AlienVault OSSIM Reviews

The primary use case is local action, vulnerability scanning, and usage of Network IDS. We use some process and correlation rules for our business our customers' businesses.

When we forward in-traffic from our one interface to Network IDS in OSSIM, we can see all of the requests that we have to and from that interface. Because of integration with Open Threat Exchange from AlienVault, we see which IPs from these requests are malicious and we can use these IPs to block them on our firewall.

We need more dashboards and we need more customization for dashboards. It would be great if they would improve in this area.

The stability of OSSIM is not bad. Because it is an open-source version of a commercial product, it has some restrictions on the size of infrastructure that you can integrate with it. But if you don't go beyond these restrictions, it has great stability.

The server is the "brain" of the system, and there are the sensors. They are like collectors of information for the server. It depends on the size of the business and on geographical issues connected to the business. You can install sensors in all of your branch offices and the server in your main office and it works well in this type of deployment.

Great guys. They work fast and they have great experience with their solutions and give great support.

OSSIM was the first solution that I used in this area.

I started to work with its commercial brother, AlienVault USM. When I started to use that, I received some question from my customers about comparing USM and OSSIM. So at the time, I started to use OSSIM, to learn it and compare it with USM. I needed to answer the question, "Why do we need to pay AlienVault money to use their commercial product when they have open-source?" I needed to know the differences.

The initial setup is really straightforward. It's like a Windows program: "Next, next, next, and finish." I don't remember if it was in the open-source versions or the commercial, but it may be that in OSSIM you also have results that can help you with the initial configuration. But overall, the initial setup and configuration are really easy.

In terms of how long the setup took, it's a more complex question. We need to integrate modules such as Network IDS, we need to install agents, we need to perform the initial configuration of OSSIM. For example, we need to configure the SPAN port and send traffic from some of our network devices to AlienVault OSSIM. It can take one hour or one day. It depends on the environment and the size of infrastructure and the size of the business. You may have one firewall or 100 firewalls. It doesn't take a lot of time, but depending on the size of the business, it may take from one hour to a day or two.

When it comes to maintenance of the solution, it also depends on the size of the business. In some companies, where there are 100 users and a small room with servers, you need only one administrator for this system, for maintenance and deployment and everything. But when there is a big company with a big number of employees, 1,000-plus, we may need some more people for deployment and for maintenance.

I've done the setup by myself. In some types of deployments, when I have questions, I also include guys from the AlienVault team, but I haven't had to use them many times.

OSSIM is free.

I didn't look at other options. OSSIM is the only solution that includes the large number of modules that we need: a vulnerability scanner, a network IDS system, a host IDS system. The solution also provides us with a correlation engine for our logs. This is the best option on the market and I didn't see any similar solutions.

I used this product for about a year. It was on-premise.

My advice is to just read the manual. OSSIM is very simple. If you know why you need to use it, you will be happy.

The biggest lesson is that the logs are "power." In these logs, with a good normalization engine, you can find so much very useful information about your infrastructure, sometimes about your employees, and about your business-critical processes.

I would rate the solution at ten out of ten. It's really the best open-source CM on the market. It's simple, it has OTX integration. OTX, the Open Threat Exchange, is also a great product from AlienVault. It's like Facebook for indicators of compromises. 

Our primary use case for AlienVault is incident management. We started as a customer because one of our companies worked on it. Eventually, we started reselling the service. 

What I like about this product, is that it is a fully-fledged solution. I don't need to buy any complementary products, everything comes in one box.

I would like to see an improvement in their threat exchange database because the OTX is not the best thing in the marketplace. There are better solutions. So if they could enhance our feature development, it would make the product much better. 

For me, the user interface is very important, because the simpler the user interface is, the easier it is to find candidates to run the operation. If the user interface is very complicated, you need to expose your technical people to very intensive training in order to understand the system and to get the output right. So, from a user perspective, I would say the simpler the user interface, the better the product, especially for security issues. You need to let your tech people concentrate on the incident rather than on how to use the software to get the answer.

Lastly, if technical issues could be resolved faster, it would be a huge improvement. 

This solution is about 90% stable. I do have a problem with vulnerability.

It's a very scalable product. I will say it is 100% scalable. It is currently managing the entire security of the firm, but it's managed by four members of our staff because it's a 24/7 operation. Three of them work shifts, and one of them is the supervisor. 

I will give their technical support 80%. Although I am not completely satisfied, their response is good. I give their response 100% because whenever you open a ticket, you get communication on the spot. But sometimes it takes very long for your issue to get resolved. And that's why I'm only giving them 80%.

We also used IBM QRadar before, but we did not get proper support and that's why we switched to AlienVault. 

