SIEM, Event Correlation and the Vulnerability Scanner.
Senior Network and Security Consultant SI at a tech services company
We can gather all data from different devices, analyze them and extract the correct information.
What is most valuable?
How has it helped my organization?
Reduced the number of false alarms generated by other devices. With AlienVault we can gather all data from different devices, analyze them and extract the correct information.
What needs improvement?
Plugins: most plugins are not up to date with the newer versions of products.
For how long have I used the solution?
Since 2013
Buyer's Guide
USM Anywhere
June 2025

Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,711 professionals have used our research since 2012.
How are customer service and support?
We had problems with the MySQL database, but the technical support is very helpful. I'd give them a 9/10.
Which solution did I use previously and why did I switch?
Yes, but AlienVault is the more appropriate solution; it's flexible, Linux-based, and contains a large number of open source solutions.
How was the initial setup?
Simple.
What about the implementation team?
A vendor team. Don't install the solution in a virtual platform except VMware ESXi. We had a long story with AlienVault with a Proxmox Virtual Environment.
What other advice do I have?
It's a powerful solution and contains more features than other products.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Security Administrator at a comms service provider with 501-1,000 employees
The most important part of the product is the event correlation and alerting. The ability to authenticate users across multiple domains would be useful, but is not critical.
What is most valuable?
The most important part of the product is the event correlation and alerting that it provides. Sifting through tens of millions of logs a day looking for the proverbial needle in a haystack is impossible for a single person or even a team without automation.
How has it helped my organization?
Being able to identify security issues as they occur at near real time. Being able to then respond to them as soon as they occur is priceless.
What needs improvement?
We have a relatively large deployment that spans multiple locations and domains. Having the ability to authenticate users across multiple domains would be useful, but is not critical. The log query capability is pretty restrictive and I find myself searching through raw logs via command line more often than the GUI. Full logging is not supported out of the box; you will need to modify configurations to store all logs if that is your concern or a requirement of your organization. AlienVault by default only stores alert logs; this can and will bite you at some point. The IDS rules need better oversight when updated. The vulnerability scanner needs to have a power user mode that gives you a more complete interface to the vulnerability scanner (OpenVAS).
For how long have I used the solution?
3 years
What was my experience with deployment of the solution?
Most problems were due to our environment and having to utilize the built-in VPN capabilities. Once a few sensors have been added via the VPN it is pretty simple to remember how to do it.
How are customer service and technical support?
All interactions with customer service and technical support have been great. The engineering group is based in Spain and occasionally you may have timing issues with their team and yourself.
Which solution did I use previously and why did I switch?
Another group in our company used QRadar before they were bought out. The buyout created a bad enough situation that the group refused to renew with QRadar, especially when they decided after 18 months that they did not want to support the hardware that their predecessors had sold. We also trialed LogRhythm, which was a more mature product, but had its own quirks and annoyances. The largest issue I found with LogRhythm was the excessive amount of time to spend to deploy a single agent, much less repeating that process 390 times for our environment.
How was the initial setup?
We had a pretty large deployment. Most of our locations were straightforward; some were more complex due to having to route them through an MPLS connection with only limited connections to the main locations.
What about the implementation team?
We integrated through a third-party, vendor-recommended group. They caused many issues on their own, some that were not discovered for over a year. Be wary of any third party that wants to do anything with the database.
What was our ROI?
ROI for AlienVault will probably not be about the money. The return is the time saved and the intelligence that you are able to gather about your environment that you did not have before.
What other advice do I have?
Do your research in SIEM solutions and realize that it is not going to be a set and forget product. For 10 sensors like what we run there are weeks that it requires logging in and closing tickets and there are weeks where you will spend 10+ hours working on the deployment.
There are some things that are great and some that are annoying, this is not a perfect product. Most security products are never perfect especially based on different organizations that will run them.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Security Analyst at a tech company with 51-200 employees
It has a lot of capabilities, but make sure there’s someone that can devote daily time to it.
