AlienVault USM good for your business?
Updated April 20, 2017
Score 7 out of 10
Vetted Review
Verified User
Overall Satisfaction with AlienVault USM
We are currently using AlienVault Unified Security Management for our infrastructure security needs. Both our servers and end users are being scanned with the OpenVAS integrated scanner. All traffic is being analyzed from our Palo Alto firewalls and all servers have the FIM agent installed. We are also using the system to store NetFlow data.
Pros
- Traffic Analysis
- OTX feed intelligence
- File Integrity Monitoring
- Threat Scanning
Cons
- Asset Management depends too much on DNS
- Threat scanner could have more functionality
- McAfee Nitro and RSA enVision
The AlienVault Unified Security Management is much more affordable than the above-mentioned products. Installation and configuration are simplistic and provide much of the same dashboards and raw log viewing. The AlienVault USM does not include extra parts such as specific database connectors or the "events per second" of the bigger products, but sometimes that isn't needed.
Using AlienVault USM
2 - The infosecurity team utilizes the AlienVault USM system.
2 - We have not yet developed the proper logging and alerting protocols to support a "NOC" operation. Our company is working on maturing the product with additional logging sources and enhanced intelligence triggers.
- Log Analysis
- File Integrity Management
- Threat Scanning
- Alerting on large file transfers from NetFlow
- Asset Management
- Enhanced Threat Management
Evaluating AlienVault USM and Competitors
Not Sure
- Price
- Product Features
- Positive Sales Experience with the Vendor
The ease of setup and price were the two biggest factors in the purchase. During our selection process the AlienVault sales team was very responsive to our questions. The sales team also involved the tech support folks to help troubleshoot an issue we had with agentless FIM and Linux systems to help finalize our purchase. The dashboard was easy for all team members to understand, and automated reporting helps keep an eye on what is going on in the environment.
At the time the AlienVault system was the right choice, as it provides an easy transition to a SIEM product without the high prices and complicated setup. During our decision process no other vendor provided us with actual tech support during the POC process. I would not change my decision from a year ago. The newest version of AlienVault, 5.x, has vastly improved the capabilities of the SIEM with speed and usability improvements.
AlienVault USM Implementation
- Implemented in-house
Yes - We had also purchased a few remote sensors with the AlienVault USM product. Our first phase was the USM with basic log analysis and raw data retention. The second phase was setting up the asset management correctly. The third phase was setting up network scanning with the primary threat scanner. The fourth phase was setting up FIM (File Integrity Monitoring). The fifth and final phase was onboarding the remote sensors for remote FIM (File Integrity Monitoring) and scanning for additional VLANs.
Not sure - As far as I know, "change management" had no impact on implementing the AlienVault USM system. We just had to forward logs to the system from the firewalls and do "agentless" FIM monitoring, so they had very minimal impact. Threat scanning did require a change management ticket to get initially set up and give everyone a heads-up.
- File Integrity Monitoring -- Agent Rollout
- Disk IO during logger rollout
AlienVault USM Training
- Online training
- In-person training
- Self-taught
The key to the system is logging sources; enabling the plugins and watching the data flow into the SIEM is quite easy. The asset management setup was easy: just identify your networks and set up a basic asset scan, all in a wizard-like approach. The other easy setup was an unauthenticated scan of your internal networks, as most of the information provided in the asset scan is used to set up a threat scan.
Configuring AlienVault USM
The best recommendation would be to understand the correlation (called intelligence) menu. Without further customization the AlienVault USM will only have limited functionality for alerts. This really isn't a knock on AlienVault, as many of the other SIEM vendors require high-touch analysis configuration. Another recommendation would be to understand and properly size your AlienVault USM, as not doing so could lead to missed or late-arriving events. Sensors can help distribute the load.
No - there is no facility to customize the interface
Yes - we have added extensive custom code - We needed some additional functionality and integration with another security product. This is not a very easy thing to do, as each version of AlienVault USM will require us to push our code back to the box. There is no documented API, which is a shame as integration will get the system a longer shelf life at our business.
