AT&T AlienVault USM Overview

AT&T AlienVault USM is #12 ranked solution in Log Management Software and top Security Information and Event Management (SIEM) tools. IT Central Station users give AT&T AlienVault USM an average rating of 8 out of 10. AT&T AlienVault USM is most commonly compared to Splunk: AT&T AlienVault USM vs Splunk. The top industry researching this solution is Computer Software Company, accounting for 28% of all views.
What is AT&T AlienVault USM?

AlienVault USM Anywhere is a cloud-based security management solution that accelerates and centralizes threat detection, incident response, and compliance management for your cloud, hybrid cloud, and on-premises environments. USM Anywhere includes purpose-built cloud sensors that natively monitor your Amazon Web Services (AWS) and Microsoft Azure cloud environments. On premises, lightweight virtual sensors run on Microsoft Hyper-V and VMware ESXi to monitor your virtual private cloud and physical IT infrastructure.

With USM Anywhere, you can rapidly deploy sensors into your cloud and on-premises environments while centrally managing data collection, security analysis, and threat detection from the AlienVault Secure Cloud.

Five Essential Security Capabilities in a Single SaaS Platform

AlienVault USM Anywhere provides five essential security capabilities in a single SaaS solution, giving you everything you need for threat detection, incident response, and compliance management—all in a single pane of glass. With USM Anywhere, you can focus on finding and responding to threats, not managing software. An elastic, cloud-based security solution, USM Anywhere can readily scale to meet your threat detection needs as your hybrid cloud environment changes and grows.

  1. Asset Discovery
  2. Vulnerability Assessment
  3. Intrusion Detection
  4. Behavioral Monitoring
  5. SIEM

Try USM Anywhere in your environment—free for the first 14 days. 
www.alienvault.com/products/usm-anywhere/free-trial

AT&T AlienVault USM is also known as AlienVault, AlienVault USM, Alienvault Cybersecurity.

AT&T AlienVault USM Buyer's Guide

Download the AT&T AlienVault USM Buyer's Guide including reviews and more. Updated: October 2021

AT&T AlienVault USM Customers

Abel & Cole, Bank of Ireland, Bluegrass Cellular, CareerBuilder, Claire's, Hays Medical Center, Hope International, McCurrach, McKinsey & Company, Party Delights, Pepco Holdings, Richland School District, Ricoh, SaveMart, Shake Shack, Steelcase, TaxAct, Taylor Morrison, Vonage and Zoom

Archived AT&T AlienVault USM Reviews (more than two years old)

MA
SOC Manager at a tech services company with 11-50 employees
Real User
Good security management capabilities but the interface needs to be more user-friendly

What is our primary use case?

This is a SIEM solution that our customers use in an on-premises deployment.

What is most valuable?

The most valuable feature of this solution is security management for PCI DSS.

What needs improvement?

This solution could be easier to use. It is hard for some people to understand, and they need to get training and certification just to understand what it's showing them.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

In terms of stability, I would give it fifty percent.

What do I think about the scalability of the solution?

The scalability of this solution is good.

We have a large number of customers who use this product on a daily basis.

How are customer service and technical support?

Technical support is very good from their side.

How was the initial setup?

The initial setup of this solution is a bit complex. Specifically, it is the way that it integrates with other products.

What about the implementation team?

We deployed this solution in-house.

What other advice do I have?

This is a good product but it can be made more user-friendly.

I would rate this solution a seven out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Denis L
Sales Solutions Engineer at a tech services company with 51-200 employees
Reseller
Easy to deploy and flexible enough to create your own plugins

Pros and Cons

  • "This solution can identify many threats inside the organization (compromised endpoints, configuration issues), as well as "outside" threats (botnets, network scanners, web-attacks, etc)."
  • "It would be nice to see some machine learning and monitoring of the configuration in network devices."

What is our primary use case?

The primary use cases for this solution are log management, security events correlation, and any other enterprise use cases for SIEM (new plugins development, correlation rules development, risk assessment, and asset management).

How has it helped my organization?

This solution can identify many threats inside the organization, like compromised endpoints, configuration issues, as well as "outside" threats (botnets, network scanners, web-attacks, etc). During the first two weeks post-deployment, our client's cybersecurity certainly improves by using AT&T AlienVault USM.

What is most valuable?

The features that we have found most valuable are the out-of-box vulnerability scanner, Network IDS, Host IDS, Netflow Monitoring, and more than four thousand pre-installed correlation rules.

What needs improvement?

Having automatic agent deployment would be a great feature. It would be nice to see some machine learning and monitoring of the configuration in network devices.

For how long have I used the solution?

One to three years.

How was the initial setup?

This solution is very easy to deploy and integrates comfortably with data sources. AT&T AlienVault USM has a user-friendly engine for custom plugins development, so you can develop your own plugin for your own application without any problems.

Disclosure: My company has a business relationship with this vendor other than being a customer: Authorized distributor
Erlon Sousa Pinheiro
DevOps Engineer at Two Hat Security
Consultant
The vulnerability scanner keeps our environment always updated about security threats

What is our primary use case?

Our initial need which brought us to acquire this solution was to be in compliance with GDPR requirements. Our environment is cloud-based (specifically AWS).

How has it helped my organization?

Beyond providing us with an IDS, which was our initial need, AlienVault gave us more useful resources, such as a SIEM and a vulnerability scanner (the latter being one of my favourite resources).

What is most valuable?

My favourite one is the vulnerability scanner because while using it, our environment is always updated about security threats.

What needs improvement?

Taking into account that server access credentials are controlled by the tool, some more management-focused actions could be performed from AlienVault.

For how long have I used the solution?

Less than one year.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
JM
I.T. Manager at a non-profit with 51-200 employees
Real User
We can collect logs, and also actively scan our network for vulnerabilities all from one tool

What is our primary use case?

We use AlienVault to collect all mission-critical logs and to pull data directly from G Suite. It provides our small IT operation with an easy-to-use tool to assess our security operations.

How has it helped my organization?

Before AlienVault, we had no central log collection tool of any kind, let alone security monitoring. AlienVault provides us with a very easy to use, central spot to view log files, and take appropriate action. It allows our small team the ability to take cybersecurity seriously.

What is most valuable?

The fact that AlienVault is several tools in one is most valuable to our small team. We can collect logs, and also actively scan our network for vulnerabilities all from one tool.

What needs improvement?

Long-term, I'm genuinely concerned about AT&T's ownership of AlienVault. I have never had a good relationship with AT&T in over 15 years, and fear they will destroy this good product.

What do I think about the stability of the solution?

Concerned long-term, due to AT&T.

What do I think about the scalability of the solution?

It is very scalable, just ask them to increase the amount of storage.

How are customer service and technical support?

Tech support has been a bit slow lately, and the level-1 techs do not have all the power they should have.

Which solution did I use previously and why did I switch?

Before AlienVault we had nothing. We learned about AlienVault through a company we contracted to do a full vulnerability assessment. They used AlienVault, so I felt like if it was good enough for them, then we should be using it.

How was the initial setup?

Very simple, just follow their directions step-by-step and you will be fine.

What about the implementation team?

I did the implementation myself. Their documentation made it easy.

What's my experience with pricing, setup cost, and licensing?

I'd push them for pricing. I sense the best time to negotiate with them is in June as the fiscal year ends.

Which other solutions did I evaluate?

We found other tools to be out of reach for our small department, so we did not seriously look at others.

What other advice do I have?

Be careful with AT&T, make sure you are confident the tool will be what you expect throughout the life of your contract. Make sure AT&T isn't going to change anything on you suddenly.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Senior Buyer & Operations Specialist at Nth Generation Computing
Real User
I've found the vulnerability assessment very valuable because it identifies vulnerabilities and AWS configuration issues

What is our primary use case?

We have used AlienVault for our security monitoring for threat protection and compliance management. We've seen an improvement against malware and viruses. It has definitely eased our concerns so we can focus on other things.

How has it helped my organization?

AlienVault is very user-friendly. We've had a great experience with asset discovery, compliance reporting, endpoint detection and response. Our team uses the network infrastructure monitoring as well.

What is most valuable?

  • In my experience, I've found the vulnerability assessment very valuable because it identifies vulnerabilities and AWS configuration issues, so we are less likely to have potential risks. 
  • The compliance reporting is also valuable for reporting purposes.

What needs improvement?

The only recommended changes I can think of are having the ability to filter logs and being able to navigate the dashboard. That seems to have been quite a challenge.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

There are multiple functions in this product, and the stability and availability are awesome.

What do I think about the scalability of the solution?

The scalability of this solution is exceptional. I believe it's very reliable and dependable.

Which solution did I use previously and why did I switch?

I'm not familiar with what was used prior to AlienVault, nor the reason the switch was made. I'm just very pleased.

How was the initial setup?

Yes, our team did not have any issues with the initial setup of AlienVault and its functions.

What about the implementation team?

In-house.

What was our ROI?

The return on investment is great. I feel this product is well worth the price for all the functions and performance it can provide.

What's my experience with pricing, setup cost, and licensing?

I advise others on the pricing and licensing. I research to find the best pricing for the value of the products as well as register all licensing.

Which other solutions did I evaluate?

No, our tech department did the evaluating of all the options and chose AlienVault.

What other advice do I have?

AlienVault is an amazing product that I would highly recommend.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
kr1spy84
Security Systems Administrator at Vertical Screen
User
We develop additional rules and scripts to make it more usable. It provides a checklist answer when using SIEM. I believe we are on the verge of outgrowing this platform.

Pros and Cons

  • "AlienVault provides a checklist answer when using SIEM."
  • "We develop additional rules and scripts to make it more usable."

What is our primary use case?

This is a jack of all trades (master of none) SIEM/IDS/vulnerability management/OSSEC/NetFlow solution. We use it primarily as a SIEM and IDS solution.

How has it helped my organization?

AlienVault provides a checklist answer when using SIEM. We currently develop additional rules and scripts to make it more usable, but the overall solution is lackluster.

What is most valuable?

IDS is a nice capability to have. In the past, I have implemented standalone Suricata sensors and having this bundled in is very helpful. OTX is good when implemented correctly.

What needs improvement?

Many of the tasks or features are useless in our situation. NetFlow is worthless. Many of the built-in correlation engine solutions are just okay.

For how long have I used the solution?

One to three years.

What's my experience with pricing, setup cost, and licensing?

The vulnerability management solution is worse than buying a Nessus Professional license.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Christian Caldarone
ISO (Information Security Officer) with 10,001+ employees
Real User
Enables managing everything from one place, including vulnerability assessments and asset management

Pros and Cons

  • "It provides a single pane of glass view, coupled with a whole security ecosystem. The ability to manage everything from a central point, including vulnerability assessments, asset management - including the services provided by the various hosts, NIDS, HIDS, etc. - provides a very efficient way of dealing with things."
  • "The reporting module could be a little easier to handle, as it requires quite some trial and error until you get the reports you want. Also, it would be great to have a graphical interface for the Network Intrusion Detection System's rule management."

What is our primary use case?

Our primary use case is Security Information and Event Management, as well as forensic analysis.

How has it helped my organization?

Undoubtedly having all security core technology under one roof, as provided by the all-in-one USM solution from AlienVault, is a big advantage for day-to-day business security operations. From real experience, it has enabled total transparency in terms of security information and events, from day one.

What is most valuable?

It provides a single pane of glass view, coupled with a whole security ecosystem. The ability to manage everything from a central point, including vulnerability assessments, asset management - including the services provided by the various hosts - NIDS, HIDS, etc., provides a very efficient way of dealing with things.

Their OTX intel is also great, as one needs to know who is running around threatening the IT infrastructure with a "crowbar."

What needs improvement?

The reporting module could be a little easier to handle, as it requires quite some trial and error until you get the reports you want. Also, it would be great to have a graphical interface for the Network Intrusion Detection System's rule management.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The solution is rock solid; never any issues.

What do I think about the scalability of the solution?

We have not experienced any scalability issues, but we also know that you can easily add more sensors, which helps to spread the load.

How are customer service and technical support?

Technical support is always helpful and responsive. They do care about their customers.

Which solution did I use previously and why did I switch?

Our previous solution consisted of building a SIEM based on individual components/modules from the open-source space.

How was the initial setup?

The initial setup is absolutely straightforward. It is up and running in no time. This is definitely one of the unique selling propositions of the solution.

What's my experience with pricing, setup cost, and licensing?

So far, it has been a good solution for a tight budget.

What other advice do I have?

AlienVault is a great fit, especially for smaller organizations, as it will enable you to produce quick results with no need to worry about too many details.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PF
VP at Castra Consulting
Real User
Makes it easy to aggregate, correlate, and view different security logs in a single place

Pros and Cons

  • "The IDS and the threat intelligence are very useful. They are very intuitive and data-rich."
  • "One area that has room for improvement is storage. AllienVault is a good place to put logs, but sometimes it's a tough place to go get logs... The logger can only hold so much data. If they improved that, that would help."

What is our primary use case?

We use it to gain security visibility and to meet compliance.

We're not just a customer but we're a partner as well. We've deployed this into thousands of organizations and we continue to see that happening. It's a great tool.

How has it helped my organization?

It's really easy to aggregate and correlate and view several different security logs and several different data pieces in a single place. That's what allows us to see the security logs that we need to see to determine if there is something malicious on our network or not.

Also, aggregating the logs and putting them in a central place helps us to comply with certain regulations, the details of which I can't go into.

We have been able to use AlienVault to find critical vulnerabilities in our network and it has helped reduce the time it takes to respond to a threat.

What is most valuable?

The IDS and the threat intelligence are very useful. They are very intuitive and data-rich.

What needs improvement?

One area that has room for improvement is storage. AlienVault is a good place to put logs, but sometimes it's a tough place to go get logs. AlienVault has three components to it: a sensor, a server, and a logger. Sensors grab data, servers correlate data, and loggers store data. The logger can only hold so much data. If they improved that, that would help.

For how long have I used the solution?

More than five years.

What do I think about the scalability of the solution?

It has great scale. We have brought it into several publicly traded global organizations, with thousands of users. The users are anything from a CCO down to a network administrator.

For a large deployment like that, the number of our staff required depends on a few things but, generally, it would take one to three people. It also requires about three people for maintenance. Their roles would likely be anyone who is leading or managing an InfoSec team.

How are customer service and technical support?

The technical support team is responsive and helpful. They communicate and they are engaged. We work with them on a daily basis and they're on it.

Which solution did I use previously and why did I switch?

We did not work with a previous solution. We decided to bring it into our organization based on its value. It allows you to do a lot with a small price tag.

How was the initial setup?

As partners, we think the setup is pretty straightforward but I imagine it depends on whom you ask. There are a lot of people who don't think so, but we think it's pretty straightforward. It has an easy-to-go-along Start menu, and the overall GUI is easy to navigate. It's pretty step-by-step, as long as you can follow those directions.

It can be as simple or complex as you want it to be. But for the most part, it's just a very easy tool to be able to engage with, to click on. They make it intuitive.

Sometimes deployment takes a couple of hours, sometimes it takes a couple of days, depending on the size of deployment.

We definitely have an implementation strategy but there are a lot of details to that. Just stay organized, pay attention to the details, cross your T's and dot your I's.

What was our ROI?

There is an ROI although I don't have the exact figures on it. The ROI is in the area of technology products that we have to go purchase: Instead of having to go buy a million dollars worth of cybersecurity products, we have saved a lot of money on that. It has also saved us loads of time as a result of not having to integrate it with a ton of other things.

What's my experience with pricing, setup cost, and licensing?

The pricing is the best on the market.

Which other solutions did I evaluate?

We evaluated every single SIEM on the market. The major difference that made AlienVault stand out is the unification, meaning the integration of technologies out-of-the-box, as opposed to having to do it on your own.

What other advice do I have?

Have an idea of a plan and know where things in your network are and know who can give you access to certain things you might need.

In terms of how extensively we're using it, I'd be surprised if there was anyone outside of our team that is using it more extensively than we are.

I would rate AlienVault at ten out of ten.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
ITCS user
Manager, Security Operation Center at Ideal Integrations
Real User
It is easy to implement, and effective

What is our primary use case?

  • MDR provider
  • Logs aggregation
  • Vulnerability assessments
  • Some automation.

We needed a way to see all of these items under one pane of glass without spending incredible amounts of money on log aggregation, vulnerability assessments, etc., then putting it all together with an IR platform. 

How has it helped my organization?

It answered a bunch of questions for us, such as what will we use for vulnerability assessments on a continual basis, how do we tie those reports into alerts/incidents, log aggregation, correlation, etc.

What is most valuable?

  • Vulnerability assessments and log aggregation/correlation

These were the two answers we needed for our solution. It gave those solutions very easily. It is easy to implement, and effective.

What needs improvement?

The support could absolutely be better. It seems to have gotten worse with the AT&T acquisition. 

We have been hearing some not so great things from our associates in the field as well.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Very stable so far. We have seen very few bugs, or downtime so far. 

What do I think about the scalability of the solution?

It is pretty scalable for small/medium businesses. It starts to fade at enterprise. It is possible, but you will definitely run into limitations.

How are customer service and technical support?

Eh. Our experiences have been very mixed. If you get someone who is motivated to help, expect to be good to go. Otherwise, expect the problem not to get a good priority, and it may even get dragged out to a conclusion.

Which solution did I use previously and why did I switch?

We used, tested, and tried several solutions prior to this solution. This solution answered too many questions under one reasonable cost, as opposed to piecemealing everything together for more money.

How was the initial setup?

Super simple, almost anyone could do it. It is quick as well. 

What about the implementation team?

We do everything in-house.

What was our ROI?

Good.

What's my experience with pricing, setup cost, and licensing?

I think it is, for the market, very straightforward and super easy to deploy. Licensing is straightforward in comparison to others.

Which other solutions did I evaluate?

We evaluated:

Disclosure: My company has a business relationship with this vendor other than being a customer: We currently use this, so therefore we are a customer, but we also deploy this as part of our MDR solution today.
Rajnikant Bhandare
Security Analyst SOC at Sumasoft Pvt Ltd
Real User
It is easy to deploy with their cloud-based model, and deploying the required agents is quick and easy

What is our primary use case?

AlienVault USM is a single pane of glass solution. It has not only SIEM capabilities but also other capabilities. AlienVault USM Anywhere is easy to deploy with their cloud-based model, and deploying the required agents on-prem (or in the cloud) is quick and easy. USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment's notice.

How has it helped my organization?

  • The system slows down considerably when a large number of events are fed in.
  • Also, AlienVault support has to make some improvements.

What is most valuable?

A vulnerability assessment feature is very helpful for me. Because of this feature, I can schedule a vulnerability assessment for my critical server.

What needs improvement?

While it is relatively easy to use, it takes a little time to get used to where everything is located in the web interface. I do wish that their support would help a bit more with the analysis of alarms.

For how long have I used the solution?

One to three years.

Which solution did I use previously and why did I switch?

No. This is the first security tool I am using.

What's my experience with pricing, setup cost, and licensing?

It is easy to deploy and install an entire solution. I don't have an idea about pricing.

Which other solutions did I evaluate?

N/A.

What other advice do I have?

They have to improve support so they can solve customers' problems in less time.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Lorenzo Ciolfi
VP IT Operations at a financial services firm with 51-200 employees
Real User
Enables us to search for critical vulnerabilities in our network

What is our primary use case?

We use it for the intrusion protection on our firewall. It's monitoring all our incoming traffic from the outside world through a firewall.

How has it helped my organization?

Previous to this, we really didn't have any protection, any intrusion system in place. It's made me more comfortable, since I'm in charge of IT for this company. I sleep better at night.

Using the solution, we have been able to look for critical vulnerabilities in our network. Thankfully, we haven't found any. It takes just a couple of hours.

What is most valuable?

The most valuable feature is what it can block, what it can prevent from coming in.

What needs improvement?

The only thing that I can think of that is not ideal is sending Windows Server logs to their device, to the system. That has to be done on each server. I don't know if they have changed that.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

It's very scalable.

How are customer service and technical support?

Tech support is very good. They usually respond very quickly.

Which solution did I use previously and why did I switch?

This is the first solution of its kind for us.

How was the initial setup?

The initial setup was pretty straightforward. The deployment took about a day. In terms of our implementation strategy, we have the cloud version. You create a VM in your system, it communicates with the cloud, and then you just log in through the cloud.

What's my experience with pricing, setup cost, and licensing?

It's very reasonably priced. It was one of the lowest among the ones I looked at. Licensing is pretty flexible. They can do a two-year or a three-year, even a one-year, perhaps.

Which other solutions did I evaluate?

I looked at two others but I don't remember their names.

What other advice do I have?

Compare it to the other vendors in the field, some of the top vendors. Make sure it fits your needs. It's more for a mid-sized company or a small company, not a large enterprise.

Regarding using it for discovering assets in our network which do not belong, our network isn't that big so we really don't use it for that. We also don't use the solution for compliance with regulations.

When it comes to staff using the solution, at the moment it is me and a monitoring service. We're the only ones who log into the solution. As for deployment, one person could probably do it because they help you deploy it. I did the deployment myself, with AlienVault. For maintenance, if you have a monitoring service that's fine, but if you're doing it yourself, you probably need somebody monitoring the log. When there's an incident, you probably need one or two other people.

I would rate it a nine out of ten. It does what we need and it's reliable.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
TS
Consultant at a tech services company with 11-50 employees
Reseller
The bundle of features is the killer feature, but search performance and Raw Logs are slow

Pros and Cons

  • "On any given day I could give you a different answer regarding the most valuable features of the product. The feature that is most important is the fact that it has a lot of features, that it's not just a log collection and correlation system, that it has a lot of other components built in. The bundle of features is really the killer feature."
  • "Search performance can be slow. The Raw Logs feature is painfully slow. And if we're talking about the newer, the Anywhere product, you can't even schedule reports on the thing. There are probably a dozen other features I'd really like to see there, but that would be one of the biggies."
  • "We've had some stability problems, not a lot, but a few. Updates seem to be the worst. That seems to be when the stability problems come up."

What is our primary use case?

Our use of the solution is all over the map. We use it for our own internal use. We use it in our security operations center. We're a reseller, we're an MSSP, and a Professional Services provider, so we do a lot of professional services on the platform. It's a standard SIEM solution and is used for log collection, log management, event correlation, alarming, and reporting.

How has it helped my organization?

There are probably a billion examples I could give. As a service provider, it helps us because we have all of our clients connected in through our management platform, and we're able to leverage the tools that AlienVault provides to monitor and collect data from all of those systems and identify security incidents for all of our clients. It provides network and host-level visibility and it's easy to tune and manage.

What is most valuable?

On any given day I could give you a different answer regarding the most valuable features of the product. The feature that is most important is the fact that it has a lot of features, that it's not just a log collection and correlation system, that it has a lot of other components built in. The bundle of features is really the killer feature.

In particular though: 

  • ease of use and deployment
  • excellent cloud integration
  • dynamic asset management
  • vulnerability scanning
  • network intrusion detection
  • host-based agent monitoring and collection. 

All of these features combined create a compelling "one-stop" package for a business that needs security monitoring and analytics.

What needs improvement?

Search performance can be slow. The Raw Logs feature is painfully slow. And if we're talking about the newer, the Anywhere product, you can't even schedule reports on it. There are probably a dozen other features I'd really like to see there, but that would be one of the biggies.

Also, there is no visibility into the NIDS or HIDS agent configurations and no easy way to augment them. The same is true for vulnerability scanning, it's all or nothing; there are no fine-grain controls as there were in their older product. There is a lack of "real" visibility into the correlation rules, and the inability to create our own sophisticated rules (only very simple ones) is a big miss.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

We've had some stability problems, not a lot, but a few. Updates seem to be the worst. That seems to be when the stability problems come up.

Sensors occasionally go down during updates and don't recover. Some maintenance cycles on the cloud controller have left the system in a weird state. In addition, there are times when the product seems very slow to respond. This may be related to back-end maintenance that we are not aware of.

What do I think about the scalability of the solution?

It scales reasonably well. There is a scalability plan for it. There is a way to add additional collection components, what they call Sensors, and then scale up the central platform. At this point, I don't believe it will scale to the very high-end. It is not a large, global enterprise-type product. It's more of a small-enterprise-and-below product.

How are customer service and technical support?

Their support has been good. I've always had good interactions with them.

Which solution did I use previously and why did I switch?

We've used a lot of solutions. I've used, run, and supported a lot of different solutions over the years. There were two primary reasons for switching to AlienVault. One was price, and the other was the feature bundle that I was talking about earlier.

We chose this particular product for many other reasons. As a Professional Services provider, a service provider, MSSP, and a reseller, we're not using it the way most end-users would go out and shop around and look for something. A big part of our decision in selecting this product was the fact that we were able to establish that relationship with AlienVault as a company, as a business to business relationship, to be a reseller, to be an MSSP, to be all of those things.

How was the initial setup?

The setup is pretty simple. The documentation is good. I've been setting up platforms like this for years, so it's not hard for me. For someone who is new to the product and hasn't used this type of product before, they'll have a little bit of a challenge, but it's not too bad. The system is pretty easy to install and, if you follow the documentation, it's pretty easy to configure.

Some cloud integration steps, like G Suite, were more complicated and prone to error.

What was our ROI?

Calculating ROI on security products is a funny endeavor, in my experience. It's not a hard science and it's not something you can easily throw a lot of numbers at. It's mostly guesswork.

What's my experience with pricing, setup cost, and licensing?

The pricing is a good value and makes sense.

The key thing is that for the new product, the licensing of it is subscription-based and it's based on data. Clients need to be really careful when thinking about that, because odds are they're going to need to put a lot more data into it than what they initially estimate, which is going to drive their subscription costs up.

I do have concerns that if a payment is delayed or if there is any dispute about billing, that all of our data is held in the cloud and could be lost.

What other advice do I have?

Overall, the automation features of this solution are good. The issue here is that there are really two solutions. There's the AlienVault Appliance product and then there's the AlienVault Anywhere product. The Appliance product, which is the older product, has a lot more customization and automation capabilities because it's very extensible. The newer product, the Anywhere product, is still very limited. We're very dependent on AlienVault to build in any kind of connections or integration.

If you are a mostly-cloud environment this is a good fit. If you have very few other security controls outside of a firewall this is a good step forward. But if you have a solid security program you may find this product lacking in a few areas. And most importantly, be very careful about subscription size and licensing.

Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller.
RS
Co-Founder at a photography company with 11-50 employees
Real User
Log-monitoring and alerting tell us when things happen that we need to know about

Pros and Cons

  • "Log-monitoring and alerting enable us to know when things happen that we need to know about."
  • "They seem to have bugs from time to time that go unfixed for a while and that is frustrating. I'm not saying the product needs to be bug-free, but they need to be responsive to bugs."

What is our primary use case?

It's part of our PCI compliance.

How has it helped my organization?

We didn't have any system before, so everything has been an improvement.

What is most valuable?

Log-monitoring and alerting, so we can find out when things happen that we need to know about.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

I have not encountered any issues with stability.

What do I think about the scalability of the solution?

There have not been any issues with scalability.

How are customer service and technical support?

I would rate their technical support at nine out of 10.

How was the initial setup?

The initial setup was straightforward. 

What's my experience with pricing, setup cost, and licensing?

I don't think the product's pricing is a good value because they try to raise the price 50 percent every year. If they do that again I won't be a customer, going forward. Their sales team is way too aggressive. The price they advertise is not always the price you get.

In terms of licensing, AlienVault needs to understand that not all customers are huge enterprises. They don't seem to understand that.

Which other solutions did I evaluate?

It was three years ago so I don't remember offhand. But AlienVault was one of two or three that I looked at.

What other advice do I have?

In terms of the product itself, it depends on what features you're looking for. We just use it for PCI compliance and it works for us. You need to do your own evaluation.

I would give the product an eight out of 10. The reason it's an eight is that it seems to have bugs from time to time that go unfixed for a while and that is frustrating. I'm not saying the product needs to be bug-free, but they need to be responsive to bugs.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
BS
Systems Administrator at a healthcare company
Real User
Activity alarms and events contain a plethora of useful and very descriptive data

Pros and Cons

  • "The dashboards are very descriptive and contain just the right amount of information. The activity alarms and events contain a plethora of data that is very descriptive and useful."
  • "The only room for improvement I can mention is the initial installation procedures. I found that the online installation instructions for the product were missing important details, they lacked necessary steps."

What is our primary use case?

Our primary use of AlienVault is as a SIEM tool.

How has it helped my organization?

This product has streamlined productivity by having all the information in one place. It has really helped eliminate a lot of manual work because its automation is pretty robust and important. It puts everything in one place for me.

It is also helping us get HITRUST certified, which is a certification we need for New York State. So this tool is a requirement, and it's going to help us stand out with New York State.

What is most valuable?

It's hard to pick just one valuable feature for this product. I like everything the product has to offer. The dashboards are very descriptive and contain just the right amount of information. The activity alarms and events contain a plethora of data that is very descriptive and useful. 

Vulnerability scans, IDS scans, asset scans. It's pretty much the whole USM Anywhere tool. Everything in here is pretty important. It gives you all the vulnerabilities of your assets. It goes through and it actually shows you the software on there, if it's missing patches, the operating system.

Overall, I find that this product is amazing.

What needs improvement?

Honestly, the product itself is great. The only room for improvement I can mention is the initial installation procedures. I found that the online installation instructions for the product were missing important details, they lacked necessary steps. The product itself is fine.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

I encountered some stability issues only because of a lack of knowledge regarding my network equipment and because AlienVault support was also not familiar with it. As long as you follow the recommendations for system requirements, there shouldn't be any issues.

What do I think about the scalability of the solution?

No issues with scalability. We're only a company of 50 people, so I haven't had any issues whatsoever yet.

How are customer service and technical support?

Technical support is very helpful. They know their product. The one person I used was very responsive. He actually called me, checked in with me, to make sure the issue we did once have was fixed, and that I was satisfied. I really appreciated his perseverance.

It would help if they knew more about different network hardware. I realize that there are so many different types that it is next to impossible to know all network equipment and its compatibility with their product.

How was the initial setup?

The initial setup procedures were definitely missing some key steps. They need to keep in mind that not everyone is an expert on network equipment and perhaps be more descriptive and provide more details. That would have been helpful. 

I think they look at it as if you're a very knowledgeable person. I hate saying the word "dumb," but they need to dumb it down a little bit and think about all the types of people they need to hit, not just the people who have been doing networking for 20 years. They need to keep in mind that there are people who are just out of college or who are not as knowledgeable. They need to keep in mind that all walks of life need to be considered.

I just hope that AlienVault realizes that they need their instructions to be a little bit more detailed and descriptive. Through the troubleshooting I did with them, they realized that there were issues, and they put in a request to update their instructions.

What's my experience with pricing, setup cost, and licensing?

So far, I feel the product's pricing is a good value. The technology is decent. You get what you pay for. I think it's fair.

Which other solutions did I evaluate?

I did look at other options but I don't recall which ones. We were vetting for a while, but this one came highly recommended by a company we use locally for pen and vulnerability testing. They recommended AlienVault because they've seen it used in the area and they liked it a lot. We vetted it and said, "The heck with it. We're going with them."

What other advice do I have?

It is a great product. Just get it.

Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Jason G.
Market Development Manager, Cyber Security Consultant at Abacode LLC
User
Cloud-based solution that is easy to deploy and easy to scale as well.

What is our primary use case?

As a product-agnostic Managed Security Services Provider (MSSP), AlienVault USM is one of several SIEM solutions we utilize in our Security Operation Center (SOC). We deploy, manage, and monitor the solution for other clients, and we use it for ourselves. As do most SIEMs, AlienVault allows us a central location to monitor the cybersecurity of an IT environment. It's impossible to avoid 100% of attacks, so after setting up defenses, the next best thing is to have 24/7 eyes-on-glass to be able to quickly respond to incidents as they happen. 

How has it helped my organization?

As stated before, the solution allows us to continuously detect cybersecurity incidents that may occur throughout our environment.

What is most valuable?

AlienVault USM Anywhere has a modern, user-friendly, and intuitive GUI, making it easy to use. It is a cloud-based solution that is easy to deploy and easy to scale as well. On top of having built-in support with several technologies, AlienVault USM Anywhere has an API that allows you to develop additional plugins if necessary.

What needs improvement?

Although they use machine learning, the algorithms that they use are graph-based. Their AI/ML capabilities could be improved a bit.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

The solution is very stable.

What do I think about the scalability of the solution?

It's a cloud-based solution so it's easy to scale.

How are customer service and technical support?

In our experience, AlienVault has good customer service. 

Which solution did I use previously and why did I switch?

I did use other solutions with different clients, and we do so now. We find AlienVault to have the best price to performance value. There are better solutions, but the price is reflected. 

How was the initial setup?

It's straightforward and relatively easy for someone who is tech-oriented.

What about the implementation team?

In-house.

What was our ROI?

It's difficult to judge the ROI on cybersecurity, but just look at the news to see the cost of breaches and how detrimental they could be.

What's my experience with pricing, setup cost, and licensing?

As stated before, I believe this is the best SIEM solution for its value, especially for SMB.

Which other solutions did I evaluate?

Yes, I myself have had experience with IBM QRadar, Splunk Enterprise, and Logrhythm, but my company has experience with several others. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
Matthew White
Production DBA at BLUE MOTOR FINANCE LIMITED
Real User
Easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the Cloud) is quick and easy.

What is our primary use case?

We use AWS for our application platform and wanted a SIEM that was easy to deploy as a service and that had functionality and integrations focused on AWS. We found AlienVault was the best on price vs features and the team at AlienVault worked hard to make sure we were happy during our on-boarding. Features are rolled out fast and issues addressed quickly. The integration of OTX out-of-box and at no additional cost was a real selling point and the AWS features made it a clear winner.

How has it helped my organization?

AlienVault USM Anywhere provides us with SIEM, at a low price-point and with a great array of functionality. SIEM is critical to our security operations and feeds incident response efforts and USM Anywhere enables us to filter the noise and concentrate the efforts of our small team on the real issues and threats.

What is most valuable?

AlienVault USM Anywhere is easy to deploy with their cloud-based model and deploying the required agents on-prem (or in the Cloud) is quick and easy. With many integrations out-of-the-box, you can pull in all the data from products you use and other sources, such as Amazon Cloudwatch Logs. Custom rules allow for alerting based on content from events and you can even trigger agents in response to threats, shutting down computers or grabbing forensic info for incident response. USM Anywhere also takes care of reporting for ISO and PCI, allowing you to pull reports for auditors at a moment’s notice.

What needs improvement?

We would love to be able to create custom rules based on a series of events, to create rule-sets where, for example, failed logins to the VPN Server are logged and then when a successful attempt follows soon after, it triggers an alarm for a Brute Force. It does this for things like OKTA already, so control over which events this applies to would be great.  

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No major issues and problems are rectified quickly.  

What do I think about the scalability of the solution?

Scales well, no on-prem requirement other than 1 sensor per network and these are cost-effective. AlienVault handles the performance and scalability for you for the backend.

How are customer service and technical support?

Technical support is very quick to respond and follows up well on issues.

How was the initial setup?

Very simple; follow a walk-through to deploy sensors and the back-end is provisioned for you by AlienVault.

What about the implementation team?

In-house deployment; simple to set up.

What's my experience with pricing, setup cost, and licensing?

Cost is very competitive and if your log ingestion is not huge, then you can get a SIEM for a small budget; AlienVault listen well to customers and work with you on the needs of your business.

Which other solutions did I evaluate?

Alert Logic, Cloud Passage and Event Tracker.

What other advice do I have?

Efficiency Of Security Team: Yes, a team of 2 managing a reasonably sized network has been achieved.

Events Per Day: 700,000

Disclosure: I am a real user, and this review is based on my own experience and opinions.
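The two-stage rule this review asks for (a run of failed VPN logins from one source followed shortly by a success) as an added example, not AlienVault's own correlation engine. The log line format, host name, field names and the thresholds are assumptions chosen for the illustration; the events are constructed.

```python
"""Brute-force correlation over VPN authentication events.

Added example (not AlienVault code): "N failed logins from one source,
then a success within a short window" implemented as a small streaming
correlator over constructed log lines. Format and thresholds are assumed.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed syslog-like line format emitted by a hypothetical VPN gateway.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-gw auth: (?P<result>LOGIN_FAILED|LOGIN_OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    success: bool
    user: str
    src: str


@dataclass(frozen=True)
class Alarm:
    src: str
    user: str            # account the successful login landed on
    failures: int        # failed attempts inside the window before success
    first_failure: datetime
    success_at: datetime


def parse_line(line: str) -> Event | None:
    """Return an Event for an auth line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]),
                 m["result"] == "LOGIN_OK", m["user"], m["src"])


class BruteForceCorrelator:
    """Keeps a per-source queue of failure timestamps inside a sliding window.

    Failures are keyed by source only, so a spray across several accounts
    from one address still counts. Events are assumed to arrive in time order.
    """

    def __init__(self, min_failures: int = 5,
                 window: timedelta = timedelta(minutes=5)) -> None:
        self.min_failures = min_failures
        self.window = window
        self._failures: dict[str, deque[datetime]] = defaultdict(deque)

    def observe(self, ev: Event) -> Alarm | None:
        q = self._failures[ev.src]
        while q and ev.ts - q[0] > self.window:   # drop failures too old to count
            q.popleft()
        if not ev.success:
            q.append(ev.ts)
            return None
        alarm = None
        if len(q) >= self.min_failures:
            alarm = Alarm(ev.src, ev.user, len(q), q[0], ev.ts)
        q.clear()   # a success (alarmed or benign) resets the run for this source
        return alarm


def correlate(lines, min_failures: int = 5,
              window: timedelta = timedelta(minutes=5)) -> list[Alarm]:
    """Run the rule over an iterable of raw log lines; unparsable lines are skipped."""
    corr = BruteForceCorrelator(min_failures, window)
    alarms = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and (a := corr.observe(ev)) is not None:
            alarms.append(a)
    return alarms


# Constructed sample: 203.0.113.7 fails six times then succeeds (alarm);
# 198.51.100.4 fails once then succeeds (benign); 198.51.100.9 fails six
# times but succeeds 15 minutes later, outside the window (no alarm).
SAMPLE_LOG = """\
2024-03-01T10:00:01 vpn-gw auth: LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:05 vpn-gw auth: LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:09 vpn-gw auth: LOGIN_FAILED user=bob src=203.0.113.7
2024-03-01T10:00:14 vpn-gw auth: LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:20 vpn-gw auth: LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:31 vpn-gw auth: LOGIN_FAILED user=alice src=203.0.113.7
2024-03-01T10:00:40 vpn-gw auth: LOGIN_FAILED user=carol src=198.51.100.4
2024-03-01T10:00:55 vpn-gw auth: LOGIN_OK user=carol src=198.51.100.4
this line is not an auth event and is skipped
2024-03-01T10:01:02 vpn-gw auth: LOGIN_OK user=alice src=203.0.113.7
2024-03-01T10:05:00 vpn-gw auth: LOGIN_FAILED user=dave src=198.51.100.9
2024-03-01T10:05:05 vpn-gw auth: LOGIN_FAILED user=dave src=198.51.100.9
2024-03-01T10:05:10 vpn-gw auth: LOGIN_FAILED user=dave src=198.51.100.9
2024-03-01T10:05:15 vpn-gw auth: LOGIN_FAILED user=dave src=198.51.100.9
2024-03-01T10:05:20 vpn-gw auth: LOGIN_FAILED user=dave src=198.51.100.9
2024-03-01T10:05:25 vpn-gw auth: LOGIN_FAILED user=dave src=198.51.100.9
2024-03-01T10:20:00 vpn-gw auth: LOGIN_OK user=dave src=198.51.100.9
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"BRUTE FORCE: {a.src} -> {a.user}, {a.failures} failures "
              f"from {a.first_failure} until success at {a.success_at}")
```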
GP
Consultant at Embratel
User
It has helped us in improving our visualization and incident response during cybersecurity situations

Pros and Cons

  • "AlienVault has helped us in improving our visualization and incident response during cybersecurity situations."
  • "Different functions to customize reports should be added."

What is our primary use case?

I use AlienVault to comply with PCI DSS requirements. For on-premises, I am using the AlienVault USM All-In-One 150A Virtual Appliance.

How has it helped my organization?

AlienVault has helped us in improving our visualization and incident response during cybersecurity situations.

I have also used it in a project to comply with PCI DSS requirements.

What is most valuable?

I have found the host-based intrusion detection system (HIDS) extremely useful, as it

  • Allows me to identify possible threats and vulnerabilities.
  • Allows anyone with little knowledge of a cybersecurity device to work with a high-level threat discovery solution.

What needs improvement?

  • They should improve the reporting capabilities. 
  • Different functions to customize reports should be added. 
  • Export features should not be limited to spreadsheets (.XLS) only.

For how long have I used the solution?

Three to five years.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
admin at KIL A&T
Real User
I can easily check all logs and data in relation to attacks in one place

Pros and Cons

  • "I can easily check (in one place) all the logs and data in relation to attacks. It also gives me an overview if a server is not configured properly."
  • "Plugins could be better utilized, as some of them do not recognize all logs."
  • "It was easy on the PoC, but when we got to the product it was a different story. We had to learn the product again and got the feeling that the PoC was a different product."

What is our primary use case?

My company wanted to get software which would be able to monitor resources in AWS, mainly IDS in one cumulative GUI, then add extra requirements with AlienVault match. 

How has it helped my organization?

From my perspective, it saves me about two to seven hours weekly. Now, I can easily check (in one place) all the logs and data in relation to attacks. It also gives me an overview if a server is not configured properly.  

What is most valuable?

  • Centralized logs: All the details are in one place. This is helpful if you have over 100 servers.
  • Centralized IDS: We need this as we are able to see what is happening in (almost) real time.

What needs improvement?

  • Plugins could be better utilized, as some of them do not recognize all logs.
  • We could add a little more customization to dashboards.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

Everything has worked fine since we have had this tool.

What do I think about the scalability of the solution?

We have been adding more servers, and it has been working. We have run out of storage space once or twice, so we had to check and choose which logs that we needed to minimize this problem.

How are customer service and technical support?

It has very good customer service. I have opened about five cases. They were ones which I did not have time to search or could not find information on the support website.

Which solution did I use previously and why did I switch?

I previously worked with Nagios, SolarWinds, and Big Brother. Though, this was at a different company. 

These products did not match the requirements in AWS at the time that we were getting AlienVault.

How was the initial setup?

Setup required time. It will take time to set it up and utilize it at a percentage with which you will be satisfied. 

It was easy on the PoC, but when we got to the product it was a different story. We had to learn the product again and got the feeling that the PoC was a different product.

Which other solutions did I evaluate?

We were also looking at LogRhythm, Splunk, and a few others. We decided on AlienVault, as they had a nice presentation (which told us what we wanted to hear) and the PoC proved it could do what we needed.

What other advice do I have?

Check other products and do a PoC, as changing from one to another can be very pricey and time-consuming. Also, training people and making changes cost a lot of resources, and not all employees like such changes every year.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
it_user752880
Security Analyst at a tech services company with 1-10 employees
User
Its powerful correlation engine helps reduce time in manually correlating events

How has it helped my organization?

Its powerful correlation engine helps reduce time in manually correlating events.

What is most valuable?

  • Alarms
  • Correlation

What needs improvement?

It should be able to communicate with other security solutions to stop threats.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No stability issues.

What do I think about the scalability of the solution?

No scalability issues.

How are customer service and technical support?

Customer Service:

I would rate customer service as a nine out of 10.

Technical Support:

I would rate technical support as a nine out of 10.

Which solution did I use previously and why did I switch?

We did not previously use a different solution.

How was the initial setup?

The only complex area of the setup was writing the custom scripts.

What about the implementation team?

We use both a vendor team and an in-house team for implementation.

What was our ROI?

The ROI is quite good.

What's my experience with pricing, setup cost, and licensing?

Use an MSSP instead. It is much cheaper.

Which other solutions did I evaluate?

We did not evaluate other options.

What other advice do I have?

It is quite awesome.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Client Development Manager at a tech services company with 51-200 employees
Consultant
Allowed us to help our customers satisfy compliance needs around logging and monitoring

Pros and Cons

  • "The asset management functionality (active and passive scans) is also really important. You can't protect what you do not know about, so having an inventory of all your devices and software is critical to a security management program."
  • "Allowed us to help our customers satisfy compliance needs around logging and monitoring."
  • "AlienVault needs to continue to integrate with other third-party technologies that clients want to have monitored."

Primary Use Case

I work for a Managed Service Provider, who uses AlienVault USM Anywhere as the backbone of our vulnerability management and logging solution, which we deliver to our clients.

Improvements to My Organization

AlienVault has allowed us to help our customers satisfy compliance needs around logging and monitoring (HIPAA, PCI, etc.) and has also provided a comprehensive platform that goes beyond just being a SIEM. It allows us to serve our customers in many different ways.

Valuable Features

The Vulnerability Scanning Engine using OpenVAS is a quality tool. The asset management functionality (active and passive scans) is also really important. You can't protect what you do not know about, so having an inventory of all your devices and software is critical to a security management program.

Room for Improvement

AlienVault needs to continue to integrate with other third-party technologies that clients want to have monitored. The plugin builder in the most recent version update is helpful, but it is still a little "clunky" at times.

Use of Solution

One to three years.
Disclosure: My company has a business relationship with this vendor other than being a customer: Sword & Shield is one of AlienVault's premier training partners and offers 24/7/365 SOC services around the AlienVault platform.
reviewer847167
Network and Security Engineer at a tech vendor with 501-1,000 employees
User
It has allowed us to see what is happening on our servers

Pros and Cons

  • "The main menu: You can see everything there, what is happening on the servers, and in the logs, you can view more details of each event."
  • "It has allowed us to see what is happening on our servers."
  • "As this software is in the cloud, you do not have control on updates and general changes which are happening."

What is our primary use case?

We have devices in AWS and in the data center. The main reason is to do an IDS inspection in the cloud, as it was really hard to get proper software to do this and we did not want to install a virtual firewall in each timezone. We have over 200 servers being protected with this software.  

How has it helped my organization?

It has allowed us to see what is happening on our servers. You can do a similar setup with AWS, but monitoring it can give you a headache if you have over 10 servers.

What is most valuable?

The main menu: You can see everything there, what is happening on the servers, and in the logs, you can view more details of each event. Everything you need is in 'one place'.

What needs improvement?

As this software is in the cloud, you do not have control over updates and general changes which are happening. It can be somewhat annoying that DC sensors are updated and you will not have control over when this happens.

For how long have I used the solution?

Less than one year.

What do I think about the stability of the solution?

So far, stability has been okay.

What do I think about the scalability of the solution?

So far, no issues with scalability. We see that too many logs are being sent out, but you have to work out logging what you need.

How are customer service and technical support?

They quickly respond to what you need, not to what they know.

Which solution did I use previously and why did I switch?

We did not use a previous solution.

How was the initial setup?

It was easy to set up. AlienVault was helpful here.

What about the implementation team?

We used our team, but with the help of the AlienVault team.

What was our ROI?

We have been using it less than a year, but it does save time when searching logs.

What's my experience with pricing, setup cost, and licensing?

Negotiate the best package for your environment.

Which other solutions did I evaluate?

We ran a few PoCs. The price and feature set were the best with AlienVault.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
SOC Analyst II at Shatter I.T.
Real User
Incoming alarms provide an overview of suspicious traffic going through the network

Pros and Cons

  • "The Event Correlation and vulnerability scans have been the most useful. As a 24/7 SOC, we use the incoming alarms to give an overview of suspicious traffic going through the network. It's easy to look at the correlated events and see the broad picture of traffic for that customer. Vulnerability scans are good for providing patch and remediation guidelines to keep customer systems secure."
  • "The UI and overall processes need a little bit more love. This shows in the error banners that come up when you select certain things. There isn't a day that goes by that the UI doesn't error out and I can't view events for an alarm."
  • "The reporting tools are a bit lacking for building reports to give directly to customers, but support has been helpful in giving our requests for new features to the development team and following up with us."

What is our primary use case?

We are an MSSP. We have a distributed environment that spans multiple networks and customers in various locations. We have one federated server that receives information from all of our child servers deployed at customer locations.

How has it helped my organization?

AlienVault has provided a nice, unified system for monitoring and reporting. Since we use this for customer security services, the vulnerability scans have come in handy for overall system health checks, for making sure customers aren't vulnerable to known attacks.

What is most valuable?

The Event Correlation and vulnerability scans have been the most useful. As a 24/7 SOC, we use the incoming alarms to give an overview of suspicious traffic going through the network. It's easy to look at the correlated events and see the broad picture of traffic for that customer. Vulnerability scans are good for providing patch and remediation guidelines to keep customer systems secure.

What needs improvement?

The UI and overall processes need a little bit more love. The development job postings have the requirement, for prospective candidates, of "values progress over perfection". This shows in the error banners that come up when you select certain things. There isn't a day that goes by that the UI doesn't error out and I can't view events for an alarm. It's nice that they have new features rolling, keeping up with demand, but fixing the events/alarm database errors would be nice too.

The reporting tools are a bit lacking for building reports to give directly to customers, but support has been helpful in giving our requests for new features to the development team and following up with us.

Network Breach

We have not, but being a 24/7 SOC we have someone checking at all hours.

Efficiency of Security Team

Yes.

Events per Day

500,000.

For how long have I used the solution?

One to three years.

What do I think about the stability of the solution?

No issues with stability.

What do I think about the scalability of the solution?

No issues with scalability.

How are customer service and technical support?

AV support has never been anything less than amazing.

Which solution did I use previously and why did I switch?

We did not use anything else prior. We tried the free version of AV then decided to go with the paid option and become an MSSP, since it fit our company needs for the right price.

How was the initial setup?

Straightforward, once going through a course.

What about the implementation team?

In-house.

What's my experience with pricing, setup cost, and licensing?

Our company normally handles everything from setup to configuration, refinement, and monitoring. We are an MSSP so we all handle this for the customer when they inquire about services.

Which other solutions did I evaluate?

No, AlienVault fit what we needed for the phase we were in with the SOC.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
ITCS user
Network Architect at Envision IT LLC
Reseller
Cloud-based panel is excellent, enabling our SOC to review and respond to threats

Pros and Cons

  • "The new cloud-based panel is excellent both for client review as well as for our SOC to review and respond to threats. It is much easier to configure and use than the previous solution from AlienVault.​"

    What is our primary use case?

    We are an MSP and we utilize an AlienVault USM Anywhere solution for threat detection in client networks. 

    How has it helped my organization?

    AlienVault USM Anywhere is a great evolution of a proven product. While the feedback and customization requirements remain largely the same, the user interface has been significantly improved. This significantly improves the interaction our clients have with their data, and we have received significant positive feedback.

    What is most valuable?

    The cloud console is by far the best improvement of the product. In the past, our less technical clients had trouble sorting through the dashboards within the USM console, and we had received complaints on viewing the real-time data versus our prepared reports.

    The new cloud-based panel is excellent both for client review as well as for our SOC to review and respond to threats. It is much easier to configure and use than the previous solution from AlienVault.

    What needs improvement?

    It can still be difficult to feed products that are not supported out-of-the-box. It would be good if they had a better plugin exchange/store with AlienVault QA to ensure data is being processed properly.

    For how long have I used the solution?

    One to three years.
    Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP/Reseller
    it_user829383
    Engineer - Network Security at a tech company with 11-50 employees
    User
    Review about AlienVault

    What is our primary use case?

    I'm a System Engineer working for an IT Security Solution Provider. My organization received a request for a SIEM and FIM solution to be deployed for a financial organization. We found that AlienVault provides SIEM and FIM features in USM All-In-One.

    This was my first ever SIEM deployment, and I started from scratch after doing a good POC with the customer.

    How has it helped my organization?

    It has helped me to give some InfoSec guidance to my customer after deploying AlienVault on their premises.

    Now they are able to know what kind of traffic is passing through the firewalls and what kind of traffic hits the traffic.

    What is most valuable?

    SIEM and FIM were my first priorities when I started the deployment, because the customer wanted to monitor network security incidents on the servers and any file modifications made to their critical files residing on the production servers.

    Vulnerability scanning and OTX helped us to manage everything in one single point.

    The alerting and security intelligence are the heart of the product. Monitoring the customer's critical network is now almost a one-man job.

    What needs improvement?

    While I was still working on the implementation, I found difficulties with searches within security events. Configuring some areas looks complicated.

    I had issues while installing the OSSEC agent on Solaris and CentOS servers. A workaround for this issue would give some value to users.

    For how long have I used the solution?

    Still implementing.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user833982
    Cybersecurity Analyst at a tech company with 51-200 employees
    User
    Review about AlienVault

    What is our primary use case?

    SIEM, log ingestion and evaluation. We use this not only internally but also for clients that we manage. It has proven its worth and more. We are currently very pleased with this product, and it has performed as advertised. We obviously use this to be able to ascertain visibility on each network in which it is deployed, not only from the NIDS/HIDS side but also for evaluation of each interaction every device has.

    How has it helped my organization?

    We have benefited greatly due to gaining the visibility we need for different instances. It has improved our security posture and has helped us respond to alarms/events as they have come down through the pipeline to the ticketing system we use. All in all, it has improved our SOC.

    What is most valuable?

    AlienApps that we use to integrate with our current setup is awesome! Not only that, they have roadmapped being able to open up their API so we can integrate and flex the USM Anywhere as much as we want and when we want to. The staff has been incredibly helpful on getting us further down the line with our constructive feedback and have worked on implementing changes to their system to help improve their product.

    What needs improvement?

    A tailored OTX map for each customer's central would be awesome to have for displays. A lot of companies like to have visuals for their central instance in order to be able to see when an IOC comes through, and it would help to have something in front of analysts/engineers to respond to promptly if they were away from central working downstream.

    For how long have I used the solution?

    Less than one year.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Javier Ramirez
    Network Security Specialist at SEFISA
    Real User
    This solution can completely detect and prevent incidents on your network

    Pros and Cons

    • "Using the communication within the security device, it is easier to create plugins."
    • "This solution can completely detect and prevent incidents on your network."
    • "Reports are customized, so you can present them to executives or engineers.​"
    • "The other thing is the agent is OSSEC. They needed to create their own agent to help find threats on the devices where it happens to be installed."
    • "Maybe logs are the problem, as the database query is too slow. If you want to search something, you need time to find it."

    What is our primary use case?

    The solution has everything that you want: SIEM, vulnerability management, NetFlow, IDS, and more. This solution can completely detect and prevent incidents on your network.

    How has it helped my organization?

    It has helped not only with security, but also with the network: when we have problems with slowness, we can go to the NetFlow section and see who is generating a lot of traffic.

    Using the communication within the security device, it is easier to create plugins. Therefore, if you want to create plugins, there is an option called plugin creator to assist with this.

    What is most valuable?

    AlienVault has the necessary all-in-one product with the function of vulnerability scanner integrated with detections, so when you detect an incident in a vulnerable port you can act faster and prevent more incidents.

    What needs improvement?

    Maybe logs are the problem, as the database query is too slow. If you want to search something, you need time to find it.

    The other thing is the agent is OSSEC. They needed to create their own agent to help find threats on the devices where it happens to be installed.

    For how long have I used the solution?

    Three to five years.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    CEO at a tech services company with 1-10 employees
    Reseller
    Enabled us to create an SOC on a budget with smaller than usual staff requirements

    Pros and Cons

    • "The AlienVault solution has enabled us to create a SOC on a budget with smaller than usual staff requirements, offering a wider range of solutions for our customers."
    • "We would like more plugins; this is the main point of improvement that would benefit users."

    What is our primary use case?

    As a cyber security company, we have used AlienVault to set the foundations of our security solutions offerings.

    It gives our customers all the services that they require via a single console environment, either self-managed or managed by ourselves, enabling companies with little to no IT department to have an all-in-one security, compliance, and reporting solution.

    How has it helped my organization?

    The AlienVault solution has enabled us to create an SOC on a budget with smaller than usual staff requirements, offering a wider range of solutions for our customers.

    What is most valuable?

    The below features are what make the solution so powerful, particularly saving time and money (most importantly):
    • Real-time email alerts
    • Event correlations
    • Log management
    • System monitoring
    • Network monitoring
    • Uptime monitoring
    • OTX threat intelligence
    • Vulnerability scanning/reporting
    • Compliance reporting

    What needs improvement?

    All products have room for improvement. AlienVault is always looking at ways to improve their solution. 

    We would like more plugins; this is the main point of improvement that would benefit users.

    For how long have I used the solution?

    Less than one year.
    Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP/Reseller
    it_user829533
    IT Manager at a manufacturing company with 51-200 employees
    User
    It is my "security person" looking at irregularities and letting me know when something has occurred

    Pros and Cons

    • "SIEM log collection is great, and all of the rules that support updates with maintenance."
    • "It is my "security person" looking at irregularities and letting me know when something has occurred."
    • "More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you."

    What is our primary use case?

    We were looking to add another layer of security to our network, which included intrusion detection, intrusion prevention, SIEM collection, and more. After looking at a few solutions, we ended up purchasing AlienVault. We are located in a physical location with 100 users.

    How has it helped my organization?

    AlienVault has provided me with a management console which gives me alerts and other information about the traffic on my network. AlienVault is my "security person" looking at irregularities and letting me know when something has occurred. I also see vulnerabilities in my systems and can assign tickets to other staff members.

    What is most valuable?

    SIEM log collection is great, and all of the rules that support updates with maintenance. 

    What needs improvement?

    More complimentary training needs to be done for use with this tool. If you get into a bind, then it will cost you.

    For how long have I used the solution?

    One to three years.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Tharaka Ranasinghe
    Network and Security Engineer at a tech services company with 51-200 employees
    Real User
    It has powerful threat detection, incident response, and compliance management

    Pros and Cons

    • "It has powerful threat detection, incident response, and compliance management."
    • "AlienVault has an advanced component within one package. With this, we can cover more area with one solution."
    • "AlienVault must improve their correlation feature. Some of the events do not match with the correlation rules and some of the correlation events are false-positive."

    What is our primary use case?

    AlienVault Unified Security Management (USM) has powerful threat detection, incident response, and compliance management. We can use this across cloud, on-premise and hybrid environments. 

    The reason to use USM is that it has the following components in its package: 

    • Asset Discovery
    • Vulnerability Assessment
    • Intrusion Detection
    • Behavioral Monitoring
    • SIEM & Log Management.

    How has it helped my organization?

    AlienVault has an advanced component within one package. With this, we can cover more area with one solution. 

    As an example, it has a vulnerability assessment component built in. With this, we can do the vulnerability assessment easily, and we do not have to buy another solution for vulnerability assessment. It is easy to use, and we can take better advantage of an all-in-one solution like USM.

    What is most valuable?

    AlienVault USM has a vulnerability assessment feature and only one SIEM feature compared to other SIEM solutions. 

    What needs improvement?

    AlienVault must improve their correlation feature. Some of the events do not match with the correlation rules and some of the correlation events are false-positive.

    For how long have I used the solution?

    Less than one year.

    What other advice do I have?

    It is the most valuable tool that I have seen of the SIEM solutions.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner in Sri Lanka.
    ITCS user
    Network and Security Engineer at a tech services company with 11-50 employees
    Real User
    We are able to get alerts perfectly with FIM and VA features

    Pros and Cons

    • "This is a USM, so being able to get all the features under one roof makes it a good product with good new features."
    • "We are able to get alerts perfectly with FIM and VA features."
    • "Pay attention to false-positive event automatic correlations."

    What is our primary use case?

    This has an OTX feed. With it, we are able to get notifications about every incident that happens.

    By forwarding device logs, we are able to get alerts perfectly with FIM and VA features.

    How has it helped my organization?

    We are the Partners in Sri Lanka. We are doing deployments in Sri Lanka, Maldives, and Bangladesh. 

    This is a USM, so being able to get all the features under one roof makes it a good product with good new features.

    What is most valuable?

    Unified Security Manager (USM). In every SIEM, having only SIEM features (log management, alerting, notifications, etc.) is typical. Here we can get file integrity monitoring and a vulnerability assessment tool together with SIEM.

    I have never seen a tool like this.

    What needs improvement?

    The Log Management and configuration of email notifications should be user-friendly. Pay attention to false-positive event automatic correlations. 

    Efficiency of Security Team

    Yes.

    Events per Day

    60.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No, we did not have issues with stability.

    What do I think about the scalability of the solution?

    No, we did not have issues with scalability.

    How are customer service and technical support?

    Good. They have technically fluent engineers there.

    Which solution did I use previously and why did I switch?

    Yes. We switched because this is a USM (SIEM, FIM, and VA tool in one product) and the price.

    How was the initial setup?

    The initial setup is straightforward, but some features are a little bit difficult.

    What about the implementation team?

    We are the partners in Sri Lanka. Therefore, we are directly involved with implementations.

    What's my experience with pricing, setup cost, and licensing?

    It has good pricing.

    Which other solutions did I evaluate?

    We evaluated EventTracker.

    What other advice do I have?

    Our customers have good references about AlienVault.

    Disclosure: My company has a business relationship with this vendor other than being a customer: We are partners in Sri Lanka
    ITCS user
    Head of MSS Platform and Product Management at a tech services company with 51-200 employees
    Consultant
    Allows for a lot of out-of-the-box features but it does not have APIs

    What is our primary use case?

    Supporting an MSSP. Supporting clients with minimum on-premise install. We are rolling out a USM appliance.

    How has it helped my organization?

    It allows for a lot of out-of-the-box features: vuln scanning, HIDS/HIPS, and IDS. The Suricata rule set is pretty lame.

    What is most valuable?

    Asset discovery seems to be good. Nice that everything is bundled.  

    What needs improvement?

    Scaling, and it has no APIs! It would be hard for any legitimate MSSP to use it.

    For how long have I used the solution?

    Still implementing.

    What's my experience with pricing, setup cost, and licensing?

    The price point is good.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Shayanthan Karunaharan
    Engineer - Information Security at a tech services company with 11-50 employees
    Reseller
    Categorization of Security Events Helps Our SOC Analyst for Further Analysis

    What is our primary use case?

    I'm a reseller of AlienVault SIEM in Sri Lanka. We deployed AlienVault SIEM in one of the banks in Sri Lanka three months ago. Currently we are working on the fine-tuning. It took me two weeks to complete the basic deployment and integration of up to 50 devices with the client's technical team.

    How has it helped my organization?

    Since we are a reseller, AlienVault helped us because of their cheaper price compared to other SIEM solutions and the addition of FIM in the solution. Implementation took a few days, and it's easy to complete the task within the given project timeline.

    What is most valuable?

    Raw logs: Clients need to store their raw logs in a data store rather than keep them on the actual device.

    Alarm section: It's very easy to see the Alarms for any incidents rather than going through all the logs.

    Security events: Categorization of Security events helps our SOC analyst for further analysis.

    What needs improvement?

    A user-friendly interface could be an advantage. Sometimes we faced trouble when going through the settings of AlienVault SIEM.

    For how long have I used the solution?

    Less than one year.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    IT/IS Officer - Marketing Director at a tech services company with 51-200 employees
    Real User
    It Has Become an Invaluable Asset for Our Small Organization

    What is our primary use case?

    As the CIO of a small community bank, I find that resources for staffing and manpower can be limited. AlienVault helps to simplify the management of information security and helps me to detect threats and manage alerts with ease!

    How has it helped my organization?

    AlienVault gave our organization a centralized tool to manage our security. With its intrusion detection, asset management, and vulnerability assessments, along with all of its other features, it has become an invaluable asset for our small organization.

    What is most valuable?

    We have found the AIO USM the most valuable because of its centralized grouping of all of the tools necessary to manage our security in an "All In One" solution. Of its parts, the scheduled vulnerability assessment tool has been helpful as a preventative measure to help keep ahead of security threats!

    What needs improvement?

    As with many of its users, I have submitted suggestions in the past, and AlienVault has seemed to listen to suggestions from its users and has implemented them every time. I am happy with the product as it is today.

    For how long have I used the solution?

    Three to five years.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    System Administrator at a tech services company with 10,001+ employees
    MSP
    We have been able to ensure the health of our servers

    Pros and Cons

    • "As we have to service several servers, we can manage them in an economical way, which is beneficial to our team and business."
    • "Any unusual behaviour, we can monitor. We have alerts set up to be sent when we receive signs of any unusual behaviour."
    • "For creating new rules, you have to be familiar with regular expressions. I feel there could be something built-in to make sure that process is easier."

    What is our primary use case?

    We use the appliance in a few ways: monitoring network behaviour, asset discovery, and running vulnerability scans. We can monitor the availability of servers and any particular software. As we have to service several servers, we can manage them in an economical way, which is beneficial to our team and business.

    How has it helped my organization?

    We have been able to ensure the health of our servers. We can also use vulnerability scans to ensure our system is as good as it could be.

    Any unusual behaviour, we can monitor. We have alerts set up to be sent when we receive signs of any unusual behaviour. The ranking can be modified to allow us to apply a standard rule and also be customized, which suits our business needs.

    What is most valuable?

    I have used the asset discovery and the vulnerability scans the most. As a system administrator, it is important that we are prepared for any eventualities. I also like how you can use the hardware “out-of-the-box”, or using logs you can actually customise the performance to fit your environment and needs.

    What needs improvement?

    For creating new rules, you have to be familiar with regular expressions. I feel there could be something built-in to make sure that process is easier.

    For how long have I used the solution?

    One to three years.

    What do I think about the stability of the solution?

    No stability issues.

    What do I think about the scalability of the solution?

    No scalability issues.

    Which solution did I use previously and why did I switch?

    We did not have any sustainable solution previously.

    What's my experience with pricing, setup cost, and licensing?

    Use the AlienVault team. They are helpful and the documentation that they provide is second to none.

    Which other solutions did I evaluate?

    We checked out several competitors. For what it can do and the cost, it was the best SIEM tool!

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Network Operations Manager / Systems Engineer at a tech services company
    Real User
    Asset management of nodes has been a large help in terms of being able to track applications with more detail

    Pros and Cons

    • "Vulnerability scanning helped out shortcomings of what was not patched in the past and what needed to be patched. This assisted with fine-tuning the environment for compliance."
    • "It brought our logs into one place for review and set up alarms based on changes we were missing due to lack of having one place for everything to go."
    • "The asset management of nodes has been a large help in terms of being able to track applications with more detail and have changes made being monitored into one source."
    • "Source material on the forums to be more up-to-date with the changes happening within the product. Forums being out-of-date with information due to the changes makes troubleshooting a little more difficult - specific to the HIDS agents."

    What is our primary use case?

    AlienVault is used in our infrastructure for compliance purposes. It was brought in as a replacement for multiple products in use at the time, such as Kiwi and the Nexpose scanner. With the environment being new, it was the best place to start, bringing everything into one location for Syslog and asset management. The vulnerability scanner also made the difference where the scans created tickets for remediation.

    How has it helped my organization?

    The all-in-one source for the needs of compliance has put everything into one location without the need for other applications and tools to accomplish the tasks. It brought our logs into one place for review and set up alarms based on changes we were missing due to lack of having one place for everything to go. Vulnerability scanning helped out shortcomings of what was not patched in the past and what needed to be patched. This assisted with fine-tuning the environment for compliance. The reports also helped upper management see how easily the product was doing its job and the holes that were being filled.

    What is most valuable?

    The asset management of nodes has been a large help in terms of being able to track applications with more detail and have changes made being monitored in one source. The vulnerability scanning has also been an aid in reviewing the systems and having feedback on what is missing patches and the holes in our environment that need review and remediation. The all-in-one aspect has been helpful to see items and correlate within one source rather than multiple.

    What needs improvement?

    Source material on the forums needs to be more up-to-date with the changes happening within the product. Forums being out-of-date with information due to the changes makes troubleshooting a little more difficult, specifically for the HIDS agents. Troubleshooting connectivity is limited to very few articles with very little information. Perhaps add templates to the HIDS agents for collection based on systems, or a clickable addition of files to collect with check boxes rather than configuring the HIDS agents through text.

    Also, more information on how specific sections relate to PCI and how to use/setup the SIEM to follow the guidelines of the areas. Some information is vague on how to accomplish specific items within PCI on help forums through AlienVault.

    For how long have I used the solution?

    Less than one year.
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    IT Systems Administrator at a financial services firm with 201-500 employees
    Real User
    It has streamlined log aggregation and analysis to meet organizational and regulatory needs

    Pros and Cons

    • "It has streamlined log aggregation and analysis to meet organizational and regulatory needs."
    • "Reporting is convoluted and difficult at times; although they claim to have hundreds of pre-built reports, very few of them are actually useful for anything but what the USM is doing."
    • "Windows log collection works with HIDS, but documentation is sparse and confusing."

    What is our primary use case?

    The primary use case for AlienVault is Log Management and SIEM functionality with the added benefit of IDS.

    How has it helped my organization?

    It has streamlined log aggregation and analysis to meet organizational and regulatory needs.

    What is most valuable?

    The most useful feature is the customization for alarms, alerts, and reports. AlienVault is situated to be adapted and changed to meet many different needs and use cases, but still being effective at most of them. 

    What needs improvement?

    Reporting and Windows log collection is the biggest drawback. Reporting is convoluted and difficult at times, although they claim to have hundreds of pre-built reports, very few of them are actually useful for anything but what the USM is doing. Windows log collection works with HIDS, but documentation is sparse and confusing. You have to trace back to how a Windows Event ID ultimately correlates with AlienVault events through HIDS IDs. 

    For how long have I used the solution?

    Less than one year.

    What do I think about the stability of the solution?

    Some minor issues here and there with updating/services not working, but AlienVault support is quick and easy to work with and will handle it. 

    What do I think about the scalability of the solution?

    No issues. Make sure you do size appropriately though for the level of logs you want to collect and retain. 

    How was the initial setup?

    Complex in some ways, but AlienVault is pretty easy and will help along the way. Also, taking the training class is very valuable. 

    What's my experience with pricing, setup cost, and licensing?

    Do the one month trial and try to work out the kinks during it, as it has free support and service hours. The staff is great at knowing what to do and what they can do to help. 

    Which other solutions did I evaluate?

    Yes. Our SIEM tool list, from which we were evaluating, included Splunk and LogRhythm.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Security Administrator at a financial services firm with 501-1,000 employees
    Vendor
    It has allowed us to gain a better understanding of how data flows within our network

    Pros and Cons

    • "It allows you to define what alerts you want to see, or not to see, as well as if you want them grouped, or ungrouped."
    • "The reporting aspect could be improved. While there are a lot of different options available, there are still pieces which are missing."

    How has it helped my organization?

    It has allowed us to gain a better understanding of how data flows within our network, and has helped us think about what type of things we want to be alerted on, or not alerted on.

    What is most valuable?

    AlienVault provides you with a unified view for all aspects of what is going on in your environment. It allows you to define what alerts you want to see, or not to see, as well as if you want them grouped, or ungrouped.

    What needs improvement?

    The reporting aspect could be improved. While there are a lot of different options available, there are still pieces which are missing. The views are also very static and do not give you a lot of options on how the data is presented.

    What do I think about the stability of the solution?

    No, the product is stable.

    What do I think about the scalability of the solution?

    No, our network has stayed for the most part the same. In the future, it should be scalable with additional sensors.

    How are customer service and technical support?

    Customer Service:

    This is an area that could be improved.

    Technical Support:

    This is an area that could be improved. However, once you get a knowledgeable tech support person, they are good to work with.

    Which solution did I use previously and why did I switch?

    No, this is our first SIEM device.

    How was the initial setup?

    Both. It was simple to just get up and running. However, when you start tweaking it for your organization it gets more complex.

    What about the implementation team?

    A little bit of both. The vendor team's expertise was amazing. I highly recommend using them.

    What was our ROI?

    The time that it would take to manually investigate events versus looking at one dashboard.

    What's my experience with pricing, setup cost, and licensing?

    Definitely get professional services.

    Which other solutions did I evaluate?

    Darktrace and QRadar.

    What other advice do I have?

    Once set up, for the most part, it is a "set it and forget it" solution. There is some upkeep with making sure all the things are monitored, but other than that AlienVault provides what you need out-of-the-box.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Security Engineer at a tech services company with 201-500 employees
    MSP
    The low cost of entry SIEM functionality has increased due to network views and network traffic

    Pros and Cons

    • "Ease of deployment across various environments."
    • "Support can be slow at times, but the quality is high. Posted knowledge base articles could use improvement."

    How has it helped my organization?

    The low cost of entry SIEM functionality has increased due to network views and network traffic.

    What is most valuable?

    • General SIEM tool functionality.
    • Ease of deployment across various environments.

    What needs improvement?

    Support can be slow at times, but the quality is high. Posted knowledge base articles could use improvement.

    What do I think about the stability of the solution?

    None, which are related to this solution.

    What do I think about the scalability of the solution?

    No.

    How are customer service and technical support?

    Customer Service:

    Seven out of ten.

    Technical Support:

    Seven out of ten.

    Which solution did I use previously and why did I switch?

    No.

    How was the initial setup?

    The initial setup was straightforward.

    What about the implementation team?

    It was a blend. The implementation was primarily internal with support provided as needed. The vendor team had a good quality of expertise.

    What was our ROI?

    Medium-high.

    What's my experience with pricing, setup cost, and licensing?

    Research the solution heavily prior to investing.

    Setting up a bench OSSIM install should help identify possible pain points with the setup.

    Which other solutions did I evaluate?

    No.

    What other advice do I have?

    The solution is improving steadily, particularly in relation to the quality and breadth of documentation. Though some areas are still weak.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Head of IT at a consultancy with 201-500 employees
    Consultant
    We use the HIDS to monitor our servers, which track user account locks and logon failures

    What is most valuable?

    • Network monitoring
    • SIEM

    How has it helped my organization?

    We have much greater visibility in what is happening on our network.

    What needs improvement?

    Backup, restore, and upgrade - some menu options are a bit convoluted.

    For how long have I used the solution?

    Six months.

    What was my experience with deployment of the solution?

    No.

    What do I think about the stability of the solution?

    No.

    What do I think about the scalability of the solution?

    No.

    How are customer service and technical support?

    Customer Service:

    Excellent, every contact with customer services, support, and training has been superb.

    Technical Support:

    Excellent - very good, comprehensive, and knowledgeable staff.

    Which solution did I use previously and why did I switch?

    No.

    How was the initial setup?

    Yes - simple deployment in VM, worked the first time.

    What about the implementation team?

    In-house.

    What was our ROI?

    Difficult to answer - specifically, this was a new product for us to increase and improve upon security.

    What's my experience with pricing, setup cost, and licensing?

    We did market research, web reviews, etc. We spoke to a number of vendors (LogRhythm, etc.), but we felt that AlienVault was the best value and most comprehensive for our organisation's size.

    Which other solutions did I evaluate?

    Yes, LogRhythm, and Splunk.

    What other advice do I have?

    We are very happy. The training was excellent, and the interaction with AlienVault is first rate - a real leader in customer service. The OTX pulse feature is very useful.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    GP
    IT Officer with 51-200 employees
    User
    Visibility For Your Network and To Find Bottlenecks

    How has it helped my organization?

    Recently, we used the NetFlow capability to find a bottleneck in the network and the offending computer.

    What is most valuable?

    The most valuable aspect of AlienVault is the visibility into the network. You have the capability to gather logs from multiple sources and easily see what is going on in the network.

    What needs improvement?

    It is a lot of work to get the software configured and set up properly.

    What do I think about the stability of the solution?

    There were some issues with the reporting functions. AlienVault corrected that problem in a new update.

    How are customer service and technical support?

    Customer Service:

    The customer service department is very responsive to questions.

    Technical Support:

    The technical support team is very knowledgeable. It is helpful that they are able to have remote support sessions to review the problem.

    Which solution did I use previously and why did I switch?

    No.

    What about the implementation team?

    We deployed this system in-house. We are not a fan of moving things to cloud-based solutions.

    What's my experience with pricing, setup cost, and licensing?

    The engineering support that is provided by AlienVault upon first installation was excellent! They went way above and beyond what I was expecting.

    Which other solutions did I evaluate?

    We evaluated the popular SIEM tools Splunk, LogRhythm, and SolarWinds. AlienVault provided the most features for the price point.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Security Analyst at a tech services company
    Consultant
    Quickly got insight into my environment

    How has it helped my organization?

    Quickly got insight into my environment.

    What is most valuable?

    Deployment was very easy. I got my servers and devices reporting very quickly.

    What needs improvement?

    It would be great if there was a feature to add in watch lists, like McAfee or QRadar have -- to keep track of IPs, domain, etc. that I have identified as being malicious.

    Also, being able to connect into other TAXII/STIX feeds other than OTX.

    How are customer service and technical support?

    Customer Service:

    Excellent. Customer service was very responsive.

    Technical Support:

    Excellent. Support was very responsive.

    Which solution did I use previously and why did I switch?

    Yes, McAfee ESM. Even after upgrading to Version 10, the interface was still hard to navigate through and did not work on every browser. Writing effective rules was difficult.

    How was the initial setup?

    Very straightforward.

    What about the implementation team?

    In-house.

    What's my experience with pricing, setup cost, and licensing?

    Very reasonable and for the value of the product, we couldn't ask for better pricing.

    Which other solutions did I evaluate?

    We did a SIEM solution comparison with McAfee ESM, IBM QRadar, and Fortinet.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Infrastructure Engineer at a tech services company with 1,001-5,000 employees
    Consultant
    Holistic view of SIEM environment

    What is most valuable?

    The UI is clean and easy to use. Lots of documentation, training, and community involvement available as well.

    How has it helped my organization?

    Holistic view of SIEM environment.

    What needs improvement?

    API, ETL, or connector to support BI tools such as Tableau, Power BI, etc.

    For how long have I used the solution?

    Only for a few months. We just went live with the USM when we transitioned away from on-prem.

    What was my experience with deployment of the solution?

    Not on the AV side, pretty easy to use.

    What do I think about the stability of the solution?

    No.

    What do I think about the scalability of the solution?

    No.

    How are customer service and technical support?

    Customer Service:

    Very good.

    Technical Support:

    Very good.

    Which solution did I use previously and why did I switch?

    N/A.

    How was the initial setup?

    Yes.

    What about the implementation team?

    Vendor. Not the best.

    What was our ROI?

    Too soon to tell.

    What's my experience with pricing, setup cost, and licensing?

    Check logging.

    Which other solutions did I evaluate?

    N/A.

    What other advice do I have?

    No.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user695217
    IT User
    Vendor
    We haven't suffered a true breach, but it has helped identify weaknesses.

    What is most valuable?

    SIEM capabilities, vulnerability scanning, asset discovery/management features.

    How has it helped my organization?

    Increased visibility, threat detection.

    What needs improvement?

    The web UI can be clunky at times, with poor error handling. Updates need more QC before release.

    For how long have I used the solution?

    One year.

    What was my experience with deployment of the solution?

    Deployment has always been smooth.

    What do I think about the stability of the solution?

    No, it has been quite stable.

    What do I think about the scalability of the solution?

    Nothing except for networking challenges.

    How are customer service and technical support?

    Customer Service:

    Seven out of 10.

    Technical Support:

    Seven out of 10. First level of support is hit and miss, but higher level support technicians are great.

    Which solution did I use previously and why did I switch?

    No, we started with OSSIM and then bought USM.

    How was the initial setup?

    Very straightforward if you're prepared. Just deploy the OVA template and follow the instructions and you're up in less than an hour.

    What about the implementation team?

    In-house.

    What was our ROI?

    I can't say.

    What's my experience with pricing, setup cost, and licensing?

    The asset licenses are misleading. You can have as many as you want in AV and have NIDS work on all of them. The limit is more about logs and plugins for the assets.

    Which other solutions did I evaluate?

    No.

    What other advice do I have?

    It's a good solution and has a promising future.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Network Administrator at a tech services company
    Consultant
    The product has been very stable

    What needs improvement?

    The setup was somewhat complex.

    For how long have I used the solution?

    We have had this solution in place for about 10 months.

    What was my experience with deployment of the solution?

    There were deployment issues. At the time, it was right after USM Anywhere had been released, and not all of the documentation was posted. This made the deployment have some issues.

    What do I think about the stability of the solution?

    The product has been very stable.

    What do I think about the scalability of the solution?

    We have had no issues with scalability.

    How are customer service and technical support?

    Customer Service:

    I would give customer service a rating of four out of five.

    Technical Support:

    I would give technical support a rating of four out of five.

    Which solution did I use previously and why did I switch?

    This is the first solution like this that I have deployed.

    How was the initial setup?

    The setup was somewhat complex. One thing that was difficult was configuring log forwarding from Windows systems.

    What about the implementation team?

    We implemented using an in-house team.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Professional Services Engineer at a tech services company with 11-50 employees
    Consultant
    Meets logging requirements for PCI and HIPAA standards

    What is most valuable?

    The tool is a great way to meet logging requirements for PCI and HIPAA standards. It is very flexible and customizable.

    How has it helped my organization?

    I came into the company with USM Appliance already in place. However, from my previous experience with logging and security appliances, there have been many tasks that used to be a manual process like asset discovery, that are now automated and easy to implement through the UI.

    What needs improvement?

    Stability on certain components could be better, but for a system that is on 24/7/365 without reboots, it's fairly trouble free.

    For how long have I used the solution?

    We have used this for one year.

    What was my experience with deployment of the solution?

    There were no issues with deployment.

    What do I think about the stability of the solution?

    Stability issues were only due to issues with updates, and in extremely unusual use cases.

    What do I think about the scalability of the solution?

    There were no issues with scalability.

    How are customer service and technical support?

    Customer Service:

    They have amazing customer service. AlienVault Support takes care of all of my issues that come up.

    Technical Support:

    I would give technical support a rating of 10 out of 10.

    How was the initial setup?

    The setup was fairly straightforward. A more advanced setup is available for different use cases.

    What about the implementation team?

    We did the implementation in-house.

    What was our ROI?

    Having our logs in a single system is in itself a huge ROI.

    What's my experience with pricing, setup cost, and licensing?

    When compared with other options, AlienVault is significantly less expensive for the amount of features that are packed into it.

    Which other solutions did I evaluate?

    I was not part of the product decision.

    What other advice do I have?

    AlienVault support is what really makes this product a great investment. They are constantly improving their product and happy to help with anything that comes up.

    Disclosure: My company has a business relationship with this vendor other than being a customer: My company utilizes USM Appliance for our own logs, but we are also an AlienVault MSSP Partner and Reseller.
    Vinod Shankar
    Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
    Consultant
    Provides us with flexible deployment architecture

    Pros and Cons

    • "The best thing about AlienVault USM is it being a “Jack-of-All Trades” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, Asset Management, Vulnerability Management, etc., under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc., can boast of such a diverse feature set."
    • "The lack of mature functionality and expertise in any of those areas is a strong negative."

    How has it helped my organization?

    A jack-of-all trades:

    The best thing about AlienVault USM is it being a “Jack-of-All Trades” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, Asset Management, Vulnerability Management, etc., under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee, etc., can boast of such a diverse feature set.

    • QRadar is the closest to AV USM in terms of feature diversity. While all the features were formerly isolated open source community projects, the USM does a good job of integrating them into a feature set. While they are not great as individual parts, they more than make up as a sum of the parts.
    • OTX – Open Threat Exchange is a wonderful community sharing platform that helps clients to share IP and URL reputation information so that all AV customers can benefit. This is true community sharing modeled on the likes of the Splunk Community (for app development). This has the potential to grow into a large source of Real World Intelligence and what AlienVault intends to do with this data remains to be seen. For now, it is being used by USM Correlation engine to provide better context and content for Security monitoring. AlienVault Labs, is also utilizing this infrastructure to constantly update Detection rules for malware vectors, vulnerability exploits etc. QRadar and ArcSight provide Intelligence, but it is commercial intelligence and not community intelligence. With community intelligence, you get more hits than misses.
    • Multi-Tenancy – While this feature may not elucidate an interest from many readers, those who have worked in an MSSP environment can understand why this is a very important feature to have. AV USM does support Multi-Tenancy out of the box. This, when combined with the Architecture flexibility provide great MSSP models to sell and operate. The key is to understand how the multi-tenancy works. Basically, a single database is used to store data of several customers using a Data isolation Logic and Permission control. The data isolation logic is based on Entities created in USM (Assets, Users, Components Assigned (Sensors) etc., are grouped together as a Single Entity) and Permissions (applied in a granular fashion to data sets related to the Entities). QRadar, ArcSight and other major SIEM products provide this as well.
    • Integration – While AV USM is known for being customization friendly, the amount of out-of-the-box plugins for Log Monitoring and Correlation is limited to the well-known products. It does not have comprehensive integration capabilities with, say, legacy applications, Directory services, databases, etc., that other SIEM vendors boast of. Similarly, it relies mostly on its own “pre-packaged” tools for data enrichment and hence has poor “Third Party” Integration capabilities. However, if you really are a developer of open source products, the integration challenge can be overcome. But how many are willing in the real world enterprise?
    • Correlation and Workflow – What good is a SIEM product if it cannot perform advanced Correlation and Operational workflow? AV USM has a strong foundation in Correlation using XML driven Directives and Alarm thresholds. However, when it comes head-to-head with the Industry leaders like ArcSight, QRadar, Splunk, etc. it falls terribly short. We particularly like the Cyber Kill Chain flow which a lot of customers are using for complete visibility, but this is not the end game in real world enterprise operations where not all the data points required for the directive are available. The same thing goes for the workflow, where the integration with external ticketing or issue tracking systems is very limited, and hence acts as a deterrent in large scale deployments.

    What is most valuable?

    Flexible Deployment Architecture – This is where the Open Source roots really start to flex their muscles when it comes to AV USM. The main components of the architecture are as follows:

    • AV Sensor: AV Sensors perform Asset Discovery, Vulnerability Assessment, Threat Detection, and Behavioral Monitoring in addition to receiving raw data from event logs and helping in monitoring network traffic (including Flow). The sensors also perform normalization of the received raw events and communicate them to the AV Server for correlation and reporting.
    • AV Server: AV Server is the Central Management Console that provides USM capabilities under a single GUI. The server receives normalized data from the sensors, correlates and prioritizes the events, and generates security alerts or alarms. The server also provides a variety of reporting and dashboarding capabilities.
    • AV Logger: AV Logger provides the capability to archive log files for purposes of forensic analysis and to meet compliance requirements for long term retention and management.

    All the architecture components including the Sensor, the Logger, the Correlation Engine, etc., can be deployed tier-based, isolated, or in a consolidated all-in-one style. This wide variety of deployment options helps customers to have flexible and open architectures. This also helps control cost depending on the budget at hand. Very rarely can products boast of such flexibility.

    What needs improvement?

    This product is jack-of-all trades, but master of none. As mentioned in the good, being a jack-of-all trades is well suited for certain organizations. However, the lack of mature functionality and expertise in any of those areas is a strong negative.

    For example, the correlation engine is nowhere close to the likes of ArcSight, QRadar, or Splunk, etc. The threat Intelligence is not as good as QRadar, McAfee, RSA, etc. When it comes to critical functionality expertise, AV USM is found lacking.

    • Database: AV USM is using MySQL for its database. All the issues related to a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database and this causes an issue in terms of scalability, especially with high log volume environments because backup and restore is time and CPU/RAM consuming. USM can hugely benefit from moving to a non-DB Log storage architecture, thereby giving more flexibility in data management. It is doubtful if AV will take that route. Based on their product direction, they are looking at Percona Server to replace MySQL. While it is a good move, it is still customized MySQL replacement. It may not add much desired scale to the product.

    What do I think about the stability of the solution?

    Product Stability: The biggest issue we have seen with the product is its poor stability. With way too many components, myriad integrations, and a ton of scripts, the product is really unstable. Every version upgrade is a nightmare. Re-installation or Re-start is the most common solution for the product to start working again. In a mission critical environment, this is a complete NO-NO. One of the most common and frequently failing components is the DB. Issues like DB corruptions, access issues, disk errors, unresponsive queries, etc., really test the patience of end users on a regular basis. These are the most damning negatives about AV USM.

    How are customer service and technical support?

    One of the common issues we hear about AV technical support is that it is of inconsistent and poor quality. Most of the time, the solutions rely on re-install, re-start, or a bug-fix. There are way too many components to troubleshoot. This leaves support to resort to re-install or re-start, without thorough root cause analysis.

    Which solution did I use previously and why did I switch?

    Customization: Again, this is one point where AlienVault outshines the competition in capability of customization. We have seen several customers who are using AV USM with heavy customization to perform threat detection, Asset Discovery, Threat scoring, APT detection, etc. This flexibility is really desired by Security analysts and AV USM is making good on this promise.

    What's my experience with pricing, setup cost, and licensing?

    One of the areas where AV USM benefits is price. It is affordable while offering a whole lot of SIEM features. This turns out to be the deciding factor for small and medium enterprise segments. QRadar, ArcSight and Splunk are some of the most expensive SIEM security tools out there in the market and not everyone has the budget to buy them. In such cases, AV USM is a very cost effective alternative.

    What other advice do I have?

    Product Vision Stagnation: This may not be much of an issue for potential users of AV USM. However, it is important to note that the product has not gone through major leaps in the last four years. It had more than three major releases and 20+ minor releases, but nothing path-breaking has been brought to the market. It has still remained in the “promising products to watch” for way too long. One of the main reasons we think this is the case is because of economies of scale. Since they are priced lower and cater to the SME segment, the amount of money invested in development is less, and hence the result.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    Technical Writer at a tech services company with 11-50 employees
    Consultant
    AlienVault USM - bang for your buck.

    What is most valuable?

    I have worked with a Managed Security Team that uses AlienVault USM for the past two years. The user interface is as good as it gets. The setup is greatly simplified with intensive documentation and a great tech support.

    How has it helped my organization?

    The USM has been instrumental in the discovery and tracking down of emerging threats which has helped us instantly evaluate and resolve security incidents for our clients.

    What needs improvement?

    I would say the menus could use some tweaking and custom rule creation could be made simpler.

    For how long have I used the solution?

    2 years.

    What was my experience with deployment of the solution?

    No. I did not face any deployment issues.

    What do I think about the stability of the solution?

    No. I did not face any stability issues.

    What do I think about the scalability of the solution?

    No. I did not face any scalability issues.

    How are customer service and technical support?

    Customer Service:

    Impressive.

    Technical Support:

    Great.

    Which solution did I use previously and why did I switch?

    AlienVault was the first and only choice.

    How was the initial setup?

    Setup was straightforward and priming and fine-tuning was reasonably simple too.

    What about the implementation team?

    In-house team.

    What was our ROI?

    The product greatly reduces the need for human review and by bringing so many feature-rich capabilities under one roof, it makes it hassle-free for collecting evidence for ISO 27001 compliance.

    What's my experience with pricing, setup cost, and licensing?

    AlienVault is one of the best to consider in terms of price advantage. AV is giving tools that charge you based on EPS a run for their money. Forget about procuring licensing and setting up stand-alone detection and prevention systems and then having them all integrate for log interpretation.

    Which other solutions did I evaluate?

    Splunk Enterprise Security.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Managed Security Service Provider Partner Program.
    it_user675858
    IT Assistant at a financial services firm with 51-200 employees
    Vendor
    I can monitor less things and just read reports or alarms.

    What is most valuable?

    The customizable reports

    How has it helped my organization?

    I can monitor less things and just read reports or alarms.

    What needs improvement?

    I don't have any, as I've been pretty satisfied with the product.

    For how long have I used the solution?

    1 Year

    What was my experience with deployment of the solution?

    No, it was pretty smooth. There's a little bit of a learning curve out the gate, but they have lots of help available.

    What do I think about the stability of the solution?

    No

    What do I think about the scalability of the solution?

    Just learning the language, it's a new product, and it takes time to learn all of its capabilities.

    How are customer service and technical support?

    Customer Service:

    10, they have great customer Service

    Technical Support:

    10

    Which solution did I use previously and why did I switch?

    We had a MARs and it was EOF.

    How was the initial setup?

    It was pretty straightforward, you take a class and then you get extra help. There wasn't any confusion.

    What about the implementation team?

    In-house.

    What was our ROI?

    N/A

    What's my experience with pricing, setup cost, and licensing?

    It's worth it!

    Which other solutions did I evaluate?

    Yes, but I wasn't a part of the research team.

    What other advice do I have?

    I'm glad we purchased it. I wish we would have gone with outside monitoring instead of in-house, and there is a lot to learn. Great product though.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Karl Hart, Acse, Ceh, Chfi, Cissp
    Information Security Manager at a tech services company with 201-500 employees
    Real User
    We used to have to monitor and review logs for each device, now everything comes into AlienVault and it alerts us when we need to respond.

    Pros and Cons

    • "The USM is a workhorse; no matter what devices or the number of logs we throw at it, the system processes them in real time, correlates the events, and alerts on only events that need human review."
    • "The one thing I continue to dislike about the USM is the limitation on reports."

    How has it helped my organization?

    We used to have to monitor and review logs for each device. Now, everything comes into AlienVault and it alerts us when we need to respond. We now have real-time monitoring 24x7x365 using an in-house team.

    What is most valuable?

    The ease of use and customization. The USM is a workhorse; no matter what devices or the number of logs we throw at it, the system processes them in real time, correlates the events, and alerts on only events that need human review.

    What needs improvement?

    The one thing I continue to dislike about the USM is the limitation on reports. It is hard to get what you need in a report, and once you do, there is no control over the formatting.

    What do I think about the stability of the solution?

    There used to be some issues with database stability in versions pre-5.x, but the database has since been tuned and has been rock solid since.

    What do I think about the scalability of the solution?

    The only issue I have run into with scalability is the 1TB limit for raw log storage. When you collect as many logs as I do, you need additional space to keep logs for compliance.

    How are customer service and technical support?

    Customer Service:

    I give customer service five stars, they are always available and very helpful.

    Technical Support:

    Technical support gets 4 1/2 stars. Like any support, it varies on the person that gets your ticket.

    Which solution did I use previously and why did I switch?

    I have used many solutions with different companies but always move to AlienVault. You get so many more features for the money. AlienVault always comes in way less in price than any other solution.

    How was the initial setup?

    Initial install is easy, the complexity only comes in as you start to add logs to the system to collect. If you do not take the time to plan out your installation and get a complete list of devices to collect from you could run into issues.

    What about the implementation team?

    We implemented using our in-house team.

    What was our ROI?

    We are able to monitor 24x7x365 with minimal staffing. Once it is tuned, you only get the alerts you need to see. We used to have to monitor and review logs for each device. Now, everything comes into AlienVault and it alerts us when we need to respond.

    What's my experience with pricing, setup cost, and licensing?

    Have a look at how AlienVault does Events Per Second (EPS) compared to others. Most other products charge based on EPS: the more events, the more you have to pay. This causes most companies to limit the amount of logs sent and processed. AlienVault charges by the number of devices managed. You can send anything and everything to the USM. The more logs you can process, the better correlation you will have. I have found that companies that limit their logs and then have a security incident would have been able to identify the attack if they had been monitoring all events in their logs.

    Which other solutions did I evaluate?

    Splunk, QRadar, LogRhythm, etc.

    What other advice do I have?

    If you are thinking about a solution, give their free product OSSIM a try and once you see all it does you will want to upgrade to the commercial USM to get even more.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    it_user690780
    Network Administrator at a legal firm with 51-200 employees
    Vendor
    We've been able to use the scanning to identify security issues and take care of them before they become a problem.

    What is most valuable?

    The vulnerability scans and network scans and alarms.

    How has it helped my organization?

    We were able to use the product to identify two security issues already. We had one situation where the appliance identified that a workstation on our network was infected with a DNS Blackhole virus. We were able to remove the computer from the network and replace it. We've also been able to use the scanning to identify security issues and take care of them before they become a problem.

    What needs improvement?

    I would like to see it be able to run on any hardware via just an installer.

    For how long have I used the solution?

    We've had it in place for a year now.

    What was my experience with deployment of the solution?

    Not really, but we had their engineers and a consultant helping.

    What do I think about the stability of the solution?

    We have not.

    What do I think about the scalability of the solution?

    No.

    How are customer service and technical support?

    Customer Service:

    Very high. Any issues I've had they've been quick to answer and help.

    Technical Support:

    Their support is wonderful. I've had a couple of questions and had them answered very quickly.

    Which solution did I use previously and why did I switch?

    No.

    How was the initial setup?

    Very straightforward.

    What about the implementation team?

    We implemented through a vendor. When we bought the product they included hours from a vendor for the implementation.

    What was our ROI?

    Unknown.

    What's my experience with pricing, setup cost, and licensing?

    Nothing to advise.

    Which other solutions did I evaluate?

    No. We just had to decide if we wanted this or had time to work with it.

    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    ITCS user
    IT Security Analyst at a tech services company with 10,001+ employees
    Real User
    Report modules now allow us to get a visualization of the activity of the main assets.

    Pros and Cons

      • "OTX is a great module that lets staff maintain and monitor updates regarding events in the infrastructure and take decisions to improve the security perimeter."

      What is most valuable?

      OTX is a great module that lets staff maintain and monitor updates regarding events in the infrastructure and take decisions to improve the security perimeter.

      How has it helped my organization?

      Report modules now allow us to get a visualization of the activity of the main assets to continue the business and let us take decisions to the stakeholders.

      What needs improvement?

      Report modules now let us get a visualization of the activity of the main assets to continue to improve the business and reduce the risk of failures.

      For how long have I used the solution?

      Around 2 years ago, and it allowed me to grow not only technologically but also helped me to improve processes in attending to information security events in the company.

      What was my experience with deployment of the solution?

      Yes, but it was with the integration with other devices, and the AlienVault TAC did a great job resolving the problems.

      What do I think about the stability of the solution?

      Honestly, this solution was very stable and there were no problems whatsoever.

      What do I think about the scalability of the solution?

      I have not had the opportunity to do a scalability implementation, but with the experience of having managed the solution for 2 years, I don't believe we will have problems deploying.

      How are customer service and technical support?

      Customer Service:

      The service was excellent and always showing excellent treatment and availability.

      Technical Support:

      The service is excellent; the support requested really is quick and very efficient.

      How was the initial setup?

      It was very fast and straightforward, thanks to the great support given by the AlienVault TAC.

      What about the implementation team?

      This integration was done with both teams, and I think the deployment was very easy due to the great knowledge of the vendor team. They gave us a great explanation of all the modules and the best practices to deploy the solution.

      What was our ROI?

      It has not yet been measured.

      What's my experience with pricing, setup cost, and licensing?

      Considering the scalability compared with the other solutions in the market, I think this solution really has a great price for all sizes of medium and big enterprises.

      Which other solutions did I evaluate?

      Yes, I did. The solutions considered were HPE and Splunk.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user339099
      IS Manager at a financial services firm with 501-1,000 employees
      Vendor
      It has allowed us to centralize our logging. We had used previous products and found AlienVault centralized the logging for our security.

      Pros and Cons

      • "We had used previous products and found AlienVault centralized the logging for our security."
      • "There are many reports included, but it would be nice to have better access to the data."

      How has it helped my organization?

      It has allowed us to centralize our logging. We had used previous products and found AlienVault centralized the logging for our security. Additionally, we are better able to meet our compliance needs.

      What is most valuable?

      We use several features extensively. Logging, vulnerability scanning, file integrity monitoring, and threat information.

      What needs improvement?

      I would like to see some better ways to report on the information. There are many reports included, but it would be nice to have better access to the data. Customizations are possible but don't always allow us to report on what we need.

      What do I think about the stability of the solution?

      We have a new remote sensor sending a large amount of data. We have seen some slowness but the sensor is new and we tracked down the slowness to network connectivity. The server has handled all we could throw at it.

      What do I think about the scalability of the solution?

      Working well with everything we have sent to it.

      How are customer service and technical support?

      Customer Service:

      I have enjoyed working with the client support folks. I have had really good experiences with them even having them help with plugins when they weren't working.

      Technical Support:

      Very good.

      Which solution did I use previously and why did I switch?

      ManageEngine Event Log Analyzer

      How was the initial setup?

      The wizard setup was great and helped deployment go well.

      What about the implementation team?

      Received training and did in-house. Also had some follow-up consulting that helped to do a health check on the system that was very valuable. Consultants did a great job of helping us become more comfortable.

      What was our ROI?

      Not measured.

      What's my experience with pricing, setup cost, and licensing?

      Look at other products and AlienVault will have you coming back as it did us.

      Which other solutions did I evaluate?

      Yes, many other vendors. It's been a while, so I don't remember them all.

      What other advice do I have?

      No, good solid product.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Information Technology Security Administrator at a healthcare company with 1,001-5,000 employees
      Vendor
      We use policies as alerts on many compliance requirements and concerns.

      What is most valuable?

      Policies have been very valuable. We use them as alerts on many compliance requirements and concerns.

      How has it helped my organization?

      • Identifying the sending of clear text account information
      • Identifying and fixing vulnerabilities that we were not aware of

      For how long have I used the solution?

      We have been using AlienVault for the past two years.

      What was my experience with deployment of the solution?

      There was an issue in setting up the log storage location.

      What do I think about the stability of the solution?

      I did not encounter any issues with stability.

      What do I think about the scalability of the solution?

      I did not encounter any issues with scalability.

      How are customer service and technical support?

      Customer Service:

      There is excellent customer service and we have never had a complaint.

      Technical Support:

      Technical support has a very knowledgeable support staff. Everyone we have worked with has really displayed great knowledge of this product.

      Which solution did I use previously and why did I switch?

      We used different solutions. Pricing was an issue and support was limited.

      How was the initial setup?

      We had the installation done by support when we purchased the solution.

      What about the implementation team?

      The implementation was through the vendor and they were great to work with. They were able to answer any questions that we had.

      What's my experience with pricing, setup cost, and licensing?

      The pricing was great and we were not disappointed.

      Which other solutions did I evaluate?

      We did not evaluate other solutions.

      What other advice do I have?

      Thank you for the great solution that you provided for us.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      IT Security Engineer II at a retailer with 5,001-10,000 employees
      Vendor
      Provides a single pane of glass that shows threats that are in the environment.

      What is most valuable?

      The dashboard.

      How has it helped my organization?

      The single pane of glass that shows threats that are in the environment.

      What needs improvement?

      Sub menus: Sometimes you really have to drill down to get to where you want to go.

      For how long have I used the solution?

      We have been using this solution for three years.

      What was my experience with deployment of the solution?

      I did not encounter any issues with deployment.

      What do I think about the stability of the solution?

      There were stability issues due to lack of memory.

      What do I think about the scalability of the solution?

      I did not encounter any issues with scalability.

      How are customer service and technical support?

      Customer Service:

      I would rate customer service as excellent.

      Technical Support:

      I would rate technical support as excellent.

      Which solution did I use previously and why did I switch?

      We did not use a previous solution.

      How was the initial setup?

      The setup was straightforward.

      What about the implementation team?

      We did the implementation in-house.

      What was our ROI?

      The ROI was priceless.

      What's my experience with pricing, setup cost, and licensing?

      N/A.

      Which other solutions did I evaluate?

      We used other solutions, but they couldn't compare: QRadar, Splunk, ArcSight and LogRhythm. All were way too expensive compared to AlienVault USM.

      What other advice do I have?

      All companies should buy an AlienVault SIEM. It is well worth the investment.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      BG
      Systems Engineer at a university with 201-500 employees
      Real User
      Some of the valuable features are real-time email alerts, event correlations, and log management.

      What is most valuable?

      • Real-time email alerts
      • Event correlations
      • Log management
      • System monitoring
      • Network monitoring
      • Up-time monitoring
      • OTX threat intelligence
      • Vulnerability scanning reporting

      There are too many to list.

      How has it helped my organization?

      It has given us insight into our network:

      • What is on it
      • What traffic is on it
      • What is happening on our servers

      It is one location to view many things.

      What needs improvement?

      The menu system can be a little confusing until you use it for a while. For example, at the top right there is a “Settings” menu, which is more of a user profile menu. I would like that to say what it is: “My Profile.” Under the “Settings” menu I would rather see true system settings, such as User Accounts, Configuration Backups/Restore, SMTP Server Settings, AD (LDAP) settings, Password Policies, and other true system settings. There is also a large button at the right called “Configuration.” I would change that to something like “Deployment Settings.” Under this menu I would have settings specifically related to “this deployment of AlienVault,” such as Plugins, Sensors, Remote Locations, and Services Running on this deployment (with the ability to Enable/Disable and Start/Stop these). Also here I would have a sub-menu called “System Performance” with metrics (CPU usage, Swap, RAM, database health (with cleanup and compress options), Network Traffic In/Out performance for each NIC, etc.). Currently, Threat Intelligence items are also under Configuration. I would make a separate “Threat Intelligence” menu and expand upon it to cover more items. Just my thoughts.

      I guess it comes down to my being old school and preferring traditional menus, such as text-style drop-down menus from the top rather than the huge big-button menus: File, Analysis, Environment, Reports, Settings, Deployment Settings, Preferences, Help, etc. The text type tends to be much more explanatory as to what is in the menus below. I know a lot of software has gone to the big button/ribbon style menus (MS Office). I assume that is to make things mobile friendly. To me it makes navigation less easy and more confusing, and the big buttons take up too much screen real estate that I would rather see used for other things, such as alarms and real-time system activities.

      For how long have I used the solution?

      We have been using this solution for just over one year.

      What was my experience with deployment of the solution?

      There have been no major deployment issues.

      What do I think about the stability of the solution?

      There have been no major stability issues.

      What do I think about the scalability of the solution?

      There have been no scalability issues. We recently moved from 150 asset licenses to unlimited and the process was very easy.

      How are customer service and technical support?

      Customer Service:

      Customer support is excellent. Support has been good for simple config issues and for alert questions. They have a great forum base as well as live support.

      Technical Support:

      I would rate technical support as very good.

      Which solution did I use previously and why did I switch?

      We used hardware based as well as open source solutions before. We still use some of them, but AlienVault allowed us to consolidate a lot of services into one.

      How was the initial setup?

      The installation was straightforward. We use the VMware base All-In-One USM. It was quite straightforward. It required a little customization, but it was not too difficult to sort through.

      What about the implementation team?

      It was a joint collaboration.

      What was our ROI?

      We saw a positive ROI within six months, especially in terms of manpower.

      What's my experience with pricing, setup cost, and licensing?

      Just give them a call. They can work with you in many ways to help you get what you need.

      Which other solutions did I evaluate?

      We looked at several options. And we were already using several of them, both paid and open source. AlienVault allowed us to combine several solutions into one.

      What other advice do I have?

      If you are interested, sign up for some of their webinars, download the free trial or open source versions, and play with it.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Security Expert at a tech services company
      Consultant
      Provides threat detection powered by signatures and advanced correlation rules.

      What is most valuable?

      Threat detection powered by signatures and advanced correlation rules.

      How has it helped my organization?

      It helps to identify external and internal security threats to the organization, on time.

      What needs improvement?

      • Accuracy of threat detection
      • Advance reporting
      • Reliable asset and vulnerability management feature

      For how long have I used the solution?

      We have been using this solution for three years.

      What was my experience with deployment of the solution?

      I did not encounter any issues with deployment.

      What do I think about the stability of the solution?

      I did not encounter any issues with stability.

      What do I think about the scalability of the solution?

      I did not encounter any issues with scalability.

      How are customer service and technical support?

      Customer Service:

      Excellent.

      Technical Support:

      We received average support. As observed, the support engineers take a long time for issue resolution.

      Which solution did I use previously and why did I switch?

      I have not used any other solutions before.

      How was the initial setup?

      The setup was simple and straightforward.

      What about the implementation team?

      We had an in-house implementation.

      What was our ROI?

      It has not yet been measured.

      What's my experience with pricing, setup cost, and licensing?

      The pricing and licensing are the best in the market when compared with other vendors' SIEM products.

      Which other solutions did I evaluate?

      We evaluated ArcSight, RSA Security Analytics, and Splunk.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Delivery Manager at a tech services company with 11-50 employees
      Consultant
      Provides vulnerability scanning and OTX for threat intelligence.

      What is most valuable?

      • Vulnerability scanning
      • Cross-correlation
      • Reports in a grouped manner
      • OTX for threat intelligence

      How has it helped my organization?

      It helps to monitor the entire office from a single point.

      What needs improvement?

      The report section needs to be improved. Most of the correlation rules are based on the NIDS event, which needs to be improved. In other words, we have to use the device logs also.

      For how long have I used the solution?

      We have been using this solution for almost two years.

      What was my experience with deployment of the solution?

      I did not encounter any issues with deployment.

      What do I think about the stability of the solution?

      I did not encounter any issues with scalability.

      What do I think about the scalability of the solution?

      I did not encounter any issues with scalability.

      How are customer service and technical support?

      Customer Service:

      Customer service is available 8 to 5 EDT. In emergency cases, it is difficult to reach them. Response-wise, it is good. I would give customer service a rating of 7/10.

      Technical Support:

      I would give technical support a rating of 7/10.

      Which solution did I use previously and why did I switch?

      We did not use a previous solution.

      How was the initial setup?

      The setup was very straightforward.

      What about the implementation team?

      We did it in-house.

      What was our ROI?

N/A

      What's my experience with pricing, setup cost, and licensing?

      I feel that the license cost was a bit high, but compared to others, it is less. For mid-range companies, they feel that the cost is high, but that it is worth it.

      Which other solutions did I evaluate?

We did not evaluate any other options.

      What other advice do I have?

      I do not have any additional comments.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user672663
      Information Security Analyst at a insurance company
      Vendor
      Some of the valuable features are log aggregation, correlation, and threat intel.

      What is most valuable?

      Log aggregation, correlation, and threat intel.

      How has it helped my organization?

      AlienVault has streamlined our security functions by combining several different functions into one package.

      What needs improvement?

I think expanding their vendor-specific plugins would be beneficial.

      For how long have I used the solution?

      We have been using this solution for one year.

      What was my experience with deployment of the solution?

      I did not encounter any issues with deployment.

      What do I think about the stability of the solution?

      I did not encounter any issues with stability.

      What do I think about the scalability of the solution?

      I did not encounter any issues with scalability.

      How are customer service and technical support?

      Customer Service:

      Their support is good and their response time is prompt.

      Technical Support:

      I would rate them as very knowledgeable.

      Which solution did I use previously and why did I switch?

      We did not use a previous solution.

      How was the initial setup?

      It was very straightforward. The setup was basically install the VM, setup network monitoring/syslog, and watch the data flow.

      What about the implementation team?

      Our implementation was in-house.

      What was our ROI?

      It's hard to calculate ROI on a prevention mechanism, as the variables of a prevented incident are unknown.

      What's my experience with pricing, setup cost, and licensing?

      They are very affordable and flexible in their licensing model.

      Which other solutions did I evaluate?

      We evaluated HPE ArcSight, IBM QRadar, LogRhythm, Splunk, and SolarWinds.

      What other advice do I have?

      I would highly recommend the customer training courses. They are very helpful.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user671703
      Sr. Networking & EMS Analyst
      Vendor
      Provides a good platform to start looking at the traffic on your network.

      What is most valuable?

      Event monitoring and vulnerability scanning have been a huge benefit to us.

      How has it helped my organization?

      It provides a good platform to start looking at the traffic on your network.

      What needs improvement?

      Most of the troubleshooting requires going through the Linux command line and bypassing the GUI. We have a wide variety of users with different technical expertise. For some, any amount of command line troubleshooting scares them away from products.

      For how long have I used the solution?

      We have been using this solution for a year.

      What was my experience with deployment of the solution?

Our deployment was rather unique and is pushing the limitations of the architecture that we chose. From what I have learned, if you have large deployments on separate networks, do not attempt to use remote sensors on those network segments.

      What do I think about the stability of the solution?

      Many of the patches typically have some bugs that we end up finding. We ended up implementing a deployment in our lab so as to fully test it internally, before patching.

      What do I think about the scalability of the solution?

The system is quite scalable; however, it is best to understand the limitations of the different architectures offered.

      How are customer service and technical support?

      Customer Service:

      The customer service is excellent, we have quick and knowledgeable help on all our calls.

      Technical Support:

      The support team is also excellent with very knowledgeable engineers.

      Which solution did I use previously and why did I switch?

      This was our first solution for this type of security appliance.

      How was the initial setup?

      The initial setup was straightforward, but adding in more sensors made it a bit more complex.

      What about the implementation team?

      We had vendor help for the initial setup, however, the additional sensor expansion was in-house.

      What was our ROI?

      We quickly found some issues after deploying and have used the vulnerability scanner to verify patches are properly applied in the environment.

      What's my experience with pricing, setup cost, and licensing?

      If you expect to have a significant amount of devices on a sensor, then look at the cost/performance of going to a full server.

      Which other solutions did I evaluate?

      We evaluated LogRhythm and QRadar.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      Brett Carson
      Director Of Information Technology at a tech services company with 201-500 employees
      Real User
      Allows us to roll out log management on clients and servers, host-based IDS, and network-based IDS.

      Pros and Cons

      • "The best feature of this product is the ease of use. It is extremely easy to set up and get going. This is a very useful tool for a small organization."
      • "I feel that some areas of improvement would be vulnerability scanning. We use a separate product that seems to do a much better job."

      How has it helped my organization?

      This has helped improve our overall IT security by allowing us to implement a full suite of security tools that allows us to roll out log management on clients and servers, host-based IDS, and network-based IDS. It also provides vulnerability scanning; however, we use a separate product for that.

      What is most valuable?

      The best feature of this product is the ease of use. It is extremely easy to set up and get going. This is a very useful tool for a small organization.

      What needs improvement?

      I feel that some areas of improvement would be vulnerability scanning. We use a separate product that seems to do a much better job.

      What do I think about the stability of the solution?

      We have not encountered any stability issues.

      What do I think about the scalability of the solution?

We have not encountered any scalability issues; the product scales very easily.

      How are customer service and technical support?

      Customer Service:

      I would rate customer service an 8/10. I've received calls from customer service a few times a month and it gets a little overbearing, especially when you are busy, as IT professionals are.

      Technical Support:

      I would rate technical support a 9/10.

      Which solution did I use previously and why did I switch?

      This was our first solution for HIDS, NIDS, and log management.

      How was the initial setup?

      The initial setup was straightforward. I simply followed the steps in the setup wizard and the steps provided by technical support, and I had a trial version (later converted to paid version with additional steps) set up in about an hour or less.

      What about the implementation team?

      This was set up in-house.

      What was our ROI?

      It is really hard to put a number on ROI but I will say that AlienVault has allowed us to close the gap on security alert timing and we can respond to incidents in a much more timely fashion which, to me, is much more valuable than a number.

      What's my experience with pricing, setup cost, and licensing?

      AlienVault is flexible on their pricing for unlimited licenses.

      Which other solutions did I evaluate?

      We evaluated Splunk as well. AlienVault was a much cheaper solution and required less time to be rolled out. Splunk is a much more difficult product to work with and almost requires a dedicated employee to manage.

      What other advice do I have?

      I highly recommend AlienVault USM for anybody that is seeking a SIEM solution that is easy to implement and easy to manage. It works very well for small- and medium-size businesses.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      IT Security Analyst at a financial services firm with 201-500 employees
      Vendor
      You can customize the "Overview" dashboard to you or your company's needs.

      What is most valuable?

      AlienVault's "Overview" dashboard makes it very easy to see everything going on in your network that needs your immediate attention. You can easily customize the dashboard to you or your company's needs.

      How has it helped my organization?

      I now have the ability to report all vulnerabilities and threats hitting our network to upper management in an easy-to-understand format.

      What needs improvement?

      Offer solutions based on a PoC (Proof of Concept) to fit each company's specific needs, rather than letting the company guess or piece together the solution they need.

      For how long have I used the solution?

      I have used it for six months.

      What was my experience with deployment of the solution?

      We have not encountered any deployment issues; the setup was very easy and support was by my side to assist me with any issues that arose.

      What do I think about the stability of the solution?

      We have encountered stability issues; we have a high volume of logs passing through our SIEM and the default configuration couldn't handle all the data. Working with support, we were able to remediate all the crashes we were having.

      What do I think about the scalability of the solution?

      We have encountered scalability issues. We had to keep changing our configuration or updating our storage capabilities as we added more logs.

      How are customer service and technical support?

      Customer Service:

      Customer service is 8/10.

      Technical Support:

      Technical support is 9/10. Engineers are very knowledgeable about their product!

      Which solution did I use previously and why did I switch?

      We did not previously use a different solution.

      How was the initial setup?

      The setup was very straightforward. AlienVault provides simple, step-by-step instructions for each of their products!

      What about the implementation team?

      As a single Analyst, I was able to implement this product very easily.

      What was our ROI?

      At this time, it is too early to tell ROI.

      What's my experience with pricing, setup cost, and licensing?

      Know your capabilities and storage needs before negotiating a price! Make sure you ask about log storage options before purchase.

      Which other solutions did I evaluate?

      Before choosing, we evaluated other options. We were looking at Splunk and Rapid7.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Professor at a university with 201-500 employees
      Vendor
      It is set up as a dashboard in the security lab. Students can view and analyze the monitoring techniques of the product.

      What is most valuable?

      AlienVault is used in a classroom setting at Pittsburgh Technical College, which brings industry tools from the college classroom back into the field. We have several employers in the area that use AV so student acclimation to the product is key. AV is set up as a dashboard in the security lab where students can view and analyze the monitoring techniques of the product. If an event happens, they can process an analytical step to provide remediation.

      How has it helped my organization?

      Students becoming acclimated to the product can go out into the field and have first-hand knowledge on how to use a USM or SIEM product. This is a win-win solution for the vendor and future employers.

      For how long have I used the solution?

      The school has used the product for over a year.

      What was my experience with deployment of the solution?

      We were attempting to push HIDS on the domain controllers, and ran into an initial problem. This problem was immediately solved by the AV service technician that was able to remote in and fix the problem.

      What do I think about the stability of the solution?

One of the problems we had with stability was a problem of our own. We were running AV on a VLAN on which students were able to run DHCP servers, which caused our own problems.

      How are customer service and technical support?

      Customer Service:

      We have had several tickets open with AV and they are prompt in their service time.

      Technical Support:

      Technical support is prompt in acknowledging your needs and reply with a message that a service technician will be with you shortly. They make every attempt possible to work with your schedule.

      Which solution did I use previously and why did I switch?

      A direct competitor to AV is IBM QRadar, which is also used in the classroom environment.

      How was the initial setup?

      The setup was straightforward. We installed AV to vSphere ESXi as a virtual appliance deployed as an OVA template.

      What was our ROI?

      The ROI is unmeasured since we are an academic partner; there is no way of knowing how much positive impact the product will attain from students getting first-hand knowledge of an industry product before they go out into the field upon graduation.

      Disclosure: My company has a business relationship with this vendor other than being a customer: We are an academic partner.
      ITCS user
      System Administrator at a financial services firm with 201-500 employees
      Vendor
      The alarms dashboard shows any threats that may need further investigation.

      Pros and Cons

      • "The vulnerability scanning is helpful to identify the areas that need patching or fixes installed."
      • "The vulnerability reporting needs to have options to be able to sort or customize the output."

      How has it helped my organization?

      AlienVault has brought more awareness to the activity on our network. Security risks are identified and addressed to reduce any possible security breach.

      What is most valuable?

      Alarms dashboard shows immediately any threats that may need further investigation. The vulnerability scanning is helpful to identify the areas that need patching or fixes installed.

      What needs improvement?

      The vulnerability reporting needs to have options to be able to sort or customize the output. It is helpful to look at the vulnerability and how many hosts have it, in addition to being able to look at an individual host to see what vulnerabilities it has.

      What do I think about the stability of the solution?

      We did not encounter any stability issues. AlienVault seems to be pretty solid and we have not had any issues with it being unavailable.

      What do I think about the scalability of the solution?

      We have not encountered any scalability issues. We have a fairly simple deployment with only one sensor, so it was straightforward.

      How are customer service and technical support?

      Customer Service:

      Customer service is very good.

      Technical Support:

      Technical support is very good. They have always been prompt to address an issue and stuck with it until resolution.

      Which solution did I use previously and why did I switch?

      We did not previously use a different solution.

      How was the initial setup?

Initial setup was very straightforward; a few configuration settings and it was pulling in logs.

      What about the implementation team?

      An in-house team implemented it.

      What was our ROI?

      ROI is a difficult one to measure for this. It helps us cover a compliance need as well as provides us a means to be aware of any possible threats and vulnerabilities.

      What's my experience with pricing, setup cost, and licensing?

      Pricing is very competitive with other products and you get much more functionality from AlienVault. The vulnerability scanning and threat intelligence offers additional tools that others don't have.

      Which other solutions did I evaluate?

      We looked at a couple of other products before choosing AlienVault. We looked at LogRhythm and EventTracker.

      What other advice do I have?

      If you take the training virtually, make sure you can dedicate the week with uninterrupted time. The training is quite in-depth and you want to have your undivided attention on it.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Tech Support Engineer at a tech services company with 501-1,000 employees
      MSP
      Offers an Open Threat Exchange for IP reputation and vulnerability scanning.

      What is most valuable?

      • Open Threat Exchange (for IP reputation)
      • Vulnerability scanning
      • Quick APT phishing-related threat detection

      How has it helped my organization?

      • Phishing sites were detected and it secured the environment from the upcoming threat.
• The OpenVAS vulnerability scanner is very useful for knowing the current vulnerabilities present in the system and taking preventive action.

      What needs improvement?

• IPv6 is not supported
• Correlating with external logs from other sources is a little difficult

      For how long have I used the solution?

      I have been using it for one year.

      What was my experience with deployment of the solution?

It works well when you have the minimum required setup as per the AlienVault documentation.

      What do I think about the stability of the solution?

Stability issues happen only when you do not have sufficient hardware, which is the primary requirement.

      What do I think about the scalability of the solution?

      It scales well.

      How are customer service and technical support?

      Customer Service:

      Customer service is 7 out of 10.

      Technical Support:

      Technical support is 10 out of 10.

      Which solution did I use previously and why did I switch?

      We did not previously use a different solution.

      How was the initial setup?

      Initial setup was straightforward and simple.

      What about the implementation team?

      An in-house team implemented it.

      What was our ROI?

      It is providing good ROI.

      What's my experience with pricing, setup cost, and licensing?

      It is cheaper and more valuable compared to other reputable SIEMs.

      Which other solutions did I evaluate?

      Before choosing this product, we did not evaluate other options.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user604401
      AVP & Information Security Officer at a financial services firm with 501-1,000 employees
      Real User
      Automated alarms help identify what is happening on your network that should be investigated.

      What is most valuable?

      The automated alarms have been very helpful in identifying what is happening on your network that should be investigated.

      How has it helped my organization?

      It has helped us keep an eye on Admin activity on the network and in our directory.

      What needs improvement?

      The way it identifies systems can use some improvement. It has a hard time differentiating between versions of Windows.

      For how long have I used the solution?

      I have used it for two years.

      What was my experience with deployment of the solution?

      Deployment was extremely smooth.

      What do I think about the stability of the solution?

      The system has been very stable.

      What do I think about the scalability of the solution?

      We have a small network. So far, we have had no issues with scale.

      How are customer service and technical support?

      Customer Service:

      Customer service is excellent, very responsive, and they know their product.

      Technical Support:

      Technical support is excellent so far.

      Which solution did I use previously and why did I switch?

      This was the solution selected after evaluating several competing products; no SIEM prior to this deployment.

      How was the initial setup?

      Initial setup was very straightforward.

      What about the implementation team?

      We did the initial implementation and then had a vendor fine tune it with us. The vendor was very well qualified.

      What's my experience with pricing, setup cost, and licensing?

      Licensing and pricing was one of the primary reasons for selecting this solution. Since no one has an unlimited budget, consider your needs and get the most bang for your buck.

      Which other solutions did I evaluate?

      Before choosing this product, we evaluated other options. We were leaning heavily towards AccelOps but had worries about their viability as a business.

      What other advice do I have?

If you are considering this solution, I highly recommend that you have someone in-house who is familiar with Unix/Linux. The underpinnings of this solution are *nix. It will make deployment and ongoing maintenance much easier.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Security Architecture and Operations Lead at a university with 1,001-5,000 employees
      Vendor
      AlienVault helped take us from semi-Pro to Pro

      What is most valuable?

      The NIDS/HIDS features have probably been the best features for us in our environment. We've had some open-source options and, while they work, it isn't the same as having commercial support. SIEM is the second-most useful feature.

      How has it helped my organization?

      We've been able to professionally generate alerts for IDS, SIEM and vulnerabilities where we didn't have those capabilities before.

      What needs improvement?

      Reporting still needs a lot of work, especially on the vulnerability side. Vulnerability management UI could be improved as well.

Vulnerability reports are clunky and difficult to manage. The layout is not really professional or intuitive and it takes some time to understand how to navigate it. In general, while there are some customization options with reporting features as far as look and feel, reports still have an "open source" feeling. In general, the look is not as clean and professional as what one is used to seeing in other, similar products.

      For how long have I used the solution?

      I have used it for 16 months.

      What was my experience with deployment of the solution?

      We have not encountered any deployment issues.

      What do I think about the stability of the solution?

      We encountered one stability issue. With the amount of log data we were sending, our sensor drives were filling up within a day or two. We had to create some cron jobs to ensure logs were rotated more frequently.

      What do I think about the scalability of the solution?

      We have not encountered any scalability issues. You just add another sensor; pretty easy.

      How are customer service and technical support?

      Customer Service:

      Customer service is excellent! Always very responsive.

      Technical Support:

      Technical support is excellent! Always very responsive.

      Which solution did I use previously and why did I switch?

      We used Nexpose for vulnerability management and moving away from that was the primary reason we went with AlienVault.

      How was the initial setup?

      Initial setup was very easy for the most part. We were paired with a third-party vendor for onboarding. We didn't work well with this group, but AlienVault happily transferred our service hours to another group and that relationship worked much better for us.

      What about the implementation team?

      An in-house team implemented it.

      Which other solutions did I evaluate?

Before choosing this product, we did not evaluate other options. We looked at Nessus SecurityCenter with Log Management.

      What other advice do I have?

      We've been very happy with the purchase. While the list of supported vendors in the SIEM continues to grow, I do wish that creating plugins was a little easier.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user557325
      InfoSec at a tech services company with 1,001-5,000 employees
      Consultant
      Cost effective solution.
AlienVault is a full-featured, cost-effective SIEM that provides quality threat intelligence for a lot less than the competition. I knocked off a point [from my rating] for the learning curve compared to some of the competition, and another point for the lack of native user behavior analytics, but for the money you really can't do any better.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      SOC Lead / Sr. SOC Analyst at a tech services company with 501-1,000 employees
      MSP
      Out of the box features for easy asset discovery, vulnerability scans, IDS setup are all beneficial.

      What is most valuable?

      AlienVault out of the box features for easy asset discovery, vulnerability scans, IDS setup are all beneficial, but the best feature we find most valuable is the main dashboard for how the information is bubbled up and presented to us.

      How has it helped my organization?

With AlienVault we have been able to reduce lag times by not having to invest in specialized research, for which we rely on AlienVault Security Labs and OTX (Open Threat Exchange).

      What needs improvement?

      With all the great features AlienVault has to offer, it would be nice to see improved search query functionality, similar to ELK stack.

      For how long have I used the solution?

      18 months+

      What was my experience with deployment of the solution?

      Easy setup out of the box as it comes as a virtual appliance. 

      What do I think about the stability of the solution?

Solid platform built on a Debian system.

      What do I think about the scalability of the solution?

      Haven't been able to break it yet.

      How is customer service and technical support?

      5 Stars

      Disclosure: My company has a business relationship with this vendor other than being a customer: We are a part of the MSSP program.
      it_user465876
      Information Systems Network Technician at a local government with 501-1,000 employees
      Vendor
Allows for log management, vulnerability scanning, and file integrity monitoring.

      What is most valuable?

      It's a single solution that is meeting the needs of multiple of my PCI compliance objectives.

      How has it helped my organization?

      I was able to replace our log management solution with this product. A single server that allows for log management, vulnerability scanning, and file integrity monitoring.

      What needs improvement?

      The alarms section of the USM is very robust, yet I still find myself having to look back through the events to find more details. It would be nice if I could navigate straight to the event from the alarm.

      For how long have I used the solution?

      I've been using it for six months.

      What do I think about the stability of the solution?

I had a renegade plugin that was installed by the company who helped me with the initial setup. The plugin was missing a command to rotate logs and would quickly fill my hard drive's capacity. Fortunately, AlienVault support identified the problem and reported the issue to the designers. I opted to not run that plugin anymore, and probably still will not trust it even after the rotate function is fixed.

      What do I think about the scalability of the solution?

      I have the ability to scale out further from where I am if necessary, so I have not had any scalability problems.

      How are customer service and technical support?

      10/10

      Which solution did I use previously and why did I switch?

      We did not previously have many of the systems that AlienVault offers. We switched to get a robust single solution.

      How was the initial setup?

      The initial setup is both straightforward and complex. You can get the system up and running without any outside help but you will be missing out on many of the finer detailed features if you go that route. I appreciated getting professional setup help as I do not have enough time to dedicate to just learning USM. I also attended the five day training which was very valuable.

      What's my experience with pricing, setup cost, and licensing?

      Speak with a rep to get the correct design. AlienVault will scale depending on the size of your environment but the licensing gets tricky when you get away from the single unified console.

      Which other solutions did I evaluate?

I was not able to find any other tool that was able to meet as many needs as the AlienVault USM. I spent the entire trial testing AlienVault to make sure it would suit my needs.

      What other advice do I have?

Use AlienVault's free trial of the USM. They will help you get the system installed, which is very helpful to make sure you get the best test possible.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
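Two of the reviews above describe the same failure mode: sensor or plugin logs filling the disk within a day or two, fixed in one case with hand-written cron jobs that rotate logs more often, and in the other by dropping a plugin whose rotate command was missing. The script below is an added example, written for this page and not taken from either reviewer or from AlienVault's own tooling, showing what such a cron-driven guard looks like. Everything specific in it is an assumption: the log directory (/var/log/sensor), the 80% usage threshold, the 60-minute archive retention, and the copy-then-truncate rotation style, which is only safe if the writing daemon keeps the file open by inode rather than reopening by name.

```shell
#!/bin/sh
# Added example, not part of the reviews or of AlienVault's own tooling: a
# cron-driven guard for a sensor log partition that fills up within a day or
# two. Assumptions (hypothetical): the sensor writes plain *.log files under
# LOG_DIR, a compressed archive older than MAX_AGE_MIN minutes is safe to
# delete, and the writer tolerates copy-then-truncate rotation (check your
# daemon before relying on that; otherwise send it SIGHUP after the rename).

LOG_DIR="${LOG_DIR:-/var/log/sensor}"   # assumed path, not from the page
THRESHOLD="${THRESHOLD:-80}"             # percent used that triggers rotation
MAX_AGE_MIN="${MAX_AGE_MIN:-60}"         # archives older than this are pruned

# Percentage of the filesystem holding $1 that is in use (integer, no % sign).
disk_used_pct() {
    df -P "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Copy-then-truncate every *.log under $1, compressing the copy. Truncating
# with ": >" keeps the inode, so a daemon holding the file open keeps writing
# to the same (now empty) file instead of to a deleted one. Prints the count.
rotate_logs() {
    dir=$1
    stamp=$(date +%Y%m%d%H%M%S)
    n=0
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        cp -p "$f" "$f.$stamp" && : > "$f" && gzip -f "$f.$stamp" && n=$((n + 1))
    done
    echo "$n"
}

# Delete compressed archives under $1 older than $2 minutes; prints how many.
prune_archives() {
    dir=$1
    age=$2
    before=$(find "$dir" -name '*.gz' -type f | wc -l)
    find "$dir" -name '*.gz' -type f -mmin "+$age" -exec rm -f {} +
    after=$(find "$dir" -name '*.gz' -type f | wc -l)
    echo $((before - after))
}

# Cron entry point: act only when the partition is above the threshold, so a
# 15-minute schedule costs nothing while there is headroom.
main() {
    used=$(disk_used_pct "$LOG_DIR")
    if [ "$used" -ge "$THRESHOLD" ]; then
        rotated=$(rotate_logs "$LOG_DIR")
        pruned=$(prune_archives "$LOG_DIR" "$MAX_AGE_MIN")
        logger -t rotate_guard "disk ${used}% >= ${THRESHOLD}%: rotated $rotated, pruned $pruned"
    fi
}

# Run only when invoked as `rotate_guard.sh run`, e.g. from crontab:
#   */15 * * * * /usr/local/sbin/rotate_guard.sh run
# Sourcing the file just defines the functions.
case "${1:-}" in
    run) main ;;
esac
```

The threshold check is what separates this from a blind hourly rotation: the script is cheap to run every 15 minutes and only touches files when the disk is actually in trouble, and the prune step is bounded by age so a sudden burst of events cannot make it delete archives you still need for an investigation. If the plugin that misbehaved is the one producing the logs, watching the counters this script logs is also a quick way to confirm a vendor fix actually rotates on its own.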
      it_user484698
      Security Consultant at a tech consulting company with 51-200 employees
      Consultant
      We run this product on our network 24/7 and it has helped identify important events.

      How has it helped my organization?

      We run this product on our network 24/7 and it has helped identify many important events. We take the security of our network very seriously, and this helps to quickly identify and lock down any potential vulnerabilities or events that could escalate.

      What is most valuable?

      As an information security consultant that works across many diverse networks, these features offer by far the most critical information when analysing a client’s environment for issues that need to be addressed:

      What needs improvement?

      My biggest challenge has always been the fine-tuning that is sometimes required for some networks. It requires a solid understanding of Linux and databases and how networks work. So a non-technical user may become frustrated, or not configure the product to work at its best, and therefore miss important events. So I see room for improvement in the following:

      • Ease of deployment and configuration
      • Easier way of testing if features are working as designed, e.g. packet analysis
      • Troubleshooting features that are not working as designed

      What do I think about the scalability of the solution?

      I have not yet run into any issues regarding scalability; however, I have not yet deployed this on a very large network (1000+ devices).

      How is customer service and technical support?

      Excellent! Every time I have had an issue, the customer and technical support has been outstanding. The support desk is always very helpful, and goes out of their way to make sure the issues are resolved whenever possible.

      How was the initial setup?

      The initial setup is not difficult at all, and can be done by someone with almost no technical knowledge. However, getting optimal performance from the features in AlienVault may not always be as easy.

      What about the implementation team?

      We deployed using our own in-house team, led by myself. Depending on what you want from the product, be prepared to do some research and tinkering in the background. What you see on the surface is actually a very small part of what you can really do with AlienVault. If you are serious about getting the best out of AlienVault, use a vendor that is well versed in deploying AlienVault (like an MSSP) as they should have the experience needed to optimise a deployment, as well as having quick and easy access to the AlienVault support. Use the 30-day trial to get a good feel for what it can do, but remember there is a lot more.

      What's my experience with pricing, setup cost, and licensing?

      As this product is still relatively new in South Africa, people are still learning about it, but thus far we have been able to show affordability and feasibility in every network we have deployed it on. Speak to an MSSP about a package that is affordable for your company. The product is easy to scale as your affordability improves.

      Which other solutions did I evaluate?

      I have actually looked at a few other products; however, we decided on this product as the cost versus what you get far outweighed any other product we looked at. Many companies can’t afford to deploy a SIEM solution from some of the top companies on the market; however, no company should be without a SIEM on their network with the risks companies face today. AlienVault provided the best bang for buck.

      What other advice do I have?

      Remember, there are many good products on the market; however, affordability is usually a key factor. Sit down and properly analyse your network, and list your expectations from whatever product you are considering. Identify what your most critical assets are, your “Crown Jewels”, and know how they need to be protected. Then look at solutions within your budget, remembering that the most expensive is not necessarily always the best. There are many world-class products out there; you need to find one that will fulfil your needs, within your budget.

      Also, remember that running a system like this means dedicating resources to monitoring it; you can’t deploy SIEM tools and think it’s going to run itself. Don’t expect your system administrator to have time to do this, as InfoSec is a full-time job. Either get a skilled resource, or consider an MSSP offering.

      The product is very powerful and very flexible. However, certain aspects can be very challenging to set up and configure for users that don’t have an in-depth technical background. The default configuration would work well for a normal office network; however, for more complex networks there is a lot more configuration required for optimal performance. The product is still under very active development, and the vendor is always receptive to feedback regarding feature requests or bugs.

      Disclosure: My company has a business relationship with this vendor other than being a customer: We are an MSSP provider using this product, so we work closely with AlienVault themselves on a regular basis.
      it_user484701
      SOC Intrusion Analyst at a tech services company with 51-200 employees
      Consultant
      Once we placed AlienVault into the product we have now, the time it takes to find and respond to real anomalies dropped. Creating directives is a pain.

      Valuable Features

      • Raw logs
      • Alarm section
      • Security events

      Improvements to My Organization

      Once we placed AlienVault in the product we have now, the time it takes to find and respond to real anomalies has dropped from hours to minutes. It has so much potential to be an amazing product despite its many issues. After working with so many other SIEMs, AlienVault is among my top three favorites, and I believe it has earned that spot well.

      Room for Improvement

      Directives and searches within security events. So many issues with directives. Creating directives is a pain on its own, but editing them can be a nightmare filled with tedious, unnecessary steps. You do not have an option to whitelist or blacklist specific traffic flows to trigger alarms (e.g., specific IP to specific IP) if your directive contains multiple alarms. A simple fix would be to allow the engineer to give "and" and "or" statements so you could get something along the lines of (SRC IP: 192.168.0.20, DST IP: 10.10.1.12 OR 10.10.1.13) AND (SRC IP: 192.168.10.5, DST IP: 10.10.2.5). Instead, you have a list of source IPs and a list of destination IPs, and no matter how specific the traffic you need to blacklist is, anything communicating from the source list to the destination list triggers an alarm, which is not always what you want.

      A workaround for that is to split the alarm directive into separate directives for any specific flows you are looking for. Searching in security events comes with its own minor inconvenience that isn't a deal breaker; however, a simple improvement could make things orders of magnitude better: allow the analyst to decide everything they want to search for and trigger the search themselves. Right now, if you want to search something by signature, time range, and port, for example, you have to do each individually, and each search forces the query to reload before you get the information set you want. E.g.: I want to search for Admin Activity Events, surrounding a specific Admin, over the last week. I need to first search for Admin activity events, which reloads the whole set of data, then search for the username, reloading the whole set of data again, then choose the last week time range, reloading again. It would make more sense to be able to package the queries I intend to use, then click something along the lines of submit. AlienVault does offer predefined searches, which is a great tool, but I think fixing the search function of the SIEM would be great.

      Use of Solution

      I've used it for two years.

      Stability Issues

      Stability issues have been around, but I feel like AlienVault does a stand-up job at responding to and fixing them.

      Scalability Issues

      I personally haven't seen any scalability issues, though that falls out of my purview.

      Customer Service and Technical Support

      10/10 - the AlienVault team is great, and the community is very active.

      Initial Setup

      Straightforward. The guidance given in documentation sets you up for success, and the ease of adding agents to machines is phenomenal.

      Implementation Team

      It was done in house. Be patient, focus on getting your firewalls connected to the SIEM.

      Other Solutions Considered

      I have used several SIEMs, but stick with ArcSight, Splunk, and AlienVault. It is more client dependent. A big pro for AlienVault is its price point and resource requirements. Though I feel like AlienVault is best suited for small to mid-sized businesses.

      Other Advice

      Take advantage of the support team at AlienVault, and read through the documentation. If you get lost, there is a good chance the information is in there. Also, you will quickly discover the limitations of AlienVault, so you should take your time to figure out workarounds for your issues.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
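As an added illustration of the directive semantics the reviewer describes above (not code from the review or from AlienVault; the directive classes and the sample flows are constructed assumptions), this Python model contrasts source-list/destination-list matching with explicit flow-pair matching, and checks that the reviewer's workaround of splitting into one directive per flow is equivalent to the requested "and"/"or" form:

```python
"""Constructed model of two alarm-directive matching semantics.

Added example, not AlienVault code.  'List' semantics (what the review
describes as current behaviour) fires for ANY listed source talking to ANY
listed destination, i.e. the cross product.  'Flow' semantics (what the
review asks for) fires only for explicit (source -> destinations) groups
combined with OR, so (A -> B or C) OR (D -> E).
"""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str]  # (src, dst) as dotted-quad strings


@dataclass
class ListDirective:
    """Current behaviour per the review: a source list and a destination list."""
    sources: Set[str]
    destinations: Set[str]

    def matches(self, src: str, dst: str) -> bool:
        return src in self.sources and dst in self.destinations


@dataclass
class FlowDirective:
    """Requested behaviour: OR over groups, each group = one source AND its allowed dsts."""
    groups: List[Tuple[str, Set[str]]] = field(default_factory=list)

    def matches(self, src: str, dst: str) -> bool:
        return any(src == s and dst in dsts for s, dsts in self.groups)


def reviewer_directives() -> Tuple[ListDirective, FlowDirective]:
    """The two flows from the review expressed under both semantics."""
    list_d = ListDirective(
        sources={"192.168.0.20", "192.168.10.5"},
        destinations={"10.10.1.12", "10.10.1.13", "10.10.2.5"},
    )
    flow_d = FlowDirective(groups=[
        ("192.168.0.20", {"10.10.1.12", "10.10.1.13"}),
        ("192.168.10.5", {"10.10.2.5"}),
    ])
    return list_d, flow_d


def split_workaround(flow_d: FlowDirective) -> List[ListDirective]:
    """The reviewer's workaround: one list directive per specific flow group."""
    return [ListDirective(sources={s}, destinations=set(dsts)) for s, dsts in flow_d.groups]


def any_matches(directives: Iterable[ListDirective], src: str, dst: str) -> bool:
    return any(d.matches(src, dst) for d in directives)


def evaluate(events: Iterable[Flow], list_d: ListDirective,
             flow_d: FlowDirective) -> Dict[str, List[Flow]]:
    """Which events alarm under each semantics; 'spurious' = list-only hits."""
    checked = []
    for src, dst in events:
        ip_address(src), ip_address(dst)  # reject malformed addresses early
        checked.append((src, dst))
    list_hits = [e for e in checked if list_d.matches(*e)]
    flow_hits = [e for e in checked if flow_d.matches(*e)]
    spurious = [e for e in list_hits if e not in flow_hits]
    return {"list": list_hits, "flow": flow_hits, "spurious": spurious}


# Constructed sample traffic, not real logs.
SAMPLE_EVENTS: List[Flow] = [
    ("192.168.0.20", "10.10.1.12"),  # intended flow: alarms under both
    ("192.168.10.5", "10.10.2.5"),   # intended flow: alarms under both
    ("192.168.0.20", "10.10.2.5"),   # cross product: alarms only under list semantics
    ("192.168.10.5", "10.10.1.13"),  # cross product: alarms only under list semantics
    ("192.168.0.21", "10.10.1.12"),  # unrelated host: no alarm either way
]


def demo() -> Dict[str, List[Flow]]:
    list_d, flow_d = reviewer_directives()
    return evaluate(SAMPLE_EVENTS, list_d, flow_d)


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:9s} {hits}")
```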
      it_user484695
      Information Security Consultant at Securepoint Nederland B.V.
      Consultant
      There is no complex alerting or code reviewing, just click and go.

      Valuable Features

      Vulnerability scanning and OTX are powerful. The alerting and security intelligence is the engine of the product. Looking at the cockpit and monitoring your IT environment is now almost a one man job. There is no complex alerting or code review, just click and go.

      Improvements to My Organization

      AlienVault does not stop a security breach, but it detects and notifies the responsible people and they can immediately interact and take the necessary actions. Identifying security risks and minimizing downtime is the added value.

      Room for Improvement

      The next release will include cloud security and it will support a hybrid IT environment. Furthermore, the OTX has great added value, but it will help when there is more OTX information in the database. Future releases will definitely need to improve on these items, and it will position the product in a more enterprise-ready strategic position.

      Use of Solution

      As a professional user and reseller we've used this product for almost five years, starting with the free OSSIM level for home and development use, and the all-in-one unlimited version or a small 50 asset version for our customers. Scalability is also key, starting at 25 assets for small companies and supporting enterprise companies with a separate server, sensor and logger.

      Deployment Issues

      It has great scalability options. The installation is almost click and go, but be aware when implementing AlienVault in a big environment with a separate sensor, logger and server, it's useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key; knowing where to position the sensors and where to place the server is key since wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.

      Stability Issues

      It has great scalability options. The installation is almost click and go, but be aware, when implementing AlienVault in a big environment with a separate sensor, logger and server, it would be useful to have the necessary skills and IT knowledge. Also, in-depth knowledge of your own IT is key; knowing where to position the sensors and where to place the server is key, as wrong architecture will impact performance. AlienVault can offer direct support or you can contact your local partner to assist during this process.

      Customer Service and Technical Support

      When issues arise and the going gets tough, you can contact AlienVault directly via phone, email or web. Support is covered via the license and in our experience the technical guys (and girls) know their stuff. Real serious problems are solved via a remote VPN connection (built into the software), and the product has really improved regarding stability.

      Initial Setup

      The installation is pretty straightforward. Just keep in mind that it is better to plan a good architecture than to rebuild the system(s) until it works performance-wise.

      Implementation Team

      We performed the implementation, and the training was done by AlienVault trainers. Just know your stuff and do not hesitate to contact AlienVault or a reseller.

      Other Solutions Considered

      Other SIEM/USM products that we use are Splunk, LogRhythm and the free OSSIM version. The first two have a different cost model and compared to AlienVault they have (or lack) the real Swiss army knife approach. Furthermore, there is a big difference in costs, which is why in the end AlienVault takes the lead.

      Other Advice

      The price is the unique selling point for AlienVault. The product is now stable and it is a Swiss army knife packed with a lot of tools. All other professional products that compare to AlienVault are somewhat different but deliver the same result, but it is the price that tips the balance in favor of AlienVault.

      Check the latest Gartner report on SIEM/USM 2016, and test the other products. Do not stick to one product for testing, but when you do not have the time to test all products (who does have the time), choose only two or three products to check out. Compare the prices and always ask for a demo.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user484692
      Security Consultant at a tech consulting company with 51-200 employees
      Consultant
      We have noticed outdated Java and Flash versions due to the Snort rules included in the appliance.

      Valuable Features

      AlienVault provides excellent visibility into your network by combining centralized logging, host-based IDS and network IDS. This enables me to detect quite a lot of potential issues that have gone through AlienVault's correlation engine and our own policies.

      Improvements to My Organization

      On several occasions we have detected attacks (DDoS) just as they are starting and have been able to rapidly mitigate them. We have also noticed outdated Java and Flash versions due to the Snort rules included in the appliance.

      Room for Improvement

      The biggest improvement they could do is to provide full support for IPv6 addressing. It currently has quite lightweight support for IPv6 addresses in the sense that it will record the source/destination addresses in all cases, but currently trying to search with IPv6 addresses is not possible and thus makes our lives harder.

      Use of Solution

      Including my experience with the previous version (v4) I have two years of professional experience with AlienVault.

      Deployment Issues

      We have not faced any large issues with the deployment.

      Stability Issues

      We have not faced any large issues with the stability.

      Scalability Issues

      The only issue is related to the volume of alarms in a system: the UI/UX for working with a large mass, starting with several hundred alarms, is suboptimal. I am hesitant to mention this as it is easily solved in the future by small UI changes.

      Customer Service and Technical Support

      All of the bug reports have been sent to AlienVault and have been handled with skill. At least once we got to talk to their experts who worked with us to debug the cases in our environment.

      Initial Setup

      There are many steps, but the steps are not complex. The biggest hurdle in the deployment/setup phase is usually gathering the actual information (assets details, services, policies) about the environment, not the installation itself.

      Implementation Team

      Our team did the implementation. If you have experience implementing a SIEM solution then you can implement this yourselves; otherwise you should get an external team to do it. The issue is not with the technical skills needed for the actual implementation, but the knowledge needed to know what to include, what policies to write, and what not to include.

      Pricing, Setup Cost and Licensing

      For licensing you will need to contact an AlienVault reseller as it is comprised of (roughly) how many events per second you are processing, how many assets you are adding, and in how many physical locations.

      Other Solutions Considered

      I was not part of the process. I have heard that our team had tried other products, but mostly the cost was prohibitive in those alternatives.

      Other Advice

      As this is a product that will give you a lot of visibility into everything you can throw at it, it is good to note that you should have good working relations with the *people* in charge of the assets you have visibility over (e.g. with network mirroring).

      You will get alarms about a plethora of things you couldn't have imagined, things that people have forgotten, that have been misconfigured and that are under attack. You will need to explain the remedies and mitigations to people. And that is possibly the biggest hurdle. This product will not help you if you cannot fix the problems it finds.

      It may not have the same abilities as most tools off-the-shelf but it has the best bang for buck. Unless you already have a high-quality SOC operation running, you will be able to handle probably all of your SIEM needs with AlienVault for a few years with a fraction of the price of other more complete solutions.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      ITCS user
      Senior Network and Security Consultant SI at a tech services company
      Consultant
      We can gather all data from different devices, analyze them and extract the correct information.

      What is most valuable?

      SIEM, Event Correlation and the Vulnerability Scanner.

      How has it helped my organization?

      Reduced the number of false alarms generated by other devices. With AlienVault we can gather all data from different devices, analyze them and extract the correct information.

      What needs improvement?

      Plugins: most plugins are not up to date with the newer versions of products.

      For how long have I used the solution?

      Since 2013

      How are customer service and technical support?

      We had problems with the MySQL database, but the technical support is very helpful. I'd give them a 9/10.

      Which solution did I use previously and why did I switch?

      Yes, but AlienVault is the more appropriate solution; it's flexible, Linux based, and contains a large number of open source solutions.

      How was the initial setup?

      Simple.

      What about the implementation team?

      A vendor team. Don't install the solution on a virtual platform other than VMware ESXi. We had a long story with AlienVault with a Proxmox Virtual Environment.

      What other advice do I have?

      It's a powerful solution and contains more features than other products.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user479484
      Network Security Administrator at a comms service provider with 501-1,000 employees
      Vendor
      The most important part of the product is the event correlation and alerting. The ability to authenticate users across multiple domains would be useful, but is not critical.

      What is most valuable?

      The most important part of the product is the event correlation and alerting that it provides. Sifting through tens of millions of logs a day looking for the proverbial needle in a haystack is impossible for a single person or even a team without automation.

      How has it helped my organization?

      Being able to identify security issues as they occur at near real time. Being able to then respond to them as soon as they occur is priceless.

      What needs improvement?

      We have a relatively large deployment that spans multiple locations and domains. Having the ability to authenticate users across multiple domains would be useful, but is not critical. The log query capability is pretty restrictive and I find myself searching through raw logs via command line more often than the GUI. Full logging is not supported out of the box; you will need to modify configurations to store all logs if that is your concern or a requirement of your organization. AlienVault by default only stores alert logs; this can and will bite you at some point. The IDS rules need better oversight when updated. The vulnerability scanner needs to have a power user mode that gives you a more complete interface to the vulnerability scanner (OpenVAS).

      For how long have I used the solution?

      3 years

      What was my experience with deployment of the solution?

      Most problems were due to our environment and having to utilize the built-in VPN capabilities. Once a few sensors have been added via the VPN it is pretty simple to remember how to do it.

      How are customer service and technical support?

      All interactions with customer service and technical support have been great. The engineering group is based in Spain and occasionally you may have timing issues with their team and yourself.

      Which solution did I use previously and why did I switch?

      Another group in our company used QRadar before they were bought out. The buyout created a bad enough situation that the group refused to renew with QRadar, especially when they decided after 18 months that they did not want to support the hardware that their predecessors had sold. We also trialed LogRhythm, which was a more mature product, but had its own quirks and annoyances. The largest issue I found with LogRhythm was the excessive amount of time spent deploying a single agent, much less repeating that process 390 times for our environment.

      How was the initial setup?

      We had a pretty large deployment; most of our locations were straightforward, but some were more complex due to having to route them through an MPLS connection with only limited connections to the main locations.

      What about the implementation team?

      We integrated through a third-party vendor-recommended group; they caused many issues on their own, some of which were not discovered for over a year. Be wary of any third party that wants to do anything with the database.

      What was our ROI?

      ROI for AlienVault will probably not be about the money. The return is the time saved and the intelligence that you are able to gather about your environment that you did not have before.

      What other advice do I have?

      Do your research in SIEM solutions and realize that it is not going to be a set-and-forget product. For 10 sensors like what we run, there are weeks that it requires logging in and closing tickets, and there are weeks where you will spend 10+ hours working on the deployment.

      There are some things that are great and some that are annoying; this is not a perfect product. Most security products are never perfect, especially based on the different organizations that will run them.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user466953
      Security Analyst at a legal firm with 501-1,000 employees
      Vendor
      It has a lot of capabilities, but make sure there’s someone that can devote daily time to it.

      What is most valuable?

      • Correlation
      • Customization

      How has it helped my organization?

      No, but that’s not really their fault, rather ours. I think this has a lot of valuable functions that really could be leveraged quite nicely.

      What needs improvement?

      They have the advantage of having a large community that uses the free version, and they really could use this as a sort of beta testing population for new releases. Yet, a lot of the releases break things that are used. I think they need to do more QA before releases. For example, I have custom rules written for the Suricata function. Some releases ago, there was a code change and now every single update requires that I reinstall the custom rules, and I am still waiting for the fix. They need to either stop allowing customization (which would be a mistake) or they need to embrace that a majority of their customer base does this and put in safeguards. I understand putting in limits to what’s supported, but simple things like this are part of the appeal of the product. Another example is that a few releases back, they broke the Nagios availability monitoring portion. All the functionality to watch your systems is there, and of course, I used it. When it broke, support told me it was really only meant to watch the AlienVault system itself, yet the entire interface is there, and the options to enable the monitoring on hosts are there. I believe, first of all, that what I was told was wrong, as availability monitoring is one of the core functions AlienVault touts, and secondly, that they need to be more careful with testing before releasing updates. It took like two more updates before the functionality was restored.

      For how long have I used the solution?

      I've used it for three years.

      What do I think about the stability of the solution?

      Some, but they are hard to pin down. This is a system that has a lot of things that can stop working, and unless you are paying close attention to the background processes, you would never realize it.

      How are customer service and technical support?

      Some people are excellent, and others not so much. They also seem to sometimes have conflicting information. I often rely more on the community for answers than I do on support, depending on the issue.

      Which solution did I use previously and why did I switch?

      We didn't have anything in place previously.

      How was the initial setup?

      We had a consultant that was provided by AlienVault, which was great. Otherwise, it would have been a little confusing and though they have made improvements in the documentation, it was horrible initially.

      What's my experience with pricing, setup cost, and licensing?

      Fair for all of the capabilities it has.

      Which other solutions did I evaluate?

      We looked at some but I can't remember which ones.

      What other advice do I have?

      It has a lot of capabilities, but make sure there’s someone that can devote daily time to it and that there is buy in from all segments, or a majority of the capabilities become pointless.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user479445
      Chief Information Security Officer at a tech services company with 51-200 employees
      Consultant
      It's based on an open source product and therefore fully customizable.

      What is most valuable?

      Flexibility. As the source of AlienVault is based on an Open Source product, it is possible to implement nearly everything including fully customized plugins, scripts, etc. We haven't yet found any limitations.

      How has it helped my organization?

      We are now able to track any kind of threat including external (malware) or internal (people trying to bypass restrictions, USB keys etc.).

      We are able to track changes in the authentication integrity (new user created, domain admin elevation, etc.) and get mail or tickets in cases of suspicious behavior.

      It helps us with our ISO27001 compliance.

      What needs improvement?

      The search capabilities are not optimal and are going to be optimized in the next versions. For example, it is possible to search both username and IPs but not usernames and specific fields (aka user data) at the same time.

      Documentation needs to be improved, especially due to the fact that AlienVault gets improved often with new features.

      Vulnerability scanning does not support Nessus (after version 5), which is a leader in the market. The default vulnerability scanner is OpenVAS; it does the job, but the reports are not the same quality as Nessus.

      For how long have I used the solution?

      3+ years

      What do I think about the stability of the solution?

      No stability issues were encountered.

      What do I think about the scalability of the solution?

      No scalability issues as the product is highly scalable. You have to take care of what you want to integrate and think of use-cases instead of global log collection. In our opinion this is the key of success as you will scale your infrastructure with what you really need.

      How are customer service and technical support?

      Customer Service:

      Customer service can be a great help depending on the kind of project. They are very reactive for commercial offers.

      Technical Support:

      Technical support is good and reactive but you should also pass the training to have better knowledge of the solution.

      Which solution did I use previously and why did I switch?

      We chose this product because of:

      • Pricing model
      • Flexibility of the solution
      • Multi-tier architecture/scalability

      How was the initial setup?

      Yes, when you don’t have experience with the product you have to learn and understand all the “concepts”. In this case AlienVault generally provide “free” technical service with third party companies to be able to operate something quickly.

      What about the implementation team?

      We started with the free technical support provided for the test period. Then we quickly took the product into our own hands, got certified on it and became independent.

      What was our ROI?

      The ROI is very good if you evaluate all the services which AlienVault can help you with: detection of malware, bad activities, suspicious behavior, etc. All these threats can create high financial loss, and a big part of them could be prevented using the SIEM.

      What other advice do I have?

      If you don’t want to overpay, and want to have something working, you have to make an assessment based on:

      - what are your assets?
      - what is the criticality of each one?
      - what use cases do you want to implement?

      From there, create a plan on how to implement them, limiting the number of collections to the minimum to avoid flooding of data and high costs due to an over-sized infrastructure.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user479427
      Director of Information Technology at a healthcare company with 51-200 employees
      Vendor
      Simplified log analysis and log management.

      Valuable Features

      Alerts derived from logs.

      Improvements to My Organization

      Simplified log analysis and log management.

      Room for Improvement

      More information about what the alerts mean and how they are derived would be useful when determining their significance. Support is good to provide this information though.

      Use of Solution

      >12 months

      Stability Issues

      No.

      Customer Service and Technical Support

      Excellent.

      Initial Setup

      Fairly straightforward. It does take some time to tune the system to your environment – to prevent getting alerts on activity you find acceptable in your environment.

      Pricing, Setup Cost and Licensing

      They do give discounts towards the end of quarters if your renewal is due.

      Other Advice

      You will wonder how you lived without it.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user123747
      Chief Security Officer at a financial services firm with 501-1,000 employees
      Vendor
      The integration of IDS and OSSEC is valuable as it enables correlation between Network IDS events and host system event logs

      What is most valuable?

      The integration of IDS and OSSEC is valuable as it enables correlation between Network IDS events and host system event logs.

      How has it helped my organization?

      AlienVault USM has improved how we manage events and incidents in our infrastructure. With AlienVault we are able to respond to incidents and take necessary action faster than we could before without the solution in place.

      What needs improvement?

      Some customizations of the integration between AlienVault components have room for improvement, and enabling users with WebUI interfaces instead of having to edit configuration files on the system to achieve certain actions would be a good improvement.

      For how long have I used the solution?

      Three years.

      What do I think about the stability of the solution?

      No issues with instability have been encountered in our environment.

      What do I think about the scalability of the solution?

      No issues with scalability have been encountered in our environment.

      How are customer service and technical support?

      The AlienVault technical support is good and has helped out several times with some really specific configurations in our environment.

      Which solution did I use previously and why did I switch?

      We used an outsourced MSSP solution but we needed to get the solution in-house in order to better integrate with our datacenters and systems and comply with financial regulatory and PCI-DSS requirements.

      How was the initial setup?

      The initial setup was straightforward and quite easy to set up. It requires Linux knowledge to manage, but given that we use Linux for our critical infrastructure services it was no problem for us.

      What's my experience with pricing, setup cost, and licensing?

      We chose AlienVault partly due to the many features and functionalities that were bundled with the product, and partly due to the pricing and licensing models that were offered. Many other solutions did not have the full spectrum of features but were significantly more expensive, so we would have been forced to get additional solutions to cover all our requirements. With AlienVault we got an all-in-one solution that covered our needs.

      Which other solutions did I evaluate?

      We had a look at the current offerings at that time, including Tripwire, McAfee, SourceFire, etc., but concluded that we would get the best bang for the buck with the AlienVault solution.

      What other advice do I have?

      As with any security solution, you still need to have knowledgeable people to manage the solution, and the solution is not a silver bullet that takes care of all your issues without being properly managed. Make sure you have the necessary knowledge and headcount to use the solution before implementing this or any other solution. With security, most of the cost is in OPEX, not CAPEX, so make sure you have the necessary expertise to operate the solution as efficiently as possible.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user479376
      Information Security Officer at a healthcare company with 1,001-5,000 employees
      Vendor
      Valuable features include integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.

      What is most valuable?

      Integrated vulnerability assessment, intrusion/anomaly detection and monitoring, with a simple management interface.

      How has it helped my organization?

      AlienVault provided improved visibility into the environment as well as the ability to report on the organization’s security posture.

      What needs improvement?

      Asset scanning and inventory (stale assets, scheduling scans) and correlation (false positives).

      For how long have I used the solution?

      2 years

      What do I think about the stability of the solution?

      No.

      What do I think about the scalability of the solution?

      Yes. Upgrading the network cards (from 1GB to 10GB) was not “supported” on the appliance, so we had to purchase a second one as a sensor. The secondary appliance with the 10GBs NICs is the same as the primary appliance, so this was disappointing.

      How are customer service and technical support?

      High (seldom used).

      Which solution did I use previously and why did I switch?

      No.

      How was the initial setup?

      Simple and straightforward. The bulk of the work is understanding your own environment and tuning events (syslog, scans, alarm).

      What's my experience with pricing, setup cost, and licensing?

      Pricing was a very important consideration and lower than the other SIEM solutions evaluated. The price point makes it accessible for SMB organizations that may be constrained in resources (budget and people/skills), so deployment can be gradual while still deriving value out of the solution.

      Which other solutions did I evaluate?

      SolarWinds, Splunk, LogRhythm.

      What other advice do I have?

      As with any SIEM, it is not a “turn-key” or “set it and forget it” solution. It requires resources and skills to deploy, although this can be done in stages. Appropriate resources for maintenance are also key so the information is accurate, relevant and timely. Otherwise it becomes a repository of stale, ignored events and alarms.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      ITCS user
      Manager, Information Security at a retailer with 5,001-10,000 employees
      Vendor
      I'm able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed.

      What is most valuable?

      The fact that I am a very small security team and AlienVault allows me to have a SIEM, FIM and Vulnerability scanner all in one.

      How has it helped my organization?

      I am able to scan for vulnerabilities quickly on existing devices and also for new devices being deployed. Since I don’t have a lot of time to learn new and complicated tools, being an e-commerce company, this allows me to increase the security posture of the overall organization and also to help pass PCI compliance.

      What needs improvement?

      With all these products there is always room for improvement. Whether it’s making the filtering of anomalies better, making setup and deployment faster, streamlining more of the functional aspects of the product, etc. There is really not one thing that stands out in particular.

      For how long have I used the solution?

      About one year

      What do I think about the stability of the solution?

      I had some initial issues with some of the upgrades in version, but with the help of their support team, we were able to resolve all of them.

      What do I think about the scalability of the solution?

      No, not yet. We are growing at a rapid pace and eventually will need more sensors, but I believe that will be a painless upgrade.

      How are customer service and technical support?

      Tech support is great. Very knowledgeable, reliable, and have resolved all problems, escalated when necessary, and handled all my cases very professionally.

      Which solution did I use previously and why did I switch?

      I have used different solutions at previous jobs. AlienVault was a new purchase and install. When asked for my opinion, I did recommend AlienVault as the solution since my comparison of all products came down to AlienVault being the best for our particular environment.

      How was the initial setup?

      It was very straightforward. I had made a couple of little mistakes that most likely would have been avoided if I had not rushed a few aspects of the install, but tech support was able to get me back on the right track.

      What's my experience with pricing, setup cost, and licensing?

      The pricing for this solution with the 3 major components: SIEM, FIM, and vulnerability scanning, can’t be beat. There are other systems that are way more robust, but way more complicated and way more expensive. This solution was perfect for us.

      Which other solutions did I evaluate?

      I had eliminated others prior to evaluating AlienVault based on prior experience. Tripwire for FIM, QRadar for SIM, eEye Digital for vulnerability scans. All of which are great tools, but much more pricey. We briefly looked at LogRhythm, Tenable, and Splunk as well.

      What other advice do I have?

      I would say to implement it. It has all the components needed to help secure your environment as long as you have someone who can dedicate some time to it. But even if you don’t, like in my case, it is a much better solution than the others.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user467397
      IT Security Administrator at a local government with 501-1,000 employees
      Vendor
      The basic setup was straightforward. I'd like to see built in support to detect more security incidents.

      What is most valuable?

      • Security alarms
      • Log collection

      How has it helped my organization?

      We now get a better view into what is happening on our network and to the servers than previously.

      What needs improvement?

      I'd like to see built in support to detect more security incidents.

      For how long have I used the solution?

      I've been using it for 10 months.

      What do I think about the stability of the solution?

      We had no issues with the stability.

      What do I think about the scalability of the solution?

      It's been able to scale for our needs.

      How are customer service and technical support?

      They're very good.

      Which solution did I use previously and why did I switch?

      This is the first time we've used a solution of this type.

      How was the initial setup?

      The basic setup was straightforward, but it would have been nice if I could have had more information on a full setup and the advanced features.

      What's my experience with pricing, setup cost, and licensing?

      You should license it for all your devices including endpoints, as this will make it more valuable to you.

      Which other solutions did I evaluate?

      We did compare it to some other solutions, but I don't remember which.

      What other advice do I have?

      Try it first as you get a free evaluation.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user466518
      IT Security Architect at a healthcare company with 1,001-5,000 employees
      Vendor
      I can see all HIDS and IDS events in one place. Setup is complex when playing with custom plugins.

      What is most valuable?

      The SIEM part, where I can see all HIDS and IDS events in one place along with the correlation directives.

      How has it helped my organization?

      We have a better detection rate for malware and other cyber-attacks. It really helps when USM is integrated in the incident response plan.

      What needs improvement?

      • Database query speed when dealing with millions of events per day
      • Reports customization and types
      • Dashboards TV modes (SOC surveillance monitors)

      For how long have I used the solution?

      I've been using it for three years.

      What do I think about the stability of the solution?

      I've experienced frequent slowness, and we had to downgrade to filter out many logs.

      What do I think about the scalability of the solution?

      The AIO is not fast enough for a network over 100 EPS, so you have to go with a dedicated server option for better speed.

      How are customer service and technical support?

      7/10

      Which solution did I use previously and why did I switch?

      We had nothing in place prior to this.

      How was the initial setup?

      It's complex when playing with custom plugins.

      What's my experience with pricing, setup cost, and licensing?

      The price is low, and it's good quality, but it requires effort.

      Which other solutions did I evaluate?

      There were no other options looked at.

      What other advice do I have?

      To take full advantage of the product you have to work under the hood.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user466902
      IT Engineer at a energy/utilities company with 501-1,000 employees
      Vendor
      Due to the logger feature, everything is centralized on the AlienVault Server.

      Valuable Features:

      Event Correlation is the most valuable feature for every SIEM. AlienVault has ISO 27001 compliance which is very helpful for the companies looking to have the ISO 27001 certification.

      Improvements to My Organization:

      As it includes a logger feature for gathering all logs from all devices (network devices, servers, hosts etc.) it has basically become the only software that we look at when we have a problem. We don’t need to search from one device to another as it’s all centralized on the same AlienVault Server which enables us to save time and become more efficient at work.

      Room for Improvement:

      As it includes multiple security software components, the installation and configuration take a lot of time. It would be good if they could work on that, but the time is understandable given all the features AlienVault offers.

      Other Advice:

      It’s a very good SIEM with plenty of functionalities which helped improve our KPI.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.
      it_user466506
      Group Information Security Officer at a consumer goods company with 1,001-5,000 employees
      Vendor
      Before AlienVault we had no visibility of our vulnerabilities without looking up WSUS and matching this against the Windows bulletins.

      What is most valuable?

      The correlation from the Host Based Intrusion to Network Intrusion against the vulnerabilities in my network.

      How has it helped my organization?

      We had no visibility of our vulnerabilities without looking up WSUS and matching this against the Windows bulletins. This completely missed the mark when it came to third party patches and poor configuration, and wasted hours upon hours for half a story. Not to mention we now have a much better understanding of how and when we are being attacked.

      What needs improvement?

      The reporting could do with some improvements. For example, the vulnerability report only tells you what vulnerabilities are open and lists them, but there is no indication at a glance of how old they are or of what vulnerabilities have been closed since the previous scans. I would also like to see the ability to scan my devices for compliance against the CIS Benchmarks.

      For how long have I used the solution?

      I have had this solution in place for just over a year now.

      What do I think about the stability of the solution?

      I've not experienced any issues with this yet.

      What do I think about the scalability of the solution?

      I've not experienced any issues with this yet.

      How are customer service and technical support?

      The tech support guys have been very friendly and helped as soon as there has been any issue. I cannot fault their technical support.

      Which solution did I use previously and why did I switch?

      I used multiple products to try and get some way towards the level of visibility afforded by AlienVault: ManageEngine SIEM, Qualys vulnerability management, and Norton for HIDS. Having this all in one interface made more sense, which swayed the decision to go with AlienVault.

      How was the initial setup?

      Very easy for initial set-up. My system was up and running within two hours. When you start to get into it more, then you need a better technical understanding.

      What's my experience with pricing, setup cost, and licensing?

      This is much cheaper than some of the big names; it is very affordable and scalable.

      Which other solutions did I evaluate?

      We looked at managed services from Dell SecureWorks as well as Qualys & Nessus.

      What other advice do I have?

      Being the only Security professional in an organisation of well over 1000 people AlienVault lets me keep a watchful eye whilst getting on with my day job. This is a very good product with excellent support. Personally I would have preferred to go on the AlienVault System Engineers course as I believe this would help in fine tuning the system.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
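      The correlation this reviewer (and the financial-services reviewer above, who pairs IDS with OSSEC) values is the cross-check of a network IDS alert against what the vulnerability scanner already knows about the target. The following is an added illustration of that logic, not AlienVault code or any reviewer's configuration: the scan findings, alert signatures, IP addresses and the priority scale are all constructed for the demo, and the `boost`/`threshold` values are assumptions, not product defaults.

```python
"""Added example: cross-correlate NIDS alerts with vulnerability-scan
results so an exploit attempt against a host the scanner reported as
vulnerable to that CVE is raised to alarm priority. Illustrative code,
not AlienVault's; all data below is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    """One vulnerability-scan result (as an OpenVAS/Nessus scan would produce)."""
    host: str
    cve: str


@dataclass(frozen=True)
class Alert:
    """One NIDS alert (as Snort/Suricata would emit)."""
    src: str
    dst: str
    sig: str
    cve: Optional[str]   # CVE referenced by the signature, if any
    base_priority: int   # assumed scale: 1 (lowest) .. 5 (highest)


# Constructed scan results: which hosts the scanner found vulnerable to what.
SCAN = {
    Finding("10.0.1.20", "CVE-2014-0160"),   # web server still has Heartbleed
    Finding("10.0.1.30", "CVE-2008-4250"),   # legacy file server, MS08-067
}

# Constructed NIDS alerts seen on the span port.
ALERTS = [
    Alert("203.0.113.5", "10.0.1.20", "ET EXPLOIT Heartbleed", "CVE-2014-0160", 3),
    Alert("203.0.113.5", "10.0.1.21", "ET EXPLOIT Heartbleed", "CVE-2014-0160", 3),
    Alert("198.51.100.9", "10.0.1.30", "ET EXPLOIT MS08-067", "CVE-2008-4250", 3),
    Alert("198.51.100.9", "10.0.1.30", "ET SCAN Nmap", None, 1),
]


def vulnerable_index(scan):
    """Build {host: set(cves)} from scan findings for O(1) lookups."""
    idx = {}
    for f in scan:
        idx.setdefault(f.host, set()).add(f.cve)
    return idx


def correlate(alerts, scan, boost=2):
    """Return [(alert, priority, reason)] in input order. Priority is raised
    by `boost` (capped at 5) only when the destination host is known to be
    vulnerable to the CVE the signature exploits; everything else keeps the
    sensor's base priority, which is what keeps the alarm list short."""
    idx = vulnerable_index(scan)
    out = []
    for a in alerts:
        if a.cve and a.cve in idx.get(a.dst, ()):
            out.append((a, min(5, a.base_priority + boost), "target vulnerable to " + a.cve))
        else:
            out.append((a, a.base_priority, "no matching vulnerability"))
    return out


def alarms(alerts, scan, threshold=4):
    """Alerts whose correlated priority meets the (assumed) alarm threshold."""
    return [a for a, p, _ in correlate(alerts, scan) if p >= threshold]


if __name__ == "__main__":
    for a, p, why in correlate(ALERTS, SCAN):
        print(f"{a.dst:<10} {a.sig:<22} priority={p} ({why})")
```

      Of the two identical Heartbleed alerts, only the one aimed at the host the scanner flagged becomes an alarm; the same signature against an unlisted host keeps its base priority. The caveat a practitioner should keep in mind is the one the reviewer raises about stale assets: this only works as well as the scan data is fresh, so a host patched since the last scan will still be over-prioritised and a newly deployed one will be missed.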
      it_user466923
      Information Security Administrator at a government with 1,001-5,000 employees
      Vendor
      It provides greater visibility of host based and network activity through its HIDS and NIDS functionality. They should simplify the HIDS agent reporting/custom rule creation.

      What is most valuable?

      • Central log aggregation
      • Security correlation

      How has it helped my organization?

      It provides greater visibility of host-based and network activity through its HIDS and NIDS functionality.

      What needs improvement?

      They should simplify the HIDS agent reporting/custom rule creation.

      For how long have I used the solution?

      I've used it for one year.

      What do I think about the stability of the solution?

      We had issues but this was due to us receiving improper training from a third party and not necessarily due to the product.

      What do I think about the scalability of the solution?

      Servers/sensors cap at 2048 host based agent deployments, but servers and sensors are easily scalable for a medium sized business.

      How are customer service and technical support?

      10/10

      Which solution did I use previously and why did I switch?

      I haven't used anything similar.

      What's my experience with pricing, setup cost, and licensing?

      AlienVault is willing to offer flexible and competitive pricing.

      Which other solutions did I evaluate?

      We also looked at AccelOps, LogRhythm, and IBM QRadar.

      What other advice do I have?

      If you have any questions, AlienVault's support team is more than willing to help with your installation, implementation, and integration.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      ITCS user
      Network Engineer II at a healthcare company
      Vendor
      We now can find the source of where Windows account lockouts are occurring.

      What is most valuable?

      We now have the ability to see what is happening in the environment.

      How has it helped my organization?

      We now can find the source of where Windows account lockouts are occurring.

      What needs improvement?

      It needs to be easier to deploy switch monitoring.

      For how long have I used the solution?

      We've been using it for four months.

      What do I think about the stability of the solution?

      We've had no issues so far.

      What do I think about the scalability of the solution?

      We've been able to scale it for our needs without issues.

      How are customer service and technical support?

      I've not had to contact them yet.

      Which solution did I use previously and why did I switch?

      We switched because our previous solution wasn't scalable.

      How was the initial setup?

      It was pretty straightforward.

      What's my experience with pricing, setup cost, and licensing?

      It was a reasonably priced solution.

      Which other solutions did I evaluate?

      We didn't look at any other solutions.

      What other advice do I have?

      It’s pretty easy to set up, but to really take advantage of it you should have a dedicated person who will devote their time to customizing and utilizing the power this solution has.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
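      Tracking down the source of Windows account lockouts, the win this reviewer describes, comes down to collecting Security event 4740 from the domain controllers and grouping on the Caller Computer Name field. The script below is an added illustration of that, not AlienVault code or the reviewer's setup: the flat `key=value` rendering of the event is an assumption about how a forwarder might present it, and the hostnames, accounts and timestamps are constructed.

```python
"""Added example: find the host responsible for Windows account lockouts
from Security log event 4740 records. Illustrative code, not AlienVault's.
The key=value line format is an assumed forwarder rendering; all sample
events are constructed."""
import re
from collections import Counter, defaultdict

# Constructed sample: four 4740 (account locked out) events as a syslog
# forwarder might render them, plus an unrelated 4625 (logon failure) that
# the parser must ignore, since 4625 carries no caller computer name.
SAMPLE_EVENTS = [
    "2016-03-01T09:12:01 DC01 EventID=4740 TargetUserName=jsmith CallerComputerName=WS-FINANCE-07",
    "2016-03-01T09:12:44 DC01 EventID=4740 TargetUserName=jsmith CallerComputerName=WS-FINANCE-07",
    "2016-03-01T09:13:10 DC02 EventID=4625 TargetUserName=jsmith WorkstationName=WS-FINANCE-07",
    "2016-03-01T09:15:30 DC01 EventID=4740 TargetUserName=svc_backup CallerComputerName=SRV-BACKUP-02",
    "2016-03-01T09:17:05 DC02 EventID=4740 TargetUserName=jsmith CallerComputerName=WS-FINANCE-07",
]

# Only 4740 events are matched; the named groups pull out what we need.
LOCKOUT_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<dc>\S+)\s+EventID=4740\s+"
    r"TargetUserName=(?P<user>\S+)\s+CallerComputerName=(?P<src>\S+)"
)


def parse_lockouts(lines):
    """Yield (timestamp, dc, user, source_host) for each 4740 event; skip the rest."""
    for line in lines:
        m = LOCKOUT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("dc"), m.group("user"), m.group("src")


def lockout_sources(lines):
    """Map each locked-out account to a Counter of the hosts that caused it."""
    by_user = defaultdict(Counter)
    for _ts, _dc, user, src in parse_lockouts(lines):
        by_user[user][src] += 1
    return by_user


def top_source(lines, user):
    """Host responsible for the most lockouts of `user`, or None if none seen."""
    counts = lockout_sources(lines).get(user)
    if not counts:
        return None
    host, _n = counts.most_common(1)[0]
    return host


if __name__ == "__main__":
    for user, hosts in lockout_sources(SAMPLE_EVENTS).items():
        print(user, dict(hosts))
```

      Two practical notes: 4740 is logged on the domain controller that processed the lockout, so all DCs (the PDC emulator in particular) need to be forwarding, and a caller name that points at another server (an Exchange or RADIUS host, say) means the real origin is one hop further back and you need that system's own logs to finish the trace.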
      it_user467313
      IT Field Support Manager at a consumer goods company with 1,001-5,000 employees
      Vendor
      We already used a lot of the open source products in this suite. This brought them all under one roof and allowed one person do all the work.

      What is most valuable?

      The SIEM and intrusion detection.

      How has it helped my organization?

      We already used a lot of the open source products in this suite but they were too cumbersome for our IT team to handle. This brought them all under one roof and allowed one person to do what 10 could not in a few hours a day.

      What needs improvement?

      They need to be faster in developing custom plugins.

      For how long have I used the solution?

      We've been using it for six months.

      What do I think about the stability of the solution?

      We've had no issues so far and the product works great.

      What do I think about the scalability of the solution?

      We have not scaled it yet but it handles our entire environment without a problem.

      How are customer service and technical support?

      4/10 - they need to provide faster responses to emails.

      Which solution did I use previously and why did I switch?

      We previously used Splunk for SIEM.

      How was the initial setup?

      It is a complex product, but a lot less complex than the products it's built on like Snort and Splunk.

      What's my experience with pricing, setup cost, and licensing?

      Get the Virtual Appliance and build the unit yourself. The software is the valuable piece as AlienVault is not a hardware builder and the machine they sell is fine but you could build better yourself for much less.

      Which other solutions did I evaluate?

      We also looked at Solarwinds SIEM and network monitoring.

      What other advice do I have?

      Go slow and get everything into your SIEM so you can do some really neat correlations and alerts.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      it_user466524
      Senior Infrastructure Analyst at a pharma/biotech company with 1,001-5,000 employees
      Vendor
      Provides a single way to analyze traffic and threats on our network.

      What is most valuable?

      Enabling visibility of traffic on our network, merging of multiple systems reporting and analysis and clear method to highlight potential issues.

      How has it helped my organization?

      Previously we had no single way to analyze traffic and threats on our network, relying instead on multiple, independent systems. We can now correlate reported threats and anomalies to better determine what threats we face.

      What needs improvement?

      The configuration is somewhat complex and the interface a bit non-intuitive. Whilst very useful for reporting, interpretation of the results can be difficult: improved features to help with this would be welcome.

      For how long have I used the solution?

      I've been using it for six months.

      What do I think about the stability of the solution?

      We’ve had 100% uptime since installation.

      What do I think about the scalability of the solution?

      We have not had any requirements to change the scope of the installation since first deployment.

      How are customer service and technical support?

      Good. Initial help with deployment was excellent, and the facility to create a tunnel for tech support personnel to troubleshoot system is very useful.

      Which solution did I use previously and why did I switch?

      We didn't have anything like AlienVault previously.

      How was the initial setup?

      It's fairly complex. There is quite a bit of additional config required in order to get the most from the system. A base config allows for monitoring, but to get the most, you need to add plugins for various systems on your network: this config is somewhat complex and requires a good knowledge of how AV works.

      What's my experience with pricing, setup cost, and licensing?

      Unless you have a small network, you really need the unlimited endpoint license, which is the most expensive option. Best to negotiate to get this version, otherwise scalability will be an issue (unless your total number of endpoints is under approx. 100).

      Which other solutions did I evaluate?

      We also looked at Tripwire.

      What other advice do I have?

      The initial onboarding during the trial period, including assisted setup, was most useful. Ensure you get the most from this, as if you require further setup assistance, it comes under (paid-for) professional services. AV is a very useful tool, but must be configured correctly in order to get the most out of it.

      Disclosure: IT Central Station contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
      Vinod Shankar
      Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
      Consultant
      Cost effective, quick and easy SIEM solution which still needs to be improved to better compete with other solutions.

      At Infosecnirvana, we did a post on SIEM Comparison – 101 and a lot of readers were interested in evaluating AlienVault SIEM and how it stacks up against the usual suspects like ArcSight, QRadar, McAfee Nitro, Splunk etc. Well, we listened and this post is about our take on AlienVault SIEM, its strengths, weakness and many more.

      Introduction:

      AlienVault is the enterprise avatar of Open Source SIM (OSSIM). AlienVault has a number of software components which, when put together, provide what is now called a Unified Security Management tool, or USM in short. The components are:

      • Arpwatch, used for MAC address anomaly detection.
      • P0f, used for passive OS detection and OS change analysis.
      • PADS – Passive Asset Detection System, used for service anomaly detection.
      • OpenVAS, used for vulnerability assessment and for cross correlation of (Intrusion detection system (IDS) alerts vs. Vulnerability Scanner) information.
      • Snort, or Suricata used as an Intrusion detection system (IDS), and also used for cross correlation with Nessus.
      • Tcptrack, used for session data information which can grant useful information for attack correlation.
      • Ntop, for recording traffic patterns between hosts and host groups, and statistics on protocol usage.
      • Nagios, used to monitor host and service availability information based on a host asset database.
      • OSSEC, a Host-based intrusion detection system (HIDS).
      • Munin, for traffic analysis and service watchdogging.
      • NFSen/NFDump, used to collect and analyze NetFlow information.
      • FProbe, used to generate NetFlow data from captured traffic.
      • AlienVault also includes a lot of proprietary tools, the most important being a powerful correlation engine.

      The combination of all these tools has been seamlessly put together in AlienVault USM and is really a winner in the SME segment of the market. They have a nice feature set, and the entire re-organization, additional funding, infusion of new leadership etc. has made AlienVault a serious contender in the SIEM space. They are the sole contender in the Visionaries Quadrant in the 2014 Gartner Report. In short, it is like the UTM of SIEM technology. Now, is that good? Or is that bad?

      Let's see!

      What is good?

      • Flexible Deployment Architecture – This is where the open source roots really start to flex their muscles when it comes to AV USM. The three main components of the architecture are as follows:
        1. AV Sensor – AV Sensors perform asset discovery, vulnerability assessment, threat detection and behavioral monitoring, in addition to receiving raw event logs and monitoring network traffic (including flow data). The sensors also normalize the received raw events and communicate them to the AV Server for correlation and reporting.
        2. AV Server – The AV Server is the central management console that provides the USM capabilities under a single GUI. The server receives normalized data from the sensors, correlates and prioritizes the events, and generates security alerts or alarms. It also provides a variety of reporting and dashboarding capabilities.
        3. AV Logger – The AV Logger archives log files for forensic analysis and to meet compliance requirements for long-term retention and management.

      All the architecture components, including the Sensor, the Logger, the Correlation Engine etc., can be deployed tiered, isolated or consolidated in an all-in-one style. This wide variety of deployment options gives customers flexible and open architectures, and it also helps control cost according to the budget at hand. Very rarely can products boast of such flexibility.

      • A Jack of All… – The best thing about AlienVault USM is that it is a “jack of all” solution. It provides SIEM, HIDS/NIDS, FIM, NetFlow, asset management, vulnerability management etc. under one USM platform. None of the commercial SIEM vendors like ArcSight, McAfee etc. can boast of such a diverse feature set; QRadar, in my opinion, is the closest to AV USM in terms of feature diversity. While the features began life as separate open source community projects, USM does a good job of integrating them into one feature set. They are not great as individual parts, but they more than make up for it as the sum of the parts.
      • OTX – Open Threat Exchange is a wonderful community sharing platform that lets clients share IP and URL reputation information so that all AV customers can benefit. This is true community sharing, modeled on the likes of the Splunk community (for app development). It has the potential to grow into a large source of real-world intelligence, and what AlienVault intends to do with this data remains to be seen. For now, it is used by the USM correlation engine to provide better context and content for security monitoring. AlienVault Labs also uses this infrastructure to constantly update detection rules for malware vectors, vulnerability exploits etc. QRadar and ArcSight provide intelligence too, but it is commercial intelligence, not community intelligence. With community intelligence, you get more hits than misses.
      • Multi-Tenancy – While this feature may not elicit interest from many readers, those who have worked in an MSSP environment understand why it is a very important feature to have. AV USM supports multi-tenancy out of the box, and combined with the architecture flexibility this provides great MSSP models to sell and operate. The key is to understand how the multi-tenancy works: a single database stores the data of several customers, separated by data isolation logic and permission control. The isolation logic is based on Entities created in USM (assets, users and assigned components such as sensors are grouped together as a single Entity) and on permissions applied in a granular fashion to the data sets belonging to each Entity. QRadar, ArcSight and other major SIEM products provide this as well.
      • Price – One of the areas where AV USM benefits is price. It is affordable while offering a whole lot of SIEM features, and this usually turns out to be the deciding factor for the small and medium enterprise segment. QRadar, ArcSight and Splunk are some of the most expensive SIEM products on the market, and not everyone has the budget to buy them. In such cases, AV USM is a very cost-effective alternative.
      • Customization – Again, this is one point where AlienVault outshines the competition in customization capability. We have seen several customers using AV USM with heavy customization to perform threat detection, asset discovery, threat scoring, APT detection etc. This flexibility is really desired by security analysts, and AV USM is making good on this promise.
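      The sensor/server split described under Flexible Deployment Architecture above hinges on the sensor turning raw log lines into normalized events (plugin id, event sub-type, source, destination, user) before the server ever sees them. The following is an added illustration of that step and is not AlienVault code; OSSIM's own plugins are .cfg files of regex rules, each paired with a plugin_sid and field assignments, and this Python models the same idea. The plugin_id 4003 follows the OSSIM sshd plugin, but the plugin_sid numbers, the host-to-IP map, the hostnames, IPs and the sample log lines are all constructed for the example.

```python
"""Sensor-side log normalization, modelled on OSSIM's plugin mechanism.

Constructed illustration, not AlienVault code. A plugin is a plugin_id plus
an ordered list of rules; each rule pairs a regexp with a plugin_sid and
maps the captured groups onto normalized event fields. plugin_id 4003
follows the OSSIM sshd plugin; every other number, host and line is made up.
"""
import re
from datetime import datetime
from typing import Optional

# Common syslog prefix emitted by sshd: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: "
SYSLOG_PREFIX = r"^(?P<date>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "

SSHD_PLUGIN = {
    "plugin_id": 4003,
    "rules": [  # order matters: the first matching rule wins, as in an OSSIM plugin
        {"plugin_sid": 1, "name": "Failed password",
         "regexp": re.compile(SYSLOG_PREFIX + r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")},
        {"plugin_sid": 2, "name": "Accepted login",
         "regexp": re.compile(SYSLOG_PREFIX + r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")},
        {"plugin_sid": 3, "name": "Invalid user",
         "regexp": re.compile(SYSLOG_PREFIX + r"Invalid user (?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")},
    ],
}

# Stand-in for the plugin's resolv(): map the logging host to its asset IP (constructed).
HOST_IPS = {"bastion": "10.0.0.5"}


def normalize_date(syslog_date: str, year: int) -> str:
    """Syslog timestamps carry no year; the sensor supplies one."""
    return datetime.strptime(f"{year} {syslog_date}", "%Y %b %d %H:%M:%S").isoformat()


def normalize(line: str, plugin=SSHD_PLUGIN, year: int = 2024) -> Optional[dict]:
    """Turn one raw log line into a normalized event, or None if no rule matches."""
    for rule in plugin["rules"]:
        m = rule["regexp"].match(line)
        if not m:
            continue
        return {
            "plugin_id": plugin["plugin_id"],
            "plugin_sid": rule["plugin_sid"],
            "event_name": rule["name"],
            "date": normalize_date(m.group("date"), year),
            "sensor": m.group("host"),
            "src_ip": m.group("src"),
            "dst_ip": HOST_IPS.get(m.group("host")),  # resolv($host)
            "src_port": int(m.group("port")),
            "username": m.group("user"),
        }
    return None


def normalize_all(lines, plugin=SSHD_PLUGIN, year: int = 2024) -> list:
    """Normalize a batch of lines, dropping the ones no rule understands."""
    events = []
    for line in lines:
        ev = normalize(line.rstrip("\n"), plugin, year)
        if ev is not None:
            events.append(ev)
    return events


# Constructed sample log lines; the last one is noise the plugin must ignore.
SAMPLE_LINES = [
    "Mar 10 09:12:01 bastion sshd[2143]: Failed password for root from 203.0.113.7 port 51234 ssh2",
    "Mar 10 09:12:04 bastion sshd[2143]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2",
    "Mar 10 09:12:09 bastion sshd[2150]: Accepted publickey for deploy from 10.0.0.20 port 40012 ssh2",
    "Mar 10 09:12:11 bastion sshd[2151]: Invalid user oracle from 198.51.100.9 port 33022",
    "Mar 10 09:12:15 bastion CRON[2160]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for ev in normalize_all(SAMPLE_LINES):
        print(ev)
```

      The point to notice is that everything downstream (correlation, the asset-based risk score, multi-tenant entity assignment) keys off the fields this step produces, so a log source with no plugin, or a plugin whose regex silently stops matching after a vendor format change, simply disappears from the server's view; the CRON line above shows the quiet drop.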

      What is bad?

      • But King of None… – As mentioned under the good points, being a jack of all is well suited to certain organizations, but lacking mature functionality and expertise in any of those areas is a strong negative. For example, the correlation engine is nowhere close to the likes of ArcSight, QRadar or Splunk. The threat intelligence is not as good as QRadar, McAfee, RSA etc. And so on and so forth. So when it comes to expertise in critical functionality, AV USM is found lacking.
      • Database – AV USM uses MySQL for its database, so all the issues of using a structured DB for log collection, storage and management come to haunt AV USM as well. All SIEM logs are stored in the MySQL database, and this causes scalability problems, especially in high log volume environments, because backup and restore are time-, CPU- and RAM-consuming. USM could hugely benefit from moving to a non-DB log storage architecture, which would give more flexibility in data management, but whether AV will take that route is doubtful. Based on their product direction, they are looking at Percona Server to replace MySQL. While that is a good move, it is still a MySQL-compatible replacement and may not add much of the desired scale to the product.
      • Product Stability – The biggest issue we have seen with the product is its poor stability. With way too many components, myriad integrations and a ton of scripts, the product is really unstable. Every version upgrade is a nightmare, and re-installation or restart is the most common way to get the product working again. In a mission-critical environment, this is a complete no-no. One of the most common and frequently failing components is the DB: issues like DB corruption, access problems, disk errors, unresponsive queries etc. really test the patience of end users on a regular basis. This, in our opinion, is the most damning negative about AV USM.
      • Integration – While AV USM is known for being customization friendly, the set of out-of-the-box plugins for log monitoring and correlation is limited to the well-known products. It does not have the comprehensive integration capabilities with, say, legacy applications, directory services, databases etc. that other SIEM vendors boast of. Similarly, it relies mostly on its own pre-packaged tools for data enrichment and hence has poor third-party integration capabilities. If you really are a developer of open source products, the integration challenge can be overcome, but how many are willing in a real-world enterprise?
      • Correlation & Workflow – What good is a SIEM product if it cannot perform advanced correlation and operational workflow? AV USM has a strong foundation in correlation using XML-driven directives and alarm thresholds. However, when it goes head-to-head with industry leaders like ArcSight, QRadar, Splunk etc., it falls terribly short. We particularly like the Cyber Kill Chain flow, which a lot of customers are using for complete visibility, but this is not the end game in real-world enterprise operations, where the data points a directive requires are not always available. The same goes for the workflow: integration with external ticketing or issue tracking systems is very limited, which acts as a deterrent in large-scale deployments.
      • Technical Support – One of the common complaints we hear about AV support is that it is inconsistent and of poor quality. Most of the time the solution is a re-install, a restart or a bug fix, because there are way too many components to troubleshoot; support resorts to re-install or restart without thorough root cause analysis.
      • Product Vision Stagnation – This may not be much of an issue for potential users of AV USM, but it is important to note that the product has not made major leaps in the last four years. It has had more than three major releases and 20+ minor releases, but nothing path-breaking has been brought to market, and it has remained in the “promising products to watch” category for way too long. One of the main reasons, we think, is economies of scale: since they are priced lower and cater to the SME segment, less money is invested in development, and the result shows.
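      The Correlation & Workflow item above refers to XML-driven directives and alarm thresholds without showing how such a directive behaves on real event streams. The following is an added illustration of that mechanism in Python and is not AlienVault's correlation engine: it models an OSSIM-style directive as a chain of rule levels, where the first level opens a backlog for a source/destination pair and each further level needs a number of additional matching events inside a time window and raises the running reliability. The risk formula used is OSSIM's documented one, risk = asset value × priority × reliability / 25 (asset and priority 0–5, reliability 0–10, risk capped at 10), with an alarm once risk reaches 1. It goes slightly beyond the page by also showing the time-out that closes a stalled backlog and how the target's asset value changes when the alarm fires. The directive id, plugin and sid numbers, thresholds, asset value, IPs and timestamps are all constructed for the example.

```python
"""Directive-style correlation with the OSSIM risk formula.

Constructed illustration, not AlienVault's engine. Level 0 opens a backlog
for a (src_ip, dst_ip) pair; each later level needs `occurrence` more
matching events within `time_out` seconds of reaching the previous level
and adds `reliability`. risk = asset * priority * reliability / 25, capped
at 10; an alarm is raised once risk >= 1. All ids and data are made up.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Level:
    plugin_sids: frozenset      # event sub-types this level accepts
    occurrence: int             # events needed to complete this level
    reliability: int            # reliability added when the level completes
    time_out: Optional[int]     # seconds allowed to complete it (None = no limit)


@dataclass
class Directive:
    id: int
    name: str
    priority: int               # 0-5, how serious a full match is
    plugin_id: int              # only events from this plugin are considered
    levels: List[Level]


@dataclass
class Backlog:
    """Per (src_ip, dst_ip) progress through the directive's levels."""
    next_level: int
    reliability: int
    started: int                # timestamp at which the current level began
    count: int = 0


def risk_score(asset: int, priority: int, reliability: int) -> float:
    return min(10.0, asset * priority * reliability / 25)


def correlate(directive: Directive, events: List[dict], asset_values: Dict[str, int]) -> List[dict]:
    """Feed normalized events through one directive; return the alarms raised."""
    backlogs: Dict[tuple, Backlog] = {}
    alarms: List[dict] = []

    def maybe_alarm(key, bl, ev):
        risk = risk_score(asset_values.get(key[1], 0), directive.priority, bl.reliability)
        if risk >= 1:
            alarms.append({"directive": directive.id, "src_ip": key[0], "dst_ip": key[1],
                           "ts": ev["ts"], "level": bl.next_level,
                           "reliability": bl.reliability, "risk": risk})

    def open_backlog(key, ev):
        first = directive.levels[0]
        if ev["plugin_sid"] in first.plugin_sids:
            bl = Backlog(next_level=1, reliability=first.reliability, started=ev["ts"])
            backlogs[key] = bl
            maybe_alarm(key, bl, ev)

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["plugin_id"] != directive.plugin_id:
            continue
        key = (ev["src_ip"], ev["dst_ip"])
        bl = backlogs.get(key)
        if bl is None:
            open_backlog(key, ev)
            continue
        if bl.next_level >= len(directive.levels):
            continue                      # chain already fully matched
        level = directive.levels[bl.next_level]
        if level.time_out is not None and ev["ts"] - bl.started > level.time_out:
            del backlogs[key]             # window expired: this event starts afresh
            open_backlog(key, ev)
            continue
        if ev["plugin_sid"] not in level.plugin_sids:
            continue
        bl.count += 1
        if bl.count >= level.occurrence:
            bl.reliability = min(10, bl.reliability + level.reliability)
            bl.next_level += 1
            bl.count = 0
            bl.started = ev["ts"]
            maybe_alarm(key, bl, ev)
    return alarms


# Constructed directive: repeated SSH failed logins (plugin 4003, sid 1) from one source to one target.
SSH_BRUTE = Directive(
    id=500000, name="Brute force: repeated SSH authentication failures against DST_IP",
    priority=4, plugin_id=4003,
    levels=[
        Level(frozenset({1}), occurrence=1, reliability=3, time_out=None),  # first failure
        Level(frozenset({1}), occurrence=4, reliability=2, time_out=60),    # 4 more within 60 s
        Level(frozenset({1}), occurrence=6, reliability=4, time_out=120),   # 6 more within 120 s
    ],
)


def sample_events() -> List[dict]:
    """Constructed events with relative timestamps in seconds."""
    def fail(ts, src, dst="10.0.0.5"):
        return {"ts": ts, "plugin_id": 4003, "plugin_sid": 1, "src_ip": src, "dst_ip": dst}
    burst = [fail(t, "203.0.113.7") for t in range(0, 60, 5)]     # 12 failures in 55 s
    stray = [fail(3, "198.51.100.9"), fail(300, "198.51.100.9")]  # two isolated failures
    return burst + stray


ASSET_VALUES = {"10.0.0.5": 2}   # constructed asset value (0-5) of the target host

if __name__ == "__main__":
    for alarm in correlate(SSH_BRUTE, sample_events(), ASSET_VALUES):
        print(alarm)
```

      With the target valued at 2, the first failure scores 2 × 4 × 3 / 25 = 0.96 and stays silent; the alarm fires when the second level completes (reliability 5, risk 1.6) and is re-raised at the third (reliability 9, risk 2.88), while the stray source never gets past level one and its stalled backlog is discarded at the 60-second time-out. Raising the same host's asset value to 3 makes the very first failure alarm (risk 1.44), which is why asset valuation, not just the directive, decides how noisy a deployment is. It also makes the reviewer's complaint concrete: a directive whose later levels need an event type the sensors never collect can never advance past the level where that data is missing.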

      Conclusion:

      In short, we would like to conclude by saying that AV USM is definitely a great addition for organizations that want a cost-effective, quick and easy SIEM solution. However, it still has a long way to go to compete with the big guns out there, for it lacks both firepower and range. So what do you think about AlienVault? Feel free to post your comments below.

      My review is based on my own experience and opinion after I tested a trial version of the product for a 30-day period.

      Disclosure: I am a real user, and this review is based on my own experience and opinions.