IT Central Station is now PeerSpot: Here's why

AlienVault OSSIM OverviewUNIXBusinessApplication

AlienVault OSSIM is #12 ranked solution in top Security Information and Event Management (SIEM) tools. PeerSpot users give AlienVault OSSIM an average rating of 8 out of 10. AlienVault OSSIM is most commonly compared to AT&T AlienVault USM: AlienVault OSSIM vs AT&T AlienVault USM. AlienVault OSSIM is popular among the large enterprise segment, accounting for 46% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a comms service provider, accounting for 28% of all views.
Buyer's Guide

Download the Security Information and Event Management (SIEM) Buyer's Guide including reviews and more. Updated: June 2022

What is AlienVault OSSIM?

AlienVault OSSIM, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, AlienVault OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.

AlienVault OSSIM was previously known as OSSIM.

AlienVault OSSIM Customers

Council Rock School District

AlienVault OSSIM Video

Archived AlienVault OSSIM Reviews (more than two years old)

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
Research Assistant at a tech services company with 51-200 employees
Real User
Integrates more easily than other SIEM solutions, however the GUI needs improvement
Pros and Cons
  • "Better than other SIEM solutions because almost everything can be integrated."
  • "GUI could be improved."

What is our primary use case?

Our primary use case is for research purposes. For now, we're just playing with it and there's a potential learning curve regarding use of AlienVault as an SIEM solution. We plan to analyze different open source solutions to test strengths and weaknesses. We are customers of AlienVault and I'm a research assistant. 

What is most valuable?

A very good feature of AlienVault OSSIM is that it has many domains that can be integrated from different solutions. For example, if we have a firewall and I want to connect it with the AlienVault OSSIM, there is already a grid affecting that. From that perspective, it's a very good solution in that almost everything can be integrated and that makes it better than other SIEM solutions. The great thing is that the networking configuration features are good and integrations don't need to be done manually. Of course it's possible but there's an automatic option for configuring networks and there's a plug in for different kinds of solutions. Network security firewalls, IDS, and the like are things that already exist. 

What needs improvement?

The GUI could be improved, and the solution could include a specialization tool. The correlation engine and the scalability of this product should be improved. And then I think it also needs to have the grid potential because when we talk about SIEM it's not just a few machines, it's hundreds and that means thousands of logs so the product should be more easily scalable. The features I would like to see included will take some time to implement because the solution is open source and these are promotional products. On a basic level I'd like to see an open source visualization tool or a commercial visualization tool. 

For how long have I used the solution?

I've been using this solution for one year. 
Buyer's Guide
Security Information and Event Management (SIEM)
June 2022
Find out what your peers are saying about AT&T, Elastic, Splunk and others in Security Information and Event Management (SIEM). Updated: June 2022.
608,713 professionals have used our research since 2012.

What do I think about the stability of the solution?

I'd say the stability of the solution is moderate. 

How are customer service and support?

The documentation provided was not sufficient, so we worked it out by ourselves. 

How was the initial setup?

The initial setup was not so easy, partly because the documentation was not up to date. You end up learning from your mistakes. Deployment took us more than six months.  We have an open source intrusion detection system which is connected to it and endpoint systems. We implemented by ourselves, there are two people in the company with expertise in this area. 

What other advice do I have?

Those who are looking for a solution like this one should first conduct a survey. There are other solutions which are quite capable of doing similar things, even open source solutions. If a company can afford a commercial solution, they should go for that rather than for an open source solution. It requires an expert to assess the situation. A small mistake can lead to a big problem; opensource is there for those who know what they're doing.  If you're looking to add another feature, you need to have strong coding because tweaking them is not simple. I'm in a technical team so that's my perspective. I would rate this solution a six out of 10. 

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Jim Poehlman - PeerSpot reviewer
Chief Wealth Cybersecurity Architect at PWcyber
Real User
Free to use but doesn't offer many integrations and doesn't have technical support
Pros and Cons
  • "The dashboard is the solution's most valuable aspect. It brings everything into one central point where I can actually look at it and go, "Okay, I understand what's going on.""
  • "I would like the solution to be able to integrate with my firewall, my IDS and my Honeypot solutions so that it can provide real-time reporting as things occur and then have alert sent to me on my phone when suspicious activity is happening."

What is our primary use case?

We primarily use the solution just to analyze events that occur based on security events.

