity.
How are customer service and support?
Support is an area for improvement because it takes a little time for them to attend to tickets. And regarding more complex configurations, for example, when you want to generate a change in the platform, you have to submit a ticket and you cannot modify templates or create things. That can only be done by administrators since it is a SaaS service.
In general, the tech support seems good. They solve the problems that occur, but their response times are not very good.
How would you rate customer service and support?
Neutral
How was the initial setup?
First, we saw how many events we had in the past SIEM. Under that same report, the infrastructure was made in Securonix, the RING was built, the platforms were connected, and then we let Securonix enrich in the system while the platform was configured. After that, the monitoring started.
There were particularities. The implementation of the infrastructure was simple, but the integration was complex due to integration issues in one of the solutions.
It took approximately three weeks until we implemented everything. In terms of staff from our side, there were two technicians, one who was in charge of integrations and another in charge of configurations in the SIEM. My responsibility was more on the strategic approach. Additionally, two integration managers from the Securonix team were involved.
Securonix notifies us when it needs to do maintenance. We only have to take care of the RING since it is local and not part of the SaaS infrastructure.
What's my experience with pricing, setup cost, and licensing?
The pricing is good, but by adding more things, the licensing becomes more complex because an EPS license fluctuates a lot. This licensing concept is going to be problematic in the long run.
Which other solutions did I evaluate?
Securonix is very easy and very intuitive compared to the other platforms. At the access level, it is much more practical. However, there are other platforms with better research levels and data ingestion than Securonix.
We evaluated Splunk, which is very similar to Securonix. We went with Securonix because we wanted to understand more about UEBA and enrichment, and for financial reasons.
In terms of threat investigations and onboarding, versus previous solutions that we have used, having access to UEBA allows you to analyze threats based more on behavior. But if you were to manually model, in other SIEMs, all the use cases that Securonix has, they would be very similar. Something that Securonix has in its favor is the enrichment prior to those threat detections. It took us about three to four weeks to get all the sources into the Securonix platform.
What other advice do I have?
When it comes to adding contextual information to security events, I would give it an eight or a nine out of 10. It enriches things a lot. But the concept by which Securonix works, which is to enrich by source and by modules, makes it very cumbersome to configure. If you set it all up, you can overload the SIEM. They tell you it's possible to set everything to the maximum capacity but this approach is not recommended.
Overall, it is a powerful platform. The cons are minimal and only require small attention and tedious initial work. Once Securonix is operative, it is very powerful.
It is a very good platform for discovering unknown information and is great at helping to visualize and review data. Thus, it indirectly supports data correlation. Thanks to Securonix, I learned that there are always things to discover. That's not only in the materialization of threats, but also in terms of discovery of permissions, users, and information about entities belonging to the company. And the enrichment gives you visibility that you didn't know about.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
SOC Analyst at ComWare S.A
Integration with third-party sources enables us to correlate and act on internal and external events
Pros and Cons
- "One of the most valuable features is the integration of all types of data sources to extract relevant information regarding events. It is a good solution when it comes to the correlations that it makes within all the data handled in our company."
- "We would like a little more face-to-face training. Securonix has several tutorials on its website, but we want there to be a person in Colombia who does training or workshops to give us a better understanding of the platform."
What is our primary use case?
We use it for the correlation of security events.
How has it helped my organization?
Securonix provides feedback from integrations with third parties so that it is always up to date regarding security events that occur daily.
It has helped a lot because previously we did not have as much control over the procedures or things that the company's users did. With Securonix, we have been able to monitor the activities of both internal and external users in the company.
Securonix has published a lot of information regarding how to use the platform. They have a lot of information online that has helped us add contextual information to security events. In the event of a security breach or a risk, it helps us monitor things. So far, with the solution in place, we have not witnessed any attacks, but it has helped us to monitor possible events that, if not taken into account, could be security breaches. It has helped us to mitigate potential gaps.
With this solution, we have saved hours in case management. It has helped us detect things faster and the integration with third-party sources has given us the ability to correlate and act on internal and external events, such as malicious attacks or malicious sites. We have improved in our response to certain incidents and types of browsing thanks to external lists that Securonix has provided us with. We can automatically detect threats.
Another benefit has been the ability to integrate practically all our specialists from different areas, including Windows, security, virtualization, et cetera, to respond with better quality. It has improved the efficiency of analysis.
It has also helped with data loss events in a certain way, through integration with our email accounts. In an event of data loss, the loss for our organization would be incalculable.
What is most valuable?
One of the most valuable features is the integration of all types of data sources to extract relevant information regarding events. It is a good solution when it comes to the correlations that it makes within all the data handled in our company. It has provided us with a lot of information and research.
What needs improvement?
We would like a little more face-to-face training. Securonix has several tutorials on its website, but we want there to be a person in Colombia who does training or workshops to give us a better understanding of the platform.
For how long have I used the solution?
We have been using Securonix Next-Gen SIEM for about a year.
What do I think about the stability of the solution?
It has not presented us with problems. Most of our support cases are related to the generation of policies, but the platform has not been an issue for us.
What do I think about the scalability of the solution?
Securonix carried out an analysis of our entire infrastructure. It provides us with the level of processing required and, if you are planning to take on new clients, you can always increase the EPS.
How are customer service and support?
I would rate their support at 8.5 to nine out of 10. Sometimes it has taken a little while because the investigation team has already begun to analyze other cases, but they always resolve our issues. While they are a little slow in certain cases, most of the time they solve them quickly and efficiently.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used McAfee before. The person who was in charge left the company just when Securonix came in and that is when I started working here.
One of the main differences is having service through the cloud. Before Securonix, we had the service locally. Now, the service is processed in the cloud and when a case is generated on the platform, they have always been willing to help us.
How was the initial setup?
Securonix is in the cloud. We have a virtual machine that stores certain platform configuration information, and since it is in the cloud, we can manage the platform from anywhere. The cloud-native platform helps minimize infrastructure management. Having everything integrated into one place makes things much easier for us.
I was only involved a little in the implementation of Securonix, but from what I heard, their team was helping our entire company, day and night, to get the implementation out as soon as possible. There may have been some problems in integration, but support cases were created and their team was always there with updates and new ways to connect our sources with their platform. Overall, it was not that complicated.
On our side, we had specialists involved from each department that wanted to be integrated with the platform, such as Windows, networking, security, et cetera. The Securonix staff was always present.
Securonix has provided us with a consultant here in Colombia. We are in contact regarding configuration of the platform to rule out possible false positives and help us focus on events that we must take into account.
It took us four months to incorporate all the sources.
There are no maintenance requirements on our part. They are constantly notifying us of updates and, before making changes, they let us know if there are going to be any interruptions in the service.
What was our ROI?
Our company is already trying to sell Securonix services, although it is a fairly new solution in the company. First, it is being handled internally, but they are already beginning the process of selling the service. That is the best return on investment.
What's my experience with pricing, setup cost, and licensing?
Compared to other brands it seems more affordable to us.
There are no costs in addition to the standard licensing fees.
Which other solutions did I evaluate?
The Securonix interface is very intuitive. McAfee had some good features and we have only been with Securonix for a short time, but it has not presented us with any problems. It seems to us much better compared to McAfee, in terms of event correlation and case tracking.
What other advice do I have?
Securonix seems to be a good solution that has met all our requirements.
If you want to have a more centralized solution to improve the performance of case and incident analysis and management, Securonix seems like a very good option.
The most important lesson is that you can always improve. There are features that may be unknown to you in the service but, through the documentation, you can realize all the benefits of things that might not be used initially.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Specialist at a tech vendor with 10,001+ employees
Streamlined alert analysis with intuitive resource selection and an easy setup
Pros and Cons
- "We can select the resource group name or functionality directly of which type of security tool logs we want. We don't need to write the query for that; we just have to select."
- "I face slowness issues sometimes."
What is our primary use case?
We have created correlation rules. When the condition matches, we get the alerts. We start analyzing the alerts and then create tickets for it in ServiceNow. We have also created dashboards in Securonix. If any breaches of data or unpredictable work is detected, it will show in the dashboard.
How has it helped my organization?
Securonix is a money-saving tool. Its price range is very low compared to other tools.
What is most valuable?
The most beneficial feature is the option for a resource group name. We don't have to type the query specifically. We can select the resource group name or functionality directly of which type of security tool logs we want. We don't need to write the query for that; we just have to select.
What needs improvement?
I face slowness issues sometimes, especially when we write a query to search specific logs from the resource group. Apart from that, there should be GUI changes.
For how long have I used the solution?
I have been working with the Securonix solution for eight to ten months.
What do I think about the stability of the solution?
Securonix is stable, yet sometimes there is slowness.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
We are not raising any questions with customer service or support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I was using Splunk for six months.
How was the initial setup?
The initial setup was straightforward, and I did not face any challenges.
What other advice do I have?
For new users, it is good to use. For experienced users, they need fast query resolution; otherwise, it will be difficult for them to use. It does not require much maintenance.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Oct 30, 2024
Security Developer at a tech consulting company with 201-500 employees
Enrichment of event data via connectors to Third Party Intelligence had made investigations more efficient
Pros and Cons
- "The UEBA functionality indicates a lot about behaviors that are not found through a traditional SIEM. We have exploited that more than anything since we started using it."
- "It seems to me that within Securonix there is no option for completely visualizing the types of sources or if there is any loss of logs. I've heard that they have an additional module to validate those types of cases, but in terms of the platform itself only, I can only see how often it sends data but not any specific detail."
How has it helped my organization?
Securonix provides us with a fine-tuned environment. It helps eliminate false positives with certain parameters.
It is a SIEM that works automatically when it comes to behavior and the analysis of certain parameters that we did not have visibility into before. It is very productive for our business. So far, from what we have seen, Securonix is very useful.
Securonix provides "enrichment" of event information thanks to connectors with Third Party Intelligence and that has helped to make us more efficient in our investigations. Threat hunting that used to take two to three hours can now be done in less than one hour because we have certain graphs configured within the platform that allow us to search for more detailed events in a shorter amount of time. The training we have received has been absorbed quickly by our analysts and we have managed to do more in less time.
Another benefit is that, as a SaaS environment, it allows us to free ourselves from support issues. We escalate everything directly with Securonix.
What is most valuable?
Among the most valuable features are its
- reporting capacity
- graphics
- UEBA analytics.
The UEBA functionality indicates a lot about behaviors that are not found through a traditional SIEM. We have exploited that more than anything since we started using it.
The autonomous threat sweeper also seems very good to me. It is a very striking and productive tool for our business. It's highly important to implement ATS because it allows us to scan for specific events that may happen.
Also, the ease of searching that the Spotter tool offers us is a welcome feature and the data insights have been very useful for our research work.
What needs improvement?
It seems to me that within Securonix there is no option for completely visualizing the types of sources or if there is any loss of logs. I've heard that they have an additional module to validate those types of cases, but in terms of the platform itself only, I can only see how often it sends data but not any specific detail.
For how long have I used the solution?
I have been using Securonix Next-Gen SIEM for six months.
What do I think about the stability of the solution?
We have not had any major problems with the platform since we started working with it. There has only been one problem that had to do with something that did not load on the platform, but that was it.
We have had no problems ingesting all our log sources.
What do I think about the scalability of the solution?
Being a cloud environment, it gives us unlimited scalability. When we have integrated larger sources we have not experienced any problems.
How are customer service and support?
We have had some slightly delayed response times from technical support, but it is nothing out of the ordinary.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We use platforms such as RSA enVision, QRadar, and McAfee. We have not eliminated these platforms but we are more inclined toward Securonix because it provides us with UEBA analytics, which is something that we have not been able to exploit as much on other platforms. The solution's UEBA data analysis is what caught our attention.
How was the initial setup?
I was involved in a certain part of the implementation that focused on the RING installation. The implementation was simple. They shared an interactive manual with us and there were no problems. Onboarding the sources was not such a complicated process. We needed three to five employees for the implementation.
They also provided guided training in which a representative from Securonix helped us with the queries we had.
Maintenance is mostly managed by Securonix. We are hardly involved in it.
What was our ROI?
More than anything, we have seen ROI thanks to the metrics we get from Securonix.
Which other solutions did I evaluate?
Securonix is very user-friendly and intuitive. In terms of nomenclature, it is very easy to understand where the information you want is located. Compared to other platforms, there are several UI qualities in favor of Securonix. It puts everything at your fingertips and the options tab is very accessible.
In terms of reducing false positives, we have not seen much difference between Securonix and other platforms at the moment.
What other advice do I have?
Information about Securonix is all available within the online documentation and it enables you to get to know the platform independently. It is very beneficial if you're looking for a high-quality SIEM.
The most important thing I have learned by using Securonix is the exploitation of UEBA analytics. I had not seen that in another SIEM and it has been a definite benefit for me.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Services Sales Consultant at Alpha
A stable solution in the SIEM and SOC space that can be deployed with ease
Pros and Cons
- "The solution has proven to be stable so far...The solution is easy to scale up."
- "The technical support of the solution is an area with shortcomings and needs improvement."
What is our primary use case?
Our company does manage a stock of solutions for our customers. We use some tools like Splunk SIEM and some other technologies as well.
What is most valuable?
The reason why a customer chooses the solution for its features depends on the customer. Customers may choose it based on budget or the features they're looking for, and it varies, honestly.
I am from the sales team and the technical team, because of which I can't speak much about its features.
What needs improvement?
Customers may plan their next year's budget. If customers find that they haven't derived value from the solution, they might think about the prices, and then they would reevaluate the solution, after which they choose another solution.
The technical support of the solution is an area with shortcomings and needs improvement. My customers didn't face any issues regarding support from the solution's vendor, but it could be from the partner or from those providing support for the solution. Support could be more flexible, and they can delegate the support part of their operations to partners.
For how long have I used the solution?
I have been using Securonix Next-Gen SIEM for three or four years. My company acts as a system integrator and reseller while also having a partnership with Securonix.
What do I think about the stability of the solution?
The solution has proven to be stable so far.
What do I think about the scalability of the solution?
The solution is easy to scale up.
My customers who use the solution are enterprise-sized businesses.
How are customer service and support?
Technical support for Securonix is good. I rate the technical support an eight out of ten. I don't give a ten out of ten rating because all the solutions need a marginal score to improve. None of the solutions would have a hundred percent satisfaction from customers.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I work with Splunk. The pros and cons of a solution depend on its features, customers, and the scale of the customer.
How was the initial setup?
As per our technical team, the initial setup was fine. It wasn't really difficult.
I am from the sales department, so I don't get involved in the implementation.
The solution is deployed on-premises.
What's my experience with pricing, setup cost, and licensing?
Pricing of the solution is an aspect that depends on a customer's budget. Sometimes the price fits a customer's budget. At times, the solution's price becomes a huge burden on the customer.
A yearly payment has to be made toward the solution's licensing costs.
Additional costs other than the solution's licensing costs are for the installation and support.
I rate the pricing an eight on a scale of one to ten, where one is cheap, and ten is very expensive. It is a pretty expensive tool.
What other advice do I have?
The solution requires maintenance, and the people required for maintenance depend on the applied or rolled-out solution's size. If the solution is applied at a larger scale, more team members are needed for maintenance. It is not difficult to maintain the solution.
I recommend the solution to those planning to use it since it is a good solution in the SIEM and SOC space. Some different providers or vendors also work in the SIEM and SOC space. The customers or potential users should evaluate a product before buying it, and everything would be fine.
The solution can fit all sizes. It's not only for enterprises since you'll find some SMBs looking for solutions like Securonix Next-Gen SIEM, but it will be a bit expensive out of their budget. Usually, SMBs don't place a budget for SOC since they can go for a managed SOC. Securonix Next-Gen SIEM could fit the requirements of SMBs as well.
It is a good product that needs to improve.
Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
Practice Head-CyberSecurity at ALTEN calsoft Labs
Analytics platform has open security data-links and it is easy to deploy
Pros and Cons
- "The feature that I have found most valuable is their analytics platform where they have the open security data-link, which they introduced. This is typically different from the other vendors."
- "The pricing. I'm not sure how they are proceeding with the identity based pricing compared with DB pricing which most of the vendors are using today."
What is our primary use case?
In our organization, we handle cybersecurity. As an IT services company, we are limited to setting up the security operations center in different forms for our customers' requirements.
We are in the business of setting up the security operation center for the customers and we also provide other stock services for many of the customers. We do have a lot of service offerings on our stock management platform.
We do MDR via cloud security and its monitoring services, so we are very familiar with the leading platforms in the market today like QRadar and Splunk. We use them in our environment today. I have been searching out the next-gen SIEM. Then I brought Securonix to my board. I came to learn that Securonix is leading in the innovative ideas and innovations on the SIEM platform side. Particularly because my role is a security practice in Veeam SM. If you evaluate the market trends you understand the products released into the market and how best to leverage that integration and make sure that there is no bounce back to the customer in these situations. That's why I started evaluating the Securonix in a typical lead evaluation.
We are not partnered, we have just done a couple of initial discussions with some of the folks here in India. We are still in the stage of evaluating these products, including Securonix.
I noticed that this is more on the open data platform when it comes to managing the locks from a different angle and for different assets. That's one area which is more interesting for us.
Compared to other competitors in the market, what I have seen is that their module is the UEBA, User and Entity Behavior Analytics, module. That is something different which they are offering today.
These are some of the differences I see. Additionally, is the pricing issue. They are moving from DB pricing to the identity-based pricing. But I'm still confused about that identity pricing. I still have to get more clarification from the products.
What is most valuable?
The feature that I have found most valuable is their analytics platform where they have the open security data-link, which they introduced. This is typically different from the other vendors.
What needs improvement?
As far as what can be improved, again it is the pricing. I'm not sure how they are proceeding with the identity-based pricing compared with DB pricing which most of the vendors are using today. Some of them are dealing with EPS based pricing.
What do I think about the stability of the solution?
There is still a need to evaluate the stability because we are very new to this platform. So we need some more time to do that.
How was the initial setup?
The initial setup is straightforward, it is easy to deploy.
Which other solutions did I evaluate?
We did evaluate other options before choosing Securonix. As an MSSP we use many products. It all depends on the kind of requirements we get from the customer. We evaluated QRadar and Splunk. As an MSSP, we use a combination of tools.
The major difference between Securonix and the rest is that their security data-link is very open and the hosting of that platform is much simpler compared to other vendors.
Because there is no proprietary thing involved here the log management should be much easier compared to others.
What other advice do I have?
On a scale of one to ten I would rate Securonix an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT Project Manager at a manufacturing company with 10,001+ employees
Behavioral profiles help us identify somebody who is engaging in anomalous behavior
Pros and Cons
- "The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects... It's very easy to see people's patterns, what they typically do."
- "[The solution has] incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it."
- "We have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that."
What is our primary use case?
We use the solution for protection of engineering intellectual property. We currently look at engineering data in two systems, one a commercial system and one which is a homegrown system.
How has it helped my organization?
We've seen a couple of circumstances where people accessed data, especially in our internal application, and we weren't sure how they did it, because they shouldn't have been authorized to access it. We actually found a backdoor on our side. Their access did not go through that backdoor intentionally, but they did find a backdoor way to get the data. We shut that one down as soon as we found it.
The other thing we do, where it's been a big help, is that we have people who, from a process standpoint, bring down a ton more data than they should. They aren't doing something malicious, but there are ways to bring down simplified data subsets. We've been able to educate the users to take down simplified sets. In essence, that saves them time and effort in having to bring all that data down and then call it up and use it. It's really tough to put hard numbers on that, but we have certainly seen a reduction in the amount of these high-volume downloads, and it's really been because of a process change on the part of the users.
What is most valuable?
The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects, files from either the engineering or the homegrown application. It's very easy to see people's patterns, what they typically do. The system might identify somebody who is engaging in anomalous behavior. Especially with the product's rev 6, there are a lot of tools to go in and do investigations, even without talking to the person, to try to determine what were they doing. Is it a case that they normally don't do something but this looks like a legitimate action, or is it something we need to investigate? That is pretty neat.
What needs improvement?
It's tough in some cases for the solution to do it, but we have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that. That's a difficult problem to solve because it's very application-driven and very user-driven, based on what the user's role is.
For how long have I used the solution?
We started our implementation in October of 2016. We are currently on Revision 6.2 of Securonix, using the SaaS cloud version.
What do I think about the stability of the solution?
The stability has been pretty good. On rev 5, once we got it going, it was very stable. We didn't find very many issues.
As we go from rev 5 to rev 6, the architecture's a little bit different and we have run into a couple of issues which they are in the process of fixing. Once those are fixed, we'll discontinue use of rev 5 and use rev 6 because we feel comfortable with what we're seeing in the data for rev 6.
The stability issues I mentioned are definitely bug-related. We had a call with Securonix's development management last week and they gave me a very good technical explanation of what was going on. It made sense but it was complicated. It had to do with the sequence of what they were doing and the data sources and how it's different in the architecture. These are just things they didn't expect to run into. Once they understood it, they started fixing it and making sure that it not only fixes our instance but other customers' instances, where they might have run into something similar.
What do I think about the scalability of the solution?
It's certainly extremely scalable. They have a lot of connectors into different data sources. We haven't identified a data source that it seems we wouldn't be able to read in.
We certainly have plans to increase usage. We started this as more of a pilot with engineering data access on these two systems. Currently, on our homegrown system, there are about 20,000 users a month. On the commercial system, which houses a lot of the engineering model data, there are about 13,000 users. That's the number of people whose activities we're looking at. That's internal, customer employees, as well as contract-contingent workers, onsite and offsite.
Which solution did I use previously and why did I switch?
We didn't have a previous solution. On our homegrown system, we made a little bit of a homegrown solution, but the only thing it did was that if somebody had a high number of downloads, it would send us a note. On the commercial system, we were trapping things in the log, but the logs are typically about 1.5 million rows a day, and that's really tough to analyze by hand. That is why I said, "I can't do this. I need an analytics tool to do this." This was really the first analytics tool that we deployed for this particular purpose.
How was the initial setup?
For me, the system setup, itself, was of medium complexity because, for both applications, there were standard connections into them. We had to write our own queries. We learned from that. Our homegrown system was fairly easy because we just look for objects downloaded. Our other application looks for more than just these download events. So it was more complicated to come up with the query and then for us to come up with use cases to have the system analyzed.
We find that that process is ongoing. From when we started, we've never really stopped improving how we're trying to get results with the system. From my experience, you don't set it up and you're done. It's very much an evolutionary process. As you learn more, you can help feed that into the system. You can say, "Oh, I thought this was a problem. You're saying it shouldn't be. Okay, I'll take care of that now and I won't flag that. Or I'll make a different peer group to analyze data against." For us, it's very much a continuous process so that we can improve and hopefully minimize what we think are things that we need to investigate.
In terms of how long our deployment took, to me, it is still evolving. If I look at the initial one that we did on rev 5, the system was set up in October and just after Christmas we were, for both sources, doing pretty well. We were getting very usable results. The homegrown one was very easy to implement and we got that one going before Christmas. The other one is a little more complicated and took about three months. We've constantly refined ever since.
The implementation strategy, initially, was to apply it to these two applications but we didn't necessarily know what we would find, what the typical behavior would be. So we really needed to understand what people are doing, with our various use cases. Our strategy has been to continue to improve, to reduce the amount of time we take to look at data to see if something is an issue. And then, we're looking at a reading in more engineering data sources.
Currently, we're in the process of figuring out the best way to read in from a SharePoint Azure site, to get data from our SharePoint on what people are using for accessing documents. Then we're also looking at what we call data "exfiltration," which is: Did somebody take the data once they downloaded, did they send it to a printer, did they email it out? Did the data go somewhere off the computer of the user to somewhere else? Our strategy has included taking that to the next step.
When we move from rev 5 to rev 6, there are new capabilities, new enhancements, and so it took a few months to get ready. The best way to describe the move to rev 6 is that it's a totally different system. It's a SaaS environment. The one we have now is on-premises. What you do is re-set up the use cases that you are currently using and your policies and then re-ingest data, but from a shorter timespan. Because of what we were doing, it is a little more work. But the Securonix folks helped us with the initial setup and the data ingest. From our standpoint, it was just a matter of validating on our internal system for rev 5 how the data was looking in rev 6. It certainly took some time.
What about the implementation team?
The consultants from Securonix are key, from our standpoint. I have almost daily calls with them to talk about what are we seeing, what are we doing, how can we improve things. We actually have a team call with some of the Securonix consultants and management every week. We generate a weekly report of what we have run into that we need help on, what our accomplishments have been, and if there are any issues, what their statuses are. We have excellent communication with the Securonix consultant folks. They're very good.
What was our ROI?
For this kind of solution, unless you find somebody who physically took something and was going to sell it or try to, and you were able to recover it, it's really tough to put a monetary number on intellectual property loss. You would be making an assumption about what might have happened if the competition had it.
Still, I would certainly say that we have seen a return on investment. We haven't seen a return where we actually stopped our engineering IP from going out the door. Then we would definitely have an ROI, because all it takes is stopping one person and you've paid for your investment over and over again.
But what we've been able to do, if nothing else, is to let more people know that we are aware, that we're watching what's going on. We've had factory managers who are actually appreciative and feel more comfortable knowing that someone is watching this information. Again, we're back to these intangibles, but our company very much sees the value in this and, as we move forward, we'll see even more value. It might cost us a little bit more but we'll see more ROI if we find out what's going on with things like data exfiltration.
What's my experience with pricing, setup cost, and licensing?
I can't say anything from a numbers standpoint, but we went in on a three-year agreement which has an annual licensing fee, based upon the number of people that we're monitoring. There have not been any additional costs to the standard licensing fees.
Which other solutions did I evaluate?
We did evaluate other options. The main competitor was Exabeam. My manager was the one who did a lot of the investigation of the various tools.
At the time, the competitor's system was extremely limited in the number of data sources it could read in, whereas Securonix had a lot of pre-made connectors. In our cases it had out-of-the-box connectors to the two data sources that we needed. We had to write our own query, but it could at least connect directly into the logs that we had.
The other thing that Securonix had, and the other one didn't, is incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it. Since it was all integrated, it was extremely helpful. That was one of the things that we liked.
Also, at the time, Securonix was the most mature in the user and entity behavioral analytics, among the groups which offered that kind of functionality and software.
What other advice do I have?
The best advice is to make sure that you understand your use cases. For example, we said we want it to trap a high number of downloads, we want to see if people downloaded and then emailed out any of the objects. We came up with the use cases of what we wanted to check for even before we started our implementation. Then the Securonix people were able to better set up the individual threats that we were watching for.
The other thing that we do is we categorize our data. We say a given type of intellectual property is high, medium, or low. That way we know what we really want to protect. Somebody taking a nut or a bolt isn't the same thing as somebody taking a turbocharged engine and trying to sell it to somebody.
It took us a while to actually come up with a standard for categorizing and then to actually categorize, because there were millions and millions of objects or drawings that we needed to classify. That was a project in and of itself. We did that before we did any kind of analytics with Securonix. The first thing we did was classify our data.
When I took this role, they said, "Hey, we want you to protect our high IP." So I smiled and said, "So how can I tell what the high IP is?" And they said, "Oh, well it's in this folder." I said, "What happens when it's out of the folder? How do I know?" I wanted it so that the data could always tell me its IP level, regardless of what folder it was in or even if it was out on someone's desktop. That's why, to me, that's the first thing that you need to do. Because otherwise, it's just hearsay in terms of what's important to protect. If it's important to protect, label it and then we'll understand.
We look for ways for us, and for the system, to improve identifying things. For the majority, we've been happy with what's there. With typical software you run into software issues that might slow you down and you have to get them fixed. They've been very good about resolving issues when we find them, especially because we find stuff that is pretty unique because of what we're doing with application monitoring. It's so specific and it's really customized for how we've set this up.
There are just a handful of users of the solution. I'm the main one who works with the consultants. Otherwise, it's a group of just under ten people who are even able to get into Securonix and look at the information. Like me, most are in IT. There's one person in insider-threat security who helps with coordinating investigations. There's also someone on the business side, even though he is, in a way, more IT-related. He works for the engineering standards group on the business side.
In terms of deployment and maintenance of the product, we certainly rely on the Securonix folks. There was one main person we used for the deployment of Securonix. Sometimes that person had a second, and I was involved as well. Only three people, from our side, were involved in the actual deployment, although I needed people to write the query to ingest the data. But once that was done, I didn't need those people anymore.
Maintenance is done by me and the Securonix consultant. Since it's a SaaS environment, I have no idea how many people they have on their side, making sure that the system's working fine.
For what we're doing and what it can do, on a scale of one to ten, I would put it in the nine to ten range. The only reason I wouldn't say ten is that means it's always perfect. There are always issues. But I'd say it's at least a nine.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
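The review above describes two detection ideas without showing them: a per-user behavioral profile of object downloads, and a peer-group comparison that keeps engineers who legitimately pull 10,000-object assemblies from flooding the analyst with alerts. The block below is an added example of that logic, written for this page; it is not Securonix code and does not reflect how the product scores events internally. The event records, user names, peer groups and download counts are constructed sample data, and the robust z-score thresholds (`k_user`, `k_peer`) are assumptions chosen for illustration.

```python
"""Added example: per-user download baseline plus a peer-group check.

Hypothetical illustration of the 'behavioral profile' and 'peer group' ideas
from the review; not the product's own scoring logic.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class Event(NamedTuple):
    day: int          # observation window index (1 = oldest)
    user: str
    peer_group: str   # e.g. the user's engineering role
    objects: int      # objects downloaded during that window


# Constructed sample data (not real logs). Days 1-5 form the baseline,
# day 6 is the window being scored.
EVENTS: List[Event] = [
    # alice: engineer who routinely downloads whole product assemblies
    *[Event(d, "alice", "engineer", n)
      for d, n in zip(range(1, 6), [9000, 11000, 8500, 12000, 10000])],
    Event(6, "alice", "engineer", 13000),
    # bob: engineer with a small usual footprint who suddenly bulk-downloads
    *[Event(d, "bob", "engineer", n)
      for d, n in zip(range(1, 6), [40, 55, 30, 60, 45])],
    Event(6, "bob", "engineer", 9000),
    # carol: finance user who never touches engineering data in volume
    *[Event(d, "carol", "finance", n)
      for d, n in zip(range(1, 6), [2, 0, 1, 3, 1])],
    Event(6, "carol", "finance", 400),
]


def mad(values: List[int]) -> Tuple[float, float]:
    """Return (median absolute deviation, median) of the sample."""
    m = median(values)
    return median(abs(v - m) for v in values), m


def robust_z(x: float, values: List[int], floor: float = 1.0) -> float:
    """Median/MAD z-score; the floor avoids division by zero on flat baselines."""
    dev, m = mad(values)
    scale = max(dev * 1.4826, floor)   # 1.4826 scales MAD to a std-dev estimate
    return (x - m) / scale


def score_day(events: List[Event], day: int,
              k_user: float = 3.0, k_peer: float = 3.0) -> Dict[str, str]:
    """Classify each user's count on `day` against their own history and peers.

    normal : within the user's own baseline
    review : far outside the user's baseline, but ordinary for the peer group
             (the engineer-pulling-an-assembly case the review describes)
    alert  : far outside both the user's baseline and the peer group's
    """
    history: Dict[str, List[int]] = defaultdict(list)
    peer_history: Dict[str, List[int]] = defaultdict(list)
    today: Dict[str, Event] = {}
    for e in events:
        if e.day < day:
            history[e.user].append(e.objects)
            peer_history[e.peer_group].append(e.objects)
        elif e.day == day:
            today[e.user] = e

    verdicts: Dict[str, str] = {}
    for user, e in today.items():
        # A user with no history is treated as maximally unusual for themselves,
        # so the peer group alone decides.
        z_user = robust_z(e.objects, history[user]) if history[user] else float("inf")
        z_peer = robust_z(e.objects, peer_history[e.peer_group])
        if z_user <= k_user:
            verdicts[user] = "normal"
        elif z_peer <= k_peer:
            verdicts[user] = "review"
        else:
            verdicts[user] = "alert"
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(score_day(EVENTS, 6).items()):
        print(f"{user}: {verdict}")
```

On the constructed data, alice's 13,000 objects are inside her own baseline and score "normal"; bob's 9,000 is hundreds of MADs above his own history but unremarkable among engineers, so it lands in "review" rather than "alert"; carol's 400 is anomalous for her and for finance and scores "alert". The median/MAD baseline is deliberately robust to a single outlier day, so one large legitimate download does not inflate the baseline and mask the next one. The peer-group step is what the review calls making "a different peer group to analyze data against": a bimodal group (some engineers pull assemblies, some do not) weakens it, so in practice peer groups should be cut by role, not just department.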
Updated: May 2025