PeerSpot user
Security Architecture and Operations Lead at a university with 1,001-5,000 employees
Real User
AlienVault helped take us from semi-Pro to Pro

What is most valuable?

The NIDS/HIDS features have probably been the best features for us in our environment. We've had some open-source options and, while they work, it isn't the same as having commercial support. SIEM is the second-most useful feature.

How has it helped my organization?

We've been able to professionally generate alerts for IDS, SIEM and vulnerabilities where we didn't have those capabilities before.

What needs improvement?

Reporting still needs a lot of work, especially on the vulnerability side. Vulnerability management UI could be improved as well.

Vulnerability reports are clunky and difficult to manage. The layout is not really professional or intuitive and takes some time to understand how to navigate it. In general, while there are some customization options with reporting features as far as look and feel, reports still have an “open source” feeling. In general, the look is not as clean and professional as what one is used to seeing in other, similar products.

For how long have I used the solution?

I have used it for 16 months.

Buyer's Guide
USM Anywhere
June 2025
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,711 professionals have used our research since 2012.

What was my experience with deployment of the solution?

We have not encountered any deployment issues.

What do I think about the stability of the solution?

We encountered one stability issue. With the amount of log data we were sending, our sensor drives were filling up within a day or two. We had to create some cron jobs to ensure logs were rotated more frequently.

What do I think about the scalability of the solution?

We have not encountered any scalability issues. You just add another sensor; pretty easy.

How are customer service and support?

Customer Service:

Customer service is excellent! Always very responsive.

Technical Support:

Technical support is excellent! Always very responsive.

Which solution did I use previously and why did I switch?

We used Nexpose for vulnerability management and moving away from that was the primary reason we went with AlienVault.

How was the initial setup?

Initial setup was very easy for the most part. We were paired with a third-party vendor for onboarding. We didn't work well with this group, but AlienVault happily transferred our service hours to another group and that relationship worked much better for us.

What about the implementation team?

An in-house team implemented it.

Which other solutions did I evaluate?

Before choosing this product, we did not evaluate other options., we looked at Nessus SecurityCenter with Log Management.

What other advice do I have?

We've been very happy with the purchase. While the list of supported vendors in the SIEM continues to grow, I do wish that creating plugins was a little easier.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you, Aaron, for your review & comments.

it_user557325 - PeerSpot reviewer
InfoSec at a tech services company with 1,001-5,000 employees
Consultant
Cost effective solution.

AlienVault is a full-featured, cost-effective SIEM that provides quality threat intelligence for a lot less than the competition. I knocked off a point [from my rating] for the learning curve compared to some of the competition and another point for the lack of native user behavior analytics, but for the money you really can't do any better.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you for your feedback & comments!

PeerSpot user
SOC Lead / Sr. SOC Analyst at a tech services company with 501-1,000 employees
MSP
Out of the box features for easy asset discovery, vulnerability scans, IDS setup are all beneficial.

What is most valuable?

AlienVault's out-of-the-box features for easy asset discovery, vulnerability scans and IDS setup are all beneficial, but the feature we find most valuable is the main dashboard, for how the information is bubbled up and presented to us.

How has it helped my organization?

With AlienVault we have been able to reduce lag times by not having to invest in specialized research, for which we rely on AlienVault Security Labs and OTX (Open Threat Exchange).

What needs improvement?

With all the great features AlienVault has to offer, it would be nice to see improved search query functionality, similar to ELK stack.

For how long have I used the solution?

18 months+

What was my experience with deployment of the solution?

Easy setup out of the box as it comes as a virtual appliance. 

What do I think about the stability of the solution?

Solid platform built on a Debian system.

What do I think about the scalability of the solution?

Haven't been able to break it yet.

How is customer service and technical support?

5 Stars

Disclosure: My company has a business relationship with this vendor other than being a customer. We are a part of the MSSP program.
PeerSpot user
it_user3405, Partner at a tech services company with 51-200 employees
Real User

I would like to see root cause analysis and big data relationships as part of the overall solution.

Also, the query should feed into a larger data matrix of solutions where they feed into machine learning solutions to address the problem - intelligent situational awareness.

it_user465876 - PeerSpot reviewer
Information Systems Network Technician at a local government with 501-1,000 employees
Vendor
Allows for log management, vulnerability scanning, and file integrity monitoring.

What is most valuable?

It's a single solution that is meeting the needs of multiple of my PCI compliance objectives.

How has it helped my organization?

I was able to replace our log management solution with this product. A single server that allows for log management, vulnerability scanning, and file integrity monitoring.

What needs improvement?

The alarms section of the USM is very robust, yet I still find myself having to look back through the events to find more details. It would be nice if I could navigate straight to the event from the alarm.

For how long have I used the solution?

I've been using it for six months.

What do I think about the stability of the solution?