How has it helped my organization?

I can't really discuss how this helps my organization. I'm running this from my home, so this is not a business I'm using it for. What I do is I log in infrequently to the device or to the service and I check and see if there's anything that's anomalous or anything that is of concern. 

What is most valuable?

The dashboard is the solution's most valuable aspect. It brings everything into one central point where I can actually look at it and go, "Okay, I understand what's going on."

The solution works well and allows me to have visibility into anomalous events.

What needs improvement?

I'm not sure if there's anything on the solution that needs improvement.

I would like the solution to be able to integrate with my firewall, my IDS and my Honeypot solutions so that it can provide real-time reporting as things occur and then have alert sent to me on my phone when suspicious activity is happening.

For how long have I used the solution?

I've only been using the solution for about a year.

What do I think about the stability of the solution?

The solution is very stable. It runs well and there are no issues that I can see that would make me concerned about its stability. I haven't faced any bugs or crashes that would make me worry.

What do I think about the scalability of the solution?

The solution is largely scalable. I'd rate it at about a seven out of ten in terms of how well you can expand it. 

There is room for improvement, but that's only because it depends upon the data that's feeding in. You have to understand that it's a collector. It collects data, it analyzes data. It's only going to be as good as the data you give it.

How are customer service and technical support?

The solution is free to use and therefore doesn't offer technical support.

Which solution did I use previously and why did I switch?

I didn't previously use a different solution, at least not at my house.

How was the initial setup?

The initial setup was very straightforward. I didn't run into any problems or complexities at all.

I maintain the solution myself. It doesn't require a lot of maintenance or man-hours to keep it running properly.

What about the implementation team?

I didn't use a reseller or integrator to assist me. I was able to handle the process from beginning to end on my own.

What's my experience with pricing, setup cost, and licensing?

The solution is free to use.

Which other solutions did I evaluate?

I didn't evaluate any other options. I already knew enough about them, and this was the only free solution, which is why I chose it.

What other advice do I have?

I would advise others to not implement it for any enterprise-level organization. However, it would definitely be a good solution for a small business environment.

I would rate the solution five out of ten. It's free, so there isn't support, first of all. Second of all, it doesn't have all the integrations that I would hope for. And thirdly, because since AT&T bought them, I worry AT&T will ultimately destroy the product. I don't like AT&T.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Security Information and Event Management (SIEM)
June 2022
Find out what your peers are saying about AT&T, Elastic, Splunk and others in Security Information and Event Management (SIEM). Updated: June 2022.
608,713 professionals have used our research since 2012.
Tamer Serag Ahmed - PeerSpot reviewer
Co-Founder at Besafe Technology
Consultant
Data correlation and vulnerability assessment help protect our customers against malicious activity
Pros and Cons
  • "The most valuable features of this solution are the data correlation and vulnerability assessment."
  • "The price of this solution is very high and it could be cheaper."

What is our primary use case?

We are a solution provider and this is one of the products that we implement for our clients.

Our clients use this SIEM solution to collect and analyze logs that are generated by different appliances or different machines. It is a correlation tool for event management that gathers all of the events in your environment. This includes different hardware and different operating systems. There are rules in AlienVault that might be triggered based on the logs, and you can tell when there is a security attack or something else that is malicious that comes to your network. These types of events raise a flag and send a notification.

Our clients include banks and other financial institutions.

There are two versions of AlienVault. One is a community edition and the other requires a license. We are dealing with the licensed version and a hybrid-cloud environment.

What is most valuable?

The most valuable features of this solution are the data correlation and vulnerability assessment.

What needs improvement?

The price of this solution is very high and it could be cheaper. Normally it is sold to financial institutions, which is why it is high.

For how long have I used the solution?

I first implemented this solution in 2012, seven years ago.

What do I think about the stability of the solution?

This solution is very stable. It runs on a Linux box and you only interface with it through the GUI. It works behind the scenes. It has never crashed in the time that I have used it.

What do I think about the scalability of the solution?

Scalability is very good. It integrates with a number of other products, such as the help desk.

How are customer service and technical support?

Technical support for this solution is very good. They are now owned by AT&T Security, and their people do a pretty good job.

What about the implementation team?

We implement this solution for our customers.

We have a team of twenty engineers. Some work on infrastructure, while others handle security products. I am the head of the security team.

What's my experience with pricing, setup cost, and licensing?

