- Up to this point, I have had no issues integrating with a system we currently have in production. while AlienVault stays on top with plugin updates.
- Te dashboard is very informative when you figure out how to navigate around it and tweaked to your organization needs.
- Correlation of events is probably my favorite as I normally only need to jump on the AlienVault dashboard to hammer down on network traffic/activity details.
- At times I do find navigating the dashboard for very specific functions to be difficult.
- For entry level security analysts or administrators I feel can get overwhelmed with the amount of data available from a single platform (in a good way)
- helpful to understand Linux for certain tasks
- The SIEM does a good job of correlating network data from multiple sources along with the Data from deployed HIDS
- The Nmap scan is fast and non-invasive that defines devices on your network.
- The vulnerability scanning has several options and reports to enable data to be available for compliance purposes.
- Walking through all the devices after a Nmap or device discovery scan can be tedious to get the data correct
- When deploying HIDS, it would be better if the system gave more detail as to the deployment error
- Offline updating of licenses can be a little time-consuming
- Compliance: For each compliance aspect in each standard, there's an AlienVault USM feature which helps compliance. For instance, in PCI DSS Compliance you require File Integrity Monitoring, and AlienVault USM has it. Every component of the standard gets covered by the product.
- Data handling: Event management can become cumbersome if not well handled. AlienVault USM classifies event information properly where it belongs to the data it's useful to you. When you export a report, you can filter out easily what you don't need, so you only extract valuable information.
- Asset availability: It is really handy to cover every aspect of your asset classification, events to come in, services each asset has, location, all of the information really helps to draw alarms properly.
- Vulnerability Scanner reporting: The reporting from the integrated scanner (OpenVAS) are really difficult to read. They could have done a better job by scraping the report or creating a custom report from the data of the scan. However, leaving the default report template from OpenVAS makes the report somewhat useless.
- Sometimes the local integration fails because of the scope of the tool. Let me elaborate on that: The OpenVAS scanner has certificated that expire within a year, and that makes the USM fail scans if you don't renew certificates yourself. They should have made them last at least 10 years. Same with Nagios, sometimes the integration fails and one doesn't know why unless you jailbreak it and find out in the logs for sure.
- They do not provide a standalone installation of the product, because they modified so much the Linux distribution, that it must always be deployed as a virtual machine or appliance, but not on your own server.
- Threat detection. AlienVault uses respected open source tools to detect threats.
- Threat intelligence. AlienVault constantly updates their threat intelligence feeds so they are never out of date.
- Complete visibility. AlienVault helps monitor the main 5 areas of security visibility.
- User interface can be very buggy and difficult to use.
- Many features seem unrefined as if they were implemented to be functioning good enough to use but are not fully tested or refined.
- Provides a simple, customizable dashboard to easily see the most important things going on in your environment.
- Goes beyond traditional SIEM by providing things like File Integrity Monitoring, IDS and Asset Management.
- Very simple integration with common cloud services (USM Anywhere only)
- From a volume perspective, if you have a ton of log data, it isn't the best tool for traditional SIEM activities.
- There is no migration from USM Appliance to USM Anywhere. You basically have to start over if you move some things to the cloud and want to capture that information.
- Deployment and Integration pretty easy and straightforward whether in AWS (Cloud) or the on-prem environment.
- Log aggregation, collection rules/Jobs easy to create.
- Notification s component working very well
- AWS Integration: in particular, monitoring of AWS resources is far away from ideal
- Vulnerabilities scanner requires root and administrative privilege in localhost, which is not acceptable.
- The sensors themselves generate millions of requests, which creates a lot of unnecessary noise to the systems and eventually "eating" traffic and expensive storage space
- It is easy to understand and use
- AlienVault USM is a product that works well for companies that do not have personal security insurance
- The system processes them in real time, correlates events and alerts
- The best thing about AlienVault USM is that it has all the tools in one place, vulnerability scanner, netflow, hides ..
- Unable to obtain information sometimes
- The limitation of reports
- SIEM - logging. AlienVault is easy to configure on the client side, and with a couple scripts, makes deployment a piece of cake.
- Vulnerability scanning. AlienVault helps us track which systems are most vulnerable to security issues so we can prioritize patching.
- Reporting. AlienVault generates useful and attractive reports.
- Some of the documentation could be improved and go more into depth, but support is helpful when the documentation falls short.
