I'm Not Saying it's Aliens, but it's AlienVault.
Updated September 01, 2017

Anonymous | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Software Version

5.1.1

Overall Satisfaction with AlienVault USM

We currently use AlienVault as our IDS, HIDS, FIM, vulnerability scanning, log storage, SIEM, and incident response solution at Save Mart Supermarkets. It is also used in a lesser degree for asset inventory within specific areas of our company. It was purchased primarily in order to help us comply with PCI (the main driver behind purchasing AlienVault) and for security in general. The Networking and Security team are the primary users of this tool but it is used to monitor across the entire enterprise.
  • AlienVault has a broad selection of tools all within the same user interface. We have been able to cover several security needs with one product that previously were done with several different tools. This has made it a lot easier to manage, as we have to learn one tool rather than many different tools. It was also much more cost-effective than it would have been buying a multitude of point products. AlienVault enabled smoother compliance with PCI because we were able to get many of the required security controls in place more easily. In our particular case this was especially because of using the vulnerability scanning, file integrity/host intrusion detection, and network intrusion detection modules within AlienVault.
  • I have always had excellent experience with AlienVault's support. Any issue I have had, they worked with me to resolve quickly. I have also had the opportunity to speak to several individuals within AlienVault to discuss problems I have had with the product or features that I would like to see. They have always listened to me, and almost all of the things that I wanted to see have actually been added to the product in the time I have used it. It has improved considerably over the year that I have been using AlienVault. I am quite happy with the ability to give feedback that I know is listened to. In fact I consider this to be one of the best things about this product. It is pretty solid and has quite a bit of usefulness to begin with, but no product is ever perfect. We are all aware of products that don't live up to marketing hype. Which of course means having a company that listens to feedback is very important, so they can constantly improve and refine their solution.
  • Complete access to the underlying OS. I am not particularly fond of products that limit access to all aspects of the product. It is one thing to have proprietary code; it is another to limit root or admin access to a box your company paid for. In AlienVault you can get into the command line anytime you want (it is built on a Linux OS). If you need to do some troubleshooting for which the UI is simply not sufficient, you can! There are issues that I have resolved with support that now I can resolve entirely on my own, because I retain the same capabilities to fix the problem that they have (for support issues it is really a lack of knowledge on my part rather than a lack of capability). I have had bad experiences with products that require calling support and waiting for them to do something.
  • OTX (Open Threat Exchange) went from something that was merely interesting and possibly useful to something that is extremely interesting and very useful for incident response. It has a lot of really good information on the many threats that you would see out in the world. It is really handy in order to hone in on the threats that actually matter to you (plus ignoring threats that do not matter). In our case POS (point of sale) malware represents the greatest current threat. I now have a good idea of the kind of POS malware there is. AlienVault will correlate all of the data from OTX, so you will know if any behavior from any of the threats listed in OTX can be found in your environment.
  • I have had several "teething" issues with AlienVault. While I have been able to resolve pretty much all of them with support, they were irritating to deal with. Resolving certain issues has required fixes that sometimes took hours. None of them were crippling or extremely serious, but I have run into enough of them that it was a problem. These ranged from issues with the local backups taking up way too much space because they did not rotate properly to issues with the asset inventory database.
  • Performance issues have been a problem, especially earlier. Sometimes pulling data from the event log is very slow, to the point of being unusable. It has improved considerably, as not too long ago they upgraded their back-end database, which increased performance in a very noticeable way. I personally would like to see a much faster way to look through individual events. It can take a while to look through several of them. It keeps improving, but they definitely have some room to grow here.
  • I do not like dealing with the plugins for data. Some of this could be merely my lack of ability in log reading and writing filters, but the feature I want to see most improved is how you use plugins within AlienVault. It can definitely be streamlined and made more user-friendly. I buy tools like this so I do not have to write my own correlation rules and log interpretation filters. It is certainly usable, but kind of clunky.
I would argue AlienVault Unified Security Management could fit almost any scenario. One of the main reasons to get AlienVault is so that you can solve several security "problems" in one fell swoop. Rather than buying a large number of point products, you have something that can serve many needs while reducing the amount of expertise you need to have in house. It can also make the jobs of your security team much easier by giving them something they can get a large amount of information from, all in one place.

Evaluating AlienVault USM and Competitors

Yes - Tripwire and Nessus were replaced, primarily because AlienVault could take the place of both for a reduced cost and with the same level of functionality for FIM and vulnerability scanning. Besides that, AlienVault provided much other functionality that neither of those tools possessed. AlienVault gave a single UI and point of management for various aspects of security controls. This made administration much easier, especially in comparison to Tripwire, which was an administrative burden.

AlienVault USM Implementation

Using AlienVault USM

The user interface is pretty intuitive in how to use it. The majority of the functions within AlienVault are easy to utilize without requiring you to read a large amount of documentation. Fiddling with some of the custom policies takes a bit of use to get used to, but it is not hard to do overall. I did not need to request help from support to use most things, and the times that I did were dealt with pretty easily.