AlienVault USM good for your business?
Updated April 20, 2017

Anonymous | TrustRadius Reviewer
Score 7 out of 10

Overall Satisfaction with AlienVault USM

We are currently using AlienVault Unified Security Management for our infrastructure security needs. Both our servers and end users are being scanned with the OpenVAS integrated scanner. All traffic is being analyzed from our Palo Alto firewalls and all servers have the FIM agent installed. We are also using the system to store net flow data.
Pros:
  • Traffic Analysis
  • OTX feed intelligence
  • File Integrity Monitoring
  • Threat Scanning
Cons:
  • Asset Management depends too much on DNS
  • Threat scanner could have more functionality
The AlienVault Unified Security Management is much more affordable than the above mentioned products. Installation and configuration is simplistic and provides much of the same dashboards and raw log viewing. The AlienVault USM does not include extra parts such as specific database connectors or the "events per second" as the bigger products, but sometimes that isn't needed.
The AlienVault USM is a bit more simplistic in detecting and correlating events. The end user can add more "advanced" functionality, but must do so themselves within the "intelligence" tab. There is currently no easy way for other third party integration, as the API is mostly undocumented.
Once you have created your correlation events, the AlienVault USM can reduce the amount of work needed in detecting security events. A few common problems we have had to overcome were the built-in OpenVAS scanner generating hundreds of alerts from itself. Another large project involved us setting up additional correlation events for products not initially understood by the SIEM.
For small and medium sized businesses the AlienVault Unified Security Management SIEM can be a great fit. Installation and configuration was on par with or easier than other more expensive systems. Larger organizations with additional infosecurity staff might find the system's lack of customization a bit of a hindrance. Overall the product is sound and has made great strides in the 5.x version.

Using AlienVault USM

2 - The infosecurity team utilizing the AlienVault USM system.
2 - We have not yet developed the proper logging and alerting protocols to support a "NOC" operation. Our company is working on maturing the product with additional logging sources and enhanced intelligence triggers.
  • Log Analysis
  • File Integrity Management
  • Threat Scanning
  • Alerting on large file transfers from net flow
  • Asset Management
  • Enhanced Threat Management
As our company grows we need additional features such as an API, integration with an ELK stack and pivot tables. Unfortunately those are not the strongest points of AlienVault.

Evaluating AlienVault USM and Competitors

Support is great for the USM product. Scalability is the best key feature you receive when official support is purchased.

Additionally, if a plugin or an internal process breaks, support has the ability and knowledge to update and fix all aspects of the product. This was very useful to us when a database table needed to be fixed.
  • Price
  • Product Features
  • Positive Sales Experience with the Vendor
The ease of setup and price were the two biggest factors in the purchase. During our selection process the AlienVault sales team was very responsive to our questions. The sales team also involved the tech support folks to help troubleshoot an issue we had with agentless FIM and Linux systems to help finalize our purchase. The dashboard was easy for all team members to understand and automated reporting helps keep an eye on what is going on in the environment.
At the time the AlienVault system was the right choice as it provides an easy transition to a SIEM product without the high prices and complicated setup. During our decision process no other vendor provided us with actual tech support during the POC process. I would not change my decision from a year ago. The newest version of AlienVault 5.x has vastly improved the capabilities of the SIEM with speed and usability improvements.

AlienVault USM Implementation

I would plan on the initial setup taking longer than expected. File Integrity Monitoring does not have an automated way of rolling agents out with known keys. This does not work well with the asset management portion of AlienVault as systems will have an unknown state if a key does not get generated with the agent.
Yes - We had also purchased a few remote sensors with the AlienVault USM product. Our first phase was the USM with basic log analysis with raw data retention. The second phase was setting up the asset management correctly. The third phase was setting up network scanning with the primary threat scanner. The fourth phase was setting up FIM (File Integrity Monitoring). The fifth and final phase was onboarding the remote sensors for remote FIM (File Integrity Monitoring) and scanning for additional VLANs.
Not sure - As far as I know "change management" had no impact on implementing the AlienVault USM system. We just had to forward logs to the system from the firewalls and do "agentless" FIM monitoring, so they had very minimal impact. Threat scanning did require a change management ticket to get initially setup and give everyone a heads up.
  • File Integrity Monitoring -- Agent Rollout
  • Disk IO during logger rollout

