USM Anywhere Reviews

SIEM, Log ingestion and evaluation. We use this not only for internal but also for clients that we manage. It has proven its worth and more. We are currently very pleased with this product and has performed as advertised. We obviously use this for being able to ascertain visibility on each network in which it is deployed not only from the NIDS/HIDS side but also evaluation of each interaction every device has. 

We have benefited greatly due to gaining the visibility we need for different instances. It has improved our security posture and has helps us respond to alarms/events as they have come down through the pipeline to our ticketing system we use. All in all, it has improved our SOC. 

AlienApps that we use to integrate with our current setup is awesome! Not only that, they have roadmapped being able to open up their API so we can integrate and flex the USM Anywhere as much as we want and when we want to. The staff has been incredibly helpful on getting us further down the line with our constructive feedback and have worked on implementing changes to their system to help improve their product.

A tailored OTX map for each customer's central would be awesome to have for displays.  A lot of companies like to have visuals for their central instance in order to be able to see when an IOC comes through and it would help have something in front of analysts/engineers to respond to promptly if they were away from central working downstream. 

This has an OTX feed. With it, we are able to get notifications about every incident that happens.

By forwarding device logs, we are able to get alerts perfectly with FIM and VA features.

We are the Partners in Sri Lanka. We are doing deployments in Sri Lanka, Maldives, and Bangladesh. 

This is a USM, so being able to get all the features under one roof makes it a good product with good new features.

Unified Security Manager (USM). In every SIEM, having only SIEM features (log management, alerting, notifications, etc.) is typical. Here we can get file integrity monitoring and a vulnerability assessment tool together with SIEM. 

I have never seen a tool like this.

The Log Management and configuration of email notifications should be user-friendly. Pay attention to false-positive event automatic correlations. 

Yes.

60.

No, we did not have issues with stability.

No, we did not have issues with scalability.

Good. They have technically fluent engineers there.

Yes. We switched because this is a USM (SIEM, FIM, and VA tool in one product) and the price.

The initial setup is straightforward, but some features are little bit difficult.

We are the partners in Sri Lanka. Therefore, we are directly involved with implementations.

It has good pricing.

We evaluated EventTracker.

Our customers have good references about AlienVault.

We are using AT&T AlienVault USM for SIEM, collecting logs from clients, traffic, analyzing, forensics, and security.

AT&T AlienVault USM is good for ELK Stack, the user experience is great because of its architecture. The ELK has a great performance and it has very good speed in the search and Kibana. Additionally, the visuals and dashboards and very nice and customizable.

The AT&T AlienVault USM is okay, but the relational database is not very good for large amounts of data. For example, many logs cannot be processed. It has been very slow for the queries and some data which are large, it is not very good in this case.

I have been using AT&T AlienVault USM for approximately five years.

We are using AT&T AlienVault USM as a client, if we want to increase the data we can collect more data because the solution can expand well horizontally.

Between the cellphones and laptops usage, we have more than 250 users using his solution in my organization.

We have not used the technical support but we have clear documentation that we use.

The initial setup was straightforward. We have a server room which we deploy from.

The maintenance of the solution is not very difficult.

I would recommend this solution because it is simple to deploy, has high performance, and has a great user experience.

I rate AT&T AlienVault USM a nine out of ten.

We provide information security services to clients. We are seeking some clients to provide monitoring services by using AlienVault. We are also providing AlienVault USM Anywhere, which is cloud-based and has integration with cloud platforms such as AWS, Azure, and Google Cloud. 

Asset discovery and vulnerability scanner are good features. The integration between this solution and OTX, which is an AlienVault platform for Open Threat Exchange, is also a valuable feature. It is also quick and easy to deploy, so you can quickly engage with a customer's environment.

Its reporting tools need improvements. It would be good if they can provide integration with other ticketing systems. Currently, we only have integration with Slack and Jira.

It is also a bit slow, and its replication engine can be improved.

I have been using this solution for six months.

We provide technical support for our clients.

I have used McAfee ESM. McAfee ESM has many good features, but it is not very integrated with cloud-based assets. AlienVault is already a cloud-based solution, and it is native to cloud assets, which gives AlienVault an advantage over McAfee ESM. On the other hand, McAfee ESM is much better than AlienVault in terms of search engine, data collection, and events. 

It is very easy to deploy. It just takes one or two days and allows you to engage with your customer's environment quickly.