There are two versions of AlienVault available. The Community Edition is free, and the other version requires a license. The licensing fees for the non-community edition are paid on an annual basis, and there are no costs in addition to this.

What other advice do I have?

There is a cloud version of this solution available, called AlienVault USM Anywhere, which defends data that is outside of the premises.

The OSSIM version is an open-source product, unlike AlienVault USM, or the cloud version, AlienVault USM Anywhere. You have to rely on the community for support. If you are a business or a bank or a financial institution then it would be better to go with the licensed version. You get support 24/7, while with the community you cannot find this support. On the other hand, an individual who is using it and can handle the issues should go with OSSIM because it's almost free. As long as you can handle problems, such as when it stops working, that you can fix over a couple of days or during the weekend, then it is fine. 

I would rate this solution a ten out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Denis L - PeerSpot reviewer
Sales Solutions Engineer at a tech services company with 51-200 employees
Reseller
Integration with OTX enables us to see which IPs are malicious
Pros and Cons
  • "OSSIM is the only solution that includes the large number of modules that we need: a vulnerability scanner, a network IDS system, a host IDS system."
  • "We need more dashboards and we need more customization for dashboards."

What is our primary use case?

The primary use case is local action, vulnerability scanning, and usage of Network IDS. We use some process and correlation rules for our business our customers' businesses.

How has it helped my organization?

When we forward in-traffic from our one interface to Network IDS in OSSIM, we can see all of the requests that we have to and from that interface. Because of integration with Open Threat Exchange from AlienVault, we see which IPs from these requests are malicious and we can use these IPs to block them on our firewall.

What needs improvement?

We need more dashboards and we need more customization for dashboards. It would be great if they would improve in this area.

What do I think about the stability of the solution?

The stability of OSSIM is not bad. Because it is an open-source version of a commercial product, it has some restrictions on the size of infrastructure that you can integrate with it. But if you don't go beyond these restrictions, it has great stability.

What do I think about the scalability of the solution?

The server is the "brain" of the system, and there are the sensors. They are like collectors of information for the server. It depends on the size of the business and on geographical issues connected to the business. You can install sensors in all of your branch offices and the server in your main office and it works well in this type of deployment.

How are customer service and technical support?

Great guys. They work fast and they have great experience with their solutions and give great support.

Which solution did I use previously and why did I switch?

OSSIM was the first solution that I used in this area.

I started to work with its commercial brother, AlienVault USM. When I started to use that, I received some question from my customers about comparing USM and OSSIM. So at the time, I started to use OSSIM, to learn it and compare it with USM. I needed to answer the question, "Why do we need to pay AlienVault money to use their commercial product when they have open-source?" I needed to know the differences.

How was the initial setup?

The initial setup is really straightforward. It's like a Windows program: "Next, next, next, and finish." I don't remember if it was in the open-source versions or the commercial, but it may be that in OSSIM you also have results that can help you with the initial configuration. But overall, the initial setup and configuration are really easy.

In terms of how long the setup took, it's a more complex question. We need to integrate modules such as Network IDS, we need to install agents, we need to perform the initial configuration of OSSIM. For example, we need to configure the SPAN port and send traffic from some of our network devices to AlienVault OSSIM. It can take one hour or one day. It depends on the environment and the size of infrastructure and the size of the business. You may have one firewall or 100 firewalls. It doesn't take a lot of time, but depending on the size of the business, it may take from one hour to a day or two.

When it comes to maintenance of the solution, it also depends on the size of the business. In some companies, where there are 100 users and a small room with servers, you need only one administrator for this system, for maintenance and deployment and everything. But when there is a big company with a big number of employees, 1,000-plus, we may need some more people for deployment and for maintenance.

What about the implementation team?

I've done the setup by myself. In some types of deployments, when I have questions, I also include guys from the AlienVault team, but I haven't had to use them many times.

What's my experience with pricing, setup cost, and licensing?

OSSIM is free.

Which other solutions did I evaluate?

I didn't look at other options. OSSIM is the only solution that includes the large number of modules that we need: a vulnerability scanner, a network IDS system, a host IDS system. The solution also provides us with a correlation engine for our logs. This is the best option on the market and I didn't see any similar solutions.

What other advice do I have?

I used this product for about a year. It was on-premise.

My advice is to just read the manual. OSSIM is very simple. If you know why you need to use it, you will be happy.

