AlienVault OSSIM
Popular Features
- Custom dashboards and workspaces (16): 9.3 (93%)
- Deployment flexibility (11): 8.6 (86%)
- Event and log normalization/management (18): 8.3 (83%)
- Correlation (11): 7.9 (79%)
Pricing
Entry-level set up fee?
- No setup fee
Offerings
- Free Trial
- Free/Freemium Version
- Premium Consulting / Integration Services
Features Scorecard
- Security Information and Event Management (SIEM): 7.8 (78%)
Product Details
What is AlienVault OSSIM?
AlienVault OSSIM is an open source Security Information and Event Management (SIEM) product. It is a unified platform providing:
- Asset discovery
- Vulnerability assessment
- Intrusion detection
- Behavioral monitoring
- SIEM
It also leverages the power of the AlienVault Open Threat Exchange by allowing users to both contribute and receive real-time information about malicious hosts.
AlienVault OSSIM Technical Details
Operating Systems | Unspecified |
---|---|
Mobile Application | No |
Reviews and Ratings (25)
Reviews (1-9 of 9)
November 24, 2021
Lego block SIEM
- Datadog, Splunk Enterprise Security (SIEM), Azure Sentinel, IntSights Cyber Intelligence, from Rapid7 and Stellar Data Recovery & Erasure
Originally my organization leveraged AlienVault due to the lower cost of entry and ability to manage it as a service provider. Unfortunately, after several years of working with this tool, it became unwieldy to use as it felt that almost every useful report had to be created by hand. As other tools have come out with the ability to do automated responses such as Stellar Data processor, we have begun to evaluate alternatives.
November 04, 2021
Alienvault - the friend from another world
We did not evaluate or use any other product previous to AlienVault [OSSIM]. We had a specific need to meet our audit requirements and AlienVault [OSSIM] provided all the features needed as well as being simple enough to deploy without any dedicated staff. Real-time alerts from custom rules give us a heads-up immediately to investigate any threat.
July 21, 2021
High Quality SIEM (plus more)
GravityZone is more or less an EPP/EDR solution for individual workstations; however, it includes centralized management, which can help mitigate/prevent cybersecurity incidents. AlienVault monitors the entire network, monitors clients/accounts for suspicious behavior, and it's more flexible as it does not require any form of a client to be installed on any devices in the business. In the end, I have decided our business can benefit from both and have purchased both GravityZone for all of my workstations/remote workers and AlienVault to cover our entire network.
February 11, 2020
A dinosaur aging gracefully!
I liked it but it seemed a bit pricey for our organization at the time in comparison to AlienVault.
October 15, 2019
AlienVault OSSIM is the bomb!
We have not used any other products similar to AlienVault so I do not have anything to compare it to. We did look at a few others when first purchasing, but at this point, I do not recall what they were.
October 09, 2019
AlienVault OSSIM: Best Bang for Your Buck Hands Down!
Best bang for the buck. Darktrace did not perform even close to AlienVault. I ran them concurrently. AlienVault consistently found issues that Darktrace didn't pick up, and the Darktrace incidents were false positives. At one point, Darktrace stated I had 2,000 servers and I have 112.
FortiSIEM is an awesome package but it's more than I need (or can afford). I would need to add staff, for at least the first year or so, just to get it set up and configured correctly.
December 01, 2018
AlienVault OSSIM
OSSIM is the free version of the AlienVault USM and comes packed with most of the features you will need to get going. Like most free-to-use products, it is missing aspects that make the use of the product much more productive.
As an example, you will need a separate system for log storage, as the OSSIM does not have storage like the USM does, making the setup a little longer and more systems needed to make it work.
March 30, 2018
A robust yet lightweight SIEM in a single package
AlienVault OSSIM has the upper ante in initial deployment price, being that it's open source. Also, with perhaps the exception of SolarWinds, it has lower optimal requirements for onsite deployment, hence your OPEX won't be hit very hard by investing in new hardware to suit the appliance. The correlation engine is somewhat more robust than its counterparts in LogRhythm and SolarWinds, and the IDS (both NIDS and HIDS) are more reliable as well in terms of results. Finally, although Tenable SecurityCenter is more robust in dashboards, alerts and reports, it comes short in front of OSSIM in terms of real-time IDS and SIEM correlation.
March 14, 2018
A hands-on proper security solution!
AlienVault OSSIM as the first experience with a SIEM is very fine, especially if your company is an SMB. Every SIEM shares some features in common with other products, features such as log retrieval and normalization. So if you stick with principles, you can learn other SIEM products as well. If your environment is not of a minimum size, LogRhythm might be overkill for your network, same with McAfee Enterprise Security Manager.