Andres Fuentes - PeerSpot reviewer
SOC Analyst at ComWare S.A
Real User
Top 20
Integration with third-party sources enables us to correlate and act on internal and external events
Pros and Cons
  • "One of the most valuable features is the integration of all types of data sources to extract relevant information regarding events. It is a good solution when it comes to the correlations that it makes within all the data handled in our company."
  • "We would like a little more face-to-face training. Securonix has several tutorials on its website, but we want there to be a person in Colombia who does training or workshops to give us a better understanding of the platform."

What is our primary use case?

We use it for the correlation of security events.

How has it helped my organization?

Securonix provides feedback from integrations with third parties so that it is always up to date regarding security events that occur daily.

It has helped a lot because previously we did not have as much control over the procedures or things that the company's users did. With Securonix, we have been able to monitor the activities of both internal and external users in the company.

Securonix has published a lot of information regarding how to use the platform. They have a lot of information online that has helped us add contextual information to security events. In the event of a security breach or a risk, it helps us monitor things. So far, with the solution in place, we have not witnessed any attacks, but it has helped us to monitor possible events that, if not taken into account, could be security breaches. It has helped us to mitigate potential gaps.

With this solution, we have saved hours in case management. It has helped us detect things faster and the integration with third-party sources has given us the ability to correlate and act on internal and external events, such as malicious attacks or malicious sites. We have improved in our response to certain incidents and types of browsing thanks to external lists that Securonix has provided us with. We can automatically detect threats.

Another benefit has been the ability to integrate practically all our specialists from different areas, including Windows, security, virtualization, et cetera, to respond with better quality. It has improved the efficiency of analysis.

It has also helped with data loss events in a certain way, through integration with our email accounts. In an event of data loss, the loss for our organization would be incalculable.

What is most valuable?

One of the most valuable features is the integration of all types of data sources to extract relevant information regarding events. It is a good solution when it comes to the correlations that it makes within all the data handled in our company. It has provided us with a lot of information and research.

What needs improvement?

We would like a little more face-to-face training. Securonix has several tutorials on its website, but we want there to be a person in Colombia who does training or workshops to give us a better understanding of the platform.

Buyer's Guide
Securonix Next-Gen SIEM
February 2024
Learn what your peers think about Securonix Next-Gen SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: February 2024.
756,650 professionals have used our research since 2012.

For how long have I used the solution?

We have been using Securonix Next-Gen SIEM for about a year.

What do I think about the stability of the solution?

It has not presented us with problems. Most of our support cases are related to the generation of policies, but the platform has not been an issue for us.

What do I think about the scalability of the solution?

Securonix carried out an analysis of our entire infrastructure. It provides us with the level of processing required and, if you are planning to take on new clients, you can always increase the EPS.

How are customer service and support?

I would rate their support at 8.5 to nine out of 10. Sometimes it has taken a little while because the investigation team has already begun to analyze other cases, but they always resolve our issues. While they are a little slow in certain cases, most of the time they solve them quickly and efficiently.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used McAfee before. The person who was in charge left the company just when Securonix came in and that is when I started working here.

One of the main differences is having service through the cloud. Before Securonix, we had the service locally. Now, the service is processed in the cloud and when a case is generated on the platform, they have always been willing to help us.

How was the initial setup?

Securonix is in the cloud. We have a virtual machine that stores certain platform configuration information, and since it is in the cloud, we can manage the platform from anywhere. The cloud-native platform helps minimize infrastructure management. Having everything integrated into one place makes things much easier for us.

I was only involved a little in the implementation of Securonix, but from what I heard, their team was helping our entire company, day and night, to get the implementation out as soon as possible. There may have been some problems in integration, but support cases were created and their team was always there with updates and new ways to connect our sources with their platform. Overall, it was not that complicated.

On our side, we had specialists involved from each department that wanted to be integrated with the platform, such as Windows, networking, security, et cetera. The Securonix staff was always present.

Securonix has provided us with a consultant here in Colombia. We are in contact regarding configuration of the platform to rule out possible false positives and help us focus on events that we must take into account.

It took us four months to incorporate all the sources.

There are no maintenance requirements on our part. They are constantly notifying us of updates and, before making changes, they let us know if there are going to be any interruptions in the service. 

What was our ROI?

Our company is already trying to sell Securonix services, although it is a fairly new solution in the company. First, it is being handled internally, but they are already beginning the process of selling the service. That is the best return on investment.

What's my experience with pricing, setup cost, and licensing?

Compared to other brands it seems more affordable to us.

There are no costs in addition to the standard licensing fees.

Which other solutions did I evaluate?

The Securonix interface is very intuitive. McAfee had some good features and we have only been with Securonix for a short time, but it has not presented us with any problems. It seems to us much better compared to McAfee, in terms of event correlation and case tracking.

What other advice do I have?

Securonix seems to be a good solution that has met all our requirements. 

If you want to have a more centralized solution to improve the performance of case and incident analysis and management, Securonix seems like a very good option.

The most important lesson is that you can always improve. There are features that may be unknown to you in the service but, through the documentation, you can realize all the benefits of things that might not be used initially.

Foreign Language:(Spanish)

¿Cuál es nuestro caso de uso principal?

Lo usamos para la correlación de eventos de seguridad.

¿Cómo ha ayudado a mi organización?

Securonix brinda retroalimentación de integraciones con terceros para que siempre esté actualizado sobre los eventos de seguridad que ocurren a diario.

Ha ayudado mucho porque antes no teníamos tanto control sobre los trámites o cosas que hacían los usuarios de la empresa. Con Securonix, hemos podido monitorear las actividades de los usuarios tanto internos como externos en la empresa.

Securonix ha publicado mucha información sobre cómo usar la plataforma. Tienen mucha información en línea que nos ha ayudado a agregar información contextual a los eventos de seguridad. En caso de una brecha de seguridad o un riesgo, nos ayuda a monitorear las cosas. Hasta el momento, con la solución implementada, no hemos sido testigos de ningún ataque, pero nos ha ayudado a monitorear posibles eventos que, si no se tienen en cuenta, podrían ser brechas de seguridad. Nos ha ayudado a mitigar posibles brechas.

Con esta solución hemos ahorrado horas en la gestión de casos. Nos ha ayudado a detectar cosas más rápido y la integración con fuentes de terceros nos ha dado la capacidad de correlacionar y actuar sobre eventos internos y externos, como ataques maliciosos o sitios maliciosos. Hemos mejorado en nuestra respuesta a determinadas incidencias y tipos de navegación gracias a listados externos que nos ha facilitado Securonix. Podemos detectar amenazas automáticamente.
Otro beneficio ha sido la capacidad de integrar prácticamente a todos nuestros especialistas de diferentes áreas, incluyendo Windows, seguridad, virtualización, etcétera, para responder con mejor calidad. Ha mejorado la eficiencia del análisis.

También ha ayudado con eventos de pérdida de datos de cierta manera, a través de la integración con nuestras cuentas de correo electrónico. En caso de pérdida de datos, la pérdida para nuestra organización sería incalculable.

¿Qué es lo más valioso?

Una de las características más valiosas es la integración de todo tipo de fuentes de datos para extraer información relevante sobre eventos. Es una buena solución en cuanto a las correlaciones que realiza dentro de todos los datos que se manejan en nuestra empresa. Nos ha proporcionado mucha información e investigación.

¿Qué necesita mejorar?

Nos gustaría un poco más de formación presencial. Securonix tiene varios tutoriales en su sitio web, pero queremos que haya una persona en Colombia que haga capacitaciones o talleres para que entendamos mejor la plataforma.

¿Por cuánto tiempo he usado la solución?

Hemos estado usando Securonix Next-Gen SIEM durante aproximadamente un año.

¿Qué pienso sobre la estabilidad de la solución?

No nos ha presentado problemas. La mayoría de nuestros casos de soporte están relacionados con la generación de pólizas, pero la plataforma no ha sido un problema para nosotros.

¿Qué opino de la escalabilidad de la solución?

Securonix realizó un análisis de toda nuestra infraestructura. Nos proporciona el nivel de procesamiento requerido y, si está planeando captar nuevos clientes, siempre puede aumentar el EPS.

¿Cómo son el servicio de atención al cliente y el soporte?

Calificaría su apoyo con un 8,5 a nueve del 1 al 10. A veces ha tardado un poco porque el equipo de investigación ya ha comenzado a analizar otros casos, pero siempre resuelven nuestros problemas. Si bien son un poco lentos en ciertos casos, la mayoría de las veces los resuelven de manera rápida y eficiente.

¿Cómo calificaría el servicio y soporte al cliente?

Positivo.

¿Qué solución usé anteriormente y por qué cambié?

Usábamos McAfee antes. La persona que estaba a cargo dejó la empresa justo cuando entró Securonix y ahí fue cuando empecé a trabajar aquí.