The biggest lesson is that the logs are "power." In these logs, with a good normalization engine, you can find so much very useful information about your infrastructure, sometimes about your employees, and about your business-critical processes.

I would rate the solution at ten out of ten. It's really the best open-source CM on the market. It's simple, it has OTX integration. OTX, the Open Threat Exchange, is also a great product from AlienVault. It's like Facebook for indicators of compromises. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
BonganiMkwananzi - PeerSpot reviewer
Owner & Cyber Security Consultant at Sekurisor
Consultant
Great solution for checking vulnerabilities, and it's free to use, but the initial setup is a bit tricky
Pros and Cons
  • "The open vault component and the checking of vulnerabilities are the most valuable features. The page management helps with this. If you know how your device is vulnerable at least you can do something about it."
  • "The initial setup was a bit complex. You've got to do a lot of reading. It's not an intuitive implementation."

What is our primary use case?

We primarily use the solution just to check on devices. OSSIM does a lot of different things to help with this, including a bit of analytics, vulnerability testing, assessment, etc.

What is most valuable?

The open vault component and the checking of vulnerabilities are the most valuable features. The page management helps with this. If you know how your device is vulnerable, at least you can do something about it.

What needs improvement?

It's not easy to add a device that doesn't have a steady IP. Particularly when you're not putting a sensor on-site. When you have a sensor on-site, then that sensor speaks to the main sensor. We are trying to look for quality devices that give a dynamic IP, so it makes it practically impossible to add a new device.

If there was a way to do dynamic DNS, I think that would help.

For how long have I used the solution?

I've been using the solution for almost one year.

What do I think about the stability of the solution?

The stability of the solution is fine.

What do I think about the scalability of the solution?

Scalability can be a bit tricky, especially for network devices. We have about 150 devices on the solution right now that I am monitoring.

Which solution did I use previously and why did I switch?

We didn't previously use another solution.

How was the initial setup?

The initial setup was a bit complex. You've got to do a lot of reading. It's not an intuitive implementation. The deployment didn't take a long time, however.

What about the implementation team?

I handled the implementation myself.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source, so it's free to use.

Which other solutions did I evaluate?

We did evaluate another solution.

What other advice do I have?

We use the cloud deployment model. I have a server that I subscribe people to.

I would advise others to consider, if they get more customers, to do the commercial version the OSSIM from AlienVault. It's now part of AT&T, so there's a lot of support.

I would rate the solution seven out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Kuzey Aksu - PeerSpot reviewer
Information Security Manager at a financial services firm with 201-500 employees
Real User
A cost-effective, stable solution that offers timely technical support
Pros and Cons
  • "You pay monthly for the solution. I think it's one of the best products. If you compare with other companies, like LogRhythm, etc., the top 8 or 10 CMs, I think Alien Vault has the best price-performance ratio."
  • "The user interface could be improved."

What is most valuable?

AlienVault's features are all quite valuable. Using the CM to get post pay logs and lateral pay logs to a connection is also helpful.

What needs improvement?

The biggest thing I always complain about is that the user intake is a very old version. In cloud versions, it is very good, but for on-premises versions, it's not so good. If they want to improve the on-premises version, they should upgrade the SQL.

The user interface could be improved.

For how long have I used the solution?

I've been using the solution for 18 months.

What do I think about the stability of the solution?

The solution is very stable. We've never had any availability issues. Our consultant used a 12 core CPU, but he only used half of it.

What do I think about the scalability of the solution?

From a scalability perspective, it's very good software. It is very scalable because it has a very flexible architecture. You can connect one source in one server, and then you can connect four additional ones off that. You can put one on in front of it and you can put four under it and you can put four each off of that, etc. It's pretty open to scalable architecture.

How are customer service and technical support?

Technical support was very good. They've always responded on time.

How was the initial setup?

The initial setup wasn't too complicated. We didn't have any problems.

What about the implementation team?

We implemented the solution with the help of a consultant.

What's my experience with pricing, setup cost, and licensing?

You pay monthly for the solution. I think it's one of the best products. If you compare with other companies, like LogRhythm, etc., the top 8 or 10 CMs, I think AlienVault has the best price-performance ratio.

What other advice do I have?

We use the on-premises deployment model.

I would rate the solution nine out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
S Mustafa Afzouni - PeerSpot reviewer
Development Manager at a tech services company with 51-200 employees
Real User
A free solution with an easy installation, but the system is slow

What is our primary use case?

