TrustRadius
https://dudodiprj2sv7.cloudfront.net/product-logos/6i/pV/S7QULUJUMN0O.JPEGAlienVault ~6 Month ReviewAlienVault is currently being used in my organization to provide visibility on the activities we cannot see from the edge firewalls such as user to server or server to server traffic. Combined with the HIDs we are able to identify security vulnerabilities down to the source machine and or user, and either at the top (egress) or bottom (client/endpoint) most point in our network infrastructure. This overall helps with the tightening of the policies on the network security assets as we now have data showing endpoint and activity correlations.,Up to this point, I have had no issues integrating with a system we currently have in production. while AlienVault stays on top with plugin updates. Te dashboard is very informative when you figure out how to navigate around it and tweaked to your organization needs. Correlation of events is probably my favorite as I normally only need to jump on the AlienVault dashboard to hammer down on network traffic/activity details.,At times I do find navigating the dashboard for very specific functions to be difficult. For entry level security analysts or administrators I feel can get overwhelmed with the amount of data available from a single platform (in a good way) helpful to understand Linux for certain tasks,10,,Where AlienVault has become a major asset in is when digging into historical information for data gathering. At times it can get difficult without AlienVault as you have to dig through firewall logs (network and endpoint), DNS servers, Domain Controllers, IDS solution, or even web filtering products all together to identify a compromised endpoint. With AlienVault USM I find it extremely beneficial and productive to only need to look at a single platform and that is the AlienVault Dashboard.,This has helped tremendously as stated in the previous question.AlienVault a stronger solutionAlienVault is used by the Southfield office of Equain LLC. We needed a SIEM for our HITRUST compliance and I purchased the entire suite. I had used OSSINC a few years back in conjunction with Splunk to create a SIEM solution for a retail chain. I followed OSSINC and when I read that AlienVault had taken the product and enhanced it along with added capabilities, I was comfortable with the purchase. I am impressed with the Nmap capabilities, very quick and non-invasive. The vulnerability scanning gives a user options such as a quick non-invasive look at a network. I also do a deep scan that takes more time but very comprehensive. One more item I like is the HIDS deployment capability, this not only protects our workstations but most of our servers. The added data to the network data gathered by the SIEM is invaluable.,The SIEM does a good job of correlating network data from multiple sources along with the Data from deployed HIDS The Nmap scan is fast and non-invasive that defines devices on your network. The vulnerability scanning has several options and reports to enable data to be available for compliance purposes.,Walking through all the devices after a Nmap or device discovery scan can be tedious to get the data correct When deploying HIDS, it would be better if the system gave more detail as to the deployment error Offline updating of licenses can be a little time-consuming,8,Alert Logic Web Security Manager, HP Arcsight Logger and LogRhythm,AlienVault allows security personnel to correlate many devices along with the HIDS on systems on a network. This allows AlienVault to follow the path of malware or bad actor through the network until the final target is identified to allow security to determine the attack's end goal. It also allows the captured network traffic to be studied for clues as to propagation in the network.,We have used the capability to finalize our security posture to enable the team to not only detect threats but learn how to follow a threat through the network and discover the real goal of the attack.AlienVault USM for the win!AlienVault USM gets used to track events coming from assets and we also use it to track availability. Since we are also a reseller of this product, we use it as a test bed to deploy strategies, correlation directives and event plugins to our customers' production environment. We also use it for showing a demo of the product, to facilitate the sales process.,Compliance: For each compliance aspect in each standard, there's an AlienVault USM feature which helps compliance. For instance, in PCI DSS Compliance you require File Integrity Monitoring, and AlienVault USM has it. Every component of the standard gets covered by the product. Data handling: Event management can become cumbersome if not well handled. AlienVault USM classifies event information properly where it belongs to the data it's useful to you. When you export a report, you can filter out easily what you don't need, so you only extract valuable information. Asset availability: It is really handy to cover every aspect of your asset classification, events to come in, services each asset has, location, all of the information really helps to draw alarms properly.,Vulnerability Scanner reporting: The reporting from the integrated scanner (OpenVAS) are really difficult to read. They could have done a better job by scraping the report or creating a custom report from the data of the scan. However, leaving the default report template from OpenVAS makes the report somewhat useless. Sometimes the local integration fails because of the scope of the tool. Let me elaborate on that: The OpenVAS scanner has certificated that expire within a year, and that makes the USM fail scans if you don't renew certificates yourself. They should have made them last at least 10 years. Same with Nagios, sometimes the integration fails and one doesn't know why unless you jailbreak it and find out in the logs for sure. They do not provide a standalone installation of the product, because they modified so much the Linux distribution, that it must always be deployed as a virtual machine or appliance, but not on your own server.,9,LogRhythm and McAfee Enterprise Security Manager,AlienVault USM is really effective because when properly configured, it covers many aspects of your network. It counts with HIDS for each asset, for detecting suspicious activity on computers, as well as NIDS on the sensor, for detecting attacks and worms in your network. Along with Open Threat Exchange pulses, it's really fast at detecting outbreaks of attacks that happen anywhere else in the world, so when AlienVault detects it, I am already protected before the attack comes to our network.,Yes, the view from Alarms is really easy to understand and you can take a specific alarm and convert it to a ticket, so you can achieve true alarm and incident resolution by handling each ticket and assigning to each security analyst so they can take a closer look at what's really happening.AlienVault after 1 yearMy organization used AV in the cloud mostly with AWS. In one place we can monitor all systems. This could also be done with free tools but it can be hard to get all in one place and it would take much more time to do all of the checks daily.,All in one view where you can see all of your assets. Logs and alarms. Detecting systems in your environment.,Control of updates - nice to do it in maintenance window. More custom dashboards.,9,LogRhythm, Splunk Cloud and Trustwave App Scanner Cloud,It simplified our AWS checks and adding new servers, it's very intuitive. It consolidated logs in one place so it was very helpful for us as earlier we had to check most of them separately. Seeing and getting information about alarms is now faster and we 'see' more in our aws network and all is in one nice dashboard.,For sure we saved lots of time during the day for the system checkup. For me, it's about an extra 2-3h per day which I can do something else not just checking logs and writing new scripts for check up servers. But initial set up was quite long and I was thinking it will never end.More than SIEM: A whole Security Ecosystem which is easy to integrate, operate and useWhile a decision had to be made, which SIEM system would be the best fit for a "from-scratch" project, AlienVault USM had been chosen due to its easy and fast implementation path, as well as its rich feature set. The customer had been under a lot of time pressure and therefore an all-in-one solution had to be found and put in place. As the classical SIEM approach is missing the complete surrounding ecosystem, such as NIDS, HIDS, FIM, Vulnerability Scans, Availability Monitoring etc, you get everything in one solution here. Also AlienVault as a company was very helpful during the planning and implementation phase. Their documentation is pretty good and their service representatives are very helpful. This is definitively a big pro if you want to deliver fast results in getting it up and running to see your customer happy. Not to forget their pricing is very competitive too and most probably the most cost-efficient solution you can find in the marketplace by today. After the project became a real success, AlienVault USM is used subsidiary-wide and has already proven several times that is was the right decision.,AlienVault USM is based on well-known Open Source components, which each for itself, represents a quasi industry standard Integration into the existing infrastructure works like a charm. Basically you just need to roll-out an OSSEC client to each server or PC and you have already a pretty high coverage of security information and events. They immediately show up in the AlienVault Webinterface Due to the countless plugins, it is very easy to add network devices like firewalls, router, switches, but also servers running apache and the alike. You will just need to forward syslog and it will all appear in your AlienVault Webinterface The modular design of AlienVault USM in form of "deployable sensors", allows you to easily integrate different network segments, such as remote sites. As regular vulnerability scans are a must to understand which CVEs your infrastructure is exposed at, this becomes an easy task with AlienVault. They provide you with a set-and-forget approach for running regular scans. Additionally there are helpful hints to how to get more secure.,Because AlienVault USM combines several well know components, you have to life with the fact, that they are not in their latest version, i.e. the integrated OSSEC, which should be replaced with the OSSEC-Wazuh fork instead. Due to the all-in-one approach, the solution is quite resource hungry. You have to have a decent machine to run it. The reporting module is nice, but sometimes it is quite a challenge to configure a custom report as you will only get the results you want after a trial and error run.,9,,AlienVault USM is very effective in detecting real security threats, as their "OTX" integrated threat intelligence has a very good reputation in the industry. Thanks to its being-open to others too, other heavy weight champions like the Bro security monitor can integrate the OTX feed too (yes and this is done by many security people out there). This says more than words.,AlienVault USM really helps to reduce the amount of work you need to do in order to detect security threats as you getting security information from various sources into one place very easy. Another very important point is, that AlienVault USM helps you filter out the so called false positives with little effort and manpower. Getting rid of the false positives is most probably the most challenging task in running a SIEM (besides the integration work).
Linux
AlienVault USM
311 Ratings
Score 8.0 out of 101
TRScore

