Information Systems Network Technician at a local government with 501-1,000 employees
It's a single solution that meets several of my PCI compliance objectives.
What is most valuable?
Allows for log management, vulnerability scanning, and file integrity monitoring.
How has it helped my organization?
I was able to replace our log management solution with this product. A single server that allows for log management, vulnerability scanning, and file integrity monitoring.
What needs improvement?
The alarms section of the USM is very robust, yet I still find myself having to look back through the events to find more details. It would be nice if I could navigate straight to the event from the alarm.
For how long have I used the solution?
I've been using it for six months.
Buyer's Guide
USM Anywhere
December 2024
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: December 2024.
831,265 professionals have used our research since 2012.
What do I think about the stability of the solution?
I had a renegade plugin that was installed by the company who helped me with the initial setup. The plugin was missing a command to rotate logs and would quickly fill my hard drive to capacity. Fortunately, AlienVault support identified the problem and reported the issue to the designers. I opted not to run that plugin anymore, and probably still will not trust it even after the rotate function is fixed.
What do I think about the scalability of the solution?
I have the ability to scale out further from where I am if necessary, so I have not had any scalability problems.
How are customer service and support?
10/10
Which solution did I use previously and why did I switch?
We did not previously have many of the systems that AlienVault offers. We switched to get a robust single solution.
How was the initial setup?
The initial setup is both straightforward and complex. You can get the system up and running without any outside help but you will be missing out on many of the finer detailed features if you go that route. I appreciated getting professional setup help as I do not have enough time to dedicate to just learning USM. I also attended the five day training which was very valuable.
What's my experience with pricing, setup cost, and licensing?
Speak with a rep to get the correct design. AlienVault will scale depending on the size of your environment but the licensing gets tricky when you get away from the single unified console.
Which other solutions did I evaluate?
I was not able to find any other tool that was able to meet as many needs as the AlienVault USM. I spent the entire trial testing AlienVault to make sure it would suit my needs.
What other advice do I have?
Use AlienVault's free trial of the USM. They will help you get the system installed, which is very helpful to make sure you get the best test possible.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security Consultant at a tech consulting company with 51-200 employees
We run this product on our network 24/7 and it has helped identify important events.
How has it helped my organization?
We run this product on our network 24/7 and it has helped identify many important events. We take the security of our network very seriously, and this helps to quickly identify and lock down any potential vulnerabilities or events that could escalate.
What is most valuable?
As an information security consultant that works across many diverse networks, these features offer by far the most critical information when analysing a client’s environment for issues that need to be addressed:
What needs improvement?
My biggest challenge has always been the fine tuning that is sometimes required for some networks. It requires a solid understanding of Linux, databases and how networks work, so a non-technical user may become frustrated, or not configure the product to work at its best, and therefore miss important events. So I see room for improvement in the following:
- Ease of deployment and configuration
- Easier ways of testing whether features are working as designed, e.g. packet analysis
- Troubleshooting features that are not working as designed
What do I think about the scalability of the solution?
I have not yet run into any issues regarding scalability; however, I have not deployed this on a very large network yet (1000+ devices).
How is customer service and technical support?
Excellent! Every time I have had an issue, the customer and technical support has been outstanding. The support desk is always very helpful, and goes out of their way to make sure the issues are resolved whenever possible.
How was the initial setup?
The initial setup is not difficult at all, and can be done by someone with almost no technical knowledge. However, getting optimal performance from the features in AlienVault may not always be as easy.
What about the implementation team?
We deployed using our own in-house team, led by myself. Depending on what you want from the product, be prepared to do some research and tinkering in the background. What you see on the surface is actually a very small part of what you can really do with AlienVault. If you are serious about getting the best out of AlienVault, use a vendor that is well versed in deploying AlienVault (like an MSSP) as they should have the experience needed to optimise a deployment, as well as having quick and easy access to the AlienVault support. Use the 30-day trial to get a good feel for what it can do, but remember there is a lot more.
What's my experience with pricing, setup cost, and licensing?
As this product is still relatively new in South Africa, people are still learning about it, but thus far we have been able to show affordability and feasibility on every network we have deployed it on. Speak to an MSSP about a package that is affordable for your company. The product is easy to scale as your affordability improves.
Which other solutions did I evaluate?
I have actually looked at a few other products, however we decided on this product as the cost versus what you get, far outweighed any other product we looked at. Many companies can’t afford to deploy a SIEM solution from some of the top companies on the market, however no company should be without a SIEM on their network with the risks companies face today. AlienVault provided the best bang for buck.
What other advice do I have?
Remember, there are many good products on the market; however, affordability is usually a key factor. Sit down and properly analyse your network, and list your expectations of whatever product you are considering. Identify what your most critical assets are, your “Crown Jewels”, and know how they need to be protected. Then look at solutions within your budget, remembering that the most expensive is not necessarily always the best. There are many world-class products out there; you need to find one that will fulfil your needs within your budget.
Also, remember that running a system like this means dedicating resources to monitoring it; you can’t deploy SIEM tools and think they are going to run themselves. Don’t expect your system administrator to have time to do this, as InfoSec is a full-time job. Either get a skilled resource, or consider an MSSP offering.
The product is very powerful and very flexible. However certain aspects can be very challenging to setup and configure for users that don’t have in-depth technical background. The default configuration would work well for a normal office network, however for more complex networks there is a lot more configuration required for optimal performance. The product is still under very active development, and the vendor is always receptive to feedback regarding feature requests or bugs.
Disclosure: My company has a business relationship with this vendor other than being a customer: We are an MSSP provider using this product, so we work closely with AlienVault themselves on a regular basis.
Chief Information Security Officer at a tech services company with 51-200 employees
It's based on an open source product and therefore fully customizable.
What is most valuable?
Flexibility. As the source of AlienVault is based on an Open Source product, it is possible to implement nearly everything including fully customized plugins, scripts, etc. We haven't yet found any limitations.
How has it helped my organization?
We are now able to track any kind of threat including external (malware) or internal (people trying to bypass restrictions, USB keys etc.).
We are able to track changes in the authentication integrity (new user created, domain admin elevation, etc.) and get mail or tickets in cases of suspicious behavior.
It helps us with our ISO27001 compliance.
What needs improvement?
The search capabilities are not optimal and are going to be optimized in the next versions. For example, it is possible to search both username and IPs but not usernames and specific fields (aka user data) at the same time.
Documentation needs to be improved, especially due to the fact that AlienVault gets improved often with new features.
Vulnerability scanning does not support Nessus (after version 5), which is a leader in the market. The default vulnerability scanner is OpenVAS; it does the job, but the reports are not the same quality as Nessus.
For how long have I used the solution?
3+ years
What do I think about the stability of the solution?
No stability issues were encountered.
What do I think about the scalability of the solution?
No scalability issues as the product is highly scalable. You have to take care of what you want to integrate and think of use-cases instead of global log collection. In our opinion this is the key of success as you will scale your infrastructure with what you really need.
How are customer service and technical support?
Customer Service:
Customer service can be a great help depending on the kind of project. They are very reactive for commercial offers.
Technical Support:
Technical support is good and reactive, but you should also take the training to have better knowledge of the solution.
Which solution did I use previously and why did I switch?
We chose this product because of:
- Pricing model
- Flexibility of the solution
- Multi-tier architecture/scalability
How was the initial setup?
Yes, when you don’t have experience with the product you have to learn and understand all the “concepts”. In this case AlienVault generally provides “free” technical service through third-party companies so that you are able to operate something quickly.
What about the implementation team?
We started with the free technical support provided for the trial period. Then we quickly took the product into our own hands, got certified on it and became independent.
What was our ROI?
The ROI is very good if you evaluate all the services which AlienVault can help you with: detection of malware, bad activities, suspicious behavior, etc. All these threats can create high financial losses, and a big part of them could be prevented using the SIEM.
What other advice do I have?
If you don’t want to overpay, and want to have something working, you have to make an assessment based on:
- what are your assets?
- what is the criticality of each one?
- what use cases do you want to implement?
From there, create a plan on how to implement them, limiting collection to the minimum to avoid flooding of data and high costs due to an over-sized infrastructure.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
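The reviewer above describes tracking authentication-integrity changes (new user created, domain admin elevation) and alerting on them. The following is an added example written for this page, not AlienVault code or a USM correlation directive, showing what such a rule looks like when run over Windows Security events. The event IDs (4720 for account creation, 4728/4732/4756 for group membership additions) are the real Windows audit IDs; the log lines, host names, account names and the key=value format are constructed, and the privileged group names assume a default English Active Directory.

```python
"""Detect authentication-integrity changes in Windows Security events:
new accounts, additions to privileged groups, and the correlation
"account created and then elevated within a few minutes".

Added example written for this page; it is not AlienVault code or a
USM correlation directive. The event IDs are the real Windows Security
audit IDs; the log lines, host names and account names are constructed.
"""
import re
from datetime import datetime

USER_CREATED = 4720                 # 4720: a user account was created
GROUP_ADD = {4728, 4732, 4756}      # member added to a global / local / universal group

# Assumption: default English group names; add localized names as needed.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed sample in a key=value style a syslog forwarder might emit.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:01Z EventID=4720 SubjectUser=helpdesk1 TargetUser=jdoe Host=DC01
ts=2024-03-04T09:12:05Z EventID=4728 SubjectUser=helpdesk1 MemberName=jdoe GroupName="Domain Admins" Host=DC01
ts=2024-03-04T10:00:00Z EventID=4732 SubjectUser=svc_backup MemberName=svc_backup GroupName="Backup Operators" Host=FS01
ts=2024-03-04T11:30:44Z EventID=4756 SubjectUser=admin.bob MemberName=svc_ci GroupName="Enterprise Admins" Host=DC02
ts=2024-03-04T11:31:02Z EventID=4624 SubjectUser=jdoe Host=WS17
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one key=value line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def detect(log_text, window_seconds=300):
    """Run three rules over the log and return alerts in log order.

    new_account          any 4720
    privileged_add       4728/4732/4756 where the group is in PRIVILEGED_GROUPS
    create_then_elevate  a privileged_add whose member was created (4720) at
                         most window_seconds earlier in the same log
    """
    alerts = []
    created = {}  # account name -> (creation time, creating subject)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        eid = int(ev.get("EventID", 0))
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if eid == USER_CREATED:
            created[ev["TargetUser"]] = (ts, ev["SubjectUser"])
            alerts.append({"rule": "new_account", "user": ev["TargetUser"],
                           "by": ev["SubjectUser"], "host": ev["Host"]})
        elif eid in GROUP_ADD and ev.get("GroupName") in PRIVILEGED_GROUPS:
            member = ev["MemberName"]
            alerts.append({"rule": "privileged_add", "user": member,
                           "group": ev["GroupName"], "by": ev["SubjectUser"],
                           "host": ev["Host"]})
            if member in created:
                c_ts, c_by = created[member]
                delta = (ts - c_ts).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append({"rule": "create_then_elevate", "user": member,
                                   "group": ev["GroupName"], "by": ev["SubjectUser"],
                                   "created_by": c_by,
                                   "seconds_after_create": int(delta)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this yields four alerts: the creation of jdoe, jdoe's addition to Domain Admins, the correlated create-then-elevate (4 seconds apart, same helpdesk account doing both), and svc_ci's addition to Enterprise Admins. The Backup Operators addition and the 4624 logon produce nothing. The correlated rule is the one worth routing to a ticket or mail: a single 4720 or 4728 is routine, the pair within minutes rarely is.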
Group Information Security Officer at a consumer goods company with 1,001-5,000 employees
Before AlienVault we had no visibility of our vulnerabilities without looking up WSUS and matching this against the Windows bulletins.
What is most valuable?
The correlation from the Host Based Intrusion to Network Intrusion against the vulnerabilities in my network.
How has it helped my organization?
We had no visibility of our vulnerabilities without looking up WSUS and matching this against the Windows bulletins. This completely missed the mark when it came to third-party patches and poor configuration, and wasted hours upon hours for half a story. Not to mention we have a much better understanding of how and when we are being attacked.
What needs improvement?
The reporting could do with some improvements for example the vulnerability report only tells you what vulnerabilities are open and lists them but there is no indication of how old they are at a glance and what vulnerabilities have been closed since the previous scans. I would also like to see the ability to scan my devices for compliance against the CIS Benchmarks.
For how long have I used the solution?
I have had this solution in place for just over a year now.
What do I think about the stability of the solution?
I've not experienced any issues with this yet.
What do I think about the scalability of the solution?
I've not experienced any issues with this yet.
How are customer service and technical support?
The tech support guys have been very friendly and helped as soon as there has been any issue. I cannot fault their technical support.
Which solution did I use previously and why did I switch?
I used multiple products to try and get some way towards the level of visibility afforded by AlienVault: ManageEngine SIEM, Qualys for vulnerability management, and Norton for HIDS. Having this all in one interface made more sense, which swayed the decision to go with AlienVault.
How was the initial setup?
Very easy for initial set-up. My system was up and running within two hours. When you start to get into it more, then you need a better technical understanding.
What's my experience with pricing, setup cost, and licensing?
This is much cheaper than some of the big names; it is very affordable and scalable.
Which other solutions did I evaluate?
We looked at managed services from Dell SecureWorks as well as Qualys & Nessus.
What other advice do I have?
Being the only Security professional in an organisation of well over 1000 people AlienVault lets me keep a watchful eye whilst getting on with my day job. This is a very good product with excellent support. Personally I would have preferred to go on the AlienVault System Engineers course as I believe this would help in fine tuning the system.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
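The reviewer above wants the vulnerability report to show how old each open finding is and which findings closed since the previous scan. That is a small bookkeeping problem on top of any scanner's export, and the following added example, written for this page rather than taken from AlienVault or OpenVAS, carries the first-seen date of each finding across scans to produce exactly that. A finding is modeled as a (host, finding id) pair; the three scans, host names and finding names are constructed, and a real run would load the pairs from the scanner's export instead.

```python
"""Track vulnerability findings from scan to scan: which are new, how long
each open finding has been open, and which closed since the last scan.

Added example written for this page; it is not AlienVault or OpenVAS
output or code. A finding is modeled as a (host, finding id) pair and the
scans below are constructed; a real run would load them from the scanner's
export instead.
"""
from datetime import date

# Constructed scan history: (scan date, set of (host, finding id)).
SCANS = [
    (date(2024, 1, 8), {("web01", "tls-weak-ciphers"),
                        ("web01", "openssl-outdated"),
                        ("db01", "smb-signing-disabled")}),
    (date(2024, 2, 12), {("web01", "tls-weak-ciphers"),
                         ("db01", "smb-signing-disabled"),
                         ("db01", "openssl-outdated")}),
    (date(2024, 3, 4), {("web01", "tls-weak-ciphers"),
                        ("db01", "openssl-outdated")}),
]


def update_state(state, findings, scan_date):
    """Fold one scan into the tracking state.

    state      {(host, finding_id): first_seen_date} carried from earlier scans
    findings   (host, finding_id) pairs reported by this scan
    scan_date  date of this scan
    Returns (new_state, report); report has lists 'new', 'open' and 'closed'
    of {host, vuln_id, age_days}, where age counts from first sighting.
    """
    current = set(findings)
    new_state = {}
    report = {"new": [], "open": [], "closed": []}
    for host, vid in sorted(current):
        first_seen = state.get((host, vid), scan_date)
        new_state[(host, vid)] = first_seen
        entry = {"host": host, "vuln_id": vid, "age_days": (scan_date - first_seen).days}
        report["new" if (host, vid) not in state else "open"].append(entry)
    # Anything tracked before but absent now counts as closed; age_days is
    # how long it stayed open before it disappeared.
    for host, vid in sorted(set(state) - current):
        report["closed"].append({"host": host, "vuln_id": vid,
                                 "age_days": (scan_date - state[(host, vid)]).days})
    return new_state, report


def overdue(report, sla_days):
    """Open findings that have exceeded the remediation SLA."""
    return [e for e in report["open"] if e["age_days"] > sla_days]


def track(scans):
    """Replay a scan history and return one report per scan."""
    state, reports = {}, []
    for scan_date, findings in scans:
        state, report = update_state(state, findings, scan_date)
        reports.append(report)
    return reports


if __name__ == "__main__":
    for (scan_date, _), report in zip(SCANS, track(SCANS)):
        print(scan_date, "new:", len(report["new"]), "open:", len(report["open"]),
              "closed:", len(report["closed"]), "overdue(30d):", overdue(report, 30))
```

One caveat a practitioner should build in before trusting the "closed" list: a finding also disappears when the host was offline, unreachable or dropped from the scan scope, so treat closed-with-no-matching-patch-record as something to verify, not as a fix. Comparing the set of hosts scanned, not just the findings, catches that case.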
IT Manager at a manufacturing company with 51-200 employees
It is my "security person" looking at irregularities and letting me know when something has occurred
Pros and Cons
- "SIEM log collection is great, and all of the rules that support updates with maintenance."
- "It is my "security person" looking at irregularities and letting me know when something has occurred."
- "More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you."
What is our primary use case?
We were looking to add another layer of security to our network, which included intrusion detection, intrusion prevention, SIEM collection, and more. After looking at a few solutions, we ended up purchasing AlienVault. We are located in a physical location with 100 users.
How has it helped my organization?
AlienVault has provided me with a management console which gives me alerts and other information about the traffic on my network. AlienVault is my "security person" looking at irregularities and letting me know when something has occurred. I also see vulnerabilities in my systems and can assign tickets to other staff members.
What is most valuable?
SIEM log collection is great, and all of the rules that support updates with maintenance.
What needs improvement?
More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you.
For how long have I used the solution?
One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Sr. Networking & EMS Analyst
Provides a good platform to start looking at the traffic on your network.
What is most valuable?
Event monitoring and vulnerability scanning have been a huge benefit to us.
How has it helped my organization?
It provides a good platform to start looking at the traffic on your network.
What needs improvement?
Most of the troubleshooting requires going through the Linux command line and bypassing the GUI. We have a wide variety of users with different technical expertise. For some, any amount of command line troubleshooting scares them away from products.
For how long have I used the solution?
We have been using this solution for a year.
What was my experience with deployment of the solution?
Our deployment was rather unique and is pushing the limitations of the architecture that we chose. From what I have learned, if you have large deployments on separate networks, then do not attempt to use remote sensors on those network segments.
What do I think about the stability of the solution?
Many of the patches typically have some bugs that we end up finding. We ended up implementing a deployment in our lab so as to fully test it internally, before patching.
What do I think about the scalability of the solution?
The system is quite scalable; however, it is best to understand the limitations of the different architectures offered.
How are customer service and technical support?
Customer Service:
The customer service is excellent; we have quick and knowledgeable help on all our calls.
Technical Support:
The support team is also excellent, with very knowledgeable engineers.
Which solution did I use previously and why did I switch?
This was our first solution for this type of security appliance.
How was the initial setup?
The initial setup was straightforward, but adding in more sensors made it a bit more complex.
What about the implementation team?
We had vendor help for the initial setup, however, the additional sensor expansion was in-house.
What was our ROI?
We quickly found some issues after deploying and have used the vulnerability scanner to verify patches are properly applied in the environment.
What's my experience with pricing, setup cost, and licensing?
If you expect to have a significant number of devices on a sensor, then look at the cost/performance of going to a full server.
Which other solutions did I evaluate?
We evaluated LogRhythm and QRadar.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Consultant at Securepoint Nederland B.V.
There is no complex alerting or code reviewing, just click and go.
Valuable Features
Vulnerability scanning and OTX are powerful. The alerting and security intelligence are the engine of the product. Looking at the cockpit and monitoring your IT environment is now almost a one-man job. There is no complex alerting or code review, just click and go.
Improvements to My Organization
AlienVault does not stop a security breach, but it detects and notifies the responsible people and they can immediately interact and take the necessary actions. Identifying security risks and minimizing downtime is the added value.
Room for Improvement
The next release will include cloud security and will support a hybrid IT environment. Furthermore, the OTX has great added value, but it will help when there is more OTX information in the database. Future releases will definitely need to improve on these items, and that will position the product in a more enterprise-ready strategic position.
Use of Solution
As a professional user and reseller we've used this product for almost five years, starting with the free OSSIM level for home and development use, and the all-in-one unlimited version or a small 50 asset version for our customers. Scalability is also key, starting at 25 assets for small companies and supporting enterprise companies with a separate server, sensor and logger.
Deployment Issues
It has great scalability options. The installation is almost click and go, but be aware that when implementing AlienVault in a big environment with a separate sensor, logger and server, it's useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key: knowing where to position the sensors and where to place the server is key, since a wrong architecture will impact performance. AlienVault can offer direct support, or you can contact your local partner to assist during this process.
Customer Service and Technical Support
When issues arise and the going gets tough, you can contact AlienVault directly via phone, email or web. Support is covered by the license, and in our experience the technical guys (and girls) know their stuff. Really serious problems are solved via a remote VPN connection (built into the software), and the product has really improved regarding stability.
Initial Setup
The installation is pretty straightforward. Just keep in mind that it is better to plan a good architecture than to rebuild the system(s) until it works performance-wise.
Implementation Team
We performed the implementation, and the training was done by AlienVault trainers. Just know your stuff and do not hesitate to contact AlienVault or a reseller.
Other Solutions Considered
Other SIEM/USM products that we use are Splunk, LogRhythm and the free OSSIM version. The first two have a different cost model and compared to AlienVault they have (or lack) the real Swiss army knife approach. Furthermore there is a big difference in costs, this is why in the end AlienVault takes the lead.
Other Advice
The price is the unique selling point for AlienVault. The product is now stable and it is a Swiss army knife packed with a lot of tools. All other professional products that compare to AlienVault are somewhat different but deliver the same result; it is the price that tips the balance in favor of AlienVault.
Check the latest Gartner report on SIEM/USM 2016, and test the other products. Do not stick to one product for testing, but when you do not have the time to test all products (who does have the time), choose only two or three products to check out. Compare the prices and always ask for a demo.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hi Frans - I wanted to make sure that you saw the news on 2/7/17 that we've now delivered a cloud-based USM product! www.alienvault.com
Client Development Manager at a tech services company with 51-200 employees
Allowed us to help our customers satisfy compliance needs around logging and monitoring
Pros and Cons
- "The asset management functionality (active and passive scans) is also really important. You can't protect what you do not know about, so having an inventory of all your devices and software is critical to a security management program."
- "Allowed us to help our customers satisfy compliance needs around logging and monitoring."
- "AlienVault needs to continue to integrate with other third-party technologies that clients want to have monitored."
Primary Use Case
I work for a Managed Service Provider, which uses AlienVault USM Anywhere as the backbone of the vulnerability management and logging solution we deliver to our clients.
Improvements to My Organization
AlienVault has allowed us to help our customers satisfy compliance needs around logging and monitoring (HIPAA, PCI, etc.) and has also provided a comprehensive platform that goes beyond just being a SIEM. It allows us to serve our customers in many different ways.
Valuable Features
The Vulnerability Scanning Engine using OpenVAS is a quality tool. The asset management functionality (active and passive scans) is also really important. You can't protect what you do not know about, so having an inventory of all your devices and software is critical to a security management program.
Room for Improvement
AlienVault needs to continue to integrate with other third-party technologies that clients want to have monitored. The plugin builder in the most recent version update is helpful, but it is still a little "clunky" at times.
Use of Solution
One to three years.
Disclosure: My company has a business relationship with this vendor other than being a customer: Sword & Shield is one of AlienVault's premier training partners and offers 24/7/365 SOC services around the AlienVault platform.
Thanks Trevor for the review & updated comments.