I had a renegade plugin that was installed by the company who helped me with the initial setup. The plugin was missing a command to rotate logs and would quickly fill my hard drives to capacity. Fortunately, AlienVault support identified the problem and reported the issue to the designers. I opted to not run that plugin anymore, and probably still will not trust it even after the rotate function is fixed.

What do I think about the scalability of the solution?

I have the ability to scale out further from where I am if necessary, so I have not had any scalability problems.

How are customer service and technical support?

10/10

Which solution did I use previously and why did I switch?

We did not previously have many of the systems that AlienVault offers. We switched to get a robust single solution.

How was the initial setup?

The initial setup is both straightforward and complex. You can get the system up and running without any outside help but you will be missing out on many of the finer detailed features if you go that route. I appreciated getting professional setup help as I do not have enough time to dedicate to just learning USM. I also attended the five day training which was very valuable.

What's my experience with pricing, setup cost, and licensing?

Speak with a rep to get the correct design. AlienVault will scale depending on the size of your environment but the licensing gets tricky when you get away from the single unified console.

Which other solutions did I evaluate?

I was not able to find any other tool that was able to meet as many needs as the AlienVault USM. I spent the entire trial testing AlienVault to make sure it would suit my needs.

What other advice do I have?

Use AlienVault's free trial of the USM. They will help you get the system installed, which is very helpful to make sure you get the best test possible.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thanks Trevor for the review & updated comments.

it_user484698 - PeerSpot reviewer
Security Consultant at a tech consulting company with 51-200 employees
Consultant
We run this product on our network 24/7 and it has helped identify important events.

How has it helped my organization?

We run this product on our network 24/7 and it has helped identify many important events. We take the security of our network very seriously, and this helps to quickly identify and lock down any potential vulnerabilities or events that could escalate.

What is most valuable?

As an information security consultant that works across many diverse networks, these features offer by far the most critical information when analysing a client’s environment for issues that need to be addressed:

What needs improvement?

My biggest challenge has always been the fine tuning that is sometimes required for some networks. It requires a solid understanding of Linux and databases and how networks work. So a non-technical user may become frustrated, or not configure the product to work at its best, and therefore miss important events. So I see room for improvement in the following -

  • Ease of deployment and configuration
  • Easier way of testing if features are working as designed, e.g. Packet analysis
  • Troubleshooting features that are not working as designed

What do I think about the scalability of the solution?

I have not yet run into any issues regarding scalability; however, I have not yet deployed this on a very large network (1000+ devices).

How is customer service and technical support?

Excellent! Every time I have had an issue, the customer and technical support has been outstanding. The support desk is always very helpful, and goes out of their way to make sure the issues are resolved whenever possible.

How was the initial setup?

The initial setup is not difficult at all, and can be done by someone with almost no technical knowledge. However, getting optimal performance from the features in AlienVault may not always be as easy.

What about the implementation team?

We deployed using our own in-house team, led by myself. Depending on what you want from the product, be prepared to do some research and tinkering in the background. What you see on the surface is actually a very small part of what you can really do with AlienVault. If you are serious about getting the best out of AlienVault, use a vendor that is well versed in deploying AlienVault (like an MSSP) as they should have the experience needed to optimise a deployment, as well as having quick and easy access to the AlienVault support. Use the 30-day trial to get a good feel for what it can do, but remember there is a lot more.

What's my experience with pricing, setup cost, and licensing?

As this product is still relatively new in South Africa, people are still learning about it, but thus far we have been able to show affordability and feasibility in every network we have deployed it on. Speak to an MSSP about a package that is affordable for your company. The product is easy to scale as your affordability improves.

Which other solutions did I evaluate?

I have actually looked at a few other products, however we decided on this product as the cost versus what you get, far outweighed any other product we looked at. Many companies can’t afford to deploy a SIEM solution from some of the top companies on the market, however no company should be without a SIEM on their network with the risks companies face today. AlienVault provided the best bang for buck.

What other advice do I have?

Remember, there are many good products on the market; however, affordability is usually a key factor. Sit down and properly analyse your network, and list expectations from whatever product you are considering. Identify what are your most critical assets, your “Crown Jewels”, and know how they need to be protected. Then look at solutions within your budget, remembering that the most expensive is not necessarily always the best. There are many world class products out there; you need to find one that will fulfil your needs, within your budget.

Also, remember running a system like this means dedicating resources to monitoring it, you can’t deploy SIEM tools and think it’s going to run itself. Don’t expect your system administrator to have time to do this as InfoSec is a full time job. Either get a skilled resource, or consider an MSSP offering.

