What is our primary use case?
This product would typically be used by a client who would be looking at dipping his feet into the SIEM space and understanding how to go about setting up an SOC without putting in a large up-front investment. I'm the director of our company and we are partners with AlienVault.
What is most valuable?
The solution offers great models with good integration and this is one of the out-of-the-box features which you're able to easily enable and get it up and running. It's a big plus for the product, because you don't have to bother your head about doing the integrations.
Other good features include an inbuilt IDS, an inbuilt integration with their own threat intelligence platform which is the OTX, and integration with the vulnerability assessment modules.
What needs improvement?
I believe this solution still has a way to go. From a management console perspective and the maturity of the dashboards, I would probably put it slightly behind some of the other players that have been in the market for ages. The leading vendors of SIEM already have a very mature user interface with evolved dashboards and reporting mechanisms. There is a lot of depth in that, but not everybody is looking for that. If your requirements are functional and you're looking for something that's easily deployable and simple to understand and manage, without the necessity of a very large team, I would choose this solution.
An additional feature I'd like to see would be an increase in the depth of reporting. IBM has AI enabled dashboards which are supposed to be intuitive. They are difficult to configure and that's a problem, but they are very rich in terms of the information that they provide. There is a lot of granular detail and different ways in which you can slice and dice and present the same data. I would also like to see the product handle larger scale deployments and more third party integrations.
For how long have I used the solution?
I've been using this solution for three years.
What do I think about the stability of the solution?
This is a stable solution.
What do I think about the scalability of the solution?
It's scalable, but AlienVault is not an enterprise class solution in the sense that it cannot go beyond 15000 EPS, which limits the market that it can address. That's a drawback, but expansion might not be what the company wants and they're happy to remain in the 2000 to 3000 EPS range, in which case it's a great product for its market.
How are customer service and technical support?
We don't use the support very much as we manage to deal with most issues in-house. The technical support they provide is okay. We haven't had too many problems but my reference point might be slightly slanted, because we don't have such a large installed base.
How was the initial setup?
The initial setup is relatively straightforward and doesn't take much time. AlienVault has its own vulnerability module and its own OTX feed. All of these are pre-integrated which makes for a speedy deployment. The issue is that these days nobody employs SIEM alone. It needs to be able to correlate information not only from its own data sources, but also from third-party data sources, like vulnerability tools, like threat intelligence feeds, like forensic data, and these third party integrations add to implementation time. Each situation is different and deployment time depends on the scale of the infrastructure.
What other advice do I have?
Most of the SOC or SIEM enterprise class products are very expensive, whereas with OSSIM you can start out with a smaller setup and then expand as you wish. It's great because you get a pre-integrated, ready to run platform, which you can deploy. You don't have to bother about the integrations too much. This platform provides an adequate level of experience for that kind of an integrated intelligence gathering in any IT setup at a reasonable cost. It makes the entry easier for somebody who's not so well versed in these technologies and so on. I think that's the principal use case for AlienVault's product line.
Make sure to choose the right partner to do the implementation. It's important that they know and understand the technology. They should have a very good understanding of the tool as well as an understanding of the security and operations space so that they are able to deliver on what you want to achieve as an outcome.
I would rate this solution an eight out of 10.
Which deployment model are you using for this solution?