Consultant at a tech services company with 11-50 employees
The bundle of features is the killer feature, but search performance and Raw Logs are slow
Pros and Cons
- "On any given day I could give you a different answer regarding the most valuable features of the product. The feature that is most important is the fact that it has a lot of features, that it's not just a log collection and correlation system, that it has a lot of other components built in. The bundle of features is really the killer feature."
- "Search performance can be slow. The Raw Logs feature is painfully slow. And if we're talking about the newer, the Anywhere product, you can't even schedule reports on the thing. There are probably a dozen other features I'd really like to see there, but that would be one of the biggies."
- "We've had some stability problems, not a lot, but a few. Updates seem to be the worst. That seems to be when the stability problems come up."
What is our primary use case?
Our use of the solution is all over the map. We use it for our own internal use. We use it in our security operations center. We're a reseller, we're an MSSP, and a Professional Services provider, so we do a lot of professional services on the platform. It's a standard SIEM solution and is used for log collection, log management, event correlation, alarming, and reporting.
How has it helped my organization?
There are probably a billion examples I could give. As a service provider, it helps us because we have all of our clients connected in through our management platform, and we're able to leverage the tools that AlienVault provides to monitor and collect data from all of those systems and identify security incidents for all of our clients. It provides network and host-level visibility and it's easy to tune and manage.
What is most valuable?
On any given day I could give you a different answer regarding the most valuable features of the product. The feature that is most important is the fact that it has a lot of features, that it's not just a log collection and correlation system, that it has a lot of other components built in. The bundle of features is really the killer feature.
In particular though:
- ease of use and deployment
- excellent cloud integration
- dynamic asset management
- vulnerability scanning
- network intrusion detection
- host-based agent monitoring and collection.
All of these features combined create a compelling "one-stop" package for a business that needs security monitoring and analytics.
What needs improvement?
Search performance can be slow. The Raw Logs feature is painfully slow. And if we're talking about the newer, the Anywhere product, you can't even schedule reports on it. There are probably a dozen other features I'd really like to see there, but that would be one of the biggies.
Also, there is no visibility into the NIDS or HIDS agent configurations and no easy way to augment them. The same is true for vulnerability scanning; it's all or nothing, and there are no fine-grained controls as there were in their older product. There is a lack of "real" visibility into the correlation rules, and the inability to create our own sophisticated rules (only very simple ones) is a big miss.
For how long have I used the solution?
Three to five years.
What do I think about the stability of the solution?
We've had some stability problems, not a lot, but a few. Updates seem to be the worst. That seems to be when the stability problems come up.
Sensors occasionally go down during updates and don't recover. Some maintenance cycles on the cloud controller have left the system in a weird state. In addition, there are times when the product seems very slow to respond. This may be related to back-end maintenance that we are not aware of.
What do I think about the scalability of the solution?
It scales reasonably well. There is a scalability plan for it. There is a way to add additional collection components, what they call Sensors, and then scale up the central platform. At this point, I don't believe it will scale to the very high-end. It is not a large, global enterprise-type product. It's more of a small-enterprise-and-below product.
How are customer service and support?
Their support has been good. I've always had good interactions with them.
Which solution did I use previously and why did I switch?
We've used a lot of solutions. I've used, run, and supported a lot of different solutions over the years. There were two primary reasons for switching to AlienVault. One was price, and the other was the feature bundle that I was talking about earlier.
We chose this particular product for many other reasons. As a Professional Services provider, a service provider, MSSP, and a reseller, we're not using it the way most end-users would go out and shop around and look for something. A big part of our decision in selecting this product was the fact that we were able to establish that relationship with AlienVault as a company, as a business to business relationship, to be a reseller, to be an MSSP, to be all of those things.
How was the initial setup?
The setup is pretty simple. The documentation is good. I've been setting up platforms like this for years, so it's not hard for me. For someone who is new to the product and hasn't used this type of product before, they'll have a little bit of a challenge, but it's not too bad. The system is pretty easy to install and, if you follow the documentation, it's pretty easy to configure.
Some cloud integration steps, like G Suite, were more complicated and prone to error.
What was our ROI?
Calculating ROI on security products is a funny endeavor, in my experience. It's not a hard science and it's not something you can easily throw a lot of numbers at. It's mostly guesswork.
What's my experience with pricing, setup cost, and licensing?
The pricing is a good value and makes sense.
The key thing is that for the new product, the licensing of it is subscription-based and it's based on data. Clients need to be really careful when thinking about that, because odds are they're going to need to put a lot more data into it than what they initially estimate, which is going to drive their subscription costs up.
I do have concerns that if a payment is delayed or if there is any dispute about billing, that all of our data is held in the cloud and could be lost.
What other advice do I have?
