PeerSpot user
Director Of Information Technology at a tech services company with 51-200 employees
Real User
Allows us to roll out log management on clients and servers, host-based IDS, and network-based IDS.
Pros and Cons
  • "The best feature of this product is the ease of use. It is extremely easy to set up and get going. This is a very useful tool for a small organization."
  • "I feel that some areas of improvement would be vulnerability scanning. We use a separate product that seems to do a much better job."

How has it helped my organization?

This has helped improve our overall IT security by allowing us to implement a full suite of security tools that allows us to roll out log management on clients and servers, host-based IDS, and network-based IDS. It also provides vulnerability scanning; however, we use a separate product for that.

What is most valuable?

The best feature of this product is the ease of use. It is extremely easy to set up and get going. This is a very useful tool for a small organization.

What needs improvement?

I feel that some areas of improvement would be vulnerability scanning. We use a separate product that seems to do a much better job.

What do I think about the stability of the solution?

We have not encountered any stability issues.

Buyer's Guide
USM Anywhere
November 2024
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,067 professionals have used our research since 2012.

What do I think about the scalability of the solution?

We have not encountered any scalability issues; the product scales very easily.

How are customer service and support?

Customer Service:

I would rate customer service an 8/10. I've received calls from customer service a few times a month and it gets a little overbearing, especially when you are busy, as IT professionals are.

Technical Support:

I would rate technical support a 9/10.

Which solution did I use previously and why did I switch?

This was our first solution for HIDS, NIDS, and log management.

How was the initial setup?

The initial setup was straightforward. I simply followed the steps in the setup wizard and the steps provided by technical support, and I had a trial version (later converted to paid version with additional steps) set up in about an hour or less.

What about the implementation team?

This was set up in-house.

What was our ROI?

It is really hard to put a number on ROI but I will say that AlienVault has allowed us to close the gap on security alert timing and we can respond to incidents in a much more timely fashion which, to me, is much more valuable than a number.

What's my experience with pricing, setup cost, and licensing?

AlienVault is flexible on their pricing for unlimited licenses.

Which other solutions did I evaluate?

We evaluated Splunk as well. AlienVault was a much cheaper solution and required less time to be rolled out. Splunk is a much more difficult product to work with and almost requires a dedicated employee to manage.

What other advice do I have?

I highly recommend AlienVault USM for anybody that is seeking a SIEM solution that is easy to implement and easy to manage. It works very well for small- and medium-size businesses.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Brett - thank you so much for taking time to provide your comments & feedback.

PeerSpot user
IT Security Analyst at a financial services firm with 201-500 employees
Vendor
You can customize the "Overview" dashboard to your or your company's needs.

What is most valuable?

AlienVault's "Overview" dashboard makes it very easy to see everything going on in your network that needs your immediate attention. You can easily customize the dashboard to your or your company's needs.

How has it helped my organization?

I now have the ability to report all vulnerabilities and threats hitting our network to upper management in an easy-to-understand format.

What needs improvement?

Offer solutions based on a PoC (Proof of Concept) to fit each company's specific needs, rather than letting the company guess or piece together the solution they need.

For how long have I used the solution?

I have used it for six months.

What was my experience with deployment of the solution?

We have not encountered any deployment issues; the setup was very easy and support was by my side to assist me with any issues that arose.

What do I think about the stability of the solution?

We have encountered stability issues; we have a high volume of logs passing through our SIEM and the default configuration couldn't handle all the data. Working with support, we were able to remediate all the crashes we were having.

What do I think about the scalability of the solution?

We have encountered scalability issues. We had to keep changing our configuration or updating our storage capabilities as we added more logs.

How are customer service and technical support?

Customer Service:

Customer service is 8/10.

Technical Support:

Technical support is 9/10. Engineers are very knowledgeable about their product!

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The setup was very straightforward. AlienVault provides simple, step-by-step instructions for each of their products!

What about the implementation team?