I primarily use the solution for securing my traffic and the SIEM.

What is most valuable?

The fact that it is free is the most valuable aspect of the solution.

What needs improvement?

It's under heavy traffic. If you have heavy traffic, the system is slow. 

For how long have I used the solution?

I've been using the solution for two years.

What do I think about the scalability of the solution?

The scalability of the solution is okay. We have about 100 users right now.

How are customer service and technical support?

Technical support is fine, but if you have a problem, for example, if you have to decode or fix some bugs, you have to manage it yourself.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The initial setup was straightforward. I didn't have any problems.

What about the implementation team?

I implemented the solution myself.

What's my experience with pricing, setup cost, and licensing?

The solution is free to use.

Which other solutions did I evaluate?

We didn't evaluate other options before choosing this solution.

What other advice do I have?

The installation is easy, but it's not very compatible with some of our other solutions. Still, it's okay, it's very good. It integrates well with ELK.

I would rate the solution six out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
MohamedMohsen - PeerSpot reviewer
Founder & CEO at MnZ Technology Solutions
Reseller
Full fledged solution where everything comes in one box
Pros and Cons
  • "With AlienVault you get everything in one box."
  • "Sometimes technical issues take very long to get resolved."

What is our primary use case?

Our primary use case for AlienVault is incident management. We started as a customer because one of our companies worked on it. Eventually, we started reselling the service. 

What is most valuable?

What I like about this product, is that it is a fully-fledged solution. I don't need to buy any complementary products, everything comes in one box.

What needs improvement?

I would like to see an improvement in their threat exchange database because the OTX is not the best thing in the marketplace. There are better solutions. So if they could enhance our feature development, it would make the product much better. 

For me, the user interface is very important, because the simpler the user interface is, the easier it is to find candidates to run the operation. If the user interface is very complicated, you need to expose your technical people to very intensive training in order to understand the system and to get the output right. So, from a user perspective, I would say the simpler the user interface, the better the product, especially for security issues. You need to let your tech people concentrate on the incident rather than on how to use the software to get the answer.

Lastly, if technical issues could be resolved faster, it would be a huge improvement. 

For how long have I used the solution?

We've been using this solution for two years now.

What do I think about the stability of the solution?

This solution is about 90% stable. I do have a problem with vulnerability.

What do I think about the scalability of the solution?

It's a very scalable product. I will say it is 100% scalable. It is currently managing the entire security of the firm, but it's managed by four members of our staff because it's a 24/7 operation. Three of them work shifts, and one of them is the supervisor. 

How are customer service and technical support?

I will give their technical support 80%. Although I am not completely satisfied, their response is good. I give their response 100% because whenever you open a ticket, you get communication on the spot. But sometimes it takes very long for your issue to get resolved. And that's why I'm only giving them 80%.

Which solution did I use previously and why did I switch?

We also used IBM QRadar before, but we did not get proper support and that's why we switched to AlienVault. 

How was the initial setup?

The initial setup was rather complex and it took us about a day to finalize everything. When we did the deployment, we had some support from AlienVault. And eventually, when we installed it for our customers, our technical team did it by themselves. They didn't require any kind of support from AlienVault.

What's my experience with pricing, setup cost, and licensing?

The price was good and it matched out budget at that stage.

Which other solutions did I evaluate?

We looked at ArcSight as an option at the beginning, but the pricing was not what we were looking for. And we don't have the proper channel to sell ArcSight in Egypt. That's why we decided to go to AlienVault.

What other advice do I have?

If anybody asked me if am I happy with AlienVault, I would say that it is a very good product. Frankly speaking, if anybody asked me about QRadar or ArcSight I will say the same, but it requires lots of training and you need to have a source for the product and for the pricing, otherwise, you will end up paying an enormous amount of money.

With AlienVault you get everything in one box. I will rate this product an eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Operating Officer at a insurance company with 201-500 employees
Reseller
Top 20
A good open-source solution for small setups, but needs more analytic functionality
Pros and Cons
  • "The solution has a very good open source community, and whenever we have problems, we are always able to resolve it online."
  • "The solution needs more integration with cyber intelligence systems."

What needs improvement?

The solution needs more integration with cyber intelligence systems. 

