AT&T AlienVault USM Review

The bundle of features is the killer feature, but search performance and Raw Logs are slow


What is our primary use case?

Our use of the solution is all over the map. We use it for our own internal use. We use it in our security operations center. We're a reseller, we're an MSSP, and a Professional Services provider, so we do a lot of professional services on the platform. It's a standard SIEM solution and is used for log collection, log management, event correlation, alarming, and reporting.

How has it helped my organization?

There are probably a billion examples I could give. As a service provider, it helps us because we have all of our clients connected in through our management platform, and we're able to leverage the tools that AlienVault provides to monitor and collect data from all of those systems and identify security incidents for all of our clients. It provides network and host-level visibility and it's easy to tune and manage.

What is most valuable?

On any given day I could give you a different answer regarding the most valuable features of the product. The feature that is most important is the fact that it has a lot of features, that it's not just a log collection and correlation system, that it has a lot of other components built in. The bundle of features is really the killer feature.

In particular though: 

  • ease of use and deployment
  • excellent cloud integration
  • dynamic asset management
  • vulnerability scanning
  • network intrusion detection
  • host-based agent monitoring and collection

All of these features combined create a compelling "one-stop" package for a business that needs security monitoring and analytics.

What needs improvement?

Search performance can be slow. The Raw Logs feature is painfully slow. And if we're talking about the newer, the Anywhere product, you can't even schedule reports on it. There are probably a dozen other features I'd really like to see there, but that would be one of the biggies.

Also, there is no visibility into the NIDS or HIDS agent configurations and no easy way to augment them. The same is true for vulnerability scanning: it's all or nothing; there are no fine-grain controls as there were in their older product. There is a lack of "real" visibility into the correlation rules, and the inability to create our own sophisticated rules (only very simple ones) is a big miss.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We've had some stability problems, not a lot, but a few. Updates seem to be the worst. That seems to be when the stability problems come up.

Sensors occasionally go down during updates and don't recover. Some maintenance cycles on the cloud controller have left the system in a weird state. In addition, there are times when the product seems very slow to respond. This may be related to back-end maintenance that we are not aware of.

What do I think about the scalability of the solution?

It scales reasonably well. There is a scalability plan for it. There is a way to add additional collection components, what they call Sensors, and then scale up the central platform. At this point, I don't believe it will scale to the very high-end. It is not a large, global enterprise-type product. It's more of a small-enterprise-and-below product.

How is customer service and technical support?

Their support has been good. I've always had good interactions with them.

Which solutions did we use previously?

We've used a lot of solutions. I've used, run, and supported a lot of different solutions over the years. There were two primary reasons for switching to AlienVault. One was price, and the other was the feature bundle that I was talking about earlier.

We chose this particular product for many other reasons. As a Professional Services provider, a service provider, MSSP, and a reseller, we're not using it the way most end-users would go out and shop around and look for something. A big part of our decision in selecting this product was the fact that we were able to establish that relationship with AlienVault as a company, as a business to business relationship, to be a reseller, to be an MSSP, to be all of those things.

How was the initial setup?

The setup is pretty simple. The documentation is good. I've been setting up platforms like this for years, so it's not hard for me. For someone who is new to the product and hasn't used this type of product before, they'll have a little bit of a challenge, but it's not too bad. The system is pretty easy to install and, if you follow the documentation, it's pretty easy to configure.

Some cloud integration steps, like G Suite, were more complicated and prone to error.

What was our ROI?

Calculating ROI on security products is a funny endeavor, in my experience. It's not a hard science and it's not something you can easily throw a lot of numbers at. It's mostly guesswork.

What's my experience with pricing, setup cost, and licensing?

The pricing is a good value and makes sense.

The key thing is that for the new product, the licensing of it is subscription-based and it's based on data. Clients need to be really careful when thinking about that, because odds are they're going to need to put a lot more data into it than what they initially estimate, which is going to drive their subscription costs up.

I do have concerns that, if a payment is delayed or if there is any dispute about billing, all of our data is held in the cloud and could be lost.

What other advice do I have?

Overall, the automation features of this solution are good. The issue here is that there are really two solutions. There's the AlienVault Appliance product and then there's the AlienVault Anywhere product. The Appliance product, which is the older product, has a lot more customization and automation capabilities because it's very extensible. The newer product, the Anywhere product, is still very limited. We're very dependent on AlienVault to build in any kind of connections or integration.

If you are a mostly-cloud environment, this is a good fit. If you have very few other security controls outside of a firewall, this is a good step forward. But if you have a solid security program, you may find this product lacking in a few areas. And most importantly, be very careful about subscription size and licensing.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
1 Comment
Tami Andrews (Vendor)

Thank you for your time and comments. Your feedback is invaluable. If you'd like to discuss the concerns you've raised in the review, please feel free to reach out to me and I'll be happy to initiate the conversation.

08 October 18