TrustRadius
AlienVault USM

Recent Reviews


MSSP Review

8 out of 10
October 04, 2021
AlienVault offers a different experience as opposed to other SIEM tools where it can be set up and configured properly in a shorter amount …


Popular Features

  • Centralized event and log data collection (8): 8.5 (85%)
  • Correlation (8): 8.5 (85%)
  • Event and log normalization/management (8): 8.0 (80%)
  • Custom dashboards and workspaces (8): 7.0 (70%)


Pricing

  • Essentials: $1,075 per month (Cloud)
  • Standard: $1,695 per month (Cloud)
  • Premium: $2,595 per month (Cloud)

Entry-level set up fee?

  • Setup fee optional

For the latest information on pricing, visit https://www.alienvault.com/products/pri…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Features

Security Information and Event Management (SIEM)

Security Information and Event Management is a category of security software that allows security analysts to look at a more comprehensive view of security logs and events than would be possible by looking at the log files of individual, point security tools.

Score 8 (Avg 7.8)

Product Details

What is AlienVault USM?

AlienVault® Unified Security Management® (USM) delivers threat detection, incident response, and compliance management in one unified platform. It is designed to combine all the essential security capabilities needed for effective security monitoring across cloud and on-premises environments, including SIEM, intrusion detection, vulnerability management, as well as continuous threat intelligence updates. The vendor states that even for resource-limited IT security teams, AlienVault USM can be affordable, fast to deploy, and easy to use. It eliminates the need to deploy, integrate, and maintain multiple point solutions in the data center.

Smart, automated data collection & analysis: USM Anywhere automatically collects and analyzes data across the attack surface, helping to quickly gain centralized security visibility without the complexity of multiple disparate security technologies.

Automated threat detection powered by AT&T Alien Labs: With threat intelligence provided by AT&T Alien Labs, USM Anywhere is updated automatically to stay on top of evolving and emerging threats, so the security team can focus on responding to alerts.

Incident response orchestration with AlienApps: USM Anywhere supports a growing ecosystem of AlienApps, enabling the user to orchestrate and automate actions towards other security technologies, able to respond to incidents quickly and easily.

AlienVault USM Features

Security Information and Event Management (SIEM) Features

  • Supported: Centralized event and log data collection
  • Supported: Correlation
  • Supported: Event and log normalization/management
  • Supported: Deployment flexibility
  • Supported: Integration with Identity and Access Management Tools
  • Supported: Custom dashboards and workspaces
  • Supported: Host and network-based intrusion detection

Additional Features

  • Supported: AlienVault Open Threat Exchange

AlienVault USM Screenshots

Screenshot of USM Anywhere NIDS Dashboard


AlienVault USM Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No
Supported Countries: Global

Frequently Asked Questions

Splunk Cloud and Fortinet on IBM Cloud are common alternatives for AlienVault USM.

Reviewers rate Deployment flexibility highest, with a score of 8.6.

The most common users of AlienVault USM are from Mid-sized Companies (51-1,000 employees).

Reviews and Ratings (735)

Community Insights

TrustRadius Insights are summaries of user sentiment data from TrustRadius reviews and, when necessary, 3rd-party data sources.

Users have found AlienVault USM to be a valuable SIEM solution for centralizing and searching log data from a large number of network attached devices. This platform is being used for various use cases such as vulnerability management, scanning, malware detection, and monitoring malicious network traffic. It is considered a good SIEM solution for organizations new to security operational logging or those with a smaller staff and budget. The product has been praised for its integrated feature sets, including HIDS, NIDS, FIM, and security alerting capabilities. The inclusion of features like vulnerability scanning and file integrity monitoring has extended its value for organizations in the early stages of cybersecurity program development. Many users have experienced real-time alerts, enabling them to respond to security incidents and compromised passwords more quickly. Furthermore, AlienVault is used for a range of functions such as SIEM, vulnerability scanning, asset discovery, and investigations. It provides organizations with a centralized log collection site, allowing them to monitor and address new problems more effectively. The platform has been effective in helping organizations meet regulatory compliance requirements and improve SOC operations. Additionally, AlienVault is used to analyze network traffic, Windows Event Logs, and other security events, helping organizations improve network security and protect their customers. It solves security challenges related to device and software visibility, monitoring for anomalous events, and ensuring patch management. Users appreciate the simplicity of deployment and the robustness of the interface. The support team is highly responsive and knowledgeable.

