- AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the cloud) is quick and easy.
- Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response.
- USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.
- With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon CloudWatch Logs.
- We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.
- More data tiers - something between 250GB and 500GB tiers, maybe break it down into 100GB tiers?
- Integration with OpsGenie would be great.
- AlienVault enables integration with external technologies, thereby broadening its scope and possibilities.
- AlienVault has a dashboard customization and reporting scheme that makes it flexible to query your data, allowing you to model the tool according to your needs.
- AlienVault will make you forget the need to consult some information on AWS Cloudtrail. It extracts the data from there and delivers in a much more efficient way.
- With a single tool you can monitor your cloud and on-premises environment.
- Their commercial policy on stored data makes you need to filter out some information before it is stored.
- Their new agent does not allow you to create local filters, which can easily lead to the overrun of monthly contracted storage limits.
- It does not allow you to create log analysis plugins. If it were allowed, it would be possible, for example, to create a plugin for analyzing the logs of an application created by your company.
- AlienVault USM Anywhere has a modern, user-friendly, and intuitive GUI, making it easy to use.
- AlienVault USM Anywhere is a cloud-based solution that is easy to deploy and easy to scale as well.
- On top of having built-in support with several technologies, AlienVault USM Anywhere has an API that allows you to develop additional plugins if necessary.
- Although they use machine learning, the algorithms that they use are graph-based. Their AI/ML capabilities could be improved a bit.
- The solution provides some compliance reports, but it does not generate reports with information such as... how many of what type of event happened this month. You can see this information on the dashboard, but it would be nice to be able to generate a report automatically.
Vulnerability Assessment and Remediation.
Threat and Malware Detection.
Log Management, Monitoring and Archiving.
Compliance Monitoring & Reporting
Being able to cover all the above aspects in one screen considerably reduces time and lets not forget money to quickly and effectivly solve security issues within the company and implemt fixes and reports as needed.
- SIEM - Real time logs allow you to quickly drill down into current issues in your network and filter out any noise
- Alarms - The alarms page shows all the current environmental awareness on the network and a quick report and ticketing system allows for ease of use. This again saves time and make you more effective at resolving issues and the ability to pass the tickets to the relevant department.
- OTX - The open threat exchange integrations enables the USM to use all the latest threat indicators to correlate against incoming threats without the need to manually add rules to your USM.
- Apps - AlienVault integrate with many apps already but there are plenty more to be added to allow further integration with other products.
- More ability to filter logs form other security platforms
- Enables integration with readily available software currently in use.
- Easily customizable to allow reporting for different functions and users within the organization.
- Reporting function for vulnerabilities as a check and balance with other tools utilized.
- Further integration with Enterprise tools.
- Rapid growth of product has led to some issues with implementation of alerts and false positives.
- Ability to report as needed takes some time for focusing and testing of reports.
- Deployment and Integration pretty easy and straightforward whether in AWS (Cloud) or the on-prem environment.
- Log aggregation, collection rules/Jobs easy to create.
- Notification s component working very well
- AWS Integration: in particular, monitoring of AWS resources is far away from ideal
- Vulnerabilities scanner requires root and administrative privilege in localhost, which is not acceptable.
- The sensors themselves generate millions of requests, which creates a lot of unnecessary noise to the systems and eventually "eating" traffic and expensive storage space
- SIEM - logging. AlienVault is easy to configure on the client side, and with a couple scripts, makes deployment a piece of cake.
- Vulnerability scanning. AlienVault helps us track which systems are most vulnerable to security issues so we can prioritize patching.
- Reporting. AlienVault generates useful and attractive reports.
- Some of the documentation could be improved and go more into depth, but support is helpful when the documentation falls short.
- AlienVault Unified Security Management (USM) delivers a unified, simple and affordable solution for threat detection and compliance. Powered by the latest AlienVault Labs Threat Intelligence and the Open Threat Exchange the largest crowd-sourced threat intelligence exchange, USM enables mid-size organizations to defend against modern threats.
- It is free. The best free SIEM out there. Possibly the only one.
- Every upgrade is a possible chance for re-building the system. About 80% of the time, the upgrade will break something so badly, you need to re-install and start from scratch.
- The system slows down considerably when a large number of events are fed in.
- The community is weak and there is rarely any input from the developers on the community to help out. So a lot of people try it out and then go somewhere else.
