How has it helped my organization?
A jack-of-all trades:
The best thing about AlienVault USM is it being a “Jack-of-All Trades” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, Asset Management, Vulnerability Management, etc., under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc., can boast of such a diverse feature set.
- QRadar is the closest to AV USM in terms of feature diversity. While all the features are formerly isolated Open Source community projects, the USM does a good job of integrating them into a feature set. While they are not great as individual parts, they more than make up as a sum of the parts.
- OTX – Open Threat Exchange is a wonderful community sharing platform that helps clients to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of Real World Intelligence and what AlienVault intends to do with this data remains to be seen. For now, it is being used by USM Correlation engine to provide better context and content for Security monitoring. AlienVault Labs, is also utilizing this infrastructure to constantly update Detection rules for malware vectors, vulnerability exploits etc. QRadar and ArcSight provide Intelligence, but it is commercial intelligence and not community intelligence. With community intelligence, you get more hits than misses.
- Multi-Tenancy – While this feature may not elucidate an interest from many readers, those who have worked in an MSSP environment can understand why this is a very important feature to have. AV USM does support Multi-Tenancy out of the box. This, when combined with the Architecture flexibility provide great MSSP models to sell and operate. The key is to understand how the multi-tenancy works. Basically, a single database is used to store data of several customers using a Data isolation Logic and Permission control. The data isolation logic is based on Entities created in USM (Assets, Users, Components Assigned (Sensors) etc., are grouped together as a Single Entity) and Permissions (applied in a granular fashion to data sets related to the Entities). QRadar, ArcSight and other major SIEM products provide this as well.
- Integration – While AV USM is known for being customization friendly, the amount of out-of-the-box plugins for Log Monitoring and Correlation is limited to the well-known products. It does not have comprehensive integration capabilities with say legacy applications, Directory services, databases, etc., that other SIEM vendors boast of. Similarly, it relies mostly on its own “pre-packaged” tools for data enrichment and hence has poor “Third Party” Integration capabilities. However, if you really are a developer of open source products, the integration challenge can be overcome. But how many are willing in the real world enterprise?
- Correlation and Workflow – What good is a SIEM product if it cannot perform advanced Correlation and Operational workflow? AV USM has a strong foundation in Correlation using XML driven Directives and Alarms thresholds. However, when it comes Head-to-Head with the Industry leaders like ArcSight, QRadar, Splunk, etc. it falls terribly short. We particularly like the Cyber Kill Chain flow which a lot of customers are using for complete visibility, but this is not the end game in real world enterprise operations where not all the data points required for the directive are available. Same thing goes for the workflow, where the integration with external ticketing or issue tracking system is very limited, and hence acts as a deterrent in large scale deployments.
What is most valuable?
Flexible Deployment Architecture – This is where the Open Source roots really start to flex their muscles when it comes to AV USM. The main components of the architecture are as follows:
- AV Sensor: AV Sensors perform Asset Discovery, Vulnerability Assessment, Threat Detection, and Behavioral Monitoring in addition to receiving raw data from event logs and helping in monitoring network traffic (including Flow). The sensors also perform normalization of the received raw events and communicates them to the AV Server for correlation and reporting.
- AV Server: AV Server is the Central Management Console that provides USM capabilities under a single GUI. The server receives normalized data from the sensors, correlates, and prioritizes the events and generates security alerts or alarms. The server also provide a variety of reporting and dashboarding capabilities as well.
- AV Logger: AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long term retention and management.
All the architecture components including the Sensor, the Logger, the Correlation Engine, etc., can be deployed tier-based, isolated, or in a consolidated all-in-one style. This wide variety of deployment options help customers to have flexible and open architectures. This also helps control cost depending on the budget at hand. Very rarely can products boast of such flexibility.
What needs improvement?
This product is jack-of-all trades, but master of none. As mentioned in the good, being a jack-of-all trades is well suited for certain organizations. However, the lack of mature functionality and expertise in any of those areas is a strong negative.
For example, the correlation engine is nowhere close to the likes of ArcSight , QRadar, or Splunk, etc. The threat Intelligence is not as good as QRadar, McAfee, RSA, etc. When it comes to critical functionality expertise, AV USM is found lacking.
- Database: AV USM is using MySQL for its database. All the issues related to a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database and this causes an issue in terms of scalability, especially with high log volume environments because backup and restore is time and CPU/RAM consuming. USM can hugely benefit from moving to a non-DB Log storage architecture, thereby giving more flexibility in data management. It is doubtful if AV will take that route. Based on their product direction, they are looking at Percona Server to replace MySQL. While it is a good move, it is still customized MySQL replacement. It may not add much desired scale to the product.
What do I think about the stability of the solution?
Product Stability: The biggest issue we have seen with the product is its poor stability. With way too many components, myriad integration, a ton of scripts, and the product is really unstable. Every version upgrade is a nightmare. Re-installation or Re-start is the most common solution for the product to start working again. In a mission critical environment, this is a complete NO-NO. One of the most common and frequently failing components is the DB. Issues like DB corruptions, access issues, disk errors, unresponsive queries, etc., really test the patience of end users on a regular basis. These are the most damning negatives about AV USM.
How are customer service and technical support?
One of the common issues we hear about AV technical support is that it is of inconsistent and poor quality. Most of the time, the solutions rely on re-install, re-start, or a bug-fix. There are way too many components to troubleshoot. This leaves support to resort to re-install or re-start, without thorough root cause analysis.
Which solution did I use previously and why did I switch?
Customization: Again, this is one point where AlienVault outshines the competition in capability of customization. We have seen several customers who are using AV USM with heavy customization to perform threat detection, Asset Discovery, Threat scoring, APT detection, etc. This flexibility is really desired by Security analysts and AV USM is making good on this promise.
What's my experience with pricing, setup cost, and licensing?
One of the areas where AV USM benefits is price. It is affordable while offering a whole lot of SIEM features. This turns out to be the deciding factor for small and medium enterprise segments. QRadar, ArcSight and Splunk are some of the most expensive SIEM security tools out there in the market and not everyone has the budget to buy them. In such cases, AV USM is a very cost effective alternative.
What other advice do I have?
Product Vision Stagnation: This may not be much of an issue for potential users of AV USM. However, it is important to note that the product has not gone through major leaps in the last four years. It had more than three major releases and 20+ minor releases, but nothing path-breaking has been brought to the market. It has still remained in the “promising products to watch” for way too long. One of the main reasons we think this is the case is because of economies of scale. Since they are priced lower and cater to the SME segment, the amount of money invested in development is less, and hence the result.