Una de las principales diferencias es tener servicio a través de la nube. Antes de Securonix, teníamos el servicio localmente. Ahora el servicio se tramita en la nube y cuando se genera un caso en la plataforma siempre han estado dispuestos a ayudarnos.

¿Cómo fue la configuración inicial?

Securonix está en la nube. Tenemos una máquina virtual que almacena cierta información de configuración de la plataforma, y como está en la nube, podemos administrar la plataforma desde cualquier lugar. La plataforma nativa de la nube ayuda a minimizar la gestión de la infraestructura. Tener todo integrado en un solo lugar nos facilita mucho las cosas.

Solo participé un poco en la implementación de Securonix, pero por lo que escuché, su equipo estaba ayudando a toda nuestra empresa, día y noche, a implementar la implementación lo antes posible. Es posible que haya habido algunos problemas en la integración, pero se crearon casos de soporte y su equipo siempre estuvo ahí con actualizaciones y nuevas formas de conectar nuestras fuentes con su plataforma. En general, no fue tan complicado.

De nuestro lado, teníamos especialistas involucrados de cada departamento que quería integrarse con la plataforma, como Windows, redes, seguridad, etcétera. El personal de Securonix siempre estuvo presente.

Securonix nos ha proporcionado un consultor aquí en Colombia. Estamos en contacto con respecto a la configuración de la plataforma para descartar posibles falsos positivos y ayudarnos a centrarnos en los eventos que debemos tener en cuenta.

Nos llevó cuatro meses incorporar todas las fuentes.
No hay requisitos de mantenimiento por nuestra parte. Constantemente nos avisan de las actualizaciones y, antes de hacer cambios, nos avisan si va a haber alguna interrupción en el servicio.

¿Cuál fue nuestro Retorno de Inversión?

Nuestra empresa ya está intentando vender los servicios de Securonix, aunque es una solución bastante nueva en la empresa. Primero se está manejando internamente, pero ya están iniciando el proceso de venta del servicio. Ese es el mejor retorno de la inversión.

¿Cuál es mi experiencia con los precios, el costo de configuración y las licencias?

Comparado con otras marcas nos parece más asequible.

No hay costos además de las tarifas de licencia estándar.

¿Qué otras soluciones evalué?

La interfaz de Securonix es muy intuitiva. McAfee tenía algunas buenas funciones y solo llevamos poco tiempo con Securonix, pero no nos ha presentado ningún problema. Nos parece mucho mejor en comparación con McAfee, en términos de correlación de eventos y seguimiento de casos.

¿Qué otro consejo tengo?

Securonix parece ser una buena solución que ha cumplido con todos nuestros requisitos.

Si desea tener una solución más centralizada para mejorar el rendimiento del análisis y la gestión de casos e incidentes, Securonix parece una muy buena opción.

La lección más importante es que siempre se puede mejorar. Hay características que pueden ser desconocidas para usted en el servicio pero, a través de la documentación, puede darse cuenta de todos los beneficios de las cosas que podrían no usarse inicialmente.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Sebastian Velazquez - PeerSpot reviewer
Cyber Intelligence Supervisor at a tech services company with 201-500 employees
Real User
Top 20
Enrichment helps us discover information, and platform is great for visualizing and reviewing data
Pros and Cons
  • "The most valuable feature is what Securonix calls enrichment. Securonix is very powerful because of all the data it can process and automatically enrich. The actionable intelligence it provides is one of its benefits, due to the processing capacity it has."
  • "The analytics-driven approach for finding sophisticated threats and reducing false positives is positive and good, but the platform requires a more dynamic concept. Everything is a bit static."

What is our primary use case?

We provide cyber SOC services by using it as an event correlator.

How has it helped my organization?

At the level of user visibility, it enriches a lot of data that the user might not otherwise know about and allows you to enrich other platforms with that data.

The contextual information added by Securonix has helped reduce investigation time by minutes because we no longer consult multiple sources and everything is centralized in one place.

It has helped improve our threat detection response and reduced noise from false positives, although it depends a lot on which network is being configured. The native ones trigger a lot, so we have introduced additional context in them.
But we have saved time in threat detection and noise reduction. It allows us to automate more use cases. I'm not sure if it has improved our level of threat investigation.

The solution has also helped detect advanced threats faster through the threat modeling. Several use cases are incorporated and it warns you about any behavior and more advanced threats. You don't need to review each threat but it informs you of the behaviors that you must take into account and it is easier to deduce them.

The dashboards that Securonix uses have helped us to do more in less time because if you need to see an anomaly or a specific event, the dashboard provides you with a summary of the data about that event.

Another benefit is that the platform has helped minimize infrastructure management. We invest less time in giving support and troubleshooting. 

What is most valuable?

The most valuable feature is what Securonix calls enrichment. Securonix is very powerful because of all the data it can process and automatically enrich. The actionable intelligence it provides is one of its benefits, due to the processing capacity it has. Something to keep in mind is that Securonix needs a lot of initial work to be able to properly enrich itself, but once installed it is very powerful.

It's very good in helping to ingest all our log sources when investigating threats. That is back to the enrichment theme. It's very powerful. When you ingest data to Securonix, what it does is feed back to other sources like your firewall, and antivirus proxy, and vice versa. And the use cases filter data.

The UEBA capabilities are also very valuable.

What needs improvement?

The analytics-driven approach for finding sophisticated threats and reducing false positives is positive and good, but the platform requires a more dynamic concept. Everything is a bit static.

Also, the Autonomous Threat Sweeper is very enriching but, that being said, the threat detection report lacks a little context. The feature to sweep autonomously is good. The way they could improve the ATS would be to use more awareness and communication with the user. They don't give us much detail in the threat detection report. It would be very helpful if they explained the impact to us.

For how long have I used the solution?

We have been using Securonix Next-Gen SIEM for about four months. We are service providers, not the final customers. At the moment, we only have the implementation in one location.

What do I think about the stability of the solution?

So far, we haven't had any problems. It's very stable.

What do I think about the scalability of the solution?

At the moment, we don't have enough records to scale, but based on the infrastructure and from what I have seen, Securonix is very practical and it is possible to increase its capacity.

How are customer service and support?

Support is an area for improvement because it takes a little time for them to attend to tickets. And regarding more complex configurations, for example, when you want to generate a change in the platform, you have to submit a ticket and you cannot modify templates or create things. That can only be done by administrators since it is a SaaS service.

In general, the tech support seems good. They solve the problems that occur, but their response times are not very good.

How would you rate customer service and support?

Neutral

How was the initial setup?

First, we saw how many events we had in the past SIEM. Under that same report, the infrastructure was made in Securonix, the RING was built, the platforms were connected, and then we let Securonix enrich in the system while the platform was configured. After that, the monitoring started.

There were particularities. The implementation of the infrastructure was simple, but the integration was complex due to integration issues in one of the solutions.

It took approximately three weeks until we implemented everything. In terms of staff from our side, there were two technicians, one who was in charge of integrations and another in charge of configurations in the SIEM. My responsibility was more on the strategic approach. Additionally, two integration managers from the Securonix team were involved.

Securonix notifies us when it needs to do maintenance. We only have to take care of the RING since it is local and not part of the SaaS infrastructure.

What's my experience with pricing, setup cost, and licensing?

The pricing is good, but by adding more things, the licensing becomes more complex because an EPS license fluctuates a lot. This licensing concept is going to be problematic in the long run.

Which other solutions did I evaluate?

Securonix is very easy and very intuitive compared to the other platforms. At the access level, it is much more practical. However, there are other platforms with better research levels and data ingestion than Securonix.

We evaluated Splunk, which is very similar to Securonix. We went with Securonix because we wanted to understand more about UEBA and enrichment, and for financial reasons.

In terms of threat investigations and onboarding, versus previous solutions that we have used, having access to UEBA allows you to analyze threats based more on behavior. But if you were to manually model, in other SIEMs, all the use cases that Securonix has, they would be very similar. Something that Securonix has in its favor is the enrichment prior to those threat detections. It took us about three to four weeks to get all the sources into the Securonix platform.

What other advice do I have?

When it comes to adding contextual information to security events, I would give it an eight or a nine out of 10. It enriches things a lot. But the concept by which Securonix works, which is to enrich by source and by modules, makes it very cumbersome to configure. If you set it all up, you can overload the SIEM. They tell you it's possible to set everything to the maximum capacity but this approach is not recommended.

Overall, it is a powerful platform. The cons are minimal and only require small attention and tedious initial work. Once Securonix is operative, it is very powerful.

It is a very good platform for discovering unknown information and is great at helping to visualize and review data. Thus, it indirectly supports data correlation. Thanks to Securonix, I learned that there are always things to discover. That's not only in the materialization of threats, but also in terms of discovery of permissions, users, and information about entities belonging to the company. And the enrichment gives you visibility that you didn't know about.