- While I think it is a great product, it seems to me like it is falling behind in the last few years. There are some more usable and better products in recent years that would make me buy them instead of AV USM.
- Up to this point, I have had no issues integrating with a system we currently have in production. while AlienVault stays on top with plugin updates.
- Te dashboard is very informative when you figure out how to navigate around it and tweaked to your organization needs.
- Correlation of events is probably my favorite as I normally only need to jump on the AlienVault dashboard to hammer down on network traffic/activity details.
- At times I do find navigating the dashboard for very specific functions to be difficult.
- For entry level security analysts or administrators I feel can get overwhelmed with the amount of data available from a single platform (in a good way)
- helpful to understand Linux for certain tasks
- The SIEM does a good job of correlating network data from multiple sources along with the Data from deployed HIDS
- The Nmap scan is fast and non-invasive that defines devices on your network.
- The vulnerability scanning has several options and reports to enable data to be available for compliance purposes.
- Walking through all the devices after a Nmap or device discovery scan can be tedious to get the data correct
- When deploying HIDS, it would be better if the system gave more detail as to the deployment error
- Offline updating of licenses can be a little time-consuming
- Compliance: For each compliance aspect in each standard, there's an AlienVault USM feature which helps compliance. For instance, in PCI DSS Compliance you require File Integrity Monitoring, and AlienVault USM has it. Every component of the standard gets covered by the product.
- Data handling: Event management can become cumbersome if not well handled. AlienVault USM classifies event information properly where it belongs to the data it's useful to you. When you export a report, you can filter out easily what you don't need, so you only extract valuable information.
- Asset availability: It is really handy to cover every aspect of your asset classification, events to come in, services each asset has, location, all of the information really helps to draw alarms properly.
- Vulnerability Scanner reporting: The reporting from the integrated scanner (OpenVAS) are really difficult to read. They could have done a better job by scraping the report or creating a custom report from the data of the scan. However, leaving the default report template from OpenVAS makes the report somewhat useless.
- Sometimes the local integration fails because of the scope of the tool. Let me elaborate on that: The OpenVAS scanner has certificated that expire within a year, and that makes the USM fail scans if you don't renew certificates yourself. They should have made them last at least 10 years. Same with Nagios, sometimes the integration fails and one doesn't know why unless you jailbreak it and find out in the logs for sure.
- They do not provide a standalone installation of the product, because they modified so much the Linux distribution, that it must always be deployed as a virtual machine or appliance, but not on your own server.
AlienVault USM: "More than SIEM: A whole Security Ecosystem which is easy to integrate, operate and use"
- AlienVault USM is based on well-known Open Source components, which each for itself, represents a quasi industry standard
- Integration into the existing infrastructure works like a charm. Basically you just need to roll-out an OSSEC client to each server or PC and you have already a pretty high coverage of security information and events. They immediately show up in the AlienVault Webinterface
- Due to the countless plugins, it is very easy to add network devices like firewalls, router, switches, but also servers running apache and the alike. You will just need to forward syslog and it will all appear in your AlienVault Webinterface
- The modular design of AlienVault USM in form of "deployable sensors", allows you to easily integrate different network segments, such as remote sites.
- As regular vulnerability scans are a must to understand which CVEs your infrastructure is exposed at, this becomes an easy task with AlienVault. They provide you with a set-and-forget approach for running regular scans. Additionally there are helpful hints to how to get more secure.
- Because AlienVault USM combines several well know components, you have to life with the fact, that they are not in their latest version, i.e. the integrated OSSEC, which should be replaced with the OSSEC-Wazuh fork instead.
- Due to the all-in-one approach, the solution is quite resource hungry. You have to have a decent machine to run it.
- The reporting module is nice, but sometimes it is quite a challenge to configure a custom report as you will only get the results you want after a trial and error run.
- Threat detection. AlienVault uses respected open source tools to detect threats.
- Threat intelligence. AlienVault constantly updates their threat intelligence feeds so they are never out of date.
- Complete visibility. AlienVault helps monitor the main 5 areas of security visibility.
- User interface can be very buggy and difficult to use.
- Many features seem unrefined as if they were implemented to be functioning good enough to use but are not fully tested or refined.
- Provides a simple, customizable dashboard to easily see the most important things going on in your environment.