AlienVault USM Reviews

AlienVault USM
311 Ratings
Score 8.0 out of 101
Show Filters 
Hide Filters 
Filter 311 vetted AlienVault USM reviews and ratings
Clear all filters
Overall Rating
Reviewer's Company Size
Last Updated
By Topic
Industry
Department
Experience
Job Type
Role
Reviews (1-25 of 187)
  Vendors can't alter or remove reviews. Here's why.
April 17, 2018

AlienVault USM: "AlienVault ~6 Month Review"

Score 10 out of 10
Vetted Review
Verified User
Review Source
AlienVault is currently being used in my organization to provide visibility on the activities we cannot see from the edge firewalls such as user to server or server to server traffic. Combined with the HIDs we are able to identify security vulnerabilities down to the source machine and or user, and either at the top (egress) or bottom (client/endpoint) most point in our network infrastructure. This overall helps with the tightening of the policies on the network security assets as we now have data showing endpoint and activity correlations.
  • Up to this point, I have had no issues integrating with a system we currently have in production. while AlienVault stays on top with plugin updates.
  • Te dashboard is very informative when you figure out how to navigate around it and tweaked to your organization needs.
  • Correlation of events is probably my favorite as I normally only need to jump on the AlienVault dashboard to hammer down on network traffic/activity details.
  • At times I do find navigating the dashboard for very specific functions to be difficult.
  • For entry level security analysts or administrators I feel can get overwhelmed with the amount of data available from a single platform (in a good way)
  • helpful to understand Linux for certain tasks
In my organization's scenario, the on-premise appliance provides great value as we are a small company with site inter-connectivity. Where I am not too sure of is how exactly the product scales with very large networks with separate Windows and network domains.
Where AlienVault has become a major asset in is when digging into historical information for data gathering. At times it can get difficult without AlienVault as you have to dig through firewall logs (network and endpoint), DNS servers, Domain Controllers, IDS solution, or even web filtering products all together to identify a compromised endpoint. With AlienVault USM I find it extremely beneficial and productive to only need to look at a single platform and that is the AlienVault Dashboard.
Read AJ Gumataotao's full review
March 23, 2018

AlienVault USM Review: "AlienVault a stronger solution"

Score 8 out of 10
Vetted Review
Verified User
Review Source
AlienVault is used by the Southfield office of Equain LLC. We needed a SIEM for our HITRUST compliance and I purchased the entire suite. I had used OSSINC a few years back in conjunction with Splunk to create a SIEM solution for a retail chain. I followed OSSINC and when I read that AlienVault had taken the product and enhanced it along with added capabilities, I was comfortable with the purchase. I am impressed with the Nmap capabilities, very quick and non-invasive. The vulnerability scanning gives a user options such as a quick non-invasive look at a network. I also do a deep scan that takes more time but very comprehensive. One more item I like is the HIDS deployment capability, this not only protects our workstations but most of our servers. The added data to the network data gathered by the SIEM is invaluable.
  • The SIEM does a good job of correlating network data from multiple sources along with the Data from deployed HIDS
  • The Nmap scan is fast and non-invasive that defines devices on your network.
  • The vulnerability scanning has several options and reports to enable data to be available for compliance purposes.
  • Walking through all the devices after a Nmap or device discovery scan can be tedious to get the data correct
  • When deploying HIDS, it would be better if the system gave more detail as to the deployment error
  • Offline updating of licenses can be a little time-consuming
I think AlienVault USM is well suited for a medium size company where there are remote sites. The star configuration deployment would work very well. I would need to see how AlienVault would perform on a large multi-national company if headquarters wanted to correlate all data.
AlienVault allows security personnel to correlate many devices along with the HIDS on systems on a network. This allows AlienVault to follow the path of malware or bad actor through the network until the final target is identified to allow security to determine the attack's end goal. It also allows the captured network traffic to be studied for clues as to propagation in the network.
Read Clark Crain's full review
March 12, 2018

User Review: "AlienVault USM for the win!"