Foreign Language:(Spanish)

¿Cuál es nuestro caso de uso principal?

Brindamos servicios de SOC cibernético usando a SECURONIX como un correlacionador de eventos.

¿Cómo ha ayudado a mi organización?

A nivel de visibilidad del usuario, enriquece una gran cantidad de datos que el usuario podría no conocer de otra manera y le permite enriquecer otras plataformas con esos datos.

La información contextual agregada por Securonix ha ayudado a reducir el tiempo de investigación en minutos porque ya no consultamos múltiples fuentes y todo está centralizado en un solo lugar.

Ha ayudado a mejorar nuestra respuesta de detección de amenazas y ha reducido el ruido de los falsos positivos, aunque depende mucho de la red que se esté configurando. Los nativos se activan mucho, por lo que hemos introducido contexto adicional en ellos.

Pero hemos ahorrado tiempo en la detección de amenazas y reducción de ruido. Nos permite automatizar más casos de uso. No estoy seguro si ha mejorado nuestro nivel de investigación de amenazas.

La solución también ayudó a detectar amenazas avanzadas más rápido a través del modelado de amenazas. Se incorporan varios casos de uso y te advierte sobre cualquier comportamiento y amenazas más avanzadas. No necesitas revisar cada amenaza sino que te informa de los comportamientos que debes tener en cuenta y es más fácil deducirlos.

Los tableros que usa Securonix nos han ayudado a hacer más en menos tiempo porque si necesita ver una anomalía o un evento específico, el tablero le brinda un resumen de los datos sobre ese evento.

Otro beneficio es que la plataforma ha ayudado a minimizar la gestión de la infraestructura. Invertimos menos tiempo en dar soporte y solucionar problemas.

¿Qué es lo más valioso?

La característica más valiosa es lo que en Securonix llaman enriquecimiento. Securonix es muy poderoso debido a todos los datos que puede procesar y enriquecer automáticamente. La inteligencia accionable que proporciona es uno de sus beneficios debido a la capacidad de procesamiento que posee. Algo a tener en cuenta es que Securonix necesita mucho trabajo inicial para poder enriquecerse adecuadamente, pero una vez instalado es muy potente.

Es muy bueno para ayudar a ingerir todas nuestras fuentes de registro al investigar amenazas. Volviendo al tema del enriquecimiento. Es muy poderoso. Cuando ingiere datos a Securonix, lo que hace es retroalimentar a otras fuentes como su firewall y proxy antivirus, y viceversa. Y los casos de uso filtran datos.

Las capacidades de UEBA también son muy valiosas.

¿Qué necesita mejorar?

El enfoque basado en análisis para encontrar amenazas sofisticadas y reducir los falsos positivos es positivo y bueno, pero la plataforma requiere un concepto más dinámico. Todo es un poco estático.

Además, el barrido autónomo de amenazas es muy enriquecedor pero, dicho esto, el informe de detección de amenazas carece de un poco de contexto. La característica de barrer de forma autónoma es buena. La forma en que podrían mejorar el ATS sería usar más conciencia y comunicación con el usuario. No nos dan muchos detalles en el informe de detección de amenazas. Sería muy útil que nos explicaran el impacto.

¿Por cuánto tiempo he usado la solución?

Hemos estado usando Securonix Next-Gen SIEM durante cuatro meses aproximadamente. Somos proveedores de servicios, no clientes finales. Por el momento, solo tenemos la implementación en una ubicación.

¿Qué pienso sobre la estabilidad de la solución

Hasta ahora, no hemos tenido ningún problema. Es muy estable.

¿Qué opino de la escalabilidad de la solución?

Por el momento, no tenemos suficientes registros para escalar, pero en base a la infraestructura y por lo que he visto, Securonix es muy práctico y es posible aumentar su capacidad.

¿Cómo son el servicio de atención al cliente y el soporte?

El soporte es un área a mejorar porque les toma un poco de tiempo atender los tickets. Y en cuanto a configuraciones más complejas, por ejemplo, cuando quieres generar un cambio en la plataforma, tienes que enviar un ticket y no puedes modificar plantillas ni crear cosas. Eso solo lo pueden hacer los administradores ya que es un servicio SaaS.

En general, el soporte técnico me parece bueno. Solucionan los problemas que se presentan, pero sus tiempos de respuesta no son muy buenos.

¿Cómo calificaría el servicio y soporte al cliente?

Neutral

¿Cómo fue la configuración inicial?

Primero, vimos cuántos eventos tuvimos en el pasado SIEM. Bajo ese mismo informe, se hizo la infraestructura en Securonix, se construyó el RING, se conectaron las plataformas y luego dejamos que Securonix enriqueciera en el sistema mientras se configuraba la plataforma. Después de eso, comenzó el monitoreo.

Había particularidades. La implementación de la infraestructura fue simple, pero la integración fue compleja debido a problemas de integración en una de las soluciones.

Pasaron aproximadamente tres semanas hasta que implementamos todo. En cuanto al personal de nuestra parte, había dos técnicos, uno que estaba a cargo de las integraciones y otro a cargo de las configuraciones en el SIEM. Mi responsabilidad estaba más en el enfoque estratégico. Además, participaron dos gerentes de integración del equipo de Securonix.

Securonix nos avisa cuando necesita hacer mantenimiento. Solo tenemos que cuidar el RING ya que es local y no parte de la infraestructura SaaS.

¿Cuál es mi experiencia con los precios, el costo de configuración y las licencias?

El precio es bueno, pero al agregar más cosas, la licencia se vuelve más compleja porque una licencia EPS fluctúa mucho. Este concepto de licencia va a ser problemático a largo plazo.

¿Qué otras soluciones evalué?

Securonix es muy fácil y muy intuitivo en comparación con las otras plataformas. A nivel de acceso, es mucho más práctico. Sin embargo, existen otras plataformas con mejores niveles de investigación e ingesta de datos que Securonix.

Evaluamos Splunk, que es muy similar a Securonix. Elegimos Securonix porque queríamos saber más sobre UEBA y el enriquecimiento, y por razones financieras.

En términos de investigaciones e incorporación de amenazas, en comparación con las soluciones anteriores que hemos utilizado, tener acceso a UEBA te permite analizar las amenazas en función del comportamiento. Pero si tuvieras que modelar manualmente, en otros SIEMs, todos los casos de uso que tiene Securonix, serían muy similares. Algo que tiene Securonix a su favor es el enriquecimiento previo a esas detecciones de amenazas. Nos llevó entre tres y cuatro semanas incorporar todas las fuentes a la plataforma Securonix.

¿Qué otro consejo tengo?

A la hora de añadir información contextual a los eventos de seguridad le daría un ocho o un nueve sobre 10. Enriquece mucho las cosas. Pero el concepto por el que trabaja Securonix, que es enriquecer por fuente y por módulos, lo hace muy engorroso de configurar. Si lo configura todo, puede sobrecargar el SIEM. Te dicen que es posible configurar todo a la capacidad máxima, pero no se recomienda este enfoque.

En general, es una plataforma poderosa. Las desventajas son mínimas y sólo requieren poca atención y un tedioso trabajo inicial. Una vez que Securonix está operativo, es muy poderoso.

Es una muy buena plataforma para descubrir información desconocida y es excelente para ayudar a visualizar y revisar datos. Por lo tanto, admite indirectamente la correlación de datos. Gracias a Securonix, aprendí que siempre hay cosas por descubrir. Eso no es solo en la materialización de amenazas, sino también en términos de descubrimiento de permisos, usuarios e información sobre entidades pertenecientes a la empresa. Y el enriquecimiento te da una visibilidad que no conocías antes.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Securonix Next-Gen SIEM
February 2024
Learn what your peers think about Securonix Next-Gen SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: February 2024.
756,650 professionals have used our research since 2012.
Security Developer at a tech consulting company with 201-500 employees
Real User
Enrichment of event data via connectors to Third Party Intelligence had made investigations more efficient
Pros and Cons
  • "The UEBA functionality indicates a lot about behaviors that are not found through a traditional SIEM. We have exploited that more than anything since we started using it."
  • "It seems to me that within Securonix there is no option for completely visualizing the types of sources or if there is any loss of logs. I've heard that they have an additional module to validate those types of cases, but in terms of the platform itself only, I can only see how often it sends data but not any specific detail."

How has it helped my organization?

Securonix provides us with a fine-tuned environment. It helps eliminate false positives with certain parameters.

It is a SIEM that works automatically when it comes to behavior and the analysis of certain parameters that we did not have visibility into before. It is very productive for our business. So far, from what we have seen, Securonix is very useful.

