Cost-effective, but you better be comfortable with the Linux command line and vi/nano
Overall Satisfaction with AlienVault Unified Security Management
We are primarily using AlienVault Unified Security Management to enable centralized logging and event correlation across hundreds of retail locations, as well as centralized logging and event correlation for servers and network devices in our core data centers. We thought we would also use the vulnerability scanning capabilities, but we have found the vulnerability information incomplete and the scanning capabilities inadequate for canvassing all of our remote locations over VPN.
Pros
- The deployment of the OSSEC (AlienVault HIDS) agent and the basic logging and event generation got us out of the gate quickly.
- AlienVault has a lot of out-of-the-box parsers for popular network devices to parse system logs.
- AlienVault has a lot of out-of-the-box correlation sets to generate intelligent security alarms.
Cons
- The vulnerability scanning feature is basically useless for us. There is not an easy way to see which vulnerabilities are being scanned for, and I've confirmed that monthly Microsoft updates take forever (over 30 days) to get into the definitions. We need to see them in there within a couple of days. The scanning is all done remotely (no local agent-based scanning), which requires superuser credentials to be supplied to the scanner. Because we have a lot of remote locations connected over VPN, the scans repeatedly time out or error out. We are exploring alternative products for this need.
- AlienVault documentation is severely lacking. When I have opened tickets with AlienVault regarding missing documentation, I am often referred to the open source project's documentation for the component they've integrated. If AlienVault wants to integrate a component and rebrand it as part of their product, they need to take the ownership of documenting how to use it within their product.
- AlienVault requires too much "hacking" to do anything custom. The CLI has a "Jailbreak system" mode that is required for anything outside of the most vanilla configurations. In my mind something called "Jailbreak" should not be required on a daily basis. Examples of low-level config include having to create custom rsyslog.d conf files to aggregate syslogs from multiple devices into a single log for parsing. Using the Web UI's per-asset assignment of a plugin isn't resource efficient. Doing any sort of custom rules or plugins requires CLI modification of multiple files and the OSSIM database. It shouldn't be that hard.
We were looking at other solutions, but ultimately the sales demo we received for AlienVault looked good and was at a MUCH better price point than the alternatives we evaluated. We are also intrigued by the additional capability of vulnerability scanning.
Using AlienVault Unified Security Management
3 - IT Infrastructure & Security team.
2 - We each took a week long AlienVault course. Skills required would include a thorough understanding of network logic, Windows security logic, regular expressions (required for anything from rsyslog conf files to custom OSSIM plugins), and a security framework philosophy to guide the creation of custom directives.
- Centralized logging and retention.
- Event correlation.
- Alerting.
- Sending syslog events from our network monitoring solution to use in directive correlations for alerting.
- If the vulnerability scanning is improved and localized agent-based scanning is introduced, we would explore that feature again.
Evaluating AlienVault Unified Security Management and Competitors
Yes - SolarWinds LEM. We wanted more control over being able to log from custom sources, as well as retain more logs than was allowed by the hardware appliance we had.
- Price
- Product Features
- Product Usability
Price.
I would have wanted to see a more extensive proof of concept or pilot demonstrating how the product would handle particular systems or aspects of our environment.
AlienVault Unified Security Management Implementation
- Professional services company
Castra Consulting.
Change management was minimal - it was a greenfield implementation, so change management wasn't really in play.
- The big deliverable was to enable log collection and event generation of our Meraki MX appliances and Cisco SF300 switches, neither of which had a built-in plugin. We spent all of our professional service hours having to build custom rsyslog conf files and plugins for these devices.
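The rsyslog.d work mentioned in the Cons and in the implementation notes above, as an added illustration that is not the reviewer's own configuration: one rsyslog drop-in that accepts remote syslog and routes each device family into a single file for a custom plugin to parse. The file path, listener port, sample addresses and hostname prefix are constructed assumptions, and how a given USM version expects plugins to consume the file is not covered by this review.

```conf
# /etc/rsyslog.d/10-retail-devices.conf   (constructed example; path is an assumption)
# Accept syslog from remote devices on 514/udp (port is an assumption)
module(load="imudp")
input(type="imudp" port="514")

# Keep the raw line intact so a regex-based plugin sees exactly what the device sent
template(name="rawline" type="string" string="%rawmsg%\n")

# Meraki MX appliances: matched by sending address (192.0.2.x are documentation
# addresses used here as constructed samples), aggregated into one log file.
# "stop" prevents the same line also landing in the general syslog.
if ($fromhost-ip == '192.0.2.10' or $fromhost-ip == '192.0.2.11') then {
    action(type="omfile" file="/var/log/meraki-mx.log" template="rawline")
    stop
}

# Cisco SF300 switches: matched by the hostname prefix in the message header
# (prefix "sf300-" is an assumption about the site naming scheme).
if ($hostname startswith 'sf300-') then {
    action(type="omfile" file="/var/log/cisco-sf300.log" template="rawline")
    stop
}
```

Matching on $fromhost-ip rather than $hostname is the safer choice when devices are trusted by address, since the header hostname is whatever the sender put there.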
AlienVault Unified Security Management Support
Pros | Cons
---|---
Good follow-up | None
Knowledgeable team |
Kept well informed |
Immediate help available |
Support cares about my success |
Quick initial response |
Not Sure - Not sure if this question is about getting "premium support" for products in general, or specific to AlienVault? If it is the former, I would say it depends on what levels of support are available. Paid support is more or less a requirement so we have a "throat to choke."
Yes - Not definitively. A lot of times the suggestion is to see if the next update resolves it.
When we encountered an issue with an upgrade, AlienVault support was able to connect remotely and resolve the package dependency problems to allow us to complete the upgrade.
Using AlienVault Unified Security Management
Pros | Cons
---|---
None | Do not like to use
 | Unnecessarily complex
 | Difficult to use
 | Requires technical support
 | Not well integrated
 | Inconsistent
 | Slow to learn
 | Cumbersome
 | Lots to learn
- I can't say any of them are. Documentation is so lacking and there are not a lot of helpful hints within the UI itself.
- I would have to say all of them. Again, lack of documentation, tutorials, etc., coupled with the lack of any sort of help indicators within the UI makes this very difficult to use without training. And then there is all of the undocumented command line work...