Elastic Security Reviews

We really like that it integrates into the overall ELK Stack, and we're using that as our theme. We were looking for a product compatible with that. We like the detailed investigation features of the platform as you're able to get a lot of detail as to what's going on on the host when you do investigations. We like the quarantine feature.

We chose the product based on the ability to scan for malware using a malware behavioral model as opposed to just a traditional hash-based antivirus. Therefore, it's not as intensive. We have a lot of satellite communications, and it's not as intensive since we don't require updates to calm down on a regular basis for updated DAT files for hashes on a regular basis. We only have to update quarterly against the new malware model. It's also a lot less impactful from a performance perspective on a machine.

It's a pretty solid product. It's pretty easy to use as it's not a full endpoint protection suite. We're actually dependent on using Windows Defender for a firewall and traditional antivirus when it's required. It could use maybe a little more on the Linux side. Now that the product line is getting picked up by Elastic, they're going to continue to build out and make the Linux feature set more robust. However, I would say that right now the Linux feature set is a little limited.

I've been using the solution for about a year.

Stability is very good. It's a very stable product. We haven't had any issues with stability at all.

For what we use it for, scalability has been great. Our environments tend to be smaller. We're only talking about 200 to 1,000 systems. Therefore, I don't know that I could speak to a real large scale since that's not our implementation level.

We are kind of in an interesting use case as we're not actually using it on a day-to-day basis. We are a production house, and we shift suites out to customers to use. As far as what the user feedback is on a regular basis, we don't really see a ton of that unless we kind of go out and hunt for it.

We're using the Microsoft Defender product. It's just what's embedded inside of the operating system. It's not the full Defender for Endpoint. It's just Windows and antivirus.

The Endgame itself is extremely straightforward to set up and you just filled out the ISO and you follow a couple of wizards you're done. It's very easy. I would say the ELK Stack is a little more complicated, however, that's due to the way we implement PKI in our environment. The product in itself is fairly straightforward to implement. It's our choice of certificate implementation that's making it a little more complicated.

We targeted it to be able to be maintained by one person. In a lot of cases, our scenario is that we only have one person available to maintain the product. It's very easy to maintain. There's not a ton going on. In a scene, you always have to have somebody watching the log of traffic if you want it to be effective. However, outside of that, there's no extreme maintenance associated with the product.

I do not know approximately how much it costs per month or per year. I'm not the one who makes the purchases.

We are just customers. 

I'd rate the solution an eight out of ten. 

We use it as a SIEM for monitoring a client's environment.

One of the most valuable features of this solution is that it is more flexible than AlienVault. 

It is difficult to anticipate and understand the space utilization, so more clarity there would be great.

My company has been using this solution for two years.

It is a very stable solution.

The solution is very scalable.

The technical support is adequate.

Neutral

We currently use AlienVault for some clients and Elastic Security for others. We chose Elastic Security because we felt it was the most flexible, cost-effective solution to provide the results needed.

In certain respects, the setup of this solution is more straightforward than other solutions, but in other respects, it's more complex because it needs more fine-tuning than Splunk or AlienVault.

We implemented through an in-house team and it took about two months.

The licensing cost depends on the size of the environment it's monitoring. Everything is based on volume, as with all SIEMs. When compared to other products, the price is average or on the low side.

We evaluated several options, including Monster SIEM, Splunk, and Wazuh.

There's a lot of fine-tuning involved with this solution. When you go to a diner, and the menu has everything on it, and you can't figure out which part to look at first, it's a double-edged sword. You can do everything with this solution, which means you have to figure out which part of "everything" makes sense for your company to do.

I would rate this solution as an eight out of ten. It's a good value for money and a  reliable solution, but it's heavily reliant on appropriate configuration.

I worked for a telco client for the security model of Elastic, but my role was unit manager. I don't have a lot of technical expertise, but I decided on the solution for a client, and I was responsible for the delivery.

I worked with the security of the mobile app. I see all the logs in Elastic for SIEM. I monitored the logging and some logs from the machine for a UNIX system with some use cases like the machine's file system.