AlienVault USM Anywhere is used by organizations to easily identify security incidents happening across their infrastructure and comply with PCI-DSS compliance requirements. MSSPs utilize AlienVault USM Anywhere to provide their customers with best-in-class threat monitoring and response services. It is also used to monitor cloud environments, scanning and alerting for any known vulnerabilities or activity on servers. AlienVault helps organizations with auditing purposes by monitoring cloud permissions and changes to security. Additionally, it is deployed to customers for monitoring and is used by NSOCs to monitor their networks. AlienVault has been implemented across organizations, covering server assets and providing granular logging on systems and networks. It helps in raising alarms/alerts and mitigating network-related activities. AlienVault collects and alerts on network and system activity across the entire organization, making it easy to filter for important data. The product centralizes log data and helps perform vulnerability analysis and threat detection. It assists in security patching and monitoring within AWS environments. Users appreciate the ease of use and configuration of the cloud-based panel. AlienVault is implemented and managed for clients as a recommended SIEM solution, collecting and normalizing logs from various data sources. It is used throughout organizations to gain insight into network and server events, manage and correlate logs, and recognize anomalous activity. Users have been able to set up alerts for specific events and policies, effectively managing systems and alerts in place, monitoring multiple client environments, and identifying issues that clients may have missed.

AlienVault USM Anywhere is praised for its cost-effectiveness compared to other SIEM solutions on the market. Users appreciate its threat intelligence capabilities, ease of use, user-friendly interface, and simplicity of deployment. The built-in correlation rules require minimal setup and provide high-quality results. Asset management and scanning features help users stay on top of monitoring assets, including dynamic and static asset lists. The integration of OTX into USM Anywhere allows for up-to-date threat intelligence and pulse subscriptions.

The software plays a crucial role in monitoring and alerting when anomalies occur, aiding in threat detection, compliance management, log collection, and vulnerability scanning. It helps organizations stay up to speed on new vulnerabilities and supports agile business initiatives by aiding analysts in identifying cyber threats and providing access to threat cross-referencing data. AlienVault USM Anywhere is deployed to monitor AWS cloud environments, attain compliance, identify threats, and facilitate auditing of non-emergency configuration changes and vulnerability monitoring.

Overall, AlienVault USM Anywhere provides centralized security monitoring, incident response capabilities, compliance reporting features, vulnerability assessment tools, real-time SIEM functionality, as well as asset discovery and user activity monitoring capabilities. It has been widely adopted across various industries for enhancing security posture and gaining comprehensive visibility into network activities.

Users of AlienVault USM commonly make the following recommendations:

  1. AlienVault USM is recommended for cost-conscious companies and small to medium businesses due to its affordability and effectiveness. Users find it to be a great tool for analyzing and reacting to threats, offering excellent value for the price.

  2. Users suggest exploring alternative SIEM choices and discussing functionality and configuration requirements. Logrhythm is mentioned as a possible alternate SIEM choice, especially for high-end functionality needs. It is advised to compare features and select the SIEM system that offers the best cost for desired features.

  3. To maximize the experience with AlienVault USM, users recommend taking advantage of training opportunities provided by AlienVault. Joining official training sessions allows users to learn best practices from other users and gain comprehensive knowledge of the product. Users also recommend utilizing forums, support, webinars, and videos offered by AlienVault to enhance understanding and achieve optimal results.

Overall, AlienVault USM is regarded as a cost-effective solution suitable for organizations with data privacy and security priorities. The product's flexibility, community-created intelligence, and continual improvement are also highlighted by users. While some mention areas for improvement, such as support stability and module quality, the general consensus is that AlienVault USM delivers reliable security enhancements and cost savings.

Reviews (1-25 of 28)
Christian Holton | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use AlienVault across the org, with accumulator appliances in two offices and in our cloud infrastructure. These devices are syslog targets and are used to scan traffic in each location. In addition, I also have deployed the AlienVault USM agent script to all servers and user systems. AlienVault sometimes notifies me of problems within integrated systems such as Sophos before that service itself. Notifications as simple as an improperly configured SSH config or something as significant as signs of SPECTRE traffic are delivered to my inbox so I may deal with these alerts ASAP.
  • AlienVault USM is THOROUGH. We have a highly integrated workspace that's mostly SaaS, and I monitor those integrations and their security with AV. If I am trying to track the uptime of a laptop, I don't go to VPN or our Directory Services... I go to AV.
  • As I mentioned before, we use Sophos to protect our laptops. If a questionable file shows up on someone's laptop, I hear about it from AlienVault before I hear about it from our Sophos service.
  • The OTX Pulse feature is a built-in feature that lets you subscribe to industries and you are notified about new threats that affect that industry on a daily basis. The pulse alerts are added to your AV watchlist.
  • Personally, I've wished I could purchase a service that would configure AV for my environment. I get a lot of traffic on a daily basis and I almost need to hire an analyst that just works on AV.
  • Some of the filters when looking for a specific alert aren't that easy to use.
AlienVault is an amazing product. The only reason my rating isn't higher is that most of my colleagues work for smaller businesses where the IT staff is less than 5 people. There are a lot of moving parts to AlienVault and it is almost another job. Folks in my circle of colleagues, for the most part, don't have the bandwidth that AlienVault demands.
October 25, 2019