Securonix provides "enrichment" of event information thanks to connectors with Third Party Intelligence and that has helped to make us more efficient in our investigations. Threat hunting that used to take two to three hours can now be done in less than one hour because we have certain graphs configured within the platform that allow us to search for more detailed events in a shorter amount of time. The training we have received has been absorbed quickly by our analysts and we have managed to do more in less time.

Another benefit is that, as a SaaS environment, it allows us to free ourselves from support issues. We escalate everything directly with Securonix.

What is most valuable?

Among the most valuable features are its

  • reporting capacity
  • graphics 
  • UEBA analytics.

The UEBA functionality indicates a lot about behaviors that are not found through a traditional SIEM. We have exploited that more than anything since we started using it.

The autonomous threat sweeper also seems very good to me. It is a very striking and productive tool for our business. It's highly important to implement ATS because it allows us to scan for specific events that may happen.

Also, the ease of searching that the Spotter tool offers us is a welcome feature and the data insights have been very useful for our research work.

What needs improvement?

It seems to me that within Securonix there is no option for completely visualizing the types of sources or if there is any loss of logs. I've heard that they have an additional module to validate those types of cases, but in terms of the platform itself only, I can only see how often it sends data but not any specific detail.

For how long have I used the solution?

I have been using Securonix Next-Gen SIEM for six months.

What do I think about the stability of the solution?

We have not had any major problems with the platform since we started working with it. There has only been one problem that had to do with something that did not load on the platform, but that was it.

We have had no problems ingesting all our log sources.

What do I think about the scalability of the solution?

Being a cloud environment, it gives us unlimited scalability. When we have integrated larger sources we have not experienced any problems.

How are customer service and support?

We have had some slightly delayed response times from technical support, but it is nothing out of the ordinary.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We use platforms such as RSA enVision, QRadar, and McAfee. We have not eliminated these platforms but we are more inclined toward Securonix because it provides us with UEBA analytics, which is something that we have not been able to exploit as much on other platforms. The solution's UEBA data analysis is what caught our attention.

How was the initial setup?

I was involved in a certain part of the implementation that focused on the RING installation. The implementation was simple. They shared an interactive manual with us and there were no problems. Onboarding the sources was not such a complicated process. We needed three to five employees for the implementation.

They also provided guided training in which a representative from Securonix helped us with the queries we had.

Maintenance is mostly managed by Securonix. We are hardly involved in it.

What was our ROI?

More than anything, we have seen ROI thanks to the metrics we get from Securonix.

Which other solutions did I evaluate?

Securonix is very user-friendly and intuitive. In terms of nomenclature, it is very easy to understand where the information you want is located. Compared to other platforms, there are several UI qualities in favor of Securonix. It puts everything at your fingertips and the options tab is very accessible.

In terms of reducing false positives, we have not seen much difference between Securonix and other platforms at the moment.

What other advice do I have?

Information about Securonix is all available within the online documentation and it enables you to get to know the platform independently. It is very beneficial if you're looking for a high-quality SIEM.

The most important thing I have learned by using Securonix is the exploitation of UEBA analytics. I had not seen that in another SIEM and it has been a definite benefit for me.

Foreign Language:(Spanish)

¿Cómo ha ayudado a mi organización?

Securonix nos proporciona un entorno optimizado. Ayuda a eliminar falsos positivos con ciertos parámetros.

Es un SIEM que funciona de forma automática en respecto a comportamientos y análisis de ciertos parámetros que no eran visibles antes. Es muy productivo para nuestro negocio. Hasta ahora, por lo que hemos visto, Securonix es muy útil.

Securonix proporciona un "enriquecimiento" de la información de eventos gracias a conexiones con Third Party Intelligence, esto nos ha ayudado a ser más eficientes en nuestras investigaciones. La búsqueda de amenazas que antes tomaba de dos a tres horas ahora se puede hacer en menos de una hora porque tenemos ciertos gráficos configurados dentro de la plataforma que nos permiten buscar eventos más detallados en menos tiempo. La formación que hemos recibido ha sido absorbida rápidamente por nuestros analistas y hemos conseguido hacer más en menos tiempo.

Otro beneficio que tiene es que, como se trata de un entorno SaaS, nos permite liberarnos de los problemas de soporte. Escalamos todo directamente con Securonix.

¿Qué es lo más valioso?

Entre las características más valiosas se encuentran..

  • capacidad de reporte
  • gráficos
  • analíticas UEBA.

La funcionalidad de UEBA indica mucho sobre comportamientos que no se encuentran a través de un SIEM tradicional. Eso lo hemos explotado más que nada desde que empezamos a usarlo.

El barredor de amenazas autónomo también me parece muy bueno. Es una herramienta muy llamativa y productiva para nuestro negocio. Es muy importante implementar ATS porque nos permite buscar eventos específicos que puedan ocurrir.

Además, la facilidad de búsqueda que nos ofrece la herramienta Spotter es una característica beneficiosa y la información de los datos ha sido muy útil para nuestro trabajo de investigación.

¿Qué necesita mejorar?

Me parece que dentro de Securonix no hay opción de visualizar completamente los tipos de fuentes ni tampoco si hay alguna pérdida de logs. Escuché que tienen un módulo adicional para validar ese tipo de casos, pero en términos de la plataforma en sí, solo puedo ver la frecuencia con la que envía datos, pero ningún detalle específico

¿Por cuánto tiempo he usado la solución?

He estado usando Securonix Next-Gen SIEM durante seis meses.

¿Qué pienso sobre la estabilidad de la solución?

No hemos tenido mayores problemas con la plataforma desde que empezamos a trabajar con ella. Solo ha habido un problema que tenía que ver con algo que no cargaba en la plataforma, pero eso fue todo.

No hemos tenido problemas para ingerir todas nuestras fuentes de registro.

¿Qué opino de la escalabilidad de la solución?

Al ser un entorno en la nube, nos brinda una escalabilidad ilimitada. Cuando hemos integrado fuentes más grandes no hemos experimentado ningún problema.

¿Y el servicio de atención al cliente y el soporte?

Hemos tenido algunos tiempos de respuesta ligeramente retrasados por parte del soporte técnico, pero no es nada fuera de lo común.

¿Cómo calificaría el servicio y soporte al cliente?

Positivo

¿Qué solución usé anteriormente y por qué cambié?

Utilizamos plataformas como RSA enVision, QRadar y McAfee. No hemos eliminado estas plataformas, pero nos inclinamos más por Securonix porque nos brinda análisis UEBA, que es algo que no hemos podido explotar tanto en otras plataformas. El análisis de datos UEBA de la solución es lo que llamó nuestra atención.

¿Cómo fue la configuración inicial?

Estuve involucrado en cierta parte de la implementación que se centró en la instalación de RING. La implementación fue sencilla. Compartieron un manual interactivo con nosotros y no hubo problemas. Incorporar las fuentes no fue un proceso tan complicado. Necesitábamos de tres a cinco empleados para la implementación.

También brindaron capacitación guiada en la que un representante de Securonix nos ayudó con las consultas que teníamos.

El mantenimiento es administrado principalmente por Securonix. Apenas estamos involucrados en eso.

¿Cuál fue nuestro Retorno de Inversión?

Más que nada, hemos visto el Retorno de Inversión gracias a las métricas que obtenemos de Securonix.

¿Qué otras soluciones evalué?

Securonix es muy fácil de usar e intuitivo. En cuanto a la nomenclatura, es muy fácil entender dónde se encuentra la información que buscas. En comparación con otras plataformas, hay varias cualidades de interfaz de usuario a favor de Securonix. Pone todo al alcance de tu mano y la pestaña de opciones es muy accesible.

En términos de reducción de falsos positivos, no hemos visto mucha diferencia entre Securonix y otras plataformas por el momento.

¿Qué otro consejo tengo?

Toda la información sobre Securonix está disponible en la documentación en línea y te permite conocer la plataforma de forma independiente. Es muy beneficioso si estás buscando un SIEM de alta calidad.

Lo más importante que he aprendido usando Securonix es la explotación de análisis UEBA. Eso no lo había visto en otro SIEM y definitivamente ha sido un beneficio para mí.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Lead Security Engineer at a tech services company with 1-10 employees
Reseller
The solution has helped by reducing the number of false positives in half

What is our primary use case?

We are using it for Azure logins outside of US and Azure brute force use cases. We have use cases for our firewalls, like Palo Alto. These are use cases that we created ourselves. These are not the use cases out-of-the-box that Securonix provided us.

How has it helped my organization?

Without this product, my organization would not be able to function at all. It is our main monitoring product for our clients. We monitor everything through it. Securonix Security Analytics is the main process of providing services to our client because we are a 24/7/365 security operations center. So, Securonix is helping me out on daily basis all the time, every minute.

