it_user690780 - PeerSpot reviewer
Network Administrator at a legal firm with 51-200 employees
Vendor
We've been able to use the scanning to identify security issues and take care of them before they become a problem.

What is most valuable?

The vulnerability scans and network scans and alarms.

How has it helped my organization?

We were able to use the product to identify two security issues already. We had one situation where the appliance identified that a workstation on our network was infected with a DNS Blackhole virus. We were able to remove the computer from the network and replace it. We've also been able to use the scanning to identify security issues and take care of them before they become a problem.

What needs improvement?

I would like to see it be able to run on any hardware via just an installer.

For how long have I used the solution?

We've had it in place for a year now.

Buyer's Guide
USM Anywhere
February 2025
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
838,713 professionals have used our research since 2012.

What was my experience with deployment of the solution?

Not really, but we had their engineers and a consultant helping.

What do I think about the stability of the solution?

We have not.

What do I think about the scalability of the solution?

No.

How are customer service and support?

Customer Service:

Very high. Any issues I've had they've been quick to answer and help.

Technical Support:

Their support is wonderful. I've had a couple of questions and had them answered very quickly.

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

Very straightforward.

What about the implementation team?

We implemented through a vendor. When we bought the product they included hours from a vendor for the implementation.

What was our ROI?

Unknown.

What's my experience with pricing, setup cost, and licensing?

Nothing to advise.

Which other solutions did I evaluate?

No. We just had to decide if we wanted this or had time to work with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you so much for your feedback & comments!

reviewer673236 - PeerSpot reviewer
Systems Engineer at a university with 201-500 employees
Real User
Some of the valuable features are real-time email alerts, event correlations, and log management.

What is most valuable?

  • Real-time email alerts
  • Event correlations
  • Log management
  • System monitoring
  • Network monitoring
  • Up-time monitoring
  • OTX threat intelligence
  • Vulnerability scanning reporting

There are too many to list.

How has it helped my organization?

It has given us insight into our network:

  • What is on it
  • What traffic is on it
  • What is happening on our servers

It is one location to view many things.

What needs improvement?

The menu system can be a little confusing until you use it for a while. For example, at the top right there is a “settings” menu, which is more of a user profile menu. I would like that to say what it is: “My Profile.” Under the “Settings” menu I would rather see true system settings, such as User Accounts, Configuration Backups/Restore, SMTP server settings, AD (LDAP) settings, Password Policies, and other true system settings. There is also a large button at the right called “Configuration.” I would change that to something like “Deployment Settings.” Under this menu I would have settings specifically related to “this deployment of AlienVault,” such as Plugins, Sensors, Remote Locations, and Services Running on this deployment (with the ability to Enable/Disable and Start/Stop these). Also here I would have a sub-menu called “System Performance” with metrics (CPU usage, swap, RAM, database health (with cleanup and compress options), Network Traffic In/Out performance for each NIC, etc.). Currently Threat Intelligence items are also under Configuration. I would make a separate “Threat Intelligence” menu and expand upon it to cover more items. Just my thoughts.

I guess it comes down to my being old school; I would like traditional menus, such as text-style drop-down menus from the top and not the huge big button menus: File, Analysis, Environment, Reports, Settings, Deployment Settings, Preferences, Help, etc. The text-type menus tend to be much more explanatory as to what is in them. I know a lot of software has gone to the big button/ribbon style menus (MS Office). I assume that is to make things mobile friendly. To me it makes navigation less easy and more confusing, and the big buttons take up too much screen real estate that I would rather see used for other things such as alarms and real-time system activities.

For how long have I used the solution?

We have been using this solution for just over one year.

What was my experience with deployment of the solution?

There have been no major deployment issues.

What do I think about the stability of the solution?

There have been no major stability issues.

What do I think about the scalability of the solution?

There have been no scalability issues. We recently moved from 150 asset licenses to unlimited and the process was very easy.

How are customer service and technical support?

