
Sumologic vs LogRhythm

Remedymp Member Posts: 834 ■■■■□□□□□□
Have any of you members here dealt with either of the two SIEMs, Sumologic or LogRhythm? Your opinions are welcome.

Comments

  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    No experience with Sumologic but we run LogRhythm at work.
  • 636-555-3226 Member Posts: 975 ■■■■■□□□□□
    Splunk FTW. LogRhythm was 2nd on our list. Never looked at Sumo.

    What's your use case? What do you want to get out of it? Consolidated security reporting? Correlation? What's your org size? Any SIEM requires a dedicated FTE to be useful in a mid/large org, so be prepared. It still has use if you can't dedicate an FTE to it, but you'll be constantly wanting more and not being able to give it to yourself.
  • Remedymp Member Posts: 834 ■■■■□□□□□□
    Danielm7 wrote: »
    No experience with Sumologic but we run LogRhythm at work.

    How is LR for your team?
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    We use a hybrid management of the SIEM; by that I mean the boxes are all on site and I can access and use them anytime I want, but we also have a 3rd-party SOC who monitors it and can change anything you need. If you don't have the staff on site to deal with it, I highly recommend a managed service like that. I've done training on it so I know how to do most of what I need, but I can also ask the SOC to handle anything I don't have time for. They also work 24/7/365, which we don't have the staffing for.

    As for LR itself, I don't have a lot of experience with other SIEMs to compare it to. We've been mostly pleased, other customers that I've talked to have been happy with it as well, and there are no huge glaring issues that I'd want to bring up really.
  • Chitownjedi Member Posts: 578 ■■■■■□□□□□
    I worked with our vendor to get LR put in place a few weeks ago and I am currently tasked with maturing the platform (importing, rules, users), the whole gamut: server maintenance, cleaning up Data Indexers for corrupted shards or segments... LogRhythm was highly regarded; customer service has been outstanding.
  • TheFORCE Member Posts: 2,297 ■■■■■■■■□□
    Used LogRhythm at my last job, very good system, needs a lot of time to learn it properly though.
  • JoJoCal19 Mod Posts: 2,835 Mod
    Did a full POC of LogRhythm at my last job and loved it.
    Have: CISSP, CISM, CISA, CRISC, eJPT, GCIA, GSEC, CCSP, CCSK, AWS CSAA, AWS CCP, OCI Foundations Associate, ITIL-F, MS Cyber Security - USF, BSBA - UF, MSISA - WGU
    Currently Working On: Python, OSCP Prep
    Next Up: OSCP
    Studying: Code Academy (Python), Bash Scripting, Virtual Hacking Lab Coursework
  • beads Member Posts: 1,531 ■■■■■■■■■□
    LogRhythm is good. Only heard of Sumo but never anyone who has actually bought or used it, so no idea there.

    SIEM has come a long way but already feels dated next to some of the newer BADs and NBADs out there, making SIEM the relic, or good for junior analysts to watch all day. Frees the adults up to do more productive work.

    - b/eads
  • Remedymp Member Posts: 834 ■■■■□□□□□□
    beads wrote: »
    LogRhythm is good. Only heard of Sumo but never anyone who has actually bought or used it, so no idea there.

    SIEM has come a long way but already feels dated next to some of the newer BADs and NBADs out there, making SIEM the relic, or good for junior analysts to watch all day. Frees the adults up to do more productive work.

    - b/eads

    But the BADs and NBADs are quite a bit more expensive than SIEMs, no? I mean, SIEMs have their place, but *BADs have their place as well.
  • nelson8403 Member Posts: 220 ■■■□□□□□□□
    We use LogRhythm at work, but watch out for sizing: they undersized us heavily, and we're not sure if it was just trying to get to our price point, but we've had days where we can't process anything.

    We just recently finished a vulnerability assessment and it didn't catch much; we had to tune some of the signatures to alert us, but when we watched the systems we got information.

    Previously we had a fully managed one, which worked out well; our SIEM is really only used for creating reports anyway.
    Bachelor of Science, IT Security
    Master of Science, Information Security and Assurance

    CCIE Security Progress: Written Pass (06/2016), 1st Lab Attempt (11/2016)
  • winona_ryder Member Posts: 42 ■□□□□□□□□□
    I would avoid LogRhythm in place of Splunk, any day of the week. LR is not intuitive or consistent across its interface.
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    winona_ryder wrote: »
    I would avoid LogRhythm in place of Splunk, any day of the week. LR is not intuitive or consistent across its interface.
    We were quoted literally 3x the cost of LogRhythm in our environment, for Splunk. The salesman didn't understand why we weren't going forward when we had a 500K quote, and his was 1.5 million. If it was close, sure, but that's kind of a hard sell to the board.
  • winona_ryder Member Posts: 42 ■□□□□□□□□□
    Danielm7 wrote: »
    We were quoted literally 3x the cost of LogRhythm in our environment, for Splunk. The salesman didn't understand why we weren't going forward when we had a 500K quote, and his was 1.5 million. If it was close, sure, but that's kind of a hard sell to the board.

    You must have needed a massive license. A 100GB/day license is around the $150K mark for a perpetual license. That seems like a hideous amount of logs to be sending to LR. My concern would be that it would fall over due to messages per second.

    It's almost a given if you send it ASM logs. At least when I sent unfiltered ASM data to Splunk, it took it all and simply popped the license. LR fell over and stopped processing logs.

    I've used both, and every time I use LR, I feel like I've been ripped off. In terms of usability, documentation, consistency and support, Splunk blows it away. Same with ELK. The number of times I've done a Google search for an LR issue and come up blank is very high.

    I'd add that I would use ELK over LR too. LR's implementation of Elasticsearch is clunky.
  • cyberguypr Mod Posts: 6,928 Mod
    Are you factoring ES into that 150k figure?
  • winona_ryder Member Posts: 42 ■□□□□□□□□□
    cyberguypr wrote: »
    Are you factoring ES into that 150k figure?

    Nope, that's a good call, I had forgotten about the separate licensing for it.

    ES does require a separate license that runs concurrently with your main instance, but it doesn't have to be the same amount. You could be aggregating 250GB and sending 100GB of that to ES. Though Splunk obviously prefer it if you mirror the license.

    That being said, if he was quoting ES to cost a million it must be the last sale that the bloke was putting through, so he could retire.
  • beads Member Posts: 1,531 ■■■■■■■■■□
    @Remedymp;

    There is that old cliché about you get what you pay for, in most cases. Depends on your needs and environment. For general traffic and a low to mid risk level of tolerance, LR is fine. If you have really sensitive data floating around with the possibility of serious PR loss due to compliance fines and sales loss, you're going to need some really serious tools to back it up. SIEMs can be very basic but provide enough functionality to check the box, where a *BAD and SIEM may be the right combination. Splunk is cool but costly, particularly looking at where it came from (FOSS, etc.).

    Now add a Damballa or SentinelOne, replacing the old A/V model, and yeah, I can spend seven figures without batting an eyelash. The question was a comparison between two mid-level products. Personally, I like LogRhythm but it feels very entry level today. A good workhorse of a security model but nothing special. Sumologic? I know it by marketing alone and maybe it's great, dunno.

    BADs, NBADs and a couple of other products mentioned above I know from personal experience and have had great success building very secure, best-of-breed networks around. Interesting stuff.

    Just costs money and labor. What's the big deal?

    - b/eads
  • Danielm7 Member Posts: 2,310 ■■■■■■■■□□
    My costs also included SOC management plus a few other things. Both companies were proposing similar packages, so it was just a straight cost issue at that point, minus the details of how one might be better than another, etc.