AlienVault USM- Beginning Thoughts
Updated December 04, 2015

Ledan Patrick Masseus | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with AlienVault Unified Security Management

We are currently using AlienVault Unified Security Management across our entire enterprise. We are using it to correlate and store logs from all devices to monitor for network and host intrusion detection. We also use it to do our vulnerability assessment, as well as our network inventory. It's part of our layered approach to security monitoring.
  • The AlienVault NIDS has proven to be very valuable in helping us identify traffic on our network. It has identified unauthorized traffic that was going out of our network.
  • The alarms generated from our real-time events have helped us to respond to and track our responses.
  • It has helped us with change management with real-time updates to any changes in configuration.
  • Inventory is terrible. Expect to spend some time fixing details on your inventory. This is particularly frustrating as often vulnerabilities are tied to specific versions of Windows or software. I mean there is a world of difference between Windows 7 and Windows 98. Its inability to differentiate is a big issue.
  • I would like to see the alerting functionality improved, such that if you see an alarm that you want to be notified about every time it happens, you can just right-click on it and say "alert me next time this event happens."
  • AccelOps
The only reason we didn't go with AccelOps is because it lacked NID/HID functionality. It would have required us to purchase additional products to reach the completeness of the AlienVault solution.
One of the key questions that should be asked is: what in-house expertise will be needed? You do need someone with Unix/Linux familiarity.

Using AlienVault Unified Security Management

2 - IT Security
1 - You need the skills of a network administrator and a sysadmin as well as that of a security administrator. You will need to be able to interpret the alarms that AlienVault is generating. In theory you will need someone who has had broad exposure to the IT world in order to facilitate understanding of what is happening.
  • Network intrusion detection
  • Host intrusion detection
  • Malware/Trojan/Etc. detection
  • We've used it to validate some of our regulatory requirements, as in: we performed this exercise; was AlienVault able to detect that activity?
  • We've used it for network change management. When IT makes a change, Security is notified and IT has to sign off that they made the change.
  • If they ever get the asset discovery to the point where it's accurate, we can see using it for inventory.
  • We would like to use it to alarm us when a new piece of equipment is connected to the network. I suspect that is in there already. Haven't figured out how that would be accomplished yet.
We will be using it for the next 2 years at least, mostly because that is the support contract we currently have. As long as we continue to feel we are getting what we need from USM, we will continue using it.

Evaluating AlienVault Unified Security Management and Competitors

  • Product Features
  • Product Usability
  • Third-party Reviews
Usability was a big factor in our decision-making process. There is no need for a product that those who have to use it can't use, or find clunky to use. AlienVault does provide a very workable user interface, and it helps that the underlying technology behind the product has been proven to work over time.
If I had to do it again, I probably would end up picking AlienVault, all things being the same between AlienVault and its competitors.

AlienVault Unified Security Management Implementation

Before implementing AlienVault, take the class. It will make things easier down the line.
Change management was minimal - IT showed us how much change does happen on our network and we don't always know in advance...
  • Training and approvals

AlienVault Unified Security Management Support

I have an extremely favorable opinion of the live-person support. They seem to know the product well, in addition to knowing the actual underbelly of a product such as AlienVault. I took two points away as I find the online support to be lacking. Almost any search takes you to the forums, where it's mostly a miss. And searching for what one suspects is a bug never turns anything up, but you call in and it's, "yeah, that's a bug and here's a quick workaround or solution." So, yay for live support; boo for the online-based support/docs.
Quick Resolution
Good followup
Knowledgeable team
Problems get solved
Kept well informed
No escalation required
Immediate help available
Support understands my problem
Quick Initial Response
Yes - It makes sense to get premium support for a product of this nature. I am by no means a Unix guru, and the underpinning of AlienVault is *nix. I have found that you will occasionally need to go into that Unix side. I frankly would rather have a very knowledgeable support staff going in there with me. For the first year anyway, it's well worth the money.
I was having an issue where, after I upgraded to 5.1.1, the video vanished. You would boot up, see the BIOS, and nothing after that. It turned out to be a bug in 5.1.1 and 5.2. I opened a ticket and within an hour, I believe, I had a tech on the phone, and he knew exactly what the issue was and the workaround. The speed to resolution was frankly amazing.

Using AlienVault Unified Security Management

Overall the product has a bit of a learning curve. I took the AlienVault class and read through a lot of documentation. You need to know what you are going to use it for. This SIEM solution is very robust, and you will have to put some work into it. At the end of the day, if you do that work, it becomes easier to use. One piece of advice is to know your environment.
Like to use
Relatively simple
Well integrated
Feel confident using
Difficult to use
Requires technical support
Slow to learn
  • The directive events are fairly easy to adapt to your environment
  • Deployment of HIDS was very simple. This is in a Windows environment.
  • The asset discovery is particularly cumbersome as it's inaccurate, and you end up spending lots of time fixing it.
  • Vulnerability assessment caused many issues with our printers. We ended up having to skip our printers, and the way to do that is very cumbersome. Instead of being able to say "exclude these IPs," you had to include only the IPs you wanted by listing the subnets you wanted included... a lot of /32s.
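The last point above (a scanner that only takes an include list, when what you want is "this network minus the printers") is a chore to do by hand because the complement of a few hosts in a /24 is a pile of odd-sized blocks. The following is an added example, not code from the review or from AlienVault: it uses Python's standard `ipaddress` module to compute the minimal CIDR include list for a network with some hosts carved out, so the /32s and friends come out of a script instead of a calculator. The network and printer addresses are constructed for the example; the `include_list` and `covered` function names are this example's own.

```python
"""Turn an exclusion list into an include list of CIDR blocks.

Added example for the review above, not AlienVault code. Assumption: the
scanner accepts only subnets to include, so "scan 10.0.1.0/24 except the
printers" has to be expressed as the set of blocks that cover everything
else. ipaddress.address_exclude does the carving; collapse_addresses
merges whatever can be merged and sorts the result.
"""
import ipaddress
from typing import Iterable, List


def include_list(network: str, excluded_hosts: Iterable[str]) -> List[str]:
    """Return the minimal CIDR blocks covering `network` minus `excluded_hosts`.

    Each excluded entry may be a bare address ("10.0.1.20", treated as /32)
    or a block ("10.0.1.64/29"). Entries outside `network`, or excluded
    twice, are simply ignored.
    """
    remaining = [ipaddress.ip_network(network)]
    for host in excluded_hosts:
        host_net = ipaddress.ip_network(host)
        next_remaining = []
        for block in remaining:
            # address_exclude requires the hole to lie inside the block;
            # same-family check avoids a TypeError on mixed v4/v6 input.
            if host_net.version == block.version and host_net.subnet_of(block):
                # Yields the sibling blocks left after carving out host_net
                # (yields nothing when host_net == block).
                next_remaining.extend(block.address_exclude(host_net))
            else:
                next_remaining.append(block)
        remaining = next_remaining
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]


def covered(blocks: Iterable[str], ip: str) -> bool:
    """True if `ip` falls inside any of the CIDR strings in `blocks`."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b) for b in blocks)


def address_count(blocks: Iterable[str]) -> int:
    """Total number of addresses the include list would scan."""
    return sum(ipaddress.ip_network(b).num_addresses for b in blocks)


# Constructed sample: one office /24 with three printers that should not be
# probed by the vulnerability scanner.
OFFICE_NET = "10.0.1.0/24"
PRINTERS = ["10.0.1.20", "10.0.1.21", "10.0.1.200"]

if __name__ == "__main__":
    for cidr in include_list(OFFICE_NET, PRINTERS):
        print(cidr)
```

Pasting the printed blocks into the scan job's subnet list gives the same coverage as "the /24 minus the printers"; re-run the script whenever a printer is added, rather than editing the block list by hand.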