USM Anywhere Reviews

A jack-of-all trades:

The best thing about AlienVault USM is it being a “Jack-of-All Trades” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, Asset Management, Vulnerability Management, etc., under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc., can boast of such a diverse feature set.

• QRadar is the closest to AV USM in terms of feature diversity. While all the features are formerly isolated Open Source community projects, the USM does a good job of integrating them into a feature set. While they are not great as individual parts, they more than make up as a sum of the parts.
• OTX – Open Threat Exchange is a wonderful community sharing platform that helps clients to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of Real World Intelligence and what AlienVault intends to do with this data remains to be seen. For now, it is being used by USM Correlation engine to provide better context and content for Security monitoring. AlienVault Labs, is also utilizing this infrastructure to constantly update Detection rules for malware vectors, vulnerability exploits etc. QRadar and ArcSight provide Intelligence, but it is commercial intelligence and not community intelligence. With community intelligence, you get more hits than misses.
• Multi-Tenancy – While this feature may not elucidate an interest from many readers, those who have worked in an MSSP environment can understand why this is a very important feature to have. AV USM does support Multi-Tenancy out of the box. This, when combined with the Architecture flexibility provide great MSSP models to sell and operate. The key is to understand how the multi-tenancy works. Basically, a single database is used to store data of several customers using a Data isolation Logic and Permission control. The data isolation logic is based on Entities created in USM (Assets, Users, Components Assigned (Sensors) etc., are grouped together as a Single Entity) and Permissions (applied in a granular fashion to data sets related to the Entities). QRadar, ArcSight and other major SIEM products provide this as well.
• Integration – While AV USM is known for being customization friendly, the amount of out-of-the-box plugins for Log Monitoring and Correlation is limited to the well-known products. It does not have comprehensive integration capabilities with say legacy applications, Directory services, databases, etc., that other SIEM vendors boast of. Similarly, it relies mostly on its own “pre-packaged” tools for data enrichment and hence has poor “Third Party” Integration capabilities. However, if you really are a developer of open source products, the integration challenge can be overcome. But how many are willing in the real world enterprise?

• Correlation and Workflow – What good is a SIEM product if it cannot perform advanced Correlation and Operational workflow? AV USM has a strong foundation in Correlation using XML driven Directives and Alarms thresholds. However, when it comes Head-to-Head with the Industry leaders like ArcSight, QRadar, Splunk, etc. it falls terribly short. We particularly like the Cyber Kill Chain flow which a lot of customers are using for complete visibility, but this is not the end game in real world enterprise operations where not all the data points required for the directive are available. Same thing goes for the workflow, where the integration with external ticketing or issue tracking system is very limited, and hence acts as a deterrent in large scale deployments.

Flexible Deployment Architecture – This is where the Open Source roots really start to flex their muscles when it comes to AV USM. The main components of the architecture are as follows:

• AV Sensor: AV Sensors perform Asset Discovery, Vulnerability Assessment, Threat Detection, and Behavioral Monitoring in addition to receiving raw data from event logs and helping in monitoring network traffic (including Flow). The sensors also perform normalization of the received raw events and communicates them to the AV Server for correlation and reporting.
• AV Server: AV Server is the Central Management Console that provides USM capabilities under a single GUI. The server receives normalized data from the sensors, correlates, and prioritizes the events and generates security alerts or alarms. The server also provide a variety of reporting and dashboarding capabilities as well.
• AV Logger: AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long term retention and management.

All the architecture components including the Sensor, the Logger, the Correlation Engine, etc., can be deployed tier-based, isolated, or in a consolidated all-in-one style. This wide variety of deployment options help customers to have flexible and open architectures. This also helps control cost depending on the budget at hand. Very rarely can products boast of such flexibility.

This product is jack-of-all trades, but master of none. As mentioned in the good, being a jack-of-all trades is well suited for certain organizations. However, the lack of mature functionality and expertise in any of those areas is a strong negative.

For example, the correlation engine is nowhere close to the likes of ArcSight , QRadar, or Splunk, etc. The threat Intelligence is not as good as QRadar, McAfee, RSA, etc. When it comes to critical functionality expertise, AV USM is found lacking.

• Database: AV USM is using MySQL for its database. All the issues related to a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database and this causes an issue in terms of scalability, especially with high log volume environments because backup and restore is time and CPU/RAM consuming. USM can hugely benefit from moving to a non-DB Log storage architecture, thereby giving more flexibility in data management. It is doubtful if AV will take that route. Based on their product direction, they are looking at Percona Server to replace MySQL. While it is a good move, it is still customized MySQL replacement. It may not add much desired scale to the product.

