June 10, 2019

AlienVault and an honest comparison to Darktrace

Overall Satisfaction with AlienVault USM

We are using AlienVault USM as the cornerstone of our layered security model. We use it for Incident Management, Event Logging and Anomaly Detection.

We have a Global Security Operations Centre and are deploying AlienVault globally. We want to standardize our security incident responses globally to ensure that we can implement a true 'follow the sun' model. AlienVault has a global presence and we want to leverage that capability to support our security teams.
  • Excellent feedback and reviews from external organisations and in-house experience
  • Good value for money
  • A reliable, all-round tool to avoid duplication / overlap with other products
  • Allowed us to build a security tool-set without wasting money on duplicated (and unused) functions
  • Global presence
  • Other products, like Darktrace, provide exceptional automatic isolation and intrusion protection. I want AlienVault to provide equivalent protection / isolation to protect environments out of working hours (public holidays etc)
  • External threat monitoring is a great way to identify threats mobilizing before they attack (horizon monitoring). Intsights provides this for a fee, but I would like to see a capability for monitoring key assets, such as domain names, C-Suite personnel etc.
  • Some simple mechanisms to reduce white noise. We are gradually improving our filtering, but machine learning (aka Darktrace) would be helpful to allow the system to 'learn' behaviours and then allow them to be filtered by an administrator. Full AI learning is difficult (hence the costs for Darktrace), but a configuration dashboard to reduce 'noise' should be easy to deliver, rather than having to edit and apply filters individually.
  • Dashboards for ISO27001 and PCI. ISO27001 KPIs such as Threats Detected, Threats automatically prevented, Threats requiring human intervention etc are simple and should be easy to provide.
  • Anything you can do to link with Vulnerability Management, such as Nessus, Cyberark DNA etc would be helpful. Currently these are managed separately, but would be great if these could be integrated for running routine scans from a single dashboard, or reporting on a dashboard.
AlienVault does not compare to Darktrace anomaly detection with Antigena. This is a superb product but does not include a SIEM.

AlienVault includes SIEM and anomaly detection, although less mature than Darktrace. I hope and expect that AlienVault orchestration can work towards the performance of Darktrace, but I'm not entirely confident that it will be able to do so. AlienVault is cheaper, and selecting your product avoided paying for unused functionality. But... Darktrace have agreed to match the AlienVault pricing for me if your orchestration fails to deliver!

We are happy to work with AlienVault to help mature the orchestration capability if that would be of interest.
Anomaly detection seems good, but there are a lot of false positives until the filtering is perfected. Unfortunately the filtering management is a huge overhead on teams until it is fine tuned. Anything to assist with bulk filter changes would help.

Off-network monitoring would be helpful - a selectable client which allowed activity to be tracked could be useful, particularly where split-horizon networks exist. This could just provide a summary of traffic / sites visited which may be inadvertently bypassing corporate controls (such as corporate cloud storage, webmail etc). This would help us provide awareness and training for users to explain the associated risks.