AlienVault USM for SMB? Sure, if you have the time or don't mind a lot of emails.
Updated November 01, 2019
AlienVault USM for SMB? Sure, if you have the time or don't mind a lot of emails.
Score 8 out of 10
Vetted Review
Verified User
Software Version
USM Anywhere (SaaS)
Overall Satisfaction with AlienVault USM
We use AlienVault across the org, with accumulator appliances in two offices and in our cloud infrastructure. These devices are syslog targets and are used to scan traffic in each location. In addition, I also have deployed the AlientVault USM agent script to all servers and user systems. AlienVault sometimes notifies me of problems within integrated systems such as Sophos before that service itself. Notifications as simple as an improperly configured SSH config or something as significant as signs of SPECTRE traffic are delivered to my inbox so I may deal with these alerts ASAP.
- Alienvault USM is THOROUGH. We have a highly integrated workspace that's most SAAS, and I monitor those integrations and their security with AV. If I am trying to track the uptime of a laptop, I don't go to VPN or our Directory Services... I go to AV.
- As I mentioned before, we use Sophos to protect our laptops. If a questionable file shows up on someones laptop, I hear about it from AlienVault before I hear about it from our Sophos service.
- The OTX Pulse feature is a built-in feature that lets you subscribe to industries and you are notified about new threats that affect that industry on a daily basis. The pulse alerts are added to your AV watchlist.
- Personally, I've wished I could purchase a service that would configure AV for my environment. I get a lot of traffic on a daily basis and I almost need to hire an analyst that just works on AV.
- Some of the filters when looking for a specific alert aren't that easy to use.
AlienVault ticked the most boxes of what we wanted in a security appliance/service. It wasn't too expensive, it integrated with a lot of the SaaS services we were already using (more have been added since we started our subscription), and it was able to be present not only in our terrestrial infrastructure, but also in the cloud.
Using AlienVault USM
2 - As the sole SysAdmin and Security Admin, it was my responsibility to identify a vendor that met our needs: we're a small business with a large online footprint both at the front end and the back end. As such, we had been operating for far too long without any such service or device. We settled on AlienVault because it provided more than enough functionality (some of which I am still discovering) at a reasonable price.
My boss, the CIO/CTO uses the reporting functionality.
My boss, the CIO/CTO uses the reporting functionality.
1 - Like the song "Me, Myself, and I", I'm the sole operator of AlienVault. Because of this, I don't follow up on every alert email I get from AlienVault. It's highly likely that I could (should) bring in to just configure and monitor AlienVault. I am constantly impressed by the little features that either have been added since we started using it or have been added. I'm sure I could replace at least one of the SaaS services we're using with features included in AV.
- Syslog aggregation that was previously not being collected and parsed for vulnerabilities and malicious activity
- Intrusion detection. My heart stopped when I started working here and found out that there was only a basic firewall protecting software assets and end users.
- In depth endpoint scanning. This reveals patch updates, vulnerabilities, and improperly configured security settings that might be considered as ideal vectors for penetration.
- Bonus: we weren't actively seeking this, but the Integrations with G Suite, Sophos, and plugins for our networking gear have been an incredible boon and greatly increased visibility into our infrastructure.
- As I mentioned before, the Integrations and Plugins with other SaaS services we're using and plugins for other components of our infrastructure was a nice bonus feature we weren't expecting
- We were able to configure custom alerts for our staging and production web services and cancel Papertrail.
- This isn't in production yet, but I hope to do more work with deep scans and alerting and replace our Automox subscription.
- This isn't in production yet, but I hope to do more work with deep scans and alerting and replace our Automox subscription.
- I hope to further integrate AlienVault into our AWS infrastructure. We have several accounts that use VPC peering and ideally, all syslog traffic would route through the central VPC to the AlienVault collector.
- As our Cloud Services providers keep growing, I'd consider adding another collector to those services as well.
Evaluating AlienVault USM and Competitors
- Product Features
- Product Usability
- Product Reputation
- Analyst Reports
Simple. The graph where the price is one axis and the quality and quantity of features is the other axis, USM was in the sweet spot. Other companies with reviewed either had the wrong mix of features or not enough, or didn't support Cloud computing adequately, or were prohibitively expensive. Some of them had bizarre and confusing pricing structures or were integrated with other features such as antivirus that I had already acquired and deployed.
