Head of Infrastructure at Pearl Data Direct
Real User
Top 5
Community forums provide good support, but it is not user-friendly and the correlation engine needs improvement
Pros and Cons
  • "The most valuable feature is the logging capability."
  • "The correlation engine needs to be improved."

What is our primary use case?

We are using this solution for collecting logs. We are not correlating or assessing any user behavior analytics (UBA). 

What is most valuable?

The most valuable feature is the logging capability.

What needs improvement?

The correlation engine needs to be improved.

The interface is not user-friendly, which is an area for improvement.

For how long have I used the solution?

I have been using this solution for one year.

Buyer's Guide
AlienVault OSSIM
June 2025
Learn what your peers think about AlienVault OSSIM. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
857,028 professionals have used our research since 2012.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

This is certainly a scalable product.

How are customer service and support?

The Community version does not have any technical support.

We have been able to resolve some issues through the community forums.

Which solution did I use previously and why did I switch?

Previously, we did not use another similar product.

What's my experience with pricing, setup cost, and licensing?

We are using the community version, which can be used for free.

Which other solutions did I evaluate?

We have decided to implement a fully-featured SIEM solution that has all of the features, including UBA.

What other advice do I have?

Because we are using the community version, we were unable to explore features such as behavior analytics.

I would rate this solution a five out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1140594 - PeerSpot reviewer
Director at a tech services company with 51-200 employees
Real User
Very good out-of-the-box, pre-integrated features, which save us time
Pros and Cons
  • "Inbuilt IDS, inbuilt integration with threat intelligence platform and with vulnerability assessment modules."
  • "Lacking in depth of reporting."

What is our primary use case?

This product would typically be used by a client who would be looking at dipping his feet into the SIEM space and understanding how to go about setting up an SOC without putting in a large up-front investment. I'm the director of our company and we are partners with AlienVault. 

What is most valuable?

The solution offers great models with good integration and this is one of the out-of-the-box features which you're able to easily enable and get it up and running. It's a big plus for the product, because you don't have to bother your head about doing the integrations.

Other good features include an inbuilt IDS, an inbuilt integration with their own threat intelligence platform which is the OTX, and integration with the vulnerability assessment modules.

What needs improvement?

I believe this solution still has a way to go. From a management console perspective and the maturity of the dashboards, I would probably put it slightly behind some of the other players that have been in the market for ages. The leading vendors of SIEM already have a very mature user interface with evolved dashboards and reporting mechanisms. There is a lot of depth in that, but not everybody is looking for that. If your requirements are functional and you're looking for something that's easily deployable and simple to understand and manage, without the necessity of a very large team, I would choose this solution. 

An additional feature I'd like to see would be an increase in the depth of reporting. IBM has AI enabled dashboards which are supposed to be intuitive. They are difficult to configure and that's a problem, but they are very rich in terms of the information that they provide. There is a lot of granular detail and different ways in which you can slice and dice and present the same data. I would also like to see the product handle larger scale deployments and more third party integrations.

For how long have I used the solution?

I've been using this solution for three years. 

What do I think about the stability of the solution?

This is a stable solution. 

What do I think about the scalability of the solution?

It's scalable, but AlienVault is not an enterprise class solution in the sense that it cannot go beyond 15000 EPS, which limits the market that it can address. That's a drawback, but expansion might not be what the company wants and they're happy to remain in the 2000 to 3000 EPS range, in which case it's a great product for its market. 

How are customer service and technical support?

We don't use the support very much as we manage to deal with most issues in-house. The technical support they provide is okay. We haven't had too many problems but my reference point might be slightly slanted, because we don't have such a large installed base.

How was the initial setup?

The initial setup is relatively straightforward and doesn't take much time. AlienVault has its own vulnerability module and its own OTX feed. All of these are pre-integrated which makes for a speedy deployment. The issue is that these days nobody employs SIEM alone. It needs to be able to correlate information not only from its own data sources, but also from third-party data sources, like vulnerability tools, like threat intelligence feeds, like forensic data, and these third party integrations add to implementation time. Each situation is different and deployment time depends on the scale of the infrastructure. 

What other advice do I have?

Most of the SOC or SIEM enterprise class products are very expensive, whereas with OSSIM you can start out with a smaller setup and then expand as you wish. It's great because you get a pre-integrated, ready to run platform, which you can deploy. You don't have to bother about the integrations too much. This platform provides an adequate level of experience for that kind of an integrated intelligence gathering in any IT setup at a reasonable cost. It makes the entry easier for somebody who's not so well versed in these technologies and so on. I think that's the principal use case for AlienVault's product line.

Make sure to choose the right partner to do the implementation. It's important that they know and understand the technology. They should have a very good understanding of the tool as well as an understanding of the security and operations space so that they are able to deliver on what you want to achieve as an outcome. 