Good for startups

Score 7 out of 10
Vetted Review
Verified User
Incentivized
We use AlienVault as our SIEM, collecting all events coming from the physical network and the cloud one, allowing us to overview everything (from a server or a firewall down to an endpoint).
It is primarily used by the security team.
  • integration with the cloud providers
  • ability to manage big log files
  • threat intelligence
  • support is not so great
  • plugins are not always up to date
If you have a small security team, AlienVault OTX would greatly help by providing a strong centralized dashboard to overview everything. With a bigger team there could be more specialised tools.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We're using AlienVault USM Anywhere at our organization for its network scanning functionality as well as NIDS, and log collection and correlation capabilities. It covers a large range of input sources, which works for our disparate environment. It will also help us to stay aware of our newly implemented and expanding cloud architectures' health.
  • Ease of Use
  • Built in / Updated Correlation Rules
  • On Prem and Cloud options
  • Host Agent available
  • Customization of Agent
  • Search Fields name doesn't match event info
AlienVault USM is well suited for small businesses that need a simple and effective SIEM. It is easy to set up and get logs forwarded to it.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
AlienVault USM is being used for asset discovery, vulnerability management, and security event monitoring across all networks. Sensors are deployed within VMware currently. It solves a number of security challenges: device and software visibility, monitoring for anomalous events on those devices, and making sure that our patches are being applied as we expect them to be.
  • It's incredibly easy to get up and running. The sensor is simply a VM download that you link to a console, and away you go. We'd scanned most of our networks within a couple of days.
  • The insight it provides into our environment has been invaluable, especially in terms of discovering BYOD and other unmanaged devices in use.
  • Having a number of functions (asset discovery, vulnerability management, SIEM) in a single platform gives a great bird's-eye view of security.
  • There could be a greater degree of flexibility in terms of roles and permissions management. There is only 'Manager,' 'Analyst,' and 'Read Only,' all with pre-defined permissions.
  • All logs, even for cloud services (linked via AlienApps) have to be forwarded to a sensor. For example, if you want to monitor a cloud service such as Box, you need to forward logs to your sensor (which is likely behind your firewall). It would be better if you could forward straight to AlienVault cloud.
  • There's not much documentation or recommendations in terms of how much CPU, RAM, etc. your sensor requires in relation to how much scanning and monitoring you'll be doing. Even just 'ballpark' recommendations would be useful.
AlienVault USM Anywhere is great if you have limited dedicated security resource. It's also great if you'd like to do as much as possible with a single platform. The option to hand over your instance to an MSSP is also a great option if you discover that there's more going on in your environment than expected. I can imagine for experienced SOC analysts there may be a lot of flexibility and customization missing when compared to individual, more traditional SIEM or vulnerability management platforms.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We use the USM Anywhere SIEM for our corporate security program currently, separate from our application security team in charge of our cloud environments our SaaS offering is hosted on. This solves the compliance and security issues we face as an organization for forensically sound log storage as well as data aggregation for correlation.
  • The integration setup for syslog forwarding and native web apps partnered with the platform is a very simple setup.
  • Deploying sensors in cloud systems usually follow a pre-defined build flow for ease of sensor deployments and scaling.
  • For perimeter defense, as long as your defended organizational structure uses Active Directory or another LDAP replication type service, vuln scanning and KIDS is a breeze.
  • For highly distributed workforce issues, the system requires a lot of third-party integrations to collect data for automation.
  • Customization can be lacking in areas without significant help from their support teams.
  • Building rules for filtering, suppression, and custom alarms can be a steep learning curve, although this is slightly offset by their training offerings.
The system works very well for 'legacy' perimeter defense based networks that rely on centralized network traffic and remote management solutions for the internal networking and endpoint devices. For architectures adopting a zero-trust/BeyondCorp mentality, the system can still be useful but requires either investment in third-party tools to collect information otherwise unavailable to the system, or significant custom infrastructure tools to support many orchestration functionalities.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We are using AlienVault USM as the cornerstone of our layered security model. We use it for Incident Management, Event Logging and Anomaly Detection.

