Cost-effective, but you better be comfortable with the Linux command line and vi/nano
Source: https://www.trustradius.com/security-information-event-management-siem
Product: AlienVault USM
November 21, 2015
Score 5 out of 10
Overall Satisfaction with AlienVault Unified Security Management
We are primarily using AlienVault Unified Security Management to enable centralized logging and event correlation across hundreds of retail locations, as well as centralized logging and event correlation for servers and network devices in our core data centers. We thought we would also use the vulnerability scanning capabilities, but we have found the vulnerability information incomplete and the scanning capabilities inadequate for canvassing all of our remote locations over VPN.
- The deployment of the OSSEC (AlienVault HIDS) agent and the basic logging and event generation got us out of the gate quickly.
- AlienVault has a lot of out of the box parsers for popular network devices to parse system logs.
- AlienVault has a lot of out of the box correlation sets to generate intelligent security alarms.
- The vulnerability scanning feature is basically useless for us. There is not an easy way to see which vulnerabilities are being scanned for, and I've confirmed that monthly Microsoft updates take forever (over 30 days) to get into the definitions. We need to see them in there within a couple of days. The scanning is all done remotely (no local agent-based scanning), which requires superuser credentials to be supplied to the scanner. Because we have a lot of remote locations connected over VPN, the scans repeatedly time out or error out. We are exploring alternative products for this need.
- AlienVault documentation is severely lacking. When I have opened tickets with AlienVault regarding missing documentation, I am often referred to the open source project's documentation for the component they've integrated. If AlienVault wants to integrate a component and rebrand it as part of their product, they need to take the ownership of documenting how to use it within their product.
- AlienVault requires too much "hacking" to do anything custom. The CLI has a "Jailbreak system" mode that is required for anything outside of the most vanilla configurations. In my mind, something called "Jailbreak" should not be required on a daily basis. Examples of low-level config include having to create custom rsyslog.d conf files to aggregate syslogs from multiple devices into a single log for parsing. Using the Web UI's per-asset assignment of a plugin isn't resource efficient. Doing any sort of custom rules or plugins requires CLI modification of multiple files and the OSSIM database. It shouldn't be that hard.
We were looking at other solutions, but ultimately the sales demo we received for AlienVault looked good and was at a MUCH better price point than the alternatives we evaluated. We are also intrigued by the additional capability of vulnerability scanning.
I can say that the SIEM functionality is better than the previous technology I have used. I find the different tiers of Alarms/SIEM Events/Raw Logs to be effective in elevating the signal above all the noise. The alarms that have been generated in our environment have given us valid scenarios to investigate.
I would say we have achieved this benefit, but expanding the capability of the system to include new sources of information is a painful undertaking.
I wouldn't recommend it for anyone that isn't comfortable messing around at the Linux command line. Basic out of the box monitoring is OK, but if you have any specialized requirements, be prepared to put in a lot of time and testing. For vulnerability scanning, if you have a lot of remote locations and can't put a sensor in each one (like a small quick-serve restaurant), don't plan on using that feature. The vulnerability reporting views are sorely lacking as well. It doesn't allow you to easily pivot and collapse views based on a node or a vulnerability.
Using AlienVault Unified Security Management
2 - We each took a week long AlienVault course. Skills required would include a thorough understanding of network logic, Windows security logic, regular expressions (required for anything from rsyslog conf files to custom OSSIM plugins), and a security framework philosophy to guide the creation of custom directives.
- Sending syslog events from our network monitoring solution to use in directive correlations for alerting.
- If the vulnerability scanning is improved and introduced localized agent based scanning, we would explore that feature again.
Evaluating AlienVault Unified Security Management and Competitors
Yes - Solarwinds LEM. We wanted more control over being able to log from custom sources, as well as to retain more logs than the hardware appliance we had allowed.
AlienVault Unified Security Management Implementation
Change management was minimal - It was a greenfield implementation, so change management wasn't really in play.
- The big deliverable was to enable log collection and event generation of our Meraki MX appliances and Cisco SF300 switches, neither of which had a built-in plugin. We spent all of our professional service hours having to build custom rsyslog conf files and plugins for these devices.
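The reviewer mentions twice (in the cons list and again here) having to hand-write rsyslog.d conf files so that syslog from several devices lands in a single file that one plugin can parse. As an added illustration of what that looks like, and not a file from the review, from AlienVault, or from Cisco/Meraki, here is a minimal rsyslog fragment in the legacy syntax that older rsyslog releases accept. The file name, the source IP ranges, the template name and the output paths are all assumptions for the example; the sensor is assumed to already load imudp and listen on UDP 514.

```conf
# /etc/rsyslog.d/10-devices.conf  (example fragment; file name and addresses are assumed)
# Goal: route syslog from two device families into one file each, so a single
# custom plugin per device family can parse it, instead of one file per host.
# Template keeps the receive time, the sending IP and the original message
# (drop-last-lf strips the trailing newline some devices send, avoiding blank lines).
$template DeviceFormat,"%timegenerated% %fromhost-ip% %syslogtag%%msg:::drop-last-lf%\n"

# Assumed: all Meraki MX appliances send from the 10.1.0.0/16 range.
if $fromhost-ip startswith '10.1.' then /var/log/meraki-mx.log;DeviceFormat
# '& ~' discards the message so it is not also written to /var/log/syslog.
& ~

# Assumed: the SF300 switches sit on 10.2.0.0/16.
if $fromhost-ip startswith '10.2.' then /var/log/cisco-sf300.log;DeviceFormat
& ~
```

After dropping the file in place, restart rsyslog and confirm lines appear in the target files before pointing a plugin at them; a filter on `$fromhost-ip` is only as good as the source addressing it assumes, so a device that reaches the sensor through NAT or a VPN concentrator will show the translated address and will need its own match. Check `/var/log/syslog` as well: if messages still appear there, the discard line did not take effect and the plugin will see duplicate events.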
AlienVault Unified Security Management Support
They have helped resolve a lot of issues, but then there are cases where I am referred to look at documentation for open source components maintained by parties outside of AlienVault.
Kept well informed
Immediate help available
Support cares about my success
Quick Initial Response
Not Sure - Not sure if this question is about getting "premium support" for products in general, or specific to AlienVault? If it is the former, I would say it depends on what levels of support are available. Paid support is more or less a requirement so we have a "throat to choke."
Yes - Not definitively. A lot of times the suggestion is to see if the next update resolves it.
Using AlienVault Unified Security Management
Not enough documentation, non-descript error messages, and too much required to be done at the command line for an "appliance".
Do not like to use
Difficult to use
Requires technical support
Not well integrated
Slow to learn
Lots to learn
- I can't say any of them are. Documentation is so lacking and there are not a lot of helpful hints within the UI itself.
- I would have to say all of them. Again, lack of documentation, tutorials, etc., coupled with the lack of any sort of help indicators within the UI makes this very difficult to use without training. And then there is all of the undocumented command line work...