USM Anywhere Reviews

AlienVault provides a central place for monitoring the logs from various security tools in our environment, such as CrowdStrike and Datrix. It gives us complete visibility into the logs from those tools and endpoints in our environment. We use AlienVault for managing logs and vulnerabilities with tools like CrowdStrike.

Having everything in a central place has been helpful. 

AlienVault cannot automatically respond to threats like other SIEM solutions, such as Sentinel and LogRhythm. Most of our clients are far away, so it's often challenging to handle alerts when they come up on our dashboard.

We have been using AlienVault for two years now.

I rate AlienVault seven out of 10 for stability. Deploying AlienVault on-prem has been a challenge. The network sometimes drops, and it disconnects the sensor. 

I rate AlienVault USM eight out of 10 for scalability.

We were using an open-source solution, then we upgraded to USM.

I rate AlienVault USM eight out of 10 for ease of setup. I've deployed it on-prem and in the cloud in EXI. You can deploy it in under 10 minutes. I deployed it by myself. It was easy for me because I attended the training, but some of my colleagues didn't. It was challenging for them to implement. However, one person is enough if you're trained.

You might have to pay an additional fee to increase the number of sensors. We have five sensors, but other clients have three. I think you need to pay more to extend to four or five. 

We tried Elastic Security, but it was difficult for us to implement.

I rate AlienVault USM seven out of 10. It can do the job if log management is what you want, but it lacks automated response. 

We use it for log management, which is connected to our active directory and other servers. It is agent-based and picklocks for our firewall. Every activity on the firewall is recorded, and notifications are sent with this solution.

It gives us everything we want. We don't use vulnerability management, and we use it specifically for the log.

We like the on-premises solution, but AT&T wants us to move to their cloud version. We are not interested in doing that because the storage in the cloud version is not cheap. We don't want to move to the cloud and be unable to afford the cost of maintaining the cloud. We are looking for a solution that we can afford long term. Since the support for on-premises is close to being eliminated, we are looking for a solution that fits our budget.

We have been using this solution for six years and are using the latest version of their on-premises USM.

We have had some issues, but we have been able to handle them.

We have tried to scale it with a partner, but one of the limitations is that we do not want to scale it if the on-premises is coming to the end of life. We have to manage our budget to ensure the business does not fail. In terms of assets, we have about 100 assets, and it is not difficult to maintain.

The partner that we liaised with during deployment manages any issues. We raise a ticket, push it to them, and work together on Zoom to fix it. Sometimes I handle the issues myself, but if I can't handle it, I push it to the partners. I rate the technical support an eight out of ten.

Positive

The setup was not difficult and was a bit straightforward. The tricky part was trying to correlate what to send alerts for. Sometimes the log is unclear, and the report is a bit ambiguous. So we need to do additional research to know what the log and raw data are saying. The deployment was done both in-house and with a third party.

The licensing cost is around 4 million naira. I rate the pricing a nine out of ten, with ten being the most reasonable.

I rate this solution an eight out of ten. Regarding advice, before you implement any solution, ensure it meets your technical needs and assess whether you can maintain the solution in terms of cost of support. Regarding additional features, the existing features are good, but if they could integrate file integrity monitoring, it would be great.

We use it for compliance. We're not using it as a security operation center type of thing. Its usage is more from an auditing standpoint at this point.

We partner with them for customers who need something like a SIEM, so we're a cloud provider and integrator.

It is deployed on the cloud. It is a combination of AT&T's own cloud and our cloud. We run our own infrastructure. So, it is a hybrid and private cloud.

We're using it more for reporting, that's all. We're using it to help our customers to pass any kind of audits that they receive.

I don't have any suggestions for improvement. On our side, as a provider, we should develop a real security operation center type of practice, which we don't have right now.

There could be some type of integration with our existing portal. We have our own customer portals, and it would be good if there was an integration so that our portal can provide reports. There could be some type of API into the AlienVault system with the USM system so that it is easy to show the customers high-level reports of the system through our portal.

It is pretty stable from what I hear. 

It is cloud-based, so it is very scalable. It really depends on how many devices they have in their environment. Our customers are more mid-sized companies, so it fits what we need.

We don't have a lot of clients using this SIEM. Usually, a client is interested in something like this to help them with their auditing. So, we don't have a lot of customers using it right now. Probably in the near future, its usage will be increased in terms of the customers requesting it from a security standpoint.

It is pretty good. I usually don't contact their support. I usually contact their sales team. I work with their pre-sales and sales engineer and account rep.

