The UI is clean and easy to use. Lots of documentation, training, and community involvement available as well.
Infrastructure Engineer at a tech services company with 1,001-5,000 employees
Holistic view of SIEM environment
What is most valuable?
How has it helped my organization?
Holistic view of SIEM environment.
What needs improvement?
For how long have I used the solution?
Only for a few months. We just went live with the USM when we transitioned away from on-prem.
Buyer's Guide
USM Anywhere
June 2025

Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
860,632 professionals have used our research since 2012.
What was my experience with deployment of the solution?
Not on the AV side, pretty easy to use.
What do I think about the stability of the solution?
No.
What do I think about the scalability of the solution?
No.
How are customer service and support?
Customer Service:
Very good.
Technical Support:
Very good.
Which solution did I use previously and why did I switch?
N/A.
How was the initial setup?
Yes.
What about the implementation team?
Vendor. Not the best.
What was our ROI?
Too soon to tell.
What's my experience with pricing, setup cost, and licensing?
Check logging.
Which other solutions did I evaluate?
N/A.
What other advice do I have?
No.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
IT User
We haven't suffered a true breach, but it has helped identify weaknesses.
What is most valuable?
SIEM capabilities, vulnerability scanning, asset discovery/management features.
How has it helped my organization?
Increased visibility, threat detection.
What needs improvement?
The web UI can be clunky at times, with poor error handling. Updates need more QC before release.
For how long have I used the solution?
One year.
What was my experience with deployment of the solution?
Deployment has always been smooth.
What do I think about the stability of the solution?
No, it has been quite stable.
What do I think about the scalability of the solution?
Nothing except for networking challenges.
How are customer service and technical support?
Customer Service:
Seven out of 10.
Technical Support:
Seven out of 10. First level of support is hit and miss, but higher level support technicians are great.
Which solution did I use previously and why did I switch?
No, we started with OSSIM and then bought USM.
How was the initial setup?
Very straightforward if you're prepared. Just deploy the OVA template and follow the instructions and you're up in less than an hour.
What about the implementation team?
In-house.
What was our ROI?
I can't say.
What's my experience with pricing, setup cost, and licensing?
The asset licenses are misleading. You can have as many as you want in AV and have NIDS work on all of them. The limit is more about logs and plugins for the assets.
Which other solutions did I evaluate?
No.
What other advice do I have?
It's a good solution and has a promising future.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Network Administrator at a tech services company
The product has been very stable
What needs improvement?
The setup was somewhat complex.
For how long have I used the solution?
We have had this solution in place for about 10 months.
What was my experience with deployment of the solution?
There were deployment issues. At the time, it was right after USM Anywhere had been released, and not all of the documentation was posted. This made the deployment have some issues.
What do I think about the stability of the solution?
The product has been very stable.
What do I think about the scalability of the solution?
We have had no issues with scalability.
How are customer service and technical support?
Customer Service:
I would give customer service a rating of four out of five.
I would give technical support a rating of four out of five.
Which solution did I use previously and why did I switch?
This is the first solution like this that I have deployed.
How was the initial setup?
The setup was somewhat complex. One thing that was difficult was configuring log forwarding from Windows systems.
What about the implementation team?
We implemented using an in-house team.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Professional Services Engineer at a tech services company with 11-50 employees
Meets logging requirements for PCI and HIPAA standards
What is most valuable?
The tool is a great way to meet logging requirements for PCI and HIPAA standards. It is very flexible and customizable.
How has it helped my organization?
I came into the company with USM Appliance already in place. However, from my previous experience with logging and security appliances, there have been many tasks that used to be a manual process like asset discovery, that are now automated and easy to implement through the UI.
What needs improvement?
Stability on certain components could be better, but for a system that is on 24/7/365 without reboots, it's fairly trouble free.
For how long have I used the solution?
We have used this for one year.
What was my experience with deployment of the solution?
There were no issues with deployment.
What do I think about the stability of the solution?
Stability issues were only due to issues with updates, and in extremely unusual use cases.
What do I think about the scalability of the solution?
There were no issues with scalability.
How is customer service and technical support?
Customer Service:
They have amazing customer service. AlienVault Support takes care of all of my issues that come up.
Technical Support:
I would give technical support a rating of 10 out of 10.
How was the initial setup?
The setup was fairly straightforward. A more advanced setup is available for different use cases.
What about the implementation team?
We did the implementation in-house.
What was our ROI?
