it_user756381 - PeerSpot reviewer
Manager Of Cyber Security at a healthcare company
Vendor
It gives us advanced knowledge of malware presence and persistent threats
Pros and Cons
  • "As a healthcare company, what we use it for is compliance, then to protect our data from exfiltration."
  • "In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution."

How has it helped my organization?

It has benefited the IT team's security functionality.

Our key challenge is HIPAA compliance. Then obviously, protection against malware, and particularly ransomware, is one vital threat to our organization.

What is most valuable?

As a healthcare company, what we use it for is compliance, then to protect our data from exfiltration.

What needs improvement?

  • The greater AI
  • API support

Increased total costs of ownership (TCO): We have had to staff up our SOC. This has required analysts, which has required salary and staffing requirements.

In the next release, I would certainly like to see more HIPAA compliance. I would also like to see more integration with Palo Alto Networks, particularly their Traps, which is their endpoint solution.

In addition, I'd like to see more automation coming in. Whilst they have SmartResponse, it does not yet configure with OpenAPI support. That is something that I feel they need to look at in their next edition.

What do I think about the scalability of the solution?

The scalability is very good. One of the reasons that we bought LogRhythm was because of its scalability. We intend to scale up as we increase our company size.

Buyer's Guide
LogRhythm SIEM
May 2025
Learn what your peers think about LogRhythm SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,823 professionals have used our research since 2012.

How are customer service and support?

It is mostly good. We are not always able to reach the right person. We have had a couple of problems that were escalated all the way to Level 3, but they have always been solved.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

As a healthcare organization, we obviously have to have HIPAA compliance. This was the main driver for purchasing the solution.

How was the initial setup?

I was involved in the setup. It was mostly straightforward.

What's my experience with pricing, setup cost, and licensing?

Look at your staffing. Do you have highly technical people on your staff? If you do, then you obviously want to buy the product and look at your scalability options. If you don't have your staff, absolutely look into the co-pilot and factor that into your cost evaluation.

Which other solutions did I evaluate?

The SIEM tools we considered included Splunk and SolarWinds.

For LogRhythm against Splunk, it was their pricing model. For SolarWinds, LogRhythm's reputation and scalability.

What other advice do I have?

It is highly important for our solution to be a unified end-to-end platform.

Most important criteria when selecting a vendor:

  • Scalability
  • The ability to have support.

LogRhythm has their co-pilot, which is absolutely essential, and whilst we do not use co-pilot in our organization, knowing it is there is certainly absolutely valuable.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user756435 - PeerSpot reviewer
Threat And Awareness Manager at a tech services company with 1,001-5,000 employees
Consultant
We are using the custom dashboard and actively using it towards proactive investigations

What is most valuable?

It is the dashboards. Up until just a couple of weeks ago, we were just using the standard dashboards. We actually had our account manager and professional services team members come out to our Security Operations Center (SOC) and essentially walk through our processes and how the SOC operates. One of the immediate improvements was using the dashboards more effectively, so we just used the standard, out-of-the-box dashboard, and it actually wasn't really telling us much.

Now, the SOC have custom dashboards, showing them a lot more useful information, puts the information in context, and they are actively using it for proactive investigations, rather than just responding to alarms.

How has it helped my organization?

It has certainly helped with the visibility. We probably don't use the platform to its full extent. We've expanded the size of our SOC and the number of people in it. We are now starting to use the features, such as SmartResponse, to help automate things. We've probably been guilty of throwing people at the problem, as opposed to leveraging the tool itself. We are now trying to change that.

We host quite a volume of sensitive, personal data. We are a credit reference agency, based in the UK, and we hold records on probably, around about 50 million adults, both personal information and financial information. Our core role is protecting the confidentiality of that, so breaches, such as the Equifax breach, that happened recently, we have absolutely got to avoid that.

We are not leveraging the tool to its fullest extent at the moment. We had a focus session with our SOC, the other week, and we've got a defined roadmap now to make things a lot better.