Score 9 out of 10
Vetted Review
Reseller
Review Source
AlienVault USM gets used to track events coming from assets and we also use it to track availability. Since we are also a reseller of this product, we use it as a test bed to deploy strategies, correlation directives and event plugins to our customers' production environment. We also use it for showing a demo of the product, to facilitate the sales process.
  • Compliance: For each compliance aspect in each standard, there's an AlienVault USM feature which helps compliance. For instance, in PCI DSS Compliance you require File Integrity Monitoring, and AlienVault USM has it. Every component of the standard gets covered by the product.
  • Data handling: Event management can become cumbersome if not well handled. AlienVault USM classifies event information properly where it belongs to the data it's useful to you. When you export a report, you can filter out easily what you don't need, so you only extract valuable information.
  • Asset availability: It is really handy to cover every aspect of your asset classification, events to come in, services each asset has, location, all of the information really helps to draw alarms properly.
  • Vulnerability Scanner reporting: The reporting from the integrated scanner (OpenVAS) are really difficult to read. They could have done a better job by scraping the report or creating a custom report from the data of the scan. However, leaving the default report template from OpenVAS makes the report somewhat useless.
  • Sometimes the local integration fails because of the scope of the tool. Let me elaborate on that: The OpenVAS scanner has certificated that expire within a year, and that makes the USM fail scans if you don't renew certificates yourself. They should have made them last at least 10 years. Same with Nagios, sometimes the integration fails and one doesn't know why unless you jailbreak it and find out in the logs for sure.
  • They do not provide a standalone installation of the product, because they modified so much the Linux distribution, that it must always be deployed as a virtual machine or appliance, but not on your own server.
AlienVault USM is a great choice if you need compliance and asset monitoring in all aspects, event monitoring, and event correlation. The handling of alarms and OTX pulses are a great addition of value. It's less suited if you're also looking to replace your vulnerability scanner, I recommend having a proper vulnerability scanner because AlienVault USM's one is a bit impaired for heavy workloads and for the vulnerability information to be of any use.
AlienVault USM is really effective because when properly configured, it covers many aspects of your network. It counts with HIDS for each asset, for detecting suspicious activity on computers, as well as NIDS on the sensor, for detecting attacks and worms in your network. Along with Open Threat Exchange pulses, it's really fast at detecting outbreaks of attacks that happen anywhere else in the world, so when AlienVault detects it, I am already protected before the attack comes to our network.
Read Ivan Montilla Miralles's full review
June 07, 2018

AlienVault USM Review: "AlienVault after 1 year"

Score 9 out of 10
Vetted Review
Verified User
Review Source
My organization used AV in the cloud mostly with AWS. In one place we can monitor all systems. This could also be done with free tools but it can be hard to get all in one place and it would take much more time to do all of the checks daily.
  • All in one view where you can see all of your assets.
  • Logs and alarms.
  • Detecting systems in your environment.
  • Control of updates - nice to do it in maintenance window.
  • More custom dashboards.
It helped us to detect some anomalies in the configuration of servers, which were just simple human mistakes. Also, helped with daily detection of any scans and attacks. Viewing logs from all systems in one place is a big help for us to check any problems.
It simplified our AWS checks and adding new servers, it's very intuitive. It consolidated logs in one place so it was very helpful for us as earlier we had to check most of them separately. Seeing and getting information about alarms is now faster and we 'see' more in our aws network and all is in one nice dashboard.
Read Patrick Noc's full review
January 19, 2018

AlienVault USM: "More than SIEM: A whole Security Ecosystem which is easy to integrate, operate and use"

Score 9 out of 10
Vetted Review
Verified User
Review Source
While a decision had to be made, which SIEM system would be the best fit for a "from-scratch" project, AlienVault USM had been chosen due to its easy and fast implementation path, as well as its rich feature set. The customer had been under a lot of time pressure and therefore an all-in-one solution had to be found and put in place. As the classical SIEM approach is missing the complete surrounding ecosystem, such as NIDS, HIDS, FIM, Vulnerability Scans, Availability Monitoring etc, you get everything in one solution here. Also AlienVault as a company was very helpful during the planning and implementation phase. Their documentation is pretty good and their service representatives are very helpful. This is definitively a big pro if you want to deliver fast results in getting it up and running to see your customer happy. Not to forget their pricing is very competitive too and most probably the most cost-efficient solution you can find in the marketplace by today. After the project became a real success, AlienVault USM is used subsidiary-wide and has already proven several times that is was the right decision.
  • AlienVault USM is based on well-known Open Source components, which each for itself, represents a quasi industry standard
  • Integration into the existing infrastructure works like a charm. Basically you just need to roll-out an OSSEC client to each server or PC and you have already a pretty high coverage of security information and events. They immediately show up in the AlienVault Webinterface
  • Due to the countless plugins, it is very easy to add network devices like firewalls, router, switches, but also servers running apache and the alike. You will just need to forward syslog and it will all appear.in your AlienVault Webinterface
  • The modular design of AlienVault USM in form of "deployable sensors", allows you to easily integrate different network segments, such as remote sites.
  • As regular vulnerability scans are a must to understand which CVEs your infrastructure is exposed at, this becomes an easy task with AlienVault. They provide you with a set-and-forget approach for running regular scans. Additionally there are helpful hints to how to get more secure.
  • Because AlienVault USM combines several well know components, you have to life with the fact, that they are not in their latest version, i.e. the integrated OSSEC, which should be replaced with the OSSEC-Wazuh fork instead.
  • Due to the all-in-one approach, the solution is quite resource hungry. You have to have a decent machine to run it.
  • The reporting module is nice, but sometimes it is quite a challenge to configure a custom report as you will only get the results you want after a trial and error run.
AlienVault is most probably the best choice for smaller companies with up to 200 assets, which have limited resources in security personnel and are looking for an easy-to-implement, easy-to-run and easy-to-use SIEM including a "detection ecosystem". If you are highly skilled and very sophisticated (and you have the time too), you better run all the components, each as a stand-alone solution and feed their results into an ELK stack. If you are looking for something in between: AlienVault is customizable too! You can go down on a very system level (they call it jail-breaking, ouch!), and get on a config Spree, but be warned: The next update can break your changes. You need to know what you can so and what not, but once you understand where you can go, and where not, AlienVault becomes a friend for a lifetime.
AlienVault USM is very effective in detecting real security threats, as their "OTX" integrated threat intelligence has a very good reputation in the industry. Thanks to its being-open to others too, other heavy weight champions like the Bro security monitor can integrate the OTX feed too (yes and this is done by many security people out there). This says more than words.
Read Christian B. Caldarone's full review
March 27, 2018