AlienVault ingests logs from our switches, routers, firewalls, servers and essential workstations. It combines uses the analysis of all of these elements using its correlation engine.
It also does a scan on a regular basis to identify vulnerabilities that exist on the network.
It has an integrated ticket system and asset management system but they are both, kind of, lacking in features.
- AlienVault's correlation engine is really well designed and it understands a large number of log types.
- AlienVault's open threat exchange is a great way to use the community to report new signatures for issues that are being seen in their environment.
- AlienVault's main screen UI is well designed and makes it very clear as to what issues need to be addressed first.
- AlienVaults published development to-do-list is a great feature that more companies need to employ. It is great seeing that features are being worked on and they do take input as to what features need to be added next.
- AlienVault's on-premise and cloud platforms use a completely separate software base and they don't seem to be getting the same attention from developers. They need to bring the two platforms together into one code base.
- AlienVault needs to enable integration with third-party utilities for ticketing and asset management. Neither the ticket system nor the asset management system is well featured, as such, they need to be able to integrate with other systems that have more features.
- AlienVault needs to add a true compliance scanner like Openscap.
- AlienVault needs to get their cloud solution Fedramp compliant.
Additionally, Administrators should employ some kind of vulnerability analysis system and Alienvault does an ok job with that.
However, as a complete SIEM solution Alienvault lacks the ability to do compliance checking and without using their cloud solution you cannot do an analysis of cloud-based applications.
- Easy to navigate UI
- Training classes to get you up to speed fast on the product
- Value "progress over perfection" seen very prominently in bugs while using the software
- Training classes do not properly prepare for the ASCE exam that is recommended for MSSPs to take
- Technical questions about deployment in a distributed environment not easily available. Normally have to schedule technical calls that can take a week to resolve.
- Ease of Initial Installation
- Range of products covered
- Cloud Alert Console
- Relevancy of Data/Alerting
- Adding additional plugins and applications can be difficult
- Extensive customization required to clear out white noise
We are using AlienVault as a collection point for our security and appliance logging to take advantage of its correlation engine to identify security concerns we might not otherwise notice.
We are able to run various reports as needed or schedule them to provide insight into various metrics such as account lockouts, vpn connectivity, etc.
- Log Correlation - continuously growing list of correlation rules to catch network and security concerns.
- Log searching - quick sorting / searching through all of our security events.
- HIDS - It is nice to be able to track multiple specific metrics or logs against servers using the HIDS agent.
- Difficult to configure.
- They include training when you purchase AlienVault - which I feel is necessary. The downside is the training is really split between implementation and use, where the value for end users is really just use. Staff probably need this training to get most out of implementation.
AlienVault USM: "More than SIEM: A whole Security Ecosystem which is easy to integrate, operate and use"
- AlienVault USM is based on well-known Open Source components, which each for itself, represents a quasi industry standard
- Integration into the existing infrastructure works like a charm. Basically you just need to roll-out an OSSEC client to each server or PC and you have already a pretty high coverage of security information and events. They immediately show up in the AlienVault Webinterface
- Due to the countless plugins, it is very easy to add network devices like firewalls, router, switches, but also servers running apache and the alike. You will just need to forward syslog and it will all appear in your AlienVault Webinterface
- The modular design of AlienVault USM in form of "deployable sensors", allows you to easily integrate different network segments, such as remote sites.
- As regular vulnerability scans are a must to understand which CVEs your infrastructure is exposed at, this becomes an easy task with AlienVault. They provide you with a set-and-forget approach for running regular scans. Additionally there are helpful hints to how to get more secure.
- Because AlienVault USM combines several well know components, you have to life with the fact, that they are not in their latest version, i.e. the integrated OSSEC, which should be replaced with the OSSEC-Wazuh fork instead.
- Due to the all-in-one approach, the solution is quite resource hungry. You have to have a decent machine to run it.
- The reporting module is nice, but sometimes it is quite a challenge to configure a custom report as you will only get the results you want after a trial and error run.
- Quickly reports unauthorized access attempts of our network.
- Provides insight to the possible internal breaches sending data out of our network.
- provides strong reporting on network resources.
- I would like to see an interface that is more menu driven. For example a method that allows me to drag and drop the items I would like in an adhoc report based on local machines that are attempting to connect to sites beyond our network that are blocked by our firewall.
- I would like to see a more robust connection to our SonicWall, having two devices in the same rack that must be configured independently is some times a pain to fine tune.