Security Analytics helps provide actionable intelligence on threats related to our use cases, which is very important. They are improving it almost on a daily basis. They send it to us and keep it running on the back-end for all the tenants. If anything gets raised, according to the threat intelligence that they have generated, we will get an alert. We will then start digging into those events. After that, we work with clients to respond to that incident.

The product can help increase efficiency. My analysts were working 12-hour shifts when we started. Now, they are working eight-hour shifts. However, it also depends on the person and how efficient they want to be. My analysts are monitoring, training, and doing their certifications all at the same time. This definitely divides their attention.

What is most valuable?

Features, like Spotter, are the most valuable. Spotter is a wide range of research for any of the incidents that happened under my clients' data. 

They also have a feature that separates violations according to top violators. So, I can go in and see all the use cases that got preserved under them. It is an intensive search type of thing. You can just keep digging in. There are other policies attached to it. There are some remediation steps and recommendations attached to it. 

Securonix’s analytics-driven approach for helping to find sophisticated threats and reduce false positives is pretty good. We are allowed to fine tune according to our requirements and our clients' requirements, which does reduce false positives. In the last 24 hours, the total number of policies with triggers was 233. When I started with this product, the false positives were 561. Therefore, the solution has helped by tuning or reducing false positives.

It helps us find sophisticated threats.

What needs improvement?

The monitoring, analysis, and visualization of data that Securonix provides is good. However, there are some things that I would love Securonix to change. For example, they don't allow us to make changes on the graphical reports that they have integrated into the platform. We have to create our own. If we just want to take out one thing, our page should allow us to change that template just for our platform. I'm not talking about changing others' platforms; this is just for my platform. They should allow me to make changes according to my scalability. I would like a little bit more changes in the analytics and visual views that they already have out-of-the-box in the platform. They are working on this, but I have not heard from them for a while. I'm satisfied with the visualization that they have, but I would like to get some more out of it. For example, I am taking the report and manually making changes. I want all those changes already integrated and automated, so they are automatically done in the product.

I would not say its threat hunting is easy or difficult to use. It is medium because it totally depends on the data that is coming to you. It does not depend on the platform. It depends on whether you can find the correct attribute that you need to look at, then you can go further on that. They are working on this. They are introducing more features, e.g., they have a couple of updates pending at this time. They are working on it to cut down the steps. If I am doing 28 steps right now just to onboard our data, then they are cutting those steps down. They are also putting more automation in the solution. While they are working on these improvements, it is just a matter of time. 

It ingests 85% of all our log sources already built into the product when investigating threats. If the data sources have the functionality, Securonix will create a custom parser for us on a request. If the functionality is not there in the product, then there is a difficulty, but we can still ingest it through the file base, etc. However, I am not a big fan of the file base because a user is creating a file per day for data that was generated the day before. Specifically for activity that has already taken place, we can prevent it, but we cannot stop the activity.

For how long have I used the solution?

I have been using it for a year and three months.

What do I think about the stability of the solution?

It is pretty stable. Out of 100%, I would rate the stability between 80% to 85%. 20% can be unstable for any product. There can be bugs. There can be a failure in the core or a syntax error in the core. When I notify the support of these types of issues, they quickly fix the problem for me.

We have experienced a few performance issues, about 10%, when Security Analytics is ingesting our log sources. This can happen with any product. We informed them that we are facing this issue and get pretty good support on it. 

What do I think about the scalability of the solution?

Scalability is pretty good. It does grow with our license. We work according to EPS. So, as our EPS pool grows, the solution will keep growing.

Cloud Scale is super scalable. You can scale Securonix pretty well. Even if you have too much data coming in, you can figure things out or put more resources on it. Securonix is pretty good at doing these things. For example, they have load balancers already in place, which automatically take care of these things.

There are 12 of us right now using the solution. I'm the senior engineer, and I have eight analysts who are using it. I have a senior manager who is also using it.

How are customer service and support?

Six months ago, if someone asked me about the support, I would say, "Not good." Now, the support is pretty effective. They try to resolve problems ASAP. For example, if it's a critical ticket, they get it fixed within an hour.

I would rate the support as eight out of 10.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We had a generic system previously, which has none of the things which have helped us by using Security Analytics. This solution automatically detects threats. There is a response bar that we can deploy. There is an email notification. So, if I am not available, then I will get an email that I can respond to pretty quickly. As far as threat detection, we get policy updates every three minutes. Therefore, if anything is detected, it will be right there on my screen.

I have previously trained on FortiGate and Splunk. Securonix and Splunk are not that different. Splunk has a lot of things on one screen. Whereas, Securonix tries to clean it up.

How was the initial setup?

If you follow the documentation, it is straightforward. If you don't want to read, it will be complex. I don't review documentation anymore. I did it twice when I started, then I went in, wrote a batch script, and automated the whole process. Now, I just need to make some changes before running that script.

The deployment takes 35 minutes on the client side.

What about the implementation team?

I am the only person involved in the managing and deployment of the solution.

If there is any kind of setup that needs to be done on the cloud side, Securonix does that for us. I integrate clients with my platform, but Securonix takes care of the back-end.

What was our ROI?

The Securonix cloud-native platform helps minimize infrastructure management. We don't need that much manpower. If there is infrastructure to maintain, I need an engineer to maintain infrastructure, a software engineer who will look for the application, a security unit who will look for the threats and attacks, and a response person. Now, I don't need a software engineer or infrastructure engineer. That has gone away. Currently, I need only a security engineer and response person, which one person can do. We can also hire two people to do the different jobs. That is no problem. 

We don't have to put more focus on infrastructure, which helps. There is a little bit of an infrastructure included, but that is a one-time setup thing. You don't need to go and maintain it again and again.

Securonix Security Analytics adds contextual information into security events. For example, on a generic system, if I used to put in an hour, now I'm putting in 35 to 40 minutes on this. So, it's saving me about 20 minutes of time.

What's my experience with pricing, setup cost, and licensing?

Compared to the pricing of other products, Securonix's pricing is pretty good. Clients can get half of the price of other companies by going with Securonix. Other products, like IBM and Splunk, have pretty high pricing. Nowadays, we see CrowdStrike as up and coming, and they are pretty expensive. 

Pricing does depend on what model you are looking for, e.g., are you going for an MSP or single tenant?

Which other solutions did I evaluate?

I don't find a lot of difference between solutions. Everybody tries to improve their product over time. I do free testing for multiple products, and they are basically copying each other's functions.

I like Securonix because I am familiar with it and can do threat hunting in 10 minutes instead of the 30 minutes that it might take if I used other solutions.

What other advice do I have?

According to my clients and the security world, I cannot eliminate all the false positives because you cannot let false positives go. You need to make sure that there are no attacks attached to that false positive. So, we have a team of analysts who monitor it every time. So, if a false positive policy gets an alert, then we just go ahead and make sure to analyze it. That is okay. If it is a false positive, then we mark it as one. We did eliminate a lot of false positives, but not all of them. It is our choice, not Securonix's, what we want to keep or eliminate.

I would rate Securonix as nine out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner - MSP
PeerSpot user
Leader - Investigations, Insider Threat at a tech services company with 5,001-10,000 employees
Real User
With a lot of data in one console, the time we require to investigate alerts and threats has decreased
Pros and Cons
  • "The customizability of the tool is valuable. We are able to customize the use cases and create them easily without a large amount of Securonix assistance. It's very flexible. We do not have to rely on Professional Services to modify or create a new use case."
  • "Other than issues with the training, there have been issues with the encryption. There have also been issues with some of the reporting, minor glitches that they have fixed as they've gone along."

What is our primary use case?

Data loss protection and account misuse are our primary use cases. We're utilizing it to help identify and correlate user behavior to identify potential data loss as well as to detect certain types of fraud.

How has it helped my organization?

The behavior analytics of Securonix has helped to prioritize advanced threats for us. We're still working through it, but it has helped. For example, it enables us to customize widgets, risk scores, and dashboards to identify what we want to see and gives us the ability to base the risk score on our business model and what we consider to be a high priority.

While we would have detected the threats that we do without the solution, it helps us have a central point to manage and detect those threats. It would have taken a little bit more work or additional tools to identify them after the fact. For example, it helps us in identifying and detecting fraud in the early stages.

The solution has decreased the time required to investigate alerts and threats because a lot of the data is in one console. We're not having to go to three or four different consoles. It also helps to surface high-risk events that require immediate action, such as identification of penetration testing.

What is most valuable?

The customizability of the tool is valuable. We are able to customize the use cases and create them easily without a large amount of Securonix assistance. It's very flexible. We do not have to rely on Professional Services to modify or create a new use case.

The solution's behavior analytics, in detecting cyber and insider threats, are good. The tool does what it's supposed to, as long as the data coming in is accurate.

What needs improvement?

Other than issues with the training, there have been issues with the encryption. There have also been issues with some of the reporting, minor glitches that they have fixed as they've gone along.

