AlienVault OSSIM Reviews

This solution is very similar to most of the other MSSPs that you would find out there. When I look at use cases, AlienVault was initially aimed at small to medium businesses. It grew, and that was one of the things that AT&T aimed to do with it: to ensure they could scale the properties of AlienVault. The uniqueness of AlienVault is in its use of something called OTX, the Open Source Threat Exchange. LevelBlue and AT&T as partners have continued with OTX, an open-source threat exchange based on the premise that a rising tide lifts all boats. So, if you see something on the defensive side, you want to tell everyone. It is a place to exchange information open source there, and it has hundreds of thousands of users all over the planet. They also take in data from other agreements they have and aggregate information from across the Internet, which they incorporate back into not only OTX but also their MSSP products. They use that as they produce products that can be run basically for a low cost. A small, medium-sized business can hire AT&T, now LevelBlue, to manage all their small business functions, costing next to nothing compared to hiring an IT or dedicated security team. As they scaled that, of course, it becomes more challenging. So with the larger sets, they are doing the same thing but on a much larger scale. Everything they do now is cloud-based, offering services from the cloud.

OTX is one aspect of it, and it is part of that package. The most valuable part of it is that it can be a one-and-done solution for most small and medium businesses. Often larger businesses have a more granular understanding of their networks and what they're protecting to set up and work with LevelBlue to be effective in their overall structures. LevelBlue also, as an MSSP, can manage that for a medium or large enterprise. They also have other technologies to bring in. Enterprises or large businesses usually already have a technology stack and preferred vendors, and they'll ask MSSPs to manage those so that they are outsourcing that portion, which they can do pretty easily. With incredible amounts of experience, they basically pulled everything over from AT&T.

Scaling for USM is always challenging for any product unless it is purpose-built or overbuilt at the front end. They will use Palo Alto and its competitors, and LevelBlue will manage that implementation. The main area where the AlienVault product was lacking around the 2018 timeframe was in its ability to scale. By pushing it to a cloud-based system, they've largely alleviated scale issues. It's native in Amazon but will also run in Azure. They have worked with cloud service providers to offer enough throughput at a cost reasonable for a corporation. Scaling was their biggest problem, and they've largely conquered those issues.

The main area where the AlienVault product was lacking around the 2018 timeframe was in its ability to scale.

With the support, I would rate it probably an eight or a nine out of ten. They have really good support. However, it may not always be from the US, and some corporations prefer US support. They can arrange that, but it will incur an additional charge or a different structure for this support. It may be limited hours compared to a follow-the-sun model, which would suffice for most commercial users. For those with government contracts, they may choose only US support.

Positive

You need to have some knowledge of your network. It will have an associated cost. The major competitors, I think, on the lower end, if someone is already in an Azure system, Microsoft's going to push you towards their Defender products and their line of security. They'll attempt to do it for free, but it locks you into that ecosystem. For a small business, that may be worth it. For a medium business, you have more choices, and while being cost-conscious, you'll be more knowledgeable of your options because you'll probably have an IT staff of some type to make those decisions.

Returns on investment are particular to a company. If a company, for example, had set up a large in-house security team, some security functions could be offloaded to USM, offering a bit of savings. When you bring them in as an MSSP, you achieve more savings because you can eliminate positions. However, a larger enterprise company should maintain their own security system and team working with their MSSP. You're not going to get a one hundred percent return on investment or a complete elimination of your security team on a larger scale. For a smaller customer, that could be a significant return on investment. The cost for something like USM on a small scale would be small fractions of what it would cost to hire one security professional.

It depends. I would need to review their cost models, but generally, they are on a scaled basis based on throughput usage. Because it's a software as a service solution for their core product for USM Anywhere and its variants, delivered over a cloud connection. If everything is running in the cloud, you don't have much additional bandwidth. You're piping everything through USM, and that incurs a cost. Their scaling model allows for significant price breaks depending on bandwidth usage.