- I would like to see additional help files built that allow users to work with the Alienvault without attending formal training.
- Log correlation is excellent and on par with other more expensive solutions.
- Ease of use is a big plus.
- Initial setup was simple and quick.
- The OTX threat intelligence is a great complement to our other threat intelligence feeds to ensure we have as many 'eyes' out there informing us of all the potentially malicious threat actors out there.
- There are a couple of things that can only be done through the CLI and unless you're familiar with the CLI, there may be a large learning curve for some.
- The vulnerability scanner lacks a number of advanced features that other solutions have which make it simpler and more efficient to manage.
- Plugins are limited (although they are adding more as time goes on). If you need a plugin that is not available you will need to create one on your own which requires modification of a number of files and can be daunting for someone new to the platform.
- Alerting on correlated events - this has allowed us to capture malware ahead of time.
- Ease of device logging - once the logs are sent through, the data is available instantly.
- Actively reviewing and responding to vulnerabilities through an easy to use interface and schedule task format.
- More functionality pushed through the web interface would be useful.
- Asset management can be a little restricted when applying changes across a rule set.
The interface really allows you to see what's hot - if a metric, when it changes, doesn't prompt you to get out of your chair and do something, it's a wasted metric. With AlienVault, all I see are metrics that make me do things when they aren't where they are supposed to be.
In my environment, I have 18 buildings spread across 72 square miles. We support 13,000 users on a daily basis, with 6,000 owned devices, and a ton of BYOD devices. With only 10 people in the department (including myself and my secretary), I couldn't imagine staying on top of this without AlienVault.
- Reporting, reporting, reporting. Setting it up so I get emailed reports has allowed me to know, even when I am not in the office, how my day is going to go. The breadth and depth of the reports, and the ability to customize so you get what you want is awesome.
- Dashboard. The visual dashboard with the circles (areas of concentration based on number of incidents) is brilliant. All I have to do is show that to people, and they want to install it.
- Ease of implementation. Turn it on, answer a few questions, point stuff at it, and you're done. Ok, there is a lot more - I mean a lot more - you can do to customize it, but if you're looking to quickly establish a baseline, that's all you need to do.
- Who else has a fully functional product (OSSIM) you can download and install for FREE to see how it will work in your environment?
- If it did a little more with IPFIX data (think NTOP).
- Otherwise, it's perfect.
Seriously people, if you need a SIEM and aren't using AlienVault you're wasting money.....
- Real-time access logs and scanning. Once the system was installed and configured it allowed our company to find that the network was being hit with a continued bruteforce attack. With this discovery we made a few changes for our remote users and reduced the unauthorized outside access attempts.
- Traffic monitoring. When first starting with the company part of my assignment was to find why the network was so lethargic. With the AlienVault system I was able to see the time periods of heavy internet and data usage. With this information I was able to determine the highs and lows of user access.
- OTX activity. After getting subscribed to the OTX community I was given frequent updates to the latest security threats and what to look for. To me the best aspect of the OTX activity monitoring is to know when the threat is directly affecting our network and keeping up to date on the threats.
- Initial setup and administration. I came into this company after the utility was deployed and what I have found in our setup was that the ESXi environment in our setup does not scan the entire network. Having an initial setup assistance program for the installation.
- Asset environment. In our current configuration we have all the servers and network appliances running with static ip's or reservations from our dhcp server, this works very well in our environment. What does not work well are the machines that are part of the dhcp pool, if the machines are configured as an asset and the ip address changes the description (identity) does not follow the device. I think that if we have the ability assign assets from the MAC address would eliminate this problem as I see it.
- Kick-off program. As part of the service we where invited to join a kick-off event that I personally attended (virtual class actually) what I discovered from this class was a more advanced configuration than what I had expected to see. While in provided good information and virtual labs, I think if the class is a kick-off then it should be about the basic installation and configuration of the appliance. The time spent on configuring rules out weighed how to get information to be read from the sensors.
Having been familiar with Cisco Solarwinds and what information is provided with their application I expected a similar result. I believe that gearing the appliance to a very specific task would be a greater service to the customer. What I mean would be to have a smaller footprint, say for the user that is looking to just monitor network traffic and network access that would be a single service or installation. Also, having another that would exclusively work with and integrate with virus software and provide central administration for the companies NOT using a server and endpoint environment.
My question to be asked, "Ultimately what do you expect to see the appliance provide you?"