What is most valuable?
- Correlation
- Customization
How has it helped my organization?
No, but that’s not really their fault, rather ours. I think this has a lot of valuable functions that really could be leveraged quite nicely.
What needs improvement?
They have the advantage of having a large community that uses the free version, and they really could use this as a sort of beta testing population for new releases. Yet, a lot of the releases break things that are used. I think they need to do more QA before releases. For example, I have custom rules written for the Suricata function. Some releases ago, there was a code change and now every single update requires that I reinstall the custom rules, and I am still waiting for the fix. They need to either stop allowing customization (which would be a mistake) or they need to embrace that a majority of their customer base does this and put in safeguards. I understand putting in limits to what’s supported, but simple things like this are part of the appeal of the product. Another example is that a few releases back, they broke the Nagios availability monitoring portion. All the functionality to watch your systems is there, and of course, I used it. When it broke, support told me it was really only meant to watch the AlienVault system itself, yet the entire interface is there, the options to enable the monitoring on hosts are there. I believe, first of all, that what I was told was wrong as availability monitoring is one of the core functions AlienVault touts, and secondly, that they need to be more careful with testing before releasing updates. It took like two more updates before the functionality was restored.
For how long have I used the solution?
I've used it for three years.
What do I think about the stability of the solution?
Some, but they are hard to pin down. This is a system that has a lot of things that can stop working, and unless you are paying close attention to the background processes, you would never realize it.
How are customer service and technical support?
Some people are excellent, and others not so much. They also seem to sometimes have conflicting information. I often rely more on the community for answers than I do on support, depending on the issue.
Which solution did I use previously and why did I switch?
We didn't have anything in place previously.
How was the initial setup?
We had a consultant that was provided by AlienVault, which was great. Otherwise, it would have been a little confusing and though they have made improvements in the documentation, it was horrible initially.
What's my experience with pricing, setup cost, and licensing?
Fair for all of the capabilities it has.
Which other solutions did I evaluate?
We looked at some but I can't remember which ones.
What other advice do I have?
It has a lot of capabilities, but make sure there’s someone that can devote daily time to it and that there is buy in from all segments, or a majority of the capabilities become pointless.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Chief Information Security Officer at a tech services company with 51-200 employees
It's based on an open source product and therefore fully customizable.
What is most valuable?
Flexibility. As the source of AlienVault is based on an Open Source product, it is possible to implement nearly everything including fully customized plugins, scripts, etc. We haven't yet found any limitations.
How has it helped my organization?
We are now able to track any kind of threat including external (malware) or internal (people trying to bypass restrictions, USB keys etc.).
We are able to track changes in the authentication integrity (new user created, domain admin elevation, etc.) and get mail or tickets in cases of suspicious behavior.
It helps us with our ISO27001 compliance.
What needs improvement?
The search capabilities are not optimal and are going to be optimized in the next versions. For example, it is possible to search both username and IPs but not usernames and specific fields (aka user data) at the same time.
Documentation needs to be improved, especially due to the fact that AlienVault gets improved often with new features.
Vulnerability scanning does not support Nessus (after version 5), which is a leader in the market. The default vulnerability scanner is OpenVAS; it does the job but the reports are not the same quality as Nessus.
For how long have I used the solution?
3+ years
What do I think about the stability of the solution?
No stability issues were encountered.
What do I think about the scalability of the solution?
No scalability issues as the product is highly scalable. You have to take care of what you want to integrate and think of use-cases instead of global log collection. In our opinion this is the key of success as you will scale your infrastructure with what you really need.
How are customer service and technical support?
Customer Service:
Customer service can be a great help depending on the kind of project. They are very reactive for commercial offers.
Technical Support:
Technical support is good and reactive but you should also pass the training to have better knowledge of the solution.
Which solution did I use previously and why did I switch?