Having our logs in a single system is in itself a huge ROI.
What's my experience with pricing, setup cost, and licensing?
When compared with other options, AlienVault is significantly less expensive for the amount of features that are packed into it.
Which other solutions did I evaluate?
I was not part of the product decision.
What other advice do I have?
AlienVault support is what really makes this product a great investment. They are constantly improving their product and happy to help with anything that comes up.
Disclosure: My company has a business relationship with this vendor other than being a customer. My company utilizes USM Appliance for our own logs, but we are also an AlienVault MSSP Partner and Reseller.
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Provides us with flexible deployment architecture
Pros and Cons
- "The best thing about AlienVault USM is it being a “Jack-of-All Trades” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, Asset Management, Vulnerability Management, etc., under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc., can boast of such a diverse feature set."
- "The lack of mature functionality and expertise in any of those areas is a strong negative."
How has it helped my organization?
A jack-of-all trades:
The best thing about AlienVault USM is it being a “Jack-of-All Trades” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, Asset Management, Vulnerability Management, etc., under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc., can boast of such a diverse feature set.
- QRadar is the closest to AV USM in terms of feature diversity. While all the features are formerly isolated Open Source community projects, the USM does a good job of integrating them into a feature set. While they are not great as individual parts, they more than make up as a sum of the parts.
- OTX – Open Threat Exchange is a wonderful community sharing platform that helps clients to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of Real World Intelligence and what AlienVault intends to do with this data remains to be seen. For now, it is being used by the USM Correlation engine to provide better context and content for Security monitoring. AlienVault Labs is also utilizing this infrastructure to constantly update Detection rules for malware vectors, vulnerability exploits, etc. QRadar and ArcSight provide Intelligence, but it is commercial intelligence and not community intelligence. With community intelligence, you get more hits than misses.
- Multi-Tenancy – While this feature may not elicit interest from many readers, those who have worked in an MSSP environment can understand why this is a very important feature to have. AV USM does support Multi-Tenancy out of the box. This, when combined with the Architecture flexibility, provides great MSSP models to sell and operate. The key is to understand how the multi-tenancy works. Basically, a single database is used to store data of several customers using a Data isolation Logic and Permission control. The data isolation logic is based on Entities created in USM (Assets, Users, Components Assigned (Sensors) etc., are grouped together as a Single Entity) and Permissions (applied in a granular fashion to data sets related to the Entities). QRadar, ArcSight and other major SIEM products provide this as well.
- Integration – While AV USM is known for being customization friendly, the amount of out-of-the-box plugins for Log Monitoring and Correlation is limited to the well-known products. It does not have comprehensive integration capabilities with say legacy applications, Directory services, databases, etc., that other SIEM vendors boast of. Similarly, it relies mostly on its own “pre-packaged” tools for data enrichment and hence has poor “Third Party” Integration capabilities. However, if you really are a developer of open source products, the integration challenge can be overcome. But how many are willing in the real world enterprise?
- Correlation and Workflow – What good is a SIEM product if it cannot perform advanced Correlation and Operational workflow? AV USM has a strong foundation in Correlation using XML driven Directives and Alarms thresholds. However, when it comes Head-to-Head with the Industry leaders like ArcSight, QRadar, Splunk, etc. it falls terribly short. We particularly like the Cyber Kill Chain flow which a lot of customers are using for complete visibility, but this is not the end game in real world enterprise operations where not all the data points required for the directive are available. Same thing goes for the workflow, where the integration with external ticketing or issue tracking system is very limited, and hence acts as a deterrent in large scale deployments.
What is most valuable?
Flexible Deployment Architecture – This is where the Open Source roots really start to flex their muscles when it comes to AV USM. The main components of the architecture are as follows:
- AV Sensor: AV Sensors perform Asset Discovery, Vulnerability Assessment, Threat Detection, and Behavioral Monitoring in addition to receiving raw data from event logs and helping in monitoring network traffic (including Flow). The sensors also perform normalization of the received raw events and communicate them to the AV Server for correlation and reporting.
- AV Server: AV Server is the Central Management Console that provides USM capabilities under a single GUI. The server receives normalized data from the sensors, correlates and prioritizes the events, and generates security alerts or alarms. The server also provides a variety of reporting and dashboarding capabilities.
- AV Logger: AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long term retention and management.
