5 out of 5.0, Reviewed Aug 25, 2016
We were leaning towards LogRhythm because we had in-house skills with that platform. We invited RSA to compete as a courtesy, really, since we have a strong EMC relationship. It surprised us all when Security Analytics whupped LogRhythm in pretty much every area, and they were very competitive on price. LogRhythm, like many of the players in this space, is like an iPhone - you get lots of shiny bells and whistles, but you can't really go outside the box they have defined for you. Security Analytics was like an Android phone in comparison - has basic features out of the box, but really comes alive when you start tweaking it to your liking. Very extendable, and even our CSIRT team, which used LogRhythm prior, appreciate the extendable parsing and alerting engines.
Built for hunting. Easily tunable and extendable. Fast. Packets engine is second-to-none, and brings another level of intelligence to the operation.
Not quite a fully-integrated solution. Their endpoint analysis tool, eCat, still runs independently, and has a separate management interface. But the data is accessible within the Security Analytics console for investigations. This should be fixed in the next major release.
While Security Analytics does the basic alerting and reports, the product is really built for hunting. If you are looking for something to give you shiny dashboards and lots of blinking lights, you might be better served with one of RSA's competitors. This is a tool for hunters, to enable them to identify and research anomalous behavior. It does well in log analysis, but really shines in packets. The ability to perform actions on emails that the Packets engine sees is game-changing. You don't need to have parsers for everything if you can just see another system's alert fly by on the wire, and act on that. The tool has also been refreshingly fast in searches, which is amazing given our volume of logs (millions a day), and packets (terabytes per day).
Security Analytics is a completely different beast than the prior Envision product from 3 years ago, and our local SE had to escalate a lot of questions to the engineering team back at RSA's headquarters. But RSA's commitment to us during the POC and initial implementation phases has been great.
Since RSA had installed and configured the POC for us, there was little work for us to do to convert it to Production. Just moved the hardware from lab to datacenter, and re-IP'd it. RSA flew an engineer out to assist, and the solution was moved on Day 1 and we spent the rest of the week further tuning.
5 out of 5.0, Reviewed Jun 9, 2016
After we got over the initial hurdles with implementation, we discovered Security Analytics to be extremely full-featured and highly customizable. We were able to quickly get the return on investment when we started having use cases and visibility into areas we were previously blinded to, and provided support to groups for troubleshooting major applications.
Take the time to understand the architecture of the application and how each of the data points work together. Look for unique ways to construct dashlets and views into data you care about.
The customization and control of the data is great! Blew away other similar products. Netwitness is still the 800 lb gorilla in this space. Nothing else compares.
Reporting still has some room to grow.
Initial training was a bit rough but once getting through it everything was awesome!
Very functional and very customizable!
4 out of 5.0, Reviewed Oct 7, 2015
A conservative choice for PCAP at the border with a solid user community and road support. Good analytics and reliable capture. Very expensive to get enough storage to meet retention needs for large enterprises though, and writing rules can require very specialized skills.
Tiered storage to help manage retention costs.
RSA provides good support if you ask them the right questions, but they aren't proactive.
2 out of 5.0, Reviewed Oct 6, 2015
Released prematurely while not focusing well on log collection.
Wait until the product is more mature.
Potential of the integration of Esper and data warehouse with the product is intriguing.
Released too soon, with too many bugs and features/functionality missing.
Wait to release a more stable product.
Ensure the product is more mature and company has a history of hitting deadlines.
Support wasn't fully trained on product.
4 out of 5.0, Reviewed Jun 16, 2015
It was hard for every day engineers to use.
Look more at the operational needs
Good for analytics, and we tried to use for everyday use.
Configuration was easy, but the integration was a long process
5 out of 5.0, Reviewed Jun 10, 2015
The local RSA engineer spent a lot of time with my team and helped get past a number of implementation hurdles.
Choosing to go with a managed service to manage our SIEM allowed us to implement RSA's product much faster than we could ever do it ourselves. I highly recommend a managed solution for this type of solution.
RSA's Security Analytics is able to collect network data and correlate that into the log feeds.
User interface is a bit ugly
Vendor (RSA) was really good to work with so no changes wished for here.
Would not change anything
3 out of 5.0, Reviewed Jun 9, 2015
The application is great, just requires much customization. The vendor needs to do a much better job representing the product.
Don't listen to the salesman and do your research.
Very adaptable to what you want, but it takes time and a lot of effort.
Provide better engineers to make the application perform better quicker.
Do more in-depth research on the product from an out-of-box perspective.
It took weeks to get advanced support for final implementation, which shouldn't have taken more than 24 hours.
We were able to deploy Archer within 4 months, but now we have to customize the product to the way we need it.
3 out of 5.0, Reviewed Jun 9, 2015
Monster tool. Take your time to know the product.
Easy navigation and user friendly
Give ourselves more time to implement.
Product vendor onsite.
Have a better understanding of the USMC security requirements.
4 out of 5.0, Reviewed Jun 9, 2015
Still evaluating and getting used to using it.
Make sure to include all stakeholders.
Gets rid of certs in the future.
Make sure a roadmap is available.
Include stakeholders more.
Still learning the product
Involved very little
2 out of 5.0, Reviewed Jun 8, 2015
The product does what is intended but the support and implementation has been a difficult process.
Understand the product and its capabilities.
The interactive control panel.
Installment on endpoints.
Communicated better with its clients.
Be better aware of the capabilities of the product.