As a single Analyst, I was able to implement this product very easily.

What was our ROI?

At this time, it is too early to tell ROI.

What's my experience with pricing, setup cost, and licensing?

Know your capabilities and storage needs before negotiating a price! Make sure you ask about log storage options before purchase.

Which other solutions did I evaluate?

Before choosing, we evaluated other options. We were looking at Splunk and Rapid7.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Lucas - I appreciate you taking time to provide your experience of using AlienVault USM.

it_user465876 - PeerSpot reviewer
Information Systems Network Technician at a local government with 501-1,000 employees
Vendor
Allows for log management, vulnerability scanning, and file integrity monitoring.

What is most valuable?

It's a single solution that is meeting the needs of multiple of my PCI compliance objectives.

How has it helped my organization?

I was able to replace our log management solution with this product. A single server that allows for log management, vulnerability scanning, and file integrity monitoring.

What needs improvement?

The alarms section of the USM is very robust, yet I still find myself having to look back through the events to find more details. It would be nice if I could navigate straight to the event from the alarm.

For how long have I used the solution?

I've been using it for six months.

What do I think about the stability of the solution?

I had a renegade plugin that was installed by the company who helped me with the initial setup. The plugin was missing a command to rotate logs and would fill my hard drive's capacity to full quickly. Fortunately, AlienVault support identified the problem and reported the issue to the designers. I opted to not run that plugin anymore, and probably still will not trust it even after the rotate function is fixed.

What do I think about the scalability of the solution?

I have the ability to scale out further from where I am if necessary, so I have not had any scalability problems.

How are customer service and technical support?

10/10

Which solution did I use previously and why did I switch?

We did not previously have many of the systems that AlienVault offers. We switched to get a robust single solution.

How was the initial setup?

The initial setup is both straightforward and complex. You can get the system up and running without any outside help but you will be missing out on many of the finer detailed features if you go that route. I appreciated getting professional setup help as I do not have enough time to dedicate to just learning USM. I also attended the five day training which was very valuable.

What's my experience with pricing, setup cost, and licensing?

Speak with a rep to get the correct design. AlienVault will scale depending on the size of your environment but the licensing gets tricky when you get away from the single unified console.

Which other solutions did I evaluate?

I was not able to find any other tool that was able to meet as many needs as the AlienVault USM. I spent the entire trial testing AlienVault to make sure it would suit my needs.

What other advice do I have?

Use AlienVault's free trial of the USM. They will help you get the system installed, which is very helpful to make sure you get the best test possible.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thanks Trevor for the review & updated comments.

it_user479445 - PeerSpot reviewer
Chief Information Security Officer at a tech services company with 51-200 employees
Consultant
It's based on an open source product and therefore fully customizable.

What is most valuable?

Flexibility. As the source of AlienVault is based on an Open Source product, it is possible to implement nearly everything including fully customized plugins, scripts, etc. We haven't yet found any limitations.

How has it helped my organization?

We are now able to track any kind of threat including external (malware) or internal (people trying to bypass restrictions, USB keys etc.).

We are able to track changes in the authentication integrity (new user created, domain admin elevation, etc.) and get mail or tickets in cases of suspicious behavior.

It helps us with our ISO27001 compliance.

What needs improvement?

The search capabilities are not optimal and are going to be optimized in the next versions. For example, it is possible to search both username and IPs but not usernames and specific fields (aka user data) at the same time.

Documentation needs to be improved, especially due to the fact that AlienVault gets improved often with new features.

Vulnerability scanning does not support Nessus (after version 5), which is a leader in the market. The default vulnerability scanner is OpenVAS; it does the job, but the reports are not the same quality as Nessus.

For how long have I used the solution?

3+ years

What do I think about the stability of the solution?

No stability issues were encountered.

What do I think about the scalability of the solution?

No scalability issues as the product is highly scalable. You have to take care of what you want to integrate and think of use-cases instead of global log collection. In our opinion this is the key to success as you will scale your infrastructure with what you really need.