"AlienVault USM Review"

Score 7 out of 10
Vetted Review
Reseller
Review Source
We are an MSSP. We use AlienVault USM internally to monitor our data center and deploy it to remote customer locations and use it as our main security monitoring software. We use it to provide network and host intrusion detection as well as vulnerability scanning and more. AlienVault helps address security visibility and threat detection.
  • Threat detection. AlienVault uses respected open source tools to detect threats.
  • Threat intelligence. AlienVault constantly updates their threat intelligence feeds so they are never out of date.
  • Complete visibility. AlienVault helps monitor the main 5 areas of security visibility.
  • User interface can be very buggy and difficult to use.
  • Many features seem unrefined as if they were implemented to be functioning good enough to use but are not fully tested or refined.
  • Reporting is very underwhelming. They are not very configurable in terms of useful data and the design can be difficult to look at.
AlienVault is useful as it has heavy backing for managed service providers. It is cost effective in comparison to other SIEM tools. It may be less appropriate for individual businesses that do their own monitoring as there are other easier to use and more reliable options.
AlienVault does a good job of constantly updating their threat intelligence feeds. They automatically update every day with new signatures. Their open threat exchange is also constantly updated and it allows the custom creation of indicators of compromise and the ability to follow other users. However, OTX is very prone to false positives and does not provide much information on the threat. There have been other instances of the feed being updated and causing a rash of false positive.
Read Karl Spaeth's full review
March 15, 2018

AlienVault USM Review: "AlienVault Locks it Down"

Score 9 out of 10
Vetted Review
Reseller
Review Source
Sword & Shield is an AlienVault MSSP focusing on security for medium to large businesses. We believe it is the best security management and SIEM platform out there for the cost and value you get. We have a 24/7 managed SOC centered around this platform and also use it to monitor activities within our corporate environment.
  • Provides a simple, customizable dashboard to easily see the most important things going on in your environment.
  • Goes beyond traditional SIEM by providing things like File Integrity Monitoring, IDS and Asset Management.
  • Very simple integration with common cloud services (USM Anywhere only)
  • From a volume perspective, if you have a ton of log data, it isn't the best tool for traditional SIEM activities.
  • There is no migration from USM Appliance to USM Anywhere. You basically have to start over if you move some things to the cloud and want to capture that information.
It works best in medium to large environments where an organization is looking to get "bang for the buck." If you are just looking for a workhorse SIEM, it's not the best option. I consider AlienVault to be more of a security/threat management platform rather than a SIEM tool.
AlienVault users get intelligence from the Open Threat Exchange (OTX), one of the largest community sourced threat intelligence feeds in the world. As an MSSP, Sword & Shield also provides our own threat feed. I have been very pleased with how quickly AlienVault provides information on emerging threats in the security world.
Read Kevin White's full review
June 22, 2018

AlienVault USM Review: "Тhere is room for improvement"

Score 6 out of 10
Vetted Review
Verified User
Review Source
We are utilizing USM Anywhere as SIEM system for a logs aggregation and further analysis by creating correlation rules, manual monitoring of events and alerts sent through notifications to e-mail and Slack channel.
  • Deployment and Integration pretty easy and straightforward whether in AWS (Cloud) or the on-prem environment.
  • Log aggregation, collection rules/Jobs easy to create.
  • Notification s component working very well
  • AWS Integration: in particular, monitoring of AWS resources is far away from ideal
  • Vulnerabilities scanner requires root and administrative privilege in localhost, which is not acceptable.
  • The sensors themselves generate millions of requests, which creates a lot of unnecessary noise to the systems and eventually "eating" traffic and expensive storage space
To fill compliance requirement to implement SIEM system.
Read Vladimir Finkinshtein's full review
April 05, 2018

AlienVault USM Review: "Excellent USM"

Score 9 out of 10
Vetted Review
Verified User
Review Source
Currently used in my company for IDS, vulnerability scanning, monitoring of uptime, notification of when a server or device is disconnected, detection of assets in the network, malware monitoring, traffic monitoring, suspicious activity alert, etc. .
  • It is easy to understand and use
  • AlienVault USM is a product that works well for companies that do not have personal security insurance
  • The system processes them in real time, correlates events and alerts
  • The best thing about AlienVault USM is that it has all the tools in one place, vulnerability scanner, NetFlow, hides ..
  • Unable to obtain information sometimes
  • The limitation of reports
To monitor the computer systems in search of previously identified vulnerabilities.
It helps a lot in the monitoring of computer systems in search of previously identified vulnerabilities.
Read Marcela Guel Mendoza's full review
June 27, 2018

AlienVault USM Review: "AlienVault is a game changer for us!"