We chose this product because of:
- Pricing model
- Flexibility of the solution
- Multi-tier architecture/scalability
How was the initial setup?
Yes, when you don’t have experience with the product you have to learn and understand all the “concepts”. In this case AlienVault generally provides “free” technical service with third party companies to be able to operate something quickly.
What about the implementation team?
We started with the free technical support provided for the test time. Then we quickly took the product in our hands, got certified on it and became independent.
What was our ROI?
The ROI is very good if you evaluate all the services which AlienVault can help you with: detection of malware, bad activities, suspicious behavior, etc. All these threats can create high financial loss and a big part of them could be prevented using the SIEM.
What other advice do I have?
If you don’t want to overpay, and want to have something working, you have to make an assessment based on:
- what are your assets?
- what is the criticality of each one?
- what use cases do you want to implement?
From there create a plan on how to implement them to limit the number of collection to the minimum to avoid flooding of data/high costs due to over-sized infrastructure.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Director of Information Technology at a healthcare company with 51-200 employees
Simplified log analysis and log management.
Valuable Features
Alerts derived from logs.
Improvements to My Organization
Simplified log analysis and log management.
Room for Improvement
More information about what the alerts mean and how they are derived would be useful when determining their significance. Support is good to provide this information though.
Use of Solution
>12 months
Stability Issues
No.
Customer Service and Technical Support
Excellent.
Initial Setup
Fairly straightforward. It does take some time to tune the system to your environment – to prevent getting alerts on activity you find acceptable in your environment.
Pricing, Setup Cost and Licensing
They do give discounts towards the end of quarters if your renewal is due.
Other Advice
You will wonder how you lived without it.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Chief Security Officer at a financial services firm with 501-1,000 employees
The integration of IDS and OSSEC is valuable as it enables correlation between Network IDS events and host system event logs
What is most valuable?
The integration of IDS and OSSEC is valuable as it enables correlation between Network IDS events and host system event logs.
How has it helped my organization?
AlienVault USM has improved how we manage events and incidents in our infrastructure. With AlienVault we are able to respond to incidents and take necessary action faster than we could before without the solution in place.
What needs improvement?
Some customizations with the integration between AlienVault components have room for improvement and enabling users with WebUI interfaces instead of having to edit configuration files on the system to achieve certain actions would be a good improvement.
For how long have I used the solution?
Three years.
What do I think about the stability of the solution?
No issues with instability have been encountered in our environment.
What do I think about the scalability of the solution?
No issues with scalability have been encountered in our environment.
How are customer service and technical support?
The AlienVault technical support is good and has helped out several times with some really specific configurations in our environment.
Which solution did I use previously and why did I switch?
We used an outsourced MSSP solution but we needed to get the solution in-house in order to better integrate with our datacenters and systems and comply with financial regulatory and PCI-DSS requirements.
How was the initial setup?
The initial setup was straightforward and quite easy to set up. It requires Linux knowledge to manage, but given that we use Linux for our critical infrastructure services it was no problem for us.
What's my experience with pricing, setup cost, and licensing?
We chose AlienVault partly due to the many features and functionalities that were bundled with the product and the pricing and licensing models that were offered. Many other solutions did not have the full spectrum of features but were significantly more expensive, so we would have been forced to get additional solutions to cover all our requirements. With AlienVault we got an all-in-one solution that covered our needs.
Which other solutions did I evaluate?
We had a look at the current offerings at that time, including Tripwire, McAfee, SourceFire, etc., but concluded that we would get the best-bang-for-the-bucks with the AlienVault solution.
What other advice do I have?
As with any security solution, you still need to have knowledgeable people to manage the solution, and the solution is not a silver bullet that takes care of all your issues without being properly managed. Make sure you have the necessary knowledge and headcount to use the solution before implementing this or any other solution. With security, most of the cost is in OPEX, not CAPEX, so make sure you have the necessary expertise to operate the solution as efficiently as possible.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Information Security Officer at a healthcare company with 1,001-5,000 employees
Valuable features include integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.