This solution is deployed on-premise.

We provide this solution to our customers, which are telcos, in the finance industry, and in retail.

I think that it's a good solution for a SIEM.

Elastic doesn't have the features like other competitors in SIEM. For example, Dynatrace as a solution for SIEM has features that Elastic actually don't have.

With Elastic, you have to build the use cases for the specific requirement. Other products have a simple integration and more use cases to integrate out-of-the-box solutions for SIEM. That's the improvement I would like to see.

The product is stable.

Other products like Splunk are better than Elastic for a SIEM because there are some use cases already available for a client. Elastic doesn't have this, so the user must build the SIEM solution. I think that Elastic has to increase the features for the SIEM.

It's not very complicated to install Elastic, but I didn't deploy it.

I would rate this solution 7 out of 10.

It's a good solution and I would recommend it, but there are other products that have more features that Elastic doesn't have.

Overall, the solution is good.

The machine learning aspect of the solution has been great.

The deployment is not that complicated.

ELK is open-source, and it will give you the framework you need to build everything from scratch.

The SIEM modules in Logstash, need more improvement. In the future, the modules could be more advanced as right now there are only very basic modules.

We are facing an issue with the engineers. In the region, there are not many available. Only a few people might be available in our particular region, which is a problem. 

There isn't really a very good user experience. You need a lot of training. There is an interface with limited options. You need to work with the coding and you need to work with the scripts. It's not simple. If you want to configure something, for example, you need to be a proper programmer.

It would ideal if they had a dashboard. Right now, the only way to see what you need to see is to go through all of the logs. 

I've used the solution for one and a half years.

The stability of the solution is good. However, it depends on the configurations. If the solution is configured properly from the beginning, it will be stable. However, if the solution is not configured from beginning properly, it will not be. This is due to the fact that ELK Elasticsearch gives you the framework only, and the customizations depend on the guys who will be coming to configure everything for the company.

The scalability is good, however, there is a certain level of skill that is needed. Due to the lack of trained engineers in the area, this could be a challenge.

We've reached out to technical support in the past. We found that sometimes communication with them was difficult as there was a lack of understanding. This means that it takes a longer time to reach a resolution. However, in the end, when we have had issues, we were able to resolve them, even if it was a bit delayed. 

I've also worked with LogRhythm and there is no comparison. LogRhythm is the best solution for me. The use cases are better and are readily available. In contrast, with ELK, we need to deploy a lot of things. We need to program people and we need skills and training. We need a lot of things. Even the LogRhythm training is easier than ELK. With ELK, you need to build the customization, rules, everything, from scratch. WithLogRhythm, you just have to enable features.

If a company wants some more specific detailed use cases, then ELK would be better than LogRhythm, however, for a generic use case, LogRhythm is better.

The initial setup is pretty simple and straightforward. It's not overly complex. 

That said, it does require trained specialists, and there just aren't that many in our area. 

Overall, I would rate the setup process at a two out of five. 

The configuration must be done correctly, and that depends on who is configuring it. If the person configuring it, for example, only has an administrator background, he will configure the administrator stuff. If he has a security background, he will configure for security.

We are a partner. 

I'd advise others considering the solution that ELK is a good solution, however, it requires skills and capability. You need to be properly trained with it to get the most out of it. 

I would rate the solution at a five out of ten.

It is for our own infrastructure. We are trying to do ELK Stack for everything. We are trying to build our own monitoring solution. For now, we are using it as an alerting solution, and SIEM is going to be our destination.

Its flexibility is most valuable. We can have a number of scenarios, and we can get logs from anything. If we know how to use Logstash, we can tweak it in many ways. This makes the logging search on Elastic very easy.

With Kibana, we can make very beautiful dashboards the way we wanted. It makes sense for the business.

We are paying dearly for the guy who is working on the ELK Stack. That knowledge is quite rare and hard to come by. For difficulty and availability of resources, I would rate it a five out of 10.