Our customers want to use a single tool for managing cybersecurity. We want integration with existing tools and integration with newer tools that offer the ability to manage or to identify security vulnerabilities in a gateway system or firewall. Basically, we want the solution to offer configuration management. 

I would want it to be integrated with lasting search, in terms that it could gather a lot of intelligence and dump it into the database. Also, it would be useful if we were able to run analytics on the solution. If they can integrate it with an analytic function it would be better.

For how long have I used the solution?

I've been using the solution for four years.

What do I think about the stability of the solution?

I haven't had time to compare the stability to other solutions, but for our purposes it's okay.

How are customer service and technical support?

You need to pay for technical support, but I didn't pay for it, so I can't say much about it. The solution has a very good open source community, and whenever we have problems, we are always able to resolve it online.

How was the initial setup?

The initial setup was straightforward. 

There wasn't any complexity. The only issue we had was when we installed it on a virtual layer. We found a way around it, however. It was the open-source virtualization that gave us trouble. There was a workaround and we applied it and it was okay.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source. You need to pay for support if you want it.

What other advice do I have?

We use the on-premises deployment model.

We have a small setup. It's an environment that supports only about 20 users, so, it's not really a complex setup.

I would give the solution a rating of seven out of ten. I believe if I paid for the support I'd get a higher quality of software and other additional functionalities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cyber Security Specialist at AEC
Real User
A good, stable open-source solution for small environments
Pros and Cons
  • "The solution is very stable. Compared to Qradar and Splunk, it's very stable."
  • "The user interface needs to be friendlier across the board."

What is our primary use case?

I primarily use the solution for log collection.

What is most valuable?

AlienVault sometimes works like an appendix. It's not accurate in most cases, but we use an agent like WinCollect to collect logs. We collate the information. The solution is fast-acting when it comes to collecting the logs, and for all the inter-process work.

What needs improvement?

The log collection is okay, but tracing the logs or tracing the events is a bit difficult. It's not user-friendly. A user must be an expert and must know how to give the logs, how to configure the system, etc. He has to be an expert on this product.

The user interface needs to be friendlier across the board. Also, I would prefer if the kill chain scenario with every event was not stacked. I need to be able to do an SQL query and figure out where the event came from and tag to the source and destination. I cannot see this easily as it is right now.

For how long have I used the solution?

I've been using the solution for 1.5 years.

What do I think about the stability of the solution?

The solution is very stable. Compared to Qradar and Splunk, it's very stable.

How are customer service and technical support?

I've never had to use technical support.

Which solution did I use previously and why did I switch?

I previously used QRadar and Splunk.

How was the initial setup?

I'm not sure how difficult the initial setup was, but it did take a very long time to implement.

What's my experience with pricing, setup cost, and licensing?

The solution is open-source, so there are no licensing costs.

What other advice do I have?

I've used this for a small environment, and it was amazing. I'm currently converting to QRadar now because I am expanding. I am handling more than 30,000 events per second. I can't use Alien Vault, as it's too high a threshold.

I do recommend the solution, however, for those with small environments that don't handle as many events. It works great for anything under 1,000 events per second.

I would rate the solution eight out of ten.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
RajaniKant Singh - PeerSpot reviewer
CISO with 1,001-5,000 employees
Real User
Provides threat alerts on harmful code in the network
Pros and Cons
  • "The threat alerts it gives me from time to time on harmful code within the network, or if they are generating any network traffic, are very useful."
  • "It takes some time. It does not give me a prompt response for any such [malicious] traffic. It takes time to get that alert from the AlienVault system."

What is our primary use case?

I use it for monitoring. I use it for getting alerts on various malicious activities, if there are such on my network. I'm using the free version of this product, OSSIM.

As a media company, we follow MPAA, which is a set of controls for media businesses. The other set of compliance that we follow is DPP. We use AlienVault to comply to their standards.

How has it helped my organization?

We have various media organizations from which we get data into our network and then it goes out. If you put any control, any device, or anything to sense the traffic, it will say that it's malicious traffic, because of the nature of most of the traffic that we generate. We usually upload or download TV shows or films, they go in and out. The same size of IP packets increase because of the kind of transfer that we do.

In addition to that, we also are into broadcasting. We send the data to broadcasting stations, and from there it gets broadcasted on air.