We have done some customization via the command line, such as Puppet and NetFlow parsing. This unfortunately means we cannot upgrade the system as easily as we would like. This is also true for many of the other SIEM providers, but it would be nice to see the AlienVault USM be more friendly towards customization.
AlienVault USM Support
Pros | Cons
---|---
Quick Resolution | None
Good followup |
Knowledgeable team |
Problems get solved |
Kept well informed |
No escalation required |
Immediate help available |
Support understands my problem |
Support cares about my success |
Quick Initial Response |
Yes - We pay for the very quick turnaround with issues of our AlienVault system. I am very satisfied with the amount of knowledge the support staff have, as they have to be trained in the multiple software technologies that make up the entire AlienVault system. The price for premium support is very affordable and is well worth it.
We currently have an issue with a firewall sending too many "events per second". The tech support person did a lot of research on how to remediate the problem and took it upon himself to escalate the ticket to the developer team. We now have a phone call lined up with a developer so he can better understand the problems we are facing with a single source of too many "events per second".
Using AlienVault USM
Pros | Cons
---|---
Like to use | None
Relatively simple |
Easy to use |
Consistent |
Quick to learn |
Convenient |
Feel confident using |
Familiar |
- Reviewing Alerts
- Dashboard graphs
- File Integrity Monitoring
- Menu systems
- Threat menu and scheduling
- OTX maps
- NetFlow setup
- Advanced Threat Management
- Asset Management
- File Integrity agent setup
- Correlation Event setup
AlienVault USM Reliability
Integrating AlienVault USM
- SocVue software
- ELK (Elasticsearch, Logstash and Kibana)
Integration has been very difficult without an official API. We have it mostly working, but we are apprehensive about upgrading the system for fear of breaking integration with the products mentioned above.
Our other vendors do support integration with API keys for Grafana, Elasticsearch, Logstash and Kibana. AlienVault USM only offers direct database access, or you end up having to detect and decode the API yourself.
- File import/export
- API (e.g. SOAP or REST)
Direct database access is also used to integrate with our ELK (Elasticsearch, Logstash and Kibana) stack. This has not been easy without an API key. We are also using the file import/export to get data from our 3 scan engines into the ELK stack for better correlation with other third-party devices.
My overall opinion as of AlienVault USM 5.2 is to not integrate with other products. As long as you stay within the painted lines, the AlienVault USM works quite well for most of our needs. For advanced correlation you might need to look elsewhere or put in additional feature requests to get a real documented API in a future release.
Relationship with AlienVault
Our terms for training and price were met with very little bartering. It is nice to get some online training thrown in with a large purchase of your AlienVault USM; it can help with the onboarding of new employees. The overall purchase was discounted fairly and did not require us to spend weeks haggling over price.
We are completely satisfied with the AlienVault sales team. I would just recommend being honest with them about timelines and prices; I am sure they will work with you to make the AlienVault USM happen. At certain times of the year (year end) the discounts could be higher, so it could be worth the wait!
Upgrading AlienVault USM
Yes - We have upgraded from version 3.x to 4.x and recently from 5.x. Each one of the major upgrades went without issue and had only 10-15 minutes of downtime. This is much better than most of the other SIEM vendors, where an upgrade could lead to hours of downtime unless you have clustered systems. Remote sensors store the logs while the database is being updated. The database update takes the longest, but it is completely "hands off" and, as long as you pass the free disk space check, is seamless.
- Performance
- Dashboard
- Log Analysis
- Documented API
- Asset management
- Better plugin correlation support
Yes - during our POC we started off with the "free" version of AlienVault USM. For the first month we stayed with the free version to better understand the limitations and features of the product. The paid version is well worth the money for the speed improvements and phone tech support. The technicians can save you many hours of time; their troubleshooting skills are top notch.