AlienVault USM for the win!
March 12, 2018

Ivan Montilla Miralles | TrustRadius Reviewer
Score 9 out of 10
Vetted Review

Software Version

USM Appliance (On-Premises)

Overall Satisfaction with AlienVault USM

AlienVault USM gets used to track events coming from assets and we also use it to track availability. Since we are also a reseller of this product, we use it as a test bed to deploy strategies, correlation directives and event plugins to our customers' production environment. We also use it for showing a demo of the product, to facilitate the sales process.
  • Compliance: For each compliance aspect in each standard, there's an AlienVault USM feature which helps compliance. For instance, in PCI DSS Compliance you require File Integrity Monitoring, and AlienVault USM has it. Every component of the standard gets covered by the product.
  • Data handling: Event management can become cumbersome if not well handled. AlienVault USM classifies event information properly, so it sits with the data that is useful to you. When you export a report, you can easily filter out what you don't need, so you only extract valuable information.
  • Asset availability: It is really handy to cover every aspect of your asset classification: the events coming in, the services each asset has, its location; all of that information really helps to draw alarms properly.
  • Vulnerability Scanner reporting: The reporting from the integrated scanner (OpenVAS) is really difficult to read. They could have done a better job by scraping the report or creating a custom report from the data of the scan. However, leaving the default report template from OpenVAS makes the report somewhat useless.
  • Sometimes the local integration fails because of the scope of the tool. Let me elaborate on that: the OpenVAS scanner has certificates that expire within a year, and that makes the USM fail scans if you don't renew the certificates yourself. They should have made them last at least 10 years. The same goes for Nagios: sometimes the integration fails and one doesn't know why unless you jailbreak it and find out for sure in the logs.
  • They do not provide a standalone installation of the product, because they modified the Linux distribution so much that it must always be deployed as a virtual machine or appliance, not on your own server.
AlienVault USM works well for any company size. LogRhythm might be too much if your company is not already big, and the same can be said of McAfee Enterprise Security Manager. If this is your first SIEM, it's a really good choice and has nothing to envy from the others I'm comparing it with. I also recommend the cloud version of AlienVault, USM Anywhere, whose interface is a bit different, but the principles remain the same. Also, the McAfee Enterprise Security Manager has a Flash-based interface, which Adobe is phasing out. AlienVault USM is HTML5 and can even be used on mobile.
AlienVault USM is a great choice if you need compliance and asset monitoring in all aspects, event monitoring, and event correlation. The handling of alarms and OTX pulses is a great addition of value. It's less suited if you're also looking to replace your vulnerability scanner; I recommend having a proper vulnerability scanner, because AlienVault USM's one is a bit impaired for heavy workloads and for the vulnerability information to be of any use.