Customer Service:

Customer support is excellent. Support has been good for simple config issues and for alert questions. They have a great forum base as well as live support.

Technical Support:

I would rate technical support as very good.

Which solution did I use previously and why did I switch?

We used hardware-based as well as open source solutions before. We still use some of them, but AlienVault allowed us to consolidate a lot of services into one.

How was the initial setup?

The installation was straightforward. We use the VMware-based All-In-One USM. It was quite straightforward. It required a little customization, but it was not too difficult to sort through.

What about the implementation team?

It was a joint collaboration.

What was our ROI?

We saw a positive ROI within six months, especially in terms of manpower.

What's my experience with pricing, setup cost, and licensing?

Just give them a call. They can work with you in many ways to help you get what you need.

Which other solutions did I evaluate?

We looked at several options. And we were already using several of them, both paid and open source. AlienVault allowed us to combine several solutions into one.

What other advice do I have?

If you are interested, sign up for some of their webinars, download the free trial or open source versions, and play with it.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thanks for your time to review USM and for the feedback!

PeerSpot user
Professor at a university with 201-500 employees
Vendor
It is set up as a dashboard in the security lab. Students can view and analyze the monitoring techniques of the product.

What is most valuable?

AlienVault is used in a classroom setting at Pittsburgh Technical College, which brings industry tools from the college classroom back into the field. We have several employers in the area that use AV so student acclimation to the product is key. AV is set up as a dashboard in the security lab where students can view and analyze the monitoring techniques of the product. If an event happens, they can process an analytical step to provide remediation.

How has it helped my organization?

Students becoming acclimated to the product can go out into the field and have first-hand knowledge on how to use a USM or SIEM product. This is a win-win solution for the vendor and future employers.

For how long have I used the solution?

The school has used the product for over a year.

What was my experience with deployment of the solution?

We were attempting to push HIDS on the domain controllers, and ran into an initial problem. This problem was immediately solved by the AV service technician that was able to remote in and fix the problem.

What do I think about the stability of the solution?

One of the problems we had with stability was a problem of our own. We were running AV on a VLAN on which students were able to run DHCP servers, which caused our own problems.

How are customer service and technical support?

Customer Service:

We have had several tickets open with AV and they are prompt in their service time.

Technical Support:

Technical support is prompt in acknowledging your needs and replies with a message that a service technician will be with you shortly. They make every attempt possible to work with your schedule.

Which solution did I use previously and why did I switch?

A direct competitor to AV is IBM QRadar, which is also used in the classroom environment.

How was the initial setup?

The setup was straightforward. We installed AV to vSphere ESXi as a virtual appliance deployed as an OVA template.

What was our ROI?

The ROI is unmeasured since we are an academic partner; there is no way of knowing how much positive impact the product will attain from students getting first-hand knowledge of an industry product before they go out into the field upon graduation.

Disclosure: My company has a business relationship with this vendor other than being a customer: We are an academic partner.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Philip - thanks so much for your comments & feedback on your experience with AlienVault USM.

PeerSpot user
Security Architecture and Operations Lead at a university with 1,001-5,000 employees
Real User
AlienVault helped take us from semi-Pro to Pro

What is most valuable?

The NIDS/HIDS features have probably been the best features for us in our environment. We've had some open-source options and, while they work, it isn't the same as having commercial support. SIEM is the second-most useful feature.

How has it helped my organization?

We've been able to professionally generate alerts for IDS, SIEM and vulnerabilities where we didn't have those capabilities before.

What needs improvement?

Reporting still needs a lot of work, especially on the vulnerability side. Vulnerability management UI could be improved as well.

Vulnerability reports are clunky and difficult to manage. The layout is not really professional or intuitive and takes some time to understand how to navigate it. In general, while there are some customization options with reporting features as far as look and feel, reports still have an “open source” feeling. In general, the look is not as clean and professional as what one is used to seeing in other, similar products.

For how long have I used the solution?

I have used it for 16 months.

What was my experience with deployment of the solution?

