it_user829533 - PeerSpot reviewer
IT Manager at a manufacturing company with 51-200 employees
User
Mar 4, 2018
It is my "security person" looking at irregularities and letting me know when something has occurred
Pros and Cons
  • "SIEM log collection is great, and all of the rules that support updates with maintenance."
  • "AlienVault is my security person looking at irregularities and letting me know when something has occurred."
  • "More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you."

What is our primary use case?

We were looking to add another layer of security to our network, which included intrusion detection, intrusion prevention, SIEM collection, and more. After looking at a few solutions, we ended up purchasing AlienVault. We are located in a physical location with 100 users.

How has it helped my organization?

AlienVault has provided me with a management console which gives me alerts and other information about the traffic on my network. AlienVault is my "security person" looking at irregularities and letting me know when something has occurred. I also see vulnerabilities in my systems and can assign tickets to other staff members.

What is most valuable?

SIEM log collection is great, and all of the rules that support updates with maintenance. 

What needs improvement?

More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you.

Buyer's Guide
USM Anywhere
May 2026
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: May 2026.
900,838 professionals have used our research since 2012.

For how long have I used the solution?

One to three years.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews - PeerSpot reviewer
Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
Real User

Thank you for your time to review AlienVault USM and for your candid feedback!

PeerSpot user
Network and Security Engineer at a tech services company with 51-200 employees
Real User
Feb 25, 2018
It has powerful threat detection, incident response, and compliance management
Pros and Cons
  • "It has powerful threat detection, incident response, and compliance management."
  • "AlienVault has an advanced component within one package. With this, we can cover more area with one solution."
  • "It is the most valuable tool that I have seen of the SIEM solutions."
  • "AlienVault must improve their correlation feature. Some of the events do not match with the correlation rules and some of the correlation events are false-positive."

What is our primary use case?

AlienVault Unified Security Management (USM) has powerful threat detection, incident response, and compliance management. We can use this across cloud, on-premise and hybrid environments. 

The reason to use USM is that it has the following components in its package: 

  • Asset Discovery
  • Vulnerability Assessment
  • Intrusion Detection
  • Behavioral Monitoring
  • SIEM & Log Management.

How has it helped my organization?

AlienVault has an advanced component within one package. With this, we can cover more area with one solution. 

As an example, it has a vulnerability assessment component built in. From this, we can do the vulnerability assessment easily and we do not have to buy another solution for the vulnerability assessment. It is easy to use and we can take better advantage from an all-in-one solution like USM.

What is most valuable?

AlienVault USM has a vulnerability assessment feature and only one SIEM feature compared to other SIEM solutions. 

What needs improvement?

AlienVault must improve their correlation feature. Some of the events do not match with the correlation rules and some of the correlation events are false-positive.

For how long have I used the solution?

Less than one year.

What other advice do I have?

It is the most valuable tool that I have seen of the SIEM solutions.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner in Sri Lanka.
PeerSpot user
Tami Andrews - PeerSpot reviewer
Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
Real User

Thank you Tharaka for your time to review AlienVault USM and for your candid feedback!

PeerSpot user
Network and Security Engineer at a tech services company with 11-50 employees
Real User
Feb 25, 2018
We are able to get alerts perfectly with FIM and VA features
Pros and Cons
  • "This is a USM, so being able to get all the features under one roof makes it a good product with good new features."
  • "We are able to get alerts perfectly with FIM and VA features."
  • "Here we can get file integrity monitoring and a vulnerability assessment tool together with SIEM."
  • "Pay attention to false-positive event automatic correlations."
  • "The Log Management and configuration of email notifications should be user-friendly."

What is our primary use case?

This has an OTX feed. With it, we are able to get notifications about every incident that happens.

By forwarding device logs, we are able to get alerts perfectly with FIM and VA features.

How has it helped my organization?

We are the Partners in Sri Lanka. We are doing deployments in Sri Lanka, Maldives, and Bangladesh. 