We are at a good place now. We have just started using things, such as case management, whereas previously we were just responding to individual alarms. We're starting to use things a little bit more intelligently now, so not just using the technology, but also helping improve our processes through the use of the technology.

What needs improvement?

There are enough features that we are not using, and not to their fullest extent, at the moment.

For how long have I used the solution?

The company has been using the platform for seven years. I joined the company three years ago.

What do I think about the stability of the solution?

We tend to struggle. We do see performance issues fairly regularly. I think part of this is the stress that we're putting it under, with the volume of events that it is receiving. When we put the new appliances in, which is imminently, we're hoping that it will solve a number of issues: the number of the performance issues that we see.

What do I think about the scalability of the solution?

It seems to be scaling well.

We have currently just got a single platform manager that's been carrying out the role of the web console and AIE server. We've probably thrown too many events at it, and we are now, effectively, putting in a DR solution, a second platform manager, and then spinning off individual components, so appliances for the web console and AIE server.

We are effectively doubling the size of the platform, at the moment, to cope with the volume of logs that we're throwing at it.

How are customer service and technical support?

A couple of the team do tend to find that certainly the initial contact with support slows things down a little bit. I think their support has their script or their route to follow to triage the issue, whereas we've already done that because we know the platform, we've been there and we know what to do when something happens. Generally, we contact support when all else has failed. For us, we probably need to hop down the line a little bit, rather than just hit the initial support function (the first line).

When we do reach the right level, they are knowledgeable.

Which solution did I use previously and why did I switch?

The risk appetite changed. We are in quite a regulated organization, and having something like LogRhythm in place gives us the visibility and the comfort that we've got the monitoring required in place.

Which other solutions did I evaluate?

I would not know.

What other advice do I have?

Technology's important, but it is the support you get as well. Don't just focus on, necessarily, the features and technology, but also consider the support and the engagement you get with the organization.

Most important criteria when selecting a vendor: the relationship. I would not want to work with an organization that just sells you the technology, then disappears, or that you only ever speak to when there is a problem. It is starting to look a little bit more like a partnership now with LogRhythm; that's exactly what we want to maintain.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user756300 - PeerSpot reviewer
Security Architect at a leisure / travel company
Vendor
Facilitates aggregating all the logs into a single platform, and then doing real-time monitoring

How has it helped my organization?

We used to use a third-party vendor. We migrated to an in-house security operation center, so it's been a big difference.

What is most valuable?

We're doing almost 10,000 EPS right now and we have anywhere between 5000 and 6000 servers, and a couple thousand network devices more or less.

Our goal is pretty much to gather all those logs. Keeping track of when new servers are deployed and new network equipment gets put out there, and then having them report to LogRhythm. That's mainly the biggest challenge so far.

Mostly for us the most valuable feature is its aggregation of all the logs into a single platform, and then doing the real-time monitoring based on that.

Also, the real-time monitoring piece of it, that's extremely valuable. Plus you can tweak a lot of their settings while other systems don't really let you.

What needs improvement?

Dashboards, reports. Right now I know there's a big issue with reporting. It's challenging, at least for us, to do some of the reporting within the system itself. Hopefully that's something that gets improved.

Also, when you're reaching out to any other solution out there, any third party, most of them have integrations with Splunk; that's something that is lacking on the LogRhythm side. They're lagging behind when it comes to integration with the main platforms.

So hopefully, with the help of the entire community, we can build something a little bit more flexible when it comes to integrations.

What do I think about the scalability of the solution?

We had some issues. Unfortunately, it was not sized properly from the beginning. But now with the additional boxes on everything, so far it's pretty solid.

How are customer service and technical support?

They're pretty good. Sometimes I wish they would be a little bit quicker getting back to you, at least when you open a ticket, but apart from that they're pretty good. We usually do reach the right person within the SLAs they have.

Which solution did I use previously and why did I switch?

