Item: AlienVault OSSIM
Rating: 10
Author: Matthew Frederickson

Use Cases and Deployment Scope

Anyone who works in a K12 public school district knows you have just as many threats inside your network as outside. Think about it, what else do 7 through 12 graders have but time and curiosity? I've set this up on my perimeters at each of my high schools and middle schools, and again at the district level. My goal is to watch the traffic and devices inside each building and also across the buildings. We use it daily to monitor for unusual activity, devices, or strange "stuff" on our network.

Pros and Cons

Scan network for anomalies once you've established a baseline.
Excellent job of showing unusual connections or file transfers
Excellent job of showing the health of network, congestions, etc.

It only comes with 10 canned reports. These reports are good, but a little more flexibility would be nice. The data is stored in a database, so it is possible to roll your own reports, just very clunky.
Log ingestion. The OSSIM product doesn't have a separate log server, so you either have to have a really, really beefy system to do both analysis and log ingestion, or just do log ingestion with something else.
Aggregation of data. Actually, it does this really well, but if you have more then two sites, it can slow your analysis down a little.

Return on Investment

It's free, so a very positive impact. Most products out there are in the thousands of dollars, and for a K12 School District, money is always tight.
It allowed me to actually gain invaluable insight.

Alternatives Considered

Darktrace and FortiSIEM

Best bang for the buck. Darktrace did not perform even close to AlienVault. I ran them concurrently. AlienVault consistently found issues that Darktrace didn't pick up, and the Darktrace incidents were false positives. At one point, Darktrace stated I had 2,000 servers and I have 112.

FortiSIEM is an awesome package but it's more then I need (or can afford). I would need to add staff, for at least the first year or so, just to get it setup and configured correctly.

Support Rating

Everytime I had a question, they were very willing to help. Not that I called often.

Key Insights

Do you think AlienVault OSSIM delivers good value for the price?

Yes

Are you happy with AlienVault OSSIM's feature set?

Yes

Did AlienVault OSSIM live up to sales and marketing promises?

Yes

Did implementation of AlienVault OSSIM go as expected?

Yes

Would you buy AlienVault OSSIM again?

Yes

Likelihood to Recommend

AlienVault OSSIM is an excellent starter SIEM—you have a fully functioning SIEM in a few hours (installs in less than one, but takes a few to configure, based on your network). The insight you get, immediately is worth the time setting it up. If you are willing to invest some more time, you can fine tune it to really provide deep insight into your network. I really love that it is still free (was nervous when AT&T bought AlienVault).

Each of MyBuildings is routed back to the core - reduces overall traffic and adds one more layer to the network for security reasons. So having an "eye" in each building is necessary at this point. Not sure what I would do if I had to stop using them. The only other thing I plan on doing, in the process of rolling it out right now, is to add some netflow analysis.

AlienVault OSSIM: Best Bang for Your Buck Hands Down!

Overall Satisfaction with AlienVault OSSIM