Augmenting Security Effectiveness with a SIEM Automation Platform
Todd Fletcher
September 11, 2019

Score 10 out of 10
Vetted Review
Verified User

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

I have implemented USM Anywhere as our company SIEM. Additionally, I was working to extend its functionality with Gartner's SOAR principles. The primary business drivers (problems) include controlling costs, mitigation of risk, and supporting agile business initiatives. It is utilized by the security team to monitor all business information systems.
  • Deployment is quick
  • Normalization of log data and threat identification is effective and simple to understand.
  • Vulnerability analysis along with CVE identification is better than Nessus
  • Investigations feature is robust
  • Cloud sensor deployment and capabilities are robust
  • Custom plugin creation/modification by the user is missing. If log data is unknown to the platform, the process of getting a new plugin developed is lengthy. It would be ideal if the user could create custom plugins for their own platform.
  • Asset discovery adds every IP address in a subnet even if no host is present. The detection method is flawed. I don't have this issue on the same network with other asset discovery tools.
  • SaaS performance can be slow. When listing items more than 20 at a time, the UI refresh can be painfully slow.
As a SIEM, USM is easier and more user friendly than Splunk. However, Splunk isn't only geared for security. As a network engineering tool, USM isn't a good fit. We use both. Nessus is a great vulnerability scanning tool. But it does not serve the wider purpose of USM, which is a unified security tool. We consider using both as a defense in depth principle. It would be amazing if we could ingest a Nessus scanning results tile into AlienVault to augment the security visibility in USM!
So far, I have not used a better tool for event correlation. Highlighting the events that have possible malicious intent and placing them in a kill chain has been very valuable. It provides an augmentation to an analyst's effectiveness.
This is the primary purpose of implementing this tool. Leveraging the automation of ingestion, normalization and analysis allows our limited security staff to focus on relevant events. Additionally, I have begun forwarding events from our DLP and endpoint protection tools to USM to improve the centralized monitoring and handling of threat detection. More time is now spent on handling the possible malicious events than on sifting through data finding them.
For an organization around 300 to 500 in size, it is a great tool. I feel that adding some network topology scanning and configuration features would allow it to deal with more complex networks better.