Gerald Mbewa - PeerSpot reviewer
Cyber Security Analyst at Digital Sentry Ltd
Real User
Top 5
It provides a central place for ingesting and managing logs but lacks automated remediation
Pros and Cons
  • "Having everything in a central place has been helpful."
  • "AlienVault cannot automatically respond to threats like other SIEM solutions, such as Sentinel and LogRhythm. Most of our clients are far away, so it's often challenging to handle alerts when they come up on our dashboard."

What is our primary use case?

AlienVault provides a central place for monitoring the logs from various security tools in our environment, such as CrowdStrike and Datrix. It gives us complete visibility into the logs from those tools and endpoints in our environment. We use AlienVault for managing logs and vulnerabilities with tools like CrowdStrike.

What is most valuable?

Having everything in a central place has been helpful. 

What needs improvement?

AlienVault cannot automatically respond to threats like other SIEM solutions, such as Sentinel and LogRhythm. Most of our clients are far away, so it's often challenging to handle alerts when they come up on our dashboard.

For how long have I used the solution?

We have been using AlienVault for two years now.

Buyer's Guide
USM Anywhere
March 2024
Learn what your peers think about USM Anywhere. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
767,667 professionals have used our research since 2012.

What do I think about the stability of the solution?

I rate AlienVault seven out of 10 for stability. Deploying AlienVault on-prem has been a challenge. The network sometimes drops, and it disconnects the sensor. 

What do I think about the scalability of the solution?

I rate AlienVault USM eight out of 10 for scalability.

Which solution did I use previously and why did I switch?

We were using an open-source solution, then we upgraded to USM.

How was the initial setup?

I rate AlienVault USM eight out of 10 for ease of setup. I've deployed it on-prem and in the cloud in EXI. You can deploy it in under 10 minutes. I deployed it by myself. It was easy for me because I attended the training, but some of my colleagues didn't. It was challenging for them to implement. However, one person is enough if you're trained.

What's my experience with pricing, setup cost, and licensing?

You might have to pay an additional fee to increase the number of sensors. We have five sensors, but other clients have three. I think you need to pay more to extend to four or five. 

Which other solutions did I evaluate?

We tried Elastic Security, but it was difficult for us to implement.

What other advice do I have?

I rate AlienVault USM seven out of 10. It can do the job if log management is what you want, but it lacks automated response. 

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
MattCarter - PeerSpot reviewer
Founding Member at Integotec
Real User
A very scalable solution with vulnerability management that helps avoid weaknesses, but needs broader compliance management capabilities
Pros and Cons
  • "The most valuable feature is vulnerability management because it gives you insight into your environment to know what systems need to be updated or patched."
  • "I want to see more compliance management capability. The quality of integrations seems to be a little bit low."

What is our primary use case?

The use case is for companies that want to have more visibility in their environment and want to apply governance. This solution is used for compliance management, vulnerability management, threat hunting, and threat protection.

What is most valuable?

I think all of the features are valuable. However, the most valuable feature is vulnerability management because it gives you insight into your environment to know what systems need to be updated or patched. You can avoid weaknesses in the computers and other systems by keeping them patched.

What needs improvement?

I think they need to broaden their compliance management to cover more areas of compliance. For example, they're very specific about HIPAA, CIS 8.0, and a few others, but they don't have a broad compliance management base. Some customers need compliance management with other standards or frameworks, which are unavailable on their platform. I want to see more compliance management capability because if they broadened it, it would be a much more attractive product. 

They have a lot of integrations, which is good, but the quality of integrations seems to be a little bit low. It's one thing to provide integration, and it's another to provide integration that works really well.

What do I think about the scalability of the solution?

The solution is cloud-based and hybrid. A server is put into a customer's environment to collect information and send it to the cloud. Both the server installed in the customer's environment and the cloud solution are scalable. The solution has rapid elasticity and all the check marks a cloud-based solution needs to scale. It is definitely scalable.

There are currently 19 users in our company. I think over time we have plans to increase our usage of this solution, but as an MSP, we have clients with different requirements or needs, so we might pick a different solution because it's a better fit.  

How was the initial setup?

The initial setup was pretty straightforward. It wasn't that difficult.

The initial steps of the implementation, getting the account and setting it up, only take a few hours. Then there's some fine-tuning that takes place afterward, and it takes a little bit longer. You need about a week to really get that fully configured with a good plan and deployed in the environment, and then from there, it's just fine-tuning as you go.

What about the implementation team?

We handled the deployment in-house. The solution needs one person for deployment and one for management.

What's my experience with pricing, setup cost, and licensing?

I don't recall exactly what their prices are, but they are a little more expensive than Microsoft. It really depends on what features in Microsoft you may already be using. If, for example, you're a company that has Microsoft's Defender for Endpoint and Defender for Identity, or basically any of their Defender Suite applications, you might already be paying a certain amount every month or every year for those features that the Microsoft Sentinel solution brings under one umbrella.

AlienVault also has additional fees for extra storage in the cloud. 

Which other solutions did I evaluate?

Recently, we were going to sell a customer AlienVault, but then they picked Microsoft Sentinel. We compared them because we wanted to make sure that  both solutions could do the same thing, and it turns out that Microsoft does it a little bit better.

It's like having a Swiss Army knife that has all of the tools you need to do a craft, or just having a regular pocketknife that you can only use to do one thing. In this case, AT&T is the pocketknife and Microsoft is the Swiss Army knife.

What other advice do I have?

My advice would be to make sure the product is a good fit in terms of compliance and compatibility with your security solution, like your EDR and ATP solutions. Make sure that they play well together because you could have issues with the two fighting each other over protecting the computers.

I would rate this solution as a seven out of ten. 

It's a good product. They created AlienVault based off of an open source framework, so it's built on OSSIM. It's interesting that AT&T is going into the cybersecurity market since they're a huge mobile carrier. Right now, their marketing and advertisements are really good, but they need to invest more money into the product. If they focus more on building out the product, maybe invest a little bit more money into development, I think they'll have a stronger strategy and a very dominant winning solution in the market.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Solutions Engineer at a computer software company with 51-200 employees
MSP
Useful for compliance, very scalable, and pretty stable
Pros and Cons
  • "We're using it more for reporting, that's all. We're using it to help our customers to pass any kind of audits that they receive."
  • "There could be some type of integration with our existing portal. We have our own customer portals, and it would be good if there was an integration so that our portal can provide reports. There could be some type of API into the AlienVault system with the USM system so that it is easy to show the customers high-level reports of the system through our portal."

What is our primary use case?

We use it for compliance. We're not using it as a security operation center type of thing. Its usage is more from an auditing standpoint at this point.

We partner with them for customers who need something like a SIEM, so we're a cloud provider and integrator.

It is deployed on the cloud. It is a combination of AT&T's own cloud and our cloud. We run our own infrastructure. So, it is a hybrid and private cloud.

What is most valuable?

We're using it more for reporting, that's all. We're using it to help our customers to pass any kind of audits that they receive.

What needs improvement?

I don't have any suggestions for improvement. On our side, as a provider, we should develop a real security operation center type of practice, which we don't have right now.

There could be some type of integration with our existing portal. We have our own customer portals, and it would be good if there was an integration so that our portal can provide reports. There could be some type of API into the AlienVault system with the USM system so that it is easy to show the customers high-level reports of the system through our portal.

What do I think about the stability of the solution?

It is pretty stable from what I hear. 

What do I think about the scalability of the solution?

It is cloud-based, so it is very scalable. It really depends on how many devices they have in their environment. Our customers are more mid-sized companies, so it fits what we need.

We don't have a lot of clients using this SIEM. Usually, a client is interested in something like this to help them with their auditing. So, we don't have a lot of customers using it right now. Probably in the near future, its usage will be increased in terms of the customers requesting it from a security standpoint.

How are customer service and technical support?

It is pretty good. I usually don't contact their support. I usually contact their sales team. I work with their pre-sales and sales engineer and account rep.

How was the initial setup?

It is pretty straightforward from what I've seen, but it has to be verified to make sure any changes in the environment are added to the configuration. Like anything, it is not set it and forget it. You really have to make sure that it is capturing everything if things change or new systems are brought online. It is more of a procedural thing where you have to make sure somebody is keeping it up to date.

For its maintenance, we have someone who manages the product itself. In our company, for IT people, we have around 100 or so staff. We have customers nationwide, but we probably have two to three people managing this product. They are in more of a security analyst type of role dedicated to security.

What's my experience with pricing, setup cost, and licensing?

I don't know exactly, but I know it is based on the number of logs and the retention duration, such as 30 days or something like that. So, the smallest package is about 500 a month for 30 days of logs.

There is a virtual machine. You need resources for it. It is a log collecting VM. They provide the software, and you just have to load a virtual machine. So, you're going to incur some CPU RAM and storage for wherever this log collecting appliance is running, which typically is in our cloud and on our platform for the customer.

What other advice do I have?

I would advise knowing your requirements and your data. What are you trying to protect or monitor? Before implementing something like this, you really should have basic security in place. You should have systems that are generating logs, for example, antivirus software and firewall. You have to have that all in place first to make this kind of product useful because this type of product is really meant to aggregate things after the fact. After you've put all the systems in place, then this system aggregates and collects everything together. You really need all the endpoint security, firewall security, and server security first, so you have meaningful data to look at. The SIEM is not going to be useful if you don't have any meaningful data for it to collect.

I still need to dig into it deeper to see exactly what it does. Our practice is kind of evolving, so this is probably something that we need to offer more to customers. We need to get more product knowledge on it and develop a practice around it. A lot of customers are asking for security operations center (SOC) services for remediation of problems. We don't do that right now, but that's something that I know is probably on the roadmap. With everything going on, that would be a helpful service to our customers, and I think they're asking for that. We've encountered customers asking for that type of service. We don't do it yet. I know there are other partners out there that do that, so really it's on our side to develop the product more. Whether it involves staying with this AT&T product or going for maybe another one, customers are looking for a little bit more. They are not just to have it set up, but also to have someone to act on any kind of alerts or any kind of potential breaches. They're looking for a service for somebody to actually remediate.

From what I know of the product, I would rate it an eight out of 10. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Manager, Information Security at a retailer with 5,001-10,000 employees
Real User
I'm able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed.

What is most valuable?

The fact that I am a very small security team and AlienVault allows me to have a SIEM, FIM and Vulnerability scanner all in one.

How has it helped my organization?

I am able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed. Since I don’t have a lot of time to learn new and complicated tools, being an e-commerce company, this allows me to increase the security posture of the overall organization and also to help pass PCI compliance.

What needs improvement?

With all these products there is always room for improvement. Whether it’s making the filtering of anomalies better, making setup and deployment faster, streamlining more of the functional aspects of the product, etc. There is really not one thing that stands out in particular.

For how long have I used the solution?

About one year

What do I think about the stability of the solution?

I had some initial issues with some of the upgrades in version, but with the help of their support team, we were able to resolve all of them.

What do I think about the scalability of the solution?

No, not yet. We are growing at a rapid pace and eventually will need more sensors, but I believe that will be a painless upgrade.

How are customer service and technical support?

Tech support is great. Very knowledgeable, reliable, and have resolved all problems, escalated when necessary, and handled all my cases very professionally.

Which solution did I use previously and why did I switch?

I have used different solutions at previous jobs. AlienVault was a new purchase and install. When asked for my opinion, I did recommend AlienVault as the solution since my comparison of all products came down to AlienVault being the best for our particular environment.

How was the initial setup?

It was very straightforward. I had made a couple of little mistakes that most likely would have been avoided if I had not rushed a few aspects of the install, but tech support was able to get me back on the right track.

What's my experience with pricing, setup cost, and licensing?

The pricing for this solution with the 3 major components: SIEM, FIM, and vulnerability scanning, can’t be beat. There are other systems that are way more robust, but way more complicated and way more expensive. This solution was perfect for us.

Which other solutions did I evaluate?

I had eliminated others prior to evaluating AlienVault based on prior experience. Tripwire for FIM, QRadar for SIM, eEye Digital for vulnerability scans. All of which are great tools, but much more pricey. We briefly looked at LogRhythm, Tenable, and Splunk as well.

What other advice do I have?

I would say to implement it. It has all the components needed to help secure your environment as long as you have someone who can dedicate some time to it. But even if you don’t, like in my case, it is a much better solution than the others.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Tami Andrews - PeerSpot reviewer
Sr. Customer Programs Manager at AlienVault
Real User

Thank you, Don, for your thoughtful feedback.

PeerSpot user
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Real User
Cost effective, quick and easy SIEM solution which still needs to be improved to better compete with other solutions.

At Infosecnirvana, we did a post on SIEM Comparison – 101, and a lot of readers were interested in evaluating AlienVault SIEM and how it stacks up against the usual suspects like ArcSight, QRadar, McAfee Nitro, Splunk etc. Well, we listened, and this post is about our take on AlienVault SIEM, its strengths, weaknesses and more.

Introduction:

AlienVault is the enterprise avatar of Open Source SIM (OSSIM). AlienVault has a number of software components, which, when put together, provide what is now called a Unified Security Management tool, or USM in short. The components are:

  • Arpwatch, used for MAC address anomaly detection.
  • P0f, used for passive OS detection and OS change analysis.
  • PADS – Passive Asset Detection System, used for service anomaly detection.
  • OpenVAS, used for vulnerability assessment and for cross-correlation of Intrusion Detection System (IDS) alerts against vulnerability scanner information.
  • Snort or Suricata, used as an Intrusion Detection System (IDS), and also used for cross-correlation with Nessus.
  • Tcptrack, used for session data information which can grant useful information for attack correlation.
  • Ntop, for recording traffic patterns between hosts and host groups, and statistics on protocol usage.
  • Nagios, used to monitor host and service availability information based on a host asset database.
  • OSSEC, a Host-based intrusion detection system (HIDS).
  • Munin, for traffic analysis and service watchdogging.
  • NFSen/NFDump, used to collect and analyze NetFlow information.
  • FProbe, used to generate NetFlow data from captured traffic.
  • AlienVault also includes a lot of proprietary tools, the most important being a powerful correlation engine.

The combination of all these tools has been seamlessly put together in AlienVault USM and is really a winner in the SME segment of the market. They have a nice feature set, and the entire re-organization, additional funding, infusion of new leadership etc. has made AlienVault a serious contender in the SIEM space. They are the sole contender in the Visionaries Quadrant in the 2014 Gartner Report. In short, it is like the UTM of SIEM technology. Now, is that good? Or is that bad?

Lets see!!!

What is good?

  • Flexible Deployment Architecture – This is where the Open Source roots really start to flex their muscles when it comes to AV USM. The 3 main components of the Architecture are as follows:
    1. AV Sensor – AV Sensors perform Asset Discovery, Vulnerability Assessment, Threat Detection, and Behavioral Monitoring in addition to receiving raw data from event logs and helping in monitoring network traffic (including Flow). The sensors also perform Normalization of the received raw events and communicate them to the AV Server for correlation and reporting.
    2. AV Server – The AV Server is the central management console that provides USM capabilities under a single GUI. The Server receives normalized data from the sensors, correlates and prioritizes the events and generates Security Alerts or Alarms. The server also provides a variety of reporting and dashboarding capabilities.
    3. AV Logger – The AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long-term retention and management.

All the architecture components, including the Sensor, the Logger, the Correlation Engine etc., can be deployed tier-based, isolated or in a consolidated All-in-One style. This wide variety of deployment options helps customers to have flexible and open architectures. This also in a way helps control cost depending on the budget at hand. Very rarely can products boast of such flexibility.

  • A Jack of All… – The best thing about AlienVault USM is being a “Jack of All” solution. They provide SIEM, HIDS/NIDS, FIM, NetFlow, Asset management, Vulnerability Management etc. under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc. can boast of such a diverse feature set. QRadar in my opinion is the closest to AV USM in terms of feature diversity. While all the features are formerly isolated Open Source community projects, the USM does a good job of integrating them into a feature set. While they are not great as individual parts, they more than make up for it as a sum of the parts.
  • OTX - Open Threat Exchange is a wonderful community sharing platform that helps clients to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of Real World Intelligence and what AlienVault intends to do with this data remains to be seen. For now, it is being used by USM Correlation engine to provide better context and content for Security monitoring. AlienVault Labs, is also utilizing this infrastructure to constantly update Detection rules for malware vectors, vulnerability exploits etc. QRadar and ArcSight provide Intelligence, but it is commercial intelligence and not community intelligence. With community intelligence, you get more hits than misses.
  • Multi-Tenancy – While this feature may not elicit interest from many readers, those who have worked in an MSSP environment can understand why this is a very important feature to have. AV USM does support Multi-Tenancy out of the box. This, when combined with the Architecture flexibility, provides great MSSP models to sell and operate. The key is to understand how the multi-tenancy works. Basically, a single database is used to store data of several customers using a Data Isolation Logic and Permission control. The data isolation logic is based on Entities created in USM (Assets, Users, Components Assigned (Sensors) etc. are grouped together as a Single Entity) and Permissions (applied in a granular fashion to data sets related to the Entities). QRadar, ArcSight and other major SIEM products provide this as well.
  • Price: One of the areas where AV USM benefits is Price. They are affordable while offering a whole lot of SIEM features. Mostly, this turns out to be the deciding factor for Small and Medium Enterprise segments. QRadar, ArcSight and Splunk are some of the most expensive SIEM products out there in the market, and not everyone has the budget to buy them. In such cases, AV USM is a very cost effective alternative.
  • Customization: Again, this is one point where AlienVault outshines the competition in capability of customization. We have seen several customers who are using AV USM with heavy customization to perform threat detection, Asset Discovery, Threat scoring, APT detection etc. This flexibility is really desired by Security analysts and AV USM is making good on this promise.

What is bad?

  • But King of None… – As mentioned in the good, being a jack of all is well suited for certain organizations, but lacking mature functionality and expertise in any of those areas is a strong negative. For example, the correlation engine is nowhere close to the likes of ArcSight, QRadar or Splunk etc. The threat Intelligence is not as good as QRadar, McAfee, RSA etc. And so on and so forth. So when it comes to critical functionality expertise, AV USM is found lacking.
  • Database – AV USM is using MySQL for its database. All the issues related to a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database, and this causes an issue in terms of scalability, especially with high log volume environments, because backup and restore is time- and CPU/RAM-consuming. USM could hugely benefit from moving to a non-DB log storage architecture, thereby giving more flexibility in data management, but whether AV will take that route is doubtful. Based on their product direction, they are looking at Percona Server to replace MySQL. While it is a good move, it is still a customized MySQL replacement, and may not add much desired scale to the product.
  • Product Stability – The biggest issue we have seen with the product is its poor stability. With way too many components, myriad integrations and a ton of scripts, the product is really unstable. Every version upgrade is a nightmare. Re-installation or re-start is the most common solution for the product to start working again. In a mission critical environment, this is a complete NO-NO. One of the most common and frequently failing components is the DB. Issues like DB corruptions, access issues, disk errors, unresponsive queries etc. really test the patience of end users on a regular basis. This in our opinion is the most damning negative about AV USM.
  • Integration – While AV USM is known for being customization friendly, the number of out-of-the-box plugins for Log Monitoring and Correlation is limited to the well known products. It does not have comprehensive integration capabilities with, say, legacy applications, directory services, databases etc. that other SIEM vendors boast of. Similarly, it relies mostly on its own “pre-packaged” tools for data enrichment and hence has poor “Third Party” integration capabilities. However, if you really are a developer of open source products, the integration challenge can be overcome. But how many are willing in the real world enterprise?
  • Correlation & Workflow – What good is a SIEM product if it cannot perform advanced Correlation and Operational workflow? AV USM has a strong foundation in Correlation using XML driven Directives and Alarm thresholds. However, when it comes head-to-head with the Industry leaders like ArcSight, QRadar, Splunk etc. it falls terribly short. We particularly like the Cyber Kill Chain flow which a lot of customers are using for complete visibility, but this is not the end game in real world enterprise operations, where not all the data points required for the directive are always available. The same goes for the workflow, where the integration with external ticketing or issue tracking systems is very limited and hence acts as a deterrent in large scale deployments.
  • Technical Support – One of the common issues we hear about AV support is that it is of inconsistent and poor quality. Most of the time, the solution relies on a re-install or re-start or a bug-fix, because there are way too many components to troubleshoot, and this leaves support to resort to re-install or re-start without thorough root cause analysis.
  • Product Vision Stagnation – This may not be much of an issue for potential users of AV USM, however it is important to note that the product has not gone through major leaps in the last 4 years. It has had more than 3 major releases and 20+ minor releases, but nothing path-breaking has been brought to the market. It has remained in the “promising products to watch” category for way too long. One of the main reasons, we think, is economies of scale. Since they are priced lower and cater to the SME segment, the amount of money invested in development is less, and hence the result.

Conclusion:

In short, we would like to conclude by saying that AV USM is definitely a great addition for organizations who want cost effective, quick and easy SIEM solutions. However, it still has a long way to go in competing with the big guns out there, for it lacks both in firepower as well as range. So what do you think about AlienVault? Feel free to post your comments below.

My review is based on my own experience and opinion after I tested a trial version of the product for a 30-day period.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
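The Infosecnirvana review above describes three mechanisms that are worth seeing side by side: sensors normalizing raw events before forwarding them, a single shared database whose tenant isolation rests entirely on entity tags plus permission checks in the query layer, and XML-driven correlation directives that raise an alarm when an ordered sequence of event types is observed. The following Python model is an added example written for this page, not AlienVault or OSSIM code: the event field names, the minimal `<directive>`/`<rule>` XML shape, the `EventStore` class and the sample sshd log lines are all constructed for illustration and do not reproduce the product's real schema or formats.

```python
"""Toy sensor -> server model: normalize raw lines, store them with an
entity (tenant) tag, query them only through entity-scoped permissions,
and run a minimal XML-driven correlation directive over the result.
Added example; not AlienVault/OSSIM code. All formats are constructed."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample sensor input: (entity the sensor is assigned to, raw line).
RAW_EVENTS = [
    ("acme", "Mar 3 10:00:01 web1 sshd[201]: Failed password for root from 198.51.100.7 port 4001 ssh2"),
    ("acme", "Mar 3 10:00:04 web1 sshd[201]: Failed password for root from 198.51.100.7 port 4002 ssh2"),
    ("acme", "Mar 3 10:00:09 web1 sshd[201]: Failed password for root from 198.51.100.7 port 4003 ssh2"),
    ("acme", "Mar 3 10:00:15 web1 sshd[201]: Accepted password for root from 198.51.100.7 port 4004 ssh2"),
    ("globex", "Mar 3 10:01:00 db2 sshd[77]: Failed password for admin from 203.0.113.9 port 5100 ssh2"),
    ("globex", "Mar 3 10:01:30 db2 sshd[77]: Accepted password for admin from 203.0.113.9 port 5101 ssh2"),
]

SSH_RE = re.compile(
    r"(?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def normalize(entity, raw):
    """Sensor-side normalization: map one raw line onto fixed event fields.
    Returns None for lines the (hypothetical) plugin does not understand."""
    m = SSH_RE.search(raw)
    if not m:
        return None
    return {
        "entity": entity,
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src"],
        "event_type": "ssh_login_failed" if m["outcome"] == "Failed" else "ssh_login_success",
    }


class EventStore:
    """One shared store for all tenants; isolation is enforced by the query
    layer (entity tag + permitted-entity set), not by separate databases."""

    def __init__(self):
        self._events = []

    def ingest(self, event):
        self._events.append(event)

    def query(self, permitted_entities, **filters):
        """Return only events whose entity the principal is permitted to see,
        optionally narrowed by exact-match field filters."""
        return [
            e for e in self._events
            if e["entity"] in permitted_entities
            and all(e.get(k) == v for k, v in filters.items())
        ]


# Constructed directive: three failed SSH logins followed by a success from
# the same source and user. Hypothetical schema, not the product's own.
DIRECTIVE_XML = """<directive name="ssh_bruteforce_then_success">
  <rule type="ssh_login_failed" occurrence="3" />
  <rule type="ssh_login_success" occurrence="1" />
</directive>"""


def run_directive(xml_text, events):
    """Evaluate an ordered directive: every rule must be satisfied in sequence
    by events that share the same (entity, src_ip, user). Returns alarm dicts."""
    root = ET.fromstring(xml_text)
    rules = [(r.get("type"), int(r.get("occurrence", "1"))) for r in root.findall("rule")]
    by_key = defaultdict(list)
    for e in events:  # ingestion order is preserved per key
        by_key[(e["entity"], e["src_ip"], e["user"])].append(e)
    alarms = []
    for (entity, src_ip, user), seq in by_key.items():
        idx = 0
        for etype, needed in rules:
            count = 0
            while idx < len(seq) and count < needed:
                if seq[idx]["event_type"] == etype:
                    count += 1
                idx += 1
            if count < needed:
                break
        else:  # every rule matched in order
            alarms.append({"directive": root.get("name"), "entity": entity,
                           "src_ip": src_ip, "user": user})
    return alarms


def build_store():
    """Simulate the sensors: normalize every raw line and ingest it."""
    store = EventStore()
    for entity, raw in RAW_EVENTS:
        ev = normalize(entity, raw)
        if ev:
            store.ingest(ev)
    return store


def alarms_for(store, permitted_entities):
    """Correlation only ever sees the events the principal may read."""
    return run_directive(DIRECTIVE_XML, store.query(permitted_entities))


if __name__ == "__main__":
    s = build_store()
    print(alarms_for(s, {"acme"}))    # one alarm for acme's 198.51.100.7
    print(alarms_for(s, {"globex"}))  # [] -- only one failure, threshold not met
    print(len(s.query({"globex"})))   # 2; acme's rows never leak into globex's view
```

The design point is in `EventStore.query`: because a single table holds every tenant's rows, a missing or wrong `permitted_entities` check is the whole isolation boundary, so correlation (`alarms_for`) is deliberately fed only through that scoped query rather than touching `_events` directly. The same structure makes the sequence-based directive easy to test for the failure mode the reviewer mentions, where a required data point is absent: `globex` has only one failed login, so the first rule is never satisfied and no alarm fires.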
Senior Network Architect / Network Team Leader at ICE Consulting, Inc.
Real User
Threat detection, incident response, and compliance management in an all-in-one solution
Pros and Cons
  • "The other big selling feature for us was its integration capabilities with all the other security-based products."
  • "I'd like to see a dashboard that's a little more descriptive."

What is our primary use case?

We were trying to get into the security market to be able to offer something to our clients who are asking for a monitoring event management system. We started looking at what we could offer as an MSP to our clients; that's what drove us into evaluating different SIEM products, to get a better understanding of how the billing is set up as a partner. AlienVault had the best setup for MSPs — the way they are set up for billing and the way they set up their USM account.

What is most valuable?

The reason why we went with AT&T AlienVault USM was because we liked their reporting capability a little better than some of the other ones we evaluated; however, the biggest draw for us was how AT&T has their MSP program set up. In most cases, you have to buy a certain number of either agents or sensors which are, more or less, the program. With an MSP, our clients don't have to buy any — there are no minimum requirements. AlienVault provided us with really good worksheets to detail the number of sensors needed when we are in negotiations with prospective clients. We can also use them to determine the number of devices that are going to be monitored, and how we can tailor the customer setup based on what the customer requirement is.

The other big selling feature for us was its integration capabilities with all the other security-based products — not just security-based, but application settings in general. It works with Google Drive, Gmail, and Microsoft 365. It also works with different antivirus software, from Proofpoint to Okta — all of the different pieces of applications that we normally provide as a best practice to our clients. This software can interact with them all and pull the event data and the security data from all of these different applications, and more.

What needs improvement?

I'd like to see a dashboard that's a little more descriptive. We can customize the dashboards, but the out-of-the-box dashboards are kind of bland. Since we give our customers access to their dashboards, it would be nice if they were a little bit more intuitive. We can easily drill into it and show them everything, but the customer just sees the writing on the page.

I'd like to see them dress up their out-of-the-box dashboard a little bit. We have the ability to do a lot of that. 

Since they have this image, and a strong MSP program, I would love to see them allow branding, which they don't at this point.

For how long have I used the solution?

We deployed the demo roughly eight months ago.

What do I think about the stability of the solution?

AT&T AlienVault USM has been very stable.

How are customer service and technical support?

Their support has been stellar. Any issues that we had with trying to get it configured or trying to interpret instructions, we could just make a quick phone call and they were there to help us.

How was the initial setup?

I'd say it was kind of in the middle, complexity-wise. It's actually fairly easy to deploy a new client. 

What's my experience with pricing, setup cost, and licensing?

It's competitive with other similar solutions; however, I don't do the billing so I can't properly comment on it.

What other advice do I have?

Most of our clients are small to medium-sized businesses; they can't afford to go out and purchase a SIEM on their own. They're looking for us to provide something for them. This is why we provide HCZ cybersecurity and Alien Vault, etc.

If you're an MSP and you're servicing small to medium-sized clients, this is definitely a product that you want to look at and evaluate. When we were doing our evaluations, we were looking at the applications that are supported out-of-the-box, without having to develop any special APIs. We wanted a pre-built application that supported most of the applications that we use within our client base.

On a scale from one to ten, I would give this solution a rating of eight.

I'd like to see a little bit more work, out-of-the-box, regarding the dashboards. I'd like to see them provide us with branding capabilities, to be able to put our logos on the dashboard so that the client understands that it's coming from Ice Consulting instead of Alien Vault.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
VP at Castra Consulting
Real User
Makes it easy to aggregate, correlate, and view different security logs in a single place
Pros and Cons
  • "The IDS and the threat intelligence are very useful. They are very intuitive and data-rich."
  • "One area that has room for improvement is storage. AllienVault is a good place to put logs, but sometimes it's a tough place to go get logs... The logger can only hold so much data. If they improved that, that would help."

What is our primary use case?

We use it to gain security visibility and to meet compliance.

We're not just a customer but we're a partner as well. We've deployed this into thousands of organizations and we continue to see that happening. It's a great tool.

How has it helped my organization?

It's really easy to aggregate, correlate, and view several different security logs and several different data pieces in a single place. That's what allows us to see the security logs that we need to see to determine if there is something malicious on our network or not.

Also, aggregating the logs and putting them in a central place helps us to comply with certain regulations, the details of which I can't go into.

We have been able to use AlienVault to find critical vulnerabilities in our network and it has helped reduce the time it takes to respond to a threat.

What is most valuable?

The IDS and the threat intelligence are very useful. They are very intuitive and data-rich.

What needs improvement?

One area that has room for improvement is storage. AlienVault is a good place to put logs, but sometimes it's a tough place to go get logs. AlienVault has three components to it: a sensor, a server, and a logger. Sensors grab data, servers correlate data, and loggers store data. The logger can only hold so much data. If they improved that, that would help.

For how long have I used the solution?

More than five years.

What do I think about the scalability of the solution?

It has great scale. We have brought it into several publicly traded global organizations, with thousands of users. The users are anything from a CCO down to a network administrator.

For a large deployment like that, the number of our staff required depends on a few things but, generally, it would take one to three people. It also requires about three people for maintenance. Their roles would likely be anyone who is leading or managing an InfoSec team.

How are customer service and technical support?

The technical support team is responsive and helpful. They communicate and they are engaged. We work with them on a daily basis and they're on it.

Which solution did I use previously and why did I switch?

We did not work with a previous solution. We decided to bring it into our organization based on its value. It allows you to do a lot with a small price tag.

How was the initial setup?

As partners, we think the setup is pretty straightforward but I imagine it depends on whom you ask. There are a lot of people who don't think so, but we think it's pretty straightforward. It has an easy-to-go-along Start menu, and the overall GUI is easy to navigate. It's pretty step-by-step, as long as you can follow those directions.

It can be as simple or complex as you want it to be. But for the most part, it's just a very easy tool to be able to engage with, to click on. They make it intuitive.

Sometimes deployment takes a couple of hours, sometimes it takes a couple of days, depending on the size of deployment.

We definitely have an implementation strategy but there are a lot of details to that. Just stay organized, pay attention to the details, cross your T's and dot your I's.

What was our ROI?

There is an ROI although I don't have the exact figures on it. The ROI is in the area of technology products that we have to go purchase: Instead of having to go buy a million dollars worth of cybersecurity products, we have saved a lot of money on that. It has also saved us loads of time as a result of not having to integrate it with a ton of other things.

What's my experience with pricing, setup cost, and licensing?

The pricing is the best on the market.

Which other solutions did I evaluate?

We evaluated every single SIEM on the market. The major difference that made AlienVault stand out is the unification, meaning the integration of technologies out-of-the-box, as opposed to having to do it on your own.

What other advice do I have?

Have an idea of a plan and know where things in your network are and know who can give you access to certain things you might need.

In terms of how extensively we're using it, I'd be surprised if there was anyone outside of our team that is using it more extensively than we are.

I would rate AlienVault at ten out of ten.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you for your feedback!
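The review above describes the product's three roles (sensors grab data, servers correlate it, loggers store it) and notes that the logger can only hold so much, so old events can be hard to retrieve. The following is an added illustration written for this page, not AlienVault's own code: a toy pipeline in Python that models those three roles over a few constructed syslog-style SSH lines. The brute-force rule (three failures followed by a success from the same source within a window), the thresholds, the field names and the logger capacity are all assumptions chosen for the example. It shows the server raising a correlated alarm from the full stream while the capacity-bounded logger has already evicted the first failure that contributed to it.

```python
import re
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog-style lines for the example (not real captures).
RAW_LINES = [
    "2024-03-01T10:00:01Z host1 sshd[811]: Failed password for admin from 203.0.113.7 port 50211 ssh2",
    "2024-03-01T10:00:03Z host1 sshd[811]: Failed password for admin from 203.0.113.7 port 50212 ssh2",
    "2024-03-01T10:00:05Z host1 sshd[811]: Failed password for admin from 203.0.113.7 port 50213 ssh2",
    "2024-03-01T10:00:09Z host1 sshd[811]: Accepted password for admin from 203.0.113.7 port 50214 ssh2",
    "2024-03-01T10:00:12Z host2 sshd[902]: Accepted publickey for deploy from 198.51.100.4 port 41002 ssh2",
    "2024-03-01T10:00:15Z host1 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Assumed sshd message shape; a real sensor would carry many such parsers.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"(?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def sensor_parse(line):
    """Sensor role: normalize one raw line into an event dict.
    Returns None when no parser matches (the cron line is dropped)."""
    m = SSH_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


class Logger:
    """Logger role with bounded retention: once `capacity` events are held,
    the oldest is evicted on every write, so it can no longer be searched."""

    def __init__(self, capacity):
        self.store = deque(maxlen=capacity)

    def write(self, event):
        self.store.append(event)

    def search(self, **criteria):
        """Return retained events whose fields equal every given criterion."""
        return [e for e in self.store
                if all(e.get(k) == v for k, v in criteria.items())]


def server_correlate(events, threshold=3, window=timedelta(seconds=60)):
    """Server role: flag a (source, user) pair that produced at least
    `threshold` failures inside `window` and then a successful login.
    Returns a list of (src, user, success_ts) alarms."""
    failures = defaultdict(list)
    alarms = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["src"], e["user"])
        if e["outcome"] == "Failed":
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            alarms.append((e["src"], e["user"], e["ts"]))
        failures[key].clear()
    return alarms


def run_pipeline(lines, logger_capacity=4):
    """Wire the three roles together: sensor -> server (in-memory stream)
    and sensor -> logger (bounded store). Returns (alarms, logger)."""
    logger = Logger(logger_capacity)
    events = []
    for line in lines:
        event = sensor_parse(line)
        if event is None:
            continue
        events.append(event)
        logger.write(event)
    return server_correlate(events), logger


if __name__ == "__main__":
    alarms, logger = run_pipeline(RAW_LINES)
    for src, user, ts in alarms:
        print(f"ALARM brute-force followed by success: {user}@{src} at {ts.isoformat()}")
    print("events retained by logger:", len(logger.store))
    print("failures still searchable:", len(logger.search(outcome="Failed")))
```

Running it produces one alarm for admin@203.0.113.7, built from three failures, yet only two of those failures remain searchable in the logger because the fourth write evicted the first. That gap between what the correlation engine saw and what the store can still return is the storage caveat the reviewer is pointing at; sizing retention against the longest correlation window you rely on is the practical check.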

PeerSpot user
Manager, Security Operation Center at Ideal Integrations
Real User
It is easy to implement, and effective

What is our primary use case?

  • MDR provider
  • Logs aggregation
  • Vulnerability assessments
  • Some automation

We needed a way to see all of these items under one pane of glass without spending incredible amounts of money on log aggregation, vulnerability assessments, etc., then putting it all together with an IR platform. 

How has it helped my organization?

It answered a bunch of questions for us, such as what will we use for vulnerability assessments on a continual basis, how do we tie those reports into alerts/incidents, log aggregation, correlation, etc.

What is most valuable?

  • Vulnerability assessments and log aggregation/correlation

These were the two answers we needed for our solution. It gave those solutions very easily. It is easy to implement, and effective.

What needs improvement?

The support could absolutely be better. It seems to have gotten worse with the AT&T acquisition. 

We have been hearing some not so great things from our associates in the field as well.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Very stable so far. We have seen very few bugs or downtime.

What do I think about the scalability of the solution?

It is pretty scalable for small/medium businesses. It starts to fade at enterprise. It is possible, but you will definitely run into limitations.

How are customer service and technical support?

Eh. Our experiences have been very mixed. If you get someone who is motivated to help, expect to be good to go. Otherwise, expect the problem not to get a good priority, and it may even get dragged out to a conclusion.

Which solution did I use previously and why did I switch?

We used, tested, and tried several solutions prior to this solution. This solution answered too many questions under one reasonable cost, as opposed to piecemealing everything together for more money.

How was the initial setup?

Super simple, almost anyone could do it. It is quick as well. 

What about the implementation team?

We do everything in-house.

What was our ROI?

Good.

What's my experience with pricing, setup cost, and licensing?

I think, for the market, it is very straightforward and super easy to deploy. Licensing is straightforward in comparison to others.

Which other solutions did I evaluate?

We evaluated:

Disclosure: My company has a business relationship with this vendor other than being a customer: We currently use this, so therefore we are a customer, but we also deploy this as part of our MDR solution today.
Tami Andrews, Sr. Customer Programs Manager at AlienVault
Real User

Thank you, Corey, for your comments!
