AlienVault Unified Security Management v4.1
Strengths: Flexibility, quality and ease of use
Weaknesses: Appliance setup can be a little challenging and the documentation could be better
Verdict: Very good product
AlienVault Unified Security Management (AV-USM) combines open source technologies for asset discovery/inventory, vulnerability assessment, threat detection, behavioural monitoring and security intelligence/event correlation.
This 'all-in-one' appliance includes sensor log collection and event detection from various host, network and wireless intrusion detection systems (IDS), NetFlow information, Microsoft Windows events, and more. Another component, the AlienVault Logger, provides forensic storage, while the USM Server/SIEM engine provides aggregation, correlation and real-time alerts for incident response, along with dashboards and reporting.
For more distributed and complex environments, the appliance can be remotely upgraded via licence code to support up to five remote sensors. Any one of these components can be configured on dedicated hardware appliances for scalability and deployment flexibility. In addition to the built-in asset discovery, vulnerability assessment, behavioural monitoring and threat detection, AlienVault offers an open API to integrate additional data sources and vendor devices.
During our initial attempt to access the AlienVault hardware appliance the hardware failed. The support staff worked to identify the situation and then AlienVault shipped a replacement in less than 18 hours. It provided a copy of its standard contract, a document that detailed the appliance configuration, and a CD-ROM that included a quick-start guide and a copy of the end-user licence agreement.
AV-USM is based on a number of well-respected open source products. These include, but are not limited to, Snort, Nessus, Nmap, Nagios, OTX (Open Threat Exchange) and OSSIM (Open Source Security Information Management).
This solution contains approximately 15,000 signatures for identifying risk. The case management workflow is relatively simple: an incident is identified, a ticket is opened and the ticket is sent to an investigator or an analyst. The list of supported systems is impressive. AlienVault was the first product in our testing to auto-generate an incident ticket during initial start-up. The dashboard layout places the incident tickets in the same dropdown as the alerts and the knowledgebase, which made researching an issue very fast; the rest of the dropdown functions follow the same pattern. The cross-correlation function allows many sources to be selected, making correlation much more flexible and opening the system up to more than just the log events contained within a finite set of resources.
The reporting function provides an interesting feature. When a report is generated, the user is presented with a number of options for the format of the document; no cryptic formatting language is required. Dropdowns and radio-button selections allow a clear report to be created in a few seconds. The situational awareness function provides graphic representations of the assets, including views of system up/down status.
Fee-based support offerings are available and include eight-hours-a-day, five-days-a-week phone and email support as well as 24/7/365 assistance. AlienVault provides other help resources as well, including a knowledgebase containing video tutorials, product documentation, an online forum and FAQ documents.
We found AV-USM to be good value for the price versus performance, functionality and presentation.