Defender is primed for an Azure environment. It can work on individual PCs, but when scaling, it performs better in a one hundred percent Azure setup. If all your apps and operations are in Azure, with an Office 365 environment, Microsoft Defender works well and often comes at no cost for small enterprises or individuals. However, in comparison, I don't think its tailorability matches what you can get from USM. As you grow, you might find yourself limited by being locked into the Microsoft ecosystem.

I recommend it due to the experience of the people running it. From the owners down, they have a massive amount of cybersecurity experience. AT&T spun off all its cybersecurity into the new LevelBlue corporation. This joint LLC with LevelBlue has leveraged AT&T's experience and expertise, creating a smaller, more agile company. They can offer custom solutions and government-related services, equipping companies for success in cybersecurity. Overall, for LevelBlue, I would rate them eight or nine out of ten. They are still structuring operations to be completely independent of AT&T. They accomplished this early to mid-twenty twenty-four when they were spun off. Since then, there have been personnel changes, which happen in any IT system or business. However, they are on a more solid footing to serve various current and potential customers.

The primary use case is as a comprehensive Security Information and Event Management (SIEM) system, with more focus on internet access. It is used in the organization's threat detection and response strategies. 

Additionally, it was deployed in our on-premises servers to integrate log sources and enhance security monitoring.

It enables the discovery of each asset with their respective traffic signature, which is an amazing feature. Additionally, the setup has allowed us to save money.

Network traffic analysis is highly efficient. The vulnerability assessment feature could be enhanced with more AI features, as well as improving user behavior analytics.

There are somewhat more false positives with the user behavior analytics, which could benefit from an additional machine learning model to detect user patterns more rapidly. The integration capabilities, especially concerning log sources, need improvement for more flexibility and simplicity in integrating with nodes.

The solution has been used for one year.

I have not encountered performance issues with AlienVault.

The solution is undoubtedly scalable.

I have not interacted with customer service for support as I've been using the free version and am unsure if there is support for it, although there could be support in the paid or enterprise versions.

Positive

I have experience using Wazuh, which is more focused on host intrusion detection systems. It is not comprehensive but has a good community. Additionally, we used the enterprise version of TrueRider, but it is not as community-based as AlienVault.

The initial setup process involved identifying log sources and using a multi-server architecture. I was the one in charge of the deployment process.

The deployment process required four resources.

We evaluated Wazuh and TrueRider before choosing AlienVault.

My advice is to simply use it.

I'd rate the solution eight out of ten.

We are using AlienVault OSSIM to monitor any events happening on the devices. Since AlienVault OSSIM is an open-source tool, we cannot expect much from it. If basic things like file integrating and monitoring are happening, along with brute-force-related functionalities are happening, or some basic SQLs or something is happening on the web servers, we monitor for those things. There are directories that are already preconfigured. So, we have already deployed that on the servers which we want to look for. That is the basic thing and the main concern why we are using AlienVault OSSIM.

This may not be a feature. It is something like how you configure and how you analyze it. But since it's open-source, I'm talking more about this. So, since it's open-source, getting the features of going deep into an IP is good. For example, I get an alert in which I see this IP, source IP 8.8.8.8. Now if I want to drill deep down into this and know which other IP this IP has been communicating to and these kinds of things and, also, if I have, for example, firewall logs onboarded on this tool, I can just literally go to the filter section and put the IP and check all the logs, which have been collected on this device. From this, I can make the meaning and see if those have been affected or not. It is a basic feature, but since this is open-source, it is a good thing in terms of the results we are getting.

The area for improvement is a lot. When I started using it on our enterprise side, the issue we faced was, for example, if we were running at that time on AlienVault OSSIM v5.7.4. So, for some orders, we had to install some packages, and when we tried installing that package, some dependencies got upgraded to a new version. Now once that dependency got upgraded, the SQL, since you might be aware that OSSIM uses SQL database, now SQL and all the dependency in everything was not on the same version, and that caused the database to crash. The aforementioned area should be eased out by upgrading the patches and upgrading dependencies. This kind of thing is a disadvantage of OSSIM, and I would like them to work on this.