We don't have any scalability problems as of now. We have less than 2,000 devices.

We have a contractor who is trying to develop and deploy the ELK Stack for us. He has requested a couple of servers, and we have given those to him. He asked for more RAM and storage for the service, and he will take time developing the custom Logstash scripts that we have asked for.

I find it better than Splunk in terms of cost-effectiveness. For cost-effectiveness, I would rate it a nine out of 10.

It is complex, but you just need to have patience and personnel to develop it. Unless you explore a technology, you won't know what are the pros and cons. I have not seen any cons as of now, but it has miles to go in terms of being equal to Splunk. It is a community-driven technology. So, it will get there.

I would rate this solution a seven out of 10.

Our primary use case of this solution is for application performance monitoring. We are customers of ELK.

This solution enables us to monitor application performance from Elasticsearch and we can predict some behaviors for applications using ELK. This product is distributed and scalable which is good for us.

The troubleshooting or diagnostic tool can be improved to provide a better understanding of internal behavior and how data is stored. It would also be helpful if they were to release the next version as a plugin or an extension, or as a JAR file, for the latest features. When releasing a new version they currently provide a new stack which means everything needs to be removed before the new version is installed. 

I've been using this solution for five years. 

The solution is generally stable, although with each new upgrade there is an adjustment period. They upgrade versions very regularly and it's hard to keep up. By the time my environment is stable with the previous versions, they are already bringing out a new version. 

Scalability is very good with this product. 

I'm not satisfied with technical support because whenever you raise a case, it goes to some random support person who asks questions about the architecture. It's a waste of time. I'm a platinum customer so each time I raise a request, it should go to a dedicated customer support representative who knows my case. It's very difficult when you work in a highly secure environment to get all the logs and send the logs to them each time. 

The initial setup is easy, but as you begin using the more advanced features like security and authentication with an AM and LM, then it becomes a bit tricky.

Licensing costs are high, they charge based on the nodes and the RAM. If I purchase a license for a 64GB RAM node and then want to have 128GB RAM, I can't because it's not in the contract so I have to pay on top of that. They removed a feature that allows me to provide multiple disks for one node so if I now want to add an extra disk to the volume, I have to buy a license for one extra node. It's very unfair. 

I would recommend this solution for an organization that doesn't require a highly secured environment, because they'll have to deal with the issues of VM upgrades and installations. If it's a highly secured environment like a bank, then I suggest ELK cloud instead of on-prem.

I rate this solution a seven out of 10. 

We do not use monitoring due to the fact that we use Prometheus for monitoring. We don't use APM and so on. We use ELK only for logging.

The solution has very good logging functionality. 

The aggregation capability is quite useful. 

The solution is quite stable. The performance has been good.

The solution scales well.

The solution has gotten easier to deploy since the 2019 version.

Using ELK the first time there was a lack of security. We had to buy the paid version due to the fact that we needed to secure access to Kubernetes.

The problem with ELK is it's difficult to administer. When you have a problem, it can be very, very difficult to rebuild indexes. In fact, you have to monitor the stack and it's very, very difficult. Sometimes we lose indexes or we have nothing on the dashboard.

I've been using the solution for about two years at this point. It hasn't been an extremely long amount of time.

The solution is stable. It's reliable. There are no bugs or glitches. It doesn't crash or freeze.

The solution can scale. If a company needs to expand it, it can do so pretty easily.

We use the solution for quite a small team. Ten people work on it.

Due to the fact that we have a paid version of the product, technical support has been fine. We've been satisfied with the level of service provided to us. They are quite helpful and responsive.

Previously, we were on Datadog, Kubernetes Logs. It was not very easy to debug incidents and so on. If I had to compare, I'd say that Datadog is very easy to implement and it's such a fast solution.

The first time, it was very hard to deploy on Kubernetes. However, as we reached version seven, they are now an operator. Now it's very easy to deploy. We no longer have any issues.

The solution is a bit expensive. I don't know the pricing of Datadog, which is what we used to use, however, it's my understanding that it is very expensive also. 