The initial setup was rather complex and it took us about a day to finalize everything. When we did the deployment, we had some support from AlienVault. And eventually, when we installed it for our customers, our technical team did it by themselves. They didn't require any kind of support from AlienVault.

The price was good and it matched out budget at that stage.

We looked at ArcSight as an option at the beginning, but the pricing was not what we were looking for. And we don't have the proper channel to sell ArcSight in Egypt. That's why we decided to go to AlienVault.

If anybody asked me if am I happy with AlienVault, I would say that it is a very good product. Frankly speaking, if anybody asked me about QRadar or ArcSight I will say the same, but it requires lots of training and you need to have a source for the product and for the pricing, otherwise, you will end up paying an enormous amount of money.

With AlienVault you get everything in one box. I will rate this product an eight out of ten.

Our primary use case is for research purposes. For now, we're just playing with it and there's a potential learning curve regarding use of AlienVault as an SIEM solution. We plan to analyze different open source solutions to test strengths and weaknesses. We are customers of AlienVault and I'm a research assistant. 

A very good feature of AlienVault OSSIM is that it has many domains that can be integrated from different solutions. For example, if we have a firewall and I want to connect it with the AlienVault OSSIM, there is already a grid affecting that. From that perspective, it's a very good solution in that almost everything can be integrated and that makes it better than other SIEM solutions.

The great thing is that the networking configuration features are good and integrations don't need to be done manually. Of course it's possible but there's an automatic option for configuring networks and there's a plug in for different kinds of solutions. Network security firewalls, IDS, and the like are things that already exist. 

The GUI could be improved, and the solution could include a specialization tool. The correlation engine and the scalability of this product should be improved. And then I think it also needs to have the grid potential because when we talk about SIEM it's not just a few machines, it's hundreds and that means thousands of logs so the product should be more easily scalable.

The features I would like to see included will take some time to implement because the solution is open source and these are promotional products. On a basic level I'd like to see an open source visualization tool or a commercial visualization tool. 

I've been using this solution for one year. 

I'd say the stability of the solution is moderate. 

The documentation provided was not sufficient, so we worked it out by ourselves. 

The initial setup was not so easy, partly because the documentation was not up to date. You end up learning from your mistakes. Deployment took us more than six months.  We have an open source intrusion detection system which is connected to it and endpoint systems. We implemented by ourselves, there are two people in the company with expertise in this area. 

Those who are looking for a solution like this one should first conduct a survey. There are other solutions which are quite capable of doing similar things, even open source solutions. If a company can afford a commercial solution, they should go for that rather than for an open source solution. It requires an expert to assess the situation. A small mistake can lead to a big problem; opensource is there for those who know what they're doing. 

If you're looking to add another feature, you need to have strong coding because tweaking them is not simple. I'm in a technical team so that's my perspective.

I would rate this solution a six out of 10. 

The self-paced training is pretty good. 

The initial setup is straightforward. 

We've found the solution to be very stable. 

You can scale the solution.

Technical support is excellent. They are very helpful and responsive. 

ArcSight works better than AlienVault right now.

The incidence reporting could be better. We'd like to be able to better privatize certain logs that handle certain detections. It's really important to us. 

The integration capabilities could be improved. 

I've been using the solution for over three years at this point. 

The solution has been quite stable for us. There are no bugs or glitches. It doesn't crash or freeze. It's reliable.

The product can scale. The only problem we have with it is the integration. For example, we were trying to integrate a solution in the server for retaining logs on AlienVault. We tried everything possible, however, it just wouldn't integrate. In contrast, when we move to ArcSight, we could do it one time and it was working just fine. There were no integration issues. 

When we have had to reach out to them, they were brilliant. They were prompt and very precise. 

We've used ArcSight as well. We used it on a particular project recently. It's easier to integrate items in it as compared to AlienVault. Aside from that, they are very similar products. 

The implementation process is pretty simple and straightforward. It's not difficult or complex at all. A company shouldn't have issues handling it. 

The only issue that comes into play is when you want to integrate it with other vendors. 

Overall, I'd rate the deployment process at a four out of five. 

I'm a consultant. 

I'd rate the solution at an eight out of ten. For the most part, I am satisfied with its capabilities. 

The solution needs more integration with cyber intelligence systems. 

Our customers want to use a single tool for managing cybersecurity. We want integration with existing tools and integration with newer tools that offer the ability to manage or to identify security vulnerabilities in a gateway system or firewall. Basically, we want the solution to offer configuration management. 

I would want it to be integrated with lasting search, in terms that it could gather a lot of intelligence and dump it into the database. Also, it would be useful if we were able to run analytics on the solution. If they can integrate it with an analytic function it would be better.