This is a USM, so being able to get all the features under one roof makes it a good product with good new features.

What is most valuable?

Unified Security Manager (USM). In every SIEM, having only SIEM features (log management, alerting, notifications, etc.) is typical. Here we can get file integrity monitoring and a vulnerability assessment tool together with SIEM.

I have never seen a tool like this.

What needs improvement?

The Log Management and configuration of email notifications should be user-friendly. Pay attention to false-positive event automatic correlations. 

Efficiency of Security Team

Yes.

Events per Day

60.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No, we did not have issues with stability.

What do I think about the scalability of the solution?

No, we did not have issues with scalability.

How are customer service and technical support?

Good. They have technically fluent engineers there.

Which solution did I use previously and why did I switch?

Yes. We switched because this is a USM (SIEM, FIM, and VA tool in one product) and the price.

How was the initial setup?

The initial setup is straightforward, but some features are a little bit difficult.

What about the implementation team?

We are the partners in Sri Lanka. Therefore, we are directly involved with implementations.

What's my experience with pricing, setup cost, and licensing?

It has good pricing.

Which other solutions did I evaluate?

We evaluated EventTracker.

What other advice do I have?

Our customers have good references about AlienVault.

Disclosure: My company has a business relationship with this vendor other than being a customer. We are partners in Sri Lanka.
PeerSpot user
Tami Andrews - PeerSpot reviewer
Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
Real User

Thank you Kalana for your time to review AlienVault USM and for your candid feedback!

PeerSpot user
Head of MSS Platform and Product Management at a tech services company with 51-200 employees
Consultant
Feb 25, 2018
Allows for a lot of out-of-the-box features but it does not have APIs
Pros and Cons
  • "It allows for a lot of out-of-the-box features: vuln scanning, HIDS/HIPS, and IDS."
  • "Asset discovery seems to be good."
  • "Scaling, and it has no APIs! It would be hard for any legitimate MSSP to use it."

What is our primary use case?

  • Supporting an MSSP.
  • Supporting clients with minimum on-premise install.
  • We are rolling out a USM appliance.

How has it helped my organization?

It allows for a lot of out-of-the-box features: vuln scanning, HIDS/HIPS, and IDS. The Suricata rule set is pretty lame.

What is most valuable?

Asset discovery seems to be good. Nice that everything is bundled.  

What needs improvement?

Scaling, and it has no APIs! 

It would be hard for any legitimate MSSP to use it.  

For how long have I used the solution?

Still implementing.

What's my experience with pricing, setup cost, and licensing?

The price point is good.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews - PeerSpot reviewer
Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
Real User

Thank you Brian for your time to review AlienVault USM and for your candid feedback! If you'd like to set up some time to speak with the team about the issues you've raised, I'd be happy to facilitate that on your behalf. Please reach out to me at: tandrews@alienvault.com. Thank you in advance for your time and consideration!

PeerSpot user
Engineer - Information Security at a tech services company with 51-200 employees
Reseller
Top 20
Feb 22, 2018
Categorization of Security Events Helps Our SOC Analyst for Further Analysis.
Pros and Cons
  • "Implementation took a few days and it's easy to complete the task within the given project timeline."
  • "A user-friendly interface could be an advantage. Sometimes we may face trouble when we are going through the settings of AlienVault SIEM."

What is our primary use case?

I'm a reseller of AlienVault SIEM in Sri Lanka. We deployed AlienVault SIEM in one of the banks in Sri Lanka three months back. Currently we are working on the fine tuning. It took me two weeks to complete the basic deployment and integration of up to 50 devices with the client's technical team.

How has it helped my organization?

Since we are a reseller, AlienVault helped us because of their cheaper price compared to other SIEM solutions and the addition of FIM in the solution. Implementation took a few days and it's easy to complete the task within the given project timeline.

What is most valuable?

Raw logs: Clients require to store their raw logs in a data-store rather than keep it in the actual device.