Product Stability: The biggest issue we have seen with the product is its poor stability. With way too many components, myriad integration, a ton of scripts, and the product is really unstable. Every version upgrade is a nightmare. Re-installation or Re-start is the most common solution for the product to start working again. In a mission critical environment, this is a complete NO-NO. One of the most common and frequently failing components is the DB. Issues like DB corruptions, access issues, disk errors, unresponsive queries, etc., really test the patience of end users on a regular basis. These are the most damning negatives about AV USM.

One of the common issues we hear about AV technical support is that it is of inconsistent and poor quality. Most of the time, the solutions rely on re-install, re-start, or a bug-fix. There are way too many components to troubleshoot. This leaves support to resort to re-install or re-start, without thorough root cause analysis.

Customization: Again, this is one point where AlienVault outshines the competition in capability of customization. We have seen several customers who are using AV USM with heavy customization to perform threat detection, Asset Discovery, Threat scoring, APT detection, etc. This flexibility is really desired by Security analysts and AV USM is making good on this promise.

One of the areas where AV USM benefits is price. It is affordable while offering a whole lot of SIEM features. This turns out to be the deciding factor for small and medium enterprise segments. QRadar, ArcSight and Splunk are some of the most expensive SIEM security tools out there in the market and not everyone has the budget to buy them. In such cases, AV USM is a very cost effective alternative.

Product Vision Stagnation: This may not be much of an issue for potential users of AV USM. However, it is important to note that the product has not gone through major leaps in the last four years. It had more than three major releases and 20+ minor releases, but nothing path-breaking has been brought to the market. It has still remained in the “promising products to watch” for way too long. One of the main reasons we think this is the case is because of economies of scale. Since they are priced lower and cater to the SME segment, the amount of money invested in development is less, and hence the result.

The use case is for companies that want to have more visibility in their environment and want to apply governance. This solution is used for compliance management, vulnerability management, threat hunting, and threat protection.

I think all of the features are valuable. However, the most valuable feature is vulnerability management because it gives you insight into your environment to know what systems need to be updated or patched. You can avoid weaknesses in the computers and other systems by keeping them patched.

I think they need to broaden their compliance management to cover more areas of compliance. For example, they're very specific about HIPAA, CIS 8.0, and a few others, but they don't have a broad compliance management base. Some customers need compliance management with other standards or frameworks, which are unavailable on their platform. I want to see more compliance management capability because if they broadened it, it would be a much more attractive product. 

They have a lot of integrations, which is good, but the quality of integrations seems to be a little bit low. It's one thing to provide integration, and it's another to provide integration that works really well.

The solution is cloud-based and hybrid. A server is put into a customer's environment to collect information and send it to the cloud. Both the server installed in the customer's environment and the cloud solution are scalable. The solution has rapid elasticity and all the check marks a cloud-based solution needs to scale. It is definitely scalable.

There are currently 19 users in our company. I think over time we have plans to increase our usage of this solution, but as an MSP, we have clients with different requirements or needs, so we might pick a different solution because it's a better fit.  

The initial setup was pretty straightforward. It wasn't that difficult.

The initial steps of the implementation, getting the account and setting it up, only take a few hours. Then there's some fine-tuning that takes place afterward, and it takes a little bit longer. You need about a week to really get that fully configured with a good plan and deployed in the environment, and then from there, it's just fine-tuning as you go.

We handled the deployment in-house. The solution needs one person for deployment and one for management.

I don't recall exactly what their prices are, but they are a little more expensive than Microsoft. It really depends on what features in Microsoft you may already be using. If, for example, you're a company that has Microsoft's Defender for Endpoint and Defender for Identity, or basically any of their Defender Suite applications, you might already be paying a certain amount every month or every year for those features that the Microsoft Sentinel solution brings under one umbrella.

AlienVault also has additional fees for extra storage in the cloud. 

Recently, we were going to sell a customer AlienVault, but then they picked Microsoft Sentinel. We compared them because we wanted to make sure that  both solutions could do the same thing, and it turns out that Microsoft does it a little bit better.

It's like having a Swiss Army knife that has all of the tools you need to do a craft, or just having a regular pocketknife that you can only use to do one thing. In this case, AT&T is the pocketknife and Microsoft is the Swiss Army knife.

My advice would be to make sure the product is a good fit in terms of compliance and compatibility with your security solution, like your EDR and ATP solutions. Make sure that they play well together because you could have issues with the two fighting each other over protecting the computers.

I would rate this solution as a seven out of ten. 