I haven't had time to compare the stability to other solutions, but for our purposes it's okay.

You need to pay for technical support, but I didn't pay for it, so I can't say much about it. The solution has a very good open source community, and whenever we have problems, we are always able to resolve it online.

The initial setup was straightforward. 

There wasn't any complexity. The only issue we had was when we installed it on a virtual layer. We found a way around it, however. It was the open-source virtualization that gave us trouble. There was a workaround and we applied it and it was okay.

The solution is open-source. You need to pay for support if you want it.

We use the on-premises deployment model.

We have a small setup. It's an environment that supports only about 20 users, so, it's not really a complex setup.

I would give the solution a rating of seven out of ten. I believe if I paid for the support I'd get a higher quality of software and other additional functionalities.

I primarily use the solution for log collection.

AlienVault sometimes works like an appendix. It's not accurate in most cases, but we use an agent like WinCollect to collect logs. We collate the information. The solution is fast-acting when it comes to collecting the logs, and for all the inter-process work.

The log collection is okay, but tracing the logs or tracing the events is a bit difficult. It's not user-friendly. A user must be an expert and must know how to give the logs, how to configure the system, etc. He has to be an expert on this product.

The user interface needs to be friendlier across the board. Also, I would prefer if the kill chain scenario with every event was not stacked. I need to be able to do an SQL query and figure out where the event came from and tag to the source and destination. I cannot see this easily as it is right now.

The solution is very stable. Compared to Qradar and Splunk, it's very stable.

I've never had to use technical support.

I previously used QRadar and Splunk.

I'm not sure how difficult the initial setup was, but it did take a very long time to implement.

The solution is open-source, so there are no licensing costs.

I've used this for a small environment, and it was amazing. I'm currently converting to QRadar now because I am expanding. I am handling more than 30,000 events per second. I can't use Alien Vault, as it's too high a threshold.

I do recommend the solution, however, for those with small environments that don't handle as many events. It works great for anything under 1,000 events per second.

I would rate the solution eight out of ten.

We primarily use the solution just to analyze events that occur based on security events.

I can't really discuss how this helps my organization. I'm running this from my home, so this is not a business I'm using it for. What I do is I log in infrequently to the device or to the service and I check and see if there's anything that's anomalous or anything that is of concern. 

The dashboard is the solution's most valuable aspect. It brings everything into one central point where I can actually look at it and go, "Okay, I understand what's going on."

The solution works well and allows me to have visibility into anomalous events.

I'm not sure if there's anything on the solution that needs improvement.

I would like the solution to be able to integrate with my firewall, my IDS and my Honeypot solutions so that it can provide real-time reporting as things occur and then have alert sent to me on my phone when suspicious activity is happening.

I've only been using the solution for about a year.

The solution is very stable. It runs well and there are no issues that I can see that would make me concerned about its stability. I haven't faced any bugs or crashes that would make me worry.

The solution is largely scalable. I'd rate it at about a seven out of ten in terms of how well you can expand it. 

There is room for improvement, but that's only because it depends upon the data that's feeding in. You have to understand that it's a collector. It collects data, it analyzes data. It's only going to be as good as the data you give it.

The solution is free to use and therefore doesn't offer technical support.

I didn't previously use a different solution, at least not at my house.

The initial setup was very straightforward. I didn't run into any problems or complexities at all.

I maintain the solution myself. It doesn't require a lot of maintenance or man-hours to keep it running properly.

I didn't use a reseller or integrator to assist me. I was able to handle the process from beginning to end on my own.

The solution is free to use.

I didn't evaluate any other options. I already knew enough about them, and this was the only free solution, which is why I chose it.

I would advise others to not implement it for any enterprise-level organization. However, it would definitely be a good solution for a small business environment.

I would rate the solution five out of ten. It's free, so there isn't support, first of all. Second of all, it doesn't have all the integrations that I would hope for. And thirdly, because since AT&T bought them, I worry AT&T will ultimately destroy the product. I don't like AT&T.

I primarily use the solution for securing my traffic and the SIEM.

The fact that it is free is the most valuable aspect of the solution.

It's under heavy traffic. If you have heavy traffic, the system is slow. 

The scalability of the solution is okay. We have about 100 users right now.

Technical support is fine, but if you have a problem, for example, if you have to decode or fix some bugs, you have to manage it yourself.

We did not previously use a different solution.

The initial setup was straightforward. I didn't have any problems.

I implemented the solution myself.

The solution is free to use.

We didn't evaluate other options before choosing this solution.

The installation is easy, but it's not very compatible with some of our other solutions. Still, it's okay, it's very good. It integrates well with ELK.

I would rate the solution six out of ten.