It is pretty straightforward from what I've seen, but it has to be verified to make sure any changes in the environment are added to the configuration. Like anything, it is not set it and forget it. You really have to make sure that it is capturing everything if things change or new systems are brought online. It is more of a procedural thing where you have to make sure somebody is keeping it up to date.

For its maintenance, we have someone who manages the product itself. In our company, for IT people, we have around 100 or so staff. We have customers nationwide, but we probably have two to three people managing this product. They are in more of a security analyst type of role dedicated to security.

I don't know exactly, but I know it is based on the number of logs and the retention duration, such as 30 days or something like that. So, the smallest package is about 500 a month for 30 days of logs.

There is a virtual machine. You need resources for it. It is a log collecting VM. They provide the software, and you just have to load a virtual machine. So, you're going to incur some CPU RAM and storage for wherever this log collecting appliance is running, which typically is in our cloud and on our platform for the customer.

I would advise knowing your requirements and your data. What are you trying to protect or monitor? Before implementing something like this, you really should have basic security in place. You should have systems that are generating logs, for example, antivirus software and firewall. You have to have that all in place first to make this kind of product useful because this type of product is really meant to aggregate things after the fact. After you've put all the systems in place, then this system aggregates and collects everything together. You really need all the endpoint security, firewall security, and server security first, so you have meaningful data to look at. The SIEM is not going to be useful if you don't have any meaningful data for it to collect.

I still need to dig into it deeper to see exactly what it does. Our practice is kind of evolving, so this is probably something that we need to offer more to customers. We need to get more product knowledge on it and develop a practice around it. A lot of customers are asking for security operations center (SOC) services for remediation of problems. We don't do that right now, but that's something that I know is probably on the roadmap. With everything going on, that would be a helpful service to our customers, and I think they're asking for that. We've encountered customers asking for that type of service. We don't do it yet. I know there are other partners out there that do that, so really it's on our side to develop the product more. Whether it involves staying with this AT&T product or going for maybe another one, customers are looking for a little bit more. They are not just to have it set up, but also to have someone to act on any kind of alerts or any kind of potential breaches. They're looking for a service for somebody to actually remediate.

From what I know of the product, I would rate it an eight out of 10. 

I have used AT&T AlienVault USM for Log collection and management, priority, and incident analysis.

AT&T AlienVault USM has helped our organization by highlighting known vulnerabilities in our network and full visibility of our network to figure out if there is anything that we are not aware of. If there are any missing pieces, they would be found by the AT&T AlienVault USM.

The most valuable feature in AT&T AlienVault USM is the reporting.

AT&T AlienVault USM can improve searchable data. It should be available for more than 90 days. If you need more than 90 days of data, you have to put a request and they give you raw data, which is not easy to search. A good addition would be to allow users to search data older than 90 days.

In a future update, they should add more integrations with third-party devices.

I have been using AT&T AlienVault USM for approximately six months.

AT&T AlienVault USM is stable.

The scalability of AT&T AlienVault USM is good.

We have five IT administrators that use it. We plan to increase the usage in the future.

We don't reach out to technical support from AT&T AlienVault USM. We go through our third-party provider. They are the ones who we reach out for technical support. We only reach out to the MSP.

I did not use another solution prior to AT&T AlienVault USM.

The initial setup of AT&T AlienVault USM was straightforward. The deployment took approximately one hour.

We did the implementation in-house with the help of a consultant. We require one person for the maintenance and support.

I have seen a return on investment using AT&T AlienVault USM.

I rate the return on investment of AT&T AlienVault USM a four out of five.

I rate the price of AT&T AlienVault USM a four out of five.

We evaluated Microsoft Sentinel and IBM QRadar before choosing AT&T AlienVault USM.

AT&T AlienVault USM is very easy to deploy, user-friendly, easy to understand, and fits very well for small, and medium-sized businesses. I won't say it is a con for the other ones, but they are more suitable for larger-sized companies and sometimes it is cost a lot for Microsoft Sentinel and IBM QRadar.

My advice to others is you need a dedicated person to monitor the same solution. If not, you have to outsource it to a 24/7 SOC, or Security Operation Center, such as a managed security provider.

I rate AT&T AlienVault USM a nine out of ten.

The fact that I am a very small security team and AlienVault allows me to have a SIEM, FIM and Vulnerability scanner all in one.

I am able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed. Since I don’t have a lot of time to learn new and complicated tools, being an e-commerce company, this allows me to increase the security posture of the overall organization and also to help pass PCI compliance.

