TrustRadius
AlienVault USM for SMB? Sure, if you have the time or don't mind a lot of emails.
Christian Holton
Updated November 01, 2019

Score 8 out of 101
Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

We use AlienVault across the org, with accumulator appliances in two offices and in our cloud infrastructure. These devices are syslog targets and are used to scan traffic in each location. In addition, I also have deployed the AlienVault USM agent script to all servers and user systems. AlienVault sometimes notifies me of problems within integrated systems such as Sophos before that service itself. Notifications as simple as an improperly configured SSH config or something as significant as signs of SPECTRE traffic are delivered to my inbox so I may deal with these alerts ASAP.
  • AlienVault USM is THOROUGH. We have a highly integrated workspace that's mostly SaaS, and I monitor those integrations and their security with AV. If I am trying to track the uptime of a laptop, I don't go to VPN or our Directory Services... I go to AV.
  • As I mentioned before, we use Sophos to protect our laptops. If a questionable file shows up on someone's laptop, I hear about it from AlienVault before I hear about it from our Sophos service.
  • The OTX Pulse feature is a built-in feature that lets you subscribe to industries and you are notified about new threats that affect that industry on a daily basis. The pulse alerts are added to your AV watchlist.
  • Personally, I've wished I could purchase a service that would configure AV for my environment. I get a lot of traffic on a daily basis and I almost need to hire an analyst that just works on AV.
  • Some of the filters when looking for a specific alert aren't that easy to use.
AlienVault ticked the most boxes of what we wanted in a security appliance/service. It wasn't too expensive, it integrated with a lot of the SaaS services we were already using (more have been added since we started our subscription), and it was able to be present not only in our terrestrial infrastructure, but also in the cloud.
To be honest, I feel like I've just scratched the surface with AlienVault. For example, we are paying for a service that installs agents on each laptop or server that 1) notifies me when there are patches or updates, 2) notifies me when common features are configured in a way that would constitute a vulnerability (i.e. allowing password authentication in sshd_config) and 3) can automatically apply patches and reboot the machine. AlienVault can do 1 and 2 without much additional configuration and when you install the AlienVault Agent and set up some basic scripts or commands, you can mostly do 3.
I've mentioned this several times in my review. I don't think we've reached the point where I feel like I've spent enough time tuning the specifics and exploring the capabilities to their fullest. Does AlienVault excel at identifying threats? Yes, absolutely. Is the amount of work I need to do to detect security threats reduced by AlienVault? Yes, absolutely. Do I feel like I should spend weeks delving deeper into the capabilities of AlienVault and further configuring the detection engine to reduce the countless false positives that actually ADD to my workday? Yes, absolutely.

Is it significantly more likely that my organization would have suffered security breaches had AlienVault not notified me in advance? Yes, absolutely.
AlienVault is an amazing product. The only reason my rating isn't higher is that most of my colleagues work for smaller businesses where the IT staff is less than 5 people. There are a lot of moving parts to AlienVault and it is almost another job. Folks in my circle of colleagues, for the most part, don't have the bandwidth that AlienVault demands.

Using AlienVault USM

2 - As the sole SysAdmin and Security Admin, it was my responsibility to identify a vendor that met our needs: we're a small business with a large online footprint both at the front end and the back end. As such, we had been operating for far too long without any such service or device. We settled on AlienVault because it provided more than enough functionality (some of which I am still discovering) at a reasonable price.

My boss, the CIO/CTO uses the reporting functionality.
1 - Like the song "Me, Myself, and I", I'm the sole operator of AlienVault. Because of this, I don't follow up on every alert email I get from AlienVault. It's highly likely that I could (should) bring in someone to just configure and monitor AlienVault. I am constantly impressed by the little features that either have been added since we started using it or have been added. I'm sure I could replace at least one of the SaaS services we're using with features included in AV.
  • Syslog aggregation that was previously not being collected and parsed for vulnerabilities and malicious activity
  • Intrusion detection. My heart stopped when I started working here and found out that there was only a basic firewall protecting software assets and end users.
  • In depth endpoint scanning. This reveals patch updates, vulnerabilities, and improperly configured security settings that might be considered as ideal vectors for penetration.
  • Bonus: we weren't actively seeking this, but the Integrations with G Suite, Sophos, and plugins for our networking gear have been an incredible boon and greatly increased visibility into our infrastructure.
  • As I mentioned before, the Integrations and Plugins with other SaaS services we're using and plugins for other components of our infrastructure was a nice bonus feature we weren't expecting
  • We were able to configure custom alerts for our staging and production web services and cancel Papertrail.
  • This isn't in production yet, but I hope to do more work with deep scans and alerting and replace our Automox subscription.
  • I hope to further integrate AlienVault into our AWS infrastructure. We have several accounts that use VPC peering and ideally, all syslog traffic would route through the central VPC to the AlienVault collector.
  • As our Cloud Services providers keep growing, I'd consider adding another collector to those services as well.
AlienVault does a superb job as a security appliance/service. My only hesitation in giving it a higher rating is that I was not expecting it to need this much attention to configuration and setup. For what we're getting, I feel like it's worth the price we're paying, which is not insignificant. Their support is always forthcoming and helpful, and with very few exceptions, their uptime is stellar.

Evaluating AlienVault USM and Competitors

We didn't fully deploy OSSIM, but I did do a brief analysis and test run. TBH, if your organization does not have the funds to go with the fully licensed USM, I highly recommend going with OSSIM as a stepping stone.