- Goes beyond traditional SIEM by providing things like File Integrity Monitoring, IDS and Asset Management.
- Very simple integration with common cloud services (USM Anywhere only)
- From a volume perspective, if you have a ton of log data, it isn't the best tool for traditional SIEM activities.
- There is no migration from USM Appliance to USM Anywhere. You basically have to start over if you move some things to the cloud and want to capture that information.
- Log correlation is excellent and on par with other more expensive solutions.
- Ease of use is a big plus.
- Initial setup was simple and quick.
- The OTX threat intelligence is a great complement to our other threat intelligence feeds to ensure we have as many 'eyes' out there informing us of all the potentially malicious threat actors out there.
- There are a couple of things that can only be done through the CLI and unless you're familiar with the CLI, there may be a large learning curve for some.
- The vulnerability scanner lacks a number of advanced features that other solutions have which make it simpler and more efficient to manage.
- Plugins are limited (although they are adding more as time goes on). If you need a plugin that is not available you will need to create one on your own which requires modification of a number of files and can be daunting for someone new to the platform.
- Alerting on correlated events - this has allowed us to capture malware ahead of time.
- Ease of device logging - once the logs are sent through, the data is available instantly.
- Actively reviewing and responding to vulnerabilities through an easy to use interface and schedule task format.
- More functionality pushed through the web interface would be useful.
- Asset management can be a little restricted when applying changes across a rule set.
- It is easy to understand and use
- AlienVault USM is a product that works well for companies that do not have personal security insurance
- The system processes them in real time, correlates events and alerts
- The best thing about AlienVault USM is that it has all the tools in one place, vulnerability scanner, netflow, hides ..
- Unable to obtain information sometimes
- The limitation of reports
The interface really allows you to see what's hot - if a metric, when it changes, doesn't prompt you to get out of your chair and do something, it's a wasted metric. With AlienVault, all I see are metrics that make me do things when they aren't where they are supposed to be.
In my environment, I have 18 buildings spread across 72 square miles. We support 13,000 users on a daily basis, with 6,000 owned devices, and a ton of BYOD devices. With only 10 people in the department (including myself and my secretary), I couldn't imagine staying on top of this without AlienVault.
- Reporting, reporting, reporting. Setting it up so I get emailed reports has allowed me to know, even when I am not in the office, how my day is going to go. The breadth and depth of the reports, and the ability to customize so you get what you want is awesome.
- Dashboard. The visual dashboard with the circles (areas of concentration based on number of incidents) is brilliant. All I have to do is show that to people, and they want to install it.
- Ease of implementation. Turn it on, answer a few questions, point stuff at it, and you're done. Ok, there is a lot more - I mean a lot more - you can do to customize it, but if you're looking to quickly establish a baseline, that's all you need to do.
- Who else has a fully functional product (OSSIM) you can download and install for FREE to see how it will work in your environment?
- If it did a little more with IPFIX data (think NTOP).
- Otherwise, it's perfect.
Seriously people, if you need a SIEM and aren't using AlienVault you're wasting money.....
- I have found things it does well are in short order. It leverages the Snort engine so its IDS scans are pretty good.
- I like some of the diagnostic capabilities built into the product such as the whois search on a foreign IP address.
- The support team is knowledgeable. I have had several support cases for databases that crash causing the system to be unresponsive. Each time I have had a support person that was knowledgeable of the product and Linux without having to ask for an escalation.
- The user interface is horrible. Making changes to directives nearly requires a Ph.D. It takes 6 clicks to find the directive you want to modify and the chain of which 6 items you need to click is not provided in the alert. So if you want to go to a directive that is nested multiple layers you must have the full path memorized, and they have hundreds of directives so unless using AlienVault is the only thing you do it is unlikely you will memorize the path.
- The system is highly unstable. As I mentioned earlier, I have had several support tickets for the system being hard down. I support several virtual appliances and a significant number of databases that are far more stable than this one.
- Support and maintenance costs are disproportionately high. AlienVault charges a premium several times higher than any other appliance (virtual or physical) I have ever seen. I have 3 other virtual appliances (including another virtualized security device) in my environment and the cumulative cost for support and maintenance on those three is less than 1/3 of the cost of AlienVault.