The product is very powerful and very flexible. However certain aspects can be very challenging to setup and configure for users that don’t have in-depth technical background. The default configuration would work well for a normal office network, however for more complex networks there is a lot more configuration required for optimal performance. The product is still under very active development, and the vendor is always receptive to feedback regarding feature requests or bugs.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are an MSSP provider using this product, so we work closely with AlienVault themselves on a regular basis.
PeerSpot user
it_user737412, Security Engineer with 1-10 employees
Real User

Good, straightforward info.

it_user484701 - PeerSpot reviewer
SOC Intrusion Analyst at a tech services company with 51-200 employees
Consultant
Once we placed AlienVault into the product we have now, the time it takes to find and respond to real anomalies dropped. Creating directives is a pain.

Valuable Features

  • Raw logs
  • Alarm section
  • Security events

Improvements to My Organization

Once we placed AlienVault in the product we have now, the time it takes to find and respond to real anomalies has dropped from hours to minutes. It has so much potential to be an amazing product despite its many issues. After working with so many other SIEMs, AlienVault is among my top three favorites, and I believe it has earned that spot well.

Room for Improvement

Directives and searches within security events. So many issues with directives. Creating directives is a pain on its own, but editing them can be a nightmare filled with tedious unnecessary steps. You do not have an option to whitelist or blacklist specific traffic flows to trigger alarms (e.g. specific IP to specific IP) if your directive contains multiple alarms. A simple fix would be to allow the engineer to give "and" and "or" statements so you could get something along the lines of (SRC IP: 192.168.0.20, DST IP: 10.10.1.12 OR 10.10.1.13) AND (SRC IP: 192.168.10.5, DST IP: 10.10.2.5). Instead you have a list of source IPs and a list of destination IPs and no matter if the traffic you need to blacklist is specific, anything communicating from the source list to the destination list triggers an alarm, which is not always what you want.

A workaround for that is to split the alarm directive into separate directives for any specific flows you are looking for. Searching in security events comes with its own minor inconvenience that isn't a deal breaker; however, a simple improvement could make things orders of magnitude better: allow the analyst to decide everything they want to search for and trigger the search themselves. Right now, if you want to search something by signature, time range, and port - for example - you have to do each individually and each search forces the query to reload before you get the information set you want. E.g.: I want to search for Admin Activity Events, surrounding a specific Admin, over the last week. I need to first search for Admin activity events, which reloads the whole set of data, then search for the username, reloading the whole set of data again, then choose the last week time range, reloading again. It would make more sense to be able to package the queries I intend to use, then click something along the lines of submit. AlienVault does offer predefined searches, which is a great tool, but I think fixing the search function of the SIEM would be great.

Use of Solution

I've used it for two years.

Stability Issues

Stability issues have been around, but I feel like AlienVault does a stand up job at responding to and fixing them.

Scalability Issues

I personally haven't seen any scalability issues, though that falls out of my purview.

Customer Service and Technical Support

10/10 - the AlienVault team is great, and the community is very active.

Initial Setup

Straightforward. The guidance given in documentation sets you up for success, and the ease of adding agents to machines is phenomenal.

Implementation Team

It was done in house. Be patient, focus on getting your firewalls connected to the SIEM.

Other Solutions Considered

I have used several SIEMs, but stick with ArcSight, Splunk, and AlienVault. It is more client dependent. A big pro for AlienVault is its price point and resource requirements. Though I feel like AlienVault is best suited for small to mid-sized business.

Other Advice

Take advantage of the support team at AlienVault, and read through the documentation. If you get lost, there is a good chance the information is in there. Also, you will quickly discover the limitations of AlienVault, so you should take your time to figure out workarounds for your issues.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you for your feedback. If you would be willing to reach out to Product Marketing, please send an email to: LBarraco@alienvault.com. Lauren is always happy to hear from our customers especially on product enhancements or issues.

it_user484695 - PeerSpot reviewer
Information Security Consultant at Securepoint Nederland B.V.
Consultant
There is no complex alerting or code reviewing, just click and go.

Valuable Features

Vulnerability scanning and OTX are powerful. The alerting and security intelligence is the engine of the product. Looking at the cockpit and monitoring your IT environment is now almost a one man job. There is no complex alerting or code review, just click and go.

Improvements to My Organization

AlienVault does not stop a security breach, but it detects and notifies the responsible people and they can immediately interact and take the necessary actions. Identifying security risks and minimizing downtime is the added value.

Room for Improvement

The next release will include cloud security and it will support a hybrid IT environment, furthermore the OTX has a great added value but it will help when there is more OTX information in the database. Future releases will definitely need to improve on these items and it will position the product in a more enterprise ready strategic position.

Use of Solution

As a professional user and reseller we've used this product for almost five years, starting with the free OSSIM level for home and development use, and the all-in-one unlimited version or a small 50 asset version for our customers. Scalability is also key, starting at 25 assets for small companies and supporting enterprise companies with a separate server, sensor and logger.

