AV USM - Jack of all trades or master of none?
July 25, 2016
Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with AlienVault Unified Security Management
AlienVault Unified Security Management has been deployed as a centralized aggregation point for log collections and to manage all remote OSSIM sensors. The expectation is to utilize all USM components (asset management, nids, hids, vulnerability scanner, siem) by the infosec team to have a holistic view on security posture across the enterprise.
Pros
- Customization: this is one point where AlienVault (AV) outshines the competition in capability of customization to perform threat detection, asset discovery, threat scoring, APT detection etc.
- AV Sensor performs asset discovery, vulnerability assessment, threat detection, and behavioral monitoring in addition to receiving raw data from event logs and helping in monitoring network traffic (including flow). The sensors also perform normalization of the received raw events and communicate them to the AV Server for correlation and reporting.
- AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long term retention and management.
- Flexible architecture: all components including the sensor, the logger, the correlation engine etc., can be deployed tier-based, isolated or in a consolidated all-in-one style. This wide variety of deployment options helps to have flexible and open architectures. This also helps us control deployment cost - we bought only USM and the rest of the OSSIM components are free, deployed as VMs across the enterprise.
- Open Threat Exchange (OTX) is a great community sharing platform that helps to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of real world intelligence, and what AV intends to do with this data remains to be seen. For now, it is being used by the USM Correlation engine to provide better context and content for security monitoring.
- Price is way better than other vendors.
Cons
- A Jack of All Trades, but King of None: the correlation engine is nowhere close to the likes of ArcSight, QRadar or Splunk etc. The threat intelligence is not as good as QRadar, McAfee, RSA etc. And so on and so forth. So when it comes to critical functionality expertise, AV USM is found lacking.
- Product Stability: the biggest issue is its poor stability. With way too many components, myriad integrations, and a ton of scripts, the product is really unstable. Every version upgrade is a nightmare. Re-installation or re-start is the most common solution for the product to start working again. One of the most common and frequently failing components is the DB. We quite often experienced issues like DB corruptions, unresponsive queries etc. We think this is mostly attributable to the MySQL DB, as it is by definition a structured DB. USM can hugely benefit from moving to a non-DB log storage architecture, thereby giving more flexibility in data management and improving scalability.
- Correlation & Workflow: AV USM has a strong foundation in correlation using XML-driven directives and alarm thresholds; however, it falls terribly short when it comes to predefined rules, directives and workflow.
- Starting from version 5.2, AV broke the distributed vulnerability scanner model for OSSIM (free components), which was based on remote sensors serving as a relay to pass the results to USM (central aggregation point).
- Technical Support is inconsistent and of poor quality. They support only USM and never the free version (OSSIM); for OSSIM, support will refer you to the documentation. Most of the time, the solutions rely on a re-install, a re-start or a bug-fix, because there are way too many components to troubleshoot, and this leaves support to resort to re-install or re-start without thorough root cause analysis.
The decisive factor was price over diverse functionality.