More than SIEM: A whole Security Ecosystem which is easy to integrate, operate and use
January 19, 2018
More than SIEM: A whole Security Ecosystem which is easy to integrate, operate and use
Score 9 out of 10
Vetted Review
Verified User
Software Version
USM Appliance (On-Premises)
Overall Satisfaction with AlienVault USM
While a decision had to be made, which SIEM system would be the best fit for a "from-scratch" project, AlienVault USM had been chosen due to its easy and fast implementation path, as well as its rich feature set. The customer had been under a lot of time pressure and therefore an all-in-one solution had to be found and put in place. As the classical SIEM approach is missing the complete surrounding ecosystem, such as NIDS, HIDS, FIM, Vulnerability Scans, Availability Monitoring etc, you get everything in one solution here. Also AlienVault as a company was very helpful during the planning and implementation phase. Their documentation is pretty good and their service representatives are very helpful. This is definitively a big pro if you want to deliver fast results in getting it up and running to see your customer happy. Not to forget their pricing is very competitive too and most probably the most cost-efficient solution you can find in the marketplace by today. After the project became a real success, AlienVault USM is used subsidiary-wide and has already proven several times that is was the right decision.
- AlienVault USM is based on well-known Open Source components, which each for itself, represents a quasi industry standard
- Integration into the existing infrastructure works like a charm. Basically you just need to roll-out an OSSEC client to each server or PC and you have already a pretty high coverage of security information and events. They immediately show up in the AlienVault Webinterface
- Due to the countless plugins, it is very easy to add network devices like firewalls, router, switches, but also servers running apache and the alike. You will just need to forward syslog and it will all appear in your AlienVault Webinterface
- The modular design of AlienVault USM in form of "deployable sensors", allows you to easily integrate different network segments, such as remote sites.
- As regular vulnerability scans are a must to understand which CVEs your infrastructure is exposed at, this becomes an easy task with AlienVault. They provide you with a set-and-forget approach for running regular scans. Additionally there are helpful hints to how to get more secure.
- Because AlienVault USM combines several well know components, you have to life with the fact, that they are not in their latest version, i.e. the integrated OSSEC, which should be replaced with the OSSEC-Wazuh fork instead.
- Due to the all-in-one approach, the solution is quite resource hungry. You have to have a decent machine to run it.
- The reporting module is nice, but sometimes it is quite a challenge to configure a custom report as you will only get the results you want after a trial and error run.
If you look at AlienVault USM, you will have to look at OSSIM too. For very small enterprises with limited budget or no budget at all, OSSIM might be a good alternative, it is the free version of AlienVault USM, but that means you are on your own with it. Another competitor is definitively GrayLog as it provides a very good interface and is easy to use, plus it is using ElasticSearch as its data store. As stated previously, the ELK stack (ElasticSearch Logstash Kibana) is a good alternative too, but not ready to use off the shelf, nor an all-in-one solution. In fact, the components used by AlienVault, such as OpenVAS, OSSEC, Suricata, etc are its biggest competitors at the same time, but only if you make the effort to run each of the as an independent solution. In return you get a maximum of flexibility and full power over your solution. .