I would rate this solution an eight out of 10. 

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Chief Wealth Cybersecurity Architect at PWcyber
Real User
Free to use but doesn't offer many integrations and doesn't have technical support
Pros and Cons
  • "The dashboard is the solution's most valuable aspect. It brings everything into one central point where I can actually look at it and go, "Okay, I understand what's going on.""
  • "I would like the solution to be able to integrate with my firewall, my IDS and my Honeypot solutions so that it can provide real-time reporting as things occur and then have alerts sent to me on my phone when suspicious activity is happening."

What is our primary use case?

We primarily use the solution just to analyze events that occur based on security events.

How has it helped my organization?

I can't really discuss how this helps my organization. I'm running this from my home, so this is not a business I'm using it for. What I do is I log in infrequently to the device or to the service and I check and see if there's anything that's anomalous or anything that is of concern. 

What is most valuable?

The dashboard is the solution's most valuable aspect. It brings everything into one central point where I can actually look at it and go, "Okay, I understand what's going on."

The solution works well and allows me to have visibility into anomalous events.

What needs improvement?

I'm not sure if there's anything on the solution that needs improvement.

I would like the solution to be able to integrate with my firewall, my IDS and my Honeypot solutions so that it can provide real-time reporting as things occur and then have alerts sent to me on my phone when suspicious activity is happening.

For how long have I used the solution?

I've only been using the solution for about a year.

What do I think about the stability of the solution?

The solution is very stable. It runs well and there are no issues that I can see that would make me concerned about its stability. I haven't faced any bugs or crashes that would make me worry.

What do I think about the scalability of the solution?

The solution is largely scalable. I'd rate it at about a seven out of ten in terms of how well you can expand it. 

There is room for improvement, but that's only because it depends upon the data that's feeding in. You have to understand that it's a collector. It collects data, it analyzes data. It's only going to be as good as the data you give it.

How are customer service and technical support?

The solution is free to use and therefore doesn't offer technical support.

Which solution did I use previously and why did I switch?

I didn't previously use a different solution, at least not at my house.

How was the initial setup?

The initial setup was very straightforward. I didn't run into any problems or complexities at all.

I maintain the solution myself. It doesn't require a lot of maintenance or man-hours to keep it running properly.

What about the implementation team?

I didn't use a reseller or integrator to assist me. I was able to handle the process from beginning to end on my own.

What's my experience with pricing, setup cost, and licensing?

The solution is free to use.

Which other solutions did I evaluate?

I didn't evaluate any other options. I already knew enough about them, and this was the only free solution, which is why I chose it.

What other advice do I have?

I would advise others to not implement it for any enterprise-level organization. However, it would definitely be a good solution for a small business environment.

I would rate the solution five out of ten. It's free, so there isn't support, first of all. Second of all, it doesn't have all the integrations that I would hope for. And thirdly, since AT&T bought them, I worry AT&T will ultimately destroy the product. I don't like AT&T.

Which deployment model are you using for this solution?

On-premises
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Co-Founder at Besafe Technology
Consultant
Data correlation and vulnerability assessment help protect our customers against malicious activity
Pros and Cons
  • "The most valuable features of this solution are the data correlation and vulnerability assessment."
  • "The price of this solution is very high and it could be cheaper."

What is our primary use case?

We are a solution provider and this is one of the products that we implement for our clients.

Our clients use this SIEM solution to collect and analyze logs that are generated by different appliances or different machines. It is a correlation tool for event management that gathers all of the events in your environment. This includes different hardware and different operating systems. There are rules in AlienVault that might be triggered based on the logs, and you can tell when there is a security attack or something else that is malicious that comes to your network. These types of events raise a flag and send a notification.

Our clients include banks and other financial institutions.

There are two versions of AlienVault. One is a community edition and the other requires a license. We are dealing with the licensed version and a hybrid-cloud environment.

What is most valuable?

The most valuable features of this solution are the data correlation and vulnerability assessment.

What needs improvement?

The price of this solution is very high and it could be cheaper. Normally it is sold to financial institutions, which is why it is high.

For how long have I used the solution?

I first implemented this solution in 2012, seven years ago.

What do I think about the stability of the solution?

This solution is very stable. It runs on a Linux box and you only interface with it through the GUI. It works behind the scenes. It has never crashed in the time that I have used it.

What do I think about the scalability of the solution?

Scalability is very good. It integrates with a number of other products, such as the help desk.

How are customer service and technical support?

Technical support for this solution is very good. They are now owned by AT&T Security, and their people do a pretty good job.

What about the implementation team?

We implement this solution for our customers.

We have a team of twenty engineers. Some work on infrastructure, while others handle security products. I am the head of the security team.

What's my experience with pricing, setup cost, and licensing?