AlienVault USM Training

  • Online training
  • In-person training
  • Self-taught
I did not have any experience with "in person" training directly. The free online classes offered for half a day are based on the actual training offered. These little teasers are very good and well worth your time to learn a few quick and dirty ways of getting more information from your SIEM.
The online training is based on the in-person training and is well worth your time. The teachers are well informed and can answer many advanced questions without needing to "get back" to you after the class. This approach is very well received; everyone is very engaged during the training and seems genuinely excited to be learning the AlienVault USM device.
The key to the system is logging sources; enabling the plugins and watching the data flow into the SIEM is quite easy. The asset management setup was easy: just identify your networks and set up a basic asset scan, all in a wizard-like approach. The other easier setup was an unauthenticated scan of your internal networks, as most of the information provided in the asset scan is used to set up a threat scan.

Configuring AlienVault USM

The AlienVault USM is a network centered SIEM and does not offer many advanced integration points such as APIs, sending alerts to other systems or reporting engines. As long as you stay in between the lines the product offers a good amount of configuration items such as reporting, correlation events and dashboard customization.
The best recommendation would be to understand the correlation (called intelligence) menu. Without further customization the AlienVault USM will only have limited functionality for alerts. This really isn't a knock on AlienVault as many of the other SIEM vendors require high touch analysis configuration. Another recommendation would be to understand and properly size your AlienVault USM, as not doing so could lead to missed or late arriving events. Sensors can help distribute the load.
No - there is no facility to customize the interface
Yes - we have added extensive custom code - We needed some additional functionality and integration with another security product. This is not a very easy thing to do, as each version of AlienVault USM will require us to push our code back to the box. There is no documented API, which is a shame as integration will get the system a longer shelf life at our business.
We have done some customization via the command line, such as Puppet and net flow parsing. This unfortunately means we cannot upgrade the system as easily as we would like. This is also true for many of the other SIEM providers, but it would be nice to see the AlienVault USM be more friendly towards customization.

AlienVault USM Support

Every time we have opened a ticket with AlienVault they have managed to get us an answer. At times they are not what we want to hear, but I do appreciate the "drive it home" attitude of tech support. I believe the other SIEM competitors could learn a lesson from AlienVault.
Pros:
  • Quick Resolution
  • Good followup
  • Knowledgeable team
  • Problems get solved
  • Kept well informed
  • No escalation required
  • Immediate help available
  • Support understands my problem
  • Support cares about my success
  • Quick Initial Response
Cons:
  • None
Yes - We pay for the very quick turnaround with issues of our AlienVault system. I am very satisfied with the amount of knowledge the support staff have, as they have to be trained in multiple software technologies that make up the entire AlienVault system. The price for premium support is very affordable and is well worth it.
We currently have an issue with a firewall sending too many "events per second". The tech support person did a lot of research on how to remediate the problem and took it upon himself to escalate the ticket to the developer team. We now have a phone call lined up with a developer so he can better understand the problems we are facing with a single source of too many "events per second".

Using AlienVault USM

The menus are well laid out for the most common functions of log management, File Integrity Monitoring and log analysis. The dashboards with graphs are easy to understand and are perfect for the casual glance, aka single pane of glass look at your overall security rating. The product looks and feels like many of the other larger SIEM players, but at a much more affordable price. Each version from 3.x to 5.x has been a major improvement, which is free if you have a paid professional contract in place.
Pros:
  • Like to use
  • Relatively simple
  • Easy to use
  • Consistent
  • Quick to learn
  • Convenient
  • Feel confident using
  • Familiar
Cons:
  • None
  • Reviewing Alerts
  • Dashboard graphs
  • File Integrity Monitoring
  • Menu systems
  • Threat menu and scheduling
  • OTX maps
  • Netflow setup
  • Advanced Threat Management
  • Asset Management
  • File Integrity agent setup
  • Correlation Event setup