It has really helped find critical vulnerabilities in our network at times. There was a brute force attack, a web attack, and I was able to discover that using AlienVault. There was a WannaCry in one of my systems, a trojan, and it was generating traffic towards the WannaCry domain. I was able to see that through the AlienVault system. It was not immediate. It was after almost three days that I was able to discover that there was a vulnerability within our network.

What is most valuable?

The threat alerts it gives me from time to time on harmful code within the network, or if it is generating any network traffic, are very useful. However, it takes some time. It does not give me a prompt response for any such traffic. It takes time to get that alert from the AlienVault system.

I'm using it for discovering assets every day. If there are any changes in my network, I give it additional subnets which have been added. It adds all the assets to my dashboard.

What needs improvement?

I find it very useful when it is for a small or mid-size enterprise. The problem I see in this product is that it is not meant for a large business or for managing critical business services.

AlienVault-like products are not meant for businesses like the banking sector or insurance and places that require strong regulatory compliance, in my experience, because of delays in response. And sometimes it is very complicated to configure this for specific requirements. Writing APIs, etc. takes time. On the other hand, if you look into other products in the market, it's easy to write APIs or integrate them with other database services or middleware and your application layer services, and get the alerts.

It does not help me to respond to the threats all the time. That's why we are also working with Splunk. Splunk is used by one of our service providers and we can directly ask them to use Splunk instead of any other SIEM solutions.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

I find it to be stable. That's why I'm using it. Given that it's free of cost, whatever it gives us is more than enough.

What do I think about the scalability of the solution?

I haven't explored scalability very much but the scalability is open. It's scalable up to a level where we can manage a mid-size business. As I said earlier, it is not suitable for the banking sector at all, because they require stringent controls and monitoring, real-time monitoring, which this tool doesn't have; at least, I haven't seen it. Perhaps it's my bad that I haven't seen this tool give me a proper response, on time. It takes time for it to give a response.

Which solution did I use previously and why did I switch?

I've used and evaluated QRadar vs AlientVault very extensively - I was working with IBM. I used it for ten years. I used and have compared ArcSight vs AlienVault as well, at my previous organization. At that organization, I also deployed AlienVault because I am comfortable with AlienVault.

Those competitors to AlienVault are very user-friendly, their interfaces are very user-friendly. They have multiple options such as generating reports and getting immediate alerts.

If somebody changes the privileges in the system or some code changes the privileges in the system, AlienVault is lacking there. Machine-learning and artificial intelligence are things that AlienVault should explore. If those were added to it, no product could replace it.

How was the initial setup?

My setup is very complex. The network is segmented and configured differently for different customers.

The initial deployment started around two years ago. It took around one-and-a-half years to make this product stable and to talk to each and every device in my network and give me some sort of report which would actually give me the right posture of my security status. I did the complete deployment myself.

The implementation strategy was there and that's why it took a long time. We were also engaged in other business activities, so it took a long time to make this into a proper deployment.

What about the implementation team?

We didn't have any third-parties involved. It was all mine. I started with the web, through YouTube, through various other social media, and a couple of people who used it earlier. I now have several years of experience. That has helped me a lot in getting this deployed.

What was our ROI?

There is a financial value. It's giving me some value and I've already had a good amount of results on AlienVault products. I deployed it at multiple stations, three or four cities in India, two in the US, and one in the UK. I have deployed it widely because I find that it gives value for money. If I got the paid version at the right cost, I think it would be the best product available in the market for a business like ours.

What's my experience with pricing, setup cost, and licensing?

A product like Splunk will squeeze you for money if you ask them to provide similar services. So I find this solution very useful in that sense.

AlienVault pricing is the best. Whatever cost you are paying, you are getting a return on every penny. I have advised multiple friends of mine, those who are into the security arena, to go for AlienVault. It's not like your IBM, your QRadar, or Splunk, where the cost is too high.

What other advice do I have?

If your network is flat, if it is not that complicated, then you should go for it. I'm using it free of cost, so I'm very happy with AlienVault.

I'm the only one who's controlling it. I have a team of five. They are my soft team. They monitor all the alerts 24/7. It takes a team of five to maintain it. I lead the security section and among the other five, two are network specialists and three are system administrators.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Download our free Security Information and Event Management (SIEM) Report and find out what your peers are saying about AT&T, Elastic, Splunk, and more!
Updated: June 2022
Buyer's Guide
Download our free Security Information and Event Management (SIEM) Report and find out what your peers are saying about AT&T, Elastic, Splunk, and more!