- AlienVault has a lot of false positives; so many that one of their consulting companies knows them by name and has a list of recommended alerts to turn off. If the consulting company knows these are false, and AlienVault highly recommends working with the consulting company, why doesn't AleinVault fix the alert? In one case it appears they are marking a Microsoft Update Server (not my WSUS, but one owned by Microsoft) as a DNS Sinkhole.
- By default AlienVault creates a policy to ignore USM traffic, but does not enable it. I cannot understand why that is unless, they want a new owner to see alerts to know the system is on? It may seem minor, but why not tune out the noise from your system so new customers are only focusing on their traffic and not every SSH session from the USM? All that does is add extra work to a deployment.
The USM does not give realtime alerts or data. That is a misnomer. It will monitor in realtime, but it goes through a correlation process that I have seen take over 15 minutes to complete before you can drill into an alert for data points such as the origin or destination IP of the reported issue. For example, I might see a brute force alert and have to wait to see where the alerts are coming from and where they are going to. I also have not seen any impressive information coming from the OTX that they boast about. You can find the same or better information from any number of security blogs.
AlienVault ingests logs from our switches, routers, firewalls, servers and essential workstations. It combines uses the analysis of all of these elements using its correlation engine.
It also does a scan on a regular basis to identify vulnerabilities that exist on the network.
It has an integrated ticket system and asset management system but they are both, kind of, lacking in features.
- AlienVault's correlation engine is really well designed and it understands a large number of log types.
- AlienVault's open threat exchange is a great way to use the community to report new signatures for issues that are being seen in their environment.
- AlienVault's main screen UI is well designed and makes it very clear as to what issues need to be addressed first.
- AlienVaults published development to-do-list is a great feature that more companies need to employ. It is great seeing that features are being worked on and they do take input as to what features need to be added next.
- AlienVault's on-premise and cloud platforms use a completely separate software base and they don't seem to be getting the same attention from developers. They need to bring the two platforms together into one code base.
- AlienVault needs to enable integration with third-party utilities for ticketing and asset management. Neither the ticket system nor the asset management system is well featured, as such, they need to be able to integrate with other systems that have more features.
- AlienVault needs to add a true compliance scanner like Openscap.
- AlienVault needs to get their cloud solution Fedramp compliant.
Additionally, Administrators should employ some kind of vulnerability analysis system and Alienvault does an ok job with that.
However, as a complete SIEM solution Alienvault lacks the ability to do compliance checking and without using their cloud solution you cannot do an analysis of cloud-based applications.
- Easy to navigate UI
- Training classes to get you up to speed fast on the product
- Value "progress over perfection" seen very prominently in bugs while using the software
- Training classes do not properly prepare for the ASCE exam that is recommended for MSSPs to take
- Technical questions about deployment in a distributed environment not easily available. Normally have to schedule technical calls that can take a week to resolve.
AlienVault USM Scorecard Summary
Feature Scorecard Summary
About AlienVault USM
AlienVault USM Anywhere is a cloud-based security management solution that promises to accelerate and centralize threat detection, incident response, and compliance management for cloud, hybrid cloud, and on-premises environments. The vendor says that USM Anywhere includes purpose-built cloud sensors that natively monitor your Amazon Web Services (AWS) and Microsoft Azure cloud environments. On premises, lightweight virtual sensors run on Microsoft Hyper-V and VMware ESXi to monitor your virtual private cloud and physical IT infrastructure.
USM Anywhere aims to help you rapidly deploy sensors into your cloud and on-premises environments while centrally managing data collection, security analysis, and threat detection from the AlienVault Secure Cloud.
Five Essential Security Capabilities in a Single SaaS Platform
AlienVault says that USM Anywhere provides five essential security capabilities, giving you everything you need for threat detection, incident response, and compliance management, within one platform. With USM Anywhere, you can focus on finding and responding to threats, not managing software. USM Anywhere can readily scale to meet your threat detection needs as your hybrid cloud environment changes and grows.
- Asset Discovery
- Vulnerability Assessment
- Intrusion Detection
- Behavioral Monitoring
Try USM Anywhere in
your environment—free for the first 14 days.
AlienVault USM Screenshots
AlienVault USM Videos (2)
AlienVault USM Downloadables
AlienVault USM Support Options
|Free Version||Paid Version|
|Video Tutorials / Webinar|
AlienVault USM Technical Details