When given the option of fish or cut bait, I would've cut bait and selected AlienVault sooner. I have a hard time cutting off vendors when I've already removed them from the selection pool. AlienVault's sales team weren't too pushy and actually extended (though I can't make that promise for everyone) our trial.
AlienVault USM Implementation
- Implemented in-house
Change management was minimal - We kept any perceived changes to end-users minimal and used various tools at hand to deploy scripts and agents and so on. We're actually still hammering out the finer points of our change management policy.
- Educating my C-levels on what AlienVault is and why we need it. Again, probably a problem faced more commonly in SMBs. The AlienVault sales team was a huge help in this and didn't seem too pushy.
- My lack of knowledge. I learn by doing and trying and usually breaking things. In this case, I forced myself to learn the tool via traditional means.
- The sheer volume of things you can do with this tool can be daunting if you've never used it. Think of the first time you logged in to AWS or Azure and saw all those features staring at you without a clear picture of where to start.
AlienVault USM Training
- Online training
I did do some further training. Their Youtube channel is helpful as well. I think if someone who was a part of a larger team or someone who was more organized with their time than I am would be able to put in the extra miles in off-hours in order to get things taken care of.
AlienVault USM Support
| Pros | Cons |
|---|---|
Quick Resolution Good followup Knowledgeable team Problems get solved Kept well informed Support understands my problem Support cares about my success Quick Initial Response | None |
No - We already pay enough. If we had a higher incidence of alerts or were consistently hitting our log ingestion, I might consider paying for premium support. Something I'd probably pay for before paying for a support contract is on-site consultancy that can help me dig in and do a better job of configuring USM for my environment. That way, I'm certain I'd be able to remove a few things from my budget sheet.
We have a few VMWare servers that use CPUs with the SPECTRE vulnerability. I had no clue what some of the alerts meant that were coming from USM. Panicked, I contacted support and they were able to explain exactly what the problem was and how USM was interpreting the log data, AND how to mitigate the problem until a suitable fix was released by Intel.
The support engineer walked me through the vulnerability though I did have an understanding already, sent me some links of Intel's plans on resolving the problem, walked me through some settings in vSphere to disable a feature that was generating the alerts, and fine-tuned the alert to reduce the number of false-positives it was generating.
The support engineer walked me through the vulnerability though I did have an understanding already, sent me some links of Intel's plans on resolving the problem, walked me through some settings in vSphere to disable a feature that was generating the alerts, and fine-tuned the alert to reduce the number of false-positives it was generating.
Using AlienVault USM
| Pros | Cons |
|---|---|
Like to use Relatively simple Well integrated Consistent Convenient Feel confident using | Requires technical support Slow to learn |
- I think it's brilliant that they've got so many third-party plugins built for log ingestion that just work. They're uncomplicated and AlienvVault even helped me build my own plug-in when I found they did not have a plug-in for Ubiquiti products.
- Regarding computer scanning, I really enjoy the system they've built centered on building a list of credentials and being able to simply right-click and deploy credentials on a given computer. Once this happens, which takes just a few moments, the same right-click menu let's you perform simple or in-depth scans on that machine.
- The SaaS or Cloud integrations they have work well and are fairly easy to navigate and configure.
- Some of the things I found a bit unnecessarily complex is the deployment of the USM Sensors. The AWS Cloudfront deployment was especially complicated. Once it was deployed though, it's been great.
- Suppression filters are always a challenge because it's not always clear what you need to keep from the dozen or so things listed in an alert and what you can remove and still have it be a functional filter.
Integrating AlienVault USM
- G suite
- Sophos
- Office365
G Suite was the most complicated because of the Google API needs. Sophos and Office365 were very simple.
- File import/export
- API (e.g. SOAP or REST)
Be prepared to get your hands dirty. Sometimes it's very straightforward, and sometimes not so much. You should have a decent grasp on Google API basics if you plan to integrate with G Suite.