- I have found things it does well are in short order. It leverages the Snort engine so its IDS scans are pretty good.
- I like some of the diagnostic capabilities built into the product such as the whois search on a foreign IP address.
- The support team is knowledgeable. I have had several support cases for databases that crash causing the system to be unresponsive. Each time I have had a support person that was knowledgeable of the product and Linux without having to ask for an escalation.
- The user interface is horrible. Making changes to directives nearly requires a Ph.D. It takes 6 clicks to find the directive you want to modify and the chain of which 6 items you need to click is not provided in the alert. So if you want to go to a directive that is nested multiple layers you must have the full path memorized, and they have hundreds of directives so unless using AlienVault is the only thing you do it is unlikely you will memorize the path.
- The system is highly unstable. As I mentioned earlier, I have had several support tickets for the system being hard down. I support several virtual appliances and a significant number of databases that are far more stable than this one.
- Support and maintenance costs are disproportionately high. AlienVault charges a premium several times higher than any other appliance (virtual or physical) I have ever seen. I have 3 other virtual appliances (including another virtualized security device) in my environment and the cumulative cost for support and maintenance on those three is less than 1/3 of the cost of AlienVault.
- AlienVault has a lot of false positives; so many that one of their consulting companies knows them by name and has a list of recommended alerts to turn off. If the consulting company knows these are false, and AlienVault highly recommends working with the consulting company, why doesn't AleinVault fix the alert? In one case it appears they are marking a Microsoft Update Server (not my WSUS, but one owned by Microsoft) as a DNS Sinkhole.
- By default AlienVault creates a policy to ignore USM traffic, but does not enable it. I cannot understand why that is unless, they want a new owner to see alerts to know the system is on? It may seem minor, but why not tune out the noise from your system so new customers are only focusing on their traffic and not every SSH session from the USM? All that does is add extra work to a deployment.
The USM does not give realtime alerts or data. That is a misnomer. It will monitor in realtime, but it goes through a correlation process that I have seen take over 15 minutes to complete before you can drill into an alert for data points such as the origin or destination IP of the reported issue. For example, I might see a brute force alert and have to wait to see where the alerts are coming from and where they are going to. I also have not seen any impressive information coming from the OTX that they boast about. You can find the same or better information from any number of security blogs.
- It has great reports that are able to be generated
- A lot of functionality
- The intrusion and detection system is particularly useful for us
- It is not easy to use for non IT professionals
- The set up process is very tedious and difficult
- Ease of installation - The VMware OVA installation is very quick, and basically bulletproof. Once installed, the Setup Wizard gets you up and going rather quickly.
- The availability of sensor plug-ins for the most common network devices is a real plus in getting operational quickly.
- The USM user interface is easily navigable, and is laid out very well. It makes configuration and remediation very quick.
- I'd like to see an auto-update feature. Having to manually update several times a week (times 2 servers) is a process I'd like automated.
- Policy based email alerts can be difficult for new users to set up. I would like to see a Notification Wizard for this.
- Have Asset Discovery more actively identify network devices. It seems to always detect Windows 7 systems as Server 2008, for example. Better interrogation and maybe plug-in recommendations.
AlienVault USM Scorecard Summary
Feature Scorecard Summary
About AlienVault USM
Unified Security Management (USM) is AlienVault’s comprehensive approach to security monitoring, delivered in a unified platform. The USM platform includes five core security capabilities that provide resource-constrained organizations with all the security essentials needed for effective threat detection, incident response, and compliance, in a single pane of glass. Designed to monitor cloud, hybrid cloud and on-premises environments, AlienVault USM significantly reduces complexity and reduces deployment time so that users can go from installation to first insight in minutes for the fastest threat detection.
The vendor says unlike traditional security point technologies, AlienVault Unified Security Management does the following:
- Unifies essential security controls into a single all-in-one security monitoring solution
- Monitors your cloud, hybrid cloud, and on-premises infrastructure
- Delivers continuous threat intelligence to keep you aware of threats as they emerge and change
- Provides comprehensive threat detection and actionable incident response directives
- Deploys quickly, easily, and with minimal effort
- Reduces TCO over traditional security solutions
AlienVault USM Videos (2)
AlienVault USM Downloadables
AlienVault USM Support Options
|Free Version||Paid Version|
|Video Tutorials / Webinar|
AlienVault USM Technical Details
|Deployment Types:||On-premise, SaaS|