We have not encountered any deployment issues.

What do I think about the stability of the solution?

We encountered one stability issue. With the amount of log data we were sending, our sensor drives were filling up within a day or two. We had to create some cron jobs to ensure logs were rotated more frequently.

What do I think about the scalability of the solution?

We have not encountered any scalability issues. You just add another sensor; pretty easy.

How are customer service and technical support?

Customer Service:

Customer service is excellent! Always very responsive.

Technical Support:

Technical support is excellent! Always very responsive.

Which solution did I use previously and why did I switch?

We used Nexpose for vulnerability management and moving away from that was the primary reason we went with AlienVault.

How was the initial setup?

Initial setup was very easy for the most part. We were paired with a third-party vendor for onboarding. We didn't work well with this group, but AlienVault happily transferred our service hours to another group and that relationship worked much better for us.

What about the implementation team?

An in-house team implemented it.

Which other solutions did I evaluate?

Before choosing this product, we did not evaluate other options. We looked at Nessus SecurityCenter with Log Management.

What other advice do I have?

We've been very happy with the purchase. While the list of supported vendors in the SIEM continues to grow, I do wish that creating plugins was a little easier.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you, Aaron, for your review & comments.

it_user479376 - PeerSpot reviewer
Information Security Officer at a healthcare company with 1,001-5,000 employees
Real User
Valuable features include integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.

What is most valuable?

Integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.

How has it helped my organization?

AlienVault provided improved visibility into the environment as well as the ability to report on the organization’s security posture.

What needs improvement?

Asset scanning and inventory (stale assets, scheduling scans) and correlation (false positives).

For how long have I used the solution?

2 years

What do I think about the stability of the solution?

No.

What do I think about the scalability of the solution?

Yes. Upgrading the network cards (from 1GB to 10GB) was not “supported” on the appliance, so we had to purchase a second one as a sensor. The secondary appliance with the 10GB NICs is the same as the primary appliance, so this was disappointing.

How are customer service and technical support?

High (seldom used).

Which solution did I use previously and why did I switch?

No.

How was the initial setup?

Simple and straightforward. The bulk of the work is understanding your own environment and tuning events (syslog, scans, alarm).

What's my experience with pricing, setup cost, and licensing?

Pricing was a very important consideration and lower than the other SIEM solutions evaluated. The price point makes it accessible for SMB organizations that may be constrained of resources (budget and people/skills) so deployment can be gradual while still deriving value out of the solution.

Which other solutions did I evaluate?

SolarWinds, Splunk, LogRhythm.

What other advice do I have?

As with any SIEM, it is not a “turn-key” or “set it and forget it” solution. It requires resources and skills to deploy, although this can be done in stages. Appropriate resources for maintenance are also key so the information is accurate, relevant and timely. Otherwise it becomes a repository of stale ignored events and alarms.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thanks Pedro for taking time to provide your feedback & comments.

it_user467313 - PeerSpot reviewer
IT Field Support Manager at a consumer goods company with 1,001-5,000 employees
Vendor
We already used a lot of the open source products in this suite. This brought them all under one roof and allowed one person to do all the work.

What is most valuable?

The SIEM and intrusion detection.

How has it helped my organization?

We already used a lot of the open source products in this suite but they were too cumbersome for our IT team to handle. This brought them all under one roof and allowed one person to do what 10 could not in a few hours a day.

What needs improvement?

They need to be faster in developing custom plugins.

For how long have I used the solution?

We've been using it for six months.

What do I think about the stability of the solution?

We've had no issues so far and the product works great.

What do I think about the scalability of the solution?

We have not scaled it yet but it handles our entire environment without a problem.

How are customer service and technical support?

4/10 - they need to provide faster responses to emails.

Which solution did I use previously and why did I switch?

We previously used Splunk for SIEM.

How was the initial setup?

It is a complex product, but a lot less complex than the products it's built on like Snort and Splunk.

What's my experience with pricing, setup cost, and licensing?

