What is our primary use case?
We deployed the solution for a client for both Windows and non-Windows servers.
They didn't want to have a complete prevention feature. They were using it for any anomaly detection on the critical host and for complete system lockdowns for a few of the database servers.
What is most valuable?
The beauty of the product is the complete system lockdown feature. It ingests all the logs over a month, including the daily processes, tasks, legitimate users, and activities. The tool will then detect any anomalies, such as an intruder who has breached the network, which can trigger the system lockdown feature if it's enabled and meets the defined threshold.
The prevention feature, for which we could restrict the users, is useful. Let's say there was one Lotus Notes or Domino server that had the directory of all the email users in the organization, and there were around 40,000 users with email accounts in that particular customer location. Apart from a few on top, for example, trusted administrators, no one in the organization should have access to be able to change anything. Even the server admin owner who has created that server cannot do anything and cannot apply a dot or delete that dot from the directory through this particular tool.
We configured it in such a manner that, apart from those five administrators, no one from the entire organization, nor an attacker, would be able to make any changes in the directory itself. They cannot spoil it, and they cannot use the information. Even the read access of that particular directory can be revoked from an administrator.
What needs improvement?
The negative aspect of that particular product is the fact it has a very, very, very complex policy structure. A user or administrator making the policy in the DCS should have a very thorough knowledge of the operating system or policy making. You have to be very specific about the data structure.
If you want to secure a Linux server, an administrator should be very confident about the directory structure of Linux, how Linux works, and where it puts the important logs. You have to be very cautious about the complete path, and you have to write it over there in the policy part. If you are not very specific, there will be a lot of noise in the system. You're going to receive thousands of events that are false positives. The fine-tuning of the policy is a very complex thing in the DCS itself.
Another negative aspect that I have observed is that if the product gets installed at the kernel level of any non-Windows server, it has some issues, compatibility issues. Sometimes the product doesn't work properly, so it shuts down the machine and crashes the system. There are many cases in which I've observed the DCS crashing the system.
For how long have I used the solution?
I've worked with the solution for approximately four years.
What do I think about the stability of the solution?
It's not stable. You install this particular product to secure the most critical assets of the organization, and if this particular product is not allowing them to work properly as they're intended to, it shuts them down or can corrupt their Kerberos files. Every time we reach out to Broadcom or Symantec, they say, "Please share the kernel dump of that particular machine." After checking, every time, they give us the same answer: "You have to upgrade the version of the product."
If you are using an RHE machine, Red Hat Enterprise Linux 7.1, and you have installed a DCS agent, after applying some patches or if you find that particular server has vulnerabilities, you need to upgrade to another version. However, it might be possible that a particular version of the agent is not compatible with the RHE server. It can eventually bring that server down. That's a major negative aspect of this product.
I'd rate the stability a two out of five in terms of its reliability. For Windows, it works well. However, for non-Windows options, it is not stable.
What do I think about the scalability of the solution?
The scalability is unnecessary as it provides you with all the out-of-the-box features. You don't need to look for another type of scalability apart from what they offer. You don't need to scale or add anything. I'd rate the scalability three out of five.
The company has 40,000 users and five admins.
How are customer service and support?
Technical support is decent enough. That said, I found that many of their good engineers or engineers from the BlackLine team have already left the organization. There were a few people I had been working with since 2015. Since Broadcom has taken over, the support has deteriorated. I would not recommend the support.
Which solution did I use previously and why did I switch?
Now, our customer is moving away from Symantec Data Center Security, and they have the license of Trend Micro Deep Security. That particular tool also has HIDS features within it. Since it's a lightweight agent, it does not crash any production server, so they want to replace the existing Symantec solution with Trend Micro Deep Security. However, Trend Micro Deep Security lacks full system lockdowns. It, unfortunately, allows a user apart from the administrator to make changes on the critical server.
How was the initial setup?
The product installation is straightforward. However, the policy configuration is highly complex. For the initial deployment, I rate the tool five out of five in terms of ease of setup.
The deployment was very easy. It typically took 20 to 25 days, and that was due to the fact that we had dependencies on other teams. We depended on the SQL team to create a particular instance of SQL DB. We depended on the network team to provide the IP address and open the ports on the firewall. Due to dependencies, it took around one and a half months.
The post-installation activities, which required PCs and some policy testing, configuration, and agent installation, took more than six months.
Since we were running 24/7 operations, I cannot commit how many people were required from beginning to end.
Maybe in another organization, the customer could easily provide the product on time - if they have redundancy or a well-established HA network. At least four associates are required for the deployment part and policy configuration, and you have to monitor the events daily as well, eventually. There would be a lot of events.
We're providing maintenance for the company currently. We have two people responsible for maintenance tasks.
What about the implementation team?
I handled the installation and deployment myself alongside the OEM.
One person from Symantec was aligned with me. That said, the post-installation activity required the complete team. Every day, we had some downtime. Every agent that needed to be deployed on the critical servers required downtime. They had to reboot the server pre-installation and post-installation.
That is something that affects the customer; you don't get downtime very easily from the customer. That's the main challenge we were having.
What's my experience with pricing, setup cost, and licensing?
I'm not aware of the licensing costs. I do not handle the financial side of the product.
Which other solutions did I evaluate?
We looked at a few OEMs like McAfee, Symantec, and Trend Micro. Out of those products, we chose Symantec Data Center Security.
What other advice do I have?
We are just a customer.
I rate the solution six out of ten.
If you are a customer, you need to have a dedicated team who can maintain the product with the operating system upgrades. Otherwise, you will be facing some consequences.
You have to plan for the upgrade of the DCS tool first eventually. If you can plan out several reboots and maintenance of that product, and you have those admins who have a deep knowledge of the operating system, then this tool is very useful. It will go very well with the organization.
However, if you are a user who doesn't have that much technical knowledge of the operating system, you don't have any dedicated team, and you want some automation and require no physical effort to check the logs, you'll have issues. You'll face a lot of problems and noise, and you will not be able to configure the policies according to the requirements. It will not be a good product for you.
Disclosure: I am a real user, and this review is based on my own experience and opinions.