AlienVault USM - Great Potential waiting to be unlocked
August 09, 2017
AlienVault USM - Great Potential waiting to be unlocked
Score 6 out of 10
Vetted Review
Verified User
Software Version
USM Appliance (On-Premises)
Overall Satisfaction with AlienVault USM
The best thing about AlienVault USM is being a “Jack of All” solution. They provide SIEM, HIDS/NIDS, FIM, NetFlow, asset management, vulnerability management etc., under one USM platform. While all the features are formerly isolated open source community projects, the USM does a good job of integrating them into a feature set. While they are not great as individual parts, they more than make up as a sum of the parts.
- Flexible Deployment Architecture – The 3 main components of the Architecture are as follows:
- AV Sensor – AV Sensors perform asset discovery, vulnerability assessment, threat detection, and behavioral monitoring in addition to receiving raw data from event logs and helping in monitoring network traffic (including Flow). The sensors also perform normalization of the received raw events and communicates them to the AV Server for correlation and reporting.
- AV Server – AV Server is the central management console that provides USM capabilities under a single GUI. The Server receives normalized data from the sensors, correlates and prioritizes the events and generates security alerts or alarms. The server also provides a variety of reporting and dashboarding capabilities as well.
- AV Logger – AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long term retention and management.
- All the architecture components including the Sensor, the Logger, the Correlation Engine etc, can be deployed tier based, isolated or in a consolidated All-in-One style. This wide variety of deployment options help customers to have flexible and open architectures. This also in a way helps control cost depending on the budget at hand. Very rarely can products boast of such flexibility.
- OTX – Open Threat Exchange is a wonderful community sharing platform that helps clients to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of Real World Intelligence and what AlienVault intends to do with this data remains to be seen. For now, it is being used by USM Correlation engine to provide better context and content for Security monitoring. AlienVault Labs, is also utilizing this infrastructure to constantly update Detection rules for malware vectors, vulnerability exploits etc. QRadar and ArcSight provide Intelligence, but it is commercial intelligence and not community intelligence. With community intelligence, you get more hits than misses.
- Multi-Tenancy – While this feature may not elucidate an interest from many readers, those who have worked in an MSSP environment can understand why this is a very important feature to have. AV USM does support Multi-Tenancy out of the box. This, when combined with the Architecture flexibility provide great MSSP models to sell and operate. The key is to understand how the multi-tenancy works. Basically, a single database is used to store data of several customers using a Data isolation Logic and Permission control. The data isolation logic is based on Entities created in USM (Assets, Users, Components Assigned (Sensors) etc. are grouped together as a Single Entity) and Permissions (applied in a granular fashion to data sets related to the Entities). QRadar, ArcSight and other major SIEM products provide this as well.
- Database – AV USM is using MySQL for its database. All the issues related to a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database and this causes an issue in terms of scalability, especially with High log volume environments because backup and restore is time and CPU/RAM consuming. USM can hugely benefit from moving to a Non-DB Log storage architecture, thereby giving more flexibility in data management, but will AV take that route is doubtful. Based on their product direction, they are looking at Percona Server to replace MySQL. While it is a good move, it is still customized MySQL replacement, and may not add much desired scale to the product.
- Product Stability – The biggest issue, we have seen with the product is its poor stability. With way too many components, myriad integration, a ton of scripts, the product is really unstable. Every version upgrade is a nightmare. Re-installation or Re-start is the most common solution for the product to start working again. In a mission critical environment, this is a complete NO-NO. One of the most common and frequently failing components is the DB. Issues like DB corruptions, Access issues, disk errors, unresponsive queries etc. really test the patience of end users on a regular basis. This in our opinion is the most damning negatives about AV USM.
- Integration – While AV USM is known for being customization friendly, the amount of Out-of-the-box plugins for Log Monitoring and Correlation is limited to the well known products. It does not have comprehensive integration capabilities with say legacy applications, Directory services, databases etc that other SIEM vendors boast of. Similarly, it relies mostly on its own “pre-packaged” tools for data enrichment and hence has poor “Third Party” Integration capabilities. However, if you really are a developer of open source products, the integration challenge can be overcome. But how many are willing in the real world enterprise?
McAfee, QRadar, ArcSight were evaluated. Price and Open source environment was the main reason.