But I have also raised service requests many times and gave it a push on the community section too. However, since it is a local source, they don't reply much over there. That is why I don't like to work on OSSIM because it is unpredictable. Once the storage goes above 50 percent, it starts behaving unpredictably. If you get stuck with a situation, then you need to drill a lockdown into that. Sometimes you get no luck. Then you have to just reimage the server with the new fresh OS of AlienVault.

As for additional features, not much because if you move to the newer version, it is kind of getting more stable. But, to make my life easier, then I would say try to give more features. I know it's open source, so they also cannot provide me with more features. But still, if they can provide me with more features because right now it's becoming old. Right now, we are even moving from SIEM to Security Data Lake. So when we move to it, this will be literally outdated. No one can even expect anything out of it. The way security is moving, it will be outdated very soon. They have to also provide something new to keep this going for the future also.

I have been operating and deploying AlienVault OSSIM since January 2022. I am a user of the solution.

If I talk about OSSIM, it does not have bugs on the newest version. But if you stick to the older versions, then, yes, you might find bugs, and it might crash.

There are a lot of people you will find using OSSIM since they are also offering OTX as a service. So that is also the threat intelligence of AlienVault that they are providing. So I have seen many people using AlienVault.

All the servers and data which we had were on OSSIM v5.7.4. It was literally an outdated one. At that time, we were facing a lot of issues with installation because we did not know if we were moving forward and if some progress was happening or not. But the latest version, they have made the changes, so it is not difficult. It is easy to configure. Plus, documentations are available, which can help the person out as well.

AlienVault, AT&T, that's what we call it now. They have two things, one is USM, and one is OSSIM. OSSIM is open source, and USM is the paid license. So, if you want, you can switch to USM. There you will have to buy a license, and they have a support team that helps you out on issues you face.

I would definitely recommend anyone to get on this tool if they are starting a career in cybersecurity since there are not many tools available in the market which help you get an experience as a SIEM tool. The other ones are paid ones, where you need to buy a license, and then you can try it. So, if you're just starting your own lab, then this thing can provide you with a very great edge because you can experience many attacks and see how the logs are there on the system. So this kind of provides you with that.

Overall, I would rate it an eight out of ten.

AlienVault has an agent and OS X, which provide good detection. It is an open-source solution, and the agent gives more visibility to the endpoints. The alert feature is also good.

It gives us much more visibility if something is going on in the environment or if certain features are being used on the endpoint, copying files, or certain event codes that have been there for our servers. We need log in, log out, and every detail. It gives us much more information.

The log management could be improved because of the open source.

In the configuration of AlienVault OSSIM, users can determine backup frequency, retention policies, and other settings. There is a limitation on customizing backup settings for specific devices. Unfortunately, there's no option within the interface. Even accessing the backend database doesn't offer a solution, as it only allows for full database backups or none at all. This is a significant drawback, particularly for larger environments or clients with specific device backup needs. 

I have been using AlienVault OSSIM for 3 months. We are using the V5.6 of the solution.

The product is stable.

I rate the solution’s stability a ten out of ten.

The solution is not scalable. It impacts so hard. In the initial stages, AlienVault OSSIM can be suitable for small environments. There may be limitations if the customer expresses a desire to expand and add more devices. In such cases, we would need to either explore additional solutions or work within the constraints of the existing setup.

We have set up alerts and configured everything in AlienVault OSSIM. It actively monitors for any security incidents. It provides us with regular updates and notifications about any ongoing activities. 

Only one person is using the solution. It is the perfect solution for small businesses.

I rate the solution’s scalability a three out of ten.

There is no straightforward documentation available now at AT&T. They are focusing on the cloud. The on-prem documentation is not available there.

AT&T has removed the support. They are trying to force the customer to go with the cloud. They still have the tool up and going. They won't be able to configure it If something new is there.