With all these products there is always room for improvement. Whether it’s making the filtering of anomalies better, making setup and deployment faster, streamlining more of the functional aspects of the product, etc. There is really not one thing that stands out in particular.

About one year

I had some initial issues with some of the upgrades in version, but with the help of their support team, we were able to resolve all of them.

No, not yet. We are growing at a rapid pace and eventually will need more sensors, but I believe that will be a painless upgrade.

Tech support is great. Very knowledgeable, reliable, and have resolved all problems, escalated when necessary, and handled all my cases very professionally.

I have used different solutions at previous jobs. AlienVault was a new purchase and install. When asked for my opinion, I did recommend AlienVault as the solution since my comparison of all products came down to AlienVault being the best for our particular environment.

It was very straightforward. I had made a couple of little mistakes that most likely would have been avoided if I had not rushed a few aspects of the install, but tech support was able to get me back on the right track.

The pricing for this solution with the 3 major components: SIEM, FIM, and vulnerability scanning, can’t be beat. There are other systems that are way more robust, but way more complicates and way more expensive. This solution was perfect for us.

I had eliminated others prior to evaluating AlienVault based on prior experience. Tripwire for FIM, QRadar for SIM, eEye Digital for vulnerability scans. All of which are great tools, but much more pricey. We briefly looked at LogRhythm, Tenable, and Splunk as well.

I would say to implement it. It has all the components needed to help secure your environment as long as you have someone who can dedicate some time to it. But even if you don’t, like in my case, it is a much better solution that the others.

We were trying to get into the security market to be able to offer something to our clients who are asking for a monitoring event management system. We started looking at what we could offer as an MSP to our clients; that's what drove us into evaluating different SIEM products, to get a better understanding of how the billing is set up as a partner. Alien Vault had the best set up for MSPs — the way they are set up for billing and the way they set up their USM account. 

The reason why we went with AT&T AlienVault USM, was because we liked their reporting capability a little better than some of the other ones we evaluated; however, the biggest draw for us was how AT&T has their MSP program set up. In most cases, you have to buy a certain number of either agents or sensors which are, more or less, the program. With an MSP, our clients don't have to buy any — there are no minimum requirements. Alien Vault provided us with really good worksheets to detail the number of sensors needed when we are in negotiations with prospective clients. We can also use them to determine the number of devices that are going to be monitored, and how we can tailor the customer setup based on what the customer requirement is.

The other big selling feature for us was its integration capabilities with all the other security-based products, not just security-based, but application settings in general. It works with Google Drive, Gmail, and Microsoft 365. It also works with different antivirus software from Proof Point to Okta — all of the different pieces of applications that we normally provide as a best practice to our clients. This software can interact with them all and pull the event data and the security data from all of these different applications, and more.

I'd like to see a dashboard that's a little more descriptive. We can customize the dashboards, but the out-of-the-box dashboards are kind of bland. Since we give our customers access to their dashboards, it would be nice if they were a little bit more intuitive. We can go easily drill into it and show them everything, but the customer just sees the writing on the page. 

I'd like to see them dress up their out-of-the-box dashboard a little bit. We have the ability to do a lot of that. 

Since they have this image — they have a strong MSP program. I would love to see them allow branding, which they don't at this point.

We deployed the demo roughly eight months ago.

AT&T AlienVault USMIt's has been very stable.

Their support has been stellar, any issues that we had with trying to get it configured or trying to interpret instructions, we could just make a quick phone call and they were there to help us.

I'd say it was kind of in the middle, complexity-wise. It's actually fairly easy to deploy a new client. 

It's competitive with other similar solutions; however, I don't do the billing so I can't properly comment on it.

Most of our clients are small to medium-sized businesses; they can't afford to go out and purchase a SIEM on their own. They're looking for us to provide something for them. This was why we provide HCZ cybersecurity and Alien Vault, etc. 

If you're in an MSP and you're servicing small to medium-sized clients, this is definitely a product that you want to look at and evaluate. When we were doing our evaluations, we were looking at the applications that are supported out-of-the-box, without having to develop any special ATIs — we wanted a pre-built application that supported most of the applications that we use within our client base.

On a scale from one to ten, I would give this solution a rating of eight.

I'd like to see a little bit more work, out-of-the-box, regarding the dashboards. I'd like to see them provide us with branding capabilities, to be able to put our logos on the dashboard so that the client understands that it's coming from Ice Consulting instead of Alien Vault.

