AlienVault USM Appliance Overview
AlienVault has moved up from a Niche Player to a Visionary in Gartner’s SIEM Magic Quadrant. AlienVault offers a low-cost entry with more capabilities than most competitors. But Gartner notes that its enterprise-oriented features lag behind its rivals in areas such as role-based workflow, ticketing integrations, support for multiple threat intelligence feeds, and advanced analytics capabilities. As such, it is probably best for small and mid-sized organizations.
AlienVault, an AT&T company, develops commercial and open source cybersecurity tools. Its Open Threat Exchange (OTX) is a crowd-sourced computer-security platform with more than 80,000 participants in 140 countries.
AlienVault Unified Security Management (USM) provides SIEM, vulnerability assessment, asset discovery, network and host intrusion detection, endpoint detection and response (EDR), flow and packet capture, and file integrity monitoring (FIM), as well as centralized configuration and management. An AWS-native version is also available. Open-source components are part of USM buyers. It recently expanded USM Anywhere to include EDR capabilities.
SIEM Features Rated
Threats blocked: Very good. USM Anywhere detects a broad range of threats, such as:
- Data breaches
- Advanced malware
- Advanced persistent threats (APT)
- Remote access trojans (RAT)
- Insider threats
- Phishing attacks
- DDoS and other threats
USM Anywhere also detects indicators of a threat/attack, such as:
- Unusual privilege escalation within an AWS or Azure account
- Suspicious user downloads from Office 365 or G Suite
- Bitcoin miners running on endpoints
- Changes to critical server files or registry
- Stolen user credentials trafficked on the dark web
- Signs of lateral movement within a network
- Communications with a ransomware C&C server
One customer, the IT director of a healthcare company, said that “Threat detection has gone down to minutes. There’s this constant real-time information from Amazon. AlienVault pulls that information and parses it. If it hits one of our triggers, or one of theirs, we get an alert within minutes.”
Sources Ingested: Very good. AlienVault Labs Security Research Team leverages the Open Threat Exchange (OTX) threat intelligence community of security researchers and IT professionals who collaborate and share millions of threat artifacts as they emerge.
Performance: Very good. AlienVault USM can deal with EPS rates of up to 15,000 depending on the product. Throughput rates top out at 5,000 Mbps.
Value: Best in class. Forrester interviews with two direct customers and found benefits of $1,337,048 over three years versus costs of $192,729, adding up to a net present value (NPV) of $1,144,319 and a 6x return on investment (ROI).
Implementation: Very good. The cloud version can be deployed in less than an hour. The on-premises version takes a little longer but is still relatively fast to implement.
Management: Good. Since USM Anywhere delivers multiple security capabilities in a single SaaS solution that are automated and orchestrated, users can manage threat detection, incident response, and compliance from a single pane of glass. For complex environments,?there is a network of more than 500 certified Managed Security Service Provider (MSSP) partners that deliver managed security and compliance services using AlienVault USM.
Support: Good. Some complaints about support, but no more than other vendors.
Scalability: Very good. A USM appliance can be deployed as a single appliance or distributed across multiple servers (either virtual or hardware) to provide additional scalability and availability.
PCI DSS, HIPAA, SOx and Common Criteria.
AlienVault USM is available as both a virtual and hardware appliance, as well as in the cloud. The sensor, logger and server components of USM can be deployed combined in one system (all-in-one architecture), or as separate servers in horizontal and vertical tiers to scale to diverse customer environments.
A lightweight agent runs on each monitored host, tracking any changes made to critical system files, configuration files, log files, registry settings, and even important content files. The agent collects this information and sends it to USM for evaluation and correlation with other environmental data and threat intelligence.
The pricing model for the USM Appliance is based on the number of appliances required, available as a perpetual license or monthly subscription. USM Anywhere is sold as a monthly subscription, priced by the volume of data consumed. Example: In one case, costs amounted to annual subscription costs of $65,000 to $80,000. AlienVault license and support costs are based on monthly consumption (GB) and the number of sensors deployed across an organization’s environment, plus $7,000 in implementation and training costs. The initial effort involved in the integration and setup of AlienVault USM Anywhere is five hours and could be done in less than a day. Additionally, security staff receive two two-day training sessions.
For more analysis of AlienVault, see AlienVault vs Splunk: Top SIEM Solutions Compared.