The initial setup is straightforward. It takes a week for everything, including onboarding of the devices.

The only issue is the support for certain network devices. We needed to onboard them onto AlienVault OSSIM, but few pre-existing integrations were available. As a result, we had to create custom configurations for those devices. For example, when attempting to onboard Cisco Unified Communication Manager, which allows centralized management of Cisco routers and other equipment, we faced challenges with the configuration process.

I followed the documentation provided for AlienVault OSSIM, which included straightforward commands. After downloading the setup, running the command established the management console as expected. Additional steps were required for agents. The agents needed to be installed, and their IPs were configured. There are discrepancies in some configuration files that were not documented. We had to edit these files to ensure that the IPs matched.

I rate the initial setup as seven out of ten, where one is difficult, and ten is easy.

The solution is free.

Asset discovery is good. You give the IP range, and it'll scan everything in the network. You can select it and onboard it.

If you're new to AlienVault OSSIM, dive in and start configuring it. Experiment, play around with its features, and get comfortable with it. If it meets your needs and you feel confident using it, you can continue using it. However, if you encounter issues with scalability or log management that you can't resolve, it may be necessary to explore alternative solutions.

Overall, I rate the solution an eight out of ten.

We must collect user information, including login details and activities within our system. We focus on gathering data on user actions, such as uploads and cloud-related activities. 

The tool's security detection is good. It helps us with login tracking and generating reports. We aim to identify potential issues, such as brute-force attacks on user accounts or server-level anomalies. For instance, if I receive a report indicating a server is at an abnormal level, I investigate and address the issue.

Regular meetings are conducted every ten to twenty days to update network issues. Due to restrictions, users face challenges when accessing WhatsApp from outside Saudi Arabia. To bypass this, they use VPNs. When a user logs into Office 365 via VPN, the system sends me a notification indicating their login. 

AlienVault OSSIM gives unwanted notifications. 

I have been using the product for three years. 

I rate the tool's stability an eight out of ten. The system's performance is contingent on all three servers' configuration and operational status. When all servers are operational, data retrieval and notifications function smoothly. However, if any server experiences downtime may interrupt notifications, necessitating a restart or investigation into the underlying issue.

AlienVault OSSIM's scalability is complicated, and I rate it a five out of ten. 

Support response times vary; there are instances where they respond promptly, while in others, it may take some time. For example, when my account was locked, it took over ten days to resolve. Despite sending emails, there were issues with providing the correct URL for accessing an alternative account.

Neutral

The tool's deployment is neither difficult nor easy. If you have Linux or Windows experience, it is easy. I rate it an eight out of ten. 

AlienVault OSSIM is expensive compared to its competitors. 

All components, including cloud integration, Microsoft Office 365, local servers, and domain controllers, are integrated into the system. Deploying three servers across various locations allows for the collection of data, which is then uploaded to generate reports. I rate the overall product a six out of ten. 

I am using AlienVault OSSIM to get my title as a cybersecurity technician.

AlienVault OSSIM's GUI is very user-friendly.

AlienVault OSSIM should add many features that can be used on the directives and correlation policies. AlienVault OSSIM should improve the deployment and make it unified like the USM.

I have been using AlienVault OSSIM for about two months.

I rate AlienVault OSSIM a seven out of ten for stability because it crashes sometimes.

I rate AlienVault OSSIM an eight out of ten for scalability.

It is not too hard to deploy AlienVault OSSIM, but it could be improved.

AlienVault OSSIM is an open-source solution.

The solution has a paid version, which is expensive and costs around $6,000.

I am using the latest version of AlienVault OSSIM.

The people who work with AlienVault OSSIM have just a few tutorials on YouTube where they teach people to use it.

I totally recommend AlienVault OSSIM to other users.

Overall, I rate AlienVault OSSIM a seven out of ten.

We are using AlienVault OSSIM for our internal team to support a SOC capability.

The most valuable features of AlienVault OSSIM are case management, ease of configuration, and investigation.

