Data Security Architect at a comms service provider with 1,001-5,000 employees
Real User
Good analytics features but it should have better integration with multiple products
Pros and Cons
  • "The analytics feature is the most valuable feature."
  • "I would like to see better integration with multiple products. Integration is not something that is readily available for most of the products."

What is most valuable?

The analytics feature is the most valuable feature. 

What needs improvement?

I would like to see better integration with multiple products. Integration is not something that is readily available for most of the products. 

I would also like to see some more customization with the analytics that LogRhythm offers because there are competitive solutions on the market that get much more analytics, unlike LogRhythm. We have second-hand features when we look at the analytics portion of it. Otherwise, the solution is good but I'm expecting a little more in analytics.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

The stability is good. I would rate it a three out of five. 

Buyer's Guide
LogRhythm NetMon
June 2024
Learn what your peers think about LogRhythm NetMon. Get advice and tips from experienced pros sharing their opinions. Updated: June 2024.
787,033 professionals have used our research since 2012.

What do I think about the scalability of the solution?

Scalability depends on the sizing. If you have lower sizing then you will not be able to scale the system. 

The security team of around five people are the main users. They do analytics for an organization of 3,000 plus employees.

How are customer service and support?

Their technical support isn't so great. 

Which solution did I use previously and why did I switch?

We were previously using ArcSight. We switched because ArcSight didn't have a roadmap for their company. We didn't get a clear roadmap for their technology innovation guidelines.

How was the initial setup?

The initial setup was a little complex. We have to manage a lot of devices, and the dashboard needs to be set up.

The entire deployment took a little over a month. We required five to six staff members for the deployment. The staff comprises security and forensic analysts.

What about the implementation team?

We implemented in-house. 

What's my experience with pricing, setup cost, and licensing?

Pricing is okay. There were some competitors that were extremely expensive and there were some which were really inexpensive but LogRhythm stayed in the middle of them.

What other advice do I have?

I would advise someone considering this solution to do the assessments properly before you deploy the solution because it also depends on what kind of products you have to integrate with LogRhythm. Most products do have an integration out-of-the-box. You need to study the product first before you make the decision to go ahead with LogRhythm.

I would rate it a seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Product Technical Manager at a tech company with 1-10 employees
Real User
Provides very good lateral visibility for easy detection of irregular traffic and attacks
Pros and Cons
  • "Visibility is a valuable feature, the ability to see even if the traffic is not going into the firewall."
  • "Could use a topology diagram which would help get an exact visual."

What is our primary use case?


Our primary use case is trying to monitor irregular network traffic - identifying the type of traffic within our network, its origin, and destination IP. It could be HTTP, HTTPS, FTP, or ODBC. Once we recognize the traffic, we then correlate it, determining whether it's normal or abnormal. The data is also sent via Syslog to LogRhythm SIEM to further correlate with logs from other devices to look at threats from a holistic view.

How has it helped my organization?

We simply enabled the out-of-the-box DPA rules within Network Monitor to look for ransomware via SMB traffic and other types of attacks such as DNS hijacking, where external DNS is being used instead of internal, and it was happening in our network environment.

What is most valuable?

I think visibility is the most valuable feature - the ability to see what's going on with the network traffic even if it is not passing the firewall. It provides lateral traffic visibility, which most can't see in firewalls and network switches/routers with limited logs. In an internal environment, we have a customer with several database servers, and they want to know who is connecting to these critical servers; this solution enables that. In terms of attacks or any abnormal traffic, we can quickly detect it. Visibility into network lateral movement is significant.

What needs improvement?

Our customers would always like to see additional features. Ideally, they want one solution to do everything, particularly with networking products. Often customers request features that are related to their day-to-day operation, such as traffic congestion and network usage at a specific endpoint. Adding operational flavor into the existing network threat detection product would allow more customers to use a single platform to satisfy all their networking visibility needs. I'd like to see more of these types of visualizations or dashboards geared toward this kind of usage built out of the box and ready to use.

Also, having network topology visuals from a specific endpoint can be a great feature that would help correlate and investigate faster.

For how long have I used the solution?

I've been using this product for four years. 

What do I think about the stability of the solution?

It's an excellent and stable solution; it's based on ELK and is a proprietary solution. It provides you with an ISO file that you can install in minutes.

How are customer service and technical support?

The technical support is excellent. You can find many pre-built rules, visualization dashboards, or the Kibana dashboard within the community portal. 90% of users can just use it right out of the box and use the many built-in deep packet analytics rules and dashboards or download from the community. If you'd like to build your own rules, it will require some learning of the rule syntax. For any more advanced integration with an external system, you can make a request to LogRhythm support. They will be willing to answer any questions you have.

How was the initial setup?

The initial setup is very straightforward and simple. It takes about half a day to get it all done. 

What's my experience with pricing, setup cost, and licensing?

Compared to many other products in the market, I think LogRhythm has the highest cost-to-performance ratio in terms of its value. Many customers compared us to a lot of other network tools that focused more on traffic flow and data flow, which often lack threat detection, visibility, and deep packet analytics. However, LogRhythm NetworkNDR provides excellent visibility and threat detection because it identifies 3000 plus applications, has built-in deep packet rules, and provides SOAR capability at the same time.

What other advice do I have?

LogRhythm provides a freemium version of NetMon, so I would first advise anyone to download it and play with it first. All features are the same as the full version, and it is the best way for anyone to understand the product's capability and how it works. If it works well, then consider buying the product.

I would rate this product a 9 out of 10.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner - Taiwan
PeerSpot user
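The second review describes enabling a rule for DNS hijacking, where internal hosts resolve names through an external DNS server instead of the internal resolvers, and forwarding the result over Syslog to the SIEM. As an added example (not the reviewer's configuration and not LogRhythm's own DPA rule syntax), the check below runs that logic over constructed flow records and emits an RFC 5424-style syslog line; the resolver addresses, internal ranges, record format and sensor hostname are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List

# Assumed sanctioned internal resolvers and internal address space (constructed values).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    app: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Flow:
    # Constructed CSV format "src,dst,proto,dport,app"; not a real NetMon export format.
    src, dst, proto, dport, app = line.strip().split(",")
    return Flow(src, dst, proto, int(dport), app)


def rogue_dns(flows: Iterable[Flow]) -> List[Flow]:
    """Return DNS flows from internal hosts whose destination is not a sanctioned resolver."""
    return [f for f in flows
            if f.dport == 53 and f.proto in ("UDP", "TCP")
            and is_internal(f.src) and f.dst not in INTERNAL_RESOLVERS]


def syslog_line(f: Flow, host: str = "netmon01") -> str:
    # RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP PROCID MSGID SD MSG.
    # PRI 132 = facility local0 (16*8) + severity warning (4); "-" is the nil value.
    return (f"<132>1 - {host} dnswatch - - - external DNS from {f.src} "
            f"to {f.dst} ({f.proto}/{f.dport})")


# Constructed sample flows: two hosts bypass the internal resolvers, one HTTPS flow is noise.
SAMPLE = """10.0.5.21,10.0.0.53,UDP,53,dns
10.0.5.22,8.8.8.8,UDP,53,dns
192.168.3.7,1.1.1.1,TCP,53,dns
10.0.5.21,93.184.216.34,TCP,443,https
10.0.9.9,10.0.1.53,UDP,53,dns"""

if __name__ == "__main__":
    for hit in rogue_dns(parse_flow(l) for l in SAMPLE.splitlines()):
        print(syslog_line(hit))
```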