RUN-- RUN FAST (And don't look back!)
Updated November 21, 2017

Scott Whitehouse | TrustRadius Reviewer
Score 1 out of 10
Vetted Review
Verified User

Software Version

USM Appliance (On-Premises)

Overall Satisfaction with AlienVault USM

We use AlienVault as an IT Department and use it to monitor all of our branch offices. Its primary use case is that of a typical Intrusion Detection System where it actively monitors and alerts for potential threats. I have also used it to run vulnerability scans on my servers (both physical and virtual) to have a better understanding of risks in my environment.
  • I have found things it does well are in short order. It leverages the Snort engine so its IDS scans are pretty good.
  • I like some of the diagnostic capabilities built into the product such as the whois search on a foreign IP address.
  • The support team is knowledgeable. I have had several support cases for databases that crash causing the system to be unresponsive. Each time I have had a support person that was knowledgeable of the product and Linux without having to ask for an escalation.
  • The user interface is horrible. Making changes to directives nearly requires a Ph.D. It takes 6 clicks to find the directive you want to modify and the chain of which 6 items you need to click is not provided in the alert. So if you want to go to a directive that is nested multiple layers you must have the full path memorized, and they have hundreds of directives so unless using AlienVault is the only thing you do it is unlikely you will memorize the path.
  • The system is highly unstable. As I mentioned earlier, I have had several support tickets for the system being hard down. I support several virtual appliances and a significant number of databases that are far more stable than this one.
  • Support and maintenance costs are disproportionately high. AlienVault charges a premium several times higher than any other appliance (virtual or physical) I have ever seen. I have 3 other virtual appliances (including another virtualized security device) in my environment and the cumulative cost for support and maintenance on those three is less than 1/3 of the cost of AlienVault.
  • AlienVault has a lot of false positives; so many that one of their consulting companies knows them by name and has a list of recommended alerts to turn off. If the consulting company knows these are false, and AlienVault highly recommends working with the consulting company, why doesn't AlienVault fix the alert? In one case it appears they are marking a Microsoft Update Server (not my WSUS, but one owned by Microsoft) as a DNS Sinkhole.
  • By default AlienVault creates a policy to ignore USM traffic, but does not enable it. I cannot understand why that is unless they want a new owner to see alerts to know the system is on? It may seem minor, but why not tune out the noise from your system so new customers are only focusing on their traffic and not every SSH session from the USM? All that does is add extra work to a deployment.
I evaluated AlienVault against Secure Works, Snort, Palo Alto, IBM's Informix Dynamic Server, and HPE's ArcSight. I based my evaluation on several criteria and after talking with several people at AlienVault (including management) I decided it would be a good fit as the product was evolving with a solid roadmap. In the last year, there have been no updates of substance (despite being on the roadmap) and the product does not meet expectations.
I would never purchase AlienVault again, and tell every person I know not to purchase it. This is the worst SIEM I have ever used. If someone reading this review is thinking of buying AlienVault, DON'T!!! The product will meet surface level requirements, but will cost you more time and energy to get full value out of it than it is worth. There are better products on the market.