We were using a third party, Dell SecureWorks. We wanted to go away from that and go into more of a centralized system in-house. We went through a bunch of factors and LogRhythm came out on the top.

How was the initial setup?

It was good. We have a lot of collectors, we ended up having almost 50 collectors in total, so it was a little bit challenging, but it's not bad.

Which other solutions did I evaluate?

  • Curator Security
  • Splunk
  • ArcSight

We took it as far as they were able to help us with very specific things we do as a company, and LogRhythm came out on top.

What other advice do I have?

We're migrating to a dumb-terminal type of environment. That's the end goal that we have, because we have noticed that there's no way for us to secure everything. There's really no way. So having the users centralized into one location, it makes a big, big difference.

So far it's working fine. Like I said, we had some little things here and there but we've revised the architecture and now it's good.

For selecting a vendor we had a matrix. There were a bunch of points that we were trying to cover. How easy is it to use? For Roger's group, for example, to see how easy it was to adapt from the GUI base to the console.

In terms of a unified, end-to-end platform, I'd say we're not married to specific vendors or companies, that's the nature of our business, at least how we run. But it's good to have everything in one solution.

If I had a colleague at another company researching this and other SIEM security tools, I would give him my matrix.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user331482 - PeerSpot reviewer
Senior Manager, Distributed Systems at an insurance company with 501-1,000 employees
Vendor
It's reduced the time and effort necessary to manage and review logs and produce reports for regulatory compliance, though their professional services hourly rate is above average.

What is most valuable?

  • SIEM
  • File Integrity Monitoring
  • Canned compliance reports (PCI, GLBA, HIPAA).

How has it helped my organization?

The solution has significantly reduced the time and effort necessary to manage and review logs and produce reports for regulatory compliance.

What needs improvement?

No current suggestions.

For how long have I used the solution?

I've used it for six years.

What was my experience with deployment of the solution?

No issues encountered.

What do I think about the stability of the solution?

No issues encountered.

What do I think about the scalability of the solution?

No issues encountered.

How are customer service and technical support?

Customer Service:

8/10

Technical Support:

10/10

Which solution did I use previously and why did I switch?

No previous solution was in place.

How was the initial setup?

Our entire implementation was completed in one day.

What about the implementation team?

The vendor team was one of the best we have ever worked with. They were able to work through issues not covered in their implementation manuals quickly, and without further support.

What was our ROI?

No ROI. The solution is in place to meet PCI compliance and improve our overall security posture.

What's my experience with pricing, setup cost, and licensing?

While LogRhythm's professional services are one of the best we have ever worked with, their hourly rate is generally quoted at a much higher rate than the industry standard. Additionally, the hours necessary for an engagement are also regularly overestimated.

Which other solutions did I evaluate?

Several other solutions were considered including Q1 Labs (now IBM), EMC, and HP.

What other advice do I have?

There were two primary reasons we selected LogRhythm. First was the ease of implementation, which was extremely simple and straightforward. Second was the integration of file integrity monitoring. LogRhythm at the time, and I believe still today, was the only vendor that provided a solution that included integrated SIEM and FIM.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user756363 - PeerSpot reviewer
IT Analyst at an energy/utilities company with 501-1,000 employees
Vendor
Visibility into all log sources in one place, and alerting are key advantages; helped us find misconfigurations

What is most valuable?

Visibility, obviously. Seeing all the logs from all the various log sources, be it perimeter, internal, overall security controls; getting it in one pane of glass. And alerting, obviously.

How has it helped my organization?

I started here two years ago, no SIEM. Now we have visibility into any type of external attacks, perimeter attacks. We've found operational problems, misconfigurations, things like that.

What needs improvement?

Logging improvements. I think that the template to reporting is just difficult, it's hard to go back. You can't modify the templates. So more customization. That would be key.

We could also use more information on how to integrate with specific vendors.