All the architecture components including the Sensor, the Logger, the Correlation Engine, etc., can be deployed tier-based, isolated, or in a consolidated all-in-one style. This wide variety of deployment options helps customers to have flexible and open architectures. This also helps control cost depending on the budget at hand. Very rarely can products boast of such flexibility.
What needs improvement?
This product is jack-of-all trades, but master of none. As mentioned in the good, being a jack-of-all trades is well suited for certain organizations. However, the lack of mature functionality and expertise in any of those areas is a strong negative.
For example, the correlation engine is nowhere close to the likes of ArcSight, QRadar, or Splunk, etc. The threat Intelligence is not as good as QRadar, McAfee, RSA, etc. When it comes to critical functionality expertise, AV USM is found lacking.
- Database: AV USM is using MySQL for its database. All the issues related to a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database and this causes an issue in terms of scalability, especially with high log volume environments because backup and restore is time and CPU/RAM consuming. USM can hugely benefit from moving to a non-DB Log storage architecture, thereby giving more flexibility in data management. It is doubtful if AV will take that route. Based on their product direction, they are looking at Percona Server to replace MySQL. While it is a good move, it is still a customized MySQL replacement. It may not add much desired scale to the product.
What do I think about the stability of the solution?
Product Stability: The biggest issue we have seen with the product is its poor stability. With way too many components, myriad integrations, and a ton of scripts, the product is really unstable. Every version upgrade is a nightmare. Re-installation or Re-start is the most common solution for the product to start working again. In a mission critical environment, this is a complete NO-NO. One of the most common and frequently failing components is the DB. Issues like DB corruptions, access issues, disk errors, unresponsive queries, etc., really test the patience of end users on a regular basis. These are the most damning negatives about AV USM.
How are customer service and technical support?
One of the common issues we hear about AV technical support is that it is of inconsistent and poor quality. Most of the time, the solutions rely on re-install, re-start, or a bug-fix. There are way too many components to troubleshoot. This leaves support to resort to re-install or re-start, without thorough root cause analysis.
Which solution did I use previously and why did I switch?
Customization: Again, this is one point where AlienVault outshines the competition in capability of customization. We have seen several customers who are using AV USM with heavy customization to perform threat detection, Asset Discovery, Threat scoring, APT detection, etc. This flexibility is really desired by Security analysts and AV USM is making good on this promise.
What's my experience with pricing, setup cost, and licensing?
One of the areas where AV USM benefits is price. It is affordable while offering a whole lot of SIEM features. This turns out to be the deciding factor for small and medium enterprise segments. QRadar, ArcSight and Splunk are some of the most expensive SIEM security tools out there in the market and not everyone has the budget to buy them. In such cases, AV USM is a very cost effective alternative.
What other advice do I have?
Product Vision Stagnation: This may not be much of an issue for potential users of AV USM. However, it is important to note that the product has not gone through major leaps in the last four years. It had more than three major releases and 20+ minor releases, but nothing path-breaking has been brought to the market. It has still remained in the “promising products to watch” for way too long. One of the main reasons we think this is the case is because of economies of scale. Since they are priced lower and cater to the SME segment, the amount of money invested in development is less, and hence the result.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Technical Writer at a tech services company with 11-50 employees
AlienVault USM - bang for your buck.
What is most valuable?
I have worked with a Managed Security Team that uses AlienVault USM for the past two years. The user interface is as good as it gets. The setup is greatly simplified with intensive documentation and a great tech support.
How has it helped my organization?
The USM has been instrumental in the discovery and tracking down of emerging threats which has helped us instantly evaluate and resolve security incidents for our clients.
What needs improvement?
I would say the menus could use some tweaking and custom rule creation could be made simpler.
For how long have I used the solution?
2 years.
What was my experience with deployment of the solution?
No. I did not face any deployment issues.
What do I think about the stability of the solution?
No. I did not face any stability issues.
What do I think about the scalability of the solution?
No. I did not face any scalability issues.
How are customer service and technical support?
Customer Service:
Impressive.
Technical Support:
Great.
Which solution did I use previously and why did I switch?
AlienVault was the first and only choice.
How was the initial setup?
Setup was straightforward and priming and fine-tuning was reasonably simple too.
What about the implementation team?
In-house team.
What was our ROI?
The product greatly reduces the need for human review and by bringing so many feature-rich capabilities under one roof, it makes it hassle-free for collecting evidence for ISO 27001 compliance.
What's my experience with pricing, setup cost, and licensing?
