AlienVault, so advanced that you will think it came from outer space.
Updated May 31, 2017

Karl Hart, ACSE, CEH, CHFI, CISSP | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User

Overall Satisfaction with AlienVault USM

We are using AlienVault as our central source of all security-related information, giving the team visibility of everything that connects to the network. Without having to worry about going over on EPS, like some vendors that charge based on EPS, we are able to send any and all logs to the server, allowing us to tune the device for maximum security visibility.
  • Easy to manage and customize the configuration to match your needs.
  • No limits on EPS (events per second) like other vendors that make you tune out information that might help you identify a threat, but due to cost for EPS you have to dump it.
  • All security information in one location and dashboard.
  • The reports are not very user-friendly; they seem to be a leftover from the '90s era of formatting.
  • Dashboard could also use a good facelift to make it easier to view when on the big screen in an operations center.
I have used several SIEM-type products like Splunk, ArcSight, QRadar, and LogRhythm. These do their job well but are limited to doing log management type of work, whereas AlienVault does so much more than just manage logs. The other big elephant in the room is the large price tag that comes with these solutions: the more events that you want to pull in, the more it will cost you. With AlienVault you purchase based on the number of assets, allowing you to send as many events as you want to the system.
I have been using AlienVault and OSSIM since version 1.0 and have recommended it as well as installed it for many clients. The small business with limited resources can deploy the all-in-one or even an OSSIM server to greatly improve their security posture. Large enterprises can scale AlienVault to meet any of their needs; the sky is the limit. If the business does not have the employees to manage the system, then it can be easily outsourced to a managed service provider while still getting all the benefits that you get with deploying an AlienVault system.

AlienVault USM Implementation

Implementation is easy, but having easy access to support and professional services is a great help. Getting it up and running is very easy; getting it configured for your specific environment does take a little more work. When you run into any issues, support or your professional services provider is always there.
  • Implemented in-house
  • Professional services company
We did most of our implementation in-house but had a local AlienVault Professional Services provider, CyberCon Security Solutions, help with customization.
Yes - Phase 1: Overall planning and gathering of inventory that we wanted to collect logs from as well as network layout.
Phase 2: Installation and initial configuration of the USM.
Phase 3: Configuration of network equipment, firewall, IPS, switches, etc., to send logs to the USM.
Phase 4: Deployment of agent to servers.
Phase 5: Deployment of agent to workstations.
Phase 6: Tuning and customization of events.
Phase 7: Release to full production.
Change management was a small part of the implementation and was well-handled - Having everything mapped out ahead of time in phase 1 allows you to identify who needs to be involved from all the various departments. This also opens up the communication ahead of time so that when you do ask for their help they know what you are referring to.
  • Identification of all network devices and who has access to make changes.
  • Configuration of custom applications or appliances that AlienVault did not have plugins for. This is where Professional Services really helps out.
  • Tuning out of all the noise to get to the data that matters.