AlienVault OSSIM vs Elasticsearch

• Most of the configuration comes out-of-the-box suited for most environments. Setting it up is really easy, with the wizard, you can have it working in less than 3 hours of deployment, without counting asset installation.
• Out-of-the-box dashboards are really useful. You can modify or add new widgets to suit your needs, but you'll most likely agree with what already comes configured.
• The tickets feature for handling alarms is really easy to use.

Read full review

• Indexing. Elasticsearch can index thousands of documents per second.
• Searching. Elasticsearch provides plenty of options for querying your data to get just the right information back.
• Scalability. Elasticsearch has built-in features for replicating data and distributing load, so you don't have to invest a ton of time and effort into third-party or customized clustering and/or sharding solutions.
• Backup. Elasticsearch has built-in options for backing up your data. If you're dealing with a large cluster, backing things up can get rather interesting from a storage perspective, but Elasticsearch has worked very well for us thus far.
• Recovery. If part of your cluster goes offline, Elasticsearch generally does a decent job of staying online and recovering from the outage. Occasionally you'll lose nodes that house all copies of a given set of shards (which isn't fun), but Elasticsearch still handles that situation as well as can be expected.

Read full review

• The correlation directives that come out of the box are very few. I understand more correlation directives are a premium product, but one can hardly see the value of having very few. It makes new customers think they will not get better directives when they switch to the full USM or USM Anywhere.
• Same with reports, the few reports it comes out of the box can be retrieved using other tools that are better prepared for the task. I understand that compliance reports aren't free, but at least I'd expect more security reports.
• The OTX tab in dashboards sometimes takes too long to load, even if you have a fast internet and plenty of resources in the VM.

Read full review

• The documentation could be a bit more detailed and have more examples, especially for advanced functionality.
• The ability to update/change existing live field mappings would be nice.
• The ingest pipeline structure is a bit more complicated and confusing than previous implementations for using things like attachment plug-ins.

Read full review

• The ROI of OSSIM itself is, obviously, immediate, being that it's a free, open-source product. However, you must take into account other inherent investments to cover up for the lack of official support, such as certified agents or consultants that take care of the management and maintenance of the product once in production.
• On the other hand, the potential loss of information and interruption of operativity due to malware and other threats is really unmeasurable. The implicit savings in OSSIM as a SIEM (Security Information and Event Management) are really the major positive impact on your organization's revenue.
• Finally, and from a reseller's point of view, reselling OSSIM has the big plus of being a professional services-only asset, given that the appliance itself is free of charge. The only thing to consider is the initial investment in team members with the required capacitation and knowledge to address such professional services to potential customers.

Read full review

• ROI since it is open source, yay!
• We have been able to track defects quicker.
• We can detect immediately when deployed changes help or hurt.

Read full review