Strengths: Mature log management offering; skilled analysts reviewing logs and event data.
Weaknesses: Not many. If we have to pick something, it would be support for a larger array of native log formats.
Verdict: If you’re like most companies and don’t review your log data in real time, you should consider this solution.
Summary: SecureWorks provides real-time, 24/7 monitoring and analysis of host logs, leveraging its proprietary Sherlock Security Management Platform. The company's log monitoring service can capture, correlate and analyze log data from virtually any critical information asset.
The offering falls into the log monitoring and security event management (SEM) segment. Using its proprietary filtering and advanced correlation and logic engine rules, the Sherlock Platform analyzes all logs and alerts in real time and presents events of interest for assessment and response to a team of SANS GIAC-certified intrusion analysts in the company's counterthreat unit. The analysts attempt to identify malicious activity or policy violations. There are no agents to load on client-side equipment. Logs and event data can be transferred to the SecureWorks servers via several supported methods.
Events are reported via the portal in real time, providing clients with full visibility into security issues and policy violations within their environment. A full-ticket tracking system is available for managing client requests and monitoring progress on various monitored situations. The portal also features asset-based reporting allowing users to easily view the security and compliance activity across their environment, as well as demonstrate compliance with various regulatory requirements.
As with most managed log monitoring solutions, client data is stored in a shared repository. SecureWorks can provide log detail back to clients in XML format for use in other analysis tools or for incident response.
We were impressed with both the canned and custom reporting capabilities. The user dashboard is fully customizable and easy to use. Alerting is very granular and configured per asset, e.g., a phone alert for a critical asset versus an email for a less critical one. There is also an option for keeping the asset inventory up to date by conducting user-configured network scans. We liked what we saw.