Our mean time to detect threats has been going down, which is a good thing
What is our primary use case?
Our primary use case for using the LogRhythm SIEM product is reviewing alarms, events, and managing our cases for forensic investigation.
How has it helped my organization?
The LogRhythm platform has helped my organization by being able to have 24 analyses on logs and events from all the various systems that feed into the LogRhythm platform. It gives our analysts the capability to assess rapidly and be able to respond to events in almost real time.
We currently have over 500 log sources inside the platform. Managing those is relatively easy. The main feature that we do take advantage of with our log sources is setting up silent log source alarms, so that way we can identify if a log source is not feeding logs as it should be.
Currently, our message processing rate is around 2,000 messages per second.
Our mean time to detect threats has been going down, which is a good thing. Lately, our main focus has been on handling and reducing the mean time to resolve phishing incidents within the company.
Our security maturity program has been overall positively influenced, mainly in the HIPAA healthcare spectrum, by meeting third-party auditing requirements and having those tested, too, and confirmed by our third-party auditors.
What is most valuable?
The capabilities that we mostly take advantage of in the LogRhythm platform are the wide array of log formats that we can bring in from various systems, and the capability to create custom rule processing capabilities for log sources that may not already be a part of the platform.
Currently, the playbook functionality is not in my version of LogRhythm, so we're looking forward to utilizing playbooks. Part of the main draw for me to come here was to learn more about the playbook functionality and how we can incorporate that into our platform. But right now, the functionality is not there.
What needs improvement?
The largest room for improvement would be inside the web platform, being able to have a longer log live time. Currently, we manage about five days of live log data inside the web console. Ideally, that should be 30 days-plus.
Buyer's Guide
LogRhythm SIEM
May 2025

Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.
What do I think about the stability of the solution?
Stability is very good, so stability for the LogRhythm platform has been very positive. We do have pain points around upgrades, but we have been able to engage with support and get a rapid response on how those issues were resolved.
What do I think about the scalability of the solution?
Scalability for the LogRhythm platform for my company has been very positive. We've been able to ingest logs from very high-traffic log sources without any type of issue or congestion, so very positive.
How was the initial setup?
I was not initially involved in the setup. I came in to manage the SIEM solution three years after its deployment.
What other advice do I have?
I would rate LogRhythm a nine out of 10, primarily because of the current functionality within the system and the direction that the company is going. I feel it's appropriately aligned with security today and being prepared for tomorrow.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Senior Network Engineer with 201-500 employees
Allows us to automate a lot of things with a smaller team
Pros and Cons
- "It allows us to automate a lot of things with a smaller team."
- "Move it to Linux. I would like to see it get off the SQL Server."
What is our primary use case?
We use it to alarm our help desk.
We are starting to use it for SMART Response. We have been using SMART Response for about a year. Now, we are starting to push that towards the help desk, so the junior analysts can do more.
How has it helped my organization?
It allows us to automate a lot of things with a smaller team.
What is most valuable?
- AI
- SMART Response
- Looking forward to using the playbooks
What needs improvement?
- Move it to Linux. I would like to see it get off the SQL Server.
- I would like it to be containerized.
What do I think about the stability of the solution?
Our appliance is a little older, so we need to upgrade it. We are going to probably move to the software-only version. However, the issues that we have are our own fault because we didn't buy the right-size appliance.
What do I think about the scalability of the solution?
We are not that big of a company. We are only at about 800 events per second.
How are customer service and technical support?
We have had a couple of custom logs built, but we don't call in that much.
How was the initial setup?
The initial setup is easy with the physical appliance.
What about the implementation team?
We have two people who are setting it up and doing the admin side.
What other advice do I have?
Make sure you size the appliance correctly.
We use Ansible and Terraform for infrastructure, so the same concept as the playbooks. We are looking to use the playbooks going forward.
We have about 1500 log sources. We do about 25 million logs a day. Obviously, they're not all events.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Security Officer at Optomany
Video Review
A single pane of glass for my analysts, gives us complete eyes and ears into our environment
How has it helped my organization?
From my point of view, at an organizational level, we're able to get that insight into what users are doing, what our applications are doing, whether there is any untoward traffic coming in, whether the applications are misconfigured. It's also used, dare I say, to tick a compliance box.
What is most valuable?
The most valuable feature for me is that it's a single pane of glass for all of the analysts in my team. It gives us complete eyes and ears into what's going on within our environment. We run two separate installations. One is in our datacenter where we handle all of the sensitive data, and one is on the enterprise side, so it gives us a real good visualization of what's really going on.
What needs improvement?
In terms of the product, what really needs to improve are the metrics that you can get from it. We're all about mean time to detection, mean time to response, pulling those metrics out so I can put them into my KPI packs to present to the board. Everyone in a CISO role is having the same challenge. We've got multiple spreadsheets. Being able to leverage the SIEM to give us the information would be invaluable.
The other area is Office 365. We're cloud-first as far as our enterprise goes, and what we lack at the moment is being able to pull that information into the SIEM. I understand that that's coming, so we're looking forward to that.
What do I think about the stability of the solution?
On the whole it's been fine. We've not had any issues with volume, with the system going down. There are a couple of tweaks that you get with older systems. Patching time is always interesting. When you want to do an upgrade, if you're going from a minor version it's fine. If you're going from a major, then it's always good to use the autopilot services.
What do I think about the scalability of the solution?
In a previous role of mine, we had an IT department that thought they could do everything, and virtualization was the way to go. That definitely didn't work. In the current organization, we found the two instances are very, very scalable. Being able to get additional licenses for agents works well, very easy to do.
How are customer service and technical support?
The feedback I get from the analysts in the team is that the first-line support is your traditional first-line support: they'll log a call. We often get the responses in a timely manner. If it needs to be escalated, we've got good contacts within the wider organization and it gets escalated from level one to level two. We definitely don't have any issues there.
It's nice to see that the vendor listens. If something does go wrong, they're on the phone giving you the support that you need. Other vendors don't necessarily do that as quickly as LogRhythm.
Which solution did I use previously and why did I switch?
If we go back nine to 10 years, we had the advent of PCI. The standards council says you needed to use file integrity. The only real solution at the time was Tripwire. That's when I got introduced to Ross Brewer (Vice President and Managing Director of EMEA for LogRhythm). From that point, we knew this was the right solution. We wanted to gather the logs into a central place.
How was the initial setup?
In the various guises that I've had over the years, we've gone from multiple installations across 54 datacenters, globally, into our smaller setups. It's easy to install, it's pretty much, as they say, "out of the box," but it needs to be fed and watered on a daily basis. You do need a team to look after it, which I think is the same with any SIEM out there, but this is much easier to use. And because it's out of the box, you get the information you need within the first couple of hours.
Which other solutions did I evaluate?
With the new organization that I've been with for three and a half years, we spent seven months looking at other solutions out there; looking at Splunk, looking at ArcSight. We did a trial, we stood them up next to each other. Straight away it was fairly evident that the LogRhythm application itself, and the agent roll-out, was straight out of the box. Like I said, it needs feeding, watering every day, but in terms of being able to take the box, put it into your datacenter, get it up and running, they're definitely light years ahead of the competition.
What other advice do I have?
In terms of the criteria for selecting a vendor, it always comes down to cost.
And usability. I like to make sure that my analysts are hands-on when we look at these tools. What's the interface like? How easy is it to use? What's the after-sales like? What's their tech support like? These are all things we need to look at.
Also, which operating systems do the agents run on? Can you integrate into all the hardware that you've got? What syslog feeds can it take? Can it take SNMP as well?
If colleagues were looking to purchase a similar solution, the guidance that I'd give them is make sure that they draw out what they're looking to get from the solution. Make sure they have an inventory of hosts. Don't go all out, don't put everything on at once. As they said, don't try to boil the ocean at once. What are your critical hosts? Feed that information in first. Build case studies. What do you want to get from it, what are you looking for? And then work your way through it.
What I've done in the past is I've asked them to come over to our office and take a look at our implementation. I'm happy to share that information with others. I'm able to give them some case studies on what we've found with the Windows operating systems and some of the other hardware out there.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director Of Infrastructure And Security
It has helped to give us visibility into our point of sale applications
What is most valuable?
- Ability to collect logs
- File integrity monitoring
How has it helped my organization?
It has helped. We are still not very mature in our use of the product, but we are trying to get there. We are pretty small on the security side, but it has helped to give us visibility into our point of sale applications.
Just maturing is one of our biggest challenges, and really leveraging all the tools that LogRhythm provides. Just keeping up with it.
What needs improvement?
Just integration into our ticketing system, which for us is ServiceNow. Just being able to integrate LogRhythm with that so we can track incidents.
Continued support to help us understand the solution better.
What do I think about the scalability of the solution?
It is very scalable, though we have not scaled it yet.
How are customer service and technical support?
It is very good. LogRhythm has also contributed some sales engineers to help us. We have also participated in a weekly call, and we did an evaluation of that for 90 days. This has also been very helpful.
Which solution did I use previously and why did I switch?
We were using another product called AlienVault. The main driving factor behind looking for this solution was our PCI compliance requirement. We switched from AlienVault due to a lack of parsing rules provided by them, and LogRhythm provided those parsing rules for the various devices we were collecting information from.
How was the initial setup?
I was involved in the initial setup. It was very straightforward. I had used a different product previous to LogRhythm, so I had a basis of what I wanted to compare to. I was able to take that little bit of experience and bring it to LogRhythm, and ask them how to accomplish these goals, and it was very straightforward. They helped through that process.
Which other solutions did I evaluate?
I can't remember anymore.
LogRhythm was involved in providing quick answers to some of the criteria that we wanted to accomplish (5-10 things), though, and they were able to come up with those answers very quickly.
What other advice do I have?
Make sure that what data you are collecting is usable. That is probably the biggest advice. Because the first product we used, we had problems just understanding the data presented in the SIEM console.
It's nice if the solution is a unified end-to-end platform, but it is not a deal breaker.
Most important criteria when selecting a vendor: Support after implementation is probably the biggest.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Data Sec Program Manager at a insurance company
Video Review
Streamlines correlating logs from many sources; enables alarms / reporting from them
Pros and Cons
- "The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources."
- "I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason."
How has it helped my organization?
The benefits we see are manifold: compliance. We have to store logs. We're under SOX control, we're now under the New York Department of Financial Services cyber regulations, we are under EU GDPR, and loads of regulations are coming out. To be able to store these logs and be able to access them if we need to, from an archive point of view, is very valuable.
What is most valuable?
The most valuable feature of LogRhythm for me is the ability to correlate logs throughout many different log sources. Every different log has a different time stamp, it has a different user, things are in different places. But with LogRhythm you can take all of your logs from all the different sources and make them relevant to each other.
So if you're looking for a user that is doing something malicious or if you're looking for a computer that is maybe making some calls out to systems that you've never made before, you can correlate based on a user attribute or a computer attribute to say, "Go find me everything that that user is doing." Because of the correlation, you can then have alarms and reporting off of multiple log sources.
What needs improvement?
I'm not really sure I can pinpoint any particular area that I see LogRhythm needing improvement in.
I think they probably need to, because a lot of companies are having this cloud-first strategy, where anything that's new has to go into the cloud for some reason. So I think with CloudAI coming out, that's really good. But maybe having more of LogRhythm in the cloud. Educating people about how we get LogRhythm more into the Cloud.
Part of the care and feeding of LogRhythm is staying on top of what's coming out in LogRhythm. I know that their community site has been improved and that they're wanting people to be more involved with the community. But I think making people aware of parts of LogRhythm that are new is very important.
What do I think about the stability of the solution?
On the whole it's a stable product. Occasionally we do have issues with upgrades, but Professional Services and the support staff have been very helpful with fixing any of the challenges that we've had.
What do I think about the scalability of the solution?
For us, because we're a small company with not that many locations - we only have seven datacenters in seven offices - we haven't had any problems with scale.
We did purchase a company a few years ago and adding their log sources into LogRhythm did not pose a challenge. We always know that with the system that we purchased, there's a certain limitation of messages per second that we have to watch out for, and we've never gone over that. So for us there have been no issues with scale.
How are customer service and technical support?
Whenever we've had Professional Services on site to work through new alarms, to implement a new feature that we haven't used before, they're always very professional, they're always very responsive. They follow up on items that they said they would, which is always good. We're paying them to do a service, and that's always nice, that they perform their service.
We have had challenges in the past with EU-based support - most of this is run out of Dublin and London - and those challenges were overcome by LogRhythm bringing their support back in-house. They were using a second-level team to perform the support. But once they fixed that, we get great support from LogRhythm.
When you open a ticket they acknowledge that a ticket has been put in, and then somebody will get back to us. We also have 24/7 support, so sometimes our ticket can move from the EU to the US, and we have people in the US that are able to take over the tickets. They seem to be very good at managing that.
Which solution did I use previously and why did I switch?
We did not have a SIEM solution in place at all. I was told to go out and look for one, so I did, and LogRhythm definitely came out on top for what we needed it for.
How was the initial setup?
The main challenge with setting up LogRhythm is you cannot just put LogRhythm in and let it run. You have to put some care and feeding into it. You really have to work on it.
LogRhythm gives you a lot of standard rules, but some of those, a lot of them, do need tweaking, and there are reasons for it. They can create a global rule that would work for maybe 20% of their customers, but everyone needs to go in and actually make changes. You have to have a staff on prem to be able to know your organization, know what your organization is looking for, and to be able to make those tweaks.
So the challenge with setting up LogRhythm is you don't just flip it on, you work at it, you make sure that you're invested in it. You have to have a team. It doesn't necessarily have to be a huge team of people that are working on LogRhythm 24/7. I'm sure for some financial institutions, or some institutions, that has to happen. But you need to align resources internally to be able to know the product.
It's almost best if you have a first-line support for LogRhythm internally, because you can't always rely on somebody else to fix your problems. You really have to know your system. So taking the LogRhythm training - when we've had other people come on to our staff - I've done a lot of training, but we have had Professional Services come back and do more internal training.
What other advice do I have?
In terms of criteria for choosing a vendor, when you go through an RFP process there are always weighted criteria. We went through that whole process and started out with eight vendors, got it down to two and then selected LogRhythm. For me it's relationship, I want to feel that the product that we're buying is going to be supported, and that we have almost a team behind us that is there. When we did purchase LogRhythm we felt that. We bought a lot of Professional Services time to help us implement.
It's not like the sales guy says, "Okay bye," and never talks to you again, and just takes in the money for the license renewal every year. They have customer boards, the sales engineers will talk to you and will bring things to the table. They'll come and do a health check. I don't feel like we just bought a product with LogRhythm, I felt that we bought a team.
You have to allocate resources, and that's why I've recommended LogRhythm to a few friends and colleagues. To get the best out of LogRhythm you really have to put the time in.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
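An added example, written for this page and not code from LogRhythm or from any reviewer, covering two things the reviews describe: the silent log source alarm from the first review (a source that stops feeding logs must raise an alarm), and the cross-source correlation by user attribute the Data Sec Program Manager describes, where every source stamps time and names the user differently. All log formats, host names, the user "jdoe" and the gap policy are constructed for the example; the BSD syslog line gets an assumed year because the format carries none.

```python
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
ASSUMED_SYSLOG_YEAR = 2024  # BSD syslog lines carry no year; assumption for the sample

# Constructed sample lines per source; formats, hosts and user "jdoe" are invented, not LogRhythm's.
SAMPLE_LOGS = {
    "win-dc01": [
        "2024-05-01T09:00:12Z EventID=4625 TargetUserName=JDoe IpAddress=10.0.0.5",
        "2024-05-01T09:00:20Z EventID=4625 TargetUserName=JDoe IpAddress=10.0.0.5",
        "2024-05-01T09:00:31Z EventID=4624 TargetUserName=JDoe IpAddress=10.0.0.5",
    ],
    "vpn01": ["May  1 09:03:40 vpn01 sslvpn: user=jdoe src=198.51.100.7 action=login"],
    "proxy01": ["1714554300 10.0.0.5 jdoe CONNECT updates.example.net:443 200"],
    "fw-edge": ["2024-04-28T22:15:00Z action=deny src=203.0.113.9 dst=10.0.0.5"],
}
# Silent-source policy: the longest gap each source may go without an event.
# "ids01" is configured but has never sent anything, which must also raise the alarm.
EXPECTED_GAPS = {
    "win-dc01": timedelta(minutes=15), "vpn01": timedelta(hours=1),
    "proxy01": timedelta(minutes=15), "fw-edge": timedelta(hours=1),
    "ids01": timedelta(hours=1),
}
CHECK_TIME = datetime(2024, 5, 1, 9, 10, tzinfo=UTC)  # "now" for the sample run

WIN_RE = re.compile(r"^(\S+) EventID=(\d+) TargetUserName=(\S+) IpAddress=(\S+)$")
VPN_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sslvpn: user=(\S+) src=(\S+) action=(\S+)$")
PROXY_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
FW_RE = re.compile(r"^(\S+) action=(\S+) src=(\S+) dst=(\S+)$")
WIN_EVENTS = {"4624": "logon_success", "4625": "logon_failure"}

def _iso(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

def _syslog(s):
    stamp = f"{ASSUMED_SYSLOG_YEAR} " + " ".join(s.split())
    return datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)

# Per-source parsing rule: (regex, builder from match to the common schema). Each source
# names the user and the timestamp differently; the common schema is what correlation runs on.
PARSERS = {
    "win-dc01": (WIN_RE, lambda m: {"ts": _iso(m[1]), "user": m[3], "ip": m[4],
                                    "action": WIN_EVENTS.get(m[2], "event_" + m[2])}),
    "vpn01": (VPN_RE, lambda m: {"ts": _syslog(m[1]), "user": m[2], "ip": m[3],
                                 "action": "logon_success" if m[4] == "login" else m[4]}),
    "proxy01": (PROXY_RE, lambda m: {"ts": datetime.fromtimestamp(int(m[1]), tz=UTC),
                                     "user": m[3], "ip": m[2], "action": "proxy_" + m[4].lower()}),
    "fw-edge": (FW_RE, lambda m: {"ts": _iso(m[1]), "user": None, "ip": m[3],
                                  "action": "fw_" + m[2]}),
}

def normalise(logs=SAMPLE_LOGS):
    """Parse each line with its source's rule into one schema. User names are
    lower-cased so 'JDoe' on the domain controller correlates with 'jdoe' on the VPN."""
    events = []
    for source, lines in logs.items():
        regex, build = PARSERS[source]
        for line in lines:
            m = regex.match(line)
            if m is None:
                continue  # an unparsed line is itself a sign the parsing rule needs work
            ev = build(m)
            ev["source"] = source
            ev["user"] = ev["user"].lower() if ev["user"] else None
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def user_timeline(events, user):
    """'Go find me everything that user is doing', regardless of which source logged it."""
    return [e for e in events if e["user"] == user.lower()]

def failures_then_success(events, threshold=2, window=timedelta(minutes=5)):
    """Cross-source correlation rule: at least `threshold` logon failures for a user,
    then a logon success within `window`. Returns {user: timestamp of that success}."""
    hits, failures = {}, {}
    for e in events:
        if e["user"] is None:
            continue
        if e["action"] == "logon_failure":
            failures.setdefault(e["user"], []).append(e["ts"])
        elif e["action"] == "logon_success" and e["user"] not in hits:
            recent = [t for t in failures.get(e["user"], []) if e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits[e["user"]] = e["ts"]
    return hits

def silent_sources(events, expected_gaps, now):
    """Silent log source alarm: a source is silent when its newest event is older than
    its allowed gap, or when it has never sent anything. Returns {source: last_seen}."""
    last_seen = {}
    for e in events:
        if e["source"] not in last_seen or e["ts"] > last_seen[e["source"]]:
            last_seen[e["source"]] = e["ts"]
    return {src: last_seen.get(src) for src, gap in expected_gaps.items()
            if last_seen.get(src) is None or now - last_seen[src] > gap}

if __name__ == "__main__":
    evs = normalise()
    print("correlated:", failures_then_success(evs))
    print("silent:", silent_sources(evs, EXPECTED_GAPS, CHECK_TIME))
```

The two alarms differ in what they watch: the correlation rule fires on event content across sources, while the silent-source check fires on the absence of events, which is why a configured source that never sent anything (`ids01`) must be listed in the gap policy rather than discovered from the data.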
VP, Information Security Officer with 501-1,000 employees
Custom rules/alerts in LRM and AIE provide insight into network for internal users and InfoSec, although adding an entity could be much faster.
What is most valuable?
- Advanced Intelligence Engine (AIE) for threat intelligence, 9/10
- LRM for logging and compliance, 8/10
How has it helped my organization?
Custom rules/alerts in LRM and AIE provide insight into network for internal users as well as InfoSec. Proactive account lockout alerts for SecAdmin, alerts to DBAs on domain admin access to SQL servers, PCI and GLBA compliance alerts/reports for InfoSec and Audit.
What needs improvement?
Adding an entity (should be able to create a template and/or eliminate locations) could be much faster/streamlined. The wizard could be improved to specify OU/Groups to search for new entities.
For how long have I used the solution?
- LRM – four years
- AIE – three years
What was my experience with deployment of the solution?
No issues encountered.
What do I think about the stability of the solution?
There have been issues with the hardware which has resulted in the LRM going down a few times.
What do I think about the scalability of the solution?
No issues encountered.
How are customer service and technical support?
Customer Service: It's the best there is.
Technical Support: It's the best there is.
Which solution did I use previously and why did I switch?
We had Tripwire, but we needed logging and SIEM, not just logging.
How was the initial setup?
It was straightforward as the training provided all the tools. Also, the UI has gotten better with time.
What about the implementation team?
We had a mix of an in-house team with one from LogRhythm.
What was our ROI?
Literally impossible to quantify. We haven’t had any events or deficiencies in audits, which is invaluable.
What's my experience with pricing, setup cost, and licensing?
Pricing (especially considering feature sets) is best in the market, though HA/DR is tough to justify for a SMB. Even with two outages due to hardware we haven’t invested in a backup.
Which other solutions did I evaluate?
- QRadar
- RSA
- Tripwire
What other advice do I have?
Implementation time, hygiene/maintenance time, functionality, and cost make it the clear choice in a competitive market.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
HP ArcSight vs. IBM QRadar vs. McAfee Nitro vs. Splunk vs. RSA Security vs. LogRhythm
We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we are following it up with a SIEM Product Comparison – 101 deck. So, here it is for your viewing pleasure. Let me know what you think by posting your comments below. The key products compared here are based on the Gartner Magic Q, which is what organizations typically use to select SIEM vendors. The vendors mentioned here in the deck are:
1. HP ArcSight
2. McAfee Nitro
3. IBM QRadar
4. Splunk SIEM
5. RSA Security Analytic
6. LogRhythm.
SIEM Technology Space
SIEM market analysis of the last 3 years suggests:
HP ArcSight
The ArcSight Enterprise Threat and Risk Management (ETRM) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- ArcSight Enterprise Security Manager (ESM): Correlation and analysis engine used to identify security threats in real-time & virtual environments
- ArcSight Logger: Log storage and Search solution
- ArcSight IdentityView: User Identity tracking/User activity monitoring
- ArcSight Connectors: For data collection from a variety of data sources
- ArcSight Auditor Applications: Automated continuous controls monitoring for both mobile
| Strengths | Weaknesses |
|---|---|
| Extensive Log collection support for commercial IT products & applications | Complex deployment & configuration |
| Advanced support for Threat Management, Fraud Management & Behavior Analysis | Mostly suited for Medium to Large Scale deployment |
| Mature Event Correlation, Categorization & Reporting | Requires skilled resources to manage the solution |
| Tight integration with Big data Analytics platform like Hadoop | Steep learning curve for Analysts & Operators |
| Highly customizable based on organization’s requirements | |
| Highly Available & Scalable Architecture supporting Multi-tier & Multi-tenancy | |
IBM QRadar
The QRadar Integrated Security Solutions (QRadar) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- QRadar Log Manager – Turn key log management solution for Event log collection & storage
| Strengths | Weaknesses |
|---|---|
| Very simple deployment & configuration | Limited customization capabilities |
| Integrated view of the threat environment using Netflow data, IDS/IPS data & Event logs from the environment | Limited Multi-tenancy support |
| Behavior & Anomaly Detection capabilities for both Netflow & Log data | Limited capability to perform Advanced Use Case development & analytics |
| Suited for small, medium & large enterprises | |
| Highly Scalable & Available architecture | |
McAfee Nitro
The McAfee Enterprise Security Management (formerly Nitro Security) Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- McAfee Enterprise Log Manager – turn key log management solution for Event log collection & storage
- McAfee Event Receiver – collecting log data & native flow data
- McAfee Database Event Monitor – database transaction & Log monitoring
- McAfee Application data Monitor – application layer event monitoring
- McAfee Advanced Correlation Engine – advanced correlation engine for correlating events both historical & real time
| Strengths | Weaknesses |
|---|---|
| Integrated Application Data monitoring & Deep Packet Inspection | Very basic correlation capabilities when compared with HP & IBM |
| Integrated Database monitoring without dependence on native audit functions | Limitations in user interface when it concerns navigation |
| High event collection rate suited for very large scale deployment | Requires a lot of agent installs for Application & database monitoring thereby increasing management complexity |
| Efficient query performance in spite of high event collection rate | No Big Data Analytics capability |
| | Limited customization capabilities |
| | Limited support for multi-tier & multi-tenancy architecture |
Splunk
Splunk Enterprise is an integrated set of products that provide Log Collection, management & reporting capabilities using:
- Splunk Indexer – used to collect and index logs from IT environment
- Splunk Search Heads – used to search & report on IT logs
- Splunk App for Enterprise Security - used to collect external threat intelligence feeds, parse log sources and provide basic analytics for session monitoring (VPN, Netflow etc.)
| Strengths | Weaknesses |
|---|---|
| Extensive Log collection capabilities across the IT environment | Pre-SIEM solution with very limited correlation capabilities |
| Log search is highly intuitive – like Google search | Even though easy to deploy, increasingly difficult to configure for SIEM related functions |
| Flexible dash boarding & analytics capability improves Log visualization capabilities | |
| Built-in support for external threat intelligence feeds both open source & commercial | |
| “App Store” based architecture allowing development of Splunk Plugins to suit monitoring & analytics requirements | |
RSA Security
RSA Security Analytics is an integrated set of products that provide Network Forensics, Log Collection, management & reporting capabilities using:
- Capture Infrastructure
  - RSA Security Analytics Decoder – Real time capture of Network Packet and log data with Analysis and filtering capabilities
  - RSA Security Analytics Concentrator – Aggregates metadata from the Decoder
  - RSA Security Analytics Broker Server – For reporting, management and administration of capture data
- Analysis & Retention Infrastructure
  - Event Stream Analysis – Correlation Engine
  - Archiver – Long term retention, storage, security & compliance reporting
  - RSA Security Analytics Warehouse – Big Data Infrastructure for Advanced Analytics
| Strengths | Weaknesses |
|---|---|
| Great Analytics using Event Log Data & Network Packet Capture | New Product release from RSA, hence advanced Security correlation support is poor |
| Network forensics, Big Data (Parallel Computing) are cornerstones in SIEM world | Security Analytics Warehouse is a new capability with very little real world use cases |
| Tightly Integrates with RSA ecosystem for Threat Intelligence, Fraud Detection, Malware Analysis etc. (each requires separate RSA Tools) | Suited only for large enterprises with need for complex deployment and management resources. Poor deployment options for small and midsize customers |
LogRhythm
The LogRhythm SIEM 2.0 Security Intelligence Platform is an integrated set of products for collecting, analysing, and managing enterprise Security Event information.
- Log Manager – high performance, distributed and redundant log collection and management appliance
| Strengths | Weaknesses |
|---|---|
| Well balanced log management, reporting, event management, privileged user monitoring and File integrity monitoring capabilities | Suitable for Security event data only, as Operational data sets cause slowing performance for searches and reports |
| Fast deployment with minimal configuration because of appliance form factor | No Support for Active Directory integration for Role-Based Access Control |
| Quarterly Health Check programs post-deployment offers great After sales-Service experience | Suited best for small and mid size companies with basic security, regulatory compliance and reporting needs. Not scalable for very large deployments. |
A summary scoring sheet for SIEM vendors based on their core capabilities is given below:

| Capability | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight |
|---|---|---|---|---|---|---|
| Real-time Security Monitoring | 3.1 | 3.2 | 2.5 | 3.9 | 4.2 | 4.4 |
| Threat Intelligence | 3.7 | 2.5 | 3.0 | 2.8 | 3.5 | 4.5 |
| Behavior Profiling | 2.5 | 2.3 | 3.0 | 3.0 | 5.0 | 4.0 |
| Data & End User Monitoring | 3.6 | 3.5 | 1.7 | 3.6 | 3.5 | 4.0 |
| Application Monitoring | 3.8 | 3.5 | 1.8 | 3.7 | 3.3 | 3.8 |
| Analytics | 2.5 | 2.5 | 3.8 | 4.5 | 3.5 | 4.0 |
| Log Management & Reporting | 3.5 | 3.8 | 3.5 | 3.8 | 3.9 | 4.0 |
| Deployment & Support Simplicity | 3.0 | 4.0 | 2.5 | 3.5 | 3.5 | 3.0 |
| Total (Weighted Score) | 25.7 | 25.3 | 21.8 | 28.8 | 30.4 | 31.7 |

Scale: 1.0 = Low level of capability; 5.0 = High level of capability
SIEM Vendors – Use Cases Score Card
Use Cases | RSA Security Analytics | LogRhythm | Splunk | McAfee Nitro | IBM QRadar | HP ArcSight |
--- | --- | --- | --- | --- | --- | --- |
Overall Use Cases | 3.2 | 3.2 | 2.7 | 3.6 | 3.8 | 4.0 |
Compliance Use Cases | 3.3 | 3.7 | 3.0 | 3.7 | 3.8 | 3.8 |
Threat Monitoring | 3.1 | 3.1 | 2.9 | 3.8 | 3.7 | 4.0 |
SIEM | 3.2 | 3.4 | 2.8 | 3.6 | 3.8 | 3.9 |
Total (Weighted Score) | 12.8 | 13.4 | 11.4 | 14.7 | 15.1 | 15.7 |
1.0 = Low level of capability
5.0 = High level of capability
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Security Analyst at a leisure / travel company with 10,001+ employees
Enabled us to build alarms that allow us to react to issues quickly
What is our primary use case?
Our primary use case is incident response and alerting. In terms of performance, it's pretty awesome.
How has it helped my organization?
It has saved us a lot of time. We've built some pretty cool custom alarms to alert us on stuff that we know is bad so we can respond to issues pretty quickly.
What is most valuable?
The AI Engine is the most valuable feature.
What do I think about the stability of the solution?
We've had no issues with it regarding stability. It's been pretty rock solid.
What do I think about the scalability of the solution?
Scalability has been a little tougher for us. We're definitely looking to scale up. We've got a few log sources that we don't have in there that we need to get in there, but it's going to take a little additional effort.
How are customer service and technical support?
Technical support is fantastic.
What other advice do I have?
It's been pretty great. For us, the use case is all about generating actionable alerts and alarms and seeing how much we can reduce manual operations, so that's what I would compare: time saved.
We don't use the full-spectrum analytics capabilities. In terms of playbooks, we're still on 7.26 so we don't have the playbooks yet, but we're upgrading as a high priority right now. For deployment and maintenance of the solution, we use two staff members.
In terms of log sources, we have a couple of thousand and our MPS is 3,800.
When selecting a vendor, what's important for us is support. Support is huge.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Buyer's Guide
Download our free LogRhythm SIEM Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025
Cost/license should also be part of the criteria, because the capabilities of these solutions depend on how much EPS they are licensed to process. A lot of "events" go down the drain if they exceed the EPS that the customer licensed, therefore giving an incomplete view of the network. Some remarketers of these solutions have crimped their proposals just to make a sale. Just my 2 cents.
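The EPS point in the comment above is worth checking before signing a licence, and the check is simple to script. The following is an added example, not code from the commenter, the page or any SIEM vendor: it bins a stream of log lines into wall-clock seconds, models a hypothetical hard cap (events beyond the licensed EPS in any one second are discarded), and reports how many events would be lost, what fraction of the traffic would actually reach the SIEM, and which sources dominate the overloaded seconds. The licensed rate (10 EPS), the source names (fw01, dc01) and the traffic profile are all constructed for the example; real products meter and buffer differently, so use this as a sizing sanity check against your own exported logs rather than as any vendor's accounting.

```python
"""Estimate event loss under a licensed events-per-second (EPS) cap.

Added example. Assumes a hard per-second cap, which is a simplification
of how real SIEM licences are enforced.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical contracted rate for this example (assumption, not a product value).
LICENSED_EPS = 10

# Constructed traffic profile: (second offset, source, events in that second).
# A quiet firewall plus a domain controller that bursts during a logon storm.
_PROFILE = [
    (0, "fw01", 4), (0, "dc01", 3),
    (1, "fw01", 5), (1, "dc01", 4),
    (2, "fw01", 4), (2, "dc01", 18),
    (3, "fw01", 5), (3, "dc01", 12),
    (4, "fw01", 3), (4, "dc01", 2),
]


def build_sample_logs(profile=_PROFILE):
    """Expand the profile into syslog-like lines: '<ISO timestamp> <source> <msg>'."""
    base = datetime(2024, 1, 15, 12, 0, 0)
    lines = []
    for offset, source, count in profile:
        stamp = (base + timedelta(seconds=offset)).isoformat()
        lines.extend(f"{stamp} {source} event={i}" for i in range(count))
    return lines


def parse_line(line):
    """Return (second, source) for one line; the message body is ignored."""
    stamp, source, _ = line.split(" ", 2)
    second = datetime.fromisoformat(stamp).replace(microsecond=0)
    return second, source


def events_per_second(lines):
    """Map each wall-clock second to a Counter of events by source."""
    per_second = defaultdict(Counter)
    for line in lines:
        second, source = parse_line(line)
        per_second[second][source] += 1
    return per_second


def peak_eps(per_second):
    """Highest observed one-second event count; what the licence has to cover."""
    return max(sum(counts.values()) for counts in per_second.values())


def dropped_under_cap(per_second, licensed_eps):
    """Model a hard per-second cap: events beyond it are discarded.

    Returns totals plus which sources dominate the overloaded seconds, so the
    analyst knows whose events are missing from the view of the network.
    """
    total = dropped = overloaded = 0
    blame = Counter()
    for second in sorted(per_second):
        counts = per_second[second]
        n = sum(counts.values())
        total += n
        excess = max(0, n - licensed_eps)
        if excess:
            overloaded += 1
            dropped += excess
            blame.update(counts)
    retained = total - dropped
    return {
        "total": total,
        "dropped": dropped,
        "retained": retained,
        "coverage": retained / total if total else 1.0,
        "overloaded_seconds": overloaded,
        "top_sources_during_overload": blame.most_common(),
    }


if __name__ == "__main__":
    logs = build_sample_logs()
    per_sec = events_per_second(logs)
    print("peak EPS:", peak_eps(per_sec))
    print(dropped_under_cap(per_sec, LICENSED_EPS))
```

On the constructed profile the peak is 22 EPS against a 10 EPS licence, 19 of 60 events are lost, and the domain controller accounts for most of the overloaded seconds, which is the kind of per-source breakdown that tells you whether to raise the licence, filter noisy event IDs at the collector, or both.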