I think they have fixed the encryption piece and they have supposedly fixed training. I haven't seen the new training modules yet. The reporting and metrics will be improved in the next release, from what I understand.

For how long have I used the solution?

I have been using Securonix for two years.

What do I think about the stability of the solution?

The solution is very stable. We haven't had any issues.

What do I think about the scalability of the solution?

We were able to increase it. It's scalable, but with some work on-prem; we're not cloud. But it is scalable. The issues were mostly from our environment: networking and support.

My team only is the only team that's using it and it's one hundred percent part of our daily functions. We have plans to increase usage, and extensively. We're about 50 percent of the way to where we want it to be.

How are customer service and technical support?

Technical support is excellent.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The setup was complex. The data mapping was complex because of our own structure and environment. From start to finish, it took us about three-and-a-half months before we went to production.

In terms of an implementation strategy, we worked with Securonix to develop a statement of work and we followed that. It included development and identification of data sources, implementing or ingesting those data sources, and applying use cases to those data sources as we fed them in.

What about the implementation team?

Securonix helped us to deploy the solution. Our experience with them was very good; excellent.

What was our ROI?

So far we have seen ROI. We would like to see even better ROI. 

What's my experience with pricing, setup cost, and licensing?

We pay yearly.

Which other solutions did I evaluate?

We did a PoC between two solutions and we chose Securonix. The other solution was Exabeam. One of the reasons we went with it is that someone had used Securonix at a different company. The scalability, the interface, and the results that it provided were also factors in our decision to go with it.

What other advice do I have?

The biggest lesson we have learned from using Securonix is to start small. Don't throw everything at it. Start with one single use case and build out. Don't throw all the use cases into it at once. Otherwise, it's too much work, you get flooded with too much data, you can't focus on what's important, and you can't clean it as quickly. You can clean it, but it will take a lot of time.

My advice is to go with the cloud solution and, as I said, start small. Don't try to ingest everything at once. And don't create use cases for everything under the sun.

Because we're on-prem, we've had to both focus on threats and on the engineering of the platform. They provide support, but we still have some engineering overhead on our side.

We have five users using it and they're all investigator-analysts. We deployed with the help of four people who are security engineers, and maintenance is pretty much done by the two Securonix support people we have.

Overall, I would rate Securonix at eight out of ten. We're still going through it, developing, learning, and we find issues.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Lead Cyber Security Engineer at a insurance company with 1,001-5,000 employees
Real User
Open platform allows us to modify policies and tune policies as needed
Pros and Cons
  • "The feature that is most valuable is the fact that it's an open platform, so it allows us to modify policies and tune policies as needed. There's also a feature called Data Insights which allows us to create different dashboards on specific things of interest for us."
  • "Securonix implements risk scores based on different policies that are triggered. We've seen some challenges with the risk scores and how they trigger. These are things that Securonix has recognized and they've been working with us to help improve things."

What is our primary use case?

Our primary use case is privileged-account monitoring. We wanted the ability to monitor what privileged accounts do, what time of day they typically log in, what machines they log in from, what type of configuration changes they make, etc.

We're using the SNYPR Cloud UEBA.

How has it helped my organization?

The areas where behavior analytics helps in terms of advanced threats are around some of the rarity-based policies. An example would be if someone is logging in to a machine for the first time, someone who has never logged in to that machine before. Another would be a rare time of day when somebody is logging in. Policies such as rare suspicious-process also help. We have a list of processes that we typically don't expect many users to run, so if somebody's running one of them in the environment for the first time, it helps us understand that something potentially malicious or at least suspicious is taking place.

We had a recent internal penetration test to try to simulate attacker activity, and Securonix really stood out regarding some of its detection capabilities versus our traditional SIEM, with a lot of the policies that we have for rare-process running on a machine. The enumeration-type activities, where it's looking for an increase in the number of, say, accounts that are accessed, or the number of machines or file share that are accessed, was something that stood out significantly for us.

An example where the solution detected a threat that would otherwise have gone unnoticed recently was a Word document that launched PowerShell and tried downloading a malicious file. We have a policy which is looking for a rare process launched from a child process, and that detected a specific type of malware.

Also, given that the solution is offered as a cloud platform, it probably reduced the potential need for additional headcount. Had we gone with an on-premise solution - because it would have a lot of the administrative tasks of maintaining the hardware and doing updates, and some operational costs - we probably would have required an additional headcount. By going with the cloud, it didn't require us to add to our headcount, and yet we were able to add this new technology.

The solution has also enabled our team to focus on threats rather than on engineering of the platform. We're a very hands-on organization. We've done some of the engineering, whether it be to create new policies specific to our environment or specific to a threat that we're looking for. So it has helped us to focus on threats, but we also do a decent amount of engineering.

Securonix has decreased the time required to investigate alerts or threats. A lot of the information is right there for us, so it's easy to search and try to help with an investigation. In terms of how much time it has saved us, it's really a case-by-case scenario. It would be difficult to pinpoint an exact time on it.

As for the solution surfacing high-risk events that require immediate action, Securonix correlates different policy-violations together into what it calls threat models. There have been a few examples of threat models that have been triggered which gave us a high degree of confidence that there's a threat that we want to investigate right away. Using the threat models has really helped prioritize events of interest for us.

What is most valuable?

  • The feature that is most valuable is the fact that it's an open platform, so it allows us to modify policies and tune policies as needed. 
  • There's also a feature called Data Insights which allows us to create different dashboards on specific things of interest for us. 
  • Finally, there is Spotter. Spotter allows us to search and investigate different events of interest for us.

In terms of behavior analytics, we're using cyber more than insider threats. With UEBA being a relatively new space when we looked at it close to two years ago, we were concerned about how well it worked and whether they were truly behavioral-based rules or if that was just marketing terminology for the "latest greatest system." But it exceeds what our initial expectations were for being able to detect different cyber threats. We're doing a lot around the network firewall and endpoint detection for rare process connections, rare network connections, etc.

What needs improvement?

Securonix implements risk scores based on different policies that are triggered. We've seen some challenges with the risk scores and how they trigger. These are things that Securonix has recognized and they've been working with us to help improve things.

For how long have I used the solution?

We've been using Securonix for a year-and-a-half now, as a production customer. We started a pilot back in July of 2017, so if you consider the pilot time, it's about two years in total.

What do I think about the stability of the solution?

Initially, within the first six to eight months, we had some issues with stability. In the last year we've really had no stability issues. There's been no downtime. Any time there are updates, we're always notified when they will take place, with adequate notice. After the updates, there's very minimal downtime as a result.

The earlier instability was growing pains. At the time, we were one of the largest customers going to their cloud solution. It was just a matter of some of the growing pains as they were trying to scale to handle the quantity of logs that we were sending to it.

They've also added additional features and enhancements, and we haven't had any issues with it or any downtime as a result of that.

What do I think about the scalability of the solution?

We haven't had any issues with scalability. We've been able to send more log sources to it and we haven't had any issues with them being able to handle the volume.

We have close to 6,000 employees. We have about 9,000 servers and workstations in total, and we're sending about 5,000 events per second.

We have plans to increase our use of Securonix. Right now we use a different vendor for SIEM, LogRhythm, and we use Securonix for UEBA. We're looking at potential options to consolidate to one platform.

How are customer service and technical support?

Their technical support has been pretty helpful. We have a lot of direct contacts with some of the higher-level support, people who help with the integration. A lot of times, when we have issues, we may email them directly and they're able to work on a resolution relatively quickly. 

That being said, we do have a technical account manager and that person does a really good job of prioritizing resources to make sure that, if we do have any issues, they get addressed in a timely fashion.

Which solution did I use previously and why did I switch?

We piloted Exabeam but we didn't go forward with them.

How was the initial setup?

The initial setup was a little complex, but going into it we knew it's a complex solution. We didn't expect that it would be out-of-the-box. Our expectation was that it was going to take a little bit of time to get it set up and integrated and then to learn different profiles on users. It was somewhat complex, but it wasn't anything that we weren't expecting.

Our case is a unique situation where we aren't using Securonix as our SIEM so we had to send logs from our SIEM over to Securonix. There was some tweaking of the parsing that we had to do; how they were able to normalize the log and stuff like that. That took a little while to get up and running.

Overall, our deployment took about two to three months.

In terms of an implementation strategy, we had Professional Services from Securonix help with the implementation. They did a lot of the heavy lifting for us.

What about the implementation team?

Our experience with Securonix Professional Services was very good. They were able to do the integration. It didn't really require a heavy amount of effort from us to work with them. It was just time-consuming. They were updating the parses to support our environment for several weeks.

What was our ROI?

We have definitely seen ROI using Securonix.

Which other solutions did I evaluate?

We piloted Exabeam but we didn't go forward with them. We looked a little bit at LogRhythm's UEBA capability as well. At the time they were in the beta stages, so we didn't feel comfortable going with them. 