How are customer service and technical support?

Customer Service:

Customer service can be a great help depending on the kind of project. They are very reactive for commercial offers.

Technical Support:

Technical support is good and reactive but you should also pass the training to have better knowledge of the solution.

Which solution did I use previously and why did I switch?

We chose this product because of:

  • Pricing model
  • Flexibility of the solution
  • Multi-tier architecture/scalability

How was the initial setup?

Yes, when you don’t have experience with the product you have to learn and understand all the “concepts”. In this case AlienVault generally provides “free” technical service with third party companies to be able to operate something quickly.

What about the implementation team?

We started with the free technical support provided for the test time. Then we quickly took the product in our hands, got certified on it and became independent.

What was our ROI?

The ROI is very good if you evaluate all the services which AlienVault can help you with: detection of malware, bad activities, suspicious behavior, etc. All these threats can create high financial loss and a big part of them could be prevented using the SIEM.

What other advice do I have?

If you don’t want to overpay, and want to have something working, you have to make an assessment based on:

- what are your assets?
- what is the criticality of each one?
- what use cases do you want to implement?

From there, create a plan on how to implement them to limit the number of collections to the minimum to avoid flooding of data/high costs due to over-sized infrastructure.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you David for providing your feedback & assessment of working with USM.

it_user479376 - PeerSpot reviewer
Information Security Officer at a healthcare company with 1,001-5,000 employees
Real User
Valuable features include integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.

What is most valuable?

Integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.

How has it helped my organization?

AlienVault provided improved visibility into the environment as well as the ability to report on the organization’s security posture.

What needs improvement?

Asset scanning and inventory (stale assets, scheduling scans) and correlation (false positives).

For how long have I used the solution?

2 years

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

Yes. Upgrading the network cards (from 1GB to 10GB) was not “supported” on the appliance, so we had to purchase a second one as a sensor. The secondary appliance with the 10GB NICs is the same as the primary appliance, so this was disappointing.

How are customer service and technical support?

High (seldom used).

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

Simple and straightforward. The bulk of the work is understanding your own environment and tuning events (syslog, scans, alarm).

What's my experience with pricing, setup cost, and licensing?

Pricing was a very important consideration and lower than the other SIEM solutions evaluated. The price point makes it accessible for SMB organizations that may be constrained of resources (budget and people/skills) so deployment can be gradual while still deriving value out of the solution.

Which other solutions did I evaluate?

SolarWinds, Splunk, LogRhythm.

What other advice do I have?

As with any SIEM, it is not a “turn-key” or “set it and forget it” solution. It requires resources and skills to deploy, although this can be done in stages. Appropriate resources for maintenance are also key so the information is accurate, relevant and timely. Otherwise it becomes a repository of stale ignored events and alarms.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thanks Pedro for taking time to provide your feedback & comments.

it_user467313 - PeerSpot reviewer
IT Field Support Manager at a consumer goods company with 1,001-5,000 employees
Vendor
We already used a lot of the open source products in this suite. This brought them all under one roof and allowed one person to do all the work.

What is most valuable?

The SIEM and intrusion detection.

How has it helped my organization?

We already used a lot of the open source products in this suite but they were too cumbersome for our IT team to handle. This brought them all under one roof and allowed one person to do what 10 could not in a few hours a day.

What needs improvement?

They need to be faster in developing custom plugins.

For how long have I used the solution?

We've been using it for six months.

What do I think about the stability of the solution?

We've had no issues so far and the product works great.

What do I think about the scalability of the solution?

We have not scaled it yet but it handles our entire environment without a problem.

How are customer service and technical support?

4/10 - they need to provide faster responses to emails.

Which solution did I use previously and why did I switch?

We previously used Splunk for SIEM.

How was the initial setup?

It is a complex product, but a lot less complex than the products it's built on like Snort and Splunk.