AlienVault USM Reliability

The AlienVault USM is not very scalable. Some scalability can be achieved by installing additional sensors, but this only offers 500 EPS per sensor and is still overall limited by the installation type of VM or physical. We have also noticed the EPS (events per second) is rated overall and not towards a single source. A single source on a very healthy VMware partition tops out at 2,000 EPS for us, no matter how we configure it. Maybe this is a problem of the 5.2 release?
We do have issues with maintenance on the AlienVault USM as the disk fills up from time to time with other data sources. Sources for scanning logs and net flow data aren't calculated in regular disk maintenance and can easily fill up our disk if we do not keep an eye on it with some custom Nagios plugins. The system does properly trim logging data from logging sources.
With the latest release of AlienVault USM overall performance has not been an issue. We have noticed single source events per second does not scale well with the overall system. 2,000 EPS on a VMware system with a single source produces delays of up to an hour for us. Pages, reporting and even raw log searches are rather quick though.

Integrating AlienVault USM

I believe AlienVault USM is one of the worst systems for integration. For most customers I would imagine this is not an issue, but when you get to be an enterprise level company this could be a major factor in replacing the system. With current configuration management software such as Puppet, ELK and even Grafana, it is a shame AlienVault couldn't be part of the integrated stack of any of those products.
  • SocVue software
  • ELK (elastic search, logstash and kibana)
Integration has been very difficult without an official API. We have it mostly working, but are apprehensive about upgrading the system for fear of breaking integration with the products mentioned above.
Our other vendors do support integration with API keys for Grafana, Elasticsearch, Logstash and Kibana. AlienVault USM only offers direct database access, or you end up having to detect and decode the API yourself.
  • File import/export
  • API (e.g. SOAP or REST)
Direct database access is also used to integrate with our ELK (elasticsearch, logstash and kibana) stack. This has not been easy without an API key. We are also using the file import/export to get data from our 3 scan engines into the ELK stack for better correlation with other 3rd party devices.
My overall opinion as of AlienVault USM 5.2 is to not integrate with other products. As long as you stay within the painted lines, the AlienVault USM works quite well for most of our needs. For advanced correlation you might need to look elsewhere or put in additional feature requests to get a real documented API in a future release.

Relationship with AlienVault

The sales team is top notch and very responsive to all types of requests (including tech support!). AlienVault accepts all types of payments and it was very easy to interface with the accounting team to get the PO paid on time. Our first renewal was just due and it was properly discounted without us bartering down the list price, which is very refreshing. Again it was very easy to renew as we just gave the accounting team the payment info and it was done.
From time to time our AlienVault account representative contacts us with new products and to see how we are doing with the product. He also recommends new training and volunteers his tech support resources if we are stuck with any issues. They respect my time and I feel they have not wasted it with needless phone calls or emails.
Our terms for training and price were met with very little bartering. It is nice to get some online training thrown in with a large purchase of your AlienVault USM; it can help the onboarding of new employees. The overall purchase was discounted fairly and did not require us to spend weeks haggling over price.
We are completely satisfied with the AlienVault sales team. I would just recommend being honest with them with timelines and prices, I am sure they will work with you to make the AlienVault USM happen. At certain times of the year (year end) the discounts could be higher, so it could be worth the wait!

Upgrading AlienVault USM

Yes - We have upgraded from version 3.x to 4.x and recently from 5.x. Each one of the major upgrades went without issue and had only 10-15 minutes of downtime. This is much better than most of the other SIEM vendors as it could lead to hours of downtime, unless you have clustered systems. Remote sensors store the logs, while the database is being updated. The database update takes the longest, but is completely "hands off" and as long as you pass the free disk space check, is seamless.
  • Performance
  • Dashboard
  • Log Analysis
  • Documented API
  • Asset management
  • Better plugin correlation support
Yes - during our POC we started off with the "free" version of AlienVault USM. For the first month we stayed with the free version to better understand the limitations and features of the product. The paid version is well worth the money for the speed improvements and phone tech support. The technicians can save you many hours of time, their troubleshooting skills are top notch.