Alarm section: It's very easy to see the Alarms for any incidents rather than going through all the logs.

Security events: Categorization of Security events helps our SOC analyst for further analysis.

What needs improvement?

A user-friendly interface could be an advantage. Sometimes we may face trouble when we are going through the settings of AlienVault SIEM.

For how long have I used the solution?

Less than one year.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Tami Andrews - PeerSpot reviewer
Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
Real User

Thank you Shayanthan for your time to review AlienVault USM and for your candid feedback!

PeerSpot user
IT/IS Officer - Marketing Director at a tech services company with 51-200 employees
Real User
Feb 22, 2018
It Has Become an Invaluable Asset for Our Small Organization
Pros and Cons
  • "AlienVault gave our organization a centralized tool to manage our security with its intrusion detection, asset management, vulnerability assessments, along with all of its other features, it has become an invaluable asset for our small organization."

    What is our primary use case?

    Working as the CIO for a small community bank, resources for staffing and manpower can be limited. AlienVault helps to simplify the management of Information Security and helps me to detect threats and manage alerts with ease!

    How has it helped my organization?

    AlienVault gave our organization a centralized tool to manage our security with its intrusion detection, asset management, vulnerability assessments, along with all of its other features, it has become an invaluable asset for our small organization.

    What is most valuable?

    We have found the AIO USM the most valuable because of its centralized grouping of all of the tools necessary to manage our security in an "All In One" solution.  Of its parts, the scheduled vulnerability assessment tool has been helpful as a preventative measure to help keep ahead of security threats!

    What needs improvement?

    As with many of its users, I have submitted suggestions in the past and AlienVault has seemed to listen to suggestions from its users and has implemented them every time. I am happy with the product as it is today.

    For how long have I used the solution?

    Three to five years.
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Tami Andrews - PeerSpot reviewer
    Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
    Real User

    Thank you Kirk for your time to review AlienVault USM and for your candid feedback!

    PeerSpot user
    System Administrator at a tech services company with 10,001+ employees
    MSP
    Feb 6, 2018
    We have been able to ensure the health of our servers
    Pros and Cons
    • "As we have to service several servers, we can manage them in an economical way, which is beneficial to our team and business."
    • "Any unusual behaviour, we can monitor. We have alerts set up to be sent when we receive signs of any unusual behaviour."
    • "For what it can do and the cost, it was the best SIEM tool!"
    • "For creating new rules, you have to be familiar with regular expressions. I feel there could be something built-in to make sure that process is easier."

    What is our primary use case?

    We use the appliance in a few ways: monitoring network behaviour, asset discovery, and running vulnerability scans. We can monitor the availability of servers and any particular software. As we have to service several servers, we can manage them in an economical way, which is beneficial to our team and business.

    How has it helped my organization?

    We have been able to ensure the health of our servers. We can also use vulnerability scans to ensure our system is as good as it could be.

    Any unusual behaviour, we can monitor. We have alerts set up to be sent when we receive signs of any unusual behaviour. The ranking can be modified to allow us to apply a standard rule and also be customized, which suits our business needs.

    What is most valuable?

    I have used the asset discovery and the vulnerability scans the most. As a system administrator, it is important that we are prepared for any eventualities. I also like how you can use the hardware “out-of-the-box”, or using logs you can actually customise the performance to fit your environment and needs.

    What needs improvement?

    For creating new rules, you have to be familiar with regular expressions. I feel there could be something built-in to make sure that process is easier.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No stability issues.

    What do I think about the scalability of the solution?

    No scalability issues.

    Which solution did I use previously and why did I switch?

    We did not have any sustainable solution, previously.

    What's my experience with pricing, setup cost, and licensing?

    Use the AlienVault team. They are helpful and the documentation that they provide is second to none.

    Which other solutions did I evaluate?

    We checked out several competitors. For what it can do and the cost, it was the best SIEM tool!