We have a Global Security Operations Centre and are deploying AlienVault globally. We want to standardize our security incident responses globally to ensure that we can implement a true 'follow the sun' model. AlienVault has a global presence and we want to leverage that capability to support our security teams.
  • Excellent feedback and reviews from external organisations and in-house experience
  • Good value for money
  • A reliable, all-round tool to avoid duplication / overlap with other products
  • Allowed us to build a security tool-set without wasting money on duplicated (and unused) functions
  • Global presence
  • Other products, like Darktrace, provide exceptional automatic isolation and intrusion protection. I want AlienVault to provide equivalent protection / isolation to protect environments out of working hours (public holidays etc)
  • External threat monitoring is a great way to identify threats mobilizing before they attack (horizon monitoring). Intsights (https://intsights.com/) provides this for a fee, but I would like to see a capability for monitoring key assets, such as domain names, C-Suite personnel etc.
  • Some simple mechanisms to reduce white noise. We are gradually improving our filtering, but machine learning (aka Darktrace) would be helpful to allow the system to 'learn' behaviours and then allow to be filtered by an administrator. Full AI learning is difficult (hence the costs for Darktrace) but a configuration dashboard to reduce 'noise' should be easy to deliver, rather than having to edit and apply filters individually.
  • Dashboards for ISO27001 and PCI. ISO27001 KPIs such as Threats Detected, Threats automatically prevented, Threats requiring human intervention etc are simple and should be easy to provide.
  • Anything you can do to link with Vulnerability Management, such as Nessus, Cyberark DNA etc would be helpful. Currently these are managed separately, but would be great if these could be integrated for running routine scans from a single dashboard, or reporting on a dashboard.
Anomaly detection seems good, but there are a lot of false positives until the filtering is perfected. Unfortunately the filtering management is a huge overhead on teams until it is fine tuned. Anything to assist with bulk filter changes would help.

Off network monitoring would be helpful - a selectable client which allowed activity to be tracked could be useful, particularly where split horizon networks exist. This could just provide a summary of traffic / sites visited which may be inadvertently bypassing corporate controls (such as Corporate Cloud Storage, Webmail etc). This would help us provide awareness and training for users to explain the associated risks.

Score 5 out of 10
Vetted Review
Verified User
Globally as a SIEM/FIM solution.
  • FIM with limits.
  • Vulnerability scans (with agents installed as opposed to "NXlog").
  • Dashboards.
  • Need to be able to comment on issues flagged by AlienVault so that other users may know what has been done for triage.
  • Single pane of glass, need to have a shared dashboard that is customizable.
I find AlienVault easy to use, and the learning curve is less when compared to some of the other solutions available. This is especially important for small to medium-sized companies with small staffs. I think of it as what we need and not necessarily what we want in a solution.
The ability to comment on issues within the application is rather important, as now I can 'label' an issue and assign it to myself or others but cannot include what steps have been taken thus far. That means a separate email communication is necessary.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use AlienVault USM across our entire organization. It was purchased to help us improve our ability to respond to cyber security threats by keeping up with patching and tracking down vulnerabilities on our network. We took these steps after paying to have penetration testing done on our network.
  • AlienVault USM helps our IT staff stay on top of patches.
  • AlienVault USM makes it easier for our IT staff to track down vulnerabilities.
  • AlienVault USM provides steps to correct any vulnerabilities that may arise.
  • AlienVault's staff were very helpful in setting up their product on our network. There was plenty of opportunity for training.
  • AlienVault USM can be cumbersome for a small IT staff to manage. We still use AlienVault USM but now pay a third party to help us manage it.
AlienVault USM is appropriate for companies looking to improve cyber-security without investing heavily in additional IT staff. There is a considerable learning curve associated with this product so it's worth considering letting a third party manage it for you.
Score 10 out of 10
Vetted Review
Reseller, Incentivized
As a product-agnostic Managed Security Services Provider (MSSP), AlienVault USM is one of several SIEM solutions we utilize in our Security Operation Center (SOC). We deploy, manage, and monitor the solution for other clients, and we use it for ourselves. As do most SIEMs, AlienVault allows us a central location to monitor the cybersecurity of an IT environment. It's impossible to avoid 100% of attacks, so after setting up defenses, the next best thing is to have 24/7 eyes-on-glass to be able to quickly respond to incidents as they happen.
  • AlienVault USM Anywhere has a modern, user-friendly, and intuitive GUI, making it easy to use.
  • AlienVault USM Anywhere is a cloud-based solution that is easy to deploy and easy to scale as well.
  • On top of having built-in support with several technologies, AlienVault USM Anywhere has an API that allows you to develop additional plugins if necessary.
  • Although they use machine learning, the algorithms that they use are graph-based. Their AI/ML capabilities could be improved a bit.
  • The solution provides some compliance reports, but it does not generate reports with information such as... how many of what type of event happened this month. You can see this information on the dashboard, but it would be nice to be able to generate a report automatically.
Of the many SIEM solutions that I have worked with in the past, AlienVault USM Anywhere has the best value. In my opinion, it is not the best of the best that one can afford, but if you are looking for a good balance between price and performance, then AlienVault USM Anywhere is for you.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
AlienVault USM is used throughout our organization. It was put in place to resolve two issues. One was vulnerability scans for audit compliance. It was also used for monitoring critical systems in our network. We also use it to parse syslog and other logging. An added bonus was the ability to track AD changes.

