SOC at a financial services firm with 5,001-10,000 employees
Real User
Top 5
2024-11-11T16:18:08Z
Nov 11, 2024
There are somewhat more false positives with the user behavior analytics, which could benefit from an additional machine learning model to detect user patterns more rapidly. The integration capabilities, especially concerning log sources, need improvement for more flexibility and simplicity in integrating with nodes.
Network Administrator at a tech services company with 51-200 employees
Real User
Top 20
2024-07-31T11:07:51Z
Jul 31, 2024
Honestly, I don't know what can be improved in the product. I am trying to get a comparison between AlienVault OSSIM and the other solutions in the market. AlienVault OSSIM failed to provide our company a full insight, while also giving out a lot of false positives. The tool has certain areas where improvements are required.
ICT Support Analyst at a tech services company with 1-10 employees
Real User
Top 20
2024-05-22T07:11:05Z
May 22, 2024
Collecting logs can sometimes be tedious, especially compared to my experience with Microsoft Sentinel. I suggest more in-built rules based on modern threats and environments to make it a more competitive solution.
The log management could be improved because of the open source. In the configuration of AlienVault OSSIM, users can determine backup frequency, retention policies, and other settings. There is a limitation on customizing backup settings for specific devices. Unfortunately, there's no option within the interface. Even accessing the backend database doesn't offer a solution, as it only allows for full database backups or none at all. This is a significant drawback, particularly for larger environments or clients with specific device backup needs.
AlienVault OSSIM should add many features that can be used on the directives and correlation policies. AlienVault OSSIM should improve the deployment and make it unified like the USM.
Assistant Manager Global Security at Convergys Corporation
Real User
Top 5
2023-06-28T06:57:43Z
Jun 28, 2023
The area for improvement is a lot. When I started using it on our enterprise side, the issue we faced was, for example, if we were running at that time on AlienVault OSSIM v5.7.4. So, for some orders, we had to install some packages, and when we tried installing that package, some dependencies got upgraded to a new version. Now once that dependency got upgraded, the SQL, since you might be aware that OSSIM uses SQL database, now SQL and all the dependency in everything was not on the same version, and that caused the database to crash. The aforementioned area should be eased out by upgrading the patches and upgrading dependencies. This kind of thing is a disadvantage of OSSIM, and I would like them to work on this. But I have also raised service requests many times and gave it a push on the community section too. However, since it is a local source, they don't reply much over there. That is why I don't like to work on OSSIM because it is unpredictable. Once the storage goes above 50 percent, it starts behaving unpredictably. If you get stuck with a situation, then you need to drill a lockdown into that. Sometimes you get no luck. Then you have to just reimage the server with the new fresh OS of AlienVault. As for additional features, not much because if you move to the newer version, it is kind of getting more stable. But, to make my life easier, then I would say try to give more features. I know it's open source, so they also cannot provide me with more features. But still, if they can provide me with more features because right now it's becoming old. Right now, we are even moving from SIEM to Security Data Lake. So when we move to it, this will be literally outdated. No one can even expect anything out of it. The way security is moving, it will be outdated very soon. They have to also provide something new to keep this going for the future also.
Managing Director of Hytec (OLM Group company) at OLM Group company
Real User
Top 10
2023-05-19T13:23:34Z
May 19, 2023
AlienVault OSSIM could improve by having better integration with some of the newer tools. In future releases, it would be beneficial to modernize some of their UI features.
AlienVault OSSIM on-premise version is more difficult to implement than the cloud version. Additionally, they should add integration between several different environments at once and improve their online knowledge base.
Infrastructure and Security Analyst at Holmen Consulting
Real User
2022-02-06T07:24:00Z
Feb 6, 2022
ArcSight works better than AlienVault right now. The incident reporting could be better. We'd like to be able to better privatize certain logs that handle certain detections. It's really important to us. The integration capabilities could be improved.
System Administrator at a marketing services firm with 10,001+ employees
Real User
2020-08-05T06:59:29Z
Aug 5, 2020
There needs to be more focus on the NOC and IIS in terms of developing applications for behavior detection. The backup features use a lot of storage space. The documentation could be improved. Asset management and filtering are in need of fine-tuning and enhancement.
Co-Founder and Director - Information Technology at Techneow
Real User
2020-07-28T06:50:19Z
Jul 28, 2020
The pricing of the solution needs to be improved. There needs to be more support or some kind of training program so users can self-learn the system more effectively.
Director at a tech services company with 51-200 employees
Real User
2020-07-16T06:21:09Z
Jul 16, 2020
I believe this solution still has a way to go. From a management console perspective and the maturity of the dashboards, I would probably put it slightly behind some of the other players that have been in the market for ages. The leading vendors of SIEM already have a very mature user interface with evolved dashboards and reporting mechanisms. There is a lot of depth in that, but not everybody is looking for that. If your requirements are functional and you're looking for something that's easily deployable and simple to understand and manage, without the necessity of a very large team, I would choose this solution. An additional feature I'd like to see would be an increase in the depth of reporting. IBM has AI enabled dashboards which are supposed to be intuitive. They are difficult to configure and that's a problem, but they are very rich in terms of the information that they provide. There is a lot of granular detail and different ways in which you can slice and dice and present the same data. I would also like to see the product handle larger scale deployments and more third party integrations.