Overall, the automation features of this solution are good. The issue here is that there are really two solutions. There's the AlienVault Appliance product and then there's the AlienVault Anywhere product. The Appliance product, which is the older product, has a lot more customization and automation capabilities because it's very extensible. The newer product, the Anywhere product, is still very limited. We're very dependent on AlienVault to build in any kind of connections or integration.
If you are a mostly-cloud environment this is a good fit. If you have very few other security controls outside of a firewall this is a good step forward. But if you have a solid security program you may find this product lacking in a few areas. And most importantly, be very careful about subscription size and licensing.
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
Manager, Information Security at a retailer with 5,001-10,000 employees
I'm able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed.
What is most valuable?
The fact that I am a very small security team and AlienVault allows me to have a SIEM, FIM and Vulnerability scanner all in one.
How has it helped my organization?
I am able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed. Since I don’t have a lot of time to learn new and complicated tools, being an e-commerce company, this allows me to increase the security posture of the overall organization and also to help pass PCI compliance.
What needs improvement?
With all these products there is always room for improvement. Whether it’s making the filtering of anomalies better, making setup and deployment faster, streamlining more of the functional aspects of the product, etc. There is really not one thing that stands out in particular.
For how long have I used the solution?
About one year.
What do I think about the stability of the solution?
I had some initial issues with some of the upgrades in version, but with the help of their support team, we were able to resolve all of them.
What do I think about the scalability of the solution?
No, not yet. We are growing at a rapid pace and eventually will need more sensors, but I believe that will be a painless upgrade.
How are customer service and technical support?
Tech support is great. Very knowledgeable, reliable, and have resolved all problems, escalated when necessary, and handled all my cases very professionally.
Which solution did I use previously and why did I switch?
I have used different solutions at previous jobs. AlienVault was a new purchase and install. When asked for my opinion, I did recommend AlienVault as the solution since my comparison of all products came down to AlienVault being the best for our particular environment.
How was the initial setup?
It was very straightforward. I had made a couple of little mistakes that most likely would have been avoided if I had not rushed a few aspects of the install, but tech support was able to get me back on the right track.
What's my experience with pricing, setup cost, and licensing?
The pricing for this solution with the 3 major components: SIEM, FIM, and vulnerability scanning, can't be beat. There are other systems that are way more robust, but way more complicated and way more expensive. This solution was perfect for us.
Which other solutions did I evaluate?
I had eliminated others prior to evaluating AlienVault based on prior experience. Tripwire for FIM, QRadar for SIM, eEye Digital for vulnerability scans. All of which are great tools, but much more pricey. We briefly looked at LogRhythm, Tenable, and Splunk as well.
What other advice do I have?
I would say to implement it. It has all the components needed to help secure your environment as long as you have someone who can dedicate some time to it. But even if you don't, like in my case, it is a much better solution than the others.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Cybersecurity Architect at DataAssure
Easy setup with great security information management and very stable
Pros and Cons
- "The setup is very easy and straightforward."
- "The solution is a bit complicated. It could be simplified quite a bit."
What is our primary use case?
We primarily use the solution for cybersecurity events and management.
What is most valuable?
The SIEM, security information management is very, very good. Basically, it's great at analyzing the logs of our servers.
The setup is very easy and straightforward.
What needs improvement?
The solution is a bit complicated. It could be simplified quite a bit.
The correlation engine could be improved. Much improvement could be made there, as it is an important open-source solution.
The solution could benefit from including security orchestration. It's still not available yet. It would be really nice to have in a future release.
It could use something like a pen test. Tools like that would make it more comprehensive from a cybersecurity aspect.
For how long have I used the solution?
I've been using the solution since about 2015. It's been approximately six years or so.
What do I think about the stability of the solution?
The solution is extremely stable. We don't have any issues with its reliability. It doesn't crash or freeze and it's not buggy at all.
What do I think about the scalability of the solution?
The solution doesn't scale well if you are talking about enterprises using it. However, for our purposes, we've never had an issue with this. Larger companies might. We do intend to continue to use the solution and potentially increase usage.
How are customer service and technical support?
Technical support is extremely reliable. We're very satisfied with the level of service we receive. They are always knowledgeable, helpful, and responsive.
How was the initial setup?
The initial setup is not complex. It's a very straightforward implementation.
The overall deployment is quite quick. It might take about 30 minutes or so. That's all.
What's my experience with pricing, setup cost, and licensing?
The solution has a subscription-based annual payment option. It's not a perpetual license.
What other advice do I have?
We use both on-premises and cloud deployment models.
We both use the solution and sell the solution as well.
Overall, on a scale from one to ten, I would rate the solution at an eight.
We're more focused on servicing medium to small businesses. This solution may not be suitable for a large enterprise-level organization.