Score 9 out of 10
Vetted Review
Verified User
Review Source
AlienVault USM has helped us gain great insights into our operations, as well as the way our users utilize our environment. It is simple to track complex issues, and quite convenient to have a single interface to do so. Management has been pleased with the internal reports we've created using AlienVault, and it has become a critical part of our environment in a short amount of time. The security, alerting, and logging have allowed us to grow as an organization without worrying about whether or not we are secure and up-to-date. This is a fantastic product, and while initially a hard sell due to the price, has proven its worth over the year or so we've used it. I love being able to say to management "yes, I can get you that information" knowing full well that I will be able to, in an easy and timely fashion.
  • SIEM - logging. AlienVault is easy to configure on the client side, and with a couple scripts, makes deployment a piece of cake.
  • Vulnerability scanning. AlienVault helps us track which systems are most vulnerable to security issues so we can prioritize patching.
  • Reporting. AlienVault generates useful and attractive reports.
  • Some of the documentation could be improved and go more into depth, but support is helpful when the documentation falls short.
AlienVault is suitable for any company with more than a few servers or services. Keeping track of updates, vulnerabilities, logs, etc., can be very time consuming and frustrating, and AlienVault takes care of this in a very clear and concise way. It is easy to use and "just works".
The ability to set up rules and notifications has allowed me to sleep at night knowing that I will be alerted anytime an unauthorized SSH login occurs in our environment. Additionally, being able to track zero-day vulnerabilities on a server-by-server basis has upped our security game immensely. We can run bulk updates on our environment and go back and run a scan in AlienVault and see that the vulnerabilities are no longer an issue. Game changer!
Read this authenticated review
May 01, 2018

AlienVault USM Review: "Great correlation engine but needs additional features to be a full SIEM"

Score 6 out of 10
Vetted Review
Verified User
Review Source
We are using AlienVault for log aggregation, analysis and alerting and for scheduled vulnerability scans.

AlienVault ingests logs from our switches, routers, firewalls, servers and essential workstations. It combines uses the analysis of all of these elements using its correlation engine.

It also does a scan on a regular basis to identify vulnerabilities that exist on the network.

It has an integrated ticket system and asset management system but they are both, kind of, lacking in features.
  • AlienVault's correlation engine is really well designed and it understands a large number of log types.
  • AlienVault's open threat exchange is a great way to use the community to report new signatures for issues that are being seen in their environment.
  • AlienVault's main screen UI is well designed and makes it very clear as to what issues need to be addressed first.
  • AlienVaults published development to-do-list is a great feature that more companies need to employ. It is great seeing that features are being worked on and they do take input as to what features need to be added next.
  • AlienVault's on-premise and cloud platforms use a completely separate software base and they don't seem to be getting the same attention from developers. They need to bring the two platforms together into one code base.
  • AlienVault needs to enable integration with third-party utilities for ticketing and asset management. Neither the ticket system nor the asset management system is well featured, as such, they need to be able to integrate with other systems that have more features.
  • AlienVault needs to add a true compliance scanner like Openscap.
  • AlienVault needs to get their cloud solution Fedramp compliant.
All administrators need to use some kind of log aggregation and analysis tool. Alienvault is a great product for that.
Additionally, Administrators should employ some kind of vulnerability analysis system and Alienvault does an ok job with that.

However, as a complete SIEM solution Alienvault lacks the ability to do compliance checking and without using their cloud solution you cannot do an analysis of cloud-based applications.
AlienVault has done a good job detecting threats and its correlation engine does a great job of bringing logs together from separate systems for a holistic analysis of your environment, however, there need to be more actions than just creating a ticket. Custom actions via scripts should be possible as well.
Read this authenticated review
March 27, 2018

"AlienVault USM Review"

Score 8 out of 10
Vetted Review
Reseller
Review Source
We are an MSSP and use AlienVault to monitor customer networks for malicious activity.
  • SIEM
  • Easy to navigate UI
  • Training classes to get you up to speed fast on the product
  • Value "progress over perfection" seen very prominently in bugs while using the software
  • Training classes do not properly prepare for the ASCE exam that is recommended for MSSPs to take
  • Technical questions about deployment in a distributed environment not easily available. Normally have to schedule technical calls that can take a week to resolve.
AlienVault is good for overall monitoring and keeping up with the security health of your network. For a quick overview, the product is nice. However, when it comes to more in-depth analysis, investigations, or using it as a stand-alone tool for security needs, the product falls short with a lot of features. It's nice that it is made primarily from opensource tools and products - but it is lacking some features.
We did not use any other technologies - AlienVault was satisfactory.
Read this authenticated review
June 15, 2018

AlienVault USM Review: "Better for enterprise than SME"

Score 7 out of 10
Vetted Review
Verified User
Review Source
AlienVault helps us collect and log from a variety of sources. We use that information to generate security events using its built-in functionality. We run AlienVault in a cloud deployment, and use it to monitor all of our production services across the organization. The alerts it generates are used throughout the company.
  • Parsing logs in a variety of formats
  • Training was very useful
  • Set up is challenging
  • Debugging log ingestion issues is difficult
  • Limited alerting out of the box
In a cloud deployment with multiple assets, AlienVault can be quite useful to deploy. Particularly if you have the sysadmin or devops knowledge to set it up properly. If you have compliance requirements like HIPAA, PCI, or similar, then the reporting functionality of AlienVault USM can be quite useful. It is less valuable if you have a simpler setup, where the setup costs are high.
Read this authenticated review
March 27, 2018

User Review: "AlienVault USM Anywhere"

Score 10 out of 10
Vetted Review
Reseller
Review Source
​We are an MSP and we utilize an AlienVault USM Anywhere solution for threat detection in client networks. The new cloud-based panel is excellent both for client review as well as for our SOC to review and respond to threats. It is much easier to configure and use than the previous solution from AlienVault.
  • Ease of Initial Installation
  • Range of products covered
  • Cloud Alert Console
  • Relevancy of Data/Alerting
  • Adding additional plugins and applications can be difficult
  • Extensive customization required to clear out white noise
This is a great product for small and medium businesses. I don't think it would be well suited for a large enterprise environment, but they are getting closer to that scale with the USM Anywhere product.
The AlienVault OTX Pulses are a great resource for current threats and applying some real-world intelligence to the data stream from AlienVault.
Read this authenticated review
March 23, 2018

AlienVault USM: "AlienVault Review"

Score 8 out of 10
Vetted Review
Verified User
Review Source

We are using AlienVault as a collection point for our security and appliance logging to take advantage of its correlation engine to identify security concerns we might not otherwise notice.