Research Assistant at a tech services company with 51-200 employees
Real User
2020-06-17T10:56:01Z
Jun 17, 2020
The GUI could be improved, and the solution could include a specialization tool. The correlation engine and the scalability of this product should be improved. And then I think it also needs to have the grid potential because when we talk about SIEM it's not just a few machines, it's hundreds and that means thousands of logs so the product should be more easily scalable. The features I would like to see included will take some time to implement because the solution is open source and these are promotional products. On a basic level I'd like to see an open source visualization tool or a commercial visualization tool.
I'm not sure if there's anything on the solution that needs improvement. I would like the solution to be able to integrate with my firewall, my IDS and my Honeypot solutions so that it can provide real-time reporting as things occur and then have alerts sent to me on my phone when suspicious activity is happening.
Owner & Cyber Security Consultant at Sekurisor
Consultant
2019-09-03T08:57:00Z
Sep 3, 2019
It's not easy to add a device that doesn't have a steady IP. Particularly when you're not putting a sensor on-site. When you have a sensor on-site, then that sensor speaks to the main sensor. We are trying to look for quality devices that give a dynamic IP, so it makes it practically impossible to add a new device. If there was a way to do dynamic DNS, I think that would help.
Information Security Manager at a financial services firm with 201-500 employees
Real User
2019-08-28T09:52:00Z
Aug 28, 2019
The biggest thing I always complain about is that the user intake is a very old version. In cloud versions, it is very good, but for on-premises versions, it's not so good. If they want to improve the on-premises version, they should upgrade the SQL. The user interface could be improved.
I would like to see an improvement in their threat exchange database because the OTX is not the best thing in the marketplace. There are better solutions. So if they could enhance our feature development, it would make the product much better. For me, the user interface is very important, because the simpler the user interface is, the easier it is to find candidates to run the operation. If the user interface is very complicated, you need to expose your technical people to very intensive training in order to understand the system and to get the output right. So, from a user perspective, I would say the simpler the user interface, the better the product, especially for security issues. You need to let your tech people concentrate on the incident rather than on how to use the software to get the answer. Lastly, if technical issues could be resolved faster, it would be a huge improvement.
The log collection is okay, but tracing the logs or tracing the events is a bit difficult. It's not user-friendly. A user must be an expert and must know how to give the logs, how to configure the system, etc. He has to be an expert on this product. The user interface needs to be friendlier across the board. Also, I would prefer if the kill chain scenario with every event was not stacked. I need to be able to do an SQL query and figure out where the event came from and tag to the source and destination. I cannot see this easily as it is right now.
Head of Engineering at an insurance company with 201-500 employees
Real User
Top 20
2019-08-13T06:03:00Z
Aug 13, 2019
The solution needs more integration with cyber intelligence systems. Our customers want to use a single tool for managing cybersecurity. We want integration with existing tools and integration with newer tools that offer the ability to manage or to identify security vulnerabilities in a gateway system or firewall. Basically, we want the solution to offer configuration management. I would want it to be integrated with lasting search, in terms that it could gather a lot of intelligence and dump it into the database. Also, it would be useful if we were able to run analytics on the solution. If they can integrate it with an analytic function it would be better.
CISO at a recreational facilities/services company with 501-1,000 employees
Real User
2018-12-05T11:40:00Z
Dec 5, 2018
I find it very useful when it is for a small or mid-size enterprise. The problem I see in this product is that it is not meant for a large business or for managing critical business services. AlienVault-like products are not meant for businesses like the banking sector or insurance and places that require strong regulatory compliance, in my experience, because of delays in response. And sometimes it is very complicated to configure this for specific requirements. Writing APIs, etc. takes time. On the other hand, if you look into other products in the market, it's easy to write APIs or integrate them with other database services or middleware and your application layer services, and get the alerts. It does not help me to respond to the threats all the time. That's why we are also working with Splunk. Splunk is used by one of our service providers and we can directly ask them to use Splunk instead of any other SIEM solutions.
AlienVault OSSIM, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, AlienVault OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for...
AlienVault OSSIM gives unwanted notifications.
AlienVault OSSIM’s configuration and integration could be a little easier. I had to do a little bit of research to understand the process.
AlienVault OSSIM is costly.
When comparing AlienVault OSSIM to other solutions it looks a bit outdated. Additionally, they need to improve their integration.
The correlation engine needs to be improved. The interface is not user-friendly, which is an area for improvement.
They can add more compliance templates.
We need more dashboards and we need more customization for dashboards. It would be great if they would improve in this area.
The price of this solution is very high and it could be cheaper. Normally it is sold to financial institutions, which is why it is high.
It's under heavy traffic. If you have heavy traffic, the system is slow.