USM SaaS implementation for AWS and linux instances
May 31, 2019

John DeLay | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

We use AlienVault USM across our entire organization, which includes 5 separate SaaS products. At a basic level, we use the core/default functionality of AlienVault to watch our AWS account. Beyond that, we use it to collect and analyze logs for suspicious activity. The ability to track and respond to suspicious events and document them completely is super key to our organization. The reporting functionality is key in allowing me to demonstrate our processes over time to show we watch and respond to alerts.
  • Log analysis, both syslog and AWS CloudTrail, and searchability/reporting is actually better than most of our other related tools: All of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, creating or removing resources such as EBS volumes, S3 buckets, or security groups.
  • AWS load balancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
  • The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.
  • AlienVault's lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
  • Enriching data is super key to allowing us to set up alerts for and filter events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message.
  • Here is one example:
    User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
  • The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
  • Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.
Qualys was a well-packaged product that was easy to implement. It was expensive and lacked a lot of the alerting and log searching abilities.
The other products listed are not complete and would need to have other services to provide full security coverage.

AWS Inspector: Fantastic at scanning base builds. It is not very customizable and is very expensive at scale.
AlienVault is great at ingesting and processing information from multiple sources. It is excellent at monitoring AWS "things" out of the box, such as user management, network traffic through load balancers, or monitoring devices with sensitive data. I was surprised at how easy this was to start using immediately after purchase. This was a huge selling point. We had tools in place to monitor much of our environment, except AWS. Once the AlienVault system was in place, the rest happened naturally. It's now the most critical security system that we have.

It seems a bit poor when creating alarm filters that only trigger after "x" number of times. I know this can be done with escalation alerts. Keeping noisy alerts out of the UI is key to prevent alert fatigue in our more junior team members.
In general, AlienVault seems to be noisy. I'd like the ability to specify a group of users that can create security groups with sensitive ports exposed to the web, but I don't believe this is possible. I know how to do this per user. I don't believe groups are something we can specify.
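The keyword-based enrichment the review asks for, as an added example that is not part of the review or of AlienVault: a Python parser that splits an IAM access-denied message of the shape quoted above into account, principal, action and resource fields, so that noisy (identity, action) pairs can be suppressed while other denials still alert. The sample messages, the 12-digit account id, the log-stream suffix and the `SUPPRESS` list are constructed for this example.

```python
import re
from typing import Dict, Optional

# Constructed samples, modelled on the IAM access-denied message quoted in the
# review; the 12-digit account id and the log-stream suffix are placeholders.
SAMPLE_LAMBDA = (
    "User: arn:aws:sts::123456789012:assumed-role/qe-lambda-role/"
    "qe-batch-run-dev-frontend_batch_runner is not authorized to perform: "
    "logs:CreateLogStream on resource: arn:aws:logs:us-east-1:123456789012:"
    "log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:"
    "log-stream:2019/05/30/[$LATEST]PLACEHOLDER"
)
SAMPLE_IAM = (
    "User: arn:aws:iam::123456789012:user/deploy-bot is not authorized to "
    "perform: iam:AddUserToGroup on resource: arn:aws:iam::123456789012:group/admins"
)

# Shape of the standard IAM AccessDenied message: principal ARN, action, resource ARN.
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::(?P<account>\d{12}):\S+) "
    r"is not authorized to perform: (?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) "
    r"on resource: (?P<resource>arn:aws:\S+)"
)

# (identity, action) pairs known to be benign noise; hypothetical suppression list.
SUPPRESS = {("qe-lambda-role", "logs:CreateLogStream")}


def enrich_access_denied(message: str) -> Optional[Dict[str, str]]:
    """Split an AccessDenied message into filterable fields, or None if it is not one."""
    m = DENIED_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    # Resource part of the principal ARN: "assumed-role/<role>/<session>" or "user/<name>"
    resource_part = fields["principal"].split(":", 5)[5]
    segments = resource_part.split("/")
    fields["principal_type"] = segments[0]  # assumed-role, user, role, ...
    fields["identity"] = segments[1] if len(segments) > 1 else ""
    fields["session"] = segments[2] if len(segments) > 2 else ""
    fields["service"] = fields["action"].split(":")[0]
    return fields


def should_alert(fields: Optional[Dict[str, str]], suppress=SUPPRESS) -> bool:
    """Alert on every parsed denial except the (identity, action) pairs listed as noise."""
    if fields is None:
        return False
    return (fields["identity"], fields["action"]) not in suppress
```

Run `should_alert(enrich_access_denied(line))` over each syslog or CloudTrail message; the Lambda sample is suppressed, the IAM group change still alerts.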