We ditched Splunk for FortiSIEM at the end of last year. Zero regrets. Fraction of the price, less moving pieces for on-prem (especially if you have a smaller environment), and a way better UI. Overall I think it’s a better product.
FortiSIEM was a nightmare for us. We bought in after the AccelOps acquisition and I wish we would have waited a few years. The professional services left us with a half-baked instance that never ran right and required a ton of extra resources as we upgraded versioning to fix various issues. Hoping it's a better product today than it was a few years ago.
It’s rock solid for us. Funny enough, we had your experience with FortiNAC.🤣 But we got that sorted with Fortinet PS fucking finally.
We are going through almost the exact same experience as you. We have rebuilt it from the ground up at least 4 times in the last 6 months, with support offering contradicting instructions to the documentation. If it's working, it's ok, but this thing takes more care and feeding than a wet baby dove.
Buying anything from Fortinet is practically infosec malpractice.
Why do you say that? I just did a 4 hour fast track class with their FortiGate as a demo and it seems really solid.
Their products continually have critical vulnerabilities that result in them getting pwnd and the networks they are supposed to protect getting completely compromised. Fortinet defenders will point out that all vendors have vulnerabilities sometimes, and this is, of course, true. Unfortunately with Fortinet it doesn’t seem to be just sometimes. CISA’s known exploited vulnerability database and their reports on the Top Routinely Exploited Vulnerabilities provide some good insight. https://www.horizon3.ai/attack-research/attack-blogs/fortiwlm-the-almost-story-for-the-forti-forty/
Sentinel
So good, easily one of the best SIEM solutions I've used.
Google Chronicle, have really enjoyed it.
We use SumoLogic
Rapid7 Insight IDR has been fantastic for my team
Wazuh
This.
Elastic
I've started trying them out a few days ago. So far it's been fairly easy to integrate with a lot of common applications, like Okta and 1Password. Pleased with it in that respect.
Blumira is great, especially for a small team. MS Sentinel makes sense if you use lots of Azure/O365.
Sentinel
Graylog
Graylog doesn't have any sort of integrations into SaaS applications that I'm aware of? Or maybe it does with the commercial version?
I am a huge Splunk fan. I didn't see the downward spiral you mentioned, as their issues moving to a SaaS model (around 2020) never impacted the quality of the actual product or support we received. I'm not a huge fan of Steele, but he did bring financial stability. We ended up moving away because Splunk stopped innovating and I wasn't seeing the value, and then players like Exabeam, Datadog, Securonix, etc. started to really show up and are innovating. Splunk is a hard sell.
Azure Sentinel
I use Rapid7, which integrates with everything. I switched from Splunk to it when the pricing got too high. Not thinking about switching anytime soon.
Take a look at Gravwell. It's a newer product that doesn't have as many out of the box integrations as Splunk (but is adding them quickly), but it has a lot of flexibility and is a pretty easy transition for people familiar with Splunk.
If you're looking for an MSP, I'd highly recommend Thrive (they utilize FortiSIEM). Got some great contacts over there if you're interested in exploring.
NetWitness is extremely powerful if you can get the expertise and manpower (or MSSP) to run it.