AlienVault provides excellent visibility into your network by combining centralized logging, host-based IDS and network IDS. This enables me to detect quite a lot of potential issues that have gone through AlienVault's correlation engine and our own policies.
Improvements to My Organization
On several occasions we have detected attacks (DDoS) just as they were starting and have been able to mitigate them rapidly. We have also noticed outdated Java and Flash versions thanks to the Snort rules included in the appliance.
Room for Improvement
The biggest improvement they could make is to provide full support for IPv6 addressing. It currently has quite lightweight support for IPv6 addresses, in the sense that it will record the source/destination addresses in all cases, but searching by IPv6 address is currently not possible, which makes our lives harder.
Use of Solution
Including my experience with the previous version (v4), I have two years of professional experience with AlienVault.
We have not faced any large issues with the deployment.
We have not faced any large issues with the stability.
The only issue is related to the volume of alarms in a system: the UI/UX for working with a large mass of alarms, starting at several hundred, is suboptimal. I am hesitant to mention this as it is easily solved in the future by small UI changes.
Customer Service and Technical Support
All of the bug reports have been sent to AlienVault and have been handled with skill. At least once we got to talk to their experts who worked with us to debug the cases in our environment.
There are many steps, but the steps are not complex. The biggest hurdle in the deployment/setup phase is usually gathering the actual information (assets details, services, policies) about the environment, not the installation itself.
Our team did the implementation. If you have experience implementing a SIEM solution then you can implement this yourselves; otherwise you should get an external team to do it. The issue is not the technical skills needed for the actual implementation, but the knowledge needed to know what to include, what policies to write, and what not to include.
Pricing, Setup Cost and Licensing
For licensing you will need to contact an AlienVault reseller, as pricing is based (roughly) on how many events per second you are processing, how many assets you are adding, and how many physical locations you have.
Other Solutions Considered
I was not part of the process. I have heard that our team had tried other products, but mostly the cost was prohibitive in those alternatives.
As this is a product that will give you a lot of visibility into everything you can throw at it, it is good to note that you should have good working relations with the *people* in charge of the assets you have visibility over (e.g. via network mirroring).
You will get alarms about a plethora of things you couldn't have imagined, things that people have forgotten, that have been misconfigured and that are under attack. You will need to explain the remedies and mitigations to people. And that is possibly the biggest hurdle. This product will not help you if you cannot fix the problems it finds.
It may not have the same abilities as most off-the-shelf tools, but it has the best bang for the buck. Unless you already have a high-quality SOC operation running, you will probably be able to handle all of your SIEM needs with AlienVault for a few years at a fraction of the price of other, more complete solutions.
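The review mentions that the appliance's Snort rules surfaced outdated Java and Flash clients on the network. Rules of that kind work by matching the version strings those clients put into their own HTTP requests: Java's HTTP client sends a `User-Agent: Java/1.7.0_45` header and Flash Player adds an `x-flash-version: 11,2,202,233` header. The following Python is an added example written for this page, not AlienVault's rule set or anything from the reviewer; it parses a handful of constructed HTTP requests, extracts those version strings, and flags clients below a policy threshold. The `MIN_JAVA` and `MIN_FLASH` thresholds and the `SAMPLE_REQUESTS` are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]

# Policy thresholds are assumptions for this example; tune them to your own
# patch policy. Anything older than these is reported as outdated.
MIN_JAVA: Version = (1, 8, 0, 0)      # Java 8
MIN_FLASH: Version = (32, 0, 0, 0)    # Flash Player 32

# Java's HTTP client identifies itself as e.g. "Java/1.7.0_45" or "Java/11.0.2".
JAVA_UA_RE = re.compile(r"^Java/(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", re.IGNORECASE)
# Flash Player adds "x-flash-version: 11,2,202,233" to some of its requests.
FLASH_HDR_RE = re.compile(r"^\s*(\d+),(\d+),(\d+),(\d+)\s*$")


def parse_http_request(raw: str) -> Dict[str, str]:
    """Return the request line plus lower-cased header fields of one raw request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    fields = {"request_line": lines[0]}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a truncated or malformed header line
        name, value = line.split(":", 1)
        fields[name.strip().lower()] = value.strip()
    return fields


def java_version(user_agent: Optional[str]) -> Optional[Version]:
    """Parse the Java runtime version out of a Java User-Agent, else None."""
    if not user_agent:
        return None
    m = JAVA_UA_RE.match(user_agent)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def flash_version(header: Optional[str]) -> Optional[Version]:
    """Parse an x-flash-version header value, else None."""
    if not header:
        return None
    m = FLASH_HDR_RE.match(header)
    if not m:
        return None
    a, b, c, d = (int(x) for x in m.groups())
    return (a, b, c, d)


def check_request(raw: str) -> List[Dict[str, str]]:
    """Return one finding per outdated client observed in a single request."""
    req = parse_http_request(raw)
    host = req.get("host", "?")
    findings: List[Dict[str, str]] = []

    jv = java_version(req.get("user-agent"))
    if jv is not None and jv < MIN_JAVA:
        findings.append({
            "host": host, "product": "java",
            "version": req["user-agent"].split("/", 1)[1].split()[0],
            "reason": "Java runtime below minimum policy version",
        })

    fv = flash_version(req.get("x-flash-version"))
    if fv is not None and fv < MIN_FLASH:
        findings.append({
            "host": host, "product": "flash",
            "version": req["x-flash-version"],
            "reason": "Flash Player below minimum policy version",
        })
    return findings


def scan(requests: List[str]) -> List[Dict[str, str]]:
    """Run check_request over a batch of raw requests (e.g. from a mirror port)."""
    out: List[Dict[str, str]] = []
    for raw in requests:
        out.extend(check_request(raw))
    return out


# Constructed sample traffic for the example; not captured from a real network.
SAMPLE_REQUESTS = [
    "GET /update HTTP/1.1\r\nHost: update.example.com\r\nUser-Agent: Java/1.7.0_45\r\n\r\n",
    "GET /lib HTTP/1.1\r\nHost: cdn.example.net\r\nUser-Agent: Java/1.8.0_292\r\n\r\n",
    "GET /ad.swf HTTP/1.1\r\nHost: ads.example.org\r\nUser-Agent: Mozilla/5.0\r\n"
    "x-flash-version: 11,2,202,233\r\n\r\n",
    "GET /v.swf HTTP/1.1\r\nHost: video.example.org\r\nUser-Agent: Mozilla/5.0\r\n"
    "x-flash-version: 32,0,0,465\r\n\r\n",
    "GET /api HTTP/1.1\r\nHost: api.example.com\r\nUser-Agent: curl/7.81.0\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f['host']}: outdated {f['product']} {f['version']} ({f['reason']})")
```

Running the block reports the Java 1.7.0_45 client on update.example.com and the Flash 11.2 client on ads.example.org and stays quiet about the up-to-date ones. Version comparison is done on integer tuples rather than strings so that "1.8.0_292" correctly ranks above "1.7.0_45" and "11.0.2" above both; the same idea is what a Snort rule encodes with a content match on the User-Agent prefix.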