We are a customer and an end-user. We do not have a business relationship with ELK.

The solution is deployed on Kubernetes in Azure.

I would advise other companies and users not to mix monitoring and logging. It's not the same purpose. Many people do monitoring by scanning logs. It's not a good idea. The good idea is to monitor separately. In case of incidents, you have to monitor metrics and logins for the root cause. It's important to separate this, and not treat them as the same thing.

I'd rate the solution at an eight out of ten.

It is currently deployed as a single instance, but we are currently looking at clusters. We are using it for a logging solution. I'm a developer and act as a server engineer for DevOps Engineers. It's used by developers and mobile developers. It could be used by quite a few different teams.

It is quite comprehensive, and you're able to do a lot of tasks. It has dashboards and we're able to create a lot of search queries. It is not easy to use, but once you get the hang of it, then it provides good graphs and visuals such as these. The indexes allow you to get your results quickly. The filtering and log passing is the advantage of Logstash.

In terms of query resolution, error searching finding and production issues, we're able to find issues quicker. We don't need to manually obtain the logging reports. All bugs in code are quickly identified in the logs as they are in one centralized logging location.

We're using the open-source edition, for now, I think maybe they can allow their OLED plugin to be open source, as at the moment it is commercialised. We are planning to go into the production to use the enterprise edition, we just wanted to check how this one works first.  I think maybe on the last exercise part, I think the index rotation can be improved. It's something that they need to work on. It can be complex on how the index, all the logs that have been ingested, the index rotation can be challenging, so if they can work on that. In terms of ingestion, I think they should look at incorporating all operating systems. It should be easy to collect logs from different sources without a workaround to push the logs into the system. For example, in AIX, there's no direct log shipper so you do need to do a bit of tweaking there.

We have been using ELK Logstash for three years or so. We believe we are using the latest version. 

The solution is quite stable, although it does need a bit of maintenance, and because there is quite a lot of plugins that come with it. There's a lot of testing that is involved to ensure that nothing breaks.

The solution is scalable. So you're able to extend it and grow it. For example, you're able to put it in a cluster, so it is quite scalable.

I have used the technical support. Their forums are quite good in terms of response. There is quite a big community of forums, where you can get similar question or issues that others have experienced issues previously. Even then direct support is quite good. They also have regional support. 

Logging solution previously, but mainly I've been using Graylog and ELK. Graylog gives you centralized logging. It's built for a logging solution, whereas ELK is designed and built for more big data. If you want to go in deeper into analytics, ELK gives you that flexibility and out of the box models. The two solutions are widely used by a lot of bigger clients in the industry and they've been tried and tested.

With ELK, installation is not really straightforward. There are about three applications to consider. It's quite intense in terms of set up, but once you've done the setup, then it's nice and smooth. The implementation took about 3 weeks, but that is because I was doing it in between other projects. We used an implementation plan. It was deployed to the development environment, then the Point of Concept (POC) environments. It was then deployed into the production environment.

We implemented the solution in-house. There were no third parties involved. For deployment and maintenance, we just need about two to three people and the role is known as maintenance and installation.

We're using the open-source solution, So there are no-cost implications on it, but we are planning to use it throughout the organization. So, we will soon adopt the open-source model and depending on if there is a need for enterprise then we'll go down the enterprise route. If you need a lasting solution, you do need to buy the license for the OLED plugin. The free version comes fully standard and has everything that you need. It is easy to deploy, easy to use, and you get everything you need to become operational with it, and have nothing further to pay unless you want the OLED plugin. 

We also have Graylog, for Graylog we're using it in parallel for a similar solution. At the moment, we're basically just comparing the two and see which one is preferred.

Do a POC first. They should compare solutions and also look at different log formats they're trying to ingest. See how it really fits with the use case. This goes for ELK and Graylog. You can trial the enterprise version. In terms of lessons learned it does need some time and resources. It also needs adequate planning. You need to follow the documentation clearly and properly. I would give this solution 8 out of 10.