trScore: 8 out of 10
Based on 334 reviews and ratings
Likelihood to Recommend
I think AlienVault USM is well suited for a medium size company where there are remote sites. The star configuration deployment would work very well. I would need to see how AlienVault would perform on a large multi-national company if headquarters wanted to correlate all data.
If you can't answer two questions - I mentioned them before - about your network, then you really are not in a good place from a cyber security or even customer service standpoint. Regardless of whether your networking is outsourced to a vendor, you need some type of check and balance - and you NEED to know what's going on. I was able to use this product to detect a botnet on our network - and using the details, and the ability to tie in other software, pivot from the endpoint (in Stealthwatch) to another program which allowed me to completely remediate the botnet before it spread.
Feature Rating Comparison
- Centralized event and log data collection
- Event and log normalization
- Custom dashboards and views
- Host and network-based intrusion detection
- AlienVault USM is based on well-known open source components, each of which represents a quasi industry standard
- Integration into the existing infrastructure works like a charm. Basically you just need to roll out an OSSEC client to each server or PC and you already have pretty high coverage of security information and events. They immediately show up in the AlienVault web interface
- Due to the countless plugins, it is very easy to add network devices like firewalls, routers, switches, but also servers running Apache and the like. You will just need to forward syslog and it will all appear in your AlienVault web interface
- The modular design of AlienVault USM in the form of "deployable sensors" allows you to easily integrate different network segments, such as remote sites.
- As regular vulnerability scans are a must to understand which CVEs your infrastructure is exposed to, this becomes an easy task with AlienVault. They provide you with a set-and-forget approach for running regular scans. Additionally there are helpful hints on how to get more secure.
- Stellar at grabbing Netflow data - and really, really good at differentiating types of traffic.
- Excellent at knowing which traffic was flowing from what endpoints - and then using some tie-ins to gather data about the endpoints.
- Used this mostly for historical analysis (what happened when) but also used it a few times for real-time analysis, looking for bandwidth hogs and help for troubleshooting issues.
- Highly recommend as a forensic tool - doesn't do full packet capture, but for everything else it's awesome.
- SMTP: The appliance can only send SMTP alerts to ONE email address. At the very least, it should be able to send to multiple people, and this shouldn't be a global setting. Some people want to see certain alerts, others need to see other alerts. It's highly inflexible.
- Reports: There basically aren't any. I need a way to prove to the CEO that this expense is worth it, but I can't print a nice graph of logs collected per day, alarms on each device, or really anything at all.
- SLOW: When it starts collecting lots of logs, the appliance really slows down. When you're trying to do a search on logs, it can take an hour or more. Almost impossible to do forensic analysis of an incident when it takes this long to gather the correct logs.
- Multiple VPCs are not supported: The only deployment option is a single box. Without allowing multiple sensor nodes, it's very difficult to see into other networks. VPC peering can get you around this, but this is not allowed for us because of security concerns, and it's impossible because both VPCs use the same IP range. You can use a Linux jump box, but you can't use a Windows jump box, and a Linux jump box won't connect to any Windows servers.
- There is a slight learning curve with the UI - this could use some improvement. Once you learn though, it is not an obstacle.
- Would like them to add a log correlation engine - that could tie into log files - but then it would be a SIEM.
Likelihood to Renew
Based on 33 answers
The product, once properly configured, seems to offer a wealth of information but has its issues. I feel that the initial setup/installation should include technical support to get up and running. My personal experience from the configuration as installed indicates that the network adaptors are not properly configured to read information. The network ports were configured to only read 1/2 the network?? So having help to get the system up and running should be part of the initial purchase.
Based on 24 answers
They have helped resolve a lot of issues, but then there are cases where I am referred to look at documentation for open source components maintained by parties outside of AlienVault.
I looked into Splunk, QRadar, but they were way too expensive and the reviews weren't always great. I used McAfee ESM extensively at my prior job and the product is probably the worst in the SIEM space. We moved to AlienVault from ELK which, while a cool product, didn't do any security event correlation and has a terrible search and log review and export. AlienVault is the only major SIEM comprised of over 200 open source tools I'd want to use anyway, so it does more than any SIEM with its HIDS agents, vulnerability scanning, asset discovery, etc. The included Open Threat Exchange subscription is also a major plus.
NTOP is the only thing out there, in my opinion, that provides a similar type of visibility. But StealthWatch is the product all vendors should strive to emulate. It is easy to install; it is easy to configure; it works as advertised (and then some). I do recommend the three-day workshop they occasionally run - or some onsite training. The product is feature rich and the training will help you get the most out of it.
Return on Investment
- It is a little pricey - in my organization, with budget cuts, I eventually had to replace it with an open source product (NTOP). While it works well for visibility, it simply isn't the same. If you can afford it, don't bother looking anywhere else - just get it.
- Being able to detect, pivot out, and remediate from one console was awesome.