That said, we highly recommend it. I'd recommend that new users decide to first go for the trial. Take the trial and then make sure that you like it before investing in the subscription. The company offers a free trial - you might as well use it.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: reseller
Manager, Security Operation Center at Ideal Integrations
It is easy to implement, and effective
What is our primary use case?
- MDR provider
- Logs aggregation
- Vulnerability assessments
- Some automation.
We needed a way to see all of these items under one pane of glass without spending incredible amounts of money on log aggregation, vulnerability assessments, etc., then putting it all together with an IR platform.
How has it helped my organization?
It answered a bunch of questions for us, such as what will we use for vulnerability assessments on a continual basis, how do we tie those reports into alerts/incidents, log aggregation, correlation, etc.
What is most valuable?
- Vulnerability assessments and log aggregation/correlation
These were the two answers we needed for our solution. It gave those solutions very easily. It is easy to implement, and effective.
What needs improvement?
The support could absolutely be better. It seems to have gotten worse with the AT&T acquisition.
We have been hearing some not so great things from our associates in the field as well.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
Very stable so far. We have seen very few bugs, or downtime so far.
What do I think about the scalability of the solution?
It is pretty scalable for small/medium businesses. It starts to fade at enterprise. It is possible, but you will definitely run into limitations.
How are customer service and technical support?
Eh. Our experiences have been very mixed. If you get someone who is motivated to help, expect to be good to go. Otherwise, expect the problem not to get a good priority, and it may even get dragged out to a conclusion.
Which solution did I use previously and why did I switch?
We used, tested, and tried several solutions prior to this solution. This solution answered too many questions under one reasonable cost, as opposed to piecemealing everything together for more money.
How was the initial setup?
Super simple, almost anyone could do it. It is quick as well.
What about the implementation team?
We do everything in-house.
What was our ROI?
Good.
What's my experience with pricing, setup cost, and licensing?
It is, I think, very straightforward for the market, and super easy to deploy. Licensing is straightforward in comparison to others.
Which other solutions did I evaluate?
We evaluated:
- Splunk
- LogRhythm
- ArcSight
- EventTracker
- RSA NetWitness
- SolarWinds
- QRadar
- FortiSIEM
And I may be leaving out a few. This was around one year ago.
Disclosure: My company has a business relationship with this vendor other than being a customer: We currently use this, so therefore we are a customer, but we also deploy this as part of our MDR solution today.
Consultant at Embratel
It has helped us in improving our visualization and incident response during cybersecurity situations
Pros and Cons
- "AlienVault has helped us in improving our visualization and incident response during cybersecurity situations."
- "Different functions to customize reports should be added."
What is our primary use case?
I use AlienVault to comply with PCI DSS requirements. For on-premises, I am using the AlienVault USM All-In-One 150A Virtual Appliance.
How has it helped my organization?
AlienVault has helped us in improving our visualization and incident response during cybersecurity situations.
I have also used it in a project to comply with PCI DSS requirements.
What is most valuable?
I have found the host-based intrusion detection system (HIDS) extremely useful, as it:
- Allows me to identify possible threats and vulnerabilities.
- Allows anyone with little knowledge of a cybersecurity device to work with a high-level threat discovery solution.
What needs improvement?
- They should improve the reporting capabilities.
- Different functions to customize reports should be added.
- Export features should not be limited to spreadsheets (.XLS) only.
For how long have I used the solution?
Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Co-Founder at a photography company with 11-50 employees
Log-monitoring and alerting tell us when things happen that we need to know about
Pros and Cons
- "Log-monitoring and alerting enable us to know when things happen that we need to know about."
- "They seem to have bugs from time to time that go unfixed for a while and that is frustrating. I'm not saying the product needs to be bug-free, but they need to be responsive to bugs."
What is our primary use case?
It's part of our PCI compliance.
How has it helped my organization?
We didn't have any system before, so everything has been an improvement.
What is most valuable?
Log-monitoring and alerting, so we can find out when things happen that we need to know about.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
I have not encountered any issues with stability.
What do I think about the scalability of the solution?
There have not been any issues with scalability.
How are customer service and technical support?
I would rate their technical support at nine out of 10.
How was the initial setup?
The initial setup was straightforward.
What's my experience with pricing, setup cost, and licensing?
I don't think the product's pricing is a good value because they try to raise the price 50 percent every year. If they do that again I won't be a customer, going forward. Their sales team is way too aggressive. The price they advertise is not always the price you get.
In terms of licensing, AlienVault needs to understand that not all customers are huge enterprises. They don't seem to understand that.
Which other solutions did I evaluate?
It was three years ago so I don't remember offhand. But AlienVault was one of two or three that I looked at.
What other advice do I have?