The vulnerability scans are the best bar none that we tested. The monitoring is great too; however, the only thing we found lacking was hard drive monitoring, so we had to put another solution in place for that. That was 6 months ago, though, so things may have changed.
  • Vulnerability scanning
  • Up to date security definitions
  • Open Threat Exchange
  • Range of product sizes to fit any size of organization
  • Hard drive monitoring
  • Slightly higher learning curve
Well suited for compliance and high security environments. In policing it has been the perfect fit for us to meet compliance regulations.

Requires some learning to get full use, so if resources are tight it might not be the best choice. For the first couple of months it needed tweaking, but we got professional services to assist with that.
December 28, 2017

Aliens to the rescue!

Farakh Hussain, CISSP, CISM, CEH, ISO LA, MCSA | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
We are primarily using the product as our SIEM system to correlate logs across our infrastructure and provide useful analysis on potential threats and anomalies. We also use the built in vulnerability scanning, IDS and asset management functions as a complement to our existing vulnerability/IDS/asset management systems. With this level of intelligence, it helps us determine what course of action to take to an incident and assists us in prioritization.
  • Log correlation is excellent and on par with other more expensive solutions.
  • Ease of use is a big plus.
  • Initial setup was simple and quick.
  • The OTX threat intelligence is a great complement to our other threat intelligence feeds to ensure we have as many 'eyes' out there informing us of all the potentially malicious threat actors out there.
  • There are a couple of things that can only be done through the CLI and unless you're familiar with the CLI, there may be a large learning curve for some.
  • The vulnerability scanner lacks a number of advanced features that other solutions have which make it simpler and more efficient to manage.
  • Plugins are limited (although they are adding more as time goes on). If you need a plugin that is not available you will need to create one on your own which requires modification of a number of files and can be daunting for someone new to the platform.
AlienVault Unified Security Management is a perfect system for small to medium sized deployments. I could see some challenges with larger deployments that would require additional time and effort to get it functioning appropriately, but it definitely can be done. As with any procurement, I would recommend you look at your own environment and your goals when sizing up the different solutions out there and select the most appropriate solution.
November 30, 2017