AlienVault is one of the best to consider in terms of price advantage. AV is giving tools that charge you based on EPS a run for their money. Forget about procuring licensing and setting up stand-alone detection and prevention systems and then having them all integrate for log interpretation.
Which other solutions did I evaluate?
Splunk Enterprise Security.
Disclosure: My company has a business relationship with this vendor other than being a customer. Managed Security Service Provider Partner Program.
IT Assistant at a financial services firm with 51-200 employees
I can monitor less things and just read reports or alarms.
What is most valuable?
The customizable reports
How has it helped my organization?
I can monitor less things and just read reports or alarms.
What needs improvement?
I don't have any, as I've been pretty satisfied with the product.
For how long have I used the solution?
1 Year
What was my experience with deployment of the solution?
No, it was pretty smooth. There's a little bit of a learning curve out the gate, but they have lots of help available.
What do I think about the stability of the solution?
No
What do I think about the scalability of the solution?
Just learning the language, it's a new product, and it takes time to learn all of its capabilities.
How are customer service and technical support?
Customer Service:
10, they have great customer service.
Technical Support:
10
Which solution did I use previously and why did I switch?
We had a MARs and it was EOF.
How was the initial setup?
It was pretty straightforward, you take a class and then you get extra help. There wasn't any confusion.
What about the implementation team?
In-house.
What was our ROI?
N/A
What's my experience with pricing, setup cost, and licensing?
It's worth it!
Which other solutions did I evaluate?
Yes, but I wasn't a part of the research team.
What other advice do I have?
I'm glad we purchased it, wished we would have gone with outside monitoring instead of in-house and there is a lot to learn. Great product though.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Information Security Manager at a tech services company with 201-500 employees
We used to have to monitor and review logs for each device, now everything comes into AlienVault and it alerts us when we need to respond.
Pros and Cons
- "The USM is a work horse, no matter what devices or the number of logs we throw at it, the system processes them in real time, correlates the events, and alerts on only events that need human review."
- "The one thing I continue to dislike about the USM is the limitation on reports."
How has it helped my organization?
We used to have to monitor and review logs for each device. Now, everything comes into AlienVault and it alerts us when we need to respond. We now have real-time monitoring 24x7x365 using an in-house team.
What is most valuable?
The ease of use and customization. The USM is a work horse, no matter what devices or the number of logs we throw at it, the system processes them in real time, correlates the events, and alerts on only events that need human review.
What needs improvement?
The one thing I continue to dislike about the USM is the limitation on reports. Hard to get what you need in a report and once you do, there is no control over the formatting.
What do I think about the stability of the solution?
There used to be some issues with database stability in versions pre 5.x, but the database has since been tuned and has been rock solid since.
What do I think about the scalability of the solution?
The only issue I have run into with scalability is the 1TB limit for raw log storage. When you collect as many logs as I do you need additional space to keep logs for compliance.
How are customer service and technical support?
Customer Service:
I give customer service five stars, they are always available and very helpful.
Technical Support:
Technical support gets 4 1/2 stars. Like any support, it varies on the person that gets your ticket.
Which solution did I use previously and why did I switch?
I have used many solutions with different companies but always move to AlienVault. You get so many more features for the money. AlienVault always comes in way less in price than any other solution.
How was the initial setup?
Initial install is easy, the complexity only comes in as you start to add logs to the system to collect. If you do not take the time to plan out your installation and get a complete list of devices to collect from you could run into issues.
What about the implementation team?
We implemented using our in-house team.
What was our ROI?
We are able to monitor 24x7x365 with minimal staffing. Once it is tuned you only get the alerts you need to see. We used to have to monitor and review logs for each device. Now, everything comes into AlienVault and it alerts us when we need to respond.
What's my experience with pricing, setup cost, and licensing?
Have a look at how AlienVault does Events Per Second (EPS) compared to others. Most other products charge based on EPS, the more events the more you have to pay. This causes most companies to limit the amount of logs sent and processed. AlienVault charges by the number of devices managed. You can send anything and everything to the USM. The more logs you can process the better correlation you will have. I have found that companies that limit their logs and then have a security incident would have been able to identify the attack if they would have been monitoring all events in their logs.
Which other solutions did I evaluate?
Splunk, QRadar, LogRhythm, etc.
What other advice do I have?
If you are thinking about a solution, give their free product OSSIM a try and once you see all it does you will want to upgrade to the commercial USM to get even more.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.

Thank you Adam for your time to review AlienVault USM and for your candid feedback!