Its price is much lower than McAfee ESM.

I would encourage others to go with this solution because it is easy to deploy, and it provides good tools to know more about your network and the traffic on it. Its reporting needs some improvements, but it fulfills the needs.

I would rate AlienVault USM an eight out of ten.

We are an MSP and we utilize an AlienVault USM Anywhere solution for threat detection in client networks. 

Alienvault USM Anywhere is a great evolution of a proven product. While the feedback and customization requirements remain largely the same, the user interface has been significantly improved. This significantly improves the interaction our clients have with their data, and we have received significant positive feedback.

The cloud console is by far the best improvement of the product. In the past, our less technical clients had trouble sorting through the dashboards within the USM console, and we had received complaints on viewing the real-time data versus our prepared reports.

The new cloud-based panel is excellent both for client review as well as for our SOC to review and respond to threats. It is much easier to configure and use than the previous solution from AlienVault.

It can still be difficult to feed products that are not supported out-of-the-box. It would be good if they had a better plugin exchange/store with AlienVault QA to ensure data is being processed properly.

• Supporting an MSSP.
• Supporting clients with minimum on-premise install.
• We are rolling out a USM appliance.

It allows for a lot of out-of-the-box features: vuln scanning, HIDS/HIPS, and IDS. The Suricata rule set is pretty lame

Asset discovery seems to be good. Nice that everything is bundled.  

Scaling, and it has no APIs! 

It would be hard for any legitimate MSSP to use it.  

The price point is good.

The most important part of the product is the event correlation and alerting that it provides. Sifting through tens of millions of logs a day looking for the proverbial needle in a haystack is impossible for a single person or even a team without automation

Being able to identify security issues as they occur at near real time. Being able to then respond to them as soon as they occur is priceless.

We have a relatively large deployment that spans multiple locations and domains. Having the ability to authenticated users across multiple domains would be useful, but is not critical. The log query capability is pretty restrictive and I find myself searching through raw logs via command line more often than the GUI. Full logging is not supported out of the box, you will need to modify configurations to store all logs if that is your concern or a requirement of your organization, AlienVault by default only stores alert logs, this can and will bite you at some point. The IDS Rules need better oversight when updated. The vulnerability scanner needs to have a power user mode that gives you a more complete interface to the vulnerability scanner (OpenVas).

3 years

Most problems were due to our environment and having to utilize the built-in VPN capabilities. Once a few sensors have been added via the VPN it is pretty simple to remember how to do it.

All interactions with customer service and technical support have been great. The engineering group is based in Spain and occasionally you may have timing issues with their team and yourself.

Another group in our company used QRadar before they were bought out. The buyout created a bad enough situation that the group refused to renew with QRadar, especially when they decided after 18 months that they did not want to support the hardware that their predecessors had sold. We also trialed LogRhythm which was a more mature product, but had its own quirks and annoyances. The largest issue I found the LogRhythm was the excessive amount of time to spend to deploy a single agent, much less repeating that process 390 times for our environment.   

We had a pretty large deployment most of our locations were straightforward some were more complex due having to route them through a MPLS connection with only limited connections to the main locations.

We integrated through a third party vendor recommended group, they caused many issues on their own some that were not discovered for over a year. Be wary of any third party that wants to do anything with the database.

ROI for AlienVault will probably not be about the money. The return is the time saved and the intelligence that you are able to gather about your environment that you did not have before.

Do your research in SIEM solutions and realize that it is not going to be a set and forget product. For 10 sensors like what we run there are weeks that it requires logging in and closing tickets and there are weeks where you will spend 10+ hours working on the deployment.

There are some things that are great and some that are annoying, this is not a perfect product. Most security products are never perfect especially based on different organizations that will run them.

This is a jack of all trades (master of none) SIEM/IDS/vulnerability management/OSSEC/NetFlow solution. We use it primarily as a SIEM and IDS solution.

AlienVault provides a checklist answer when using SIEM. We currently develop additional rules and scripts to make it more usable, but the overall solution is lackluster.

IDS is a nice capability to have. In the past, I have implemented standalone Suricata sensors and having this bundled in is very helpful. OTX is good when implemented correctly.

Many of the tasks on features are useless in our situation. NetFlow is worthless.  Many of the built-in correlation engine solutions are just okay.

The vulnerability management solution is worse than buying a Nessus Professional license.