AlienVault's out-of-the-box features for easy asset discovery, vulnerability scans, and IDS setup are all beneficial, but the feature we find most valuable is the main dashboard, for how the information is bubbled up and presented to us.
SOC Lead / Sr. SOC Analyst at a tech services company with 501-1,000 employees
Out-of-the-box features for easy asset discovery, vulnerability scans, and IDS setup are all beneficial.
What is most valuable?
How has it helped my organization?
With AlienVault we have been able to reduce lag times by not having to invest into specialized research for which we rely on AlienVault Security Labs and OTX (Open Threat Exchange).
What needs improvement?
With all the great features AlienVault has to offer, it would be nice to see improved search query functionality, similar to ELK stack.
For how long have I used the solution?
18 months+
Buyer's Guide
USM Anywhere
May 2026
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,838 professionals have used our research since 2012.
What was my experience with deployment of the solution?
Easy setup out of the box as it comes as a virtual appliance.
What do I think about the stability of the solution?
Solid platform built on a Debian system.
What do I think about the scalability of the solution?
Haven't been able to break it yet.
How are customer service and support?
5 Stars
Disclosure: My company has a business relationship with this vendor other than being a customer. We are a part of the MSSP program.
Information Systems Network Technician at a local government with 501-1,000 employees
Allows for log management, vulnerability scanning, and file integrity monitoring.
Pros and Cons
- "It's a single solution that is meeting the needs of multiple of my PCI compliance objectives."
- "I had a renegade plugin that was installed by the company who helped me with the initial setup. The plugin was missing a command to rotate logs and would fill my hard drive's capacity to full quickly."
What is most valuable?
It's a single solution that is meeting the needs of multiple of my PCI compliance objectives.
How has it helped my organization?
I was able to replace our log management solution with this product. A single server that allows for log management, vulnerability scanning, and file integrity monitoring.
What needs improvement?
The alarms section of the USM is very robust, yet I still find myself having to look back through the events to find more details. It would be nice if I could navigate straight to the event from the alarm.
For how long have I used the solution?
I've been using it for six months.
What do I think about the stability of the solution?
I had a renegade plugin that was installed by the company who helped me with the initial setup. The plugin was missing a command to rotate logs and would fill my hard drive's capacity to full quickly. Fortunately, AlienVault support identified the problem and reported the issue to the designers. I opted to not run that plugin anymore, and probably still will not trust it even after the rotate function is fixed.
What do I think about the scalability of the solution?
I have the ability to scale out further from where I am if necessary, so I have not had any scalability problems.
How are customer service and technical support?
10/10
Which solution did I use previously and why did I switch?
We did not previously have many of the systems that AlienVault offers. We switched to get a robust single solution.
How was the initial setup?
The initial setup is both straightforward and complex. You can get the system up and running without any outside help but you will be missing out on many of the finer detailed features if you go that route. I appreciated getting professional setup help as I do not have enough time to dedicate to just learning USM. I also attended the five day training which was very valuable.
What's my experience with pricing, setup cost, and licensing?
Speak with a rep to get the correct design. AlienVault will scale depending on the size of your environment but the licensing gets tricky when you get away from the single unified console.
Which other solutions did I evaluate?
I was not able to find any other tool that was able to meet as many needs as the AlienVault USM. I spent the entire trial testing AlienVault to make sure it would suit my needs.
What other advice do I have?
Use AlienVault's free trial of the USM. They will help you get the system installed, which is very helpful to make sure you get the best test possible.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Thanks Trevor for the review & updated comments.
Security Consultant at a tech consulting company with 51-200 employees
We run this product on our network 24/7 and it has helped identify important events.
Pros and Cons
- "AlienVault provided the best bang for buck."
- "My biggest challenge has always been the fine tuning that is sometimes required for some networks."
How has it helped my organization?
We run this product on our network 24/7 and it has helped identify many important events. We take the security of our network very seriously, and this helps to quickly identify and lock down any potential vulnerabilities or events that could escalate.
What is most valuable?
As an information security consultant that works across many diverse networks, these features offer by far the most critical information when analysing a client’s environment for issues that need to be addressed:
What needs improvement?
My biggest challenge has always been the fine tuning that is sometimes required for some networks. It requires a solid understanding of Linux and databases and how networks work. So a non-technical user may become frustrated, or not configure the product to work at its best, and therefore miss important events. So I see room for improvement in the following -
- Ease of deployment and configuration
- Easier way of testing if features are working as designed, e.g. packet analysis
- Troubleshooting features that are not working as designed
What do I think about the scalability of the solution?
I have not yet run into any issues regarding scalability, however I have not yet deployed this on a very large network yet (1000+ devices).
How are customer service and technical support?
Excellent! Every time I have had an issue, the customer and technical support has been outstanding. The support desk is always very helpful, and goes out of their way to make sure the issues are resolved whenever possible.
How was the initial setup?
The initial setup is not difficult at all, and can be done by someone with almost no technical knowledge. However, getting optimal performance from the features in AlienVault may not always be as easy.
What about the implementation team?
We deployed using our own in-house team, led by myself. Depending on what you want from the product, be prepared to do some research and tinkering in the background. What you see on the surface is actually a very small part of what you can really do with AlienVault. If you are serious about getting the best out of AlienVault, use a vendor that is well versed in deploying AlienVault (like an MSSP) as they should have the experience needed to optimise a deployment, as well as having quick and easy access to the AlienVault support. Use the 30-day trial to get a good feel for what it can do, but remember there is a lot more.
What's my experience with pricing, setup cost, and licensing?
As this product is still relatively new in South Africa, people are still learning about it, but thus far we have been able to show affordability and feasibility in every network we have deployed it on. Speak to an MSSP about a package that is affordable for your company. The product is easy to scale as your affordability improves.
Which other solutions did I evaluate?
I have actually looked at a few other products, however we decided on this product as the cost versus what you get, far outweighed any other product we looked at. Many companies can’t afford to deploy a SIEM solution from some of the top companies on the market, however no company should be without a SIEM on their network with the risks companies face today. AlienVault provided the best bang for buck.
What other advice do I have?
Remember, there are many good products on the market, however affordability is usually a key factor. Sit down and properly analyse your network, and list expectations from whatever product you are considering. Identify what your most critical assets are, your “Crown Jewels”, and know how they need to be protected. Then look at solutions within your budget, remembering that the most expensive is not necessarily always the best. There are many world class products out there; you need to find one that will fulfil your needs, within your budget.
Also, remember that running a system like this means dedicating resources to monitoring it; you can’t deploy SIEM tools and think it’s going to run itself. Don’t expect your system administrator to have time to do this, as InfoSec is a full time job. Either get a skilled resource, or consider an MSSP offering.
The product is very powerful and very flexible. However, certain aspects can be very challenging to set up and configure for users that don’t have an in-depth technical background. The default configuration would work well for a normal office network, however for more complex networks there is a lot more configuration required for optimal performance. The product is still under very active development, and the vendor is always receptive to feedback regarding feature requests or bugs.
Disclosure: My company has a business relationship with this vendor other than being a customer. We are an MSSP provider using this product, so we work closely with AlienVault themselves on a regular basis.
SOC Intrusion Analyst at a tech services company with 51-200 employees
Once we placed AlienVault into the product we have now, the time it takes to find and respond to real anomalies dropped. Creating directives is a pain.
Pros and Cons
- "Once we placed AlienVault in the product we have now, the time it takes to find and respond to real anomalies has dropped from hours to minutes; it has so much potential to be an amazing product despite its many issues."
- "Creating directives is a pain on its own, but editing them can be a nightmare filled with tedious unnecessary steps."
Valuable Features
- Raw logs
- Alarm section
- Security events
Improvements to My Organization
Once we placed AlienVault in the product we have now, the time it takes to find and respond to real anomalies has dropped from hours to minutes; it has so much potential to be an amazing product despite its many issues. After working with so many other SIEMs, AlienVault is among my top three favorites, and I believe it has earned that spot well.
Room for Improvement
Directives and searches within security events. So many issues with directives. Creating directives is a pain on its own, but editing them can be a nightmare filled with tedious unnecessary steps. You do not have an option to whitelist or blacklist specific traffic flows to trigger alarms (e.g. specific IP to specific IP) if your directive contains multiple alarms. A simple fix would be to allow the engineer to give "and" and "or" statements so you could get something along the lines of (SRC IP: 192.168.0.20, DST IP: 10.10.1.12 OR 10.10.1.13) AND (SRC IP: 192.168.10.5, DST IP: 10.10.2.5). Instead you have a list of source IPs and a list of destination IPs, and no matter if the traffic you need to blacklist is specific, anything communicating from the source list to the destination list triggers an alarm, which is not always what you want.
A workaround for that is to split the alarm directive into separate directives for any specific flows you are looking for. Searching in security events comes with its own minor inconvenience that isn't a deal breaker; however, a simple improvement could make things orders of magnitude better: allow the analyst to decide everything he wants to search for and trigger the search themselves. Right now, if you want to search something by signature, time range, and port, for example, you have to do each individually, and each search forces the query to reload before you get the information set you want. E.g.: I want to search for Admin Activity Events, surrounding a specific Admin, over the last week. I need to first search for Admin activity events, which reloads the whole set of data, then search for the username, reloading the whole set of data again, then choose the last week time range, reloading again. It would make more sense to be able to package the queries I intend to use, then click something along the lines of submit. AlienVault does offer predefined searches, which is a great tool, but I think fixing the search function of the SIEM would be great.
Use of Solution
I've used it for two years.
Stability Issues
Stability issues have been around, but I feel like AlienVault does a stand up job at responding to and fixing them.
Scalability Issues
I personally haven't seen any scalability issues, though that falls out of my purview.
Customer Service and Technical Support
10/10 - the AlienVault team is great, and the community is very active.
Initial Setup
Straightforward. The guidance given in documentation sets you up for success, and the ease of adding agents to machines is phenomenal.
Implementation Team
It was done in house. Be patient, focus on getting your firewalls connected to the SIEM.
Other Solutions Considered
I have used several SIEMs, but stick with ArcSight, Splunk, and AlienVault. It is more client dependent. A big pro for AlienVault is its price point and resource requirements. Though I feel like AlienVault is best suited for small to mid-sized business.
Other Advice
Take advantage of the support team at AlienVault, and read through the documentation. If you get lost, there is a good chance the information is in there. Also, you will quickly discover the limitations of AlienVault, so you should take your time to figure out workarounds for your issues.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Thank you for your feedback. If you would be willing to reach out to Product Marketing, please send an email to: LBarraco@alienvault.com. Lauren is always happy to hear from our customers especially on product enhancements or issues.
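The directive behaviour the SOC Intrusion Analyst describes above (a source list times a destination list fires on every combination, while the analyst only wants specific pairs) is easy to see on paper but easier to see on traffic. The following is an added illustration, not AlienVault code: it models the "list x list" semantics from the review, the explicit-pair "src AND (dst1 OR dst2)" form the reviewer asks for, and the reviewer's workaround of splitting the directive, then runs all three over constructed sample flows so the extra alarms produced by the cross product become visible. The directive name, the flow set, and the `PairDirective` model are assumptions made for the example.

```python
# Added example (not AlienVault code): models the directive matching behaviour
# described in the review and runs it over constructed sample flows.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str

    def __str__(self) -> str:
        return f"{self.src}->{self.dst}"


@dataclass
class ListDirective:
    """Source list x destination list, as the review describes the product:
    any source in `sources` talking to any destination in `destinations` fires."""
    name: str
    sources: Set[str]
    destinations: Set[str]

    def matches(self, flow: Flow) -> bool:
        return flow.src in self.sources and flow.dst in self.destinations


@dataclass
class PairDirective:
    """The form the reviewer asks for (hypothetical, not a product feature):
    clauses of 'this source AND (dst1 OR dst2 ...)', OR-ed together,
    so only the listed pairs fire."""
    name: str
    clauses: List[Tuple[str, Set[str]]]

    def matches(self, flow: Flow) -> bool:
        return any(flow.src == src and flow.dst in dsts for src, dsts in self.clauses)


def split_into_list_directives(pair: PairDirective) -> List[ListDirective]:
    """The workaround from the review: one single-source list directive per
    clause, so each directive's cross product is exactly its intended pairs."""
    return [
        ListDirective(f"{pair.name}#{i}", {src}, set(dsts))
        for i, (src, dsts) in enumerate(pair.clauses, start=1)
    ]


def evaluate(directives, flows: List[Flow]) -> Dict[str, List[str]]:
    """Alarms keyed by directive name: every flow that directive fires on."""
    return {d.name: [str(f) for f in flows if d.matches(f)] for d in directives}


def unintended_alarms(list_d: ListDirective, pair_d: PairDirective,
                      flows: List[Flow]) -> List[str]:
    """Flows the list directive alarms on that the explicit-pair form would not."""
    return [str(f) for f in flows if list_d.matches(f) and not pair_d.matches(f)]


# Constructed sample: the two flows from the review, written as explicit pairs.
WANTED = PairDirective("admin-to-db", [
    ("192.168.0.20", {"10.10.1.12", "10.10.1.13"}),
    ("192.168.10.5", {"10.10.2.5"}),
])
# The same addresses entered as one source list and one destination list.
AS_LISTS = ListDirective("admin-to-db",
                         {"192.168.0.20", "192.168.10.5"},
                         {"10.10.1.12", "10.10.1.13", "10.10.2.5"})

# Constructed sample flows: the wanted ones, two cross-product extras, one miss.
SAMPLE_FLOWS = [
    Flow("192.168.0.20", "10.10.1.12"),   # wanted
    Flow("192.168.0.20", "10.10.1.13"),   # wanted
    Flow("192.168.10.5", "10.10.2.5"),    # wanted
    Flow("192.168.0.20", "10.10.2.5"),    # fires only under list x list
    Flow("192.168.10.5", "10.10.1.12"),   # fires only under list x list
    Flow("192.168.0.20", "10.10.9.9"),    # matches nothing
]

if __name__ == "__main__":
    print("list directive  :", evaluate([AS_LISTS], SAMPLE_FLOWS))
    print("pair directive  :", evaluate([WANTED], SAMPLE_FLOWS))
    print("split workaround:", evaluate(split_into_list_directives(WANTED), SAMPLE_FLOWS))
    print("extra alarms    :", unintended_alarms(AS_LISTS, WANTED, SAMPLE_FLOWS))
```

Running it shows the list directive raising five alarms where three were intended; the two extras are exactly the cross-product flows, and the split workaround brings the count back to three at the cost of two directives to maintain instead of one.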
Information Security Consultant at Securepoint Nederland B.V.
There is no complex alerting or code reviewing, just click and go.
Pros and Cons
- "The product is now stable and it is a Swiss army knife packed with a lot of tools."
- "The next release will include cloud security and it will support a hybrid IT environment, furthermore the OTX has a great added value but it will help when there is more OTX information in the database."
Valuable Features
Vulnerability scanning and OTX are powerful. The alerting and security intelligence is the engine of the product. Looking at the cockpit and monitoring your IT environment is now almost a one man job. There is no complex alerting or code review, just click and go.
Improvements to My Organization
AlienVault does not stop a security breach, but it detects and notifies the responsible people and they can immediately interact and take the necessary actions. Identifying security risks and minimizing downtime is the added value.
Room for Improvement
The next release will include cloud security and it will support a hybrid IT environment, furthermore the OTX has a great added value but it will help when there is more OTX information in the database. Future releases will definitely need to improve on these items and it will position the product in a more enterprise ready strategic position.
Use of Solution
As a professional user and reseller we've used this product for almost five years, starting with the free OSSIM level for home and development use, and the all-in-one unlimited version or a small 50 asset version for our customers. Scalability is also key, starting at 25 assets for small companies and supporting enterprise companies with a separate server, sensor and logger.
Deployment Issues
It has great scalability options. The installation is almost click and go, but be aware that when implementing AlienVault in a big environment with a separate sensor, logger and server, it's useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key; knowing where to position the sensors and where to place the server is key, since wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.
Stability Issues
It has great scalability options. The installation is almost click and go, but be aware that when implementing AlienVault in a big environment with a separate sensor, logger and server, it would be useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key; knowing where to position the sensors and where to place the server is key, as wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.
Customer Service and Technical Support
When issues arise and the going gets tough, you can contact AlienVault directly via phone, email or web. Support is covered via the license and in our experience the technical guys (and girls) know their stuff. Really serious problems are solved via a remote VPN connection (built into the software), and the product has really improved regarding stability.
Initial Setup
The installation is pretty straightforward. Just keep in mind that it is better to plan a good architecture than to rebuild the system(s) until it works performance-wise.
Implementation Team
We performed the implementation, and the training was done by AlienVault trainers. Just know your stuff and do not hesitate to contact AlienVault or a reseller.
Other Solutions Considered
Other SIEM/USM products that we use are Splunk, LogRhythm and the free OSSIM version. The first two have a different cost model and, compared to AlienVault, they have (or lack) the real Swiss army knife approach. Furthermore there is a big difference in costs; this is why in the end AlienVault takes the lead.
Other Advice
The price is the unique selling point for AlienVault. The product is now stable and it is a Swiss army knife packed with a lot of tools. All other professional products that compare to AlienVault are somewhat different but deliver the same result, but it is the price that tips the balance in favor of AlienVault.
Check the latest Gartner report on SIEM/USM 2016, and test the other products. Do not stick to one product for testing, but when you do not have the time to test all products (who does have the time), choose only two or three products to check out. Compare the prices and always ask for a demo.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Hi Frans - I wanted to make sure that you saw the news on 2/7/17 that we've now delivered a cloud-based USM product! www.alienvault.com/products/usm-anywhere
Security Consultant at a tech consulting company with 51-200 employees
We have noticed outdated Java and Flash versions due to the snort rules included in the appliance.
Pros and Cons
- "AlienVault provides excellent visibility into your network by combining centralized logging, host-based IDS and network IDS."
- "The biggest improvement they could do is to provide full support for IPv6 addressing."
Valuable Features
AlienVault provides excellent visibility into your network by combining centralized logging, host-based IDS and network IDS. This enables me to detect quite a lot of potential issues that have gone through AlienVault's correlation engine and our own policies.
Improvements to My Organization
On several occasions we have detected attacks (DDoS) just as they are starting and have been able to rapidly mitigate them. We have also noticed outdated Java and Flash versions due to the Snort rules included in the appliance.
Room for Improvement
The biggest improvement they could do is to provide full support for IPv6 addressing. It currently has quite lightweight support for IPv6 addresses in the sense that it will record the source/destination addresses in all cases, but currently trying to search with IPv6 addresses is not possible and thus makes our lives harder.
Use of Solution
Including my experience with the previous version (v4) I have two years of professional experience with AlienVault.
Deployment Issues
We have not faced any large issues with the deployment.
Stability Issues
We have not faced any large issues with the stability.
Scalability Issues
The only issue is related to the volume of alarms in a system: the UI/UX for working with a large mass, starting with several hundred alarms, is suboptimal. I am hesitant to mention this as it is easily solved in the future by small UI changes.
Customer Service and Technical Support
All of the bug reports have been sent to AlienVault and have been handled with skill. At least once we got to talk to their experts who worked with us to debug the cases in our environment.
Initial Setup
There are many steps, but the steps are not complex. The biggest hurdle in the deployment/setup phase is usually gathering the actual information (assets details, services, policies) about the environment, not the installation itself.
Implementation Team
Our team did the implementation. If you have experience implementing a SIEM solution then you can implement this yourselves, otherwise you should get an external team to do it. The issue is not with the technical skills needed for the actual implementation, but the knowledge needed to know what to include, what policies to write, and what not to include.
Pricing, Setup Cost and Licensing
For licensing you will need to contact an AlienVault reseller as it is comprised of (roughly) how many events per second you are processing, how many assets you are adding, and in how many physical locations.
Other Solutions Considered
I was not part of the process. I have heard that our team had tried other products, but mostly the cost was prohibitive in those alternatives.
Other Advice
As this is a product that will give you a lot of visibility into everything you can throw at it, it is good to note that you should have good working relations with the *people* in charge of the assets you have visibility over (e.g. with network mirroring).
You will get alarms about a plethora of things you couldn't have imagined, things that people have forgotten, that have been misconfigured and that are under attack. You will need to explain the remedies and mitigations to people. And that is possibly the biggest hurdle. This product will not help you if you cannot fix the problems it finds.
It may not have the same abilities as most tools off-the-shelf but it has the best bang for buck. Unless you already have a high-quality SOC operation running, you will be able to handle probably all of your SIEM needs with AlienVault for a few years with a fraction of the price of other more complete solutions.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Thank you for your review!
Senior Network and Security Consultant SI at a tech services company
We can gather all data from different devices, analyze them and extract the correct information.
Pros and Cons
- "AlienVault is the more appropriate solution, it's flexible, Linux based, and contains a large number of open source solutions."
- "Plugins: most plugins are not up to date with the newer versions of products."
What is most valuable?
SIEM, Event Correlation and the Vulnerability Scanner.
How has it helped my organization?
Reduced the number of false alarms generated by other devices. With AlienVault we can gather all data from different devices, analyze them and extract the correct information.
What needs improvement?
Plugins: most plugins are not up to date with the newer versions of products.
For how long have I used the solution?
Since 2013
How are customer service and technical support?
We had problems with the MySQL database, but the technical support is very helpful. I'd give them a 9/10.
Which solution did I use previously and why did I switch?
Yes, but AlienVault is the more appropriate solution; it's flexible, Linux based, and contains a large number of open source solutions.
How was the initial setup?
Simple.
What about the implementation team?
A vendor team. Don't install the solution on a virtual platform other than VMware ESXi. We had a long story with AlienVault on a Proxmox Virtual Environment.
What other advice do I have?
It's a powerful solution and contains more features than other products.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
El Mostapha Chakir - I thank you for your time and your thoughtful feedback.
Network Security Administrator at a comms service provider with 501-1,000 employees
The most important part of the product is the event correlation and alerting. The ability to authenticate users across multiple domains would be useful, but is not critical.
Pros and Cons
- "Being able to identify security issues as they occur at near real time and then respond to them as soon as they occur is priceless."
- "The log query capability is pretty restrictive and I find myself searching through raw logs via command line more often than the GUI."
What is most valuable?
The most important part of the product is the event correlation and alerting that it provides. Sifting through tens of millions of logs a day looking for the proverbial needle in a haystack is impossible for a single person or even a team without automation.
How has it helped my organization?
Being able to identify security issues as they occur at near real time. Being able to then respond to them as soon as they occur is priceless.
What needs improvement?
We have a relatively large deployment that spans multiple locations and domains. Having the ability to authenticate users across multiple domains would be useful, but is not critical. The log query capability is pretty restrictive and I find myself searching through raw logs via command line more often than the GUI. Full logging is not supported out of the box; you will need to modify configurations to store all logs if that is your concern or a requirement of your organization. AlienVault by default only stores alert logs, and this can and will bite you at some point. The IDS rules need better oversight when updated. The vulnerability scanner needs to have a power user mode that gives you a more complete interface to the vulnerability scanner (OpenVAS).
For how long have I used the solution?
3 years
What was my experience with deployment of the solution?
Most problems were due to our environment and having to utilize the built-in VPN capabilities. Once a few sensors have been added via the VPN it is pretty simple to remember how to do it.
How are customer service and technical support?
All interactions with customer service and technical support have been great. The engineering group is based in Spain and occasionally you may have timing issues with their team and yourself.
Which solution did I use previously and why did I switch?
Another group in our company used QRadar before they were bought out. The buyout created a bad enough situation that the group refused to renew with QRadar, especially when they decided after 18 months that they did not want to support the hardware that their predecessors had sold. We also trialed LogRhythm which was a more mature product, but had its own quirks and annoyances. The largest issue I found the LogRhythm was the excessive amount of time to spend to deploy a single agent, much less repeating that process 390 times for our environment.
How was the initial setup?
We had a pretty large deployment; most of our locations were straightforward, some were more complex due to having to route them through an MPLS connection with only limited connections to the main locations.
What about the implementation team?
We integrated through a third party vendor recommended group; they caused many issues on their own, some of which were not discovered for over a year. Be wary of any third party that wants to do anything with the database.
What was our ROI?
ROI for AlienVault will probably not be about the money. The return is the time saved and the intelligence that you are able to gather about your environment that you did not have before.
What other advice do I have?
Do your research on SIEM solutions and realize that it is not going to be a set-and-forget product. For 10 sensors like what we run, there are weeks that it requires logging in and closing tickets, and there are weeks where you will spend 10+ hours working on the deployment.
There are some things that are great and some that are annoying; this is not a perfect product. Most security products are never perfect, especially based on the different organizations that will run them.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Thank you for your comments & feedback!
Security Analyst at a tech company with 51-200 employees
It has a lot of capabilities, but make sure there’s someone that can devote daily time to it.
Pros and Cons
- "I think this has a lot of valuable functions that really could be leveraged quite nicely."
- "Yet, a lot of the releases break things that are used."
What is most valuable?
- Correlation
- Customization
How has it helped my organization?
No, but that’s not really their fault, rather ours. I think this has a lot of valuable functions that really could be leveraged quite nicely.
What needs improvement?
They have the advantage of having a large community that uses the free version, and they really could use this as a sort of beta testing population for new releases. Yet, a lot of the releases break things that are used. I think they need to do more QA before releases. For example, I have custom rules written for the Suricata function. Some releases ago, there was a code change and now every single update requires that I reinstall the custom rules, and I am still waiting for the fix. They need to either stop allowing customization (which would be a mistake) or they need to embrace that a majority of their customer base does this and put in safeguards. I understand putting in limits to what’s supported, but simple things like this are part of the appeal of the product. Another example is that a few releases back, they broke the Nagios availability monitoring portion. All the functionality to watch your systems is there, and of course, I used it. When it broke, support told me it was really only meant to watch the AlienVault system itself, yet the entire interface is there, and the options to enable the monitoring on hosts are there. I believe, first of all, that what I was told was wrong, as availability monitoring is one of the core functions AlienVault touts, and secondly, that they need to be more careful with testing before releasing updates. It took like two more updates before the functionality was restored.
For how long have I used the solution?
I've used it for three years.
What do I think about the stability of the solution?
Some, but they are hard to pin down. This is a system that has a lot of things that can stop working, and unless you are paying close attention to the background processes, you would never realize it.
How are customer service and technical support?
Some people are excellent, and others not so much. They also seem to sometimes have conflicting information. I often rely more on the community for answers than I do on support, depending on the issue.
Which solution did I use previously and why did I switch?
We didn't have anything in place previously.
How was the initial setup?
We had a consultant that was provided by AlienVault, which was great. Otherwise, it would have been a little confusing and though they have made improvements in the documentation, it was horrible initially.
What's my experience with pricing, setup cost, and licensing?
Fair for all of the capabilities it has.
Which other solutions did I evaluate?
We looked at some but I can't remember which ones.
What other advice do I have?
It has a lot of capabilities, but make sure there’s someone that can devote daily time to it and that there is buy in from all segments, or a majority of the capabilities become pointless.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Thank you for the feedback you've provided on your experience with using USM.
Chief Information Security Officer at a tech services company with 51-200 employees
It's based on an open source product and therefore fully customizable.
Pros and Cons
- "The ROI is very good if you evaluate all the services which AlienVault can help you with: detection of Malware, bad activities, suspicious behavior, etc."
- "The search capabilities are not optimal and are going to be optimized in the next versions."
What is most valuable?
Flexibility. As the source of AlienVault is based on an Open Source product, it is possible to implement nearly everything including fully customized plugins, scripts, etc. We haven't yet found any limitations.
How has it helped my organization?
We are now able to track any kind of threat including external (malware) or internal (people trying to bypass restrictions, USB keys etc.).
We are able to track changes in the authentication integrity (new user created, domain admin elevation, etc.) and get mail or tickets in cases of suspicious behavior.
It helps us with our ISO27001 compliance.
What needs improvement?
The search capabilities are not optimal and are going to be optimized in the next versions. For example, it is possible to search both username and IPs but not usernames and specific fields (aka user data) at the same time.
Documentation needs to be improved, especially due to the fact that AlienVault gets improved often with new features.
Vulnerability scanning does not support Nessus (after version 5), which is a leader in the market. The default vulnerability scanner is OpenVAS; it does the job, but the reports are not of the same quality as Nessus.
For how long have I used the solution?
3+ years
What do I think about the stability of the solution?
No stability issues were encountered.
What do I think about the scalability of the solution?
No scalability issues, as the product is highly scalable. You have to take care of what you want to integrate and think of use cases instead of global log collection. In our opinion this is the key to success, as you will scale your infrastructure with what you really need.
How are customer service and technical support?
Customer Service:
Customer service can be a great help depending on the kind of project. They are very reactive for commercial offers.
Technical Support:
Technical support is good and reactive, but you should also pass the training to have better knowledge of the solution.
Which solution did I use previously and why did I switch?
We chose this product because of:
- Pricing model
- Flexibility of the solution
- Multi-tier architecture/scalability
How was the initial setup?
Yes, when you don’t have experience with the product you have to learn and understand all the “concepts”. In this case AlienVault generally provides “free” technical service through third-party companies to be able to operate something quickly.
What about the implementation team?
We started with the free technical support provided for the test period. Then we quickly took the product into our own hands, got certified on it and became independent.
What was our ROI?
The ROI is very good if you evaluate all the services which AlienVault can help you with: detection of malware, bad activities, suspicious behavior, etc. All these threats can create high financial loss, and a big part of them could be prevented using the SIEM.
What other advice do I have?
If you don’t want to overpay, and want to have something working, you have to make an assessment based on:
- what are your assets?
- what is the criticality of each one?
- what use cases do you want to implement?
From there, create a plan on how to implement them and limit the number of collections to the minimum, to avoid flooding of data and high costs due to an over-sized infrastructure.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Thank you David for providing your feedback & assessment of working with USM.
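The review above lists "new user created, domain admin elevation" as the kind of authentication-integrity change the SIEM is tuned to alert on, and the earlier review names correlation as the most valuable feature. The block below is an added illustration of what such a correlation rule does, not code from either reviewer and not AlienVault/OSSIM code. It runs two rules over constructed sample records shaped like Windows Security log fields: a single-event rule (any addition to a privileged group) and a two-event rule (an account created and then elevated within a short window). Event IDs 4720 (user account created) and 4728 (member added to a security-enabled global group) are the real Microsoft identifiers; the account names, timestamps and the one-hour window are assumptions made for the example.

```python
"""
Toy SIEM correlation over constructed Windows Security events.

Added example, not AlienVault/OSSIM code. Event IDs 4720 and 4728 are the real
Microsoft identifiers; every record below is constructed, not captured.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from a real domain).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4624, "subject": "alice", "target": "alice", "group": None},
    {"time": "2024-05-01T09:05:00", "event_id": 4720, "subject": "helpdesk1", "target": "svc-backup", "group": None},
    {"time": "2024-05-01T09:07:00", "event_id": 4728, "subject": "helpdesk1", "target": "svc-backup", "group": "Domain Admins"},
    {"time": "2024-05-01T10:00:00", "event_id": 4720, "subject": "hr-admin", "target": "jdoe", "group": None},
    {"time": "2024-05-01T15:00:00", "event_id": 4728, "subject": "hr-admin", "target": "jdoe", "group": "Sales"},
    {"time": "2024-05-02T08:00:00", "event_id": 4728, "subject": "dom-admin1", "target": "bob", "group": "Domain Admins"},
]

# Assumed list of groups whose membership changes always deserve a ticket.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Assumed correlation window for "created, then elevated".
WINDOW = timedelta(hours=1)


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, privileged_groups=PRIVILEGED_GROUPS, window=WINDOW):
    """Return a list of alert dicts, processing events in time order.

    Rules, in the spirit of a SIEM directive:
      * privileged_group_add: any 4728 into a privileged group (one event).
      * new_account_elevated: a 4720 followed within `window` by a 4728 into a
        privileged group for the same target account (two-event correlation).
    """
    alerts = []
    created_at = {}  # target account -> creation time, state for the two-step rule
    for ev in sorted(events, key=_ts):
        if ev["event_id"] == 4720:
            created_at[ev["target"]] = _ts(ev)
        elif ev["event_id"] == 4728 and ev["group"] in privileged_groups:
            alerts.append({"rule": "privileged_group_add", "account": ev["target"],
                           "by": ev["subject"], "group": ev["group"], "time": ev["time"]})
            created = created_at.get(ev["target"])
            if created is not None and _ts(ev) - created <= window:
                alerts.append({"rule": "new_account_elevated", "account": ev["target"],
                               "by": ev["subject"], "group": ev["group"], "time": ev["time"]})
    return alerts


def summarize(alerts):
    """Count alerts per rule, the sort of digest that would go into a mail or ticket."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    found = correlate(SAMPLE_EVENTS)
    for alert in found:
        print(f'{alert["time"]} {alert["rule"]}: {alert["account"]} -> {alert["group"]} by {alert["by"]}')
    print(summarize(found))
```

On the constructed input this yields three alerts: two plain privileged-group additions (svc-backup and bob) and one "new account elevated" hit for svc-backup, whose creation and elevation are two minutes apart; jdoe's addition to a non-privileged group is ignored. The point the reviews make about thinking in use cases rather than collecting everything applies here: the rule only needs the handful of event IDs it reasons about, not the whole security log.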
I would like to see root cause analysis and big data relationships as part of the overall solution.
Also, the query should feed into a larger data matrix of solutions where they feed into machine learning solutions to address the problem - intelligent situational awareness.