We use it to gain security visibility and to meet compliance.

We're not just a customer but we're a partner as well. We've deployed this into thousands of organizations and we continue to see that happening. It's a great tool.

It's really easy to aggregate and correlate and view several different security logs and several different data pieces in a single place. That's what allows us to see the security logs that we need to see to determine if there is something malicious on our network or not.

Also, aggregating the logs and putting them in a central place helps us to comply with certain regulations, the details of which I can't go into.

We have been able to use AlienVault to find critical vulnerabilities in our network and it has helped reduce the time it takes to respond to a threat.

The IDS and the threat intelligence are very useful. They are very intuitive and data-rich.

One area that has room for improvement is storage. AllienVault is a good place to put logs, but sometimes it's a tough place to go get logs. AlienVault has three components to it, a sensor, a server, and a logger. Sensors grab data, servers correlate data, and loggers store data. The logger can only hold so much data. If they improved that, that would help.

It has great scale. We have brought it into several publicly traded global organizations, with thousands of users. The users are anything from a CCO down to a network administrator.

For a large deployment like that, the number of our staff required depends on a few things but, generally, it would take one to three people. It also requires about three people for maintenance. Their roles would likely be anyone who is leading or managing an InfoSec team.

The technical support team is responsive and helpful. They communicate and they are engaged. We work with them on a daily basis and they're on it.

We did not work with a previous solution. We decided to bring it into our organization based on its value. It allows you to do a lot with a small price tag.

As partners, we think the setup is pretty straightforward but I imagine it depends on whom you ask. There are a lot of people who don't think so, but we think it's pretty straightforward. It has an easy-to-go-along Start menu, and the overall GUI is easy to navigate. It's pretty step-by-step, as long as you can follow those directions.

It can be as simple or complex as you want it to be. But for the most part, it's just a very easy tool to be able to engage with, to click on. They make it intuitive.

Sometimes deployment takes a couple of hours, sometimes it takes a couple of days, depending on the size of deployment.

We definitely have an implementation strategy but there are a lot of details to that. Just stay organized, pay attention to the details, cross your T's and dot your I's.

There is an ROI although I don't have the exact figures on it. The ROI is in the area of technology products that we have to go purchase: Instead of having to go buy a million dollars worth of cybersecurity products, we have saved a lot of money on that. It has also saved us loads of time as a result of not having to integrate it with a ton of other things.

The pricing is the best on the market.

We evaluated every single SIEM on the market. The major difference that made AlienVault stand out is the unification, meaning the integration of technologies out-of-the-box, as opposed to having to do it on your own.

Have an idea of a plan and know where things in your network are and know who can give you access to certain things you might need.

In terms of how extensively we're using it, I'd be surprised if there was anyone outside of our team that is using it more extensively then we are.

I would rate AlienVault at ten out of ten.

• MDR provider
• Logs aggregation
• Vulnerability assessments
• Some automation.

We needed a way to see all of these items under one pane of glass without spending incredible amounts of money on log aggregation, vulnerability assessments, etc., then putting it all together with an IR platform. 

It answered a bunch of questions for us, such as what will we use for vulnerability assessments on a continual basis, how do we tie those reports into alerts/incidents, log aggregation, correlation, etc.

• Vulnerability assessments and log aggregation/correlation

These were the two answers we needed for our solution. It gave those solutions very easily. It is easy to implement, and effective.

The support could absolutely be better. It seems to have gotten worse with the AT&T acquisition. 

We have been hearing some not so great things from our associates in the field as well.

Very stable so far. We have seen very few bugs, or downtime so far. 

It is pretty scalable for small/medium businesses. It starts to fade at enterprise. It is possible, but you will definitely run into limitations.

Eh. Our experiences have been very mixed. If you get someone who is motivated to help, expect to be good to go. Otherwise, expect the problem not to get a good priority, and it may even get dragged out to a conclusion.

We used, tested, and tried several solutions prior to this solution. This solution answered too many questions under one reasonable cost, as opposed to piecemealing everything together for more money.

Super simple, almost anyone could do it. It is quick as well. 

We do everything in-house.

Good.

It is I think for the market very straightforward, super easy to deploy. Licensing is straightforward in comparison to others.

We evaluated:

• Splunk
• LogRhythm
• ArcSight
• EventTracker
• RSA NetWitness
• SolarWinds
• QRadar
• FortiSIEM.
• And I may be leaving out a few. This was around one year ago.