We are able to run various reports as needed or schedule them to provide insight into various metrics such as account lockouts, vpn connectivity, etc.

  • Log Correlation - continuously growing list of correlation rules to catch network and security concerns.
  • Log searching - quick sorting / searching through all of our security events.
  • HIDS - It is nice to be able to track multiple specific metrics or logs against servers using the HIDS agent.
  • Difficult to configure.
  • They include training when you purchase AlienVault - which I feel is necessary. The downside is the training is really split between implementation and use, where the value for end users is really just use. Staff probably need this training to get most out of implementation.
Entry level SIEM software - can be built into very stable SIEM but you will need to put the time in for it to do so. I do feel all SIEM software requires dedication staff time to properly configure and maintain. You do need to actively hop in and clean up false positives and whatnot or the system will be too chatty and less useful.
AlienVault is constantly updating the correlation rules as new threats come out, you also can sign up and tie their threat intelligence to the appliance. This feature is very nice and seems to have a large growing support community. Very regular updates and good documentation if you are looking to do incident management and understand the threats you identified.
Read this authenticated review
June 14, 2018

AlienVault USM Review: "Good product for the price"

Score 8 out of 10
Vetted Review
Verified User
Review Source
It is being used by the I.T Department to help get a handle on the number of intrusion attempts. It is helping secure our organization's critical servers.
  • Intrusion detection
  • Correlation
  • Log based eventing
  • The appliance can only handle so much SPAN port traffic. We need more but are making do with what we have.
Great for the price. Could use more bandwidth allowance on SPAN port but it's an easy-to-use interface with lots of features.
We have identified a number of known malicious IPs trying to intrude and have mitigated them by using an IP blacklist on our firewall. We are also able to lock down our public SSH hosts better because of this.
Read this authenticated review
January 18, 2018

User Review: "AlienVault USM"

Score 8 out of 10
Vetted Review
Verified User
Review Source
We use AlienVault USM in AWS and onsite. It's a nice way of viewing everything what is happening there in one place. Clear and nice picture of what is happening on the network. Dashboards view is missing customization of view profiles as they are very limited and unfortunately you can't control when updates are done. We have tested view of IDS in cloud and this was the best choice for us.
  • Shows all issues, vulnerabilities and attack on servers.
  • More customized dashboard view.
It's one of the best choices for IDS on servers in AWS unless you want to have multiple firewalls with IPS.
It's very helpful to detect any issues and show them almost in real time. You get notifications on specific issues - all depending on set up.
Read this authenticated review
November 06, 2017

AlienVault USM Review: "When the door closes what window will they try to use?"

Score 10 out of 10
Vetted Review
Verified User
Review Source
Our AlienVault USM is deployed at the organizational level. It monitors and reports any attempt to breach in place security or attempts to find vulnerabilities within said security scheme. Ease of use and limited number of false positives provides peace of mind.
  • Quickly reports unauthorized access attempts of our network.
  • Provides insight to the possible internal breaches sending data out of our network.
  • provides strong reporting on network resources.
  • I would like to see an interface that is more menu driven. For example a method that allows me to drag and drop the items I would like in an adhoc report based on local machines that are attempting to connect to sites beyond our network that are blocked by our firewall.
  • I would like to see a more robust connection to our SonicWall, having two devices in the same rack that must be configured independently is some times a pain to fine tune.
  • I would like to see additional help files built that allow users to work with the Alienvault without attending formal training.
AlienVault USM provides solid insight into the attempted connections to our organization's network resources, this includes printers that may have been properly configured. We recently discovered a third party provided Workgroup printer which had a network port that was misconfigured and allowing probing from the outside (actually was hit by probes from the far east as well as the communist block countries.) This report allowed us to clear the issue and protect resources.
Very effective, as I mentioned previously, we were able to identify a true threat to our environment due that intelligence gathering nature of the AlienVault USM and its clean reporting.
Read Randy Kouns's full review
December 28, 2017

AlienVault USM Review: "Aliens to the rescue!"

Score 9 out of 10
Vetted Review
Verified User
Review Source
We are primarily using the product as our SIEM system to correlate logs across our infrastructure and provide useful analysis on potential threats and anomalies. We also use the built in vulnerability scanning, IDS and asset management functions as a complement to our existing vulnerability/IDS/asset management systems. With this level of intelligence, it helps us determine what course of action to take to an incident and assists us in prioritization.
  • Log correlation is excellent and on par with other more expensive solutions.
  • Ease of use is a big plus.
  • Initial setup was simple and quick.
  • The OTX threat intelligence is a great complement to our other threat intelligence feeds to ensure we have as many 'eyes' out there informing us of all the potentially malicious threat actors out there.
  • There are a couple of things that can only be done through the CLI and unless you're familiar with the CLI, there may be a large learning curve for some.
  • The vulnerability scanner lacks a number of advanced features that other solutions have which make it simpler and more efficient to manage.
  • Plugins are limited (although they are adding more as time goes on). If you need a plugin that is not available you will need to create one on your own which requires modification of a number of files and can be daunting for someone new to the platform.
AlienVault Unified Security Management is a perfect system for small to medium sized deployments. I could see some challenges with larger deployments that would require additional time and effort to get it functioning appropriately, but it definitely can be done. As with any procurement, I would recommend you look at your own environment and your goals when sizing up the different solutions out there and select the most appropriate solution.
The AlienVault USM is reasonable at detecting actual security threats. There is an initial period where you may receive a large amount of false positives or false negatives however with some tweaking these disappear.
Read Farakh Hussain, CISSP, CISM, CEH, ISO LA, MCSA's full review
December 15, 2017

AlienVault USM Review: "AlienVault is no Alien when it comes to Security"

Score 10 out of 10
Vetted Review
Verified User
Review Source
AlienVault Unified Security Management is being used across the whole organisation for event logging and monitoring, threat/vulnerability management and IDS.
  • Alerting on correlated events - this has allowed us to capture malware ahead of time.
  • Ease of device logging - once the logs are sent through, the data is available instantly.
  • Actively reviewing and responding to vulnerabilities through an easy to use interface and schedule task format.
  • More functionality pushed through the web interface would be useful.
  • Asset management can be a little restricted when applying changes across a rule set.
AlienVault is well suited to environments where there isn't always a dedicated SOC reviewing output, a lot of its competitors are unable to cover this area.
Threat management is an excellent feature and allows us an all round vision of our landscape.
Read Philip Clarke's full review
December 04, 2017

AlienVault USM Review: "AlienVault is the best SIEM out there - hands down!"

