One year later: AlienVault USM Appliance
One year later: AlienVault USM Appliance

The AlienVault appliance is not, strictly speaking, a SIEM although in the Labs we often use it similarly to the way we use our SIEM. More correctly, the tool is a USM – unified security manager. The main difference, generally, is that a SIEM requires log input from other sources, such as Windows event logs, to give results. A USM, or UTM, gathers its own data by sniffing the network. However, in the case of the AlienVault tool, there are SIEM-like characteristics in that the tool can take data from multiple sources. In fact, one of its strengths is its ability to discover the network.

In addition to network sources, the USM can consume threat intelligence data, most notably from the AlienVault Open Threat Exchange (OTX).  This is huge collection (nearly 2 million indicators following 100 adversaries with contributions from at least 40 thousand users) and the USM not only consumes OTX data, it feeds it so you have the advantage of events from AlienVault USMs from all over the world.

In the Labs, we have our AlienVault set up to monitor our perimeter so, as one might expect, we have a huge amount of traffic. On our perimeter we host a honeypot, a Tor exit node and a sinkhole. That means that there is a lot of traffic, most of it malicious, for our SIEM and our USM to examine. For example, looking at our overall database we find that we have collected over a million events. Looking at events that are dated prior to a specified date, we find several high-risk events. The top one of these is a phishing attempt. The USM gives us the source and target. A little digging and we find the details, at the packet level, of the event. Which was a phishing attempt against one of our servers in our honeynet.

When we log into the USM we enter via the executive dashboard which gives us an overview of the top five alarms, the top ten event categories from the SIEM, the top OTX activity in our environment, the top ten hosts with multiple events and nice RADAR display of events by sensor or data source. This last display tells us what types of attacks and probes are present.

We can drill down to get details.  For example, we drilled down to see details on the 37 malware events that the USM was reporting. The drilldown gives us packet-level details of the attack and we can download a pcap of the event. The analysis tab takes us to a variety of analytical functions including access to raw logs. Looking at the trends graph for the past year we see that June was our busies month. Then we can break June down by day and then by hour.  Within the hour we see details about activities that occurred during that time slice. This can help correlate activity that shows up elsewhere but without equal detail.  It also can help tracking the timeline of an event.

In addition to tracking threat, the USM can track vulnerabilities. Taken together, threats and vulnerabilities give risk. Additional drilling down lets the analyst craft a set of queries that can help chase down a potential intruder and, in fact, see if an intruder still is active in your enterprise.

While we use the tool here for research – meaning that we are not interested in alerts when an event starts.  We let it run to completion and then analyze it. Devices can be monitored with or without agents.

Over the past year we have had numerous occasions to use the AlienVault USM alongside our SIEM workhorse and we always have found that it has its own niche, and a useful niche at that. Just as with forensic tools – of which, arguably, this is one – it is not a good idea to depend upon a single tool.  Having the AlienVault USM which overlaps but does not completely duplicate our other tools broadens our research scope. It gives us another – and, sometimes, better – view of the environment, especially when the environment is under attack. The tool is easy to use and setup and we especially like having direct access to the OTX.  That allows us to benefit from the massive number of IoCs in the OTX collection.

The price on this device is very reasonable, in fact, it is affordable and very useful for any size organization, but particularly for mid-sized companies. Support is excellent and the web site is complete with a lot more than marketing information on it.

For its solid usefulness in the Labs we make the USM Lab Approved for another year.


Product:   AlienVault USM Appliance

Company:  AlienVault

Price:          Starting at $5,595

What it does: Unified Security Manager – mix of UTM and SIEM in a single easy-to-use appliance

What we liked: We have found this tool to be invaluable over the past year for its ability to help us characterize the types of attacks against our honeynet.

The bottom line:  Even if you currently have a SIEM, the USM will add a lot of value to your security/analytics stack and the price is so reasonable that it pays dividends to add it.