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Tami Andrews - PeerSpot reviewer
    Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
    Real User

    Thank you Adrian for your time to review AlienVault USM and for your candid feedback!

    PeerSpot user
    Network Operations Manager / Systems Engineer at a tech services company
    Real User
    Top 20
    Jan 14, 2018
    Asset management of nodes has been a large help in terms of being able to track applications with more detail
    Pros and Cons
    • "Vulnerability scanning helped out shortcomings of what was not patched in the past and what needed to be patched. This assisted with fine tuning the environment for compliance."
    • "It brought our logs into one place for review and set up alarms based on changes we were missing due to lack of having one place for everything to go."
    • "The asset management of nodes has been a large help in terms of being able to track applications with more detail and have changes made being monitored into one source."
    • "The all-in-one source for the needs of compliance has put everything into one location without the need of other applications and tools to accomplish the tasks."
    • "Source material on the forums to be more up-to-date with the changes happening within the product. Forums being out-of-date with information due to the changes makes troubleshooting a little more difficult - specific to the HIDS agents."

    What is our primary use case?

    AlienVault is used in our infrastructure for compliance purposes. It was brought in as a replacement for use in multiple products at the time, such as Kiwi and Nexpose scanner. With the environment being new, it was the best place to start with being everything into one location for Syslog and Asset management. The vulnerability scanner also made the difference where the scans created tickets for remediation.

    How has it helped my organization?

    The all-in-one source for the needs of compliance has put everything into one location without the need of other applications and tools to accomplish the tasks. It brought our logs into one place for review and set up alarms based on changes we were missing due to lack of having one place for everything to go. Vulnerability scanning helped out shortcomings of what was not patched in the past and what needed to be patched. This assisted with fine tuning the environment for compliance. The reports also helped upper management with the ease the product was doing in its job and holes that were being filled.

    What is most valuable?

    The asset management of nodes has been a large help in terms of being able to track applications with more detail and have changes made being monitored into one source. The vulnerability scanning has also been an aid of reviewing the systems and having feedback of what is missing patches and holes in our environment that need review and remediation. The all-in-one aspect has been helpful to see items and correlate within one source rather than multiple.

    What needs improvement?

    Source material on the forums to be more up-to-date with the changes happening within the product. Forums being out-of-date with information due to the changes makes troubleshooting a little more difficult - specific to the HIDS agents. Troubleshooting connectivity is limited to very few articles with very little information. Perhaps adding templates into the HIDS agents for collection based on systems or a clickable addition of files to collect with check boxes rather than configuring the HIDS agents through text.

    Also, more information on how specific sections relate to PCI and how to use/setup the SIEM to follow the guidelines of the areas. Some information is vague on how to accomplish specific items within PCI on help forums through AlienVault.

    For how long have I used the solution?

    Less than one year.
    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Tami Andrews - PeerSpot reviewer
    Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
    Real User

    Thank you Phillip for your time to review AlienVault USM and for your candid feedback!

    PeerSpot user
    IT Systems Administrator at a financial services firm with 201-500 employees
    Real User
    Dec 14, 2017
    It has streamlined log aggregation and analysis to meet organizational and regulatory needs
    Pros and Cons
    • "It has streamlined log aggregation and analysis to meet organizational and regulatory needs."
    • "The most useful feature is the customization for alarms, alerts, and reports."
    • "Reporting is convoluted and difficult at times, although they claim to have hundreds of pre-built reports, very few of them are actually useful for anything but what the USM is doing."
    • "Windows log collection works with HIDS, but documentation is sparse and confusing."
    • "Reporting and Windows log collection is the biggest drawback."

    What is our primary use case?

    The primary use case for AlienVault is Log Management and SIEM functionality with the added benefit of IDS.

    How has it helped my organization?

    It has streamlined log aggregation and analysis to meet organizational and regulatory needs.

    What is most valuable?

