LogRhythm Security Intelligence Platform
Strengths: Probably the most complete pure-play SIEM we’ve seen with the added benefit of many next-gen features and superlative correlation and analytics.
Weaknesses: Some minor hiccups in the documentation at the getting started point, but after that nothing that we noted.
Verdict: This is a heavy duty tool made for a demanding large environment. It is scalable and complete with the largest list of supported connectors we’ve yet seen. For all of that we make it our Recommended product.
It feels as if these folks have been around forever. They started life as a SIEM with a heavy emphasis on log management. Today they are all that plus a solid suite of next-generation attributes. They have many of the attributes of next-gen SIEMs: artificial intelligence, sophisticated log correlation, sophisticated pattern recognition and behavioural analysis. Their strength is, as it always has been, log management. But "log management" has taken on an entirely new dimension with this product. As is absolutely necessary today, it has the intelligence to analyse, correlate and make sense of huge amounts of data.
It can take input from almost any device and any log type you can imagine - the list ran to 14 single-spaced pages - and it has an excellent UI that makes analysis if not intuitive at least very straightforward. To support that, LogRhythm has first-rate documentation with lots of detail and step-by-step lists. We do wish for some clarification on what the rear panel ports mean. On our unit they were labeled a bit ambiguously and a call to support provided the explanation quickly. It would have been nice not to need to call support. In fairness, though, the company pointed out that the product typically is deployed with the assistance of a professional services engineer. We decided to bite the bullet and go it alone. The results, after the first start-up hiccups, were quite satisfactory.
Everything starts with the IP address configuration. Instructions for that - a simple two-page guide - came with the product and once we figured out where to plug what, we were up in no time. Next comes configuration and that - depending on the size and complexity of your enterprise, of course - is where it can become a bit more difficult. The centerpiece for that set of tasks is the Deployment Manager. That has a menu that is about as straightforward as a menu can be and still be a GUI. Just about anyone who ever has set up a security device will feel comfortably at home with the Deployment Manager tabs.
There are a lot of options on the Deployment Manager and they each are described in detail in the manual. In fact, the manual has hyperlinking for finding specific topics rapidly, something we see less and less of, sadly. One specialised capability is collecting typical Windows logs. To set that up, you use the Windows Host Wizard. The tool has lots of wizards and that makes setup and configuration much easier. In a large enterprise there can be tens of thousands of endpoints and logging devices. That can be a very difficult environment in which to deploy. LogRhythm makes it much easier with the detailed documentation and excellent wizards.
There are data processors, data indexers, agents and log sources among others that all need to be configured and added. We recommend that you read the manual to get the deployment flow before you even apply power to the box. However, that's the piper that must be paid if you want the kind of analytical power that the tool offers. It probably is worth noting that the first 720 pages of the manual are devoted to deployment and other administrative tasks while much of the rest of the 1,220 pages are a user guide. The user guide assumes a configured device in production and the power of the device - buried by deployment details in the first part of the manual - really becomes evident. The remaining pages address device configuration guides and cover everything from adding Bit9+CarbonBlack to adding Cisco and Checkpoint devices. Support is substantial and can include training and other extra benefits. However, you must register to have access to the support site and we were told that documentation only is available for download temporarily after you buy the product. We would like to see, at least, a mini-support portal open to the public where one could access technical details during the decision-making phase of buying the tool. This is a very pricey device, but it offers a lot as well. For a SIEM of this quality, we believe that its cost is reasonable.