Score 10 out of 10
Vetted Review
Verified User
Review Source
I implemented first OSSIM, the community version, to see what type of intelligence it could give me. Before long I was feeding it information from my firewall and network devices. When people talk about a "single pane of glass", this must be the product they are referring too. I purchased the product and have it deployed across the enterprise now. I'm using it for two purposes really - to see what isn't normal - i.e. warn me about potential issues, and I'm using it to see what has happened (historical).

The interface really allows you to see what's hot - if a metric, when it changes, doesn't prompt you to get out of your chair and do something, it's a wasted metric. With AlienVault, all I see are metrics that make me do things when they aren't where they are supposed to be.

In my environment, I have 18 buildings spread across 72 square miles. We support 13,000 users on a daily basis, with 6,000 owned devices, and a ton of BYOD devices. With only 10 people in the department (including myself and my secretary), I couldn't imagine staying on top of this without AlienVault.
  • Reporting, reporting, reporting. Setting it up so I get emailed reports has allowed me to know, even when I am not in the office, how my day is going to go. The breadth and depth of the reports, and the ability to customize so you get what you want is awesome.
  • Dashboard. The visual dashboard with the circles (areas of concentration based on number of incidents) is brilliant. All I have to do is show that to people, and they want to install it.
  • Ease of implementation. Turn it on, answer a few questions, point stuff at it, and you're done. Ok, there is a lot more - I mean a lot more - you can do to customize it, but if you're looking to quickly establish a baseline, that's all you need to do.
  • Who else has a fully functional product (OSSIM) you can download and install for FREE to see how it will work in your environment?
  • If it did a little more with IPFIX data (think NTOP).
  • Otherwise, it's perfect.
Ideally suited everywhere. A small SMB with NO IT staff; a medium sized organization; a large corporate environment. It scales and can be configured to just about any type of scenario.

Seriously people, if you need a SIEM and aren't using AlienVault you're wasting money.....
So, my environment (a K12 Public School District with 11,000 students) faces two threats. External, and internal (come on, where else are the kids going to try to break things?). AlienVault was a perfect fit because it really allows me to see EVERYTHING. I've used it to stop kids from doing network scans; trying to load bots; everything script kiddies do. I've also used it to detect and shut down traffic from external threat vectors based on attepts to scan and penetrate the network.
Read Matt Frederickson's full review
August 03, 2017

AlienVault USM Review: "Don't be afraid of this Alien."

Score 8 out of 10
Vetted Review
Verified User
Review Source
The implementation of AlienVault Unified Security Management was the result of a network wide virus infection and not knowing where the virus originated required that all servers and workstations be scanned for infection. The system was deployed across the entire network for a centralized point of administration verifying network integrity and system security protocols.
  • Real-time access logs and scanning. Once the system was installed and configured it allowed our company to find that the network was being hit with a continued bruteforce attack. With this discovery we made a few changes for our remote users and reduced the unauthorized outside access attempts.
  • Traffic monitoring. When first starting with the company part of my assignment was to find why the network was so lethargic. With the AlienVault system I was able to see the time periods of heavy internet and data usage. With this information I was able to determine the highs and lows of user access.
  • OTX activity. After getting subscribed to the OTX community I was given frequent updates to the latest security threats and what to look for. To me the best aspect of the OTX activity monitoring is to know when the threat is directly affecting our network and keeping up to date on the threats.
  • Initial setup and administration. I came into this company after the utility was deployed and what I have found in our setup was that the ESXi environment in our setup does not scan the entire network. Having an initial setup assistance program for the installation.
  • Asset environment. In our current configuration we have all the servers and network appliances running with static ip's or reservations from our dhcp server, this works very well in our environment. What does not work well are the machines that are part of the dhcp pool, if the machines are configured as an asset and the ip address changes the description (identity) does not follow the device. I think that if we have the ability assign assets from the MAC address would eliminate this problem as I see it.
  • Kick-off program. As part of the service we where invited to join a kick-off event that I personally attended (virtual class actually) what I discovered from this class was a more advanced configuration than what I had expected to see. While in provided good information and virtual labs, I think if the class is a kick-off then it should be about the basic installation and configuration of the appliance. The time spent on configuring rules out weighed how to get information to be read from the sensors.

Having been familiar with Cisco Solarwinds and what information is provided with their application I expected a similar result. I believe that gearing the appliance to a very specific task would be a greater service to the customer. What I mean would be to have a smaller footprint, say for the user that is looking to just monitor network traffic and network access that would be a single service or installation. Also, having another that would exclusively work with and integrate with virus software and provide central administration for the companies NOT using a server and endpoint environment.

My question to be asked, "Ultimately what do you expect to see the appliance provide you?"

I believe the best aspect of the AlienVault system comes ultimately from the community of users. The OTX activity notifications for myself provides a great wealth of knowledge that I would not get otherwise. This is my first true experience in managing a service such as AlienVault for a long period of time. The community support is a great reference for smaller IT departments that have limited resources to stay up to date with emerging threats.
Read James Ellsworth's full review
November 21, 2017

AlienVault USM Review: "RUN-- RUN FAST (And don't look back!)"