AlienVault Review

Score 7 out of 10
Vetted Review
Verified User
Incentivized
Security Event Correlation.
  • Notification
  • Log Monitoring
  • Threat Alerts
  • Inventory Monitoring
  • Vulnerability Scans
  • System Updates break features, especially Threat Intelligence Policies as well as corresponding Alerts
  • Need to conduct more Customer Education regarding features and system updates
  • Steep initial learning curve on getting the most out of system
  • Getting a Support Technician on the phone when something breaks.
It's well suited for HIDS, IDS and event log correlation, security threats visibility, as well as notification of these events.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use AlienVault's USM all-in-one appliance for all of our compliance needs. We went looking for a security product that would meet our compliance needs and found that just one component of our compliance budget, logging, was too expensive for our budget. AlienVault Unified Security Management allowed us to meet the other needs of SIEM, threat detection, HIDS, and vulnerability management for less than most of the other products charge for logging.
  • Integrated product - AlienVault does a great job of bringing the varied product functionality together and provides a centralized view of security throughout our company.
  • Support and Training - We chose to implement AlienVault ourselves and took the training class with implementation assistance. Both helped in learning the product and allowing us to be able to administer, use and improve our use of it more effectively.
  • Product improvements - I have found issues with the product in the short time I have been using it and then seen product updates shortly thereafter that included the fixes we requested.
  • Plugins for data could use some improvements. Newer plugins and a more user-friendly way of creating them rather than writing regex would greatly improve the ability to add additional data sources.
  • Documentation can be improved. The knowledge base and help are being redone and they have yet to catch up to the latest version. They provide some help but need to add detail for advanced troubleshooting. Forums can sometimes be helpful and the support also is helpful.
AlienVault Unified Security Management meets many compliance requirements at a great price point including: centralized logging, file integrity monitoring and HIDS, SIEM, vulnerabilities, and threat management. It brings all those capabilities together in one integrated product. We did not expect to find this in just one product. AlienVault Unified Security Management could easily take the place of many products.
Score 6 out of 10
Vetted Review
Verified User
Incentivized
We have a single rack mount AlienVault USM appliance installed at our HQ location. We have multiple branch offices that the devices scan and report on as well. It addresses items such as alerting us if suspicious activity is detected on a particular workstation. It also lets us know when new devices are added to our network that were there previously using baseline scans.
  • Technical support is responsive, return call back time is quick
  • Marketing, the reason we went with the system was incredible marketing and rave reviews in the industry
  • Sales, very aggressive and I felt I was pushed on a regular basis to purchase more devices from AV.
  • Large overhead when scanning, network was impacted with the default scan settings for our network, huge network performance hit.
  • Direction, felt abandoned after spending over $30,000 on an onsite appliance now that the core focus of the company seems to be going cloud-based. Very quickly after we purchased the onsite device I learned through an AV webinar that the new malware/ransomware protection that was being included in the cloud version of AV was not going to be introduced into the onsite appliance, and there were no foreseeable plans to integrate it.
  • The interface is sometimes unrefined and difficult to navigate, there were some bugs that we ran into.
  • Requires almost a full-time person just dedicated to compiling and reviewing the sheer amount of data collected and presented. Very comprehensive, though with that it requires a high training curve to get new staff to fully be able to navigate and use the product properly.
For ISO compliance perhaps the AV USM appliance may still be applicable, otherwise go with the AlienVault cloud solution that provides more robust malware/ransomware protection.
Jeremy Wanamaker | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Reseller
Incentivized
We are an AlienVault Managed Service Security Provider (MSSP). We use the product internally, as well as for customers. AlienVault is a great product because it provides a level of visibility into network activity that is difficult to achieve with traditional infrastructure monitoring tools. Like any good tool, there is a learning curve. I highly recommend working with a partner or a consultant if you are considering implementing AlienVault. Once it's set up properly on a network, it provides excellent data about vulnerabilities and network activity that would otherwise be missed. In every case where we've deployed AlienVault, the tool has exposed risks and/or activity that was unknown prior to the installation. AlienVault support is excellent. In every case where we've had to escalate an incident or problem to support, they have been very responsive initially and in fixing the problem. I highly recommend the AlienVault product for any organization that is looking for a cost-effective and comprehensive security tool.
  • Identifying network vulnerabilities
  • Alerting on suspicious network traffic
  • Providing a single pane-of-glass for security monitoring
  • Ticketing - the internal ticketing system is not very good and integration with external ticketing systems is limited to email forwarding
  • Out-of-the-box usefulness. The product requires a significant amount of time and expertise to make it useful. AlienVault could provide better documentation and/or GUI workflows to make setup smoother
It's well suited to midmarket businesses with a straightforward network setup. I don't have much experience in setting up the product on very complex networks but I can imagine it would complicate deployment and administration quite a bit. It's not a suitable product for enterprise environments with a full support staff of security experts.
Corey Soderquist | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Reseller
Incentivized
As a managed security services provider (MSSP), Secure Compliance Solutions utilizes AlienVault USM to continuously monitor our clients' information systems. Secure Compliance Solutions deploys AlienVault USM All in One servers along with remote sensors to capture events for analysis and response by our security team.
  • The combination of comprehensive threat detection and access to the Open Threat Exchange positions AlienVault as a very formidable security tool.
  • The reporting in AlienVault is well executed and provides a simple method of conveying how well it is protecting the end user's network.
  • AlienVault USM is processor hungry and will only run as Virtual Machines unless you purchase the hardware directly from the vendor. I would like to see an installable version so that we can deploy bare metal on our own hardware.
  • The learning curve can be steep and requires advanced training to get the most out of the system.
For Secure Compliance Solutions, we have found that using AlienVault USM as the heart of our managed security service provides us with an easy to maintain and robust solution. I can also see that if a company has the staff to manage the system, it would do well in an internally managed installation. Just be prepared to have at least one FTE responsible for the system on a daily basis.
Michael Dadswell | TrustRadius Reviewer
Score 4 out of 10
Vetted Review
Verified User
Incentivized
AlienVault is being used to provide Security information and event management in several departments. It addresses the need to monitor and detect security issues in our networks.
  • Low cost
  • Relatively simple to manage
  • Largely open source
  • Technical support does not really manage defects and fixes well.
  • Poor versioning of software releases - two different releases had the same file name!
  • Support highly dependent on remote access. This is not permitted in my environment.
  • The GUI setup tool does not work properly.
  • No useful knowledge base of known defects and fixes available to customers.

Suited where a steep learning curve is acceptable and the local technical support competence is above average.

Not suited where a quick install and minimal local technical support is required.

Not the best solution where internet access is restricted; there are no good offline update mechanisms.