Threat intelligence is a big thing. LogRhythm actually has a pretty good threat intelligence deal, but we happen to use a vendor that is not built-in. It'd be great if LogRhythm could expand more on the user forum on how to integrate more with the more non-mainstream vendors.

What do I think about the scalability of the solution?

It's good. We have all-in-one, an XM unit, because we're a smaller shop. It's been a great, a single unit. As we've needed to expand, I've put out more collector systems feeding back into the XM unit, so it's good.

How are customer service and technical support?

We've used them many times. I'd say overall good. I was actually an ArcSight user at a previous company, I'd rank LogRhythm higher than those guys.

Which solution did I use previously and why did I switch?

As I said, it was ArcSight at my previous company. I was lucky enough to try to build the security practice where I'm at now. LogRhythm was one of three that we evaluated.

How was the initial setup?

I'd say straightforward. We did have PS as well, so it was very helpful.

Which other solutions did I evaluate?

QRadar and Splunk. And, for whatever reason - it is not really a true SIEM player - Tripwire. Management wanted us to evaluate Tripwire.

What other advice do I have?

We're about 1200 seats, 10 locations roughly, totally a Cisco shop, from perimeter ASAs to IDS, Sourcefire, to web filtering, it's a big Cisco shop that I stepped into.

Our key security goals revolve around maturation and pulling more information into the SIEM. We started off with the low hanging fruit, the Active Directory, the SOCKS servers, things like that. But now we need to get more - all our security controls as well - security systems. We need more from executive PCs, from application servers, we need more visibility I think.

In terms of meeting these goals, this solution, on a scale of one to 10, is an eight, at least in terms of how we've been able to adopt it.

The most important criterion when selecting a vendor is interoperability, the ability to pull logs, and the ease of customizing log parsing. By far.

In terms of advice to a colleague, if they're looking at this and similar solutions: I've dealt with ArcSight before, they're a magnitude higher in terms of operationally managing the software. I haven't used QRadar, but from the surface, looking at it from 10,000 feet, I would say LogRhythm and it are probably much easier to manage, much easier to use.

LogRhythm has been really a good partner, they've reached out, they're always wanting information, "How can we improve? How can we do this or that?" Our SE and sales guy are really great. They keep in touch, so I feel like there's someone I can always reach out to if there's a problem.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
NetworkS5932 - PeerSpot reviewer
Network Security at an energy/utilities company with 501-1,000 employees
Real User
Provides an eagle-eye view and enables you to delve down granularly and easily

What is most valuable?

For me, the NERC compliance modules are probably the best thing. And the system monitors, they really pick up a lot for me.

It helps you get an eagle-eye view and then delve down granularly. The ease of that is pretty amazing.

How has it helped my organization?

I've got three main datacenters and then I'm processing somewhere in the vicinity of 20 million logs a day. My key challenge is making sure that I'm complying with federal regulations.

It's helping me in my compliance role. Helping me to provide evidence for our audits so that I can show we're doing what we're doing.

What needs improvement?

My main thing I'd like to see is, when you're using canned reports, that they're not blank. If there's no log source say, "No log source", or if it didn't find anything say, "It didn't find anything". I hate blank reports.

What do I think about the scalability of the solution?

I think it's pretty amazing. We have two deployments. My deployment is a small one that is on secured systems. We also have another deployment that's way bigger and for our normal corporate environment. So it fits from small to huge.

How are customer service and technical support?

I have used LogRhythm tech support and I would say those guys are phenomenal, outstanding. They get back to you quick. If they can't answer it right off the bat they get an engineer to give you a call back, and they follow it through till it's good.

What other advice do I have?

I gave it an eight out of 10 because you can kind of dig around and find what you need, so it's fairly user friendly. And the support that you get from their tech teams is pretty phenomenal.

I'd say definitely give it a look, and talk with them. I would definitely say that the support that you're going to get is well worth it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user756324 - PeerSpot reviewer
Senior Manager IT Security at Virginia Premier Health
Vendor
Allows us to be more defensive, have a better security posture, and be more prepared for anything that occurs

How has it helped my organization?