The primary reasons we went with the full USM are support, a more robust integration and plug-in system, and the OTX subscriptions. Plus there's the fact that as a small business, I don't have a lot of time to monkey with open source resources.
  • Product Features
  • Product Usability
  • Product Reputation
  • Analyst Reports
Simple. On the graph where price is one axis and the quality and quantity of features is the other axis, USM was in the sweet spot. Other companies we reviewed either had the wrong mix of features or not enough, or didn't support Cloud computing adequately, or were prohibitively expensive. Some of them had bizarre and confusing pricing structures or were integrated with other features such as antivirus that I had already acquired and deployed.
When given the option of fish or cut bait, I would've cut bait and selected AlienVault sooner. I have a hard time cutting off vendors when I've already removed them from the selection pool. AlienVault's sales team weren't too pushy and actually extended (though I can't make that promise for everyone) our trial.

AlienVault USM Implementation

Still a lot of things that I feel could use a lot more fine-tuning and exploration. Learn the tools and attend all the training sessions they provide, then don't stop learning. It's an amazing tool but don't let it intimidate you. Use the support team and the community for help, ideas, and finding new ways to use the tool.
Change management was minimal - We kept any perceived changes to end-users minimal and used various tools at hand to deploy scripts and agents and so on. We're actually still hammering out the finer points of our change management policy.
  • Educating my C-levels on what AlienVault is and why we need it. Again, probably a problem faced more commonly in SMBs. The AlienVault sales team was a huge help in this and didn't seem too pushy.
  • My lack of knowledge. I learn by doing and trying and usually breaking things. In this case, I forced myself to learn the tool via traditional means.
  • The sheer volume of things you can do with this tool can be daunting if you've never used it. Think of the first time you logged in to AWS or Azure and saw all those features staring at you without a clear picture of where to start.

AlienVault USM Training

The instructor was very knowledgeable and was able to answer everyone's questions. He also was able to teach to many different levels. Some folks in the class had already been using USM or a similar product whereas I and a few others were brand new. He also provided a way of reaching out with questions after the training was over. Everyone in the training seemed to enjoy the class.
I did do some further training. Their Youtube channel is helpful as well. I think someone who was a part of a larger team or someone who was more organized with their time than I am would be able to put in the extra miles in off-hours in order to get things taken care of.

AlienVault USM Support

There's nothing they don't know. Granted, I haven't had to use them too recently, but for the few oddball alarms I've experienced, the support team went above and beyond to ensure I was taken care of. We have a few VMWare servers that use CPUs with the SPECTRE vulnerability. I had no clue what some of the alerts meant that were coming from USM. Panicked, I contacted support and they were able to explain exactly what the problem was and how USM was interpreting the log data, AND how to mitigate the problem until a suitable fix was released by Intel.
Pros
  • Quick Resolution
  • Good followup
  • Knowledgeable team
  • Problems get solved
  • Kept well informed
  • Support understands my problem
  • Support cares about my success
  • Quick Initial Response

Cons
  • None
No - We already pay enough. If we had a higher incidence of alerts or were consistently hitting our log ingestion, I might consider paying for premium support. Something I'd probably pay for before paying for a support contract is on-site consultancy that can help me dig in and do a better job of configuring USM for my environment. That way, I'm certain I'd be able to remove a few things from my budget sheet.
We have a few VMWare servers that use CPUs with the SPECTRE vulnerability. I had no clue what some of the alerts meant that were coming from USM. Panicked, I contacted support and they were able to explain exactly what the problem was and how USM was interpreting the log data, AND how to mitigate the problem until a suitable fix was released by Intel.

The support engineer walked me through the vulnerability though I did have an understanding already, sent me some links of Intel's plans on resolving the problem, walked me through some settings in vSphere to disable a feature that was generating the alerts, and fine-tuned the alert to reduce the number of false-positives it was generating.

Using AlienVault USM

There's definitely a learning curve, and I strongly recommend attending the training they give you when you first sign up and the follow-up webcasts and so on to give you an edge on your training. Once you get a baseline understanding of all the moving parts, you can get in and get your hands dirty.
Pros
  • Like to use
  • Relatively simple
  • Well integrated
  • Consistent
  • Convenient
  • Feel confident using

Cons
  • Requires technical support
  • Slow to learn
  • I think it's brilliant that they've got so many third-party plugins built for log ingestion that just work. They're uncomplicated and AlienVault even helped me build my own plug-in when I found they did not have a plug-in for Ubiquiti products.
  • Regarding computer scanning, I really enjoy the system they've built centered on building a list of credentials and being able to simply right-click and deploy credentials on a given computer. Once this happens, which takes just a few moments, the same right-click menu lets you perform simple or in-depth scans on that machine.
  • The SaaS or Cloud integrations they have work well and are fairly easy to navigate and configure.
  • One of the things I found a bit unnecessarily complex is the deployment of the USM Sensors. The AWS Cloudfront deployment was especially complicated. Once it was deployed though, it's been great.
  • Suppression filters are always a challenge because it's not always clear what you need to keep from the dozen or so things listed in an alert and what you can remove and still have it be a functional filter.

Integrating AlienVault USM

Google G Suite took the longest because of the extra setup in the Google API interface.
  • G Suite
  • Sophos
  • Office365
G Suite was the most complicated because of the Google API needs. Sophos and Office365 were very simple.
  • File import/export
  • API (e.g. SOAP or REST)
Be prepared to get your hands dirty. Sometimes it's very straightforward, and sometimes not so much. You should have a decent grasp on Google API basics if you plan to integrate with G Suite.