AlienVault USM - A Solid Tool to Launch Your SecOps Program
Frank DePaola | TrustRadius Reviewer
July 19, 2019

Score 7 out of 10

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

AlienVault is a great SIEM for organizations that are either new to security operational logging and wish to purchase a sound solution at a lower price point, or those with a smaller staff and potentially smaller IT budget that wish to buy a solution that can accomplish many different tasks. Our use of the platform extends across the global organization. We have documented multiple use cases that we are working through within the AlienVault platform, such as vulnerability management and scanning, malware detection on clients and servers, malicious network traffic moving laterally and vertically throughout our environment, etc. As is the case with any SIEM, it is only as effective as the log sources it ingests allow it to be. We are pulling in Windows client and server event logs (filtered to specific EventIDs), DNS, DHCP, AWS CloudTrail/CloudWatch logs, NIDS sensor logs, and firewall logs, and are also working to integrate the solution with other corporate systems to extend its capability, such as our ITSM. AlienVault is pretty feature-rich compared to other SIEM solutions, but those features are mostly good, not great. There is also a growing list of 3rd-party integrations, which can make the solution even stronger. With that said, there are other SIEM solutions that offer more flexible deployment models, have more 3rd-party integrations, and offer more extensibility in terms of holistically supporting the incident response process. Our organization has found AlienVault to work pretty well for us, as this is the first SIEM the business has deployed. Additionally, we are early on in the process of cybersecurity program development, so AlienVault's inclusion of features such as vulnerability scanning and file integrity monitoring extends its value.
  • Feature-rich: includes functionality not typically present in other SIEMs, such as vulnerability scanning, UEBA, file integrity monitoring, and NIDS.
  • Simple to configure and deploy.
  • Relatively inexpensive compared to other enterprise SIEM solutions.
  • While there are many features, many of them are not very advanced. Vulnerability scanning, as an example, is extremely simplistic and almost unusable for an enterprise organization. It's just enough to get a program off the ground.
  • Cloud-only deployment model (SaaS) may not fit all organizations. Not all organizations are "cloud friendly".
  • Reporting capabilities out of the box are lackluster. Vulnerability management reporting, as an example, does not include a single canned report.
With the exception of SolarWinds, AlienVault USM is far easier to administer and support, but far less extensible. LogRhythm and Splunk are going to offer far more advanced capabilities in the way of deployment models, features, and automation. Also, other solutions will likely require a larger team to support, while AlienVault USM can be supported by smaller teams.
As in most situations, you get out what you put in. AlienVault is not going to surface every malicious activity occurring in an environment right out of the box. There is plenty of work to be done to get log sources ingested in a prioritized manner, to get basic rules tuned, and to integrate it with other solutions where it makes sense. This maturity can take years to put in place in many cases. Once AlienVault USM is set up and tuned properly and has all log sources ingested, it is very good at finding things in an environment. It requires constant maintenance going forward, however, to ensure that as tech landscapes change, the alarm rules are properly configured and new ones are added.
Our organization has achieved this benefit. We send all security-related log sources to AlienVault, including our corporate antivirus solution, DNS security solution, Windows logs, etc. Having all of this information in a single platform offers the ability to search through disparate logs while investigating an event. The simplicity of doing this in a single platform is significant. Also, as we configure and deploy more advanced alarm or event rules, the solution becomes even more valuable in this way. Once again, it's all about the time and energy that you invest in building the solution to be as effective as it can be in your environment.
AlienVault USM is well suited for smaller organizations or organizations of any size that are just lifting their security operations or security monitoring program off the ground.

AlienVault USM is less appropriate for more mature organizations that have the staff to support more advanced security operational capabilities or engage in advanced threat hunting. It is also less appropriate for organizations that want more ability to add internally developed functionality to their SIEM through scripting or other automated response activities.