In terms of the product itself, it depends on what features you're looking for. We just use it for PCI compliance and it works for us. You need to do your own evaluation.
I would give the product an eight out of 10. The reason it's an eight is that it seems to have bugs from time to time that go unfixed for a while and that is frustrating. I'm not saying the product needs to be bug-free, but they need to be responsive to bugs.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Network and Security Engineer at a tech vendor with 501-1,000 employees
It has allowed us to see what is happening on our servers
Pros and Cons
- "The main menu: You can see everything there, what is happening on the servers, and in the logs, you can view more details of each event."
- "It has allowed us to see what is happening on our servers."
- "As this software is in the cloud, you do not have control over updates and general changes which are happening."
What is our primary use case?
We have devices in AWS and in the data center. The main reason is to do an IDS inspection in the cloud, as it was really hard to get proper software to do this and we did not want to install a virtual firewall in each timezone. We have over 200 servers being protected with this software.
How has it helped my organization?
It has allowed us to see what is happening on our servers. You can do a similar setup with AWS, but monitoring it can give you a headache if you have over 10 servers.
What is most valuable?
The main menu: You can see everything there, what is happening on the servers, and in the logs, you can view more details of each event. Everything you need is in 'one place'.
What needs improvement?
As this software is in the cloud, you do not have control over updates and general changes which are happening. It can be somewhat annoying that DC sensors are updated and you will not have control over when this happens.
For how long have I used the solution?
Less than one year.
What do I think about the stability of the solution?
So far, stability has been okay.
What do I think about the scalability of the solution?
So far, no issues with scalability. We see that too many logs are being sent out, but you have to work out logging what you need.
How are customer service and technical support?
They quickly respond on what you need, not on what they know.
Which solution did I use previously and why did I switch?
We did not use a previous solution.
How was the initial setup?
It was easy to set up. AlienVault was helpful here.
What about the implementation team?
We used our team, but with the help of the AlienVault team.
What was our ROI?
We have been using it for less than a year, but it does save time when searching logs.
What's my experience with pricing, setup cost, and licensing?
Negotiate the best package for your environment.
Which other solutions did I evaluate?
We ran a few PoCs. The price and feature set were the best with AlienVault.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Operations Manager / Systems Engineer at a tech services company
Asset management of nodes has been a large help in terms of being able to track applications with more detail
Pros and Cons
- "Vulnerability scanning helped out shortcomings of what was not patched in the past and what needed to be patched. This assisted with fine tuning the environment for compliance."
- "It brought our logs into one place for review and set up alarms based on changes we were missing due to lack of having one place for everything to go."
- "The asset management of nodes has been a large help in terms of being able to track applications with more detail and have changes made being monitored into one source."
- "Source material on the forums should be more up-to-date with the changes happening within the product. Forums being out-of-date with information due to the changes makes troubleshooting a little more difficult - specific to the HIDS agents."
What is our primary use case?
AlienVault is used in our infrastructure for compliance purposes. It was brought in as a replacement for multiple products in use at the time, such as Kiwi and Nexpose scanner. With the environment being new, it was the best place to start, bringing everything into one location for Syslog and asset management. The vulnerability scanner also made the difference where the scans created tickets for remediation.
How has it helped my organization?
The all-in-one source for the needs of compliance has put everything into one location without the need of other applications and tools to accomplish the tasks. It brought our logs into one place for review and set up alarms based on changes we were missing due to lack of having one place for everything to go. Vulnerability scanning helped out shortcomings of what was not patched in the past and what needed to be patched. This assisted with fine tuning the environment for compliance. The reports also helped upper management with the ease the product was doing in its job and holes that were being filled.
What is most valuable?
The asset management of nodes has been a large help in terms of being able to track applications with more detail and have changes made being monitored into one source. The vulnerability scanning has also been an aid in reviewing the systems and having feedback on what is missing patches and holes in our environment that need review and remediation. The all-in-one aspect has been helpful to see items and correlate within one source rather than multiple.
What needs improvement?
Source material on the forums should be more up-to-date with the changes happening within the product. Forums being out-of-date with information due to the changes makes troubleshooting a little more difficult - specific to the HIDS agents. Troubleshooting connectivity is limited to very few articles with very little information. Perhaps add templates into the HIDS agents for collection based on systems, or a clickable addition of files to collect with check boxes rather than configuring the HIDS agents through text.
Also, more information on how specific sections relate to PCI and how to use/setup the SIEM to follow the guidelines of the areas. Some information is vague on how to accomplish specific items within PCI on help forums through AlienVault.
For how long have I used the solution?
Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Thank you for your time and comments. Your feedback is invaluable. If you'd like to discuss the concerns you've raised in the review, please feel free to reach out to me and I'll be happy to initiate the conversation.