AlienVault USM for Small Business
Jeremy Cejka
November 13, 2019


Score 4 out of 10
Vetted Review
Verified User

Software Version

USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

The business problem it addresses is derived from governance and compliance set by the USG and the DFARS regulations to have a SIEM. I have experience with paid products such as QRadar and Splunk, and open source products such as Graylog/ELK/Wazuh/Security Onion. This is a department tool to consume the whole organization's security-related data. We currently use it as the SIEM.
  • It's a decent log aggregator.
  • Does correlation between events well, if set up correctly.
  • Control on attribute mapping within USM Anywhere or fully disclose the mappings between ingested raw logs and attributes those values map to, in order to be searchable, and give power to the end user to create meaningful alerts and queries for the right content.
  • Notifications for alerts tend to lack the essentials to make a determination off of the email. Oftentimes alerts within cloud products are benign and part of the user experience and behavior, but get classified as violations, because they meet the criteria of equivalent alerts that are actionable.
Not at all. The use of USM was picked by directors and the owner above me because of the other activities that prohibited the setup of a customizable SIEM. It does its job, but again my biggest gripe is with the inability to create attribute mappings that make sense, and/or the inability to make meaningful alert/notification rules because the internal processing of logs maps it to an attribute that either doesn't make sense or isn't in the drop-down. The GUI also doesn't help in allowing the end user to make heads or tails of the mapping because the search criteria isn't the same as the viewable attribute name.

OSSIM products give you full control. It would be easier if one had more resource to instantiate their own OSSIM appliance and then subscribe to the AlienVault or other Threat exchange feeds.

Everything wrong with USM is the inconsistencies between attribute mappings, the creation of those attributes, the naming convention for those attributes on the front and back end, and the mismatch between the front and backend attribute names.
It's a catch-22 whether AlienVault has provided a reduction in work to detect security threats. I don't believe this is unique to AlienVault in the sense that there are always false positives, more than true hits. So it's just a shift in the work to then invalidate a threat notification. Businesses that want security overlook the amount of work a security department requires. Unless you outsource the SOC work, mitigating the work in the SIEM does not alleviate the need or work a SOC has to do.
To be honest, AlienVault is run of the mill. I can get more power out of Graylog/ELK and pay for the threat exchanges they have, and still have complete control over how my SIEM works for me. AlienVault USM isn't a bad product, but as an end user you give up too much control and get little back from the company when it comes to attribute mapping. Also not a fan of the updates that break my appliance for a couple of days, which falls in the category of control. I think USM is a good starter for small companies needing a SIEM where resources otherwise prohibit having someone/something better. As businesses grow and compliance becomes more instituted, the business's needs may be very unique, where AlienVault may not be able to satisfy the burden of their specific SIEM needs.

Using AlienVault USM

200 - Development, DevOps, Business OPs, Business Development, Testing, C suite, HR, IT
2 - Jack of all trades IT with a specialization in Security.

Support from the desktop to the Internet and everything in between. You cannot adequately make a security boundary and policy without 1) understanding the end users' needs, 2) understanding the end users' behavior (specific to the end user) 3) the business needs 4) the business procedures on what they expect from the end user and the rules that govern the end user 5) the services and applications (infra) the end user consumes to complete their job 6) and the security requirements in between.
  • DFARS compliance
  • Threat mitigation
Renewing AlienVault hinges on 1) pricing year to year (now that it's part of AT&T we shall see how much price hike that takes it) 2) finding a comparable on-prem solution.

Evaluating AlienVault USM and Competitors

We did not have an OSSIM / SIEM product in place prior to USM.
  • Price
  • Product Usability
  • Existing Relationship with the Vendor
Yes. I'd probably not select USM personally because of the lack of control over the attributes.

It took 4 months from the help desk/engineering to get them to distribute the mapping guide, and even then it was lacking. I had to go back and re-request it and waited another 2 months.

That's 6 months of potential holes we had to address specific threats within our environment that are unique to our environment.