What is our primary use case?
The AT&T product comes with a lot of correlation rules and orchestration rules. But when we install the system for a particular client, we have been looking at their business objectives and then trying to customize the system to meet their unique business requirements.
For example, some of the clients would like to see what is happening on the perimeter and the traffic entering the network. This might be the case when they are concerned with any attacks always coming in a particular way or if there is any probing going on from outside parties. In other cases, the clients may be mostly trying to monitor what is going on inside their infrastructure and the focus is more internal to the network.
AlienVault provides you these capabilities. AT&T Managed Security Services provides you not only with the SIEM (Security Information and Event Management) part of security, but also other areas like behavioral analytics. They are all built into one single package. This is the advantage: you have everything in one package.
What is most valuable?
What we do is offer SOC as a service in Sri Lanka. We have a physical SOC based on this product. We find the SIEM is, of course, the main focus of any client. The incident reporting, the logging, and then the alarms or alerts being reported come in as the number one purpose for adopting the product.
Next will come things like asset discovery where sometimes the client does not have the resources to put into the ultimate solution or their network. Then things like the summarization of events and incidents are important. Most clients like to have weekly reports from us which tell them where the areas are that they need to look at. With the AT&T MSSP (Managed Security Services Provider) product that we are using, it is very easy to customize the reports. Then the correlation of our drilling down to diagnose the incidents also becomes very easy. The features related to the SIEM are really easy to handle and once you get to know the dashboards and the features, they make it very easy to drill down to the issues.
What needs improvement?
The product has already improved in the sense that they are continuously making the effort to make the product better. We are now starting to work with a new version over this past month. The product improvement is there and new features are coming out. Then they have just announced something to do with the EDR (Endpoint Detection and Response).
In four months, feature-wise, a lot has been going on. They have concentrated their effort and their focus now is on USM Anywhere, which is the cloud-based system. But we already know that in our case, some of these clients will not want to send their information to the cloud. This is why we are focusing on USM on-premise and the appliance model. Otherwise, it would have been much easier for us to go into the USM Anywhere cloud-based product in terms of deployment and maintenance.
So in all, I would say the core improvements are going on. What I have seen in the product itself right now, is adequate to meet the present requirements. But of course, the requirements will keep on changing.
For how long have I used the solution?
AT&T Managed Security Services came into being only a little more than a year ago, around the time AT&T purchased a company called AlienVault. AlienVault, AT&T Cybersecurity Consulting, and AT&T Managed Security Services were combined under the AT&T Cybersecurity division. We have been working with AlienVault in our current capacity since the end of 2018, before they were a part of AT&T. But we had also been involved in running our backend services for AlienVault support for two more years before that, starting from around 2016. We have been working as a SOC (Security Operations Center) and then with Managed Services in 2018. This product is becoming an all-in-one USM (Unified Security Management) system. Those are the areas of the product family that we have been involved with.
What do I think about the stability of the solution?
Managed Security Services is stable. Or I should say it is stable provided that you look after the system properly. One thing that we have seen is that you need to fine-tune the system so that you do not get unwanted alarms.
For example, if a firewall is giving out 100,000 alerts an hour, it is difficult for us to manage it efficiently at that rate of alerts. And then it will be difficult to log the visitors also. The trick there is to make sure that you have got the correct rules applied to the system to repress the unwanted alerts coming into the system. If that is done properly, then it is easy to manage and it is very stable.
What do I think about the scalability of the solution?
The system itself has scalability built into it. You can start with a single VM if you are implementing a smaller kind of plan, like those having an EPS count of up to about 1,000. To scale up from there, you only have to take certain components out and install them separately until you achieve another limit of the EPS count. You simply expand the system by adding modules. You do not have to take it out completely and then reinstall another one. But you can build upon the basic system and go up to a very high level.
How are customer service and technical support?
The technical support is really good. The only problem that we do face is the time difference. Say we are eight-and-a-half hours ahead of GMT. Our technical support comes from Ireland. They very rarely respond immediately because of the time difference. You have this AlienVault partner portal where you can raise tickets and they are almost immediately answered. But if you want someone to talk to you and someone to look at your system, it has to fall within the daytime working hours of Ireland where the support is coming from. Other than that, the technical team has been very supportive. They even follow up with us on what has happened afterward.
How was the initial setup?
The initial setup is easy. Right now what we are using is a product that comes in as a single virtual machine where you have a central server and a login.
It is easy to install, but when it comes to configuration, it all depends on your events per second count. Once you get to a certain rate of EPS count, then you go on to the standard format of taking the sensor out and installing these three components separately. This may seem a little complicated but there is lots of product installation support available from AlienVault and AT&T. The integration support comes with plugins for various devices. So it ends up being really easy to install and expand.
In some cases, we have run into a few installation problems, but AT&T has helped us to rectify those. In some cases, they go directly into the system and then try to see what is wrong and then rectify it.
What other advice do I have?
Advice that I would give to any customer considering the product is that if they want a top solution for their business model, they should do a 30-day proof of concept trial. That gives the customer the confidence that the product has the features that are required by the company and they can get a feel for how friendly the dashboards are.
We are not just selling a product but, in our case, we sell a complete service. To do that, we bundle it with other components like incident response so customers get a complete package solution. Before a customer selects AT&T products, the best thing to do is the POC. There is no obligation, and it is very simple to obtain the product and do the installation. Do that first and see how well it suits your organization.
On a scale from one to ten where one is the worst and ten is the best, I would rate AT&T MSSP as close to ten. I would say it is good to give it about an eight out of ten.
Right now we are marketing to medium-level business entities and trying to step into large-scale enterprise services. So far with this product, we were not able to attain that goal, and this is why I would only rate it at about an eight.
Additional features that I would like to see included in the next release to make it at least a nine: first, the documentation center has to improve. There is a lot of documentation, but you need to take a lot of time to go through those documents to find out exactly what you want. In the current technical documentation, sometimes what happens is we search through it and then we do not find what we want. We have to end up contacting support anyway, and if it is something we have to talk with them about, it will take even more time. It is still a web-based support portal and it is okay for basic information, but what they need to improve on mainly is having more technical documents with more depth of information. In our case that will be a plus point.
Of course, there is a solution. If you are a gold partner, you have an additional level of support. We are not a gold partner, we are a silver partner. Gold partners have a different timescale for their support. But for a start-up like ours, we cannot quite support that commitment. You have to look at the reality of business in our region as well. Networking is looked upon as the main focus rather than security. AT&T should change their rules so that they become more supportive of silver partners, so that we can grow as a business and afford to move on into the gold and then the platinum levels.
Which deployment model are you using for this solution?