What's my experience with pricing, setup cost, and licensing?

Get the Virtual Appliance and build the unit yourself. The software is the valuable piece as AlienVault is not a hardware builder and the machine they sell is fine but you could build better yourself for much less.

Which other solutions did I evaluate?

We also looked at SolarWinds SIEM and network monitoring.

What other advice do I have?

Go slow and get everything into your SIEM so you can do some really neat correlations and alerts.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you so much Mike for taking the time to provide your feedback of AlienVault USM.

Chief Operating Officer / SR. Project Manager at SCS
Real User
Helpful threat intelligence capability, but the reporting is mediocre
Pros and Cons
  • "The most valuable feature is threat intelligence."
  • "The reporting is mediocre and is something that needs to be improved."

What is our primary use case?

We are a managed security service provider and we offer AlienVault USM to our clients. We use it to monitor their environments and to maintain their logs.

What is most valuable?

The most valuable feature is threat intelligence. Their community is a very helpful tool and I think it's one of the values of AlienVault.

What needs improvement?

They set aside a lot of the functionality from the on-premises version that we found very helpful in managing tickets. As it is now, the cloud-based deployment is lacking these useful features.

The reporting is mediocre and is something that needs to be improved.

For how long have I used the solution?

I have been using the cloud-based deployment of this solution for about two years.

What do I think about the stability of the solution?

The stability is fine.

What do I think about the scalability of the solution?

Scalability in a cloud solution is tied to costs. With any cloud solution, the more data you have and the larger your company, the higher the price point. I wouldn't say that scaling is easy, but it is standard.

How are customer service and technical support?

Technical support is slow to respond when we put in a ticket. We're a number. 

Which solution did I use previously and why did I switch?

We use both the on-premises version and USM Anywhere. The latter is a SaaS solution.

How was the initial setup?

The initial setup is okay. At an additional cost, they offer services to assist with deployment.

What's my experience with pricing, setup cost, and licensing?

Our take on it is that we are paying more for this product because of the AT&T name. We don't necessarily find that we are getting more functionality or quality, given the price point.

The licensing fees are dependent on usage.

Which other solutions did I evaluate?

We are currently evaluating different SIEM solutions. I have found that all of them have issues, whether it is related to functionality or price point. Even the ones that have a high price don't provide everything that you need.

What other advice do I have?

My advice for anybody who is considering this product is to evaluate all of the options that are out there. There is no one, great answer, so you have to figure out what best fits your needs.

I would rate this solution a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
it_user833982 - PeerSpot reviewer
Cybersecurity Analyst at a tech company with 51-200 employees
User
Review about AlienVault

What is our primary use case?

SIEM, log ingestion and evaluation. We use this not only for internal but also for clients that we manage. It has proven its worth and more. We are currently very pleased with this product and it has performed as advertised. We obviously use this for being able to ascertain visibility on each network in which it is deployed, not only from the NIDS/HIDS side but also evaluation of each interaction every device has.

How has it helped my organization?

We have benefited greatly due to gaining the visibility we need for different instances. It has improved our security posture and has helped us respond to alarms/events as they have come down through the pipeline to the ticketing system we use. All in all, it has improved our SOC.

What is most valuable?

AlienApps that we use to integrate with our current setup is awesome! Not only that, they have roadmapped being able to open up their API so we can integrate and flex the USM Anywhere as much as we want and when we want to. The staff has been incredibly helpful on getting us further down the line with our constructive feedback and have worked on implementing changes to their system to help improve their product.

What needs improvement?

A tailored OTX map for each customer's central would be awesome to have for displays. A lot of companies like to have visuals for their central instance in order to be able to see when an IOC comes through, and it would help to have something in front of analysts/engineers to respond to promptly if they were away from central working downstream.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you for taking time to provide your feedback & comments. If you'd like to speak with someone here at AlienVault from the product team, please do not hesitate to reach out to me directly. My email: tandrews@alienvault.com