There are two versions of AlienVault available. The Community Edition is free, and the other version requires a license. The licensing fees for the non-community edition are paid on an annual basis, and there are no costs in addition to this.

What other advice do I have?

There is a cloud version of this solution available, called AlienVault USM Anywhere, which defends data that is outside of the premises.

The OSSIM version is an open-source product, unlike AlienVault USM, or the cloud version, AlienVault USM Anywhere. You have to rely on the community for support. If you are a business or a bank or a financial institution then it would be better to go with the licensed version. You get support 24/7, while with the community you cannot find this support. On the other hand, an individual who is using it and can handle the issues should go with OSSIM because it's almost free. As long as you can handle problems, such as when it stops working, that you can fix over a couple of days or during the weekend, then it is fine. 

I would rate this solution a ten out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sales Solutions Engineer at a tech services company with 201-500 employees
Reseller
Integration with OTX enables us to see which IPs are malicious
Pros and Cons
  • "OSSIM is the only solution that includes the large number of modules that we need: a vulnerability scanner, a network IDS system, a host IDS system."
  • "We need more dashboards and we need more customization for dashboards."

What is our primary use case?

The primary use case is local action, vulnerability scanning, and usage of Network IDS. We use some process and correlation rules for our business and our customers' businesses.

How has it helped my organization?

When we forward in-traffic from our one interface to Network IDS in OSSIM, we can see all of the requests that we have to and from that interface. Because of integration with Open Threat Exchange from AlienVault, we see which IPs from these requests are malicious and we can use these IPs to block them on our firewall.

What needs improvement?

We need more dashboards and we need more customization for dashboards. It would be great if they would improve in this area.

What do I think about the stability of the solution?

The stability of OSSIM is not bad. Because it is an open-source version of a commercial product, it has some restrictions on the size of infrastructure that you can integrate with it. But if you don't go beyond these restrictions, it has great stability.

What do I think about the scalability of the solution?

The server is the "brain" of the system, and there are the sensors. They are like collectors of information for the server. It depends on the size of the business and on geographical issues connected to the business. You can install sensors in all of your branch offices and the server in your main office and it works well in this type of deployment.

How are customer service and technical support?

Great guys. They work fast and they have great experience with their solutions and give great support.

Which solution did I use previously and why did I switch?

OSSIM was the first solution that I used in this area.

I started to work with its commercial brother, AlienVault USM. When I started to use that, I received some questions from my customers about comparing USM and OSSIM. So at the time, I started to use OSSIM, to learn it and compare it with USM. I needed to answer the question, "Why do we need to pay AlienVault money to use their commercial product when they have open-source?" I needed to know the differences.

How was the initial setup?

The initial setup is really straightforward. It's like a Windows program: "Next, next, next, and finish." I don't remember if it was in the open-source versions or the commercial, but it may be that in OSSIM you also have results that can help you with the initial configuration. But overall, the initial setup and configuration are really easy.

In terms of how long the setup took, it's a more complex question. We need to integrate modules such as Network IDS, we need to install agents, we need to perform the initial configuration of OSSIM. For example, we need to configure the SPAN port and send traffic from some of our network devices to AlienVault OSSIM. It can take one hour or one day. It depends on the environment and the size of infrastructure and the size of the business. You may have one firewall or 100 firewalls. It doesn't take a lot of time, but depending on the size of the business, it may take from one hour to a day or two.

When it comes to maintenance of the solution, it also depends on the size of the business. In some companies, where there are 100 users and a small room with servers, you need only one administrator for this system, for maintenance and deployment and everything. But when there is a big company with a big number of employees, 1,000-plus, we may need some more people for deployment and for maintenance.

What about the implementation team?

I've done the setup by myself. In some types of deployments, when I have questions, I also include guys from the AlienVault team, but I haven't had to use them many times.

What's my experience with pricing, setup cost, and licensing?

OSSIM is free.

Which other solutions did I evaluate?

I didn't look at other options. OSSIM is the only solution that includes the large number of modules that we need: a vulnerability scanner, a network IDS system, a host IDS system. The solution also provides us with a correlation engine for our logs. This is the best option on the market and I didn't see any similar solutions.

What other advice do I have?

I used this product for about a year. It was on-premise.

My advice is to just read the manual. OSSIM is very simple. If you know why you need to use it, you will be happy.

The biggest lesson is that the logs are "power." In these logs, with a good normalization engine, you can find so much very useful information about your infrastructure, sometimes about your employees, and about your business-critical processes.

I would rate the solution at ten out of ten. It's really the best open-source CM on the market. It's simple, it has OTX integration. OTX, the Open Threat Exchange, is also a great product from AlienVault. It's like Facebook for indicators of compromise.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
Owner & Cyber Security Consultant at Sekurisor
Consultant
Great solution for checking vulnerabilities, and it's free to use, but the initial setup is a bit tricky
Pros and Cons
  • "The open vault component and the checking of vulnerabilities are the most valuable features. The page management helps with this. If you know how your device is vulnerable at least you can do something about it."
  • "The initial setup was a bit complex. You've got to do a lot of reading. It's not an intuitive implementation."

