Netsurion offers robust SIEM capabilities enhanced by managed services, facilitating efficient threat identification and response with real-time alerts and comprehensive reporting.


Netsurion stands out for its integration of SIEM, IDS, and vulnerability management. Its real-time threat alerts and dashboards enhance user response capabilities. With centralized logging from Windows, Linux, Cisco devices, firewalls, and Active Directory, Netsurion enables effective compliance support for HIPAA and PCI standards. Managed Threat Protection with the embedded MITRE ATT&CK Framework enhances threat intelligence, while its evolving interface aims to improve user interactions. However, some users find deployment and searching challenging, pointing to areas for improvement.
Netsurion is frequently implemented in industries requiring comprehensive security monitoring and compliance, such as healthcare and finance. It aids businesses in consolidating security efforts, offering insights into user activities and system changes, an asset for companies lacking substantial internal resources.
Netsurion was previously known as Netsurion Managed Threat Protection and Netsurion EventTracker.
The Salvation Army, The FRESH Market, Pacific Western Bank, NASA, American Academy of Orthopaedic Surgeons (AAOS), and Talbot’s Stores
| Author info | Rating | Review Summary |
|---|---|---|
| Information Technology Manager at ProfitSolv | 4.5 | We use Netsurion as our security operations center and SIEM to manage telemetry and alerts. It's effective but currently lacks seamless log retrieval from S3 buckets. Sometimes its SOC is overly aggressive in notifications, needing adjustments to reduce unnecessary alerts. |
| Head of IT at a venture capital & private equity firm with 11-50 employees | 5.0 | We are a small company specializing in reinsurance in Bermuda. Netsurion Managed XDR enhances our cybersecurity by providing real-time alerts and vulnerability assessments, acting as a 24/7 security team and offering valuable insights and recommendations to strengthen our defenses. |
| Manager of Security and Networking at Shenandoah Valley Electric Cooperative | 4.0 | Netsurion enhances our security by offering effective integration and visibility, providing rapid alerts and thorough communication. While the GUI could be more intuitive, their flexibility and willingness to meet our needs distinguish them from other solutions, balancing quality and cost effectively. |
| CIO at a financial services firm with 201-500 employees | 4.0 | I use Netsurion Managed XDR for security events and incident management, benefiting from its analysis, efficient SOC team, and flexible solutions. It significantly boosts productivity, though it requires a powerful server. ROI is nearly 100% from labor savings. |
| CIO at a computer software company with 501-1,000 employees | 4.0 | We utilize Netsurion for managed SOC services, offering extensive integrations like Google Workspace and Microsoft Azure. Although effective, their Linux agent lacks maturity and their EventTracker UI requires improvement for better usability and direct data forwarding. |
| Cyber Security Specialist at a financial services firm with 11-50 employees | 3.0 | Despite Netsurion's vital 24/7 SOC for my decentralized operations, which scales well and offers actionable threat intelligence, the prolonged and complex onboarding process, coupled with unstable agents requiring manual reinstallation, are significant drawbacks. |
| VP of IT Systems at Carteret-Craven Electric Cooperative | 4.0 | We are happy with Netsurion's managed services for PCI compliance, finding it invaluable for log analysis given our lack of in-house security expertise. It offers great value, though we would appreciate faster updates on non-critical operational events. |
| IT Coordinator at a government with 51-200 employees | 3.5 | Netsurion's managed SOC is vital for our small IT team, providing 24/7 threat monitoring and freeing up staff. However, I wish it offered more active response capabilities and better communication on hardware issues, making it a 7/10 solution. |
| Network Engineer at a wholesaler/distributor with 201-500 employees | 5.0 | Netsurion Managed Threat Protection is a valuable managed SIEM. Its 24/7 SOC analysis and excellent threat detection free up my time, improving our security posture significantly. I appreciate its stability, scalability, and consistent customer service. |
| IT Director at Global Connections Inc | 4.5 | Netsurion vastly improved our security, offering excellent threat visibility and consolidating tools. Easy to deploy, its managed SOC saved time and validated my instincts. While I desire more detailed report reviews with the SOC, it's a proactive, cost-effective solution. |

We use Netsurion as our security operations center and also as an SIEM to put together all of our telemetry from various systems and to notify us when we have security events.
Netsurion's additional data source integration provides a unified view of our security posture. This makes it easy to track and see what's happening at a glance. We can also see our security status in real-time, without having to find an all-in-one security platform. Instead, we were able to choose the data sources that we wanted and integrate them into a single platform.
Integrating with our existing security tools was easy. Netsurion did all the work, making it so easy for us.
The integration of Netsurion and our security tools gives us a unified view of our threat landscape.
The integrations that extend our detection and response capabilities are now easier to use. I no longer need to flip through the Azure or Office 365 admin centers to view our security alerts, and I don't need to go into Xcitium to see the security issues there. I can simply go to Netsurion's dashboard to see everything in real-time.
Netsurion's SOC does a good job of alert monitoring and threat hunting.
Netsurion's SOC has helped to eliminate recurring false positives. When they occur, we discuss them. If the investigation shows that it is a false positive, we will discuss how to prevent or suppress those types of false positives in the future.
Netsurion's SOC is effective at expediting incident response. I have worked with them on a few real incidents, and they have been outstanding. They handle a lot of the documentation for us, which is helpful. This way, we can refer back to it and what they were able to show us about our problem.
Netsurion takes care of platform management, which makes my job much easier. As a one-person IT department, I don't have the resources or budget to hire more staff to monitor cybersecurity incidents. Netsurion is like having a team of security experts on my side, at a much more reasonable price than hiring even one more person.
Netsurion allows me to focus on other tasks. In previous positions, I did not have this level of automation. I would spend two hours every morning going over logs, or X amount of time every hour checking things to make sure there were no problems. Now, I can focus on all of my other duties because I know that Netsurion will alert me if anything pops up.
Netsurion helped us boost our security operations productivity by decreasing the tedious security operations management tasks.
Netsurion has helped reduce our time to detection.
Netsurion has helped us improve our ability to remediate security incidents. In the past, we had to manually collect logs and analyze them to identify the source of an incident. Netsurion has simplified this process by providing us with pre-analyzed logs and after-reports that help us track down and remediate incidents more quickly.
Netsurion takes a holistic and proactive approach to security. They are proactive in that they give us advance notice of potential threats, such as when they have patches available. They recommend that we apply these patches immediately, rather than waiting for our regular patch day. They also notify us of other security-related matters. Additionally, they take a holistic approach by helping us with all of our systems.
Netsurion has its own security operations center, where it tracks information that comes across our telemetry. If there is an emergency, they will notify us immediately. If it is just a concern, they will notify us that day or in the weekly report.
I know they are working to resolve this issue, but Netsurion is currently unable to retrieve logs from S3 buckets. We use WP Engine for a lot of web hosting as well as AWS, and both of these platforms use S3 buckets.
I would like Netsurion to be able to pull logs from Linux devices. We have some of that capability, and I believe they can do it. However, the way it works with Amazon is strange and glitchy. Therefore, working something out with Amazon would be great.
Netsurion's SOC can be a bit too aggressive at times. We have asked them to adjust their playbook because I am tired of being notified about the same issue multiple times a day. I am aware of the issue, and it is not a cause for concern. Let's only take action on this issue if we see an actual problem.
I have been using Netsurion for two years.
Netsurion is stable. I have not encountered any issues.
Netsurion is easy to scale out. We have grown from 200 employees to 700 total units with no problems.
Our pricing for Netsurion last year was US $52,000 per year. In January, they were going to raise that to US $72,000. I told them I couldn't afford that anymore, and that I would have to go elsewhere. They worked with me and we were able to lock in last year's pricing for a two-year deal.
I would rate Netsurion nine out of ten. They're not perfect, but they're as close as I would consider any other company in the market to be.
The maintenance is minimal. Netsurion provides me with a list of things they notice that could cause security issues. This is no more maintenance than I would typically do. In fact, it is a little easier because I do not have to go out and look for these problems. They notify me of the issues, and then I take action to remediate them.
Our experience with Netsurion has been excellent. We have had a positive relationship with them because they are easy to work with, responsive, and helpful.

We are a small company located in Bermuda with a team of 42 people. Specializing in reinsurance, we offer a range of reinsurance products from around the world. During a recent cybersecurity gap analysis, it became apparent that we needed to enhance our network and security monitoring capabilities beyond the capacity of our current 42-person team. Within the company, only three individuals work in the IT department, making it impractical to assign someone to security log monitoring around the clock.
To address this challenge, we have implemented Netsurion Managed XDR. This product, previously familiar to me from past professional experience, aggregates logs from our various devices including workstations, servers, switches, routers, and firewalls. These logs are then centralized on our on-premise servers, which are linked to Netsurion Managed XDR's security operations center. This center is staffed with experts who analyze the collected data, providing us with valuable insights. They promptly alert us through email, phone, and text if any unusual or critical activities are detected. These activities could range from unauthorized access attempts to anomalous Internet or firewall activities.
The system also offers weekly observation reports, categorizing activities using color codes ranging from red to green. This report covers a spectrum of information such as account lockouts and Internet activity. I have also specifically requested alerts for any usage of administrative passwords. Additionally, we engage in monthly review meetings where we assess the previous month's data, including a Power BI report that delves into trends and various monitoring aspects.
Another key service we utilize from Netsurion is their vulnerability assessment scanner. This monthly assessment involves scanning all our systems within the network to identify security vulnerabilities and needed updates. It's comparable to having a simulated penetration test, ensuring our systems are robust against potential threats. The resulting report provides valuable insights into our security posture.
In essence, Netsurion Managed XDR fills the crucial role of network and security monitoring that our internal team cannot handle alone. It's akin to having a dedicated 24/7 security team constantly scrutinizing our network for threats. The system not only detects immediate issues but also assists us in enhancing our security measures for the long term. For instance, based on their recommendations, we have successfully blocked requests originating from certain countries, such as the Russian Federation, China, North Korea, and Iraq. This proactive measure has significantly reduced the unnecessary traffic targeting our network.
Our experience with Netsurion's services has been exceptional. Their expertise and support are of the highest quality. As I had worked with them at a previous company, I sought them out again for our current needs. Particularly for a smaller company lacking a dedicated security team, this solution has proven to be one of the most effective ways to bolster our cybersecurity defenses. Their capabilities align perfectly with our requirements, and their professionalism makes them an ideal partner in safeguarding our digital environment.
One of the primary benefits of using Netsurion for our organization is that, due to a mandate from our regulator, we are required to have robust monitoring platforms in place. We now possess our own monitoring platforms, which allow me to oversee various aspects. Moreover, we have implemented a 24/7 monitoring platform, ensuring complete compliance with regulatory standards.
Netsurion offers a flexible solution that assists us in safeguarding our entire IT environment. This has significantly enhanced its robustness over time because they have been able to identify trends. Subsequently, we can adjust settings. Initially, when we implemented the product, we noticed more issues that, with time, would turn red or become more critical. These included instances where certain activities were not being blocked or when excessive permissions were granted to users in terms of access rights and similar matters. By analyzing trends over time, we have been able to refine the network, thereby achieving a higher level of overall security based on the insights provided by their monitoring.
The way the SOC service operates is by providing us with a dedicated team. This team usually consists of around four to five individuals participating in monthly calls. Essentially, this team, which is assigned to various companies, including ours, remains consistent. The individuals we interact with are familiar with our environment, and over time, we establish a rapport with them. Their contributions are highly valuable. It's akin to having a specialized team solely dedicated to handling our security concerns. Unlike a situation where we would interact with random support personnel for each inquiry or ticket, these individuals possess a deep understanding of our company as they consistently work with us. This arrangement eliminates the need to repeatedly transfer knowledge. They are well-versed in our history, the current state of our environment, and the specifics of our network. This setup operates 24/7, ensuring that meetings and communications align with my schedule. Furthermore, we receive updates even outside of regular working hours. This SOC service is available to us, and in my opinion, it's an excellent setup. The continuity of interacting with the same group of professionals allows us to establish relationships, not only with the individuals themselves but also with the company as a whole. This dynamic significantly enhances the trust we place in their services.
The SOC handles alert monitoring and threat hunting extremely well.
Reducing false positives is a crucial aspect of the tuning process we engage in. At the outset, we receive alerts for all activities, treating everything as a potential issue. However, we gradually refine this approach. For instance, we develop custom applications for our company. In collaboration with Netsurion, we've integrated their system to whitelist specific processes associated with our proprietary applications. To Netsurion, some of these processes might seem suspicious, such as activities involving the SQL database, potentially appearing as hacker activity. Nevertheless, this is not the case, and these actions should be permitted since they originate from our authorized service. It's highly beneficial to maintain this collaborative relationship. This allows us to fine-tune our system, minimizing the occurrence of false positives.
The SOC plays a crucial role in incident response. When issues arise, they are promptly prioritized. We have a specific prioritization process that feeds directly into our service desk. This enables us to initiate our incident response testing promptly. Additionally, the SOC identifies other potential concerns. For instance, we are currently investigating a situation involving suspicious DNS queries originating from specific IP addresses. Presently, we are actively examining this issue. While it appears suspicious at the moment, it has not been confirmed as an exploit or an actual event. Our standard procedure involves thoroughly investigating the matter and documenting all actions taken. Any actions we take become part of our response protocol. If the situation warrants, it might be escalated to the IT committee. Regardless, all actions and findings are meticulously logged in our service desk for future reference.
I appreciate that the SOC handles platform management. It's pleasant not to be directly involved with managing the tools themselves. Essentially, what we do is utilize an agent. This involves configuring an agent that is deployed universally. Additionally, they handle the configuration of Syslog services and similar tasks. Apart from these aspects, they take care of everything else. They provide the server and are responsible for updates, including those related to the internet. When it comes to integrations, they've established connections with our firewalls, antivirus, and email security gateway. This facilitates the retrieval of logs and security details, which they collaborate with us on. I'm relieved that I don't have to concern myself with updating their software. In our monthly meetings, they discuss new exploits they've come across, often with amusing names like "monkey dine," and their efforts to identify telltale traces of potential threats within systems. This proactive approach is commendable. Their management of these aspects allows us to concentrate on using the platform. For me, it's comparable to owning a car. When I buy a car, I can operate it, but I don't need to understand its engine intricacies. In the same manner, Netsurion Managed XDR has been a boon for us. It has consistently proven beneficial across the various companies I've worked with. Unlike setting up our own monitoring systems, which can be time-consuming, Netsurion Managed XDR's implementation is relatively swift. While there's an initial learning curve, within a few months, the value becomes evident. The insights provided are exceptional. Certain reports are even presented to the IT committee I report to, serving oversight purposes. These reports are also instrumental for compliance and audits. Netsurion Managed XDR is a third-party solution, impartial in its reporting. They provide compliance reports alongside their software tools.
From my perspective, it's one of the essential tools. Over the course of my professional experience, there are a handful of products and services that I've found indispensable, and Netsurion Managed XDR is one of them. I used to use the Netsurion Managed XDR in my previous company, which was a relatively larger company.
The SOC has enabled us to fully concentrate on everything else that we need to do. Knowing that the segment, the monitoring, the event tracking, and the alerting are taken care of by someone else gives us the confidence that if something happens, we will be notified. This allows us to focus on tasks that are more aligned with our experience and the size of our IT departments. If an issue arises and it's critical, I will receive prompt notification. If it's not critical, I will receive an email from them the following day, or it will be included in an observation report. It will definitely be discussed in the monthly review meeting.
If we didn't have Netsurion Managed XDR, I would be looking at logs, and we'd be relying on antivirus and our own monitoring to see if something was untoward. We just wouldn't have the insight and visibility we have now. And I didn't have it before. We had monitoring, but nothing as in-depth as we have with Netsurion. So has it decreased the amount of time we spend on it? I would say it would have if we'd been able to do some of the stuff that they do, but we really couldn't do it. We didn't have the time. We didn't have the tools to do it. For us, it's been a total value add in terms of the capability, rather than the time saved because we were unable to do the tasks before.
The most valuable feature is definitely real-time alerting, especially in situations where someone might attempt to exploit or hack into our network. For instance, if there's an unusual activity with user accounts, like a sudden surge in login attempts, the system promptly sends notifications via email, text, and even phone calls if our initial response is lacking. This holds true regardless of the time, even if it's as late as two in the morning. This capability provides me with a sense of security. Apart from this, my colleagues and I lack the time to meticulously sift through extensive logs and data. Having someone else handle the task of comprehensively analyzing the information we generate, not only pinpointing potential risks for us to counteract but also alerting us in real-time, is immensely valuable. It's truly impressive. Our workload prevents us from achieving this level of vigilance, even if we were to hire more staff. Their performance in this regard is unparalleled.
I appreciate the recordings that Netsurion provides on Power BI for our monthly meetings. I would also like to have a dashboard that I can access anytime to review the real-time data from their website.
I have been using Netsurion for almost two years.
I have an email address for the SOC. When communication originates from my domain email address and is received, it goes to the same group of individuals. Therefore, their technical support and related services are consolidated under this single email address for us. We consistently interact with this group, and they manage tasks on the backend. We engage with them frequently. What I need to communicate is if we encounter anything suspicious. We have an alert in CrowdStrike, and we are seeking additional details from them regarding specific matters. They are highly responsive to our requests.
The support team is remarkably persistent in their efforts to get back to us, even to the extent that it becomes a bit bothersome. I think they're doing a fantastic job. There's always someone available, and they conduct well-organized meetings. Everyone is very pleasant. Overall, I think they're great. The only downside, and I say this because we're part of a small team, is that sometimes the persistent ones get their message across. It's a positive thing that they maintain the momentum, keep bringing up matters, and continue sending emails. So, naturally, we keep pushing it down the priority list, but it's worth dedicating those thirty minutes to it.
Positive
The initial setup is straightforward. When it comes to configuring their servers and the main stations here, the process is fairly simple. Rolling out agents for all our intended applications is also relatively uncomplicated, as we are accustomed to deploying such items regularly. However, the true value lies in the subsequent steps, particularly in terms of integration. This integration involves working seamlessly with CrowdStrike, coordinating with firewalls, configuring routers, and setting up switches to transmit their Syslogs to the designated systems. This entire integration process remains quite straightforward due to the presence of their comprehensive knowledge base and their continuous collaboration with all products.
One of the topics under discussion today concerns a project in which my team and I are encountering a delay. This relates to our utilization of Kemp load balancers, both internally and externally. Essentially, these load balancers direct incoming traffic along various pathways based on resource availability and security parameters. Currently, these balancers are not reporting data to Netsurion Managed XDR, primarily due to its status as a specialized product and the previous lack of an integration guide. However, this has changed, and now there exists an integration guide. The delay for integration lies with us, and this process begins with an easily manageable initial deployment. However, as we expand and enhance the system, it has the potential to become complex due to its involvement in network-wide monitoring, which is our intended outcome.
Realistically, it may take a few months, approximately 90 days, to start deriving benefits from this initiative. Yet, even after this period, we are still in the process of integrating certain elements. These outstanding integrations are pending due to the involvement of my team members.
I would rate Netsurion a ten out of ten. I have been managing networks and IT departments for 25 years, and there are a few services that I find both wonderful and absolutely essential. Among these, Netsurion Managed XDR holds the highest importance for me. Without it, I wouldn't be able to gain the insights into our network that I currently can. There's no economically or technically viable way to achieve this. Despite being a relatively small company with a workforce of 42 individuals, I essentially possess my own security team consisting of five or six people and the array of tools they have at their disposal. Outsourcing this function or hiring personnel for it isn't feasible. While I am a security professional myself, the value brought by this service is unmatched even if I were to engage a consultant. The level of value it provides is truly remarkable. For example, we allocate approximately $65,000 annually for this service, and I firmly believe that the investment is completely justified for us.
We make use of Netsurion SIEM services to collate logs from all our devices. These logs are forwarded and integrated into a local system. Netsurion also offers managed security services, including protection against malware. Although they do provide such services, I personally do not utilize them. My usage of Netsurion focuses on their SIEM package, specifically Netsurion Managed XDR. I also use their vulnerability assessment service.
On the flip side, we've worked with Netsurion to meet compliance requirements. Given our small team of only three people, adhering to strict duty segregation, as larger companies might, is challenging. To address this, we've established a practice where I request logs. For instance, when my team handles administrative tasks like unlocking users or managing access permissions, these activities are logged by a third-party system called Netsurion Managed XDR. I receive daily and weekly reports summarizing these activities. Netsurion has demonstrated impressive flexibility in accommodating our needs. They are open to tailoring their services based on our unique requirements. In cases where certain actions are less critical, they consolidate alerts into monthly or weekly reports instead of inundating us with numerous daily emails. This practical approach is highly valued. Our experience with Netsurion is unlike other monitoring software we've used, even after my extensive career, including the use of SolarWinds. At present, we are self-monitoring. The complexity of configuring these tools is significant. However, working with Netsurion feels like an extension of our team. It's far more efficient than purchasing software and struggling to configure it. Interacting with them is seamless. I can simply request tasks, like generating administrator activity reports. After a few questions and adjustments, they delivered the final report. This approach is in stark contrast to grappling with software configurations, where flexibility is often lacking. We've successfully fine-tuned Netsurion's services to suit our needs. I recently scheduled a monthly review meeting, which previously took an hour or more. Now, with Netsurion's support, the meeting takes about twenty minutes. They present data through Power BI, allowing for detailed analysis. They provide this along with supplementary Excel documentation.
With their expertise, we've transitioned from red or orange indicators to green, or in some cases, even removed certain issues entirely. I am genuinely pleased with their assistance. I've worked with Netsurion in previous roles and introduced them to our current network. I secured budgets for their services upon joining this company due to the significant value they add. Considering our circumstances, I can't envision an alternative approach that would be as effective. Even hiring additional security personnel wouldn't provide the same economies of scale and expertise as Netsurion does.
Netsurion Managed XDR now offers an expanded range of services. Among these is a vulnerability assessment service that is now available. The quality of their recording has significantly improved, becoming more standardized and polished. It seems that their scope of reporting has also broadened. This expansion is facilitated by the advantages of being part of a larger company like Netsurion, which provides access to a greater array of tools. These tools can be integrated into their products and subsequently shared with customers. In terms of the core services, such as daily reporting, alerting, weekly observation reports, and monthly meetings, there hasn't been a substantial change; these aspects remain largely similar to what they were. The notable addition is the availability of the vulnerability assessment service, which was not part of the service package previously.
One aspect of Netsurion Managed XDR that I appreciate is the tenacity of its people. This becomes evident because, at times, my team serves as the bottleneck in accomplishing tasks. For example, concerning the integration, we've been attempting to integrate with our email system. The individuals from Netsurion Managed XDR persistently inquire about the progress of this integration. However, due to the substantial workload we have, we continuously postpone it. Consequently, it is difficult for me to think of an area of improvement. This sentiment holds particularly true following the acquisition of the vulnerability assessment service, which has proven to be highly beneficial for us.
In a former organization, we attempted a task akin to what Netsurion does using Syslogs and SolarWinds, but the results were incomparable to what we achieve with Netsurion.
Our IT department has limited time and resources. We are unable to create our own SOC, therefore Netsurion has helped us accomplish more security initiatives and monitors our environment.
Netsurion provides us with information that we never saw before. The solution helps us see it, capture it, bring it together, report on it, and derive analytics from it. They've provided visibility that we've always wanted but never had. When I'm speaking to the board information from Netsurion helps me provide them and senior leadership pertinent security information from within our environment. We provide a visual map of where potential bad actors are trying to connect from. We can see which applications attackers are trying to exploit. It drives dialogue that helps increase security awareness. It also enables us to justify our security budget.
Extending our detection and response through integration is something we're exploring. We have various products that we currently integrate into Netsurion. Our organization typically takes a best-of-breed approach for software selection. We will explore more integrations to see if there are efficiencies to be gained or if we can achieve quicker reporting and remediation.
Netsurion offers a flexible solution that covers our entire IT environment. They're another resource for us and act as an extension to our existing security resources. Netsurion isn't just monitoring our environment, reporting on it, and letting us take care of it. We bounce questions off them, and they help us dig deeper into incidents as they happen.
They provide us with the necessary information to make business decisions based on some of these events. Netsurion is more than just a vendor to us—they are truly a partner that has changed how we approach security.
Their SOC is going above and beyond. They're our first MDR. Netsurion prefers to label itself as an XDR, but we've never had a managed response at that level. We had someone watching our perimeter firewall before, and we would run unannounced penetration tests against our environment. That organization was not able to detect the anomalous activity.
When we ran tests with Netsurion, their SOC investigated things and pinpointed exactly what was going on within two minutes. We've been able to verify the work they're doing. It's nice to have an organization watching my back while I'm trying to do what I need to do.
We like to investigate and find any anomalies. Whether we or Netsurion see activity taking place, they have the resources to monitor logs and do the investigations that we are too strained to perform. They can identify the activity causing the incident. By seeing the whole picture, it has helped us make decisions that reduce our false positives.
As an example, we requested specific logs from our web filter, and the response of Netsurion's SOC was above and beyond what the contract specified. Not only did they provide the data requested, but they also modified the visual presentation to our specifications.
Using Netsurion's SOC has freed me up to focus on other tasks. Initially, my role was purely focused on day-to-day security. My role has transitioned into managing half of our IT department. I have less time to focus on day-to-day tasks. Most of that work has been transferred to the SOC. We have utilized them far more than we ever expected.
When we signed an initial contract three years ago, we wanted to see what we could get from the service. As we get ready to renew the contract this year, we're looking for more ways to utilize their services because budgets are getting tighter. We are exploring ways to take advantage of the SecOps management features.
Our time-to-detection has decreased exponentially, but I don't know how to quantify it because we weren't seeing the things that they're reporting. We knew they were there, but that level of visibility wasn't there. They notify us in under five minutes about issues we never would have known about before.
The remediation time has also improved exponentially. We can't remediate an issue unless it's known. As soon as an incident is detected, they notify us within a few minutes. We've remediated most issues in under five minutes.
What I like most about Netsurion is the level of visibility and reporting. We integrate multiple solutions and feed them into the managed services. It provides a single-pane-of-glass view. Having that data integration makes it easier. Instead of logging into all these different solutions to find the essential things we're trying to home in on, we can log into Netsurion. We have them monitoring for specific events and activity, and they report alerts within a few minutes.
The integration is easy. We define the requirements, and they make it happen. We don't have an SLA for how quickly it needs to be integrated. You give the requirements and they make it happen. Communication is consistent and thorough. Validation testing is also done to ensure our needs have been met.
There's always room to improve because there would be no competition if they had a perfect solution. The GUI to perform searches within the product may not be intuitive to a new user. That's something that could be simplified, but I have no complaints about the product or the service they provide. They're phenomenal.
We are going into the third year of our contract with Netsurion.
At times, the agent may consume a lot of resources, but that typically happens when the agent is running on some assets that are near the end of life.
We have not contacted technical support directly because we work strictly with our SOC. We've had relatively few issues with it outside of requests or alerts.
We had a company that did some network monitoring, but we were unsatisfied with their detections, and they were not responsive.
The deployment couldn't have been easier and required approximately three staff on our side. After installation, Netsurion doesn't require much maintenance aside from providing the resources for the solution to run on. We go through support to request upgrades and customization. They take care of all of that. We only need to allocate resources.
Netsurion's pricing is extremely fair and flexible. The price of their SIEM product is reasonable, and you can pay for those services you want on top of that. It wasn't cheap, but it's competitive, and we intend to renew our contract.
We looked at Splunk, LogRhythm, and SolarWinds. We may have evaluated some other solutions, but those were the main players. We chose Netsurion after consulting with other organizations in our industry. Netsurion is a highly respected company with a good reputation. They also seemed more than willing to adjust to our environment. With some of the larger players, you have no choice in how to utilize their product. Netsurion was accommodating to all our requests.
Obviously, pricing was a factor. They weren't the cheapest or the most expensive. Ultimately, it came down to how they could help us. It felt like they wanted to work with us to enhance our security posture and get us where we needed to be versus just selling us a service and a product. They wanted to work with us.

I use it for security events and incident management. It's a fantastic product. Netsurion Managed XDR is a really good product. It is hosted, and they do a lot of the analysis. They get great reporting. It covers all my highly valuable assets and offers a really low impact on my systems. I check a regulatory box as well as a cybersecurity box, so it covers a lot of bases for us.
The great upside is compliance and regulatory satisfaction. If we say we're using this product and someone wants to report, that's it. There's no question about the legitimacy of the product. They're large enough in the marketplace. Our regulatory bodies know about them and understand what the product is like. That's the number one pro for me.
It gives me a really good peace of mind. I have a couple of products. This one is not cheap. However, it doesn't have to be. I pay a premium and they give me peace of mind that I don't get with any others.
A SIEM is a SIEM. They all do the same thing. What's valuable about the Netsurion Managed XDR product is the analysis that it brings to the table. They do a really good job of filtering out; it generates a tremendous amount of data. They filter out what's needed and give me what I need to pay attention to. That's hard to do in a lot of the other products.
The product provides us with a flexible solution that helps protect our entire IT environment. I only take advantage of it on the server side. I don't need it for my desktops, however, certainly, they offer that. Overall, it is quite flexible as evidenced by the fact that when it's first tuned, you get a large amount of data, and they're able to fine-tune that over time. To me, that's really important.
We operate with their SOC. They are really nice guys. Great to work with.
In terms of the SOC when it comes to alert monitoring and threat hunting, they do a great job. The fact that they're able to tune it for me over time and build a relationship is helpful. Some of those guys have been there for ten years. That is really important to us. They know what's valuable to us and what we want to see. We have the SOC provide a regular meeting. It's quarterly. We all get together, and I let my engineers do it over the phone. They'll let us know: "We're seeing this. This isn't important." They voluntarily call things to our attention and so on. It's a real value add working with them.
The SOC is helpful for eliminating false positives. It filters out unneeded and unnecessary alerts and calls my attention to what's really important and what I need to pay attention to.
Expediting incident response is really great. What's really nice is I haven't had to use it. So I don't have any examples. That said, they're really quick to respond. Again, that comes back to the SOC. They're there all the time. So they are looking at our stuff 24/7. We pay for that, yet it's a really valuable aspect of the service.
Using the SOC affected our ability to focus on, for example, any other tasks. They've taken a whole bunch of work off my team and made it easier for them to do other important aspects of what we do every day in our bank.
Monitoring helped to boost our SecOps productivity. It's decreasing the tedious SecOps management tasks.
The time it's saved us per week is an FTE equivalent or more. That's easily 40 to 60 hours a week. It's saving my team. There's no doubt in my mind. It's probably more than that, however, I could confidently say it's 40 to 60 hours a week.
The product has reduced the time to detection in my estimation. I haven't had any, however, it's clear to me that they would help. When we have had something that's been sort of fishy, they definitely chime in, and we get a notification from them almost immediately.
There is one area that needs improvement and that is with the agents and the server that's on-site. The system requirements are very, very high. So I need a pretty powerful server to run. If they could lighten that load so that the on-premise part of their product didn't impact my systems as much that would be ideal. My understanding is that's something they already know and are working on. If they could do that, I'd be even happier with them.
I've used the solution since 2014. I've used it for around nine years. I'm a happy client.
I don't have any stability issues.
The scalability comes down to the server that is on-prem. That would be a problem if you have to pivot scalability. The agents on the servers are not a problem at all. I could deploy more systems. However, the server that gathers the data can be a hog. It would be ideal if they could take that piece out and take everything to the cloud to analyze there.
We talk to technical support all the time. My team doesn't have any problems with them. Sometimes there may be language barriers, however, in general, they are all good to work with. They are responsive and make good decisions.
Neutral
I did not previously use a different solution. I jumped to this product right off the bat.
I was involved in the initial deployment.
It was relatively straightforward as I recall. It's just deploying an agent. You need a server. We built that form, and they did most of the work for us.
We needed maybe one and a half people to handle the deployment.
It doesn't really require much maintenance. During quarterly meetings, they will push updates to us; those are pretty low-impact.
We have a hybrid setup. They have a cloud-based component, and that's where the SOC sits. Then, there's an on-premise server that feeds to their cloud.
Since it is a regulatory requirement for us, I don't even track ROI. That said, if I am saving one FTE a week, about 40 hours, if I had to pay somebody 40 hours a week, after a year, this more than covers that cost. In that sense, it's almost a 100% return on investment just for the dollars saved on labor.
Their pricing is high. I don't know if it's a barrier. The quality speaks to the price. The price is the price. They provide what they promise. From a purchasing perspective, I just have to come back and say, well is that function that important to me? And so far, every year, that function has been that important to me.
I did evaluate other solutions, however, I cannot recall which ones as so much time has passed. Many may not be on the market anymore.
At this time, I do not use the additional data source integrations offered to help protect our environment.
I'd rate the solution eight out of ten. It's one of my favorite products.
They should be well-known. I've had zero issues with them. It's expensive, yet you get what you pay for.
New users need to understand that it is kind of hands-off. You aren't going to have to put much into it once it is up and running. The time savings and the peace of mind make it worth it at the end of the day.
We use Netsurion as a managed SOC provider for them to be able to do visibility scanning on all of the devices within our network and to look through the log events that we have coming out of the devices and SaaS products that we have. They are looking at the logins through Microsoft Azure and Google Workspace, aggregating all that, and doing some investigative work to see if there are any incidents where there might be a possible malicious activity or any possible intrusions into the network. If there are any problems or issues that may occur and if they do find things, they are able to notify our team of those things or those findings that may be a problem for us. They send us an email to let us know what to look into and how to remediate things. That is how we have been using them.
We do not have a security team. By implementing Netsurion, we could utilize an external team to be able to investigate those things where we do not have the expertise or people to do that. That was the number one reason why we went to them and asked for help from them. We purchased their services to monitor all those things.
The integration of Netsurion with our security tools gives a unified view of our threat landscape. It brings everything into one single pane of glass type of view. We can see everything going on in our infrastructure. It is pretty important for us to be able to see everything in a single report rather than going through ten different tools, which can be a bit annoying. Having Netsurion describe everything in detail in one report has been pretty valuable.
Netsurion has been a pretty flexible solution for helping us protect our entire IT environment. For everything that I have asked from them in terms of adding certain SaaS products, devices, or anything like that, they usually had a solution to get them integrated into their product. It might not be the best integration, but they have figured out a way to get our security stuff into Netsurion.
There have been some incidents in the past where we had a scare of a possible virus infecting one of our machines or of possible intrusion. We pushed it up to their SOC team. They did investigative work and came back and told us their findings, such as things being fine on those devices and so on and so forth. Their SOC team has been pretty good in the sense of being able to jump on things and be able to work with us on possible issues that crop up.
Netsurion's SOC is pretty good for eliminating false positives. They have done a pretty good job of going through a lot of the log data that we have. They go through hundreds of tickets in a month, but we only see the reports. They only come up with critical or warning items. We get a handful of those compared to all the tickets that they create on their side that may look like suspicious things on their end. They do a pretty good job of looking and working out a lot of false positives on their end.
Netsurion has helped to boost our SecOps productivity by decreasing tedious SecOps management tasks. They have been able to provide a way of monitoring things so that we do not have to do that. They have been watching the environment and only bringing things to our attention when we really need to. That is something that we did not have in the past. We never had a security team, and we needed someone to watch everything. They are able to watch everything and look through everything that we have on our infrastructure, such as SaaS products and other products. They have shown value by only bringing up the cases that truly need interaction from our side. My team is able to go into a system or one of the SaaS products that we use and take action on certain things. They do the investigative work, and they do the penetration scanning and things like that and notice things. They bring anything they find to our attention. They have steps or procedures to take action on those things. Once we get all that information, our team goes into those devices or services to make changes based on their recommendations for the issues they found. In the case of a security incident, Netsurion has improved our ability to remediate.
They have a number of integrations with different products. Google Workspace is one of them, and Microsoft Azure is another one. They integrate with a number of other things, such as Duo for multi-factor authentication. They can pull the logs from Duo to see if users are coming from bad repeatable IPs or if there are malicious known IPs that may be popping up in the logs. They are able to see that, and they can identify that. Some of the other integrations they do are from inside your network. For firewalls, they can integrate with SonicWall, Cisco, Fortinet, etc. They have a pretty wide variety of things to integrate with and be able to pull the logins from those devices.
Integration-wise, there is a pretty vast area of things that they are able to integrate with, but some of the tools they have are not so great. One of my pet peeves right now is the maturity of the agents that you install on Windows and Linux devices. On the Linux side, it has not been a great experience. They support CentOS and Ubuntu, but the client tends to be a little bit cumbersome and not so great. It is just okay. It is not so great because the agent that they use is basically like a SysLog forwarder of the log system of the Linux system. When it gets pushed out, they do not receive the data as a hostname. It just comes back as an IP, so they are not able to detect the hostname. There are little tedious things here and there that I have not been happy about. This is one of them.
They have their programs and tools that you have to put into your own environment. We basically ingest all the log data and then push it out to them. I wish it was a little bit different than that where we just push directly towards them. I do not know if that is a function that they thought would be better in terms of security, but I wish that instead of doing that, it should go from the device to them and not from the device to another system and then out to them. There seem to be some drawbacks to doing that.
They need to work on the tools they have. The UI of EventTracker, which is a proprietary piece of software that they built, needs improvement. It is not the friendliest thing in the world. Those are the things that they should probably work on. I know that a lot of their tools have been specifically built around their team, and their team is very familiar with it, but that is an area they probably need to work on to get their customers or even get more clients. They need to work on the UI of EventTracker.
I have been using Netsurion for a little over two years.
I have not seen anything that has been detrimental in using the services. However, using the tool tends to be slow sometimes.
It is pretty scalable. They can handle a pretty large environment if they want to. Our environment is comparatively small compared to other corporate environments out there.
We have not necessarily contacted them. We probably only sent them emails a couple of times in the beginning when we had some issues with getting some of the integrations done. I would rate their support team an eight out of ten.
Positive
We did not use any other solution previously.
Some of it is a bit tedious. I am trying to get everything integrated for a lot of our servers and devices. That is a part of getting any managed SOC and intertwining them into our environment so they can start watching things.
In terms of maintenance, client-wise, when they do send out patches or any sort of client updates, we have to push them.
It is a bit expensive as compared to some of the other products that have come out in recent years. Expense-wise, the only downside is that it is not cheap.
We looked at a couple of solutions.
If you want a team that is pretty devoted to making sure your environment is secure, you should go for Netsurion. They have been on top of a lot of things. We have constant emails coming in. They jump on things. Their support team has been pretty good to work with for working through issues. However, on the software side, they are just okay. They need to work on some of their tools. They need some work on that side, but if you are looking for a pretty devoted team to watch your environment, they are pretty good.
Overall, I would rate Netsurion an eight out of ten.
I manage 13 companies that have 300 to 400 companies underneath them altogether. We're a private equity company, so we manage one company, and they control 10 to 20 companies themselves. Our operations are decentralized, so there aren't many existing products suitable for our use cases.
When we initially deployed, Netsurion didn't seem like a particularly robust solution. We had the reporting, and if I told them to look for something specific, they could look for it and report on it. We haven't given them anything outside of the box to look at. It tells us everything that you see. We haven't whittled it down to specific events yet.
Netsurion is on the endpoints. You install it, and it speaks to a web server. We have it on workstations and servers on AWS, Google Cloud Platform, Azure, and everything else. We're using it as a decentralized SIEM product, and it's one of the only ones out there. We use Netsurion for things like log forwarding, and we deploy it on every workstation. It's a manual process. There is an installed agent, and as long as it has internet connectivity, it goes and talks to the centralized server, and Netsurion's SOC monitors the logs for all those devices.
Because we don't have a centralized enterprise network, there are a lot of different companies involved, and they could be anywhere. They could be working from home, or there could be several employees in a coworking space. The Netsurion agent has to be installed on every endpoint and allowed to communicate directly to the internet.
We don't have the security staff needed to monitor log data constantly. It's too much data. You have to send it to a third party like Netsurion that specializes in that, and they have a 24/7 security operation center. We don't have the in-house staffing or the time, so we offloaded the task to a third party, and they only report on critical incidents. Then they have reporting criteria, so if it's urgent, they call us. If it's not so critical, then they email us. We don't have the capacity to do that ourselves.
Netsurion has allowed us to consolidate cybersecurity technology, including SIEM and network traffic analysis. It's not a decisive factor, but it's important. Having multiple tools keeps it centralized.
Netsurion's security operations center is critical for us because they provide 24/7 monitoring. We've never had another company meet the same need in the past. It's a valuable tool to have. Netsurion provides us with a lot of actionable threat intelligence. Their security people don't come in, but they know who to call. We tell them specifically who to call for a specific event or certain companies and they're good at that.
The product is based on an agent initially intended to talk internally, and they've simply tweaked it to talk externally. It's inside of a network versus talking on the internet. If they redeveloped the product to use internet options that are part of the operating system, it would add more security. Netsurion would keep pace with the computer as it updates and the technologies change.
If it were to talk using the internet options inherent in the operating system, the communication would be better and more frequent. It would be part of the operating system. It would work like opening a browser and hitting the internet rather than being a standalone solution. I've suggested redeveloping the application to work more fluidly with current technology instead of working as an old solution in a new application.
We've been using Netsurion for about a year or so now.
Netsurion is highly stable. I haven't had any issues. However, the agents on the endpoints seem to fail quite a bit, requiring manual involvement from the local administrators. I would like to see their product be much more ad hoc and update automatically. I'd like to know if it has errors or issues to support that. Otherwise, local people need to uninstall and reinstall, and it's very time-consuming to maintain the installed product. This should be automatic. We shouldn't have to deal with that on a routine basis.
I think Netsurion scales well. We've gone from a small number of agents up to thousands. I would imagine that it would continue to scale. I don't see any issue with that.
Our SLA with Netsurion doesn't require them to respond immediately. But I haven't had any issues with them from a communication perspective. They've been very good at communicating. If we're talking about the entire process from onboarding to scaling operations, I will give their support a six out of 10, and I'm only giving them a six because they're one of the only companies that provide this service. The installation and customer care at the beginning of the process have a lot of room for improvement.
The fact that Netsurion's SOC is outside the United States hasn't been an issue for us. Most IT labor is offshored, but the communication server and the information are warehoused within the United States on Azure, I believe. I can't recall exactly what they have, but I know it is located in the US. The data itself is still housed domestically, and the third party monitors it. So I don't have a concern with it, and I think over the last 10 or 15 years, the IT industry has pretty much gone that way for the labor component.
Neutral
The onboarding process was complex. There was quite a learning curve, and few of our technical staff knew what they were talking about on the Netsurion side. But we were expected to do all the work. There were issues with the installers and the availability of people who could work through the code. I had a lot of concerns about what was being installed and how it was communicating online. It was not communicating securely.
I was hoping Netsurion could meet my expectations and have their developers fix the application to work more smoothly. Unfortunately, it took quite a bit longer than it should have to onboard. I have five companies that have a bunch of subsidiaries. Those five are using this product on probably a thousand endpoints total. We started with the first one about this time last year, and we've only just finished onboarding. The onboarding should have taken less than a month or two, but it ended up taking a year. That was a problem that we had with them, and it could potentially impact future business.
After we onboarded the first company, the learning curve went down. I found most of the cybersecurity issues in the initial deployment and would not move forward until we resolved them. That took a few months of our time. Netsurion showed some organization from a project management perspective, but there should have been more of a technical push from their side.
As the customer, we had to provide many technical solutions, and I believe the onboarding would have gone faster if Netsurion had provided more technical resources, not just project people. The project people would push things to the next week instead of scheduling a technical person to fix that issue specifically. They were just logging hours rather than helping us move forward.
We expected that we would be fully deployed on all the discovered devices discussed before the start of the project within 90 days after we signed the contract. Things happen, so I wouldn't expect it all to get done in 90 days, but it should've been mostly done. You need to be at 80 to 90 percent before going to the SOC level and getting reports. That should've happened in under 90 days. Regardless of how many endpoints there are, there should be a real push to bring everything in within the first 90 days.
I think that's a short deadline. At 90 days, I would expect to have the devices onboarded at a minimum. At between 90 and 120 days, I expect to start seeing reports, even if they're very generalized. I expect to see what's talking and what's not. And if we're talking about the total maintenance, it's split. I would hope that Netsurion would be managing their web server, which is the receiving server that takes all the logs in. I'm doing some sorting that allows the agent that's installed to talk back.
It saves us from hiring someone to do the same thing. IT is a cost center, so we don't make money. We spend it. But in terms of a return on investment, it's cheaper than hiring an employee and it's providing actionable results about threats like ransomware that could be costly if we don't catch them in time. That's a kind of savings, but it's theoretical. It's not something that was accrued. It's a potential for loss. I would say that there's a return in that sense.
I don't have a hard number because there wasn't a pre-existing solution to compare it to. But to manage the logs the same way that Netsurion does, we would need someone working at least 40 hours a week. To hire someone at the SOC analyst level, you would have to pay an annual salary of between $70,000 to $100,000. However, paying a full-time analyst 40 hours a week still wouldn't give us 24/7 service like Netsurion.
Netsurion's pricing is competitive. At the same time, they're the only ones who do what we want to do the way we want it. I can't say we would've paid more, but we would've had to come up with our own solution if they weren't providing that. I believe they have a good niche where they're the only ones providing this type of service that we specifically need in our business model.
We tried out a couple of competing solutions, including Comodo and Arctic Wolf.
I'd rate Netsurion six out of 10. I'm only going above the five because there aren't a lot of other products in that niche for a decentralized SIEM product. To anyone skeptical about the need for managed security services, I would say that they need to look at whether they have the resources to provide the service themselves. I think most don't, and I believe that the cost of hiring even temporary personnel to provide that function doesn't make business sense compared to bringing in a third party like Netsurion. Cost savings, management, and 24/7 monitoring — you can't get all that for the same price.
Our main concern is IT security. We are looking at it from a point of view of making sure that we are fully PCI compliant. PCI is the compliance driver for us above all others. The log management, event management, and managed services are all fairly pricey services for a small business like us, but we felt the need to be able to take all the logging traffic that we are storing, then make some sense out of it. We needed someone with that expertise because we don't have a dedicated, trained security professional in our organization or in our small group. We turned to Netsurion for that service and have been happy with it.
It takes the load off of our systems administrator from having to manage, vet, and analyze logs. Even though they come out in a good format and we have reports from them, there is still an incredible amount of data moving through that system.
When I looked last week, we probably averaged about 20 million log entries a day. So, we certainly can't individually manage that. Just looking at the reports, then trying to go back and find anything that was questionable, was a challenge. Therefore, the managed service has been invaluable to us in terms of being able to narrow the scope of what really needs to be looked at and bringing those things to our attention to be dealt with.
The solution provides 24/7 monitoring and alerting. When we have third-party security assessors come in and do our annual pentest and security review, they have ranked us as being a very mature small business compared to others that they deal with. So, we rank fairly high in terms of cybersecurity maturity compared to other small businesses with 75 employees, such as ourselves.
We don't do a lot of network analysis, but it certainly meets all of the correlation requirements that we have, so we are able to spot logins at unusual times. Or, I just got a report, not 30 minutes ago, and called one of my guys, saying, "Hey, go check on this PC because it is showing 15,000 incorrect password attempts to get to the file server. What is going on?" Obviously, it's not necessarily an indication of a breach of any kind. It is an indication of some kind of software malfunction. So, we were able to look at that and get those reports, and say, "Hey, we have something that needs our attention. I have one user account hitting a file server from one PC, and we know that a password was changed on the day that started, but we also know that the account is not locked out." This helps us analyze what the real problem is, then we are able to rule out that it is an Active Directory problem or a Windows problem. We know what caused it, and it's not an intrusion attempt. However, this narrows down all those issues so we can focus on where the problem might really be.
We found Netsurion to be so much easier than our previous solution, given our limited experience and expertise, to install and get our logs in, at least to meet minimum compliance. So, we appreciate the ease of use of it.
When it comes to threat detection and response, it is done well. When we have our annual network penetration tests, they often will find things that are questionable and report on those things, usually within a weekly update report. So, we will normally see the events that took place. There have been instances where they have contacted us right away, but those have been fairly limited. We haven't had incidents that rose to the level of needing immediate attention very often, but they do confirm what we expect to be confirmed, which is that we have somebody doing things on our network with our permission who notifies us about it.
I would like to see a faster response when we see things like 15,000 lockouts. I really wished that I had known that on Friday afternoon rather than waiting until I got the weekly report today. By the same token, they are looking at it from the point of view that this is a system or software malfunction. This is not a bad actor repeating the exact same password three times a second. Therefore, they can tell that this is not a bad thing. However, it's not a security event but it is an operational event for me. Knowing this sort of thing would help my team and me out more because then we would be able to clear out a lot of network traffic that we didn't know was going on. So, we would like quicker updates on non-high security events.
We have been on their managed services for a little over two years.
It has been very stable. We have had no major problems with it. We might need to put in one or two calls because of an issue logging into the software. I think we had a problem one time with a disk partition filling up, which hauls a lot of data in and out. So, that is something where you just have to be aware of it, but they have always been very responsive. There have been a few times when we might have had to go in and re-enable their remote access. They always notify us when they are going to be on that server, so we are able to tell when that outside third-party is accessing the server. So, stability has been good.
We are at a terabyte of data that we are holding right now, and we have been on for two years. We have grown to the capacity that we expect to maintain unless we begin adding more endpoints to manage or watch. We don't manage every endpoint in our environment, only the ones that we consider touch anything dealing with business security. So, it is as scalable as we need it to be, but we really haven't tested that beyond the one terabyte of disk storage.
We may increase usage as we get down the road a little bit, depending on our circumstances and what changes. Right now, we are not looking at increasing it, but that could change.
There is a dedicated team available to us. I don't call a number or leave an email, then have to deal with unknown people. Instead, it is the same folks whom I talk to every three months that host a call with us. I am grateful for the fact that these are people whom I speak to often and know our situation. They know what things are important to us. They have helped us out with some specialized reporting along the way. So, I find this gives an extra level of confidence to us that we are being looked at by people who know what is important to us.
There have only been a few times when we have needed to address a question to the SOC, but usually those have been dealt with immediately or within the day. There have been a couple of times when we have asked for custom reports and those have gotten done. Sometimes, there is a little back and forth to really understand what it is I am asking for and have them explain to me what the capability is from the logs that they are receiving from a device. However, they have been very quick and responsive to our needs, even when it is not a priority security event.
They are very familiar with our network and company. We have spent almost a year tuning the SIEM managed service. Since that time, we have continued to meet quarterly and talk about if there are modules that need to be installed or other products that we need to consider. We ask questions like, "Is there a way for you to be able to deliver this type of report to me?" They are very upfront about "yes" or "no".
We have an assigned team, so they are not sending something into a help desk then hoping it goes to the correct tech, i.e., Level 1, Level 2, or Level 3. We know their team. Anytime we send something in, we copy the supervisor for that team who will make sure it gets dealt with. So, they have been very responsive with good customer service.
Overall, I am going to give the product an eight (out of 10). It could be bigger and more mature, but then it probably would be in a niche that would have ruled them out for us. From my point of view, they are meeting our needs well. I think they are continuing to develop the product and expanding their portfolio, which is all good.
Positive
We used a competitor, Tripwire, to Netsurion for a few years prior to moving over. We found it very difficult to configure and maintain for doing in-house work. This was prior to managed services.
We switched from Tripwire to Netsurion because of cost and complexity. Netsurion was a good bit cheaper than Tripwire. With Tripwire, we needed a third party that helped out with making changes to it and adding additional endpoints. It just was a very complex system to set up and watch, so we made the change after being with Tripwire for a few years.
We initially just did log management in-house, watching the logs ourselves. They set up the system for us. We were getting reports out of it every day and trying to look at what we thought was important, but ultimately it just proved to be too much for us internally with a staff of three.
In our case, it was almost like we had an event management platform before with Tripwire, but we still didn't fully understand what could be done with it. You couldn't come ask me what I want to do with it. I don't even know what it did because we are just general purpose IT people here. We are not experts in this field.
It is complex because we didn't really get that involved in the initial setup. They were the ones who called us, and said, "Okay, we're going to have this meeting. In this meeting, we are going to ask you a series of questions and whatever you tell us is what we are going to take care of." For example, what do you want your normal workday hours to be so we can tell that if an employee logs in at a certain time, which employees should be logging in after hours, and what systems should be talking over the weekend. They guided that discussion. It was a very easy discussion to have because they talked to us in terms of our business, not in terms of SIEM events. So, that was very good.
The initial deployment was 90 days. We signed on in August, then there was a 90-day period where we had to make sure that everything was operational. We knew this upfront. Next, we scheduled a few meetings after that. We used those next few meetings to tune the SIEM. So, we got everything in there that we expected to have over a period of weeks. They went through everything. It wasn't like drinking through a fire hose.
They were able to guide us, not giving us more information than we could handle. After we got past the initial setup period, we were able to start seeing reports. The first ones didn't make a whole lot of sense to us. However, over time, we were able to ask questions and the reports became more valuable because they were more tuned to our real environment. They began to suggest, "We now need to add in the connectors to SQL and Active Directory." We run an IBM i system, which is not a typical syslog or Windows event system. We were able to get that system set up and tuned with some reports so we could really look at our most critical systems from a security perspective. All of that happened over a period of time, yet it wasn't too rushed nor was it too slow.
When I started looking for a managed SIEM, consultants looked over the specs and compared us with some of the bigger players. They addressed concerns that they had to me, then we dealt with those concerns in the early days of installing the SIEM. Knowing that I have a seal of approval from those consultants was very important to me, and Netsurion rose to the level of getting that approval from them. They seem satisfied with what they have seen in terms of our ability to meet all of our compliance requirements and general security needs.
The vendor’s assistance in the onboarding process helped with the product’s time-to-value and return on investment.
It enables us to devote our time to other projects that demand more of our attention. We are saving about an hour a day.
The fact that I can walk away from this network and know that not only have I got a managed intrusion prevention system with another vendor who is looking at the edge of our network, but now I have a system which looks at the internal devices on our network. So, I have two sets of SOCs looking at what could go wrong. Between those two and our endpoint solution, I am much more comfortable thinking that if one thing misses it then another one will pick it up. So, they are part of that trifecta of products that I would expect to find a bad actor in my network. We have several other security components, but those three large products are really key to our comfort level, with being able to say, "I don't believe there is anything bad going on in my network today. If something bad did start happening, we would see it within a matter of hours, if not minutes."
We were very careful and slow to get into this world because it is fairly expensive, but I do not regret at all being there today. I just did a presentation for our board of directors on what we do for security. That was last night. I got quite a few questions from our board. One of the topics that we discussed was event management and logging. The question that came back to me was, "What else do you need to do in order to be more secure?" So, I felt that they understood what we had done and how we had done it. They were very supportive of any other features that we needed to take advantage of. Sometimes, it is just making sure that the people in management understand the risks and what is going on in the real world. That is how you sell it to them.
We put together the package of what we needed. It was based pretty much on the number of agents that we were deploying. If we needed to manage logging from certain specific applications, like Active Directory and SQL Server, there has been no additional cost for that. We had agents deployed for those specific servers and the applications were included, then there was just an additional installation that they had to do for us.
This was a lower cost solution for us. That was the main reason that we looked in this direction. When I bought a lower cost solution, I didn't expect it to deliver even the value that we are getting out of it. I talked to some of my counterparts and other utilities, who were using it, and they were very happy and satisfied with it. So, I haven't really looked outside of that box very much.
Tripwire and LogRhythm were the two vendors who had support for an agent that could watch an IBM i system server, which is a mid-range platform server. When we went to Netsurion, we looked around at some others, but Netsurion was the only other one that we found later on that supported that integration.
LogRhythm would probably have been a good solution as well. However, after talking to some of my counterparts, I decided that Netsurion would be a very good solution because they spoke very highly of it. They had been very pleased with its service as well as its managed SIEM service.
Netsurion Managed Threat Protection is more small business-friendly. It has been good to have a company who suggests things along the way without pushing things on us. For example, they will say, "Here is something that you want to do, but ask your auditors." My auditors can't tell me what we should be logging or watching. They can't tell me that. Maybe a Fortune 500 company's auditors can tell them that, but our auditors don't tell us that. We pay a lot of money to auditors every year, but they don't come in, and say, "Are you watching for every disabled login?" They don't give us that level of detail. Instead, I need people who understand a small business and the realities of working with a small business budget and are able to guide us on the number one, two, or three priorities, then tell me why those are priorities. After that, I can then take it back to our security auditors and financial auditors, and say, "Okay, here's what we are doing. Are we doing enough? Is there something that we are leaving out?"
It has been good to be able to work with people who are not high pressure on sales. They are not here to tell us that you need to do it a certain way. The door is open to whatever we want to do. Where we don't have the knowledge or experience with it, they have filled in those gaps.
The market is moving to where vendors are trying to be the single vendor who does it all for you. Frankly, I'm not comfortable with that. I'm okay with a vendor who doesn't do every piece of my security stack, because I don't really want that company. Other people may be looking for that, but I am not one of them.
It doesn't matter whether a solution is outside or inside the US. When we look at our firewall logs, most of our spam and ransomware attacks are coming from inside the US. That is where the majority of that traffic is coming from. We shut down everything from the outside that shouldn't have access. We determine who gets on our server and when they get on it. We control it as well from the outside as we would from inside the country. There doesn't seem to be any national barriers that seem to have anything to do with whether you are really secure or not anymore. Certainly, there is a lot of risk from certain rogue countries, but vendors are vendors, you just have to vet the vendor as well.
Everything in life is a risk. You need to determine what your risk tolerance is. In our case, we take the risk of not logging every single device on our network. We don't log the laptops of the guys who work in the field all day, then come in just to do payroll. We don't care what goes on their PCs, but we do care once it touches another server somewhere. Therefore, we log those servers. It is all about risk tolerance. At the end of the day, you need to balance your budget one way or another.
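The two detections this reviewer describes (a single account from one PC hammering the file server with wrong passwords, and logons outside the workday hours agreed at onboarding), as an added example that is not Netsurion's code nor the reviewer's own. It runs over constructed Windows Security-style event lines: event IDs 4625 (failed logon) and 4624 (successful logon) and the sub-status 0xC000006A (bad password) are real Windows values, while the pipe-delimited layout, host and account names, the 07:00 to 19:00 workday, the allow-list and the thresholds are assumptions made for the example.

```python
"""
Added example (not Netsurion's or the reviewer's code): two SIEM-style
detections over constructed Windows Security events, runnable offline.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta


def build_sample_lines():
    """Constructed log lines in a simplified layout:
    timestamp|event_id|target_user|source_host|target_host|status
    4625 = failed logon, 4624 = successful logon, 0xC000006A = bad password."""
    lines = [
        # ordinary Friday-morning activity (2024-03-08 is a Friday)
        "2024-03-08T09:02:11|4624|jdoe|WS-ACCT-07|FILESRV01|0x0",
        "2024-03-08T09:15:42|4625|mlee|WS-ENG-02|FILESRV01|0xC000006A",
        "2024-03-08T09:15:50|4624|mlee|WS-ENG-02|FILESRV01|0x0",
    ]
    # Burst modelled on the review: one account, one PC, one file server,
    # roughly three bad-password failures per second for five minutes.
    t0 = datetime(2024, 3, 8, 14, 0, 0)
    for i in range(900):
        ts = (t0 + timedelta(milliseconds=333 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts}|4625|jdoe|WS-ACCT-07|FILESRV01|0xC000006A")
    # Saturday night: a permitted service account and an unexpected human logon
    lines.append("2024-03-09T02:13:05|4624|svc_backup|BACKUP01|FILESRV01|0x0")
    lines.append("2024-03-09T02:30:18|4624|jsmith|WS-SALES-03|FILESRV01|0x0")
    return lines


def parse_events(lines):
    """Split the constructed lines into dicts; timestamps become datetimes."""
    events = []
    for line in lines:
        ts, eid, user, src, dst, status = line.split("|")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "user": user, "source": src, "target": dst, "status": status})
    return events


def failed_logon_bursts(events, threshold=100, window=timedelta(minutes=1)):
    """Flag (user, source, target) tuples with >= threshold 4625 events inside
    any sliding window. Two-pointer scan over each tuple's sorted timestamps."""
    buckets = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625:
            buckets[(e["user"], e["source"], e["target"])].append(e)
    findings = []
    for (user, source, target), evs in buckets.items():
        evs.sort(key=lambda e: e["time"])
        times = [e["time"] for e in evs]
        peak, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        statuses = {e["status"] for e in evs}
        # Triage heuristic, not proof: a steady stream of bad-password failures
        # from one host, all with the same sub-status, usually means a stale
        # cached credential (e.g. after a password change) rather than a person
        # or a password spray, which would vary accounts, sources or statuses.
        hint = ("stale credential on source host?" if statuses == {"0xC000006A"}
                else "mixed failure reasons; review manually")
        findings.append({"user": user, "source": source, "target": target,
                         "total": len(evs), "peak_per_window": peak,
                         "first": times[0], "last": times[-1], "hint": hint})
    return findings


def after_hours_logons(events, workday=(time(7, 0), time(19, 0)),
                       allowed=frozenset({"svc_backup"})):
    """Successful logons outside the agreed workday, or on a weekend, by
    accounts not on the allow-list agreed with the business at onboarding."""
    start, end = workday
    hits = []
    for e in events:
        if e["event_id"] != 4624 or e["user"] in allowed:
            continue
        t = e["time"]
        if not (start <= t.time() < end) or t.weekday() >= 5:
            hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_events(build_sample_lines())
    for f in failed_logon_bursts(evs):
        print(f"BURST {f['user']}@{f['source']} -> {f['target']}: {f['total']} "
              f"failures, peak {f['peak_per_window']}/min ({f['hint']})")
    for h in after_hours_logons(evs):
        print(f"AFTER-HOURS {h['user']}@{h['source']} at {h['time']}")
```

Against the constructed input this flags the jdoe/WS-ACCT-07 burst with the stale-credential hint and the Saturday 02:30 jsmith logon, and leaves mlee's single typo and the allow-listed backup account alone. In a real deployment the bucket keys come from the 4625 event's Target User Name, Workstation Name (or Source Network Address) and the collecting host, and the Sub Status field carries the 0xC000006A value; the point of the hint is exactly the distinction the reviewer draws, that thousands of identical failures with no lockout are an operational fault worth a same-day heads-up even when the SOC correctly judges them not to be an intrusion.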
Having a managed SOC reach out and contact us when something pops up is useful, since we're not, as IT staff, able to have eyeballs watching for things. We are dealing with staff, devices, services, etc. all the time, so we are not able to watch for things. There is also not the expertise available all the time for all our escalations of threat management. Having someone who can notify us, "This is urgent. I will call (or email) them based on the runbook that we have," and, "I need to follow up in however many days," depending on the urgency of the issue, has been really helpful.
Given that the solution is passive, it hasn't had much impact other than occupying space on our server infrastructure.
They offer 24/7 monitoring and alerting with the understanding that our boots-on-the-ground staff are not 24/7. Being that it is passive, if they are calling us to do something, then depending on the time of day or even the day, our staff aren't working. We don't have a 24/7 rotation, given that there are only two IT staff positions for the entire organization.
Netsurion gathers the logs from our Sophos cloud provider, amalgamating them all into our on-premise SIEM. Then, the SOC is performing all the analysis, reporting, and alerting for us. This is pretty important given that we have very limited staffing, so we need to be able to have that handled for us.
There haven't been a lot of incidents in the last six months, which has been nice. Most of the incidents that we have reported have been false positives in the last few months. It has been quiet since August.
Its threat detection and response is pretty good.
We had a staff member who downloaded something, and I can't remember if they had had the authority to install it in this scenario. Anyhow, they downloaded something and were running something that was connecting to services in Europe which had a bad public reputation. The database or listing that they had referenced was either malware class or spyware. The visibility of seeing somebody had downloaded something that they weren't supposed to, and they weren't following organizational procedures for software procurement, was very helpful and useful.
The threat detection and response is passive. We have asked if there were options for taking action, and we have not gotten any feedback on that, which would be useful to know. Depending on the situation and threat, some actions may not be possible, but we haven't gotten any feedback on what options could be directed and actionable with the understanding that it may have an extra cost.
It would be nice to know or find out if it is actually possible to take actions by a SIEM service or a SIEM agent. To clarify, we did get a price quote but not a demonstration. I was hoping for a demonstration of what exactly was possible and doable. We did get the pricing for it, but I was hoping for a demonstration of what it would actually look like.
We started using it in 2019.
The stability has been mostly okay. There have been the odd times where agents weren't able to report in. For example, there was the odd time where the software agent had issues on clients, then reported as offline or not reporting, even though it was online. That was a bit annoying at times. The hosted on-premise hardware that we were using was having issues. This is the only time that I will call "Fault" to the hosted SOC. The performance of it was horrendous, but we weren't using it. It was being all done through the SOC and the performance was horrendous. If it was that bad, why wouldn't they have perhaps said something? Why were they struggling with delivering reports or fighting with the server on our behalf? If it was struggling that bad, why wouldn't they have said, "Hey, this machine has problems. We need to do something about it"?
We didn't know or do anything about it until we needed to check on something, then realized that the performance on it was horrendous and there were severe hardware problems with the server. Then, that spiraled into actually replacing it and the SOC team didn't mention anything. So, that was a bit of a frustration. If they were struggling with something that bad, then why didn't they say something?
The bigger false positives have been when we are doing things, such as actions, remediation, or normal operations through our remote management system. It can sometimes trigger a whole bunch of alerts by scripts, and that is expected. We quite often inform the SOC center, "This is expected behavior. This account is supposed to do these things."
Any time something comes up with a false positive or was unexpected, the managed SOC team follows through and asks, "What's going on?" Then, we will do an update to say, "Yes, this is expected behavior." We keep updating the runbook anytime there are false positives, and they get to know us a bit better.
We had an antivirus, a firewall, and anti-malware previously, but we didn't have a threat management system before Netsurion.
The 24/7 monitoring and alerting has been a huge step up, given that we didn't have anything before. This was our first step into having an enterprise-level security threat monitoring system in place, which was a huge step forward as they provide actionable threat intelligence. The next step would have to be something that can take some sort of action.
The MITRE ATT&CK Framework wasn't something that we were aware of when we started with Netsurion. Our remote management system has MITRE scanning and mitigation measures as well. While Netsurion hasn't identified anything, it is still nice that it is there.
The initial setup was very straightforward. I have my own in-house expertise and experience when dealing with some log collection services. I know all the infrastructure. I handle all the infrastructure. From our standpoint, it was relatively straightforward because we are not that big of a shop.
Start-to-finish, the deployment took a while. It was over the course of several weeks, given that they had to schedule their staff as well as our staff because of the boots-on-the-ground stuff that we had to do. So, it did take time over the course of several weeks.
Their SOC team had a number of documentation guides. The only one that we struggled with was the Office 365 integration, given that Microsoft keeps moving a number of the admin tools around into different places. Office 365 is going through some fairly frequent adjustments, updates, and changes every couple of quarters. By the time they had published something, we had actually done some of the Office 365 integration parts. They needed to remote screen share with us to walk us through, because everything was in different places.
Their assistance meant we weren't fighting to get stuff working.
The MITRE ATT&CK Framework has affected the time it takes for us to identify and understand sophisticated threats. It has definitely sped things up within the organization. There is just not the in-house expertise to deal with it, understand it, or communicate it to higher ups.
We don't have the eyeballs available to stare and watch for things, or even have the capability of building internal alert systems. So, the managed SOC has been huge for freeing up staff to work on other responsibilities. We are saving on at least one full-time employee.
I would rate the SOC component of the solution as 10 out of 10. It is needed.
Our budget follows the calendar year. We just started a new budget year at the beginning of the month. We did budget for an increase in our threat management system selection. Therefore, we have the budget to implement and accommodate a threat management system change, including an increase for the quoted actions that we received to improve Netsurion. We are just waiting on our council to approve that budget, which might not be for a little while. Hopefully, when they do, we will be able to jump on doing something.
We had a bunch of data security incidents with staff clicking and opening things that they weren't supposed to. We started a security awareness program in 2021. We got a fair bit of traction, which was good and has helped, but we still wanted to pursue some type of threat management system. We looked at three different systems: Netsurion, Trustwave, and LogRhythm. Netsurion was the only one where we could get a good demonstration and quote that was close to our budget. That is why we ended up going with it.
Whatever type of organization you are, and whatever level of risk tolerance your organization has, if you say that you don't need threat protection, then you probably don't understand the situation fully.
Excluding false positives, the accuracy of remediation is pretty straightforward. Things like Exchange Server security vulnerabilities, which came out last year, had all the details included. That came out very well.
Right now, with Netsurion, a number of their staff are based in India, and there are no concerns with it. They are signing the appropriate NDAs and going through the appropriate certifications for data security and data privacy. As long as they are doing those types of things, there are no concerns on my part as long as they are able to monitor things in our time zones.
I would rate the solution as seven out of 10. There are definitely areas for improvement. I know for sure that all the areas of improvement aren't solely with the SOC and the product. A lot of it is probably implementation issues and issues within our organization, as this is our first crack at using a threat management protection system and dedicating the appropriate amount of time, attention, and thought to it. Some of that is probably on us. However, we have had struggles. At times, we have needed to think, "Is that because of you or because of us?"
It's a managed SIEM. It collects our log information, events from different systems. That information gets analyzed to alert us to any problems that are typically security-related issues. We use that database to do our own research as well. For instance, it's handy for figuring out why somebody keeps getting locked out.
The 24/7 monitoring and alerting is definitely a positive because we don't have to have it in-house. These days, finding security people and keeping them is even more of a challenge than it was two years ago.
Netsurion also provides us with actionable threat intelligence. If an endpoint visits a site that tries to do a download, a "drive-by" type of situation where it tries to run an obfuscated URL through a PowerShell or the like, we'll get an alert from the SOC so we can take remediation actions for that particular endpoint.
Our detection time is shorter than it was, and they're well within the SLA for both detection time and remediation. Since MITRE was added in, we haven't seen anything take longer than it's supposed to. The detection times are short, and alerting times are also very short. And while the addition of MITRE hasn't increased remediation accuracy, remediation accuracy has always been good with Netsurion. When it's already good, if it only gets a little bit better, it's hard to measure that.
In addition, the fact that this is a managed security solution has definitely freed up my time to work on other responsibilities. If we didn't have the managed component, I would probably have to spend most of my day in the SIEM, personally. Now, I only have to turn to it once in a while. It has freed up most of my time to work on other projects instead of managing the SIEM. It saves close to 75 percent of an FTE in our existing staff and we also haven't had to add staff. To get 24/7 monitoring, we'd have to have at least three people with no vacations for those people. That would add up to a whole bunch of FTEs.
The fact that it's a managed solution is very valuable to us, having their SOC do 24/7 analysis and alerting. The SOC is a very important component of the solution. They are responsive when we have questions or when we want something to be analyzed further. We also have periodic reviews with our primary liaison of the state of the solution and the offerings of the SOC.
When it comes to threat detection and response, it does a very good job detecting and blocking on its own. And the SOC is a nice added value because they're doing analysis on things that aren't as obvious, on things that you can't just detect with a signature or behavior. Also, any SIEM will come with a lot of noise, so having them do a lot of the initial analysis to find out what's critical and what issues are false alarms is very good.
An important feature that is more specific to the product itself is the EDR component. We get analysis, blocking, and remediation for endpoints. It also does known and unknown malware blocking on its own. It's nice to have another layer of analysis and security from the agent as well.
Everything that I've wanted has been added in. EDR was added, and MITRE was added. Those were two big ones that we didn't even have to push for.
Other than updates, there has been no downtime. It is very stable.
I'm not concerned about its scalability. It's very scalable. We could grow greatly in size, and it would just continue to work for us. It's now used everywhere, throughout our organization. There are some additional paid features that we don't have, but we're using everything that we have licensed.
Our account representatives within Netsurion, and the handful of people I deal with in the SOC on a regular basis, are familiar with our company and our previous issues. I talk to the same people all the time. Obviously, there has been some turnover throughout the years and people get promoted, but our account manager became a manager in general, and I still talk to him. He still reaches out to me to see how things are going. It's not just a bunch of different names being thrown at you every time.
Positive
Using Netsurion has not meant we have consolidated cybersecurity technologies. We haven't eliminated anything. We added Netsurion into the environment, because nothing catches everything. We were not even looking for something that would replace everything else we had. We wanted the enhancements that we would get from a managed SIEM, versus keeping everything in-house.
Additional layers and different technologies are looking for different things. Netsurion deploys a technology and algorithms that we didn't already have. And the 24/7 monitoring with the SOC was another reason to add it to our environment.
The setup was pretty straightforward. They needed to learn about our environment and I needed to provide a fair amount of information for that. We set up a system for them, and they did the configurations, primarily, and have continued to maintain them. We had an account rep, not a sales rep, but an actual Netsurion manager, who worked with us and their SOC and did the project management on their end. He worked directly with me and we had a number of web meetings and phone calls until it was up and going. Anytime there's a new version or new features, I'm still talking to the same guy.
Their assistance in the onboarding process certainly helped with the product's time to value. It would have taken a lot more time to set it up if we were doing it by ourselves. The setup required about 20 hours of my time and we had data coming in and being analyzed within a week, maybe a little longer, of the beginning of the project. It didn't take very long to get the core system up and going. After that, it was a matter of configuring all the systems in our environment to start reporting to it.
They maintain the system itself, but we have to make sure that clients are reporting to it. You get a report and, depending on the service level, a report you can run yourself anytime you want. It's very easy to run, and you get a list of non-reporting systems. For example, we can see that Bob has been on vacation for two weeks, so it makes sense that his computer hasn't reported in for two weeks. But Joe has been working every day from the office for the same two weeks, and his computer hasn't reported for the last three days, so something probably needs to be looked at on Joe's computer.
We haven't been hit by any surprises when it comes to pricing and licensing. You are paying for different levels, especially as far as the monitoring goes and how often you review it with the team. The other factor that figures in is how many nodes are on your network, such as clients, network equipment, servers, etc. There are some additional pieces on top of that, but it's laid out pretty simply, as far as how much you're going to pay for a node. And if you want an additional feature, they tell you how much you pay per node to add that on.
We looked at a few solutions but we narrowed it down quickly to Netsurion. The features offered by the various solutions were pretty close in parity, but Netsurion, at least at that time, had an edge on pricing, and we liked the initial conversations that we had with them.
Netsurion didn't integrate the MITRE ATT&CK Framework when we brought it on, but it was added afterward. As MITRE solidified into a pretty important framework, I reached out to Netsurion and asked when it was coming, and it was coming in the next release. They were on top of it.
As for someone being concerned that the solution's SOC is outside of the US, it hasn't been a concern for us. It's 24/7. If the concern is more national or regulatory, you have to follow what your rules are. But if you don't have any regulations or laws restricting you, I wouldn't hesitate just because the SOC isn't in the US.
If a colleague at another company said he's not sure that they need managed services, part of that conversation would be about what kind of staffing levels they already have and if they already have 24/7 in-house security monitoring. If not, do they think the bad guys only work from 8:00 to 5:00 Eastern?
It's reliable. It works. With the managed component, we get that personal attention and that consistent team to deal with. To some extent, it's like they're part of our IT team. They're not in our buildings or working with us directly day-to-day, but in some respects, it's close to that.
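The non-reporting-systems check described in this review (a silent agent is expected when its user is also away, but worth a look when the user has been logging on) can be scripted against any agent-inventory export. The following is an added illustration, not Netsurion's report or code; the host names, users, timestamps and the two CSV exports are constructed, and the 24-hour thresholds are assumptions you would tune to your own check-in interval.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not Netsurion output).
# One line per host: host,last_agent_checkin (ISO 8601, UTC).
AGENT_CHECKINS = """\
bob-laptop,2024-03-01T16:05:00Z
joe-desktop,2024-03-12T08:10:00Z
svc-web01,2024-03-15T07:55:00Z
"""

# One line per host: host,primary_user,last_interactive_logon (ISO 8601, UTC).
# ann-laptop appears here but has never checked in at all.
USER_LOGONS = """\
bob-laptop,bob,2024-03-01T15:30:00Z
joe-desktop,joe,2024-03-15T07:42:00Z
svc-web01,-,2024-02-01T00:00:00Z
ann-laptop,ann,2024-03-14T12:00:00Z
"""

# Fixed "now" so the example is reproducible offline.
NOW = datetime(2024, 3, 15, 9, 0, tzinfo=timezone.utc)


def parse_ts(text):
    """Parse a Zulu ISO 8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_checkins(csv_text):
    """host -> last agent check-in time."""
    result = {}
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, ts = line.split(",")
        result[host] = parse_ts(ts)
    return result


def load_logons(csv_text):
    """host -> (user, last interactive logon time)."""
    result = {}
    for line in csv_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, user, ts = line.split(",")
        result[host] = (user, parse_ts(ts))
    return result


def triage_silent_agents(checkins, logons, now,
                         agent_gap=timedelta(hours=24),
                         user_active_within=timedelta(hours=24)):
    """Classify hosts whose agent has been silent longer than agent_gap.

    'expected'       - agent silent and the user has not logged on recently either
                       (the "Bob is on vacation" case)
    'investigate'    - agent silent but the user has logged on within
                       user_active_within (the "Joe's machine" case)
    'never_reported' - host is known from logon data but has no check-in at all
    Hosts reporting within agent_gap are not returned.
    """
    findings = {}
    for host, last_seen in checkins.items():
        silent_for = now - last_seen
        if silent_for <= agent_gap:
            continue  # reporting normally
        user, last_logon = logons.get(host, (None, None))
        user_active = last_logon is not None and (now - last_logon) <= user_active_within
        findings[host] = {
            "status": "investigate" if user_active else "expected",
            "user": user,
            "silent_for": silent_for,
        }
    for host, (user, _last_logon) in logons.items():
        if host not in checkins:
            findings[host] = {"status": "never_reported", "user": user, "silent_for": None}
    return findings


if __name__ == "__main__":
    report = triage_silent_agents(load_checkins(AGENT_CHECKINS), load_logons(USER_LOGONS), NOW)
    for host, info in sorted(report.items()):
        print(f"{host:12} {info['status']:15} user={info['user']} silent_for={info['silent_for']}")
```

Run as-is, it flags joe-desktop for investigation (silent three days while joe logged on this morning), marks bob-laptop as expected, reports ann-laptop as never having checked in, and stays quiet about svc-web01, which is reporting normally. Swapping the constructed CSV text for a real agent-inventory export and a logon report from your directory is the only change needed to use it.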
We use Netsurion to find out what's going on in our environment. It lets us know if we have strange actions acting out. It's a deny-all policy, so there's an access list on each machine. It was effortless to tune it for our software because we have four pieces of intellectual property used in-house, and that was super easy to get up and running compared to some of the other solutions I've seen. For the most part, it's set-it-and-forget-it protection.
We've been under attack since the day we opened. Our company has a web base that hosts more than 100 different websites, and we're constantly facing attacks — our mail servers too. Of course, we knew we were under attack, but Netsurion provides excellent visibility into how often it's happening and what services they were using. We had a relatively decent idea of that ahead of time, but it solidified a lot of issues we thought we had and allowed us to tailor some solutions to mitigate those issues a little bit easier than it had been when we didn't have all the actionable intelligence.
You can't protect against what you don't know. My instincts told me certain issues were happening. There were a couple of records of it here and there, but it's easier to zero in on what you need to do if you can see what attacks are occurring and how often. It helps you identify gaps you may not be aware of. Netsurion helped shore up our security posture by verifying that some of the initial steps I had taken to protect us against some of these outside attacks were correct. I don't want to go into it too deeply, but it also showed us the usefulness of some best practices out there that many people aren't following.
It also gave me some insight into what the attacker is going through. When I looked at the thousands of logins we get a day, I was surprised to see the different languages attackers were using. I thought that was kind of interesting, but for the most part, it showed that many of the early countermeasures we put in place 20 years ago were still protecting us effectively versus a lot of the threats out there.
We've been able to consolidate cybersecurity technology for our endpoint security. It's a deny-all policy. We reinforce it with other products behind it to ensure that nothing's getting through, but it was still a paradigm shift for us. Instead of just using signature-based threat protection methodology, it allowed us to really get a better grip on what was running inside of our network. That includes some attacks that aren't even nefarious, but just some chatty stuff. We were able to clean up our network a little bit based on some of the things we had seen.
It helps that everything's in one pane of glass by limiting the number of dashboards we have to look at. Consolidating services really helped us gain C-level buy-in. This wasn't just to monitor logs and check for some malicious entries — it was a complete solution that allowed us to recoup monies in other areas because we could consolidate everything in one product.
Netsurion's managed security didn't reduce the amount of time we had to devote to everything else, but it supplemented our visibility, giving us the ability to see more than we could on our own. They also got us up and running in a week, whereas we would've probably spent months trying to get this running with the resources we had at the time. Even if I were fully staffed, this would have been a difficult task for us to pull off on our own. So while I won't say that it freed up my staff to do other tasks, it saved me from having to assign staff or take staff away from current projects they were working on to get this implemented and keep it running. I know it would've taken a lot of my time, at least two to three weeks, plus the time of my techs.
It's good to have the SOC team analyzing, monitoring, and getting reports that have actionable items. We were a small shop, to begin with, and when the pandemic hit, we lost 60 percent of our workforce, including my department and the other technology services departments here. We needed something actionable to get an assessment of our threats, what we needed to do, and where our vulnerabilities were. It exposed us to issues we knew, but it could give us accounts.
The threat detection and response are excellent. It shows you exactly where you're vulnerable, and it helped us get some of our early PCI compliance laid out, too. We're doing internal PCI scans now based on what we originally discovered with this product, and it's a necessary piece of our overall threat protection landscape. I had known for years about specific surface attacks I wanted to limit or certain servers I tried to get rid of because I felt like it was exposing us to too much liability or possible liability on the internet. This just pointed me in the right direction to show me that my instincts were correct in what I was seeing. It gave me something actionable I could take back to the VP or my CFO and say, "Listen, this is exactly what we need to do."
I also like that the monitoring is 24/7. It never stops. Netsurion helps with the MITRE ATT&CK framework. It gives us a lot of that. It doesn't scan inside and give us reports like my other PCI compliance scanning tools do, but it gives us a base idea of what's going on in those machines and where our surface attack vector could be. The embedded MITRE ATT&CK framework helps us pinpoint exactly what we should be looking at. It's nice to have a vehicle that drives you to where you need to be, and you don't have to find a map to get things settled up at the last minute.
I would like to see more communication with the SOC. I believe they are communicating quite a bit, but I think that relationship could be better. There was maybe one person, and I don't know if they can afford the time. We get a report generated on a particular day of the week and we go through it, trying to mitigate problems and make sure we're seeing everything that's happening. It would be helpful if the SOC spent a little more time with us going through some of those reports.
We have been using Netsurion for around 18 months.
I've never known Netsurion to go down.
We haven't had to scale up. We needed to scale down, but I haven't seen problems scaling this. If we could afford to expand our usage of Netsurion's products, we would. There's another product they offered us called Deep Instinct. It just didn't fit into our budget, but I would love to have it. There's more I'd like to do with Netsurion once our budgets get back intact.
I give Netsurion's support an eight out of 10. I never give a 10, so eight is a relatively high mark for me because I always think there's room for improvement no matter what you're doing. They're great. It may take 24 hours to get a response on something we need, but they do respond and they take care of problems rather quickly. We're working with a team in India, so there is a large time difference. My team probably should be working overnight when we're working, but I'm always wondering if we kind of cross over where they're leaving early in the morning when we're coming in, or maybe we're coming in and they're on a skeleton crew when we're on. That'd be the only thing: sometimes it does take a little bit of time to get an answer, but I would say we're getting answers quickly enough 90 percent of the time.
The SOC component is crucial. It's nice to know that I can reach back out to them if there's something we don't quite understand or something we're not getting. We know we have a team we can contact and get help to ensure we're mitigating things correctly. In the time we've been working together, I've found that I do like the SOC team. They're a good bunch of folks to work with.
Additionally, we do quarterly follow-ups and everything, too. I think the SOC is an essential part of it, and I believe the Symphonic portion is equally important. You can have the SOC, but if you're getting a bunch of noise, the SOC isn't going to be able to do much. The fact that the SOC then takes the time to filter out a lot of the noise and then gives you that directed report is beneficial.
The SOC understands the peculiarities of our environment. They are an active partner whether or not they agree with our idiosyncrasies. We're getting a lot better at working with them to manage threats now that we've been doing it for a couple of years, but at least initially there was a lot to go through. The SOC was also instrumental in helping us with the onboarding process. We worked with them to get some agents installed, and they had us up and running fast.
They showed us how to make sure that we were only listening for things initially and not blocking anything. It was super helpful. Again, it was a two-hour call compared to three to four weeks of our time and then on top of it, another six months of monitoring beyond that. At least they have the knowledge of the tool that they know initially where they need to start quieting it down, where we wouldn't have had that knowledge to start off with.
It's not much of a problem for us that the SOC is located outside of the United States. I would say that's life nowadays. Maybe pre-pandemic, that would've been a big concern. I have a friend that owns a US-based SOC that I also work with, and he is having a hard time staffing it. It's hard to find technicians in the United States. You're going to have to make some trade-offs in the number of people who can help you work your solution and maybe some coverage because of the lack of technicians available if you're really concerned about keeping things inside of the US.
Positive
We were collecting event logs into our RMM product that we used to patch and maintain our systems, so we received alerts that way. However, it was all emails, and we'd have to sift through it to decide where the problems were and what was happening. It was more reactive compared to what we're doing today with Netsurion. We can be more proactive because we know where the patterns have been in the past. We know what we're seeing, we have a better idea of where to place our assets strategically, and we know how to protect those assets.
Netsurion was easy to deploy. I have worked with other systems that were a little less complex, but they weren't quite as easy to deploy. It's on every machine we have in the enterprise, so technically, every person I have in this company is using the software, whether they realize it or not. My entire team is involved in going through reports and remediating.
We didn't have to do anything. Netsurion did everything. We sat down, we told them, "Here's what we feel are our key pieces of software. Here's what we've designed." They showed us how to exclude that inside of their software. I want to say that we did 30 days of just listening to the network and bringing them reports. From our side, we mostly conferred with them initially and spent time with them explaining what intellectual property we had running and what programs were essential to use on the network. It was super simple.
If we were to do this on our own, we would need at least one full-time person in a high salary range, so $80,000 to $150,000. That would be a security analyst at minimum.
Any security solution won't be cheap, but I think Netsurion is well placed to make it affordable on any enterprise's budget.
We looked at other solutions, but nobody had a comprehensive SOC and fine-tuning like Netsurion. I had even used some other solutions before this in some trials when we were getting ready for a tool like this. As far as I know, I may have found one or two later after we implemented this that offer some of the same features, but I still think this is the best solution for the money.
I'd rate Netsurion nine out of 10. It's not a fancy product, and I don't mean to say that it's not comprehensive or it doesn't do what it needs to do. I guess what I'm trying to say is it's like driving an old Chevy Nova. It's easy to work on. If something goes wrong, it's easy to fix, and it gets you down the road. Netsurion does a good job, and it's reliable. I haven't known it to ever go out on us.
If someone is wondering why they should implement Netsurion, I would say, you don't know what you don't know. That's what it comes down to, and it's a matter of whether you want to sleep easy at night thinking you've done enough. You know how bad it is out there and that these attacks never stop. We get thousands of attacks daily, and we're not a big company. We're a US-based company that isn't in a volatile field. Our significant lines of business are restaurants, health clubs, and travel. You wouldn't think that is a huge target, but we had almost a quarter of a billion attacks against us last week.
A lot is happening out there, and it's nice to get some affirmation from the executives that everything you've done is working and keeping you safe. It's also giving you some benefits you may not be thinking about, so you know where you might have to apply some of these new things or come up with some new best practices that will work out better for you going forward.
Your SIEM is only as effective as the reports you get out of it and the actionable items you can get from it. While you can spend a lot of time and energy doing this yourself, it helps to have a professional team on your side walking through this. Maybe after three years, we won't need the entire SOC, but I can't see that happening. It's better to have them generating these reports for me than one of my teammates having to go through this and spend all week doing this as their job. We have to wear too many hats here to be able to commit to a person like that.