It's a good product. They created AlienVault based off of an open source framework, so it's built on OSSIM. It's interesting that AT&T is going into the cybersecurity market since they're a huge mobile carrier. Right now, their marketing and advertisements are really good, but they need to invest more money into the product. If they focus more on building out the product, maybe invest a little bit more money into development, I think they'll have a stronger strategy and a very dominant winning solution in the market.

We use AWS for our application platform and wanted a SIEM that was easy to deploy as a service and that had functionality and integrations focused on AWS. We found AlienVault was the best on price vs features and the team at AlienVault worked hard to make sure we were happy during our on-boarding. Features are rolled out fast and issues addressed quickly. The integration of OTX out-of-box and at no additional cost was a real selling point and the AWS features made it a clear winner.

AlienVault USM Anywhere provides us with SIEM, at a low price-point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts and USM Anywhere enables us to filter the noise and concentrate the efforts of our small team on the real issues and threats.

AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the Cloud) is quick and easy. With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon Cloudwatch Logs. Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response. USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.

We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.  

No major issues and problems are rectified quickly.  

Scales well, no on-prem requirement other than 1 sensor per network and these are cost-effective. AlienVault handles the performance and scalability for you for the backend.

Technical support and very quick to respond and follow up well on issues.

Very simple; follow a walk-through to deploy sensors and the back-end is provisioned for you by AlienVault.

In-house deployment; simple to setup.

Cost is very competitive and if your log ingestion is not huge, then you can get a SIEM for a small budget; AlienVault listen well to customers and work with you on the needs of your business.

Alert Logic, Cloud Passage and Event Tracker.

Efficiency Of Security Team: Yes, a team of 2 managing a reasonable sized network has been achieved.

Events Per Day: 700,000

I use AlienVault to comply with PCI DSS requirements. For on-premises, I am using the AlienVault USM All-In-One 150A Virtual Appliance.

AlienVault has helped us in improving our visualization and incident response during cybersecurity situations.

I have also used it in a project to comply with PCI DSS requirements.

I have found the host-based intrusion detection system (HIDS) extremely useful, as it

• Allows me to identify possible threats and vulnerabilities.
• Allows anyone with little knowledge of a cybersecurity devise to work with a high level threat discovery solution.

• They should improve the reporting capabilities. 
• Different functions to customize reports should be added. 
• Export features should not be limited to spreadsheets (.XLS) only.
  

My company wanted to get software which would be able to monitor resources in AWS, mainly IDS in one cumulative GUI, then add extra requirements with AlienVault match. 

From my perspective, it saves me about two to seven hours weekly. Now, I can easily check (in one place) all the logs and data in relation to attacks. It also gives me an overview if a server is not configured properly.  

• Centralized logs: All the details are in one place. This is helpful if you have over 100 servers.
• Centralized IDS: We need this as we are able to see what is happening in (almost) real time.

• Plugins could be better utilized, as some of them do not recognize all logs.
• We could add little more customization to dashboards.

Everything has worked fine since we have had this tool.

We have been adding more servers, and it has been working. We have run out of storage space once or twice, so we had to check and choose which logs that we needed to minimize this problem.

It has very good customer service. I have opened about five cases. They were ones which I did not have time to search or could not find information on the support website.

I previously worked with Nagios, SolarWinds, and Big Brother. Though, this was at a different company. 

These products did not match the requirements in AWS at the time that we were getting AlienVault.

Setup required time. It will take time to set it up and utilize it at a percentage with which you will be satisfied. 

It was easy on PoC, but when we got to the product it was different story. We had to learn the product again and got feeling that the PoC was a different product.

We were also looking at LogRhythm, Splunk, and few others. We decided on AlienVault, as they had a nice presentation (which told us what we wanted to hear) and the PoC proved it could do what we needed.

Check other products, do POC as change from one to other get be very pricey and time consuming. Also training of people and changes cost lots of resources and not all employees like such changes every year.

We used to have to monitor and review logs for each device. Now, everything comes into AlienVault and it alerts us when we need to respond. We now have real-time monitoring 24x7x365 using an in-house team.

The ease of use and customization. The USM is a work horse, no matter what devices or the number of logs we throw at it, the system processes them in real time, correlates the events, and alerts on only events that need human review.

The one thing I continue to dislike about the USM is the limitation on reports. Hard to get what you need in a report and once you do, there is no control over the formatting.

There used to be some issues with database stability in versions pre 5.x but the database has since been tuned and rock solid since.

The only issue I have run into with scalability is the 1TB limit for raw log storage. When you collect as many logs as I do you need additional space to keep logs for compliance.

Customer Service:

I give customer service five stars, they are always available and very helpful.

Technical Support:

Technical support gets 4 1/2 stars. Like any support, it varies on the person that gets your ticket.