AlienVault OSSIM could improve by having better integration with some of the newer tools.

Ina future releases, it would be beneficial to modernize some of their UI features.

I used AlienVault OSSIM for approximately five years.

The solution is stable. However, sometimes the UMS can disappear but overall the stability is good.

I rate the stability of AlienVault OSSIM a seven out of ten.

The solution scales well. Some of the volumes of data can be done in a way it can scale better.

I rare the scalability of AlienVault OSSIM an eight out of ten.

I rate the stability of AlienVault OSSIM a seven out of ten.

I have utilized Microsoft Sentinel, which includes a case management system. This system requires the creation of rule sets using KQL and is primarily pre-configured with AlienVault OSSIM. However, we have made some interesting customizations to enhance its functionality.

The initial setup of AlienVault OSSIM is straightforward. The deployment takes a few days.

I rate the initial setup of AlienVault OSSIM a seven out of ten.

When comparing AlienVault OSSIM to Microsoft Sentinel, AlienVault OSSIM incurs additional costs due to its licensing price structure. If you are using AlienVault for security purposes at a certain level it can have a higher price point than the current pricing of Microsoft Sentinel.

My advice to others would be to do the webinars and stay as standard as possible.

It is simple to configure and use this system as it calculates all the necessary components. Looking ahead, it is crucial for Microsoft to maintain its position in the top quadrant, as determined by Gartner, considering the investments made by both Google and Microsoft in this space.

I rate AlienVault OSSIM a seven out of ten.

We use AlienVault OSSIM to provide cyber security for a telecommunication company.

The product is easy to use.

AlienVault OSSIM’s configuration and integration could be a little easier. I had to do a little bit of research to understand the process.

I have been using AlienVault OSSIM for a month or two.

It is a stable product.

It is a scalable product.

The setup process is easy.

I rate AlienVault OSSIM a nine out of ten.

I use the solution for my project.

The solution is free to use. 

However, I have found a lot of issues in general that have given me problems. For example, their stability is not great. 

There is no alarm in my system, so I don't know if that's something right, or if there is nothing attached to my system. It's like there is no alarm in my system.

It's so hard to configure and explore something new on it.

It is not easy to find the steps we need to follow in order to use the solution effectively. 

We've been using this solution for one month. We might use it for three months or so. 

I have not found the stability to be very good. It's not, for example, showing any alarms. 

I cannot speak to technical support. I've never used them.

We did not previously use a different version of the solution. 

The solution is complex to set up. It is not straightforward. 

I set up the solution myself without the help of outside assistance. 

We are using the free version of the solution. 

I'm an end-user of the product. 

I'd rate the solution five out of ten. 

I use AlienVault OSSIM for the protection of our customers and to find critical events. 

There are two different versions of AlienVault OSSIM, one is on-premise and the other is cloud.

The most valuable features of AlienVault OSSIM are vulnerability assessment, network intrusion detection system, response to critical events, and awareness of the whole network.

AlienVault OSSIM on-premise version is more difficult to implement than the cloud version. Additionally, they should add integration between several different environments at once and improve their online knowledge base.

I have been using AlienVault OSSIM for three years.

The older versions of AlienVault OSSIM were not stable, but the latest version was better.

I rate the stability of AlienVault OSSIM a four out of five.

I rate the scalability of AlienVault OSSIM a four out of five.

We have three people who use this solution in my company.

The support from AlienVault OSSIM is good, they are responsive.

I rate the support from AlienVault OSSIM a five out of five.

Positive

The initial setup of AlienVault OSSIM was easy. However, I have many years of experience in the field of network administration. The process took one day to complete.

We did the implementation of AlienVault OSSIM, we are all certified. We have five engineers that did the implementation of the solution.

The price of AlienVault OSSIM is too high sometimes for us to present to our customers. The price should be lower. We are on a three-year license to use the solution. We had to pay extra for the support.

We have two people that do the maintenance for the solution.

I rate AlienVault OSSIM an eight out of ten.