One of the things that we really liked about Securonix was that it is very open-platform, where we have the ability to tune and tweak and create new policies as needed. With Exabeam, everything required us to go through their Professional Services to make some of those changes. The real benefit that we liked with Securonix over Exabeam was the reporting capabilities. Exabeam pretty much removed almost all their reporting and threat-hunting capabilities. I think there was some bug that was taking place. The other thing that Securonix does that I really like is that they give you the raw log message so you can see all the details. Exabeam was only providing parts of the log message, parts they thought were relevant for an investigation, but they didn't provide everything.

LogRhythm versus Securonix is not one-to-one. We're using LogRhythm for our SIEM, long-term retention, being able to look at things over a 90-day period of time. We're using Securonix more just for the UEBA capabilities. Based on how we're using them today it would be difficult to say the pros and cons of either one. We've had some challenges with LogRhythm support and some of their feature enhancements. Some of the things they've rolled out don't necessarily work as expected or we've experienced a lot of bugs with their product. We haven't had the same issues with Securonix.

What other advice do I have?

From a positive standpoint, with Securonix, or with any UEBA vendor, but specifically Securonix as that's the one that we're using, it definitely overcomes a lot of the challenges with trying to understand what's normal and what's not normal in an environment. With the traditional SIEM rules, it's very difficult to tune some of the policies to understand what is normal for your environment. That's really helped us quite a bit. Another thing that might be helpful regarding understanding the platform is that it takes a little bit of time to come up with the behavior profiles. It might take 30 days, depending on what you're trying to look at, before you start seeing some alerts trigger, because you're looking at things over a longer period of time.

The biggest lesson I've learned using Securonix is that with behavioral analytics, and any UEBA vendor, it does reduce some of the alerts but it also has the potential to create additional volume or additional alerts, which could be good or bad. So just understand that there definitely is the potential to get a lot more security alerts as a result of using the product.

The way we try to work around the increase is through the ability to tune some of the policies to remove some of the few things that produce known noise. The biggest thing is just tuning things out, where applicable. Another is by leveraging their threat models. Correlating several different policies together, which are part of a threat model, might provide a little bit more context. As an example, if two of these three policies fire within a certain period of time, it might be a little more interesting than just, say, this one stand-alone policy triggering by itself.

The behavior analytics probably doesn't help us to prioritize advanced threats. It's just the nature of UEBA, I don't think it's necessarily a reflection of Securonix. But one of the challenges with being able to detect a lot of rare activity or anomalous activity is that you tend to find there's a lot more rare stuff happening in your environment than you would expect. It helps us, but sometimes it has the potential to create a little bit more noise as well.

With SNYPR, they have what's called SNYPREye which monitors the cloud solutions of SNYPR to detect if there is any type of operational issue.

We have five people on our team who use Securonix. They're security threat analysts. They all have the same feelings that I do: That it's very helpful with security monitoring, and that it also provides threat-hunting and investigations on users.

We have shared roles, so I wouldn't say we have dedicated focus on just Securonix. We're a small team that does a little bit of everything. At a minimum, if we didn't have that shared focus, maintenance of Securonix would take one full-time resource.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
SVP Insider Threat at a financial services firm with 10,001+ employees
Real User
Identifies threats that would not have otherwise been identified, but needs better integration with ServiceNow
Pros and Cons
  • "The machine-learning algorithms are the most valuable feature because they're able to identify the 'needle in the haystack.'"
  • "There is room for improvement in the product's integration with ServiceNow and in the reporting features."

What is our primary use case?

We use it for information security.

How has it helped my organization?

It's helped identify risky and/or malicious behavior that otherwise would probably have been overlooked. An example would be flight-risk behavior, meaning employees who are planning to leave the firm and/or who are possibly exfiltrating data. It has identified alerts or threats that would not have originally been identified.

While I wouldn't necessarily say it has surfaced high-risk events that require immediate action, but it has surfaced events that require action.

What is most valuable?

The machine-learning algorithms are the most valuable feature because they're able to identify the "needle in the haystack."

Also, the solution's behavior analytics in terms of detecting cyber and insider threats is fairly good.

What needs improvement?

There is room for improvement in the product's integration with ServiceNow and in the reporting features.

For how long have I used the solution?

We've been using this solution for close to two years.

What do I think about the stability of the solution?

The solution's stability has improved over time. Early on, we had issues with stability, but over the last three to six months, it's been relatively rock-solid.

What do I think about the scalability of the solution?

My understanding is that it's scalable, but I don't get into that piece.

How are customer service and technical support?

Technical support is fairly good. I meet with them on a weekly basis. I give them any concerns, issues, use-case changes, etc. Usually, the following week, they have fixed whatever needed to be fixed or enhanced things according to my requests. It's an acceptable turnaround time, for the most part.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

What about the implementation team?

I believe it was Securonix themselves who did the deployment.

What was our ROI?

We're probably approaching the break-even point.

Which other solutions did I evaluate?

The only other solution that I believe we looked at was Splunk's UBA. It wasn't Splunk at the time and it wasn't mature enough at the time.

What other advice do I have?

I'm not an engineer, I'm a consumer of the tool. It's doing what it's been asked to do. It's really all about use cases and having the data. You have to have your use cases well-defined and make sure you can feed Securonix the data. You should definitely do a PoC. Never buy anything without checking it out first.

I wouldn't say the solution's behavior analytics has helped to prioritize advanced threats.

Regarding the Hadoop piece, I would compare it to the way I drive a car. I put gas in it and I don't care what kind of engine is in there, how the engine works. I just turn the key and the car starts.

The users are our security operations team, which has about a dozen people. We use it on a day-to-day basis. We'll increase the use cases.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Chief Technology Officer at a tech vendor with 51-200 employees
Real User
Gives us actionable results - every finding is worth investigation
Pros and Cons
  • "When we were looking for products for our security monitoring needs, our biggest requirement was that we wanted something based on machine-learning and analytics. If you go with rules, it can raise a lot of noise. Securonix, with its UEBA capability, had the best analytics use-cases."
  • "We have compliance needs. We have investigation needs. And we have situations where an analyst needs to look at threats. These three things require a different view of how they look at the threats. What would be good is to have Securonix create three different views of their Security Command Center so that, depending on the persona of the person logging in, they'd get the relevant data they need and not see everything."

What is our primary use case?

Our primary use case is monitoring attacks on our cloud environment.

How has it helped my organization?

The solution's behavior analytics, in terms of detecting cyber and insider threats, are very effective. We are getting actionable results. When I say actionable results, not every finding is going to be a threat, but every finding is worth investigation. Depending on the investigation, some of them are real threats, some are just bad hygiene, and some are a good finding but not a threat for us. So there is work we still need to do. But whatever they are pointing us to is worth investigating. And that is what I expect from the product.

The solution's behavior analytics help to prioritize advanced threats. That's exactly what I mean by "actionable threats." One of the key pain points for us, previously, was that the solution we were using was giving us a lot of low-value indicators which we couldn't even act on. With this solution we have fewer alerts but they're actionable alerts.

From there on, it is on our analyst to then decide which ones are threats. And based on that, what we have done with a few things. In some cases we have changed our security policies so that we can have more rules in place to give us stronger access control and better governance around our workstation usage policy. There were certain things we could do to improve our employee behavior and it enabled us to take those steps. Based on some of the cyber-related threats it identified, we were able to upgrade the software we were using for our endpoints so that we had the strongest possible defense. There are certain things that are real threats and certain things that are bad hygiene and in both cases it's still valuable for us to take action.

Moving from on-prem to cloud, our analyst's time and effort have been reduced by half. I had to have two people working on the product before we got Securonix. We are a small company so we had two people dedicated: One was creating use cases, maintaining the application; the other was the analyst who was investigating. When we moved to the cloud, the operations part was taken care of by Securonix. They manage the use cases, they manage the upgrades. Now I don't need to have a dedicated person to do that. And my analyst gets higher-value threats to investigate.

In summary: First, I have been able to reduce my overhead by half. And second, my analyst is a lot more efficient and the noise in my environment is reduced by at least 70 percent. I was getting seven times more alerts to look at to get to the same results. Now my analyst can go deeper, versus having to rule out seven other things which are not useful.

Also, there were a couple of instances of insider threats where we had employee accounts compromised through phishing. Someone got an email from an email address that looked like a valid email address but it was not. It had the first name and last name correct, but the company name was misspelled. The employee clicked on it and his account was compromised. That compromised account was then used to access intellectual property in our environment. Securonix was able to detect that threat. If that data had been leaked, that would have been millions of dollars in losses for us because everything we do is our intellectual property. Securonix, with its behavior analytics, was able to detect that this account was behaving differently, that it was trying to scan all our shared folders and access a lot of documents in a very short period of time. They were all source code files and the employee whose account was compromised was not even a developer. That was one of the biggest threats it detected.

