January 19, 2018

AlienVault USM: "More than SIEM: A whole Security Ecosystem which is easy to integrate, operate and use"

Overall Satisfaction with AlienVault USM

When a decision had to be made about which SIEM system would be the best fit for a from-scratch project, AlienVault USM was chosen for its easy and fast implementation path as well as its rich feature set. The customer was under a lot of time pressure, so an all-in-one solution had to be found and put in place. Whereas the classical SIEM approach lacks the complete surrounding ecosystem (NIDS, HIDS, FIM, vulnerability scans, availability monitoring, etc.), here you get everything in one solution. AlienVault as a company was also very helpful during the planning and implementation phase. Their documentation is pretty good and their service representatives are very helpful. This is definitely a big pro if you want to deliver fast results in getting it up and running and see your customer happy. Not to forget, their pricing is very competitive too, and most probably the most cost-efficient solution you can find in the marketplace today. After the project became a real success, AlienVault USM is now used subsidiary-wide and has already proven several times that it was the right decision.
  • AlienVault USM is based on well-known open source components, each of which is a de-facto industry standard in its own right.
  • Integration into the existing infrastructure works like a charm. Basically you just need to roll out an OSSEC client to each server or PC and you already have pretty high coverage of security information and events. They immediately show up in the AlienVault web interface.
  • Thanks to the countless plugins, it is very easy to add network devices like firewalls, routers and switches, but also servers running Apache and the like. You just need to forward syslog and it will all show up in your AlienVault web interface.
  • The modular design of AlienVault USM in the form of "deployable sensors" allows you to easily integrate different network segments, such as remote sites.
  • Regular vulnerability scans are a must to understand which CVEs your infrastructure is exposed to, and this becomes an easy task with AlienVault. They provide you with a set-and-forget approach for running regular scans. Additionally there are helpful hints on how to get more secure.
  • Because AlienVault USM combines several well-known components, you have to live with the fact that they are not in their latest version, e.g. the integrated OSSEC, which should be replaced with the OSSEC-Wazuh fork instead.
  • Due to the all-in-one approach, the solution is quite resource-hungry. You have to have a decent machine to run it.
  • The reporting module is nice, but sometimes it is quite a challenge to configure a custom report, as you will only get the results you want after some trial and error.
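The list above says that adding a network device or server is mostly a matter of forwarding its syslog to the sensor. The following is an added example, not code from the review or from AlienVault, of how that forwarding step looks on a Linux host running rsyslog: it renders a drop-in configuration that ships all local messages to the sensor over TCP, validates the full rsyslog configuration before restarting, and emits a tagged test message you can look for in the web interface. The sensor address is a placeholder, port 514 is assumed to be the standard syslog port the sensor listens on, and systemd is assumed for the restart.

```shell
# Added example (not AlienVault's or the review's code): forward a host's
# syslog to an AlienVault USM sensor via rsyslog.
# SENSOR_IP is a placeholder; use the address of your own sensor.

# Render an rsyslog drop-in that forwards every local message to the sensor.
# TCP is used so that delivery failures are visible; UDP silently drops
# messages under load. The queue keeps messages while the sensor is down
# and the action retries forever instead of giving up.
render_forwarding_conf() {
    sensor="$1"
    port="${2:-514}"
    cat <<EOF
# Forward everything to the AlienVault USM sensor
action(type="omfwd" target="$sensor" port="$port" protocol="tcp"
       queue.type="LinkedList" queue.size="10000"
       action.resumeRetryCount="-1")
EOF
}

# Write the drop-in, validate the complete rsyslog config (rsyslogd -N1 only
# checks, it does not start the daemon), and restart only if it is valid.
install_forwarding_conf() {
    sensor="$1"
    conf=/etc/rsyslog.d/50-alienvault.conf
    render_forwarding_conf "$sensor" > "$conf"
    if ! rsyslogd -N1; then
        echo "rsyslog config invalid, removing $conf" >&2
        rm -f "$conf"
        return 1
    fi
    systemctl restart rsyslog
    # This tagged line should appear in the USM web interface shortly after.
    logger -t usm-check "syslog forwarding test from $(hostname)"
}

# Run as: sh forward.sh SENSOR_IP. Without arguments only the functions are defined.
if [ $# -ge 1 ]; then
    install_forwarding_conf "$1"
fi
```

Keep the forwarding rule restricted (for example to `auth.*` and `kern.*`) if the host is chatty and the sensor's event-per-second budget is tight; the rendered rule forwards everything, which is the simplest way to get coverage quickly but also the noisiest.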
If you look at AlienVault USM, you will have to look at OSSIM too. For very small enterprises with a limited budget or no budget at all, OSSIM might be a good alternative: it is the free version of AlienVault USM, but that means you are on your own with it. Another competitor is definitely Graylog, as it provides a very good interface and is easy to use, plus it uses Elasticsearch as its data store. As stated previously, the ELK stack (Elasticsearch, Logstash, Kibana) is a good alternative too, but it is neither ready to use off the shelf nor an all-in-one solution. In fact, the components used by AlienVault, such as OpenVAS, OSSEC, Suricata, etc., are at the same time its biggest competitors, but only if you make the effort to run each of them as an independent solution. In return you get maximum flexibility and full power over your solution.
AlienVault USM is very effective in detecting real security threats, as their "OTX" integrated threat intelligence has a very good reputation in the industry. Because it is open to others as well, other heavyweights like the Bro security monitor can integrate the OTX feed too (yes, and this is done by many security people out there). This says more than words.
AlienVault USM really helps to reduce the amount of work you need to do in order to detect security threats, as you get security information from various sources into one place very easily. Another very important point is that AlienVault USM helps you filter out the so-called false positives with little effort and manpower. Getting rid of the false positives is most probably the most challenging task in running a SIEM (besides the integration work).
AlienVault is most probably the best choice for smaller companies with up to 200 assets, which have limited security personnel and are looking for an easy-to-implement, easy-to-run and easy-to-use SIEM including a "detection ecosystem". If you are highly skilled and very sophisticated (and you have the time too), you are better off running all the components, each as a stand-alone solution, and feeding their results into an ELK stack. If you are looking for something in between: AlienVault is customizable too! You can go down to a very low system level (they call it jail-breaking, ouch!) and go on a config spree, but be warned: the next update can break your changes. You need to know what you can do and what you cannot, but once you understand where you can go and where not, AlienVault becomes a friend for a lifetime.