- Raw logs
- Alarm section
- Security events
SOC Intrusion Analyst at a tech services company with 51-200 employees
Once we placed AlienVault into the product we have now, the time it takes to find and respond to real anomalies dropped. Creating directives is a pain.
What is most valuable?
How has it helped my organization?
Once we placed AlienVault in the product we have now, the time it takes to find and respond to real anomalies has dropped from hours to minutes. It has so much potential to be an amazing product despite its many issues. After working with so many other SIEMs, AlienVault is among my top three favorites, and I believe it has earned that spot well.
What needs improvement?
Directives and searches within security events. So many issues with directives. Creating directives is a pain on its own, but editing them can be a nightmare filled with tedious, unnecessary steps. You do not have an option to whitelist or blacklist specific traffic flows to trigger alarms (e.g. specific IP to specific IP) if your directive contains multiple alarms. A simple fix would be to allow the engineer to give "and" and "or" statements so you could get something along the lines of (SRC IP: 192.168.0.20, DST IP: 10.10.1.12 OR 10.10.1.13) AND (SRC IP: 192.168.10.5, DST IP: 10.10.2.5). Instead you have a list of source IPs and a list of destination IPs, and no matter how specific the traffic you need to blacklist is, anything communicating from the source list to the destination list triggers an alarm, which is not always what you want.
A workaround for that is to split the alarm directive into separate directives for any specific flows you are looking for. Searching in security events comes with its own minor inconvenience that isn't a deal breaker; however, a simple improvement could make things orders of magnitude better: allow the analyst to decide everything he wants to search for and trigger the search themselves. Right now, if you want to search for something by signature, time range, and port, for example, you have to do each individually, and each search forces the query to reload before you get the information set you want. E.g.: I want to search for Admin Activity Events surrounding a specific admin over the last week. I need to first search for Admin Activity events, which reloads the whole set of data, then search for the username, reloading the whole set of data again, then choose the last-week time range, reloading again. It would make more sense to be able to package the queries I intend to use, then click something along the lines of submit. AlienVault does offer predefined searches, which is a great tool, but I think fixing the search function of the SIEM would be great.
For how long have I used the solution?
I've used it for two years.
Buyer's Guide
USM Anywhere
October 2024
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
816,406 professionals have used our research since 2012.
What do I think about the stability of the solution?
Stability issues have been around, but I feel like AlienVault does a stand-up job at responding to and fixing them.
What do I think about the scalability of the solution?
I personally haven't seen any scalability issues, though that falls out of my purview.
How are customer service and support?
10/10 - the AlienVault team is great, and the community is very active.
How was the initial setup?
Straightforward. The guidance given in documentation sets you up for success, and the ease of adding agents to machines is phenomenal.
What about the implementation team?
It was done in house. Be patient, focus on getting your firewalls connected to the SIEM.
Which other solutions did I evaluate?
I have used several SIEMs, but stick with ArcSight, Splunk, and AlienVault. It is more client dependent. A big pro for AlienVault is its price point and resource requirements, though I feel like AlienVault is best suited for small to mid-sized businesses.
What other advice do I have?
Take advantage of the support team at AlienVault, and read through the documentation. If you get lost, there is a good chance the information is in there. Also, you will quickly discover the limitations of AlienVault, so you should take your time to figure out workarounds for your issues.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
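The two complaints in the review above, list-to-list directive matching and step-by-step searching, are easier to see on a toy model. The Python below is an added example, not AlienVault code: it evaluates a constructed set of flows against a "list of sources to list of destinations" directive and against per-flow (source to destination) clauses with a whitelist, then runs a single-pass event search that applies all criteria at once. The `Flow`, `FLOWS`, `EVENTS` and function names, and the addresses and usernames in the sample data, are constructed for the example.

```python
# Added example (not AlienVault code): toy model of how a correlation
# directive decides whether a flow raises an alarm, and of a single-pass
# event search. All data and names below are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


# Constructed sample flows; the addresses are the ones in the review's example.
FLOWS = [
    Flow("192.168.0.20", "10.10.1.12"),   # intended to alarm
    Flow("192.168.0.20", "10.10.1.13"),   # intended to alarm
    Flow("192.168.10.5", "10.10.2.5"),    # intended to alarm
    Flow("192.168.0.20", "10.10.2.5"),    # not intended: cross-product side effect
    Flow("192.168.10.5", "10.10.1.12"),   # not intended: cross-product side effect
    Flow("172.16.0.9", "10.10.1.12"),     # unrelated source, never alarms
]

Matcher = Callable[[Flow], bool]


def list_directive(srcs: Iterable[str], dsts: Iterable[str]) -> Matcher:
    """List semantics: any listed source talking to any listed destination fires."""
    s, d = set(srcs), set(dsts)
    return lambda f: f.src in s and f.dst in d


def pair_directive(clauses: dict[str, set[str]]) -> Matcher:
    """Per-flow semantics: each clause is 'this source to one of these
    destinations' (the OR); the directive fires if any clause matches."""
    return lambda f: f.dst in clauses.get(f.src, set())


def with_whitelist(matcher: Matcher, allowed: set[tuple[str, str]]) -> Matcher:
    """Suppress alarms for explicitly whitelisted (src, dst) pairs."""
    return lambda f: matcher(f) and (f.src, f.dst) not in allowed


def alarms(matcher: Matcher, flows: Iterable[Flow] = FLOWS) -> list[Flow]:
    """Return the flows that would raise an alarm under the given directive."""
    return [f for f in flows if matcher(f)]


LIST_RULE = list_directive(
    srcs=["192.168.0.20", "192.168.10.5"],
    dsts=["10.10.1.12", "10.10.1.13", "10.10.2.5"],
)
PAIR_RULE = pair_directive({
    "192.168.0.20": {"10.10.1.12", "10.10.1.13"},
    "192.168.10.5": {"10.10.2.5"},
})
# A list directive patched with a whitelist still leaks the other unintended pair.
LIST_RULE_WL = with_whitelist(LIST_RULE, {("192.168.0.20", "10.10.2.5")})

# Single-pass event search: collect every criterion first, then filter once,
# instead of re-running the query after each filter is added.
NOW = datetime(2024, 10, 1, 12, 0)  # constructed reference time
EVENTS = [  # constructed sample events
    {"sig": "Admin Activity", "user": "jsmith", "port": 22, "ts": NOW - timedelta(days=2)},
    {"sig": "Admin Activity", "user": "jsmith", "port": 3389, "ts": NOW - timedelta(days=10)},
    {"sig": "Admin Activity", "user": "bkim", "port": 22, "ts": NOW - timedelta(hours=5)},
    {"sig": "Login Failure", "user": "jsmith", "port": 22, "ts": NOW - timedelta(days=1)},
]


def search(events, *, sig=None, user=None, port=None, since=None) -> list[dict]:
    """Apply all given criteria in one pass over the event set."""
    crit: list[Callable[[dict], bool]] = []
    if sig is not None:
        crit.append(lambda e: e["sig"] == sig)
    if user is not None:
        crit.append(lambda e: e["user"] == user)
    if port is not None:
        crit.append(lambda e: e["port"] == port)
    if since is not None:
        crit.append(lambda e: e["ts"] >= since)
    return [e for e in events if all(c(e) for c in crit)]


if __name__ == "__main__":
    print("list directive fires on:", alarms(LIST_RULE))
    print("pair directive fires on:", alarms(PAIR_RULE))
    print("admin activity by jsmith, last week:",
          search(EVENTS, sig="Admin Activity", user="jsmith", since=NOW - timedelta(days=7)))
```

Run as a script, the list directive alarms on five of the six flows, including the two the review calls out as unwanted, while the pair directive alarms on exactly the three intended flows; the search returns the one admin event for that user inside the window without intermediate reloads.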
Information Security Consultant at Securepoint Nederland B.V.
There is no complex alerting or code reviewing, just click and go.
Valuable Features
Vulnerability scanning and OTX are powerful. The alerting and security intelligence is the engine of the product. Looking at the cockpit and monitoring your IT environment is now almost a one man job. There is no complex alerting or code review, just click and go.
Improvements to My Organization
AlienVault does not stop a security breach, but it detects and notifies the responsible people and they can immediately interact and take the necessary actions. Identifying security risks and minimizing downtime is the added value.
Room for Improvement
The next release will include cloud security and it will support a hybrid IT environment. Furthermore, the OTX has great added value, but it will help when there is more OTX information in the database. Future releases will definitely need to improve on these items, and it will position the product in a more enterprise-ready strategic position.
Use of Solution
As a professional user and reseller we've used this product for almost five years, starting with the free OSSIM level for home and development use, and the all-in-one unlimited version or a small 50 asset version for our customers. Scalability is also key, starting at 25 assets for small companies and supporting enterprise companies with a separate server, sensor and logger.
Deployment Issues
It has great scalability options. The installation is almost click and go, but be aware that when implementing AlienVault in a big environment with a separate sensor, logger and server, it's useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key: knowing where to position the sensors and where to place the server is key, since a wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.
Stability Issues
It has great scalability options. The installation is almost click and go, but be aware that when implementing AlienVault in a big environment with a separate sensor, logger and server, it would be useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key: knowing where to position the sensors and where to place the server is key, as a wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.
Customer Service and Technical Support
When issues arise and the going gets tough, you can contact AlienVault directly via phone, email or web. Support is covered by the license, and in our experience the technical guys (and girls) know their stuff. Really serious problems are solved via a remote VPN connection (built into the software), and the product has really improved regarding stability.
Initial Setup
The installation is pretty straightforward. Just keep in mind that it is better to plan a good architecture than to rebuild the system(s) until it works performance-wise.
Implementation Team
We performed the implementation, and the training was done by AlienVault trainers. Just know your stuff and do not hesitate to contact AlienVault or a reseller.
Other Solutions Considered
Other SIEM/USM products that we use are Splunk, LogRhythm and the free OSSIM version. The first two have a different cost model, and compared to AlienVault they have (or lack) the real Swiss army knife approach. Furthermore, there is a big difference in costs, which is why in the end AlienVault takes the lead.
Other Advice
The price is the unique selling point for AlienVault. The product is now stable and it is a Swiss army knife packed with a lot of tools. All other professional products that compare to AlienVault are somewhat different but deliver the same result; it is the price that tips the balance in favor of AlienVault.
Check the latest Gartner report on SIEM/USM 2016, and test the other products. Do not stick to one product for testing, but when you do not have the time to test all products (who does have the time), choose only two or three products to check out. Compare the prices and always ask for a demo.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Hi Frans - I wanted to make sure that you saw the news on 2/7/17 that we've now delivered a cloud-based USM product! www.alienvault.com
Manager at WASHI
A stable, user-friendly security solution with a reasonable price tag and easy deployment
Pros and Cons
- "The solution is stable."
- "The dashboard could be improved as well as the level of customization."
What is our primary use case?
The primary use case of this solution is for security.
What needs improvement?
The solution is very user-friendly, but the dashboard could be improved as well as the level of customization.
For how long have I used the solution?
I have been using the solution for one year.
What do I think about the stability of the solution?
The solution is stable.
How was the initial setup?
The deployment of this solution is easy, but you need some level of understanding.
What's my experience with pricing, setup cost, and licensing?
The price of this solution is reasonable, which is one of the reasons why we selected it over other solutions.
What other advice do I have?
I would recommend this solution to other users.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
IT Manager at a manufacturing company with 51-200 employees
It is my "security person" looking at irregularities and letting me know when something has occurred
Pros and Cons
- "SIEM log collection is great, and all of the rules that support updates with maintenance."
- "It is my "security person" looking at irregularities and letting me know when something has occurred."
- "More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you."
What is our primary use case?
We were looking to add another layer of security to our network, which included intrusion detection, intrusion prevention, SIEM collection, and more. After looking at a few solutions, we ended up purchasing AlienVault. We are located in a physical location with 100 users.
How has it helped my organization?
AlienVault has provided me with a management console which gives me alerts and other information about the traffic on my network. AlienVault is my "security person" looking at irregularities and letting me know when something has occurred. I also see vulnerabilities in my systems and can assign tickets to other staff members.
What is most valuable?
SIEM log collection is great, and all of the rules that support updates with maintenance.
What needs improvement?
More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you.
For how long have I used the solution?
One to three years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Professional Services Engineer at a tech services company with 11-50 employees
Meets logging requirements for PCI and HIPAA standards
What is most valuable?
The tool is a great way to meet logging requirements for PCI and HIPAA standards. It is very flexible and customizable.
How has it helped my organization?
I came into the company with USM Appliance already in place. However, from my previous experience with logging and security appliances, there have been many tasks that used to be a manual process like asset discovery, that are now automated and easy to implement through the UI.
What needs improvement?
Stability on certain components could be better, but for a system that is on 24/7/365 without reboots, it's fairly trouble free.
For how long have I used the solution?
We have used this for one year.
What was my experience with deployment of the solution?
There were no issues with deployment.
What do I think about the stability of the solution?
Stability issues were only due to issues with updates, and in extremely unusual use cases.
What do I think about the scalability of the solution?
There were no issues with scalability.
How is customer service and technical support?
Customer Service:
They have amazing customer service. AlienVault Support takes care of all of my issues that come up.
Technical Support:
I would give technical support a rating of 10 out of 10.
How was the initial setup?
The setup was fairly straightforward. A more advanced setup is available for different use cases.
What about the implementation team?
We did the implementation in-house.
What was our ROI?
Having our logs in a single system is in itself a huge ROI.
What's my experience with pricing, setup cost, and licensing?
When compared with other options, AlienVault is significantly less expensive for the amount of features that are packed into it.
Which other solutions did I evaluate?
I was not part of the product decision.
What other advice do I have?
AlienVault support is what really makes this product a great investment. They are constantly improving their product and happy to help with anything that comes up.
Disclosure: My company has a business relationship with this vendor other than being a customer: My company utilizes USM Appliance for our own logs, but we are also an AlienVault MSSP Partner and Reseller.
Delivery Manager at a tech services company with 11-50 employees
Provides vulnerability scanning and OTX for threat intelligence.
What is most valuable?
- Vulnerability scanning
- Cross-correlation
- Reports in a grouped manner
- OTX for threat intelligence
How has it helped my organization?
It helps to monitor the entire office from a single point.
What needs improvement?
The report section needs to be improved. Most of the correlation rules are based on the NIDS event, which needs to be improved. In other words, we have to use the device logs also.
For how long have I used the solution?
We have been using this solution for almost two years.
What was my experience with deployment of the solution?
I did not encounter any issues with deployment.
What do I think about the stability of the solution?
I did not encounter any issues with scalability.
What do I think about the scalability of the solution?
I did not encounter any issues with scalability.
How are customer service and technical support?
Customer Service:
Customer service is available 8 to 5 EDT. In emergency cases, it is difficult to reach them. Response-wise, it is good. I would give customer service a rating of 7/10.
I would give technical support a rating of 7/10.
Which solution did I use previously and why did I switch?
We did not use a previous solution.
How was the initial setup?
The setup was very straightforward.
What about the implementation team?
We did it in-house.
What was our ROI?
N/A
What's my experience with pricing, setup cost, and licensing?
I feel that the license cost was a bit high, but compared to others, it is less. For mid-range companies, they feel that the cost is high, but that it is worth it.
Which other solutions did I evaluate?
We did not evaluate any other options.
What other advice do I have?
I do not have any additional comments.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Infrastructure Analyst at a pharma/biotech company with 1,001-5,000 employees
Provides a single way to analyze traffic and threats on our network.
What is most valuable?
Enabling visibility of traffic on our network, merging of multiple systems reporting and analysis and clear method to highlight potential issues.
How has it helped my organization?
Previously we had no single way to analyze traffic and threats on our network, relying instead on multiple, independent systems. We can now correlate reported threats and anomalies to better determine what threats we face.
What needs improvement?
The configuration is somewhat complex and the interface a bit non-intuitive. Whilst very useful for reporting, interpretation of the results can be difficult: improved features to help with this would be welcome.
For how long have I used the solution?
I've been using it for six months.
What do I think about the stability of the solution?
We’ve had 100% uptime since installation.
What do I think about the scalability of the solution?
We have not had any requirements to change the scope of the installation since first deployment.
How are customer service and technical support?
Good. Initial help with deployment was excellent, and the facility to create a tunnel for tech support personnel to troubleshoot system is very useful.
Which solution did I use previously and why did I switch?
We didn't have anything like AlienVault previously.
How was the initial setup?
It's fairly complex. There is quite a bit of additional config required in order to get the most from the system. A base config allows for monitoring, but to get the most, you need to add plugins for various systems on your network: this config is somewhat complex and requires a good knowledge of how AV works.
What's my experience with pricing, setup cost, and licensing?
Unless you have a small network, you really need the unlimited endpoint license, which is the most expensive option. It is best to negotiate to get this version; otherwise scalability will be an issue (unless your total number of endpoints is under approx. 100).
Which other solutions did I evaluate?
We also looked at Tripwire.
What other advice do I have?
The initial onboarding during the trial period, including assisted setup, was most useful. Ensure you get the most from this, as if you require further setup assistance, it comes under (paid-for) professional services. AV is a very useful tool, but must be configured correctly in order to get the most out of it.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Network Architect at Envision IT LLC
Cloud-based panel is excellent, enabling our SOC to review and respond to threats
Pros and Cons
- "The new cloud-based panel is excellent both for client review as well as for our SOC to review and respond to threats. It is much easier to configure and use than the previous solution from AlienVault."
What is our primary use case?
We are an MSP and we utilize an AlienVault USM Anywhere solution for threat detection in client networks.
How has it helped my organization?
AlienVault USM Anywhere is a great evolution of a proven product. While the feedback and customization requirements remain largely the same, the user interface has been significantly improved. This significantly improves the interaction our clients have with their data, and we have received significant positive feedback.
What is most valuable?
The cloud console is by far the best improvement of the product. In the past, our less technical clients had trouble sorting through the dashboards within the USM console, and we had received complaints on viewing the real-time data versus our prepared reports.
The new cloud-based panel is excellent both for client review as well as for our SOC to review and respond to threats. It is much easier to configure and use than the previous solution from AlienVault.
What needs improvement?
It can still be difficult to feed products that are not supported out-of-the-box. It would be good if they had a better plugin exchange/store with AlienVault QA to ensure data is being processed properly.
For how long have I used the solution?
One to three years.
Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP/Reseller
Thank you for your feedback. If you would be willing to reach out to Product Marketing, please send an email to: LBarraco@alienvault.com. Lauren is always happy to hear from our customers especially on product enhancements or issues.