It's allowed us to have more visibility into our network as well as be able to respond more quickly to incidents seen on the network.

What is most valuable?

  • Being able to gather logs in one place
  • Being able to process them and generate alarms

What needs improvement?

I work in a highly regulated industry. I know the product has compliance mechanisms, but being able to get more governance surrounding some of the compliance. Merging things that we have to be on top of would be helpful.

What do I think about the scalability of the solution?

LogRhythm has been able to show that their products are very scalable. Usually, when you buy things that are out of boxes, you get them, they're old. But the new enhancements and things that LogRhythm continues to integrate allow you to scale up with them as they grow. They scale with you also.

How are customer service and technical support?

I've used tech support. They're very helpful, very knowledgeable people who genuinely care about you and want to see not just their product but you, as a company, be successful.

Which solution did I use previously and why did I switch?

This is our first iteration of SIEM at my organization. At the time, my superior had used Splunk previously, and that was what he was a fan of. But LogRhythm is one of the emerging leaders, price point was very important, and also to be with a company that's on the cutting edge of technology.

How was the initial setup?

I think that anytime you're integrating SIEM monitoring tools into an environment, it is complex, but the LogRhythm Professional Services help make things easier, and I've worked with them every step of the way.

What other advice do I have?

It's very important to our organization that the solution be a unified end-to-end solution.

I don't think any company is perfect, but I know that they're striving, and that's why I give them such a high score.

I understand that whatever you're buying with LogRhythm, it is not going to be static. It's a very dynamic company and a lot of new technologies emerge, so ensuring that you get the proper level of training upfront, as well as continued training for your staff, is important for being able to wrap your hands around what LogRhythm is actually doing and where they're going.

You start to talk about some things like blockchain and quantum, I'm sure that LogRhythm is already researching some of those new computer technologies. I didn't know what to expect back in 2015 when we bought the product, but it's showing to be agile, scalable, and the people are very knowledgeable.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user756378 - PeerSpot reviewer
Information Security Analyst at Aims Community College
Vendor
Being able to quickly identify threats in our network is a valuable feature of the product

What is most valuable?

  • Log correlation
  • Aggregation
  • Being able to quickly identify threats in our network.

How has it helped my organization?

Key challenges, right now, are just having the resources. Whether it be humans in the seats, because, as of now, it's just me. I'm our security program. So the challenges involve just having the time and the resources to stay on top of threats.

The solution is pretty effective towards meeting these challenges. Though we don't utilize it heavily at this point in time, we're looking to it. I think it will be a big help to us in the future.

What needs improvement?

There are a lot of pieces of it that are very complex and time consuming. If we can try somehow to just make it more simple, that would be better.

I would like to see more pre-integrated SmartResponses. Right now, I'm on 7.1.10, so I'm not even to the current version. If there were more pre-integrated SmartResponses, that would be really cool.

For how long have I used the solution?

We are in our infancy stage right now.

What was my experience with deployment of the solution?

It was deployed before I was there.

What do I think about the stability of the solution?

It's very scalable. Right now, we have the XML appliance cell all-in-one, but I am looking to move the web platform off to another server. Clustering has really been impressive to me with the product.

How are customer service and technical support?

It is really good. I've had a few interactions with them. The first was really good. The second one, he was good, but I could tell he was new, which isn't a problem. Overall, I've been really satisfied with it.

What other advice do I have?

Really understand what's important to you as far as what you are hoping to gain out of the product, what threats you are looking at, and what your critical log sources are. Just have a fundamental foundation before you start looking into it.

Having a unified end-to-end platform is really important to me, because I am the only security professional at the college. If I can avoid having systems all over the place, that is only going to be beneficial.

Most important criteria when selecting a vendor:

  • It is the problem that they are solving and solving effectively.
  • Being able to rely on really good support.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.