The other thing it is very good at identifying is that now, with everything in the cloud, there are no firewalls involved. People can, through social engineering, find out what your email address is and then try to guess your password and access your cloud environment. We see a lot of these brute-force types of activities in the cloud, and Securonix is able to detect a lot of those threats as well. We have some automation in place where we can block or challenge the user with additional credentials. We were able to put that in place as well, as a preventative measure, to stop our cloud environment from being compromised. That's is a big area of concern for us.

In terms of operational overhead, one of the benefits is configuration. With our previous product, the issue was that we had to figure out the use case. It was "do-it-yourself." But Securonix is providing us with packaged "apps" for insider threats or cyber threats. So now I don't have to create my own content. In addition, when we were doing this on-prem, we had to have hardware, to worry about patching the hardware. Then we had to worry about patching the operating system. Then we had to worry about patching the Securonix application. All of that, maintaining compliance, was a full-time job. Now, with SaaS, we don't need to do any of that. Securonix maintains it. The third advantage is availability. With on-prem, if you have a network issue, you tend to lose the data for that period of time. With the cloud solution, we have SLAs with Securonix for 99.9 percent uptime. That means I don't have to worry about an outage in the data center or a loss of data. I can hold the vendor accountable for that. So another overhead that I don't need to worry about is disaster-recovery planning for my implementation internally. That is something that the vendor takes care of and I can just focus on monitoring the SLAs that I have with them.

What is most valuable?

When we were looking for products for our security monitoring needs, our biggest requirement was that we wanted something based on machine-learning and analytics. If you go with rules, it can raise a lot of noise. Securonix, with its UEBA capability, had the best analytics use-cases.

Our number-two criterion comes from the fact that we are a cloud-first company, so we needed a solution that would work in the cloud and work with the cloud. Working in the cloud means it would be a service, a SaaS offering. And working with the cloud means it would integrate with our cloud applications and monitor our cloud environment. Their product was the most-ready SaaS product in the industry.

The solution's cloud-monitoring functionality is the only thing we use, because we are a cloud company. Our Office is Office 365, our HR system is BambooHR. Everything we use is hosted in the cloud. So cloud monitoring is the number-one use case for us. In addition to those applications, the solution monitors Salesforce, which our sales team uses, Concur, which is our time and expense system, and it monitors our own application that we use for providing service to our customers. And finally, it monitors our AWS environment.

They have done a great job building the API-based connectors so they can automatically pull data from these applications. They have packaged use-cases that they provide us and, in certain applications, those use-cases are still a work in progress. But I feel confident that the content they have is good and they're improving on it continuously. There's a lot of development that happens on the cloud front. For example, Office365 changes every three months. Cloud applications are new so there's a lot that goes on with these applications. So vendors have to keep updating their content to align with where the cloud application is. Securonix is doing a good job of staying abreast with the latest and greatest developments on the cloud-vendor side and updating their content. A lot of their competition is very poor. We had QRadar in our environment but it couldn't even connect to Office365. From there to where we are today, it's a huge improvement.

What needs improvement?

The UX could be simpler. I know they're working on it. I would like to have one dashboard that has everything in it. We have compliance needs. We have investigation needs. And we have situations where an analyst needs to look at threats. These three things require a different view of how they look at the threats. What would be good is to have Securonix create three different views of their Security Command Center so that, depending on the persona of the person logging in, they'd get the relevant data they need and not see everything.

For how long have I used the solution?

I've been using the solution since 2017, about two years.

What do I think about the stability of the solution?

It is a SaaS solution. We are looking at 99.9 percent availability. If there's anything less than that, it's an issue for us. So far, they've been able to deliver that. I don't know what they do in the background, but they keep the lights on and that's what I care about.

What do I think about the scalability of the solution?

The good thing about being in a SaaS solution is that we are agnostic to the platform. We don't see the Hadoop platform at all, but it provides benefits in terms of scalability. If we are sending 10,000 events per second and I want to scale that to 15,000 events per second next year, I know the platform can scale. That means I don't have to come up with a different deployment or start from zero again. That is definitely a benefit. I don't have to worry about the complexity, but I get the benefit of it being able to scale.

Which solution did I use previously and why did I switch?

We used QRadar. We switched to Securonix because we wanted something in the cloud. There was just too much work to maintain the previous system. Second, we wanted something that was analytics-based so that it would give us actionable threats, versus noise. Number three was that we wanted something that could integrate with our cloud applications faster.

How was the initial setup?

The initial setup was straightforward for us because it is SaaS. For us, it was just a matter of forwarding the logs to them. Within two days we were able to start seeing our data in their environment. Our previous deployment took us six months. That's what the cloud is. It is so much easier. It's someone else's problem to manage and maintain it.

In terms of our implementation strategy, for us the key was is to prioritize: What was the number-one thing we wanted to start sending and get visibility into? We prioritized our applications and created a multi-phased approach. We specified, in the first three weeks, the three applications that were business-critical which need to be monitored. Then we added some more, then we added some more. Overall, over the course of six months, we had all our data sources integrated, fine-tuned, and ready to go. It was important to follow a phased approach. If we had started to put everything in at once, we would have had too much noise to manage.

What about the implementation team?

We deployed it with the help of Securonix. When we bought the solution we also bought Professional Services from them for four weeks. We needed that help in the first four weeks because we are not product experts, they are. At the end of four weeks, that PS turned into support. We did not need Professional Services, we just needed support when we had questions.

Professional Services were very hands-on and very committed to us. That's the best thing about them: Their customer success team cares about making you successful. I've worked with others, like IBM, in the past. You ask them something, it takes a week, sometimes two weeks, for their PS and support people to get back to you. Working with a smaller company, the good thing is that these guys are motivated, hungry, wanting to make sure they have a reference client. We had a great experience with them.

What was our ROI?

From all the benefits I have talked about, there has been a return on investment. And it was quick return on investment as well. With my previous experience, it took us six months to even get up and ready, so we weren't even talking about an ROI until then. Whereas with Securonix, in two days we started seeing our data in their environment. It was definitely a quick ROI.

What's my experience with pricing, setup cost, and licensing?

A good thing about Securonix is that they don't charge by volume of data or number of devices. I don't have to think twice about what I bring into the system. That was a big pain point for me before because every time I brought something in I had to pay extra. They charge by the number of employees, which is a much more predictable number for me, versus data. Our costs are in the $100,000 range over a three-year subscription. There are no additional costs to the standard licensing fees.

Which other solutions did I evaluate?

Rapid7 was one we looked at because it is also cloud-based. From a SIEM perspective, it was not where we expected it to be. We also looked at Splunk but it was too expensive. Capability-wise, Securonix was far ahead of them.

What other advice do I have?

If you're looking for an analytics-based system, which is what everybody should look at, and if you are thinking of something that provides a quick return on investment, then you should definitely look at Securonix, in addition to doing your due diligence with other products. Definitely have Securonix in the mix if you're looking for actionable threats, flat pricing, and a cloud-based solution.

The biggest eye-opener is how wonderful the cloud environment is. There is a whole new universe of threats that get exposed by moving to the cloud. It has all these benefits, but it also reveals a lot of risks. So there's a lot of work. Businesses will continue to adopt the cloud, and security has a lot of catch-up work to do to secure data in the cloud. But Securonix is bringing those issues to the front and we are coping with them, one thing at a time.

This is our single pane of glass for monitoring threats to our environment. It's being used companywide for monitoring purposes. It's our 24/7 eyes on glass. There are certain applications that we have not integrated yet and there are new applications that we continue to onboard. As we grow, and as we bring in more devices, we will want to integrate them into this platform. It is always a work in progress.

Our analyst who goes in and looks at the threats is the primary user of the system. There are also secondary users. For example, the compliance team looks at all the compliance reports that they need to meet the requirements we are bound by. They have their own use-cases that they look for. As the CTO, I have dashboards that I look at to monitor the overall health of our security posture. We also have investigators who look at specific investigations. If there is something that involves HR or our legal team, that becomes a case that we need to track.

From a deployment perspective, we had one person working part-time with the Securonix PS team for the first four weeks. After that, Securonix went away and that part-time resource continued to work on it. The part-time resource for deployment is a point of contact for Securonix. We need to send them data. We can tell them, "Hey, these are the data sources that we want to prioritize," in the first four weeks, for example, and this is the data we are going to send you. This person is the point of contact for them to coordinate with our internal teams to make sure the data is fed correctly and that we have scheduled the imports, etc. In terms of maintenance, there is none for us because they do it.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Securonix Next-Gen SIEM Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2024
Buyer's Guide
Download our free Securonix Next-Gen SIEM Report and get advice and tips from experienced pros sharing their opinions.