Elastic Security Reviews

We have different use cases. We implement it for the banking and healthcare sectors. It's the most useful for the e-commerce platforms that we deploy it for. The most important feature is Elasticsearch.

They also use it for security. Elastic Security has been deployed in the National Bank of Dubai. They are currently using Elastic Stack and they're also using the security version. 

It's a good platform and the very best in the current market. We looked at the Forester report from December 2022 where it was said to be a leader. 

There are many benefits. It provides log monitoring, synthetic monitoring, real user monitoring, and application performance monitoring. 

These are the four main use cases that most organizations use it for. They want to know the downtime and the errors in the code. They acquire it through my company. It's mainly used by SMB-sized companies but not enterprise.

Elastic has one problem. In the past, Elastic Security was free. Now, they currently only offer the basic license or a certain period of time. 

The platinum and enterprise level features aren't offered in the free version and most organizations use the free version. They don't pay for the paid features. That's a problem in the market from the Elastic side. They should have a way for everybody to be able to benefit from the premium features. 

I have been using Elastic Security for one year. 

I would rate Elastic Security a nine out of ten. 

The solution is compatible with the cloud-native environment and they can adapt to it faster. 

Elastic Security's maintenance is hard and its scalability is a challenge. There are complications in scaling and upgrading. The solution needs to also provide periodic upgrade checks. 

I have been working with the solution for four years. 

The product is stable. 

The product's initial setup is straightforward but experts need to do it. 

The base product is open-source but if you need advanced security features then you need to pay for the subscription. Elastic Security's price is reasonable in some cases and in other cases it's not. 

I would rate the tool a seven out of ten. The solution has a very active community with troubleshooting cases. You need to consider the growth rate and environmental complexity when buying the product. If you need to use a multi-node or cluster version, then install it during initiation itself. So that you don't need to do the same procedure in the next three to six months. 

I sell Elastic Security to my customers. Almost all my customers use the free version, but some use the enterprise version.

I like that it's a SIEM platform. I like that I can sell Elastic Security quickly. Elastic Security has a large community that can support users.

It would be better if Elastic Security had less storage for data. My customers do not like this. Other vendors have local support in different countries, but Elastic Security doesn't. I would like to have Operational Technology (OT) Security in the next release.

I have been working with this Elastic Security for about ten months.

Elastic Security is a stable solution. It's the most stable solution I have ever seen.

The initial setup is straightforward. Anyone who knows the basic features can implement this product. Elastic Security has a large community that can support users.

We implement this solution for our customers. We present and demonstrate the POC, and we support them. After the implementation, we provide the provisioning service. Deployment time depends on the business size, but it usually takes about 20 days to a month. 

The price is reasonable. It probably costs the same as ArcSight and LogRhythm SIEM. FortiSIEM might cost less than Elastic Security. There are no hidden or additional costs.

This product is better suited for large enterprises. It's one of the best options in the marketplace. I would tell potential users to use all the features because they are already collecting all the logs and data in one place.

On a scale from one to ten, I would give Elastic Security an eight.

We really like that it integrates into the overall ELK Stack, and we're using that as our theme. We were looking for a product compatible with that. We like the detailed investigation features of the platform as you're able to get a lot of detail as to what's going on on the host when you do investigations. We like the quarantine feature.

We chose the product based on the ability to scan for malware using a malware behavioral model as opposed to just a traditional hash-based antivirus. Therefore, it's not as intensive. We have a lot of satellite communications, and it's not as intensive since we don't require updates to calm down on a regular basis for updated DAT files for hashes on a regular basis. We only have to update quarterly against the new malware model. It's also a lot less impactful from a performance perspective on a machine.

It's a pretty solid product. It's pretty easy to use as it's not a full endpoint protection suite. We're actually dependent on using Windows Defender for a firewall and traditional antivirus when it's required. It could use maybe a little more on the Linux side. Now that the product line is getting picked up by Elastic, they're going to continue to build out and make the Linux feature set more robust. However, I would say that right now the Linux feature set is a little limited.

I've been using the solution for about a year.

Stability is very good. It's a very stable product. We haven't had any issues with stability at all.

For what we use it for, scalability has been great. Our environments tend to be smaller. We're only talking about 200 to 1,000 systems. Therefore, I don't know that I could speak to a real large scale since that's not our implementation level.

We are kind of in an interesting use case as we're not actually using it on a day-to-day basis. We are a production house, and we shift suites out to customers to use. As far as what the user feedback is on a regular basis, we don't really see a ton of that unless we kind of go out and hunt for it.

We're using the Microsoft Defender product. It's just what's embedded inside of the operating system. It's not the full Defender for Endpoint. It's just Windows and antivirus.

The Endgame itself is extremely straightforward to set up and you just filled out the ISO and you follow a couple of wizards you're done. It's very easy. I would say the ELK Stack is a little more complicated, however, that's due to the way we implement PKI in our environment. The product in itself is fairly straightforward to implement. It's our choice of certificate implementation that's making it a little more complicated.

