Overall Satisfaction with AlienVault USM
AlienVault Unified Security Management is deployed for part of our network, and is used to monitor network devices and a few servers with HIDS deployed. We do plan to deploy it across the entire organization very soon. It gives insight into which assets are present in the network, which are otherwise not known since we do not use any asset management tools. It also gives a good picture of our network through NetFlow. HIDS is a very useful and powerful tool which reports all activities and any suspicious behavior at the host level. It all works together in very good synergy. Reports and alerts are provided which are very useful for managing the security posture of the network.
- AlienVault Unified Security Management is very flexible to configure and can collect information from devices, even those unknown to it, via custom plugins. It can be highly customized to suit each organization's requirements.
- Open Threat Exchange (OTX) is a very important and useful feature which helps trace a malicious IP's reputation back to its origin, so the intent is clearly visible when analyzing security events. Pulses and IOCs are very interesting and useful as well.
- Reporting is very good; it has a wide variety of options to choose from, though the output format could be improved.
- Policies and actions can be very useful for fine tuning the system.
- The ticketing system could be improved, and integration with external ticketing systems could be made easier.
- Reports could be output in a number of formats, such as MS Office, etc.
- Creation of new policies could be offered directly from the SIEM or Events page. This would help pre-populate the data fields required to treat events as false positives or to write actions for particular events. Currently, all the data fields have to be noted down and entered manually in the policy fields, which can sometimes be error-prone.
The AlienVault Unified Security Management solution is extremely flexible and customizable when compared to other SIEM tools such as Splunk, HP ArcSight, LogRhythm, etc. The log collectors supported by most SIEM tools are fairly limited, and writing new collectors sometimes involves a lengthy and costly process. In the case of AlienVault Unified Security Management, custom plugins can be written by end users with the specific skills. Most of the other SIEM tools may or may not include features such as vulnerability management, asset management, HIDS, NIDS, threat detection, etc. AlienVault Unified Security Management provides all of these features and hence is a single pane of glass to manage the security needs of the organization in an extremely effective manner.
I think it is very well suited as a SIEM tool. In scenarios where network monitoring using both log collection and a Network Intrusion Detection System is required, and correlation of events is required, AlienVault Unified Security Management is an excellent fit. It addresses the security, audit and compliance monitoring of networks very effectively. Of course, tuning is the most important part in the case of any SIEM, and that is true with AlienVault Unified Security Management as well, but it provides options to filter events at the source or at the processing stage, and also to redirect, drop or directly store events as per the organization's information security policies. The security analysis process is very well defined. Of course, every analyst will have his own style of investigation, but AlienVault Unified Security Management is definitely a value addition.
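The review mentions twice (in the pros list and in the comparison with other SIEMs) that unknown devices can be brought into USM by writing custom plugins. The following is an added example, not code from the reviewer or from AlienVault: a small Python dry-run harness that loads a plugin `.cfg` written in the AlienVault/OSSIM plugin style and runs its rules over sample log lines, so you can check which lines would be normalized and which fields would be extracted before deploying the plugin to the agent. Everything in it is an assumption for illustration: the application name `acmeapp`, `plugin_id` 9001 (check your version's documented range for custom plugin IDs), the two rule sections, and the constructed log lines. It emulates only the subset of the format needed for this check (the `regexp` with named groups and `{$name}` field references); the real agent also handles date normalization, `resolv()`, `translate()` and the regex macros, which are deliberately not used here.

```python
"""Dry-run an AlienVault/OSSIM-style custom plugin .cfg against sample log lines.

Added example; not the reviewer's or AlienVault's code. It emulates only
the regexp + {$field} mapping subset of the plugin format so a rule can be
sanity-checked offline before it is installed on the USM sensor/agent.
"""
import configparser
import re

# Hypothetical plugin for a made-up application "acmeapp" (assumption).
# plugin_id 9001 is an assumed value; verify the custom-plugin ID range
# documented for your USM version before reusing it.
PLUGIN_CFG = r"""
[DEFAULT]
plugin_id=9001

[config]
type=detector
enable=yes
source=log
location=/var/log/acmeapp.log

[acmeapp - login failed]
event_type=event
regexp="^(?P<date>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+acmeapp\[\d+\]:\s+login failed user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
date={$date}
device={$host}
plugin_sid=1
src_ip={$src}
username={$user}

[acmeapp - login ok]
event_type=event
regexp="^(?P<date>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+acmeapp\[\d+\]:\s+login ok user=(?P<user>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
date={$date}
device={$host}
plugin_sid=2
src_ip={$src}
username={$user}
"""

# Constructed sample lines (not real logs); the third one should not match.
SAMPLE_LOG = [
    "Mar  3 10:15:01 app01 acmeapp[2231]: login failed user=alice src=10.0.0.5",
    "Mar  3 10:15:07 app01 acmeapp[2231]: login ok user=alice src=10.0.0.5",
    "Mar  3 10:16:42 app01 acmeapp[2231]: config reloaded",
]

# A field value of the form {$name} refers to a named group in the regexp.
FIELD_REF = re.compile(r"^\{\$(\w+)\}$")


def load_rules(cfg_text):
    """Parse the .cfg and return (plugin_id, [(rule_name, compiled_regex, field_map)])."""
    cp = configparser.ConfigParser(interpolation=None)  # '$' and '%' must stay literal
    cp.read_string(cfg_text)
    plugin_id = int(cp["DEFAULT"]["plugin_id"])
    rules = []
    for name in cp.sections():
        if name == "config":
            continue
        sec = cp[name]
        if sec.get("event_type") != "event":
            continue
        pattern = re.compile(sec["regexp"].strip('"'))
        # [DEFAULT] keys (plugin_id) are inherited by every section; drop them.
        mapping = {k: v for k, v in sec.items()
                   if k not in ("regexp", "event_type", "plugin_id")}
        rules.append((name, pattern, mapping))
    return plugin_id, rules


def normalize(line, plugin_id, rules):
    """Return the normalized event for the first matching rule, or None."""
    for name, pattern, mapping in rules:
        m = pattern.search(line)
        if not m:
            continue
        event = {"plugin_id": plugin_id, "rule": name}
        for field, expr in mapping.items():
            ref = FIELD_REF.match(expr)
            event[field] = m.group(ref.group(1)) if ref else expr  # literal otherwise
        return event
    return None


def dry_run(lines, cfg_text=PLUGIN_CFG):
    """Split lines into normalized events and lines no rule matched."""
    plugin_id, rules = load_rules(cfg_text)
    matched, unmatched = [], []
    for line in lines:
        ev = normalize(line, plugin_id, rules)
        if ev is None:
            unmatched.append(line)
        else:
            matched.append(ev)
    return matched, unmatched


if __name__ == "__main__":
    events, leftovers = dry_run(SAMPLE_LOG)
    for ev in events:
        print(ev)
    for line in leftovers:
        print("UNMATCHED:", line)
```

The unmatched list is the part worth looking at: every line the agent cannot normalize is either noise you should filter at the source (as the review notes, USM lets you drop events before processing) or a message type that still needs a rule with its own `plugin_sid`.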