I have used many solutions with different companies but always move to AlienVault. You get so many more features for the money. AlienVault always comes in way less in price than any other solution.

Initial install is easy, the complexity only comes in as you start to add logs to the system to collect. If you do not take the time to plan out your installation and get a complete list of devices to collect from you could run into issues.

We implemented using our in-house team.

We are able to monnitor 24x7x365 with minimal staffing. Once it is tuned you only get the alerts you need to see. We used to have to monitor and review logs for each device. Now, everything comes into AlienVault and it alerts us when we need to respond.

Have a look at how AlienVault does Events Per Second (EPS) compared to others. Most other products charge based on EPS, the more events the more you have to pay. This causes most companies to limit the amount of logs sent and processed. AlienVault charges by the number of devices managed. You can send anything and everything to the USM. The more logs you can process the better correlation you will have. I have found that companies that limit their logs and then have a security incident would have been able to identify the attack if they would have been monitoring all events in their logs.

Splunk, QRadar, LogRythm, etc.

If you are thinking about a solution, give their free product OSSIM a try and once you see all it does you will want to upgrade to the commercial USM to get even more.

We have three main uses for the solution. They are compliance, incident response, and as a tool for information security.

The solution has excellent compliance and has good incident response.

There are multiple tools for information security. The solution includes all the latest advances on the network and host intrusion detection systems.

The out-of-the-box features are great. You don't have to jump to different consoles as everything is right there. Everything from a security standpoint can be handled via one screen.

The solution could be improved in three ways. The first one is user behavioral analytics. They need work.

The second one is cloud-related usage. The solution already has quite good tools, however, they need better integration tools for linking with Office 365, Google Suite, and so on.

The third one improvement could be a bit more customization for security products. If someone has an antivirus where it is customizable they need to have the ability to easily connect everything together.

I've been dealing with the solution for four years.

The solution is very stable. We haven't had issues so far in terms of using it.

The solution is quite easy to scale. You just need to install the standard solution. You don't have to change the whole installation. In the case of the cloud deployment version, you only need to add sensors. In either case, you need to have the correct licenses, however, it's quite simple to accomplish.

Technical support has always been quite good. With the product itself, we haven't personally had any issues. However, a lot of times our customers or engineers contact AlienVault support with a request to help to start a new correlation rule, integration, or other issues. When that happens, support always answers and gives them all the details they need.

As a reseller, we've looked into other solutions, however, we find this product to be the best option for our customers time after time.

The initial setup is pretty easy. Anyone can install this solution within four or five hours. They don't need to be engineers in order to do that.

By that point, it will already be prepped and can show us what is happening from a security point of view.

It's quite easy to install and deploy. You don't need a security team for ten people. There's a lot of automation within the tool, so you only really need one or two security staff to operate it for a company of, for example, 500 people.

In comparison to the competition, it's a very inexpensive option, whether you use the cloud or the on-premises deployment models. You also get great value for money as you do get a lot of very good tools that come standard with the solution as well.

We're not using the solution ourselves. We're resellers.

USM Anywhere is cloud-based, although they have a different version that is on-premises or on a private cloud called the USM Appliance. We're using the on-premises version, which is quite different from the cloud version.

Overall, I'd rate the solution nine out of ten. There are a few areas where they can improve, however, overall, it's been a very good product for us and our customers.

We'd recommend the solution. We've looked into other options and we always come back to this product.

We have used AlienVault for our security monitoring for threat protection and compliance management. We've seen an improvement against malware and viruses. It has definitely eased our concerns so we can focus on other things.

AlienVault is very user-friendly. We've had a great experience with asset discovery, compliance reporting, endpoint detection and response. Our team uses the network infrastructure monitoring as well.

• In my experience, I've found the vulnerability assessment very valuable because it identifies vulnerabilities and AWS configuration issues, so we are less likely to have potential risks. 
• The compliance reporting is also valuable for reporting purposes.
  

The only recommended changes I can think of is to have the ability to filter logs. Also, being able to navigate the dashboard. That seems to have been quite a challenge.

There are multiple functions of this product, the stability and availability are awesome.

The scalability of this solution is exceptional. I believe it's very reliable and dependable.

I'm not familiar with what was used prior to AlienVault nor the reason the switch was made.  I'm just very pleased.

Yes, our team did not have any issues with the initial setup of AlienValut and its functions.

In-house.

The return on investment is great. I feel this product is well worth the price for all the functions and performance it can provide.

I advise others on the pricing and licensing. I research to find the best pricing for the value of the products as well as register all licensing.

No, our tech department did the evaluating of all the options and chose AlienVault.

AlienVault is an amazing product that I would highly recommend.