Score 1 out of 10
Vetted Review
Verified User
Review Source
We use AlienVault as an IT Department and use it to monitor all of our brach offices. Its primary use case is of a typical Intrusion Detection System where it actively monitors and alerts for potential threats. I have also used it to run vulnerability scans on my servers (both physical and virtual) to have a better understanding of risks in my environment.
  • I have found things it does well are in short order. It leverages the Snort engine so its IDS scans are pretty good.
  • I like some of the diagnostic capabilities built into the product such as the whois search on a foreign IP address.
  • The support team is knowledgeable. I have had several support cases for databases that crash causing the system to be unresponsive. Each time I have had a support person that was knowledgeable of the product and Linux without having to ask for an escalation.
  • The user interface is horrible. Making changes to directives nearly requires a Ph.D. It takes 6 clicks to find the directive you want to modify and the chain of which 6 items you need to click is not provided in the alert. So if you want to go to a directive that is nested multiple layers you must have the full path memorized, and they have hundreds of directives so unless using AlienVault is the only thing you do it is unlikely you will memorize the path.
  • The system is highly unstable. As I mentioned earlier, I have had several support tickets for the system being hard down. I support several virtual appliances and a significant number of databases that are far more stable than this one.
  • Support and maintenance costs are disproportionately high. AlienVault charges a premium several times higher than any other appliance (virtual or physical) I have ever seen. I have 3 other virtual appliances (including another virtualized security device) in my environment and the cumulative cost for support and maintenance on those three is less than 1/3 of the cost of AlienVault.
  • AlienVault has a lot of false positives; so many that one of their consulting companies knows them by name and has a list of recommended alerts to turn off. If the consulting company knows these are false, and AlienVault highly recommends working with the consulting company, why doesn't AleinVault fix the alert? In one case it appears they are marking a Microsoft Update Server (not my WSUS, but one owned by Microsoft) as a DNS Sinkhole.
  • By default AlienVault creates a policy to ignore USM traffic, but does not enable it. I cannot understand why that is unless, they want a new owner to see alerts to know the system is on? It may seem minor, but why not tune out the noise from your system so new customers are only focusing on their traffic and not every SSH session from the USM? All that does is add extra work to a deployment.
I would never purchase AlienVault again, and tell every person I know not to purchase it. This is the worst SIEM I have ever used. If someone reading this review is thinking of buying AlienVault. DON'T!!! The product will meet surface level requirements, but will cost you more time and energy to get full value out of it than it is worth. There are better products on the market.
It's not helpful.

The USM does not give realtime alerts or data. That is a misnomer. It will monitor in realtime, but it goes through a correlation process that I have seen take over 15 minutes to complete before you can drill into an alert for data points such as the origin or destination IP of the reported issue. For example, I might see a brute force alert and have to wait to see where the alerts are coming from and where they are going to. I also have not seen any impressive information coming from the OTX that they boast about. You can find the same or better information from any number of security blogs.
Read Scott Whitehouse's full review
November 14, 2017

AlienVault USM Review: "Alienlogging"

Score 8 out of 10
Vetted Review
Verified User
Review Source
AlienVault was used as a SEIM for logs and also threat analysis. The vulnerability scanner was also a very nice feature. I used it to scan my server and core network environment. It provided a nice report similar to when I had a professional pen test done, so it was a nice list of known vulnerabilities. The core features (the threats) provide a lot of value over just a regular log SEIM.
  • Crowdsource along with source-based threat feeds
  • Very nicely laid out web-based GUI
  • Very easy asset discovery
  • Maybe some better NetFlow integration to get data at the network and application level.
I think it's a great solution for a shop looking for a good all in one solution.
Open Threat Exchange (OTX) is a great implementation that helps create a great picture of actually threats and real time information of the current attacks.
Read John Dopson's full review
November 02, 2017

AlienVault USM Review: "Great system to meet FINRA's Cyber Security Requirements"

Score 9 out of 10
Vetted Review
Verified User
Review Source
We use AlienVault to be in compliance with FINRA's cyber security regulations. We monitor our traffic, our users logins, and systems to make sure we don't have any unauthorized entries. It is used by our IT Dept primarily, periodically compliance logs in as well. It is a great system and I am happy we went with AlienVault for our cyber security needs.
  • It has great reports that are able to be generated
  • A lot of functionality
  • The intrusion and detection system is particularly useful for us
  • It is not easy to use for non IT professionals
  • The set up process is very tedious and difficult
It is great for individuals and institutions in the financial space especially broker dealers. It is a great way to satisfy FINRA's cyber security regulations and be compliant with them.
I have not compared this to other software.
Read Mikhail Suleymanov's full review

Feature Scorecard Summary

Centralized event and log data collection (1)
8
Correlation (1)
8
Event and log normalization (1)
8
Deployment flexibility (1)
7
Custom dashboards and views (1)
6
Host and network-based intrusion detection (1)
7

About AlienVault USM

Unified Security Management (USM) is AlienVault’s comprehensive approach to security monitoring, delivered in a unified platform. The USM platform includes five core security capabilities that provide resource-constrained organizations with all the security essentials needed for effective threat detection, incident response, and compliance, in a single pane of glass. Designed to monitor cloud, hybrid cloud and on-premises environments, AlienVault USM significantly reduces complexity and reduces deployment time so that users can go from installation to first insight in minutes for the fastest threat detection.

The vendor says unlike traditional security point technologies, AlienVault Unified Security Management does the following:

    • Unifies essential security controls into a single all-in-one security monitoring solution
    • Monitors your cloud, hybrid cloud, and on-premises infrastructure
    • Delivers continuous threat intelligence to keep you aware of threats as they emerge and change
    • Provides comprehensive threat detection and actionable incident response directives
    • Deploys quickly, easily, and with minimal effort
    • Reduces TCO over traditional security solutions


AlienVault USM Features

Has featureAlienVault Open Threat Exchange

AlienVault USM Videos (2)

Watch An Introduction to AlienVault USM Appliance

Watch AlienVault USM Anywhere: Five Essential Cloud Security Capabilities in a Single SaaS Platform

AlienVault USM Downloadables

Pricing

Has featureFree Trial Available?Yes
Has featureFree or Freemium Version Available?Yes
Has featurePremium Consulting/Integration Services Available?Yes
Entry-level set up fee?Optional

AlienVault USM Support Options

 Free VersionPaid Version
Phone
Email
Forum/Community
FAQ/Knowledgebase
Social Media
Video Tutorials / Webinar

AlienVault USM Technical Details

Deployment Types:On-premise, SaaS
Operating Systems: Linux
Mobile Application:No
Supported Countries:Global