    The most useful feature is the customization for alarms, alerts, and reports. AlienVault is situated to be adapted and changed to meet many different needs and use cases, but still being effective at most of them. 

    What needs improvement?

    Reporting and Windows log collection is the biggest drawback. Reporting is convoluted and difficult at times, although they claim to have hundreds of pre-built reports, very few of them are actually useful for anything but what the USM is doing. Windows log collection works with HIDS, but documentation is sparse and confusing. You have to trace back to how Windows Event ID ultimately correlates with AlienVault events through HIDS IDs.

    For how long have I used the solution?

    Less than one year.

    What do I think about the stability of the solution?

    Some minor issues here and there with updating/services not working, but AlienVault support is quick and easy to work with and will handle it. 

    What do I think about the scalability of the solution?

    No issues. Make sure you do size appropriately though for the level of logs you want to collect and retain. 

    How was the initial setup?

    Complex in some ways, but AlienVault is pretty easy and will help along the way. Also, taking the training class is very valuable. 

    What's my experience with pricing, setup cost, and licensing?

    Do the one month trial and try to work out the kinks during it, as it has free support and service hours. The staff is great at knowing what to do and what they can do to help. 

    Which other solutions did I evaluate?

    Yes. Our SIEM tool list, from which we were evaluating, included Splunk and LogRhythm.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Tami Andrews - PeerSpot reviewer
    Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
    Real User

    Thank you Jon for your time to review AlienVault USM and for your candid feedback!

    PeerSpot user
    Security Administrator at a financial services firm with 501-1,000 employees
    Vendor
    Nov 2, 2017
    It has allowed us to gain a better understanding of how data flows within our network
    Pros and Cons
    • "It allows you to define what alerts you want to see, or not to see, as well as if you want them grouped, or ungrouped."
    • "AlienVault provides you with a unified view for all aspects of what is going on in your environment."
    • "The reporting aspect could be improved. While there are a lot of different options available, there are still pieces which are missing."

    How has it helped my organization?

    It has allowed us to gain a better understanding of how data flows within our network, and has helped us think about what type of things we want to be alerted on, or not alerted on.

    What is most valuable?

    AlienVault provides you with a unified view for all aspects of what is going on in your environment. It allows you to define what alerts you want to see, or not to see, as well as if you want them grouped, or ungrouped.

    What needs improvement?

    The reporting aspect could be improved. While there are a lot of different options available, there are still pieces which are missing. The views are also very static and do not give you a lot of options on how the data is presented.

    What do I think about the stability of the solution?

    No, the product is stable.

    What do I think about the scalability of the solution?

    No, our network has stayed for the most part the same. In the future, it should be scalable with additional sensors.

    How are customer service and technical support?

    Customer Service:

    This is an area that could be improved.

    Technical Support:

    This is an area that could be improved. However, once you get a knowledgeable tech support person, they are good to work with.

    Which solution did I use previously and why did I switch?

    No, this is our first SIEM device.

    How was the initial setup?

    Both. It was simple to just get up and running. However, when you start tweaking it for your organization it gets more complex.

    What about the implementation team?

    A little bit of both. The vendor team's expertise was amazing. I highly recommend using them.

    What was our ROI?

    The time that it would take to manually investigate events versus looking at one dashboard.

    What's my experience with pricing, setup cost, and licensing?

    Definitely get professional services.

    Which other solutions did I evaluate?

    Darktrace and QRadar.

    What other advice do I have?

    Once set up, for the most part, it is a "set it and forget it" solution. There is some upkeep with making sure all the things are monitored, but other than that AlienVault provides what you need out-of-the-box.

    Disclosure: My company does not have a business relationship with this vendor other than being a customer.
    PeerSpot user
    Tami Andrews - PeerSpot reviewer
    Tami Andrews, Sr. Customer Programs Manager at a tech vendor with 201-500 employees
    Real User

    Thank you David for your time to review AlienVault USM and for your candid feedback!
