AlienVault Unified Security Management v4.4
Strengths: Flexible deployment model, dashboard is easy to read and modify, OTX network is a pleasing approach to collaborative security.
Weaknesses: Numerous documentation gaps, and documentation in general can be difficult to find or follow.
Verdict: While a subscription to the standard support option is virtually required, the product itself is quite solid.
Targeted toward organizations with smaller security budgets, AlienVault's Unified Security Management product is an excellent introductory SIEM appliance. It packs numerous features into a flexible deployment model, and grants smaller organizations the same sophisticated view into their computing environments that some of the larger SIEM players give.
As the product came to us as a rackable hardware appliance, setup was quite easy. After making the appropriate physical connections, we powered up the device and configured our basic network settings using a simple ASCII menu. We then browsed to the management web interface, where we registered the device and set up an admin user.
Running on a Debian Linux core, the solution has a number of deployment options. It is available as a hardware appliance, VMware virtual machine, or it can be deployed within the Amazon EC2 cloud. Each deployment mode is fully compatible with the others. Further, it is composed of three core components. The Sensor component is the workhorse. It performs all log collection and event detection and includes host-, network- and wireless-based intrusion detection systems, netflow data capture, Windows event collection, syslog data capture, and others. The file integrity monitor service is hosted here as well. It works as one would expect. It also performs log normalization and SIEM event correlation functions.
The Logger component provides archival services, storing log data in a forensically sound manner to facilitate investigations and compliance requirements. Finally, the Server component performs event aggregation and correlation from data provided by all sensors, provides real-time alerts to kick off incident response procedures, and hosts the management interface and reporting dashboard. We found the dashboard, in particular, to be well built. It is easy to reorganize and modify with simple drag-and drop UI functionality.
The all-in-one appliance we were provided combines all three components onto a single piece of hardware. However, each component can be deployed individually.
AlienVault's documentation was a little spotty. While the material provided was good, it was divided into multiple documents and videos each explaining a specific feature or configuration step. We couldn't find anywhere, for example, a start-to-finish deployment guide for the hardware appliance. We found ourselves swapping between the company's user support forums and its documentation portal, reading forum posts, online PDFs and watching videos in order to complete the deployment.
AlienVault has two support tiers. Its no-cost support is available via use of community web forums. The standard support package, available for a fee, provides eight-hours-a-day/five-days-a-week phone and email assistance, as well as access to the company's web portal.
AlienVault Unified Security Management has a base price of $17,700 for the hardware appliance. The standard support option is priced at $3,540.