USM SaaS implementation for AWS and linux instances
Overall Satisfaction with AlienVault USM
We use AlienVault USM across our entire organization, which includes 5 separate SaaS products. At a basic level, we use the core/default functionality of AlienVault to watch our AWS account. Beyond that, we use it to collect and analyze logs for suspicious activity. The ability to track and respond to suspicious events and document them completely is super key to our organization. The reporting functionality is key in allowing me to demonstrate our processes over time to show we watch and respond to alerts.
Pros
- Log analysis, both syslog and AWS cloud trail, and searchability/reporting is actually better than most of our other related tools: All of our systems send log information using rsyslog to our AlienVault USM system. AlienVault is able to alert us of many issues with minimal configuration, including adding/removing users to sensitive groups, creating or removing resources such as EBS volumes, S3 buckets, or security groups.
- AWS loadbalancer traffic/log analysis: AlienVault automatically identifies threatening IPs or entries that match suspicious traffic patterns.
- The ability to search the many logs AlienVault collects in a way that even novice users can follow is super valuable. Logs can be quickly sorted by source, log type, and/or keyword searches. There have been many occasions where we were able to find non-security related issues due to the simple yet advanced search abilities of AlienVault. This has led to the challenge of deciding when and how long to allow non-security personnel access for troubleshooting.
Cons
- AlienVaults lack of support for Docker may be its undoing at my company. It clearly stands above other products that fit our company, but we are adopting Docker at an ever-increasing rate. I don't want to support multiple security products, so it would be super cool if a solution to this challenge were found quickly.
- Enriching data is super key to allowing us to set up alerts for and filer events. This process is rather painful. This significantly increases the cost of maintaining AlienVault. Specifically, several auditd and standard AWS logs do not allow me to filter based on keywords in the message.
- Here is one example:
- User: arn:aws:sts::2#########:assumed-role/qe-lambda-role/qe-batch-run-dev-frontend_batch_runner is not authorized to perform: logs:CreateLogStream on resource: arn:aws:logs:us-east-1:#########:log-group:/aws/lambda/qe-batch-run-dev-frontend_batch_runner:log-stream:2019/05/30/[$LATEST]########################
- The ability to configure AlienVault to run security scans using SSH on systems is prohibitively difficult to use, especially when using a Bastion.
- Making OSSIM work is a huge pain. I could not find AlienVault documentation that covers how things work and how to properly integrate it.
Qualys was a well-packaged product that was easy to implement. It was expensive and lacked a lot of the alerting and log searching abilities.
The other products listed are not complete and would need to have other services to provide full security coverage.
AWS Inspector: Fantastic at scanning base builds. It is not very customizable and is very expensive at scale.
The other products listed are not complete and would need to have other services to provide full security coverage.
AWS Inspector: Fantastic at scanning base builds. It is not very customizable and is very expensive at scale.
Comments
Please log in to join the conversation