We targeted it to be able to be maintained by one person. In a lot of cases, our scenario is that we only have one person available to maintain the product. It's very easy to maintain. There's not a ton going on. In a scene, you always have to have somebody watching the log of traffic if you want it to be effective. However, outside of that, there's no extreme maintenance associated with the product.

I do not know approximately how much it costs per month or per year. I'm not the one who makes the purchases.

We are just customers. 

I'd rate the solution an eight out of ten. 

We use Logstash to retrieve data from our servers, from different sources, to our Elastic Stack. There, Elastic Search allows us to search it, and we can visualize the data with Kibana.

I use the stack every morning to check the errors and it's just so clear. I don't see any disadvantage to using Logstash.

Our system architect has noticed a slowdown of the solution, but I don't see a slowdown.

One thing they could add is a quick step to enable users who don't have a solid background to build a dashboard and quickly search, without difficulty.

We have been using Elastic Stack for about three years.

The solution is stable. We also monitor the Elastic Stack health and it's been a while since we have had an issue. The stability doesn't cause any problems. It's good. We haven't had any major issues.

For now, we haven't had any problems. I'm just a user. I'm not the one responsible for the total solution. I use Kibana for the dashboard to detect any errors in our servers.

But for the future, perhaps we will need to scale our solution because we deploy new components and we implement new servers on Azure. 

The solution is maintained by dedicated architects who provide us with a solid platform. There is no direct support from Elastic Stack. We don't have any issue or any problem which requires support.

I'm a system engineer. The architects who set up these solutions did it before I worked here.

I learned how to use it by doing searches and finding information about it.  I learned to use it very quickly. The documentation is very simple to use, as long as you have some technical background in computers.

Elastic Stack is an open-source tool. You don't have to pay anything for the components.

Think carefully about how you will build the solution so that it is a high-availability solution. That is the trick when using Elastic Stack. Examine what your needs are.

I would rate Logstash at eight out of 10. I think the solution is really complete, with the components it has. It is a good solution. 

We are using the solution for log management. We use it for monitoring and observing. 

Its search engine is great, and it is really quick. In the beginning, we wanted to search through terabytes of log data, and after that, we decided to search using the solution.

The initial setup is very easy.

It can scale well. 

It's very stable and reliable. 

We use it as an open-source product and do not have to pay for licensing. 

There is a lot of good documentation online if you need to troubleshoot. Everything is clear and easy to follow. 

The solution wasn't designed for monitoring at first. It was for search and stack logs and for working with solutions like Kibana. Therefore, they are a bit weak when compared to traditional monitoring tools. 

They should work to improve their integration and graphical interfaces. Their visuals and graphs need to be better. They need better charts. These already exist in Kibana and should be in this solution as well. 

I've been using the solution for two years. 

The solution is very stable. There are no bugs or glitches, and it doesn't crash or freeze. it is reliable, and the performance is good. It'd rate the general stability ten out of ten. 

We can easily scale up, according to our needs. It's easy to expand. 

I'd rate the overall ability to scale up eight out of ten. 

They do not have technical support. They have community support and documentation to help with troubleshooting. We've been happy with the amount of detail we can find online if we need assistance. 

I have not used any other products that are the same. I only use Micro Focus Ops Bridge and SiteScope, which are traditional monitoring tools, so I can't categorize them. They are slow yet they can handle big networks. 

The solution is straightforward to set up. They have documentation on their site that shows how to do everything step by step. Everything is very clear and easy to understand. I'd rate the overall ease of implementation nine out of ten. 

The deployment is fast and only takes hours, not days. 

One person helped me deploy the solution. However, we did not need outside assistance. We did it ourselves. 

The solution is open-source and, therefore, free to use. 

I'm a partner. 

I'd advise others to take advantage of the documentation of the solution in order to get the most out of the product.

In general, I'd rate the solution eight out of ten. 

We plan to use it to analyze the data that we're pumping into it from Active Directory and from firewalls, then we'll pass that information onto our own external SOC.

We really haven't had any significant SIEM solutions, so it's all new to us, other than a simple up-down solution. Just the ability to do a lot more than just up-down is nice, which a lot of people take for granted.

The biggest challenge has been related to the implementation. It's a very complex product which, without a lot of knowledge or a lot of training, it's very difficult to get into and make use of. They try and make a lot of the general features very simple to access; a lot of the dashboards are very simple to use and so forth, but a lot of the refined capabilities take serious skills. They're not necessarily the easiest to implement.

We've been trying to implement it and get it up and going for a good three to four months now.

Elastic SIEM is pretty stable. I did have a problem during one of the upgrades, but customer support was able to resolve it for me quickly. Other than that, it's been very reliable and stable.

The customer service is great; not a whole lot of back-and-forth going on.

The initial setup was pretty straightforward.

It's a monthly cost with Elastic SIEM, but I am not sure of the exact cost.

In our case, being a medium-sized business, it takes a lot of resources to learn how to properly use and implement it — you need to have a good understanding. They give you a very good framework and a very good solution to work with, but there's a lot of intuition that's required to actually make it work well. It requires a lot more effort than they would lead you to believe or that you would even expect.