What is our primary use case?

We primarily use the solution just to check on devices. OSSIM does a lot of different things to help with this, including a bit of analytics, vulnerability testing, assessment, etc.

What is most valuable?

The open vault component and the checking of vulnerabilities are the most valuable features. The page management helps with this. If you know how your device is vulnerable, at least you can do something about it.

What needs improvement?

It's not easy to add a device that doesn't have a steady IP. Particularly when you're not putting a sensor on-site. When you have a sensor on-site, then that sensor speaks to the main sensor. We are trying to look for quality devices that give a dynamic IP, so it makes it practically impossible to add a new device.

If there was a way to do dynamic DNS, I think that would help.

For how long have I used the solution?

I've been using the solution for almost one year.

What do I think about the stability of the solution?

The stability of the solution is fine.

What do I think about the scalability of the solution?

Scalability can be a bit tricky, especially for network devices. We have about 150 devices on the solution right now that I am monitoring.

Which solution did I use previously and why did I switch?

We didn't previously use another solution.

How was the initial setup?

The initial setup was a bit complex. You've got to do a lot of reading. It's not an intuitive implementation. The deployment didn't take a long time, however.

What about the implementation team?

I handled the implementation myself.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source, so it's free to use.

Which other solutions did I evaluate?

We did evaluate another solution.

What other advice do I have?

We use the cloud deployment model. I have a server that I subscribe people to.

I would advise others to consider, if they get more customers, to do the commercial version of OSSIM from AlienVault. It's now part of AT&T, so there's a lot of support.

I would rate the solution seven out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Information Security Manager at a financial services firm with 201-500 employees
Real User
A cost-effective, stable solution that offers timely technical support
Pros and Cons
  • "You pay monthly for the solution. I think it's one of the best products. If you compare with other companies, like LogRhythm, etc., the top 8 or 10 CMs, I think AlienVault has the best price-performance ratio."
  • "The user interface could be improved."

What is most valuable?

AlienVault's features are all quite valuable. Using the CM to get post pay logs and lateral pay logs to a connection is also helpful.

What needs improvement?

The biggest thing I always complain about is that the user intake is a very old version. In cloud versions, it is very good, but for on-premises versions, it's not so good. If they want to improve the on-premises version, they should upgrade the SQL.

The user interface could be improved.

For how long have I used the solution?

I've been using the solution for 18 months.

What do I think about the stability of the solution?

The solution is very stable. We've never had any availability issues. Our consultant used a 12 core CPU, but he only used half of it.

What do I think about the scalability of the solution?

From a scalability perspective, it's very good software. It is very scalable because it has a very flexible architecture. You can connect one source in one server, and then you can connect four additional ones off that. You can put one in front of it and you can put four under it and you can put four each off of that, etc. It's pretty open to scalable architecture.

How are customer service and technical support?

Technical support was very good. They've always responded on time.

How was the initial setup?

The initial setup wasn't too complicated. We didn't have any problems.

What about the implementation team?

We implemented the solution with the help of a consultant.

What's my experience with pricing, setup cost, and licensing?

You pay monthly for the solution. I think it's one of the best products. If you compare with other companies, like LogRhythm, etc., the top 8 or 10 CMs, I think AlienVault has the best price-performance ratio.

What other advice do I have?

We use the on-premises deployment model.

I would rate the solution nine out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Development Manager at a tech services company with 51-200 employees
Real User
A free solution with an easy installation, but the system is slow
Pros and Cons
  • "The initial setup was straightforward. I didn't have any problems."
  • "It's under heavy traffic. If you have heavy traffic, the system is slow."

What is our primary use case?

I primarily use the solution for securing my traffic and the SIEM.

What is most valuable?

The fact that it is free is the most valuable aspect of the solution.

What needs improvement?

It's under heavy traffic. If you have heavy traffic, the system is slow. 

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the scalability of the solution?

The scalability of the solution is okay. We have about 100 users right now.

How are customer service and technical support?

Technical support is fine, but if you have a problem, for example, if you have to decode or fix some bugs, you have to manage it yourself.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The initial setup was straightforward. I didn't have any problems.

What about the implementation team?

I implemented the solution myself.

What's my experience with pricing, setup cost, and licensing?

The solution is free to use.

Which other solutions did I evaluate?

We didn't evaluate other options before choosing this solution.

What other advice do I have?

The installation is easy, but it's not very compatible with some of our other solutions. Still, it's okay, it's very good. It integrates well with ELK.

I would rate the solution six out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user