AlienVault OSSIM Review

Provides threat alerts on harmful code in the network


What is our primary use case?

I use it for monitoring. I use it for getting alerts on various malicious activities, if there are such on my network. I'm using the free version of this product, OSSIM.

As a media company, we follow MPAA, which is a set of controls for media businesses. The other set of compliance that we follow is DPP. We use AlienVault to comply to their standards.

How has it helped my organization?

We have various media organizations from which we get data into our network and then it goes out. If you put any control, any device, or anything to sense the traffic, it will say that it's malicious traffic, because of the nature of most of the traffic that we generate. We usually upload or download TV shows or films, they go in and out. The same size of IP packets increase because of the kind of transfer that we do.

In addition to that, we also are into broadcasting. We send the data to broadcasting stations, and from there it gets broadcasted on air.

It has really helped find critical vulnerabilities in our network at times. There was a brute force attack, a web attack, and I was able to discover that using AlienVault. There was a WannaCry in one of my systems, a trojan, and it was generating traffic towards the WannaCry domain. I was able to see that through the AlienVault system. It was not immediate. It was after almost three days that I was able to discover that there was a vulnerability within our network.

What is most valuable?

The threat alerts it gives me from time to time on harmful code within the network, or if it is generating any network traffic, are very useful. However, it takes some time. It does not give me a prompt response for any such traffic. It takes time to get that alert from the AlienVault system.

I'm using it for discovering assets every day. If there are any changes in my network, I give it additional subnets which have been added. It adds all the assets to my dashboard.

What needs improvement?

I find it very useful when it is for a small or mid-size enterprise. The problem I see in this product is that it is not meant for a large business or for managing critical business services.

AlienVault-like products are not meant for businesses like the banking sector or insurance and places that require strong regulatory compliance, in my experience, because of delays in response. And sometimes it is very complicated to configure this for specific requirements. Writing APIs, etc. takes time. On the other hand, if you look into other products in the market, it's easy to write APIs or integrate them with other database services or middleware and your application layer services, and get the alerts.

It does not help me to respond to the threats all the time. That's why we are also working with Splunk. Splunk is used by one of our service providers and we can directly ask them to use Splunk instead of any other SIEM solutions.

For how long have I used the solution?

More than five years.

What do I think about the stability of the solution?

I find it to be stable. That's why I'm using it. Given that it's free of cost, whatever it gives us is more than enough.

What do I think about the scalability of the solution?

I haven't explored scalability very much but the scalability is open. It's scalable up to a level where we can manage a mid-size business. As I said earlier, it is not suitable for the banking sector at all, because they require stringent controls and monitoring, real-time monitoring, which this tool doesn't have; at least, I haven't seen it. Perhaps it's my bad that I haven't seen this tool give me a proper response, on time. It takes time for it to give a response.

Which solutions did we use previously?

I've used and evaluated QRadar vs AlientVault very extensively - I was working with IBM. I used it for ten years. I used and have compared ArcSight vs AlienVault as well, at my previous organization. At that organization, I also deployed AlienVault because I am comfortable with AlienVault.

Those competitors to AlienVault are very user-friendly, their interfaces are very user-friendly. They have multiple options such as generating reports and getting immediate alerts.

If somebody changes the privileges in the system or some code changes the privileges in the system, AlienVault is lacking there. Machine-learning and artificial intelligence are things that AlienVault should explore. If those were added to it, no product could replace it.

How was the initial setup?

My setup is very complex. The network is segmented and configured differently for different customers.

The initial deployment started around two years ago. It took around one-and-a-half years to make this product stable and to talk to each and every device in my network and give me some sort of report which would actually give me the right posture of my security status. I did the complete deployment myself.

The implementation strategy was there and that's why it took a long time. We were also engaged in other business activities, so it took a long time to make this into a proper deployment.

What about the implementation team?

We didn't have any third-parties involved. It was all mine. I started with the web, through YouTube, through various other social media, and a couple of people who used it earlier. I now have several years of experience. That has helped me a lot in getting this deployed.

What was our ROI?

There is a financial value. It's giving me some value and I've already had a good amount of results on AlienVault products. I deployed it at multiple stations, three or four cities in India, two in the US, and one in the UK. I have deployed it widely because I find that it gives value for money. If I got the paid version at the right cost, I think it would be the best product available in the market for a business like ours.

What's my experience with pricing, setup cost, and licensing?

A product like Splunk will squeeze you for money if you ask them to provide similar services. So I find this solution very useful in that sense.

AlienVault pricing is the best. Whatever cost you are paying, you are getting a return on every penny. I have advised multiple friends of mine, those who are into the security arena, to go for AlienVault. It's not like your IBM, your QRadar, or Splunk, where the cost is too high.

What other advice do I have?

If your network is flat, if it is not that complicated, then you should go for it. I'm using it free of cost, so I'm very happy with AlienVault.

I'm the only one who's controlling it. I have a team of five. They are my soft team. They monitor all the alerts 24/7. It takes a team of five to maintain it. I lead the security section and among the other five, two are network specialists and three are system administrators.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Add a Comment
Guest
Sign Up with Email