On a scale from one to ten, I would give this solution a rating of eight. This is based on my experiences from the past as we're still implementing it.

We use Elastic Security for monitoring. Our client is a financial client, so we detect their infrastructure from that perspective. For example, if there is any unauthorized access to their financial systems, we need to know about that. We monitor all the instances they are using all the storage buckets they use, and then if they have exposed any APIs, we need to monitor those as well. They are using AWS Cloud, and we need to monitor their cloud services.

There is a lot of customizability in Elasticsearch. For example, I can use indices if I want to modify the fields or segregate the logs. I can also use different open-source tools. For example, a tool called ElastAlert can be used for detection on Elasticsearch. Even if you don't have Elastic SIEM, you can still use ElastAlert. Similarly, the APIs they provide are pretty flexible. We use those APIs in our automation to get notified in Slack.

Another good thing about Elasticsearch is that it provides extensive flexibility regarding search. The filters are pretty amazing. You can know, search whatever you want.

There are a lot of things that could be improved. For example, if I talk about Sentinel, the automation of the server component is very cool. But when it comes to Elastic, I don't see that. I think we need to come up with other solutions to make it possible to automate the response. This is easier in Azure Sentinel.

Then if I come to integration, for example, there is a product from IBM called QRadar. They provide a very managed way to manage your integrated log sources. For example, you will get a list in one pane where you can segregate logs based on their log type. For example, it could be based on Windows or Linux. Even within them, you can segregate them based on their application. You can tag them. But in Elasticsearch, you will get all of these in one place, in a raw form which is not very presentable. You cannot visualize those log sources pretty well. Although you can visualize logs pretty well through dashboards and graphs, when it comes to integrated devices, management for those devices is missing. And wherever I use Elasticsearch, it takes a lot of time to reload or load. It is very time-consuming.

I've worked with this solution for more than seven years.

Stability is a tough question with Elastic Security. Some of my clients have found this solution pretty stable, but two or three clients have a lot of real-time data, and it has been a pain in the neck while dealing with Elasticsearch because it takes a lot of time to load. Even if my client has increased their resources like RAM and storage, they might still put that into a load-balancing infrastructure without scaling enabled. The stability depends on how well you deploy it from the start. For example, if your design is good, and you have implemented it as it should be deployed, then you will not face those complications. But if you have deployed it wrong and don't have a completely planned architecture. After that, it is not easy to correct those mistakes because it has already been deployed and integrated, and now there's no time to fix those errors in the architecture.

It depends, but the solution is overall reliable.

The solution is scalable. But again, it depends on the deployment. If you're deploying it in an auto-scaling infrastructure, it will automatically scale as per the demand. For example, if it's a service on AWS, they provide Elasticsearch but call it OpenSearch. If you use that, it will automatically scale as per the demand, and you will only be paying for the resources you use. But if you are deploying it on-prem, it's only as scalable as the infrastructure.

Three of my customers are using the solution currently.

The initial setup is straightforward. But since I've been using it for seven years, I could be comfortable with the solution, so I'm saying it's straightforward. However, my team, including new people, found that the documentation was not complex. They find it easy to understand and deploy the solution.

The time it takes to deploy the solution depends on the kind of resources you will utilize. For a basic deployment, I don't think it should take more than one day. Also, consider that if you face any error, you must troubleshoot, even basic errors. It should not take more than one day. I'm only talking about basic deployment, not integration, fine-tuning, or configuration.

The steps taken during the deployment process depend on various factors. If you're deploying the cluster base, you must deploy Elasticsearch and Logstash. If you're using it, you can even deploy Wazuh, and on top of it, Kibana which would be used for all your graphical user interfaces. If it is an all-in-one deployment, the steps taken are simple. Just a bunch of commands from the documentation you can see. But if it is a cluster deployment, it's different. If it's on a cloud, you have to deploy different instances for each server, like Logstash, Elasticsearch, and Kibana. But if you're using the solution on the cloud, you will use different instances. Or, if you're going to deploy a cluster on-prem, you might want different servers or VMs.

I am a security engineer and I have a team of security engineers. We are an MSSP that provides security services to different clients. For example, a customer might need us to monitor their infrastructure, so they'd provide us access to their SIEM and monitoring tools. Similarly, one of our clients in UAE approached us to monitor their infrastructure, and I learned that they are using Elastic Security as an SIEM. I wanted to ensure that my team and I were comfortable using this solution to get clients to use this product.

I rate Elasticsearch a six-point five out of ten.

To anyone planning on choosing Elasticsearch, I advise you to know your infrastructure first and then plan how many instances you'll need. Consider how the number of devices and your business will grow, and plan accordingly. Then, deploy the solution according to the best practices. Once deployed, make sure you organize your integrations so that the solution is easy to manage in the long run because when you have more than 200,000 or 300,000 log sources feeding logs into your ELK, it will be very tough to manage.