Get the Virtual Appliance and build the unit yourself. The software is the valuable piece as AlienVault is not a hardware builder and the machine they sell is fine but you could build better yourself for much less.

Which other solutions did I evaluate?

We also looked at SolarWinds SIEM and network monitoring.

What other advice do I have?

Go slow and get everything into your SIEM so you can do some really neat correlations and alerts.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you so much Mike for taking the time to provide your feedback of AlienVault USM.

Consulta85d2 - PeerSpot reviewer
Consultant at a tech services company with 11-50 employees
Reseller
The bundle of features is the killer feature, but search performance and Raw Logs are slow
Pros and Cons
  • "On any given day I could give you a different answer regarding the most valuable features of the product. The feature that is most important is the fact that it has a lot of features, that it's not just a log collection and correlation system, that it has a lot of other components built in. The bundle of features is really the killer feature."
  • "Search performance can be slow. The Raw Logs feature is painfully slow. And if we're talking about the newer, the Anywhere product, you can't even schedule reports on the thing. There are probably a dozen other features I'd really like to see there, but that would be one of the biggies."
  • "We've had some stability problems, not a lot, but a few. Updates seem to be the worst. That seems to be when the stability problems come up."

What is our primary use case?

Our use of the solution is all over the map. We use it for our own internal use. We use it in our security operations center. We're a reseller, we're an MSSP, and a Professional Services provider, so we do a lot of professional services on the platform. It's a standard SIEM solution and is used for log collection, log management, event correlation, alarming, and reporting.

How has it helped my organization?

There are probably a billion examples I could give. As a service provider, it helps us because we have all of our clients connected in through our management platform, and we're able to leverage the tools that AlienVault provides to monitor and collect data from all of those systems and identify security incidents for all of our clients. It provides network and host-level visibility and it's easy to tune and manage.

What is most valuable?

On any given day I could give you a different answer regarding the most valuable features of the product. The feature that is most important is the fact that it has a lot of features, that it's not just a log collection and correlation system, that it has a lot of other components built in. The bundle of features is really the killer feature.

In particular though: 

  • ease of use and deployment
  • excellent cloud integration
  • dynamic asset management
  • vulnerability scanning
  • network intrusion detection
  • host-based agent monitoring and collection. 

All of these features combined create a compelling "one-stop" package for a business that needs security monitoring and analytics.

What needs improvement?

Search performance can be slow. The Raw Logs feature is painfully slow. And if we're talking about the newer, the Anywhere product, you can't even schedule reports on it. There are probably a dozen other features I'd really like to see there, but that would be one of the biggies.

Also, there is no visibility into the NIDS or HIDS agent configurations and no easy way to augment them. The same is true for vulnerability scanning: it's all or nothing; there are no fine-grain controls as there were in their older product. There is a lack of "real" visibility into the correlation rules, and the inability to create our own sophisticated rules (only very simple ones) is a big miss.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We've had some stability problems, not a lot, but a few. Updates seem to be the worst. That seems to be when the stability problems come up.

Sensors occasionally go down during updates and don't recover. Some maintenance cycles on the cloud controller have left the system in a weird state. In addition, there are times when the product seems very slow to respond. This may be related to back-end maintenance that we are not aware of.

What do I think about the scalability of the solution?

It scales reasonably well. There is a scalability plan for it. There is a way to add additional collection components, what they call Sensors, and then scale up the central platform. At this point, I don't believe it will scale to the very high-end. It is not a large, global enterprise-type product. It's more of a small-enterprise-and-below product.

How are customer service and technical support?

Their support has been good. I've always had good interactions with them.

Which solution did I use previously and why did I switch?

We've used a lot of solutions. I've used, run, and supported a lot of different solutions over the years. There were two primary reasons for switching to AlienVault. One was price, and the other was the feature bundle that I was talking about earlier.