Deployment Issues

It has great scalability options. The installation is almost click and go, but be aware when implementing AlienVault in a big environment with a separate sensor, logger and server, it's useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key; knowing where to position the sensors and where to place the server is key since wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.

Stability Issues

It has great scalability options. The installation is almost click and go, but be aware, when implementing AlienVault in a big environment with a separate sensor, logger and server, it would be useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key; knowing where to position the sensors and where to place the server is key, as wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.

Customer Service and Technical Support

When issues arise and the going gets tough, you can contact AlienVault directly via phone, email or web. Support is covered via the license and in our experience the technical guys (and girls) know their stuff. Real serious problems are solved via a remote VPN connection (built into the software), and the product has really improved regarding stability.

Initial Setup

The installation is pretty straightforward. Just keep in mind that it is better to plan a good architecture than to rebuild the system(s) until it works performance wise.

Implementation Team

We performed the implementation, and the training was done by AlienVault trainers. Just know your stuff and do not hesitate to contact AlienVault or a reseller.

Other Solutions Considered

Other SIEM/USM products that we use are Splunk, LogRhythm and the free OSSIM version. The first two have a different cost model and compared to AlienVault they have (or lack) the real Swiss army knife approach. Furthermore there is a big difference in costs, this is why in the end AlienVault takes the lead.

Other Advice

The price is the unique selling point for AlienVault. The product is now stable and it is a Swiss army knife packed with a lot of tools. All other professional products that compare to AlienVault are somewhat different but deliver the same result, but it is the price that tips the balance in favor of AlienVault.

Check the latest Gartner report on SIEM/USM 2016, and test the other products. Do not stick to one product for testing, but when you do not have the time to test all products (who does have the time), choose only two or three products to check out. Compare the prices and always ask for a demo.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Hi Frans - I wanted to make sure that you saw the news on 2/7/17 that we've now delivered a cloud-based USM product! www.alienvault.com

it_user484692 - PeerSpot reviewer
Security Consultant at a tech consulting company with 51-200 employees
Consultant
We have noticed outdated Java and Flash versions due to the Snort rules included in the appliance.

Valuable Features

AlienVault provides excellent visibility into your network by combining centralized logging, host-based IDS and network IDS. This enables me to detect quite a lot of potential issues that have gone through AlienVault's correlation engine and our own policies.

Improvements to My Organization

On several occasions we have detected attacks (DDoS) just as they are starting and have been able to rapidly mitigate them. We have also noticed outdated Java and Flash versions due to the Snort rules included in the appliance.

Room for Improvement

The biggest improvement they could do is to provide full support for IPv6 addressing. It currently has quite lightweight support for IPv6 addresses in the sense that it will record the source/destination addresses in all cases, but currently trying to search with IPv6 addresses is not possible and thus makes our lives harder.

Use of Solution

Including my experience with the previous version (v4) I have two years of professional experience with AlienVault.

Deployment Issues

We have not faced any large issues with the deployment.

Stability Issues

We have not faced any large issues with the stability.

Scalability Issues

The only issue is related to the volume of alarms in a system - the UI/UX for working with a large mass, starting with several hundred alarms, is suboptimal. I am hesitant to mention this as it is easily solved in the future by small UI changes.

Customer Service and Technical Support

All of the bug reports have been sent to AlienVault and have been handled with skill. At least once we got to talk to their experts who worked with us to debug the cases in our environment.

Initial Setup

There are many steps, but the steps are not complex. The biggest hurdle in the deployment/setup phase is usually gathering the actual information (assets details, services, policies) about the environment, not the installation itself.

Implementation Team

Our team did the implementation. If you have experience implementing a SIEM solution then you can implement this yourselves, otherwise you should get an external team to do it. The issue is not with the technical skills needed for the actual implementation, but the knowledge needed to know what to include, what policies to write, and what not to include.

Pricing, Setup Cost and Licensing

For licensing you will need to contact an AlienVault reseller as it is comprised of (roughly) how many events per second you are processing, how many assets you are adding, and in how many physical locations.

Other Solutions Considered

I was not part of the process. I have heard that our team had tried other products, but mostly the cost was prohibitive in those alternatives.

Other Advice

As this is a product that will give you a lot of visibility into everything you can throw at it, it is good to note that you should have good working relations with the *people* in charge of the assets you have visibility over (e.g. with network mirroring).

You will get alarms about a plethora of things you couldn't have imagined, things that people have forgotten, that have been misconfigured and that are under attack. You will need to explain the remedies and mitigations to people. And that is possibly the biggest hurdle. This product will not help you if you cannot fix the problems it finds.

It may not have the same abilities as most tools off-the-shelf but it has the best bang for buck. Unless you already have a high-quality SOC operation running, you will be able to handle probably all of your SIEM needs with AlienVault for a few years with a fraction of the price of other more complete solutions.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you for your review!
