Send the aliens back into space
February 17, 2017

Send the aliens back into space

John Grosjean | TrustRadius Reviewer
Score 1 out of 10
Vetted Review
Verified User
Review Source

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

We are using it for our SaaS platform. Our software is used by healthcare networks, and AlienVault is our IDS.
  • Pulling in LOTS of logs from various places in AWS.
  • In theory, can consume any type of log you can send it.
  • SMTP: The appliance can only send SMTP alerts to ONE email address. At the very least, it should be able to send to multiple people, and this shouldn't be a global setting. Some people want to see certain alerts, others need to see other alerts. It's highly inflexible.
  • Reports: There basically aren't any. I need a way to prove to the CEO that this expense is worth it, but I can't print a nice graph of logs collected per day, alarms on each device, or really anything at all.
  • SLOW: When it starts collecting lots of logs, the appliance really slows down. When you're trying to do a search on logs, it can take an hour or more. Almost impossible to do forensic analysis of an incident when it takes this long to gather the correct logs.
  • Multiple VPCs are not supported: The only deployment option is a single box. Without allowing multiple sensor nodes, it's very difficult to see into other networks. VPC peering can get you around this, but this is not allowed for us because of security concerns, and it's impossible because both VPCs use the same IP range. You can use a Linux jump box, but you can't use a Windows jump box, and a Linux jump box won't connect to any Windows servers.
I recommended Alert Logic, but management was drawn to the much lower price of AlienVault. Alert Logic seems to have a more mature product and has some of these features that have been lacking in AlienVault.
It took a good bit of work to get all the log collection and things set up in AlienVault, but once they were set up, it immediately started sending us info. There were a few false positives of course, but many warnings had some actionable info. With it collecting so many logs, it started slowing down rather quickly, and the UI is slow enough now that it's impossible to do any deep analysis. We just look at the alert and do what we can with the info contained in it. Without being able to see the surrounding events, we end up ignoring a lot more alerts than we like to.
Before AlienVault, we weren't doing a lot around detecting security threats. We mostly set it up as strong as we knew how, and assumed that was enough. AlienVault has improved our security stance, but it has also added a lot of work we just weren't doing before.
It might work well for a very small office. It's a great concept, but lacks the smaller features that are essential for a larger enterprise. If there are more than 2 IT people, then your business is probably larger than AlienVault can handle.