Security Specialist at a tech vendor with 10,001+ employees
Streamlined alert analysis with intuitive resource selection and an easy setup
Pros and Cons
- "We can select the resource group name or functionality directly of which type of security tool logs we want. We don't need to write the query for that; we just have to select."
- "I face slowness issues sometimes."
What is our primary use case?
We have created correlation rules. When the condition matches, we get the alerts. We start analyzing the alerts and then create tickets for it in ServiceNow. We have also created dashboards in Securonix. If any breaches of data or unpredictable work is detected, it will show in the dashboard.
How has it helped my organization?
Securonix is a money-saving tool. Its price range is very low compared to other tools.
What is most valuable?
The most beneficial feature is the option for a resource group name. We don't have to type the query specifically. We can select the resource group name or functionality directly of which type of security tool logs we want. We don't need to write the query for that; we just have to select.
What needs improvement?
I face slowness issues sometimes, especially when we write a query to search specific logs from the resource group. Apart from that, there should be GUI changes.
Buyer's Guide
Securonix Next-Gen SIEM
May 2026
Learn what your peers think about Securonix Next-Gen SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,644 professionals have used our research since 2012.
For how long have I used the solution?
I have been working with the Securonix solution for eight to ten months.
What do I think about the stability of the solution?
Securonix is stable, yet sometimes there is slowness.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
We are not raising any questions with customer service or support.
Which solution did I use previously and why did I switch?
I was using Splunk for six months.
How was the initial setup?
The initial setup was straightforward, and I did not face any challenges.
What other advice do I have?
For new users, it is good to use. For experienced users, they need fast query resolution; otherwise, it will be difficult for them to use. It does not require much maintenance.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Services Sales Consultant at Alpha
A stable solution in the SIEM and SOC space that can be deployed with ease
Pros and Cons
- "The solution has proven to be stable so far...The solution is easy to scale up."
- "The technical support of the solution is an area with shortcomings and needs improvement."
What is our primary use case?
Our company does manage a stock of solutions for our customers. We use some tools like Splunk SIEM and some other technologies as well.
What is most valuable?
The reason why a customer chooses the solution for its features depends on the customer. Customers may choose it based on budget or the features they're looking for, and it varies, honestly.
I am from the sales team and the technical team, because of which I can't speak much about its features.
What needs improvement?
Customers may plan their next year's budget. If customers find that they haven't derived value from the solution, they might think about the prices, and then they would reevaluate the solution, after which they choose another solution.
The technical support of the solution is an area with shortcomings and needs improvement. My customers didn't face any issues regarding support from the solution's vendor, but it could be from the partner or from those providing support for the solution. Support could be more flexible, and they can delegate the support part of their operations to partners.
For how long have I used the solution?
I have been using Securonix Next-Gen SIEM for three or four years. My company acts as a system integrator and reseller while also having a partnership with Securonix.
What do I think about the stability of the solution?
The solution has proven to be stable so far.
What do I think about the scalability of the solution?
The solution is easy to scale up.
My customers who use the solution are enterprise-sized businesses.
How are customer service and support?
Technical support for Securonix is good. I rate the technical support an eight out of ten. I don't give a ten out of ten rating because all the solutions need a marginal score to improve. None of the solutions would have a hundred percent satisfaction from customers.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I work with Splunk. The pros and cons of a solution depend on its features, customers, and the scale of the customer.
How was the initial setup?
As per our technical team, the initial setup was fine. It wasn't really difficult.
I am from the sales department, so I don't get involved in the implementation.
The solution is deployed on-premises.
What's my experience with pricing, setup cost, and licensing?
Pricing of the solution is an aspect that depends on a customer's budget. Sometimes the price fits a customer's budget. At times, the solution's price becomes a huge burden on the customer.
A yearly payment has to be made toward the solution's licensing costs.
Additional costs other than the solution's licensing costs are for the installation and support.
I rate the pricing an eight on a scale of one to ten, where one is cheap, and ten is very expensive. It is a pretty expensive tool.
What other advice do I have?
The solution requires maintenance, and the people required for maintenance depend on the applied or rolled-out solution's size. If the solution is applied at a larger scale, more team members are needed for maintenance. It is not difficult to maintain the solution.
I recommend the solution to those planning to use it since it is a good solution in the SIEM and SOC space. Some different providers or vendors also work in the SIEM and SOC space. The customers or potential users should evaluate a product before buying it, and everything would be fine.
The solution can fit all sizes. It's not only for enterprises since you'll find some SMBs looking for solutions like Securonix Next-Gen SIEM, but it will be a bit expensive out of their budget. Usually, SMBs don't place a budget for SOC since they can go for a managed SOC. Securonix Next-Gen SIEM could fit the requirements of SMBs as well.
It is a good product that needs to improve.
Overall, I rate the solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer. Reseller
Security Developer at a tech consulting company with 201-500 employees
Enrichment of event data via connectors to Third Party Intelligence has made investigations more efficient
Pros and Cons
- "The UEBA functionality indicates a lot about behaviors that are not found through a traditional SIEM. We have exploited that more than anything since we started using it."
- "It seems to me that within Securonix there is no option for completely visualizing the types of sources or if there is any loss of logs. I've heard that they have an additional module to validate those types of cases, but in terms of the platform itself only, I can only see how often it sends data but not any specific detail."
How has it helped my organization?
Securonix provides us with a fine-tuned environment. It helps eliminate false positives with certain parameters.
It is a SIEM that works automatically when it comes to behavior and the analysis of certain parameters that we did not have visibility into before. It is very productive for our business. So far, from what we have seen, Securonix is very useful.
Securonix provides "enrichment" of event information thanks to connectors with Third Party Intelligence and that has helped to make us more efficient in our investigations. Threat hunting that used to take two to three hours can now be done in less than one hour because we have certain graphs configured within the platform that allow us to search for more detailed events in a shorter amount of time. The training we have received has been absorbed quickly by our analysts and we have managed to do more in less time.
Another benefit is that, as a SaaS environment, it allows us to free ourselves from support issues. We escalate everything directly with Securonix.
What is most valuable?
Among the most valuable features are its
- reporting capacity
- graphics
- UEBA analytics.
The UEBA functionality indicates a lot about behaviors that are not found through a traditional SIEM. We have exploited that more than anything since we started using it.
The autonomous threat sweeper also seems very good to me. It is a very striking and productive tool for our business. It's highly important to implement ATS because it allows us to scan for specific events that may happen.
Also, the ease of searching that the Spotter tool offers us is a welcome feature and the data insights have been very useful for our research work.
What needs improvement?
It seems to me that within Securonix there is no option for completely visualizing the types of sources or if there is any loss of logs. I've heard that they have an additional module to validate those types of cases, but in terms of the platform itself only, I can only see how often it sends data but not any specific detail.
For how long have I used the solution?
I have been using Securonix Next-Gen SIEM for six months.
What do I think about the stability of the solution?
We have not had any major problems with the platform since we started working with it. There has only been one problem that had to do with something that did not load on the platform, but that was it.
We have had no problems ingesting all our log sources.
What do I think about the scalability of the solution?
Being a cloud environment, it gives us unlimited scalability. When we have integrated larger sources we have not experienced any problems.
How are customer service and support?
We have had some slightly delayed response times from technical support, but it is nothing out of the ordinary.
Which solution did I use previously and why did I switch?
We use platforms such as RSA enVision, QRadar, and McAfee. We have not eliminated these platforms but we are more inclined toward Securonix because it provides us with UEBA analytics, which is something that we have not been able to exploit as much on other platforms. The solution's UEBA data analysis is what caught our attention.
How was the initial setup?
I was involved in a certain part of the implementation that focused on the RING installation. The implementation was simple. They shared an interactive manual with us and there were no problems. Onboarding the sources was not such a complicated process. We needed three to five employees for the implementation.
They also provided guided training in which a representative from Securonix helped us with the queries we had.
Maintenance is mostly managed by Securonix. We are hardly involved in it.
What was our ROI?
More than anything, we have seen ROI thanks to the metrics we get from Securonix.
Which other solutions did I evaluate?
Securonix is very user-friendly and intuitive. In terms of nomenclature, it is very easy to understand where the information you want is located. Compared to other platforms, there are several UI qualities in favor of Securonix. It puts everything at your fingertips and the options tab is very accessible.
In terms of reducing false positives, we have not seen much difference between Securonix and other platforms at the moment.
What other advice do I have?
Information about Securonix is all available within the online documentation and it enables you to get to know the platform independently. It is very beneficial if you're looking for a high-quality SIEM.
The most important thing I have learned by using Securonix is the exploitation of UEBA analytics. I had not seen that in another SIEM and it has been a definite benefit for me.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
IT Project Manager at a manufacturing company with 10,001+ employees
Behavioral profiles help us identify somebody who is engaging in anomalous behavior
Pros and Cons
- "The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects... It's very easy to see people's patterns, what they typically do."
- "[The solution has] incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it."
- "Our company very much sees the value in this and, as we move forward, we'll see even more value."
- "We have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that."
What is our primary use case?
We use the solution for protection of engineering intellectual property. We currently look at engineering data in two systems, one a commercial system and one which is a homegrown system.
How has it helped my organization?
We've seen a couple of circumstances where people accessed data, especially in our internal application, and we weren't sure how they did it, because they shouldn't have been authorized to access it. We actually found a backdoor on our side. Their access did not go through that backdoor intentionally, but they did find a backdoor way to get the data. We shut that one down as soon as we found it.
The other thing we do, where it's been a big help, is that we have people who, from a process standpoint, bring down a ton more data than they should. They aren't doing something malicious, but there are ways to bring down simplified data subsets. We've been able to educate the users to take down simplified sets. In essence, that saves them time and effort in having to bring all that data down and then call it up and use it. It's really tough to put hard numbers on that but we have certainly seen a reduction in the amount of these high-volume downloads and it's really been because of a process change on the part of the users.
What is most valuable?
The most valuable feature is being able to look at users' behavioral profiles to see what they typically access. One of the key events that we monitor is people's downloading of objects, files from either the engineering or the homegrown application. It's very easy to see people's patterns, what they typically do. The system might identify somebody who is engaging in anomalous behavior. Especially with the product's rev 6, there are a lot of tools to go in and do investigations, even without talking to the person, to try to determine what were they doing. Is it a case that they normally don't do something but this looks like a legitimate action, or is it something we need to investigate? That is pretty neat.
What needs improvement?
It's tough in some cases for the solution to do it, but we have a lot of users who, because they're engineers and they're bringing down product data - where, at times, a top-level product could be 10,000 or 15,000 objects - it's difficult for us to determine what should be a concern and what shouldn't be a concern. We work with the Securonix folks to try to come up with better ways to identify that. That's a difficult problem to solve because it's very application-driven and very user-driven, based on what the user's role is.
For how long have I used the solution?
We started our implementation in October of 2016. We are currently on Revision 6.2 of Securonix using the SaaS cloud version.
What do I think about the stability of the solution?
The stability has been pretty good. On rev 5, once we got it going, it was very stable. We didn't find very many issues.
As we go from rev 5 to rev 6, the architecture's a little bit different and we have run into a couple of issues which they are in the process of fixing. Once those are fixed, we'll discontinue use of rev 5 and use rev 6 because we feel comfortable with what we're seeing in the data for rev 6.
The stability issues I mentioned are definitely bug-related. We had a call with Securonix's development management last week and they gave me a very good technical explanation of what was going on. It made sense but it was complicated. It had to do with the sequence of what they were doing and the data sources and how it's different in the architecture. These are just things they didn't expect to run into. Once they understood it, they started fixing it and making sure that it not only fixes our instance but other customers' instances, where they might have run into something similar.
What do I think about the scalability of the solution?
It's certainly extremely scalable. They have a lot of connectors into different data sources. We haven't identified a data source it seems we wouldn't be able to read in.
We certainly have plans to increase usage. We started this as more of a pilot with engineering data access on these two systems. Currently, on our homegrown system, there are about 20,000 users a month. On the commercial system, which houses a lot of the engineering model data, there are about 13,000 users. That's the number of people whose activities we're looking at. That's internal, customer employees, as well as contract-contingent workers, onsite and offsite.
Which solution did I use previously and why did I switch?
We didn't have a previous solution. On our homegrown system, we made a little bit of a homegrown solution, but the only thing it did was that if somebody had a high number of downloads, it would send us a note. On the commercial system, we were trapping things in the log, but the logs are typically about 1.5 million rows a day, and that's really tough to analyze by hand. That is why I said, "I can't do this. I need an analytics tool to do this." This was really the first analytics tool that we deployed for this particular purpose.
How was the initial setup?
For me, the system setup, itself, was of medium complexity because, for both applications, there were standard connections into them. We had to write our own queries. We learned from that. Our homegrown system was fairly easy because we just look for objects downloaded. Our other application looks for more than just these download events. So it was more complicated to come up with the query and then for us to come up with use cases for the system to analyze.
We find that that process is ongoing. From when we started, we've never really stopped improving how we're trying to get results with the system. From my experience, you don't set it up and you're done. It's very much an evolutionary process. As you learn more, you can help feed that into the system. You can say, "Oh, I thought this was a problem. You're saying it shouldn't be. Okay, I'll take care of that now and I won't flag that. Or I'll make a different peer group to analyze data against." For us, it's very much a continuous process so that we can improve and hopefully minimize what we think are things that we need to investigate.
In terms of how long our deployment took, to me, it is still evolving. If I look at the initial one that we did on rev 5, the system was set up in October and just after Christmas we were, for both sources, doing pretty well. We were getting very usable results. The homegrown one was very easy to implement and we got that one going before Christmas. The other one is a little more complicated and took about three months. We've constantly refined ever since.
The implementation strategy, initially, was to apply it to these two applications but we didn't necessarily know what we would find, what the typical behavior would be. So we really needed to understand what people are doing, with our various use cases. Our strategy has been to continue to improve, to reduce the amount of time we take to look at data to see if something is an issue. And then, we're looking at reading in more engineering data sources.
Currently, we're in the process of figuring out the best way to read in from a SharePoint Azure site, to get data from our SharePoint on what people are using for accessing documents. Then we're also looking at what we call data "exfiltration," which is: Did somebody take the data once they downloaded, did they send it to a printer, did they email it out? Did the data go somewhere off the computer of the user to somewhere else? Our strategy has included taking that to the next step.
When we move from rev 5 to rev 6, there are new capabilities, new enhancements, and so it took a few months to get ready. The best way to describe the move to rev 6 is that it's a totally different system. It's a SaaS environment. The one we have now is on-premise. What you do is re-set up the use cases that you are currently using and your policies and then re-ingest data, but from a shorter timespan. Because of what we were doing, it is a little more work. But the Securonix folks helped us with the initial setup and the data ingest. From our standpoint, it was just a matter of validating on our internal system for rev 5, how the data was looking in rev 6. It certainly took some time.
What about the implementation team?
The consultants from Securonix are key, from our standpoint. I have almost daily calls with them to talk about what are we seeing, what are we doing, how can we improve things. We actually have a team call with some of the Securonix consultants and management every week. We generate a weekly report of what we have run into that we need help on, what our accomplishments have been, and if there are any issues, what their statuses are. We have excellent communication with the Securonix consultant folks. They're very good.
What was our ROI?
For this kind of solution, unless you find somebody who physically took something and was going to sell it or try to, and you were able to recover it, it's really tough to put a monetary number on intellectual property loss. You would be making an assumption about what might have happened if the competition had it.
Still, I would certainly say that we have seen a return on investment. We haven't seen a return where we actually stopped our engineering IP from going out the door. Then we would definitely have an ROI because all it takes is stopping one person and you've paid for your investment over and over again.
But what we've been able to do, if nothing else, is to let more people know that we are aware, that we're watching what's going on. We've had factory managers who are actually appreciative and feel more comfortable knowing that someone is watching this information. Again, we're back to these intangibles, but our company very much sees the value in this and, as we move forward, we'll see even more value. It might cost us a little bit more but we'll see more ROI if we find out what's going on with things like data exfiltration.
What's my experience with pricing, setup cost, and licensing?
I can't say anything from a numbers standpoint, but we went in on a three-year agreement which has an annual licensing fee, based upon the number of people that we're monitoring. There have not been any additional costs to the standard licensing fees.
Which other solutions did I evaluate?
We did evaluate other options. The main competitor was Exabeam. My manager was the one who did a lot of the investigation of the various tools.
At the time, the competitor's system was extremely limited in the number of data sources it could read in, whereas Securonix had a lot of pre-made connectors. In our cases it had out-of-the-box connectors to the two data sources that we needed. We had to write our own query, but it could at least connect directly into the logs that we had.
The other thing that Securonix had, and the other one didn't, is incident-management or case-management functionality. If someone were to download a high number and we decided we needed to investigate it, I could open a case right in the tool. It would be able to directly reference the data that they downloaded and we could open and shut the case directly in the tool, as well as report from it. Since it was all integrated, it was extremely helpful. That was one of the things that we liked.
Also, at the time, Securonix was the most mature in the user and entity behavioral analytics, among the groups which offered that kind of functionality and software.
What other advice do I have?
The best advice is to make sure that you understand your use cases. For example, we said we want it to trap a high number of downloads, we want to see if people downloaded and then emailed out any of the objects. We came up with the use cases of what we wanted to check for even before we started our implementation. Then the Securonix people were able to better set up the individual threats that we were watching for.
The other thing that we do is we categorize our data. We say a given type of intellectual property is high, medium, or low. That way we know what we really want to protect. Somebody taking a nut or a bolt isn't the same thing as somebody taking a turbocharged engine and trying to sell it to somebody.
It took us a while to actually come up with a standard for categorizing and then to actually categorize, because there were millions and millions of objects or drawings that we needed to classify. That was a project in and of itself. We did that before we did any kind of analytics with Securonix. The first thing we did was classify our data.
When I took this role, they said, "Hey, we want you to protect our high IP." So I smiled and said, "So how can I tell what the high IP is?" And they said, "Oh, well it's in this folder." I said, "What happens when it's out of the folder? How do I know?" I wanted it so that the data could always tell me its IP level, regardless of what folder it was in or even if it was out on someone's desktop. That's why, to me, that's the first thing that you need to do. Because otherwise, it's just hearsay in terms of what's important to protect. If it's important to protect, label it and then we'll understand.
We look for ways for us, and for the system, to improve identifying things. For the majority, we've been happy for what's there. With typical software you run into software issues that might slow you down and you have to get them fixed. They've been very good about resolving issues when we find them, especially because we find stuff that is pretty unique because of what we're doing with application monitoring. It's so specific and it's really customized for how we've set this up.
There are just a handful of users of the solution. I'm the main one who works with the consultants. Otherwise, it's a group of just under ten people who are even able to get into Securonix and look at the information. Like me, most are in IT. There's one person in insider-threat security who helps with coordinating investigations. There's also someone on the business side, even though he is, in a way, more IT-related. He works for the engineering standards group on the business side.
In terms of deployment and maintenance of the product, we certainly rely on the Securonix folks. There was one main person we used for the deployment of Securonix. Sometimes that person had a second, and I was involved as well. Only three people, from our side, were involved in the actual deployment, although I needed people to write the query to ingest the data. But once that was done, I didn't need those people anymore.
Maintenance is done by me and the Securonix consultant. Since it's a SaaS environment, I have no idea how many people they have on their side, making sure that the system's working fine.
For what we're doing and what it can do, on a scale of one to ten, I would put it in the nine to ten range. The only reason I wouldn't say ten is that means it's always perfect. There are always issues. But I'd say it's at least a nine.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
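The review above describes scoring a user's download volume against their own behavioral profile and against a peer group, so that an engineer who legitimately pulls 10,000 objects is not treated like a finance user who suddenly pulls 4,000. The following is an added example of that kind of UEBA-style scoring; it is not Securonix code, and the event data, peer groups and the z-score cut-off of 3 are constructed assumptions for illustration.

```python
"""Self-baseline plus peer-group baseline for daily download volume (added example, not Securonix code)."""
from collections import defaultdict
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # assumed cut-off; the vendor's own risk scoring is not reproduced here

# Constructed daily download totals per user (objects pulled from the engineering systems).
# Real input would be one row per download event; aggregate_daily() rolls those up.
SAMPLE_EVENTS = [
    (day, user, group, objects)
    for user, (group, totals) in {
        "alice": ("engineering", [9000, 11000, 10000, 12000, 11500]),
        "bob":   ("engineering", [8000, 9500, 10500, 9000, 10000]),
        "carol": ("engineering", [10000, 9000, 11000, 10000, 10500]),
        "gina":  ("engineering", [9000, 9200, 9100, 8900, 12500]),  # high for her, typical for engineers
        "dave":  ("finance",     [20, 35, 25, 30, 2500]),            # day 5 is a second event below
        "erin":  ("finance",     [30, 25, 40, 35, 30]),
        "frank": ("finance",     [25, 30, 20, 35, 28]),
    }.items()
    for day, objects in enumerate(totals, start=1)
]
SAMPLE_EVENTS.append((5, "dave", "finance", 1500))  # dave's second download batch on day 5


def aggregate_daily(events):
    """Roll raw download events up to one total per (user, day) and record each user's peer group."""
    totals = defaultdict(lambda: defaultdict(int))
    groups = {}
    for day, user, group, objects in events:
        totals[user][day] += objects
        groups[user] = group
    return totals, groups


def z_score(value, baseline):
    """Signed z-score of value against a baseline sample; a flat or tiny baseline is handled explicitly."""
    if len(baseline) < 2:
        return 0.0  # not enough history to judge
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return 0.0 if value == mu else float("inf")
    return (value - mu) / sigma


def score_day(events, day):
    """Score every user's volume on `day` against their own prior days and against their peers' history."""
    totals, groups = aggregate_daily(events)
    results = {}
    for user, per_day in totals.items():
        if day not in per_day:
            continue
        value = per_day[day]
        own_history = [v for d, v in per_day.items() if d < day]
        # Peer baseline excludes the subject so an outlier cannot inflate the spread it is judged against.
        peer_history = [v for peer, pdays in totals.items()
                        if peer != user and groups[peer] == groups[user]
                        for v in pdays.values()]
        self_z = z_score(value, own_history)
        peer_z = z_score(value, peer_history)
        if self_z >= Z_THRESHOLD and peer_z >= Z_THRESHOLD:
            verdict = "investigate"   # unusual for the user and for people in the same role
        elif self_z >= Z_THRESHOLD:
            verdict = "review"        # unusual for the user, but what peers normally do
        else:
            verdict = "normal"
        results[user] = {"objects": value, "self_z": round(self_z, 1),
                         "peer_z": round(peer_z, 1), "verdict": verdict}
    return results


if __name__ == "__main__":
    for user, r in sorted(score_day(SAMPLE_EVENTS, 5).items(), key=lambda kv: -kv[1]["self_z"]):
        print(f"{user:6} objects={r['objects']:6} self_z={r['self_z']:>7} peer_z={r['peer_z']:>6} {r['verdict']}")
```

The peer baseline deliberately excludes the user being scored: if dave's 4,000-object day were part of the finance group's sample, it would widen the group's spread enough to mask his own anomaly. Splitting the verdict into "investigate" and "review" is the triage the reviewer describes, deciding whether an action that is new for one person is nonetheless routine for their peer group before anyone is contacted.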
Director of Intellectual Property Protection at a pharma/biotech company with 1,001-5,000 employees
Spotter tool has helped us eliminate many hours required to manually create link analysis diagrams
Pros and Cons
- "What I like most is that the threat models and risk scoring are very accurate and very helpful to the analysts on my team. They help highlight the most important things for them to look at."
- "The second feature is that within the SNYPR product there is a functionality called Spotter. We use that for link analysis diagrams and to run the stats command. That's extremely useful because it replaces a tedious, manual process we used to use, using Microsoft Excel and a couple of other methods, to bring data together."
- "We have seen return on investment many times over, as there have been data-loss events that we've prevented which, had they left the company, would have represented billions of dollars of intellectual property."
- "A helpful feature would be an event export. A way to create more substantial summary reports would be nice."
What is our primary use case?
I run the intellectual property protection shop for the company and our primary use case is to monitor for DLP.
How has it helped my organization?
In terms of detecting cyber and insider threats, my primary focus is insider threats. It's excellent at that. The ability for the system to detect events is incumbent upon knowing your own threats and risks and predefining those, to a large extent. If you know your environment well enough to make up your own rules and define exactly what a risk or threat means in your organization, it's outstanding at detecting them.
While my primary focus is insider threats, one of the reasons we like SNYPR more than other brands is the entity analysis piece. We have picked up unnamed entities - an infected machine or a machine that had been taken over through a phishing attempt and had a bot installed on it. We have been able to detect malicious software with the system without even predefining the threat or risk model.
When it comes to the solution's behavior analytics helping to prioritize advanced threats, as long as you can pre-define what you want it to prioritize, I find it to be excellent at doing that. We have a very small team. It's very important for me to have the Securonix system highlight the most critical threats so that the analyst can see it.
We have two models. There are the people who are reacting to something negative in the company, such as someone sending a lot of things to a USB drive or trying to email out a lot of sensitive documents. Those people are easy to catch because their behavior is anomalous to themselves and to others. But for the advanced threats, we have different models in place that will highlight what we call "low and slow" behavior, where someone might be placed in the organization by a competitor or a foreign country, with the intention of removing small amounts of data over a long period of time. We have successfully built models that detect that, as well. Any system can catch the people who are going to "break the window" and steal as much data as they can in 24 hours. It's the advanced threat that's much more intricate, but we have had success with that model.
The solution benefits our company overall in the sense that we are protecting intellectual property which is the key to the company's success. But there has been a direct benefit to my team as a force-multiplier. At any given time, I have three or four analysts and we have 120,000 end-users. I feel confident in the increase in the value of cases we have found. We bring in fewer cases per year, overall, and that's attributable to the ability to tune Securonix and drop things that might be more of a "coaching-letter" type of event, rather than an investigation. We're able to tune those so that they are less of a priority than the significant data-loss events. We've been successful at catching the data-loss events.
And the functionality within the Spotter tool has helped us eliminate many hours required to create link analysis diagrams, which we used to create by hand.
It has easily decreased the time required to investigate alerts by 30 to 35 percent. The Spotter functionality, where we create link analysis diagrams within Securonix, takes about five seconds to do. We type in the pipe symbol, the word "link," and a couple of arguments and it puts the link analysis diagram right in front of us. Before, it was a manual download from three different systems and we would put things into Excel or i2 Analyst's Notebook and do the link analysis diagram that way. That single step alone is something we do for every single case which an analyst writes up, and it easily represents 30 to 35 percent of their time.
The solution has also helped us to detect threats that would otherwise have gone unnoticed. In the past, when we were using just a SIEM tool, we had reports on things like the top-ten people each day sending email to a competitor's domain, or top-ten people emailing to a personal domain, or the top-ten people copying data to a USB. We looked at six of these lists every day. When we first started using Securonix, they came to us with an event that their system had detected, something which was a fairly significant event. When I went back and looked at why we hadn't caught it ourselves first, what had happened was that Securonix was able to accurately identify, with its pattern-matching functionality, two personal email addresses from this person and correlate that with USB use and their sending of emails to a competitor's domain. Out of the four domains, none was high enough to get on the top-10 lists, but all four together - when they were correlated together as a single event - were very significant. That enabled an analyst to see it and react to it.
Securonix has helped to surface high-risk events that require immediate action. The preceding example is a good one. Another good example is correlating events with foreign travel, for instance. One of the things we have programmed in is HR data around a known last-day-worked. We've been able to correlate people whose last day at work was within 48 or 96 hours of having foreign travel booked. Those things, by themselves, don't really mean anything, but as part of a model they add to the score of someone who has data leakage events. We've used those factors successfully to increase the score of someone with leakage events and prioritize them so that we can react before the person has left the company and the country.
We moved to their software as a service and cut over to production, officially, in January of this year (about five months ago). It has significantly reduced the amount of time spent by the technical lead on my team doing hands-on patching, maintenance, and troubleshooting on the host server, as well as fixing the server when there were application incompatibility issues. The previous version we had sat on a standard, company Linux server. Securonix was an application package, a COTS, for the most part, that sat on top of a standard-built server. The server represented a cost to us when purchasing it and there was a cost to maintain it. Moving it to the software as a service model in the cloud has completely cut out all of that. It's a less expensive model for us to operate under.
The Hadoop-based platform has also provided operational benefits. With the on-premise version that we had before, we were limited in the number of data inputs. As soon as we moved it to their Hadoop-based platform, it became unlimited. It's scalable to whatever size we need. We were able to quickly add six data sources to the system, which were impossible to add before.
What is most valuable?
There are a number of things that are very useful.
What I like most is that the threat models and risk scoring are very accurate and very helpful to the analysts on my team. They help highlight the most important things for them to look at.
The second feature is that within the SNYPR product there is a functionality called Spotter. We use that for link analysis diagrams and to run the stats command. That's extremely useful because it replaces a tedious, manual process we used to go through, using Microsoft Excel and a couple of other methods, to bring data together.
The third feature is the ability to create watch lists that highlight specific predefined events in a separate window - or widget, as they call it. If I want to highlight something of interest without changing the risk score, or affecting any of the threat or risk models that we have in place, I can create a watch list. It moves those events to an area where an analyst will see them, first thing, without changing any scores or any other manipulation of data. I can highlight events that way.
What needs improvement?
A helpful feature would be an event export. A way to create more substantial summary reports would be nice.
For how long have I used the solution?
We've been Securonix customers for about six years now. We've been on the SNYPR module for about seven months.
What do I think about the stability of the solution?
We've never had a problem with it. They're responsive around the clock. We've never experienced a system outage and we've never experienced their being unavailable to help. It's highly stable.
What do I think about the scalability of the solution?
Now that we are on the cloud-based version, scalability is limited only by what we want to spend. The more events per second we add, the more the cost goes up. But that's the same with any model, anywhere. We're limited only in budget. They appear to be scalable to handle anything we can put into it.
How are customer service and technical support?
I would give them a ten out of ten on technical support. In the past, we did have some issues with their technical people, but they were quickly resolved as soon as I brought them to someone's attention.
They don't really offer a service where they just plug it in and leave and you're on your own. They do semi-annual data scientist reviews of the events we have and the scoring behind them. They make recommendations to us on new models we can implement or ways we can change the scoring slightly to make sure we're seeing the most appropriate things. That part has been really nice.
Which solution did I use previously and why did I switch?
We used ArcSight. The IT department had ArcSight deployed as a SIEM, so that was the system I used to create lists like top-ten emails to competitor domains, top-ten events for USB, top-ten people going to job-search domains through the web proxy, etc.
ArcSight was not very sophisticated. It was just six PDF files a day that were representative of top-ten events in some predefined rule. There was no way to prioritize or score or, even better, correlate events. Securonix, in one example, as I mentioned, pulled together four events and chained them together, which would not have made any of the top-ten lists but were significantly more important than anything on any of those top-ten lists that day.
How was the initial setup?
The initial setup was very straightforward. We used Professional Services and we had three meetings a week in the build process. It dropped to two meetings a week as we were migrating from one system to the next. Then we went to weekly and then biweekly break-fix meetings until everything was up and running.
Within two weeks they had it pretty fully in place and then we spent about another two weeks fine-tuning different details, because it processes data differently than the on-prem version. We were up and fully in production on the new system inside of a month.
We created the cloud-based version in parallel and we kept the on-prem solution up and running until we cut over, 100 percent, to the cloud-based solution. We kept them running in parallel for an additional month so that we could check risk scores back and forth between the two systems, to make sure one was not capturing events that the other didn't, with the exception of "net-new." As I said, when we put in the new cloud version, that enabled six more data inputs which, obviously, didn't exist in the on-prem version. But for the things that were identical, we made sure it was up and running and accurate. Then we just cut away from the old one altogether.
What about the implementation team?
The fact that we used Professional Services made a big difference because they did the heavy lifting. We just presented threat and risk models to them and data sources. Our experience with Professional Services was very good.
What was our ROI?
We have seen return on investment many times over. There have been data-loss events that we've prevented which, had they left the company, would have represented billions of dollars of intellectual property. If you look at the $250,000 a year as a percentage of a billion dollars, that's not too bad an ROI.
What's my experience with pricing, setup cost, and licensing?
We have an annual license. We pay $200,000 for the base licensing and we pay another $50,000 for the software as a service.
In terms of any additional costs, it depends on how extensively we use the Professional Services. I might spend another $45,000 to $50,000 a year on them, but that's because we're always coming up with new things and changes. If I wasn't asking them to make coding or application changes, then that cost would be unnecessary because the additional cost for the software as a service includes the maintenance, 24/7 monitoring, etc. Because the Hadoop version is new to us, we're expanding into new data sources and new threat and risk models. For that, there's an additional cost for the coding.
Which other solutions did I evaluate?
We looked at a product from Lockheed Martin which was very analyst-centered. It produced a lot of CSV files as output and required having an analyst who could really pull together Excel spreadsheets and do a lot of manual work.
We had looked at Securonix for a couple of years at trade shows and we knew we liked the concept of a UEBA. But then when we did a demo with them in a bake-off with the Lockheed Martin product, the Securonix user interface was hands-down better, and the event correlation and the behavior analysis pieces were what really sold us. We have a number of static, pure analysis rules built for behavior analysis, but now that we've had it in place for a few years, it's far more sophisticated in the dynamic behavior analysis, through the machine-learning the system does. That has been far more beneficial to us than the static rules.
In those respects, they were hands-down better than the other product we put them in the bake-off with. Quite honestly, it has worked so well in the six years we've had Securonix in here that I haven't gone back into the market to even look at what the competition has. It saves me a lot of stress.
Looking for a new product and evaluating takes so much time and there's so much cost in swapping them out. For example, if you had invested in a server infrastructure and have to take that down because it doesn't match up, there's a cost to that. There's software licensing. There's also the fact that my team has five years of experience in navigating the Securonix user interface. With a new product, they'd have to start from scratch, learning something new.
What other advice do I have?
The single thing I recommend most is understanding your environment and being able to articulate the risk and threat models. Securonix is very good now, better than when we first bought them, because we were early adopters. We're in the pharmaceutical space and they didn't have very many Pharmas. They were very good at financial institutions, the banks, the credit card companies and that sort of data, but when it came to risk and threat models for Pharma, we were so successful because we knew what we wanted.
I had studied insider threat and behavior analysis for quite a while before we brought in Securonix and was able to start out with very accurate models and articulate things like the relationship between sender and recipient of emails. Is there generally a higher risk with one-to-one or one-to-many relationships on either side? If the data is in the body of an email or in an attachment, which is more important to me? Different models, like competitor domain or personal domain, or USB use: What are the most important things to know about your own environment? Be able to tell them in a way that helps them build the risk models.
Probably in some environments, again, finance for example, where they've had years of experience, they could probably plug in a box and you could just throw all of your events at it and it would be accurate in at least pointing out the anomalies. But you would still need to be able to say what, in your environment, is bad and what is not. That is the single biggest thing: Know your own environment and they can build it to match your needs.
The biggest lesson we've learned using Securonix, in hindsight, is that if we had paid the additional $45,000 to start with, in the cloud, we would have been years farther ahead. We're trying to stay very low-budget. We built the on-prem version and thought that was going to be sufficient, but we ran out of space and the ability to add new data sources and risk and threat models. The on-prem version became limiting. The biggest lesson we learned was that we probably should have spent what was not a lot more money and had the cloud, Hadoop-based version, much earlier in the game than we did.
If I had a big enough staff, it would probably be preferable to do some of the back-end, hands-on coding ourselves, but I don't have that kind of talent on hand. Outside of that, we have no complaints about it. When we've asked them to make certain changes to the user interface or to workflow within the tool, they've been very quick to respond and make those subtle changes for us. Outside of that, we're fairly pleased with this platform.
We have three intelligence analysts and they look at the events themselves, do the initial assessments, and write up the cases. I direct the team and I have one technical lead. I'm in the compliance division, so my team monitors for compliance with specific corporate policies. In addition, our IT department recently also purchased Securonix and they're building a platform on software risk to complement the insider threat that I have. There are currently five users there.
The Securonix team does all of the back-end work because it's housed entirely in their cloud.
Overall, I would give Securonix a ten out of ten. We've been extremely happy with them as a company and as a product. The product has been very good for my career. But again, we put the time into making it accurate right from the start so we have found some fairly significant things. I feel the product is accurate. Whenever we have worked with the company, they've been a good bunch to work with. I'm happy to stand up on their behalf. It's been a true partnership with Securonix, more than just licensing their product and using it.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
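The correlation this reviewer describes, as an added Python illustration (not Securonix's code or scoring model): per-category top-ten style reports miss a user who stays below the cut-off everywhere, while chaining that user's events across categories into one score surfaces them, and HR last-day-worked and travel-booking context only add to the score of someone who already has leakage events. User names, counts, weights and time windows are all constructed.

```python
"""Chaining sub-threshold signals into one per-user risk score.

Added illustration with constructed data; not Securonix's models or weights.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed daily event counts: (user, category, count). No real people.
EVENTS = [
    ("alice", "email_competitor", 40), ("bob", "email_competitor", 35),
    ("carol", "email_competitor", 30), ("dave", "email_personal", 50),
    ("erin", "email_personal", 45), ("frank", "email_personal", 42),
    ("grace", "usb_copy", 60), ("heidi", "usb_copy", 55), ("ivan", "usb_copy", 52),
    # mallory is below the top-3 cut-off in every list but active in all three
    ("mallory", "email_competitor", 6), ("mallory", "email_personal", 9),
    ("mallory", "usb_copy", 8),
]

# Constructed per-event weights (assumption, not the vendor's scoring)
WEIGHTS = {"email_competitor": 3, "email_personal": 2, "usb_copy": 2}

# Constructed HR and travel context for the same users
NOW = datetime(2024, 3, 1, 9, 0)
HR_LAST_DAY = {"mallory": datetime(2024, 3, 3, 17, 0),
               "grace": datetime(2024, 6, 30, 17, 0)}
TRAVEL_BOOKED = {"mallory": datetime(2024, 3, 4, 8, 0),
                 "alice": datetime(2024, 5, 1, 8, 0)}


def top_n(events, category, n=3):
    """The old SIEM-style report: the n busiest users in a single category."""
    rows = [(count, user) for user, cat, count in events if cat == category]
    return [user for count, user in sorted(rows, reverse=True)[:n]]


def leakage_scores(events):
    """Chain a user's events across categories into one score.

    Each event contributes its category weight; a user seen in several
    categories is multiplied by the number of categories, so several small
    signals can outrank one large single-category signal.
    """
    per_user = defaultdict(lambda: defaultdict(int))
    for user, cat, count in events:
        per_user[user][cat] += count
    scores = {}
    for user, cats in per_user.items():
        base = sum(WEIGHTS[c] * n for c, n in cats.items())
        scores[user] = base * len(cats)
    return scores


def context_boost(user, now, hr_last_day, travel_booked,
                  window=timedelta(hours=96)):
    """Last-day-worked inside the window adds to the score; travel booked
    near that last day adds more. Travel alone, without a last day, adds nothing."""
    boost = 0
    last_day = hr_last_day.get(user)
    if last_day is not None and timedelta(0) <= (last_day - now) <= window:
        boost += 30
        travel = travel_booked.get(user)
        if travel is not None and abs(travel - last_day) <= window:
            boost += 20
    return boost


def risk_scores(events, now, hr_last_day, travel_booked):
    """Context only boosts users who already have leakage events (score > 0)."""
    scores = leakage_scores(events)
    return {u: s + context_boost(u, now, hr_last_day, travel_booked)
            for u, s in scores.items() if s > 0}


def prioritized(events, now, hr_last_day, travel_booked):
    """Users ordered for an analyst, highest risk first (ties by name)."""
    scores = risk_scores(events, now, hr_last_day, travel_booked)
    return sorted(scores, key=lambda u: (-scores[u], u))


if __name__ == "__main__":
    for cat in WEIGHTS:
        print(f"top-3 {cat}: {top_n(EVENTS, cat)}")
    print("prioritized:", prioritized(EVENTS, NOW, HR_LAST_DAY, TRAVEL_BOOKED))
```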
Co-Founder/Director at Bangkok MSP Company Limited
Saves three to four hours of manual work and helps in decision-making
Pros and Cons
- "The solution's AI features reduce the need for manual analysis and help in decision-making. It displays the report in seconds. It saves my resources three to four hours of work."
- "Securonix Next-Gen SIEM's deployment is complex and you need a team to do it."
What is our primary use case?
My use cases relate to SIEM.
What is most valuable?
I like Securonix Next-Gen SIEM's integration with in-house AI. I use its behavior analytics feature and am happy with it. It helps to enhance security.
The solution's AI features reduce the need for manual analysis and help in decision-making. It displays the report in seconds. It saves my resources three to four hours of work.
What needs improvement?
Securonix Next-Gen SIEM's deployment is complex and you need a team to do it.
For how long have I used the solution?
I have been using the product for two years.
What do I think about the stability of the solution?
I rate the solution's stability a ten out of ten.
What do I think about the scalability of the solution?
The tool is scalable since it's on the cloud. There are no limitations.
How are customer service and support?
I haven't contacted the technical support since we have a strong in-house team.
What about the implementation team?
We did the deployment in-house.
What's my experience with pricing, setup cost, and licensing?
The solution's price is double the competitors.
What other advice do I have?
I would recommend Securonix Next-Gen SIEM to SMBs if they have the money. I rate it a ten out of ten.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Manager Security Operation Center at a tech services company with 51-200 employees
A stable and scalable solution for small and medium-sized companies
Pros and Cons
- "The solution is stable and scalable."
- "We would like to see better integration with other products."
What is our primary use case?
We are a services company, so we provide services for our clients' companies.
What needs improvement?
We would like to see better integration with other products.
For how long have I used the solution?
We have been using Securonix Security Analytics for around six months.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and technical support?
The technical support is okay.
Which solution did I use previously and why did I switch?
We work with different SIEM solutions, including IBM QRadar and LogRhythm. Although I prefer IBM QRadar to Securonix Security Analytics, there are no features of this product that I wish to see included in it, as these two platforms are disparate.
The reason I prefer IBM QRadar is because we already utilize this solution with our customers, whereas with Securonix Security Analytics we are talking about a process which we have yet to complete.
How was the initial setup?
The initial setup was relatively uncomplicated. It basically involved operations, with which we had some issues.
What's my experience with pricing, setup cost, and licensing?
I cannot comment on pricing as this is not within my purview.
What other advice do I have?
Our clientele includes small and medium-sized companies, not enterprise.
I rate Securonix Security Analytics as an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Regional Director, Customer Success (GTM Solutions & Services) at a tech services company with 51-200 employees
Bad integration and a very immature product with two failed attempts at implementation
Pros and Cons
- "There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features."
- "We ended up moving our clients over to QRadar as this solution did not end up working for either of them."
- "We thought they were going to be a great product, however, they're actually not great at all as an MSP."
- "The technical support is terrible and completely unhelpful."
What is our primary use case?
It was supposed to be good for security to provide as a SOC-as-a-Service, however, it failed.
How has it helped my organization?
The solution did not improve our customer's organizations at all. The implementation attempts were a complete failure. We had to move them to another product.
What is most valuable?
There aren't any positive aspects of the solution. It was a complete failure. There are no redeeming features.
What needs improvement?
We thought they were going to be a great product, however, they're actually not great at all as an MSP.
The integration is very bad.
The initial setup failed in both use cases.
The technical support is terrible and completely unhelpful.
The product itself needs a lot of work; it's very immature.
The stability isn't great.
For how long have I used the solution?
We never really properly used the solution. We tried, however, on the two clients we attempted to have to use the solution, it completely fell flat.
What do I think about the stability of the solution?
The stability of the solution is not good.
How are customer service and technical support?
Technical support is terrible. They are very bad. They are not helpful or responsive, and we were quite disappointed with the level of service on offer.
Which solution did I use previously and why did I switch?
We ended up moving our clients over to QRadar as this solution did not end up working for either of them.
How was the initial setup?
The initial setup failed. We had to move to a different solution completely. The installation process was terrible. It was not straightforward.
What about the implementation team?
The implementation was done with the vendor, and the vendor failed on a number of areas to implement it.
What's my experience with pricing, setup cost, and licensing?
We did not pay a licensing fee. We moved away from the solution.
What other advice do I have?
We tried to implement it and we've taken it out. We've tried it with two clients, it failed, and therefore we moved them now to QRadar. It was terrible. It offered bad support and was a bad product, and everything that was promised wasn't able to be delivered.
We canceled our partnership with them, and we've actually reverted the two clients that were supposed to go onto Securonix onto QRadar now.
We were trying to onboard two customers, and we ended up implementing this solution with neither of them.
I'd rate the solution at a five out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
SaaS solution enables us to move away from tool management and still have a full-featured SIEM
Pros and Cons
- "I was looking for software as a service rather than having issues with managing hardware, upgrades, updates. I was trying to step away from that. Those were the key factors when looking at Securonix as a full-feature SIEM with next-generation capabilities available."
- "I see Securonix as a full-featured SIEM; I was looking for a SIEM tool that has traditional SIEM as well as UEBA, and found Securonix to be a good fit for our company, Avalara."
- "There is slight room for improvement in terms of the initial deployment. What I see is that Securonix is more focused on their product. They are expanding, in a big way, the number of customers. So there has to be a number of dedicated teams to jump on and speed up the deployment process."
- "There is slight room for improvement in terms of the initial deployment."
What is our primary use case?
I work for Avalara. It's a tax technology company based in Seattle with offices all across the world: North Durham, California, Sao Paulo Brazil, Brighton UK, Pune India, and we are expanding right now.
We have a list of use cases, like brute force attacks. Our top executive team wanted to see — whenever we are under a serious attack — on their dashboard that the attack is happening, so that the corrective measures can be taken. That is the primary use case: to have that transparency for a number of security use cases like brute force, phishing, and others, and for our executives and our team to see that attack is happening so that we can counter-measure it and save our company from any data exposure or any security incident.
What is most valuable?
I see Securonix as a full-featured SIEM. I was looking for a SIEM tool that has traditional SIEM as well as UEBA, and found Securonix to be a good fit for our company, Avalara.
Another good thing is that I was looking to move away from tool management. I was looking for software as a service rather than having issues with managing hardware, upgrades, updates. I was trying to step away from that. Those were the key factors when looking at Securonix as a full-feature SIEM with next-generation capabilities available.
What needs improvement?
There is slight room for improvement in terms of the initial deployment. What I see is that Securonix is more focused on their product. They are expanding, in a big way, the number of customers. So there has to be a number of dedicated teams to jump on and speed up the deployment process. We would like to partner with different teams that can implement and deploy it faster, whose only job is just to go to the client's site and deploy. Just do it. That's one improvement, based on my experience, that would definitely help them go a long way. Because the way they are expanding they need to focus, because the first impression is the last impression. During the initial one to two months of deployment, that momentum and that support you provide a client is very important. That first two months after a client buys it, how the deployment goes, leaves a long-lasting impression on the client and the team.
How are customer service and technical support?
In the initial setup itself we needed to dive deep into this. We had some deep technical questions and we were lucky that Securonix provided us with another technical resource. He really seemed knowledgeable.
And myself, I'm personally in touch with some of the technical people. We are getting that good support from them.
How was the initial setup?
For the initial setup a team was assigned and a command was set up, so it was pretty straightforward. We had already gone through a PoC. Coming from a SIEM background, I understand the whole architecture and the process that takes place. We were looking at reducing the timelines and, as we go through it, we are seeing that. The log integrations are pretty fast and, as I said, tool management is done at the backend. So, the initial setup is pretty good. We got logins the day we wanted them. They were assigned, and we are proceeding ahead with the deployment, and we're pretty close to it.
The strategy was to shorten the timeline. My COO and our company didn't want to waste time in long processes. So the strategy was to first have a list of log sources, prioritize them, and integrate the important ones, and the ones that could be integrated fast, immediately into the system. The second step was to streamline the rules, to baseline the rules initially. We already had our team to work on the alerts. The strategy was to get it up and running as fast as possible. We're doing it in phases. We have already done the first phase and with the second phase we are almost there. Within the first two months, we'll have most of the SIEM organization done as well as baselining of the rules done.
What other advice do I have?
I would rate the product at eight out of 10 right now, because there are scopes for improvement, operationally as well as technically. But they have definitely come a long way in a very short time, so I really give them eight-plus. There's definitely some scope for improvement operationally, and there are some technical features which need to be added.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Practice Head-CyberSecurity at ALTEN calsoft Labs
Analytics platform has an open security data lake and it is easy to deploy
Pros and Cons
- "The feature that I have found most valuable is their analytics platform where they have the open security data lake, which they introduced, and this is typically different from the other vendors."
- "The pricing. I'm not sure how they are proceeding with the identity-based pricing compared with DB pricing which most of the vendors are using today."
- "As far as what can be improved, again it is the pricing."
What is our primary use case?
In our organization, we handle cybersecurity. As an IT services company, we are limited to setting up the security operations center in different forms for our customers' requirements.
We are in the business of setting up the security operation center for the customers and we also provide other SOC services for many of the customers. We do have a lot of service offerings on our SOC management platform.
We do MDR via cloud security and its monitoring services, so we are very familiar with the leading platforms in the market today like QRadar and Splunk. We use them in our environment today. I have been searching out the next-gen SIEM. Then I brought Securonix to my board. I came to learn that Securonix is leading in the innovative ideas and innovations on the SIEM platform side. Particularly because my role is a security practice in Veeam SM. If you evaluate the market trends you understand the products released into the market and how best to leverage that integration and make sure that there is no bounce back to the customer in these situations. That's why I started evaluating the Securonix in a typical lead evaluation.
We are not partnered, we have just done a couple of initial discussions with some of the folks here in India. We are still in the stage of evaluating these products, including Securonix.
I noticed that this is more on the open data platform when it comes to managing the logs from a different angle and for different assets. That's one area which is more interesting for us.
Compared to other competitors in the market, what I have seen is that their module is the UEBA, User and Entity Behavior Analytics, module. That is something different which they are offering today.
These are some of the differences I see. Additionally, there is the pricing issue. They are moving from DB pricing to the identity-based pricing. But I'm still confused about that identity pricing. I still have to get more clarification from the products.
What is most valuable?
The feature that I have found most valuable is their analytics platform where they have the open security data lake, which they introduced. This is typically different from the other vendors.
What needs improvement?
As far as what can be improved, again it is the pricing. I'm not sure how they are proceeding with the identity-based pricing compared with DB pricing which most of the vendors are using today. Some of them are dealing with EPS-based pricing.
What do I think about the stability of the solution?
There is still a need to evaluate the stability because we are very new to this platform. So we need some more time to do that.
How was the initial setup?
The initial setup is straightforward, it is easy to deploy.
Which other solutions did I evaluate?
We did evaluate other options before choosing Securonix. As an MSSP we use many products. It all depends on the kind of requirements we get from the customer. We evaluated QRadar and Splunk. As an MSSP, we use a combination of tools.
The major difference between Securonix and the rest is that their security data lake is very open and the hosting of that platform is much simpler compared to other vendors.
Because there is no proprietary thing involved here the log management should be much easier compared to others.
What other advice do I have?
On a scale of one to ten I would rate Securonix an eight.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.