Score 7 out of 10
Vetted Review
Verified User
Incentivized
AlienVault is used by our information security team for log management, SIEM, and vulnerability scanning. Our network is split across on-premise and multiple cloud accounts. Alarms are raised for any issues detected, and then are investigated by the infosec team.
  • Good detailed vulnerability scanning using OpenVAS
  • Logs are correlated well
  • HIDS Agents are easy to deploy to static servers
  • Access to the linux back-end of the server for adding additional functionality
  • Frequent correlation updates
  • Alienvault becomes pretty inflexible when working in rapidly-changing transient cloud environments. Our servers can automatically rebuild when required, and alienvault requires an agent to be deployed to each. Unfortunately an auto-deployment function is not included, and we had to script our own process - requiring extra upkeep and maintenance.
  • Drilling down to find specific logs is awkward and clunky (especially compared to some of the competition in this area).
  • There is no functionality to automatically remove agents/assets that have been disconnected for a period of time. This means it is a constant manual job to make sure old agents aren't still in the system (as you will soon get IP collisions when using DHCP or in a limited IP range on the cloud).
  • Some competitors use machine learning to alter which events raise alarms. AlienVault doesn't have this functionality, meaning I have to be constantly adjusting rules.
  • Struggles finding DNS names for our cloud servers, meaning a lot of our assets are named something like Host-192-168-1-1. We have found ways to script around this, but this is another thing that isn't supported by AlienVault.
  • Agent deployment to Linux can't be done from the AlienVault UI, and has to be done manually on each Linux instance (or by creating unsupported scripts as we did).
  • Can't digest cloud infrastructure logs without additional scripting and writing own plugins.
AlienVault USM is a good, affordable solution for someone with a very static small-to-medium sized Windows network. As soon as the cloud is involved, AlienVault USM falls short and struggles to keep up with the speed of change.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use it to track all calls to our WebAPI application. We use this to stay compliant with HITRUST. We designed a plugin to use with AlienVault to track all of these calls with custom attributes. It works great. It also had the added benefit of monitoring our network, which yielded surprising results (such as an outside penetration attempt which allowed us to take action). As much as I love this tool, it does have its caveats: it is not easy to maintain and has a steep learning curve. Once you pick it up, it is easy to maintain thereafter and rarely has any hiccups.
  • Monitors the network for various attack vectors. We were notified of an attack vector via Remote Desktop where we were able to take action and close up those ports.
  • It was able to handle the thousands of messages (syslog) it was receiving from both our API web servers.
  • The search needs to be better polished as it makes it difficult to search by multiple parameters (i.e. we have custom user fields and we wanted to search by two fields, and it does not allow us to do so).
  • The steep learning curve is a big stumbling block. The UI needs to be more polished and easier to use. Perhaps having basic and advanced screens.
  • There should be an easier way to bump up the mysql connection pool without having to jailbreak to the command prompt and modify the configurations. We initially were constantly getting a "Too many connections" error, but once I bumped up the connection pool limit, the problem went away. It would've been nice if we could do this from the UI.
It's great for network security as it caught some things we missed and we were able to remedy them immediately. However, I am not sure it would be well suited for log collection as the search functionality is very limited. We wanted to do event correlation and kept hitting issues and had to open support tickets repeatedly to get any progress (and as of this date, we still do not have a remedy). In spite of these issues, we would still recommend it.
Score 7 out of 10
Vetted Review
Verified User
Incentivized
We are currently using AlienVault Unified Security Management for our infrastructure security needs. Both our servers and end users are being scanned with the integrated OpenVAS scanner. All traffic is being analyzed from our Palo Alto firewalls and all servers have the FIM agent installed. We are also using the system to store NetFlow data.
  • Traffic Analysis
  • OTX feed intelligence
  • File Integrity Monitoring
  • Threat Scanning
  • Asset Management depends too much on DNS
  • Threat scanner could have more functionality
For small and medium sized businesses the AlienVault Unified Security Management SIEM can be a great fit. Installation and configuration was on par with or easier than other more expensive systems. Larger organizations with additional infosecurity staff might find the system's lack of customization a bit of a hindrance. Overall the product is sound and has made great strides in the 5.x version.
Philip D | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
AlienVault is used in the classroom in a college environment to acclimate students to the product before they go out in the field and use it in a production environment. We have several students in our Baccalaureate program that are using the product in their current jobs. Some students are going on to internship positions where the company is using AlienVault as a main product in a NOC environment. Currently, AlienVault is a dashboard utility in our classroom where students can see the product, get excited about the product, use the product, and gain knowledge of the product without fear of breaking something in a production environment. This hands-on approach is a win-win situation for Pittsburgh Technical College and future employers.
  • Dashboards.
  • Using trends in industry such as OTX pulses.
  • The alarms are easy to track and start an investigation.
  • More graphs like PRTG.
  • More hands on labs.
  • A faster learning curve.
