TrustRadius
Don't be afraid of this Alien.
James Ellsworth
Updated August 03, 2017

Score 8 out of 10
Vetted Review | Verified User

Overall Satisfaction with AlienVault USM

The implementation of AlienVault Unified Security Management was the result of a network-wide virus infection; not knowing where the virus originated required that all servers and workstations be scanned for infection. The system was deployed across the entire network as a centralized point of administration for verifying network integrity and system security protocols.
Pros
  • Real-time access logs and scanning. Once the system was installed and configured, it allowed our company to find that the network was being hit with a continued brute-force attack. With this discovery we made a few changes for our remote users and reduced the unauthorized outside access attempts.
  • Traffic monitoring. When first starting with the company, part of my assignment was to find why the network was so lethargic. With the AlienVault system I was able to see the time periods of heavy internet and data usage. With this information I was able to determine the highs and lows of user access.
  • OTX activity. After subscribing to the OTX community I was given frequent updates on the latest security threats and what to look for. To me the best aspect of the OTX activity monitoring is knowing when a threat is directly affecting our network and keeping up to date on the threats.
Cons
  • Initial setup and administration. I came into this company after the utility was deployed, and what I have found in our setup is that the ESXi environment does not scan the entire network. An initial setup assistance program for the installation would help.
  • Asset environment. In our current configuration we have all the servers and network appliances running with static IPs or reservations from our DHCP server, and this works very well in our environment. What does not work well are the machines that are part of the DHCP pool: if a machine is configured as an asset and its IP address changes, the description (identity) does not follow the device. I think that if we had the ability to assign assets by MAC address it would eliminate this problem as I see it.
  • Kick-off program. As part of the service we were invited to join a kick-off event that I personally attended (a virtual class, actually). What I discovered from this class was a more advanced configuration than I had expected to see. While it provided good information and virtual labs, I think if the class is a kick-off then it should be about the basic installation and configuration of the appliance. The time spent on configuring rules outweighed how to get information to be read from the sensors.
I could not offer a proper evaluation of these systems. While I have configured the SolarWinds product, the time I have spent with AlienVault would not provide a comparable opinion.
I believe the best aspect of the AlienVault system ultimately comes from the community of users. The OTX activity notifications provide me with a great wealth of knowledge that I would not get otherwise. This is my first true experience in managing a service such as AlienVault for a long period of time. The community support is a great reference for smaller IT departments that have limited resources to stay up to date with emerging threats.
Having been a product the company purchased after experiencing its first network-wide virus infection, yes, most definitely. The company just was not set up for or equipped to properly handle this problem. The AlienVault appliance, once configured, indicated that the company was experiencing a brute-force attack. Was this possibly an underlying result of the infection? What I do know is that without the AlienVault software showing this outside access, the problem would never have been discovered. We implemented changes to the network that resolved this problem to about 95%, with just one workstation that continued to have problems with network access and traffic. The AlienVault system allowed me to watch in real time exactly when this workstation was getting hit and from where. The workstation that experienced the network congestion just happened to be the same workstation that infected the network. With this valuable information, and having limited IT department resources, I was able to commit my time to monitoring the network and ultimately finding this problem. Once the workstation was removed from the network and rebuilt, this saved the company hundreds of hours in downtime and lost productivity. Definitely a saver for the company.

Having been familiar with Cisco SolarWinds and the information provided by their application, I expected a similar result. I believe that gearing the appliance to a very specific task would be a greater service to the customer. What I mean is to have a smaller footprint, say for the user who is looking to just monitor network traffic and network access, as a single service or installation. Also, having another that would exclusively work with and integrate with antivirus software and provide central administration for companies NOT using a server and endpoint environment.

My question to be asked, "Ultimately what do you expect to see the appliance provide you?"

Evaluating AlienVault USM and Competitors

Coming into the company I work for, they had just experienced a very bad network-wide virus. Had the USM software been in place, it would have helped to mitigate the infection and locate the machine faster. Since being installed, this service has provided valuable information on continued port scans and access vulnerabilities. We found that our AD server and SQL servers had continued port scans. Once identified, I was able to make changes to the remote access ports and this stopped the port scans. Ultimately AlienVault USM saved valuable time and increased user productivity.

AlienVault USM Implementation

The best recommendation I can offer is to understand the system that is being installed: know how to configure it and what specific expectations you have of the machine. I would say to watch the tutorials and the online videos, get yourself involved with the community forum, and ask questions if you do not understand.
Our company did not make the best choice on the computer that the service was installed on, and it has led to some adverse effects that did not appear until now, almost 2 years later, with a need to re-install the entire system all over again.
If you need the help, ask for it. The technical support team at AlienVault and the community forum members are always there to answer questions.

AlienVault USM Support

I have a 50/50 rating on this because they have been helpful in one aspect but not in another. They seem to be fairly responsive to requests, but as with my most recent request, no solution was offered. That is not truly a fair statement; rather, no solution unless I agree to pay additional fees. From conversations with both our sales rep and another representative, they both indicate that we have 3 years of extended support, but the problem reported to them is not covered under our support agreement.
Pros
  • Kept well informed
  • Support understands my problem
Cons
  • Problems left unsolved
Not sure if this is an AlienVault thing directly or not. Working with our consultant Shawn, he was able to create a custom plugin for our QNAP enclosure to support the syslog from the device. It was crucial for us to read these logs, and since all other event logs are going into AlienVault this was an ideal situation. After gathering some info logs from the QNAP device, Shane had a plugin created for me in 2 days and deployed. That was an invaluable effort on the part of AlienVault and Shane.

Using AlienVault USM

The product, once properly configured, seems to offer a wealth of information but has its issues. I feel that the initial setup/installation should include technical support to get up and running. My personal experience with the configuration as installed indicates that the network adaptors were not properly configured to read information. The network ports were configured to only read half the network?? So having help to get the system up and running should be part of the initial purchase.
Pros
  • Like to use
Cons
  • Unnecessarily complex
  • Difficult to use
  • Not well integrated
  • Inconsistent
  • Slow to learn
  • Cumbersome
  • Feel nervous using
Pros
  • Real-time scanning
  • OTX activity
  • Easy-to-read dashboard
Cons
  • Configuring the ESXi network adaptors
  • Understanding how to create rules
  • Not knowing what many of the rules meant or what they do