Great 5 Capabilities....where is the APT Button??
November 23, 2015

Great 5 Capabilities....where is the APT Button??

Anonymous | TrustRadius Reviewer
Score 7 out of 10
Vetted Review
Verified User

Overall Satisfaction with AlienVault Unified Security Management

We are an MSSP and we are using AlienVault Unified Security Management on other companies. It is being used across the whole organizations. It is addressing compliance issues, insiders, and possible advanced intrusions. We use it for hunting operations and to have a 360 view of the organizations we work with.

Pros

  • AlienVault simplifies threat detection by providing us with a quick overview of what is going on in the network.
  • It is really easy to deploy which allows us to show value to our customers right away.
  • Having AlienVault labs helps tremendously because it feels that we are not just the only team trying to create our own rules. We have other experts on the other end writing rules that we can add and put together for a more robust threat detection.
  • Reporting for compliance purposes is awesome! Having all those already well developed reports has made our lives easier!

Cons

  • I remember asking a question on one of the demos they had online and it was regarding the capability of downloading executable or malicious files being detected by the NIDS. They laughed and said that one will have to have years and years of experience to analyze those files and that's why they don't have that functionality in their solution. I don't know if the "experts" have ever heard of Remnux or Cuckoo Sandbox . Anyways, I think that it will be great specially for organizations that cannot afford an IR team. Let's keep in mind that this product is being marketed a lot for SMBs and mid-sized businesses !!
  • It will be great to see SYSMON events being pulled by the OSSEC agents automatically a soon as it gets installed on the endpoint to have real complete visibility. I havent seen that yet. I have seen projects for Parsers but to work with ELSA. It would be great to see the AlienVault team to focus on getting as much information as possible of the endpoint too to help the IR team. You guys already have agents being installed on the endpoints, why not take advantage of it and show actually processes being created, call outs being made, etc. Remember that the nice packet capture feature will not be useful with encrypted traffic. Having the extra layer of detection will be really helpful. Knowing what files are being accessed or scanning for root-kits is useful but not enough for an IR engagement. During an intrusion, you need more information. Check Carbon-Black for some ideas on how to show the KILL CHAIN ! .
  • SAAS will be GREAT TOO!
  • Live response CAPABILITIES also will be a GREAT add-on for AlienVault USM. Launching a PSSession and adding functions to DELETE FILES, DOWNLOAD IOCs and KILL PROCESSES is really easy and it will be great to have a button that we can just press and have a shell on the Endpoint. EDR is HOT right now in the industry, and I wish I had that option in my USM Dashboard.
AlienVault is way cheaper than the other products for the five capabilities that it provides. However, the market is changing a lot and there are certain features that AlienVault has to think about on their roadmap if they want to stay ahead of competition. Live Response IR capabilities will be a PLUS !!
Does the product have EDR capabilities? How deep can the product go regarding endpoint security?

Comments

More Reviews of AlienVault USM