Lead Cyber Security Engineer at an insurance company with 1,001-5,000 employees
Real User
Open platform allows us to modify policies and tune policies as needed
Pros and Cons
  • "The feature that is most valuable is the fact that it's an open platform, so it allows us to modify policies and tune policies as needed. There's also a feature called Data Insights which allows us to create different dashboards on specific things of interest for us."
  • "Securonix implements risk scores based on different policies that are triggered. We've seen some challenges with the risk scores and how they trigger. These are things that Securonix has recognized and they've been working with us to help improve things."

What is our primary use case?

Our primary use case is privileged-account monitoring. We wanted the ability to monitor what privileged accounts do, what time of day they typically log in, what machines they log in from, what type of configuration changes they make, etc.

We're using the SNYPR Cloud UEBA.

How has it helped my organization?

The areas where behavior analytics helps in terms of advanced threats are around some of the rarity-based policies. An example would be if someone is logging in to a machine for the first time, someone who has never logged in to that machine before. Another would be a rare time of day when somebody is logging in. Policies such as rare suspicious-process also help. We have a list of processes that we typically don't expect many users to run, so if somebody's running one of them in the environment for the first time, it helps us understand that something potentially malicious or at least suspicious is taking place.

We had a recent internal penetration test to try to simulate attacker activity, and Securonix really stood out regarding some of its detection capabilities versus our traditional SIEM, with a lot of the policies that we have for rare-process running on a machine. The enumeration-type activities, where it's looking for an increase in the number of, say, accounts that are accessed, or the number of machines or file share that are accessed, was something that stood out significantly for us.

An example where the solution detected a threat that would otherwise have gone unnoticed recently was a Word document that launched PowerShell and tried downloading a malicious file. We have a policy which is looking for a rare process launched from a child process, and that detected a specific type of malware.

Also, given that the solution is offered as a cloud platform, it probably reduced the potential need for additional headcount. Had we gone with an on-premise solution - because it would have a lot of the administrative tasks of maintaining the hardware and doing updates, and some operational costs - we probably would have required an additional headcount. By going with the cloud, it didn't require us to add to our headcount, and yet we were able to add this new technology.

The solution has also enabled our team to focus on threats rather than on engineering of the platform. We're a very hands-on organization. We've done some of the engineering, whether it be to create new policies specific to our environment or specific to a threat that we're looking for. So it has helped us to focus on threats, but we also do a decent amount of engineering.

Securonix has decreased the time required to investigate alerts or threats. A lot of the information is right there for us, so it's easy to search and try to help with an investigation. In terms of how much time it has saved us, it's really a case-by-case scenario. It would be difficult to pinpoint an exact time on it.

As for the solution surfacing high-risk events that require immediate action, Securonix correlates different policy-violations together into what it calls threat models. There have been a few examples of threat models that have been triggered which gave us a high degree of confidence that there's a threat that we want to investigate right away. Using the threat models has really helped prioritize events of interest for us.

What is most valuable?

  • The feature that is most valuable is the fact that it's an open platform, so it allows us to modify policies and tune policies as needed. 
  • There's also a feature called Data Insights which allows us to create different dashboards on specific things of interest for us. 
  • Finally, there is Spotter. Spotter allows us to search and investigate different events of interest for us.

In terms of behavior analytics, we're using cyber more than insider threats. With UEBA being a relatively new space when we looked at it close to two years ago, we were concerned about how well it worked and whether they were truly behavioral-based rules or if that was just marketing terminology for the "latest greatest system." But it exceeds what our initial expectations were for being able to detect different cyber threats. We're doing a lot around the network firewall and endpoint detection for rare process connections, rare network connections, etc.

What needs improvement?

Securonix implements risk scores based on different policies that are triggered. We've seen some challenges with the risk scores and how they trigger. These are things that Securonix has recognized and they've been working with us to help improve things.

Buyer's Guide
Securonix Next-Gen SIEM
July 2025
Learn what your peers think about Securonix Next-Gen SIEM. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
865,384 professionals have used our research since 2012.

For how long have I used the solution?

We've been using Securonix for a year-and-a-half now, as a production customer. We started a pilot back in July of 2017, so if you consider the pilot time, it's about two years in total.

What do I think about the stability of the solution?

Initially, within the first six to eight months, we had some issues with stability. In the last year we've really had no stability issues. There's been no downtime. Any time there are updates, we're always notified when they will take place, with adequate notice. After the updates, there's very minimal downtime as a result.

The earlier instability was growing pains. At the time, we were one of the largest customers going to their cloud solution. It was just a matter of some of the growing pains as they were trying to scale to handle the quantity of logs that we were sending to it.

They've also added additional features and enhancements, and we haven't had any issues with it or any downtime as a result of that.

What do I think about the scalability of the solution?

We haven't had any issues with scalability. We've been able to send more log sources to it and we haven't had any issues with them being able to handle the volume.

We have close to 6,000 employees. We have about 9,000 servers and workstations in total, and we're sending about 5,000 events per second.

We have plans to increase our use of Securonix. Right now we use a different vendor for SIEM, LogRhythm, and we use Securonix for UEBA. We're looking at potential options to consolidate to one platform.

How are customer service and support?

Their technical support has been pretty helpful. We have a lot of direct contacts with some of the higher-level support, people who help with the integration. A lot of times, when we have issues, we may email them directly and they're able to work on a resolution relatively quickly. 

That being said, we do have a technical account manager and that person does a really good job of prioritizing resources to make sure that, if we do have any issues, they get addressed in a timely fashion.

Which solution did I use previously and why did I switch?

We piloted Exabeam but we didn't go forward with them.

How was the initial setup?

The initial setup was a little complex, but going into it we knew it's a complex solution. We didn't expect that it would be out-of-the-box. Our expectation was that it was going to take a little bit of time to get it set up and integrated and then to learn different profiles on users. It was somewhat complex, but it wasn't anything that we weren't expecting.

Our case is a unique situation where we aren't using Securonix as our SIEM so we had to send logs from our SIEM over to Securonix. There was some tweaking of the parsing that we had to do; how they were able to normalize the log and stuff like that. That took a little while to get up and running.

Overall, our deployment took about two to three months.

In terms of an implementation strategy, we had Professional Services from Securonix help with the implementation. They did a lot of the heavy lifting for us.

What about the implementation team?

Our experience with Securonix Professional Services was very good. They were able to do the integration. It didn't really require a heavy amount of effort from us to work with them. It was just time-consuming. They were updating the parsers to support our environment for several weeks.

What was our ROI?

We have definitely seen ROI using Securonix.

Which other solutions did I evaluate?

We piloted Exabeam but we didn't go forward with them. We looked a little bit at LogRhythm's UEBA capability as well. At the time they were in the beta stages, so we didn't feel comfortable going with them. 

One of the things that we really liked about Securonix was that it is very open-platform, where we have the ability to tune and tweak and create new policies as needed. With Exabeam, everything required us to go through their Professional Services to make some of those changes. The real benefit that we liked with Securonix over Exabeam was the reporting capabilities. Exabeam pretty much removed almost all their reporting and threat-hunting capabilities. I think there was some bug that was taking place. The other thing that Securonix does that I really like is that they give you the raw log message so you can see all the details. Exabeam was only providing parts of the log message, parts they thought were relevant for an investigation, but they didn't provide everything.

LogRhythm versus Securonix is not one-to-one. We're using LogRhythm for our SIEM, long-term retention, being able to look at things over a 90-day period of time. We're using Securonix more just for the UEBA capabilities. Based on how we're using them today it would be difficult to say the pros and cons of either one. We've had some challenges with LogRhythm support and some of their feature enhancements. Some of the things they've rolled out don't necessarily work as expected or we've experienced a lot of bugs with their product. We haven't had the same issues with Securonix.

What other advice do I have?

From a positive standpoint, with Securonix, or with any UEBA vendor, but specifically Securonix as that's the one that we're using, it definitely overcomes a lot of the challenges with trying to understand what's normal and what's not normal in an environment. With the traditional SIEM rules, it's very difficult to tune some of the policies to understand what is normal for your environment. That's really helped us quite a bit. Another thing that might be helpful regarding understanding the platform is that it takes a little bit of time to come up with the behavior profiles. It might take 30 days, depending on what you're trying to look at, before you start seeing some alerts trigger, because you're looking at things over a longer period of time.

The biggest lesson I've learned using Securonix is that with behavioral analytics, and any UEBA vendor, it does reduce some of the alerts but it also has the potential to create additional volume or additional alerts, which could be good or bad. So just understand that there definitely is the potential to get a lot more security alerts as a result of using the product.

The way we try to work around the increase is through the ability to tune some of the policies to remove some of the few things that produce known noise. The biggest thing is just tuning things out, where applicable. Another is by leveraging their threat models. Correlating several different policies together, which are part of a threat model, might provide a little bit more context. As an example, if two of these three policies fire within a certain period of time, it might be a little more interesting than just, say, this one stand-alone policy triggering by itself.

The behavior analytics probably doesn't help us to prioritize advanced threats. It's just the nature of UEBA, I don't think it's necessarily a reflection of Securonix. But one of the challenges with being able to detect a lot of rare activity or anomalous activity is that you tend to find there's a lot more rare stuff happening in your environment than you would expect. It helps us, but sometimes it has the potential to create a little bit more noise as well.

With SNYPR, they have what's called SNYPREye which monitors the cloud solutions of SNYPR to detect if there is any type of operational issue.

We have five people on our team who use Securonix. They're security threat analysts. They all have the same feelings that I do: that it's very helpful with security monitoring, and that it also provides threat-hunting and investigations on users.

We have shared roles, so I wouldn't say we have dedicated focus on just Securonix. We're a small team that does a little bit of everything. At a minimum, if we didn't have that shared focus, maintenance of Securonix would take one full-time resource.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
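The rarity-based policies, the enumeration policy and the threat-model correlation this reviewer describes can be sketched in a few dozen lines. The following is an added illustration, not Securonix or SNYPR code: the policy names, the thresholds, the one-hour window and all the logon and process events are constructed for the example.

```python
"""Toy UEBA-style detector (added example; not Securonix or SNYPR code).
Shows three ideas from the review: rarity policies (first logon to a host, rare
logon hour, rare process), a count-based enumeration policy (many distinct
hosts in a short window) and a threat model (several distinct policies firing
for one user inside a window). All names, thresholds and events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline (learning period) and new events to evaluate.
# Event tuple: (timestamp, user, host, kind, detail); kind is "logon" or "process".
BASELINE = [
    ("2019-06-03 08:05", "alice", "ws-01", "logon", ""),
    ("2019-06-04 08:10", "alice", "ws-01", "logon", ""),
    ("2019-06-04 09:00", "alice", "ws-01", "process", "outlook.exe"),
    ("2019-06-05 10:03", "bob", "ws-07", "logon", ""),
    ("2019-06-03 22:15", "svc-backup", "srv-db-01", "logon", ""),
    ("2019-06-04 22:20", "svc-backup", "srv-db-01", "process", "backup.exe"),
]
NEW = [
    ("2019-07-01 08:07", "alice", "ws-01", "logon", ""),           # normal
    ("2019-07-02 03:02", "alice", "srv-fs-01", "logon", ""),       # new host, odd hour
    ("2019-07-02 03:05", "alice", "srv-fs-01", "process", "powershell.exe"),  # never run before
    ("2019-07-02 22:15", "svc-backup", "srv-db-01", "logon", ""),  # normal
    ("2019-07-03 10:00", "bob", "ws-07", "logon", ""),             # normal start, then
    ("2019-07-03 10:01", "bob", "fs-01", "logon", ""),             # five distinct hosts
    ("2019-07-03 10:02", "bob", "fs-02", "logon", ""),             # in four minutes
    ("2019-07-03 10:03", "bob", "fs-03", "logon", ""),
    ("2019-07-03 10:04", "bob", "fs-04", "logon", ""),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def build_profile(events):
    """Learn a per-user baseline: hosts logged into, logon hours seen, processes run."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "procs": set()})
    for ts, user, host, kind, detail in events:
        p = profile[user]
        if kind == "logon":
            p["hosts"].add(host)
            p["hours"].add(parse(ts).hour)
        elif kind == "process":
            p["procs"].add(detail)
    return profile


def evaluate_policies(profile, event):
    """Return the rarity policies one event violates against the learned baseline."""
    ts, user, host, kind, detail = event
    p = profile.get(user)
    if p is None:
        return ["never_seen_user"]
    fired = []
    if kind == "logon":
        if host not in p["hosts"]:
            fired.append("rare_host_logon")
        if parse(ts).hour not in p["hours"]:
            fired.append("rare_logon_hour")
    elif kind == "process" and detail not in p["procs"]:
        fired.append("rare_process")
    return fired


def enumeration_violations(events, threshold=3, window=timedelta(hours=1)):
    """Count-based policy: a user reaching more than `threshold` distinct hosts in a window."""
    per_user = defaultdict(list)
    for ts, user, host, kind, _ in events:
        if kind == "logon":
            per_user[user].append((parse(ts), host))
    out = []
    for user, logons in per_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t <= start + window}
            if len(hosts) > threshold:
                out.append((start, user, "host_enumeration"))
                break  # report once per user
    return out


def run(baseline, new_events, required=2, window=timedelta(hours=1)):
    """Return (violations, users) where a threat model fires for a user when at
    least `required` distinct policies trigger for them inside `window`."""
    profile = build_profile(baseline)
    violations = [(parse(ev[0]), ev[1], pol)
                  for ev in new_events for pol in evaluate_policies(profile, ev)]
    violations += enumeration_violations(new_events, window=window)
    per_user = defaultdict(list)
    for ts, user, policy in violations:
        per_user[user].append((ts, policy))
    hits = set()
    for user, items in per_user.items():
        for ts, _ in items:
            distinct = {pol for t, pol in items if ts <= t <= ts + window}
            if len(distinct) >= required:
                hits.add(user)
    return violations, sorted(hits)


if __name__ == "__main__":
    found, users = run(BASELINE, NEW)
    for ts, user, policy in found:
        print(f"{ts:%Y-%m-%d %H:%M} {user:<11} {policy}")
    print("threat model fired for:", users)
```

Two things the toy makes visible that the review states in words: a single rarity policy firing on its own (bob's first new host) is just noise until a second, different policy corroborates it, and the count-based enumeration policy is what turns a string of individually minor "rare host" hits into something worth investigating.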
LeaderIn0c93 - PeerSpot reviewer
Leader - Investigations, Insider Threat at a tech services company with 5,001-10,000 employees
Consultant
With a lot of data in one console, the time we require to investigate alerts and threats has decreased
Pros and Cons
  • "The customizability of the tool is valuable. We are able to customize the use cases and create them easily without a large amount of Securonix assistance. It's very flexible. We do not have to rely on Professional Services to modify or create a new use case."
  • "Other than issues with the training, there have been issues with the encryption. There have also been issues with some of the reporting, minor glitches that they have fixed as they've gone along."

What is our primary use case?

Data loss protection and account misuse are our primary use cases. We're utilizing it to help identify and correlate user behavior to identify potential data loss as well as to detect certain types of fraud.

How has it helped my organization?

The behavior analytics of Securonix has helped to prioritize advanced threats for us. We're still working through it, but it has helped. For example, it enables us to customize widgets, risk scores, and dashboards to identify what we want to see and gives us the ability to base the risk score on our business model and what we consider to be a high priority.

While we would have detected the threats that we do without the solution, it helps us have a central point to manage and detect those threats. It would have taken a little bit more work or additional tools to identify them after the fact. For example, it helps us in identifying and detecting fraud in the early stages.

The solution has decreased the time required to investigate alerts and threats because a lot of the data is in one console. We're not having to go to three or four different consoles. It also helps to surface high-risk events that require immediate action, such as identification of penetration testing.

What is most valuable?

The customizability of the tool is valuable. We are able to customize the use cases and create them easily without a large amount of Securonix assistance. It's very flexible. We do not have to rely on Professional Services to modify or create a new use case.

The solution's behavior analytics, in detecting cyber and insider threats, are good. The tool does what it's supposed to, as long as the data coming in is accurate.

What needs improvement?

Other than issues with the training, there have been issues with the encryption. There have also been issues with some of the reporting, minor glitches that they have fixed as they've gone along.

I think they have fixed the encryption piece and they have supposedly fixed training. I haven't seen the new training modules yet. The reporting and metrics will be improved in the next release, from what I understand.

For how long have I used the solution?

I have been using Securonix for two years.

What do I think about the stability of the solution?

The solution is very stable. We haven't had any issues.

What do I think about the scalability of the solution?

We were able to increase it. It's scalable, but with some work on-prem; we're not cloud. But it is scalable. The issues were mostly from our environment: networking and support.

My team is the only team that's using it, and it's one hundred percent part of our daily functions. We have plans to increase usage, and extensively. We're about 50 percent of the way to where we want it to be.

How are customer service and technical support?

Technical support is excellent.

Which solution did I use previously and why did I switch?

We did not have a previous solution.

How was the initial setup?

The setup was complex. The data mapping was complex because of our own structure and environment. From start to finish, it took us about three-and-a-half months before we went to production.

In terms of an implementation strategy, we worked with Securonix to develop a statement of work and we followed that. It included development and identification of data sources, implementing or ingesting those data sources, and applying use cases to those data sources as we fed them in.

What about the implementation team?

Securonix helped us to deploy the solution. Our experience with them was very good; excellent.

What was our ROI?

So far we have seen ROI. We would like to see even better ROI. 

What's my experience with pricing, setup cost, and licensing?

We pay yearly.

Which other solutions did I evaluate?

We did a PoC between two solutions and we chose Securonix. The other solution was Exabeam. One of the reasons we went with it is that someone had used Securonix at a different company. The scalability, the interface, and the results that it provided were also factors in our decision to go with it.

What other advice do I have?

The biggest lesson we have learned from using Securonix is to start small. Don't throw everything at it. Start with one single use case and build out. Don't throw all the use cases into it at once. Otherwise, it's too much work, you get flooded with too much data, you can't focus on what's important, and you can't clean it as quickly. You can clean it, but it will take a lot of time.

My advice is to go with the cloud solution and, as I said, start small. Don't try to ingest everything at once. And don't create use cases for everything under the sun.

Because we're on-prem, we've had to both focus on threats and on the engineering of the platform. They provide support, but we still have some engineering overhead on our side.

We have five users using it and they're all investigator-analysts. We deployed with the help of four people who are security engineers, and maintenance is pretty much done by the two Securonix support people we have.

Overall, I would rate Securonix at eight out of ten. We're still going through it, developing, learning, and we find issues.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Kris Nawani - PeerSpot reviewer
Co-Founder/Director at Bangkok MSP Company Limited
Real User
Saves three to four hours of manual work and helps in decision-making
Pros and Cons
  • "The solution's AI features reduce the need for manual analysis and help in decision-making. It displays the report in seconds. It saves my resources three to four hours of work."
  • "Securonix Next-Gen SIEM's deployment is complex and you need a team to do it."

What is our primary use case?

My use cases relate to SIEM. 

What is most valuable?

I like Securonix Next-Gen SIEM's integration with in-house AI. I use its behavior analytics feature and am happy with it. It helps to enhance security. 

The solution's AI features reduce the need for manual analysis and help in decision-making. It displays the report in seconds. It saves my resources three to four hours of work.

What needs improvement?

Securonix Next-Gen SIEM's deployment is complex and you need a team to do it. 

For how long have I used the solution?

I have been using the product for two years. 

What do I think about the stability of the solution?

I rate the solution's stability a ten out of ten. 

What do I think about the scalability of the solution?

The tool is scalable since it's on the cloud. There are no limitations. 

How are customer service and support?

I haven't contacted the technical support since we have a strong in-house team. 

What about the implementation team?

We did the deployment in-house. 

What's my experience with pricing, setup cost, and licensing?

The solution's price is double that of its competitors.

What other advice do I have?

I would recommend Securonix Next-Gen SIEM to SMBs if they have the money. I rate it a ten out of ten. 

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner