Cost-effective, but you better be comfortable with the Linux command line and vi/nano
November 21, 2015

Cost-effective, but you better be comfortable with the Linux command line and vi/nano

Aaron Rothstein | TrustRadius Reviewer
Score 5 out of 10
Vetted Review
Verified User

Overall Satisfaction with AlienVault Unified Security Management

We are primarily using AlienVault Unified Security Management to enable centralized logging and event correlation across hundreds of retail locations, as well as centralized logging and event correlation for servers and network devices in our core data centers. We thought we would also use the vulnerability scanning capabilities, but we have found the vulnerability information incomplete and the scanning capabilities inadequate for canvasing all of our remote locations over VPN.
  • The deployment of the OSSEC(AlienVault HIDS) agent the basic logging and event generation got us out of the gate quickly.
  • AlienVault has a lot of out of the box parsers for popular network devices to parse system logs.
  • AlienVault has a lot of out of the box correlation sets to generate intelligent security alarms.
  • The vulnerability scanning feature is basically useless for us. There is not an easy way to see which vulnerabilities are being scanned for, and I've confirmed that monthly Microsoft updates take forever (over 30 days) to get into the definitions. We need to see them in there within a couple of days. The scanning is all done remotely (no local agent-based scanning), which requires superuser credentials to be supplied to the scanner. Because we have a lot of remote locations connected over VPN, the scans repeatedly timeout or error out. We are exploring alternative products for this need.
  • AlienVault documentation is severely lacking. When I have opened tickets with AlienVault regarding missing documentation, I am often referred to the open source project's documentation for the component they've integrated. If AlienVault wants to integrate a component and rebrand it as part of their product, they need to take the ownership of documenting how to use it within their product.
  • AlienVault requires too much "hacking" to do anything custom. The CLI has a "Jailbreak system" mode that is required for anything outside of the most vanilla configurations. In my mind something called "Jailbreak" should not be required on a daily basis. Examples of low level config include having to create custom rsyslog.d conf files to aggregate syslogs from multiple devices to a single log for parsing. Using the Web UIs per asset assignment of a plugin isn't resource efficient. Doing any sort of custom rules or plugins requires CLI modification of multiple files and the OSSIM database. It shouldn't be that hard.
We were looking at other solutions, but ultimately the sales demo we received for AlienVault looked good and was at a MUCH better price point than the alternatives we evaluated. We are also intrigued by the additional capability of vulnerability scanning.
I wouldn't recommend it for anyone that isn't comfortable messing around at the Linux command line. Basic out of the box monitoring is OK, but if you have any specialized requirements, be prepared to put in a lot of time and testing. For vulnerability scanning, if you have a lot of remote locations and can't put a sensor in each one (like a small quick-serve restaurant), don't plan on using that feature. The vulnerability reporting views are sorely lacking as well. It doesn't allow you to easily pivot and collapse views based on a node or a vulnerability.

Using AlienVault Unified Security Management

3 - IT Infrastructure & Security team.
2 - We each took a week long AlienVault course. Skills required would include a thorough understanding of network logic, Windows security logic, regular expressions (required for anything from rsyslog conf files to custom OSSIM plugins), and a security framework philosophy to guide the creation of custom directives.
  • Centralized logging and retention.
  • Event correlation.
  • Alerting.
  • Sending syslog events from our network monitoring solution to use in directive correlations for alerting.
  • If the vulnerability scanning is improved and introduced localized agent based scanning, we would explore that feature again.
The centralized logging and retention for PCI compliance was our main driver, and it is meeting that need. Otherwise there has been enough frustration with the lack of documentation and the need to customize through the CLI that I would be open to alternatives.

Evaluating AlienVault Unified Security Management and Competitors

Yes - Solarwinds LEM. We wanted more control over being able to log from custom sources, as well as retain more logs than being allowed by the hardware appliance we had.
  • Price
  • Product Features
  • Product Usability
I would have wanted to see a more extensive proof of concept or pilot demonstrating how the product would handle particular systems or aspects of our environment.

AlienVault Unified Security Management Implementation

Anything beyond a vanilla deployment will take a lot of effort.
  • Professional services company
Castra Consulting.
Change management was minimal - It was a greenfield implementation, so change management wasn't really in play.
  • The big deliverable was to enable log collection and event generation of our Meraki MX appliances and Cisco SF300 switches, neither of which had a built-in plugin. We spent all of our professional service hours having to build custom rsyslog conf files and plugins for these devices.

AlienVault Unified Security Management Support

They have helped resolve a lot of issues, but then there are cases where I am referred to look at documentation for open source components maintained by parties outside of AlienVault.
Good followup
Knowledgeable team
Kept well informed
Immediate help available
Support cares about my success
Quick Initial Response
Not Sure - Not sure if this question is about getting "premium support" for products in general, or specific to AlienVault? If it is the former, I would say it depends on what levels of support are available. Paid support is more or less a requirement so we have a "throat to choke."
Yes - Not definitively. A lot of times the suggestion is to see if the next update resolves it.
When we encountered an issue with an upgrade, AlienVault support was able to connect remotely and resolve the package dependency problems to allow us to complete the upgrade.

Using AlienVault Unified Security Management

Not enough documentation, non-descript error messages, and too much required to be done at the command line for an "appliance".
Do not like to use
Unnecessarily complex
Difficult to use
Requires technical support
Not well integrated
Slow to learn
Lots to learn
  • I can't say any of them are. Documentation is so lacking and there are not a lot of helpful hints within the UI itself.
  • I would have to say all of them. Again, lack of documentation, tutorials, etc., coupled with the lack of any sort of help indicators within the UI makes this very difficult to use without training. And then there is all of the undocumented command line work...