What is most valuable?
Integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.
How has it helped my organization?
AlienVault provided improved visibility into the environment as well as the ability to report on the organization’s security posture.
What needs improvement?
Asset scanning and inventory (stale assets, scheduling scans) and correlation (false positives).
For how long have I used the solution?
2 years
What do I think about the stability of the solution?
No.
What do I think about the scalability of the solution?
Yes. Upgrading the network cards (from 1GB to 10GB) was not “supported” on the appliance, so we had to purchase a second one as a sensor. The secondary appliance with the 10GBs NICs is the same as the primary appliance, so this was disappointing.
How are customer service and technical support?
High (seldom used).
Which solution did I use previously and why did I switch?
No.
How was the initial setup?
Simple and straightforward. The bulk of the work is understanding your own environment and tuning events (syslog, scans, alarm).
What's my experience with pricing, setup cost, and licensing?
Pricing was a very important consideration and lower than the other SIEM solutions evaluated. The price point makes it accessible for SMB organizations that may be constrained of resources (budget and people/skills) so deployment can be gradual while still deriving value out of the solution.
Which other solutions did I evaluate?
SolarWinds, Splunk, LogRhythm.
What other advice do I have?
As with any SIEM, it is not a “turn-key” or “set it and forget it” solution. It requires resources and skills to deploy, although this can be done in stages. Appropriate resources for maintenance are also key so the information is accurate, relevant and timely. Otherwise it becomes a repository of stale ignored events and alarms.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Manager, Information Security at a retailer with 5,001-10,000 employees
I'm able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed.
What is most valuable?
The fact that I am a very small security team and AlienVault allows me to have a SIEM, FIM and Vulnerability scanner all in one.
How has it helped my organization?
I am able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed. Since I don’t have a lot of time to learn new and complicated tools, being an e-commerce company, this allows me to increase the security posture of the overall organization and also to help pass PCI compliance.
What needs improvement?
With all these products there is always room for improvement. Whether it’s making the filtering of anomalies better, making setup and deployment faster, streamlining more of the functional aspects of the product, etc. There is really not one thing that stands out in particular.
For how long have I used the solution?
About one year
What do I think about the stability of the solution?
I had some initial issues with some of the upgrades in version, but with the help of their support team, we were able to resolve all of them.
What do I think about the scalability of the solution?
No, not yet. We are growing at a rapid pace and eventually will need more sensors, but I believe that will be a painless upgrade.
How are customer service and technical support?
Tech support is great. Very knowledgeable, reliable, and have resolved all problems, escalated when necessary, and handled all my cases very professionally.
Which solution did I use previously and why did I switch?
I have used different solutions at previous jobs. AlienVault was a new purchase and install. When asked for my opinion, I did recommend AlienVault as the solution since my comparison of all products came down to AlienVault being the best for our particular environment.
How was the initial setup?
It was very straightforward. I had made a couple of little mistakes that most likely would have been avoided if I had not rushed a few aspects of the install, but tech support was able to get me back on the right track.
What's my experience with pricing, setup cost, and licensing?
The pricing for this solution with the 3 major components: SIEM, FIM, and vulnerability scanning, can’t be beat. There are other systems that are way more robust, but way more complicated and way more expensive. This solution was perfect for us.
Which other solutions did I evaluate?
I had eliminated others prior to evaluating AlienVault based on prior experience. Tripwire for FIM, QRadar for SIM, eEye Digital for vulnerability scans. All of which are great tools, but much more pricey. We briefly looked at LogRhythm, Tenable, and Splunk as well.
What other advice do I have?
I would say to implement it. It has all the components needed to help secure your environment as long as you have someone who can dedicate some time to it. But even if you don’t, like in my case, it is a much better solution than the others.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
El Mostapha Chakir - I thank you for your time and your thoughtful feedback.