We chose this particular product for many other reasons. As a Professional Services provider, a service provider, MSSP, and a reseller, we're not using it the way most end-users would go out and shop around and look for something. A big part of our decision in selecting this product was the fact that we were able to establish that relationship with AlienVault as a company, as a business to business relationship, to be a reseller, to be an MSSP, to be all of those things.

How was the initial setup?

The setup is pretty simple. The documentation is good. I've been setting up platforms like this for years, so it's not hard for me. For someone who is new to the product and hasn't used this type of product before, they'll have a little bit of a challenge, but it's not too bad. The system is pretty easy to install and, if you follow the documentation, it's pretty easy to configure.

Some cloud integration steps, like G Suite, were more complicated and prone to error.

What was our ROI?

Calculating ROI on security products is a funny endeavor, in my experience. It's not a hard science and it's not something you can easily throw a lot of numbers at. It's mostly guesswork.

What's my experience with pricing, setup cost, and licensing?

The pricing is a good value and makes sense.

The key thing is that for the new product, the licensing of it is subscription-based and it's based on data. Clients need to be really careful when thinking about that, because odds are they're going to need to put a lot more data into it than what they initially estimate, which is going to drive their subscription costs up.

I do have concerns that, if a payment is delayed or if there is any dispute about billing, all of our data is held in the cloud and could be lost.

What other advice do I have?

Overall, the automation features of this solution are good. The issue here is that there are really two solutions. There's the AlienVault Appliance product and then there's the AlienVault Anywhere product. The Appliance product, which is the older product, has a lot more customization and automation capabilities because it's very extensible. The newer product, the Anywhere product, is still very limited. We're very dependent on AlienVault to build in any kind of connections or integration.

If you are a mostly-cloud environment this is a good fit. If you have very few other security controls outside of a firewall this is a good step forward. But if you have a solid security program you may find this product lacking in a few areas. And most importantly, be very careful about subscription size and licensing.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you for your time and comments. Your feedback is invaluable. If you'd like to discuss the concerns you've raised in the review, please feel free to reach out to me and I'll be happy to initiate the conversation.

PeerSpot user
Security Administrator at a financial services firm with 501-1,000 employees
Vendor
It has allowed us to gain a better understanding of how data flows within our network
Pros and Cons
  • "It allows you to define what alerts you want to see, or not to see, as well as if you want them grouped, or ungrouped."
  • "The reporting aspect could be improved. While there are a lot of different options available, there are still pieces which are missing."

How has it helped my organization?

It has allowed us to gain a better understanding of how data flows within our network, and has helped us think about what type of things we want to be alerted on, or not alerted on.

What is most valuable?

AlienVault provides you with a unified view for all aspects of what is going on in your environment. It allows you to define what alerts you want to see, or not to see, as well as if you want them grouped, or ungrouped.

What needs improvement?

The reporting aspect could be improved. While there are a lot of different options available, there are still pieces which are missing. The views are also very static and do not give you a lot of options on how the data is presented.

What do I think about the stability of the solution?

No, the product is stable.

What do I think about the scalability of the solution?

No, our network has stayed for the most part the same. In the future, it should be scalable with additional sensors.

How are customer service and technical support?

Customer Service:

This is an area that could be improved.

Technical Support:

This is an area that could be improved. However, once you get a knowledgeable tech support person, they are good to work with.

Which solution did I use previously and why did I switch?

No, this is our first SIEM device.

How was the initial setup?

Both. It was simple to just get up and running. However, when you start tweaking it for your organization it gets more complex.

What about the implementation team?

A little bit of both. The vendor team's expertise was amazing. I highly recommend using them.

What was our ROI?

The time that it would take to manually investigate events versus looking at one dashboard.

What's my experience with pricing, setup cost, and licensing?

Definitely get professional services.

Which other solutions did I evaluate?

Darktrace and QRadar.

What other advice do I have?

Once set up, for the most part, it is a "set it and forget it" solution. There is some upkeep with making sure all the things are monitored, but other than that AlienVault provides what you need out-of-the-box.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you David for your time to review AlienVault USM and for your candid feedback!
