What is our primary use case?
Our primary use case is for research purposes. For now, we're just playing with it and there's a potential learning curve regarding use of AlienVault as a SIEM solution. We plan to analyze different open source solutions to test strengths and weaknesses. We are customers of AlienVault and I'm a research assistant.
What is most valuable?
A very good feature of AlienVault OSSIM is that it has many domains that can be integrated from different solutions. For example, if we have a firewall and I want to connect it with the AlienVault OSSIM, there is already a grid affecting that. From that perspective, it's a very good solution in that almost everything can be integrated and that makes it better than other SIEM solutions.
The great thing is that the networking configuration features are good and integrations don't need to be done manually. Of course it's possible, but there's an automatic option for configuring networks and there's a plug-in for different kinds of solutions. Network security firewalls, IDS, and the like are things that already exist.
What needs improvement?
The GUI could be improved, and the solution could include a specialization tool. The correlation engine and the scalability of this product should be improved. And then I think it also needs to have the grid potential because when we talk about SIEM it's not just a few machines, it's hundreds and that means thousands of logs so the product should be more easily scalable.
The features I would like to see included will take some time to implement because the solution is open source and these are promotional products. On a basic level I'd like to see an open source visualization tool or a commercial visualization tool.
For how long have I used the solution?
I've been using this solution for one year.
What do I think about the stability of the solution?
I'd say the stability of the solution is moderate.
How are customer service and technical support?
The documentation provided was not sufficient, so we worked it out by ourselves.
How was the initial setup?
The initial setup was not so easy, partly because the documentation was not up to date. You end up learning from your mistakes. Deployment took us more than six months. We have an open source intrusion detection system which is connected to it, as well as endpoint systems. We implemented it by ourselves; there are two people in the company with expertise in this area.
What other advice do I have?
Those who are looking for a solution like this one should first conduct a survey. There are other solutions which are quite capable of doing similar things, even open source solutions. If a company can afford a commercial solution, they should go for that rather than for an open source solution. It requires an expert to assess the situation. A small mistake can lead to a big problem; open source is there for those who know what they're doing.
If you're looking to add another feature, you need to have strong coding skills, because tweaking them is not simple. I'm in a technical team, so that's my perspective.
I would rate this solution six out of ten.
Which deployment model are you using for this solution?