To get more of a practitioner’s view of AlienVault, I recently reached out to Karl Hart, IT Security Analyst and AlienVault user. Karl works at a privately-held financial institution in Ohio, and he is involved in every aspect of IT security. This includes incident response, vulnerability assessment, policies, procedures, and penetration testing. Since his company is privately held, there is less mandatory focus on compliance audits – instead, Karl is able to make real security results the focus of his attention.
Karl started using OSSIM a long time ago – when it was version 2. He was pleasantly surprised when his current company purchased AlienVault Unified Security Management (USM), which matched his skill set and OSSIM experience quite well. Karl was originally “the only security guy” at the company, but now he is part of a team of three. All team members use USM on an ongoing basis. Karl keeps the USM console up all day but relies on emails and SMS to alert him of situations USM finds that he needs to quickly address.
Karl and the team use the integrated Open Threat Exchange (OTX) crowd-sourced threat intelligence capability within USM “to quickly classify and process threats faster.” He sees great value in OTX and uses it on a daily basis, finding it particularly handy for spotting the occasional user whose machine has become infected with a bot that is trying to reach a command and control server, which he can then quickly stop.
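The workflow Karl describes, matching outbound connections against crowd-sourced indicators and then deciding which hits to escalate, comes down to an indicator lookup over connection logs. The following is an added illustration, not code from AlienVault, USM, OTX or Karl's team: the "pulse" structure, the firewall log format and all addresses and domains are constructed (reserved documentation ranges and the `.invalid` TLD), and the field names are assumptions rather than OTX's real schema.

```python
import re
from dataclasses import dataclass

# Constructed, hypothetical indicator set standing in for a threat-intel
# pulse. Values deliberately use RFC 5737 test addresses and a .invalid name.
PULSE = {
    "name": "Hypothetical botnet C2 pulse (constructed)",
    "indicators": [
        {"type": "IPv4", "value": "203.0.113.45"},
        {"type": "domain", "value": "beacon.example-c2.invalid"},
        {"type": "IPv4", "value": "198.51.100.7"},
    ],
}

# Constructed outbound firewall log lines in an assumed key=value format.
SAMPLE_LOGS = """\
2015-06-01T10:00:01 fw01 ALLOW src=10.1.4.22 dst=93.184.216.34 dport=443 host=www.example.com
2015-06-01T10:00:07 fw01 ALLOW src=10.1.4.22 dst=203.0.113.45 dport=8080 host=-
2015-06-01T10:00:09 fw01 ALLOW src=10.1.7.9 dst=198.51.100.200 dport=443 host=cdn.example.net
2015-06-01T10:00:13 fw01 ALLOW src=10.1.9.3 dst=192.0.2.10 dport=443 host=beacon.example-c2.invalid
2015-06-01T10:05:07 fw01 ALLOW src=10.1.4.22 dst=203.0.113.45 dport=8080 host=-
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str          # internal host that made the connection
    indicator: str    # the matched IOC value
    ind_type: str     # IPv4 or domain


def build_index(pulse):
    """Index indicators by lower-cased value so each log field is one dict lookup."""
    return {i["value"].lower(): i["type"] for i in pulse["indicators"]}


def match_logs(log_text, index):
    """Return a Hit for every parsed log line whose dst IP or hostname is an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at fields
        for field in ("dst", "host"):
            val = m.group(field).lower()
            if val in index:
                hits.append(Hit(m.group("ts"), m.group("src"), val, index[val]))
    return hits


def summarize(hits):
    """Count hits per internal source host. A host that contacts the same
    indicator repeatedly is the beaconing pattern to escalate first."""
    by_src = {}
    for h in hits:
        by_src[h.src] = by_src.get(h.src, 0) + 1
    return by_src


if __name__ == "__main__":
    index = build_index(PULSE)
    hits = match_logs(SAMPLE_LOGS, index)
    for h in hits:
        print(f"{h.ts} {h.src} -> {h.indicator} ({h.ind_type})")
    print("per-host hit counts:", summarize(hits))
```

Only exact matches on the destination IP or hostname are checked; a production version would also normalise hostnames (trailing dots, wildcard indicators) and de-duplicate hits over a time window before alerting, so that a single beaconing host produces one ticket rather than one per connection.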
Karl figures he spends 40% of his time on incident response, 10-15% on vulnerability assessment, and the rest on policy and process determination and penetration testing.
I asked Karl how he felt about using USM after having been an OSSIM user. He felt that while OSSIM is a good fit for a small environment, it isn’t good for a larger environment with a greater volume of log files to process. He tells people the big difference with USM is performance and suggests that anyone interested should do a 30-day trial of the commercial version to really understand the product.
Karl mainly uses USM for SIEM, but he also uses the built-in Host Intrusion Detection System (HIDS), which is OSSEC in USM, on his servers. He's used the vulnerability assessment capabilities of USM regularly and plans to do so in the future. He stressed that when he speaks to colleagues about vulnerability assessment in USM, he points out that it can be configured to do very in-depth assessment with a little tweaking.
They have a Sourcefire IPS appliance in place, which they use for IDS/IPS rather than the built-in Snort or Suricata IDS capabilities available in USM. The IPS was already deployed, works fine, and integrates easily, so there is no reason to force a switch to the USM IDS capabilities; the events generated by the Sourcefire IPS feed straight into the USM SIEM.
Karl has used other SIEM products, including ArcSight and LogRhythm, and he finds the functionality to be pretty similar. The big difference, according to Karl, is the “openness of USM – you can tweak it to be the way you want it. You can write your own plugins, rather than waiting for another company to do them. You can use your own scripts for productivity and automation.”
There are some interesting SIEM use cases, such as SQL injection, malware identification, privileged user monitoring, validation of IDS/IPS alerts and more.
It is always great to hear from security practitioners. While practitioners may use different capabilities within the product, the consistent theme we hear about the product tends to center around openness, flexibility, and usability. Are you a security practitioner who wants to share your AlienVault stories? If so, please let me know – I’d love to have a conversation with you and maybe write a blog about you!