The college is relatively new to the product, so students are learning as well as instructors to see what the product can do. Our board of advisers for Information Technology and Security Forensics were pleased that we were using AlienVault in the classroom environment. They were willing to show the full potential of AlienVault.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Alienvault USM is being used as our main log collection and correlation engine. As we are a relatively small company, IT resources from all parts of the company feed into the USM. The main business problem it solved is insight into network and user activity along with the benefit of having applied threat intelligence through the OTX.
  • The price point is amazing.
  • Directives are highly customizable.
  • The open threat exchange is quite valuable as an open threat and IOC exchange.
  • The UI has a bit of a learning curve.
  • I would recommend a strong Linux background if you are going to do any custom plugins or directives.
  • Some events are fairly generic in terms of naming convention, which can require more hands on investigation.
Since we are a relatively small company, cost is a huge factor. When we were looking into entering the SIEM market, the price point of AlienVault couldn't be beat. Out of the several solutions we looked at, AlienVault was by far the most reasonably priced. From my experiences thus far, AlienVault would be most appropriate in a small to medium size environment, as it won't cause your finance department to run away screaming when compared to the price point of competitors.
Score 10 out of 10
Vetted Review
Verified User
Incentivized
We use Alien Vault USM to perform security log reviews. We have used general log collection software in the past but really needed to move beyond log collection to log inspection with intelligent alerting out of the box. We're a very small shop so we needed a SIEM tool that was easy to install, configure, and use. We also needed relevant alerts out of the box. We are at the point where we do receive alerts with actionable information.
  • Built in correlation and directive rules. This fits the out of the box need.
  • Ease of use. Of the four SIEM tools we investigated, Alien Vault was the only one to show in a demo how easy it was to use. Others made promises but Alien Vault showed proof. That has continued in our experience as well.
  • Solid 3rd party monitoring and professional services. The company that performed the install was excellent. They helped us work through some configuration issues in our environment. We also decided to utilize a 3rd party for 24/7 monitoring and they have been excellent and responsive as well.
  • Frequent improvements. Alien Vault appears dedicated to improving its product. In the relatively short time we've had it in place we have received several updates to features and functionality.
  • The ad hoc search feature doesn't always return relevant results. Some of this may be a learning curve but some default queries would be helpful.
  • Nothing else to really add. We've been very impressed with it so far.
Any small to medium sized business would be a perfect fit if they're in the market for a SIEM tool. Its ease of setup and use make it particularly well suited to those environments. I'm not sure about larger businesses and enterprises simply because we haven't had to scale it that large. But, it's at least worth a look. SIEM tools can be extremely complex to install and manage. With tighter budgets we couldn't afford 2-3 people to manage a SIEM tool for us, much less around-the-clock monitoring. Alien Vault gives a full-featured SIEM that we're able to use ourselves when we have time but allows us to afford 3rd party monitoring for the 24/7 security of knowing that critical activities will be seen and responded to.
Score 6 out of 10
Vetted Review
Verified User
Incentivized
We use AlienVault Unified Security Management (USM) to correlate logs from our various departments' own SIEM tools. We do not use USM as our master logger, but to pick out security concerns from all our other log management tools. We also have a few systems logging to USM directly. It provides us visibility into our vulnerabilities by performing scans and by looking for malicious patterns in network traffic.
  • It has a good dashboard that provides a good sense of our overall security posture.
  • It ties in well with emerging threats via its Open Threat Exchange system.
  • It does a good job finding users out of compliance with our external VPN/Proxy policies.
  • USM is great at identifying malicious network behavior.
  • There is a big learning curve to the user interface. Once learned, its complexity makes it powerful.
  • There are no alerts for system configuration issues, such as full disks on the USM itself.
  • There is no automatic offloading and archiving of old logs from the USM to an archival disk system. I have to manually SCP old logs off monthly.
It's well suited if your environment already has good log collection, and if you have the ability to TAP network traffic for your campus. It can be hard to implement if you have to convince everyone to send you their logs, or if you don't have equipment already in place for network TAPs, as those can be expensive.
July 22, 2016
Basic review of AV
Marc Roche, MBA, CISSP, CCSP | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
It is our primary SIEM tool that is leveraged by the IT and security teams. It is centrally located within our network, hosted on a VM cluster, which made it really easy to get set up. It solves the need to have data consolidated into one platform that will alert the team to anomalies, by connecting to all my network devices and learning what is normal and what is suspicious.
  • Alarms dashboard provides a great overview of all alerts, makes it easy to see what I need to focus on and what is noise
  • Easily connects to all my desktops/servers using the HIDS agent, makes it simple to get set up
  • As a solution, it was relatively cheap in comparison to its competitors.
  • Does not play well with CheckPoint firewalls, this has been a major pain point for me
  • Would be great if there was a quick way to dismiss normal activity
This product is best suited to smaller firms that just need the basics up and running quickly. Interface is intuitive so no need for major training to get yourself up and running and protecting your firm in a matter of hours. Relatively low ongoing maintenance, which suits smaller firms with small IT teams.
Not suited to environments that are not covered by standard plug-ins, such as a heavy CheckPoint firewall environment, unless you have some coders on your team that can write the necessary code to program the AV to read input data.