Alienvault USM: Navigating the Infosec Universe
May 09, 2016


Kevin Geil | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Overall Satisfaction with AlienVault Unified Security Management

AlienVault USM is being used for threat and vulnerability management by the whole organization. Active exploit attempts are detected, which raises security awareness and provides actionable intelligence. Vulnerability scanning and reporting helps us to assess our security posture and identify opportunities for improvement.

USM compiles/correlates logs from devices so that we can show evidence of PCI compliance by tracking and reporting on system administration activities such as additions/changes to privileged accounts, group policy objects, and firewall rules.
  • AlienVault USM does log aggregation and quick analysis very well. There is an analysis screen which provides the ability to group events by signature for quick "big head and long tail" analysis. Looking at the most common events and the least common events often highlights misconfigurations, device errors, and security concerns. The analysis screen also provides the ability to filter events by signature, then select fields of interest within those events. Once this is done, it's just a few clicks to create a custom view and report module so that an analyst can quickly find and report on key pieces of information in the future.
  • AlienVault USM provides powerful out-of-the-box correlation rules which generate alarms on security concerns, misconfigurations, and vulnerabilities. Analysts can add their own rules to alert on just about anything in the environment, such as a specific user logging into a specific machine, a machine going offline, or a configuration change to a critical device.
  • Another thing AlienVault does well is providing administrative access to the underlying Linux system, giving the analyst the ability to quickly troubleshoot issues within the SIEM implementation itself. Access to the underlying OS also provides the ability to change the configurations of the underlying well-known security tools to weed out noise events before they can start to consume higher-level compute resources.
  • Although the creation of custom report modules is powerful and easy, incorporating them into reports that are readable by non-technical staff without some interpretation is not so easy. Section headers can't be customized, and full log events cannot be presented in reports.
  • Normalization (extraction/parsing of log fields and mapping them to actionable fields in the SIEM) needs to be done in further detail. There are times when I want to search on a particular field in a log, and can't do it because it's not normalized. I'm sure that it's a bit of a cat and mouse game with device vendors and operating systems, but more actionable fields in the database would be better. Fortunately, I can go into the underlying Linux system and do it myself, but it is quite time consuming to do so.
  • A faster, more convenient way to weed out false positives would speed up the journey to SIEM success. I envision an interface similar to Microsoft Outlook's rules, in which an analyst can look at an alarm from the USM, select the criteria on which she wants to suppress the event, create the rule, then hit a button to "delete existing alarms that match these criteria". I've shared this vision with AlienVault, and have my fingers crossed for the next version.
In comparison to Splunk, LogRhythm, and Arcsight, AlienVault came in at a great price. Also, AlienVault doesn't do "per event" pricing (which is confusing for those new to SIEM). When we did our review, AlienVault just offered more out of the box security capabilities than their competitors. The other thing that helps AlienVault stand out against their competitors is a functional free, open-source version of their product (OSSIM), which gives prospective buyers time to really experience the product. A one month trial for a SIEM just isn't enough.
Alienvault Unified Security Management (USM) is well suited for anyone who wants to turn on a device and get actionable intelligence right away. Given the proper configuration, I can't think of a scenario where AlienVault USM wouldn't be appropriate.
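The review describes three things the SIEM does for the analyst: normalize log lines into searchable fields, group events by signature for a "big head and long tail" view, and suppress known noise by criteria. The script below is an added illustration of that workflow and is not code from the review or from AlienVault; the log lines, hosts, users and signature names are constructed for the example.

```python
"""Added example (not the reviewer's or AlienVault's code): normalize a few
constructed log lines into fields, group them by signature to get the
"big head and long tail" view, and apply an Outlook-style suppression rule."""
import re
from collections import Counter

# Constructed sample events in a syslog-like key=value shape (hypothetical hosts/users).
SAMPLE_LOGS = """\
2016-05-09T10:00:01 fw01 signature="Firewall rule change" user=jdoe rule=allow-ssh
2016-05-09T10:00:05 dc01 signature="Account added to privileged group" user=svc_backup group="Domain Admins"
2016-05-09T10:00:06 dc01 signature="Logon failure" user=jsmith src=10.0.0.15
2016-05-09T10:00:07 dc01 signature="Logon failure" user=jsmith src=10.0.0.15
2016-05-09T10:00:08 dc01 signature="Logon failure" user=jsmith src=10.0.0.15
2016-05-09T10:00:09 host07 signature="NTP sync ok"
2016-05-09T10:00:10 host08 signature="NTP sync ok"
2016-05-09T10:00:11 host09 signature="NTP sync ok"
2016-05-09T10:00:12 host10 signature="NTP sync ok"
2016-05-09T10:00:13 dc01 signature="Group policy object modified" user=jdoe gpo="Default Domain Policy"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalize(line):
    """Extract the fields a SIEM would normalize: timestamp, host, and key=value pairs.
    Returns None for lines that do not fit the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m.group("ts"), "host": m.group("host")}
    for key, val in KV_RE.findall(m.group("rest")):
        event[key] = val.strip('"')
    return event


def parse_logs(text):
    """Normalize every line, dropping lines that could not be parsed."""
    return [e for e in (normalize(line) for line in text.splitlines()) if e]


def head_and_tail(events, n=2):
    """Return the n most common and n least common signatures (big head / long tail)."""
    counts = Counter(e.get("signature", "<unknown>") for e in events)
    ordered = counts.most_common()
    return ordered[:n], ordered[-n:]


def suppress(events, criteria):
    """Drop events whose fields all match the suppression criteria, the way an
    Outlook-style rule would; criteria is a dict of field -> required value."""
    return [e for e in events if not all(e.get(k) == v for k, v in criteria.items())]


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    head, tail = head_and_tail(events)
    print("Big head:", head)   # high-volume signatures, often noise or a misconfiguration
    print("Long tail:", tail)  # rare signatures, often the interesting ones
    # Suppress a known-benign signature, then look again at what is left.
    remaining = suppress(events, {"signature": "NTP sync ok"})
    print("After suppression:", len(remaining), "events")
```

The head of the distribution (here the NTP heartbeat and repeated logon failures) is what an analyst would either tune out or turn into a correlation rule, while the tail (a privileged-group change, a GPO edit, a firewall rule change) is exactly the PCI evidence the review says it tracks; the `suppress` call shows the criteria-based filtering the reviewer wishes were a single click.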