AlienVault Unified Security Management (USM) for AWS Control Node
AlienVault | 2.0Linux/Unix, Ubuntu 14.04 LTS - 64-bit Amazon Machine Image (AMI)
Good product
Install was pain free using cloudformation - was up and running inside the promised 15 minutes. Cloudformation logs were captured immediatly and actionable security intelligence was available from the start and it was able to parse all of our AWS assets automatically, a critical point as we are a highly elastic environment. Very pleased with the product - it makes the otherwise incomprehensible AWS log data simple and makes smart choices on alerts. I am eagerly looking forward to seeing how the product develops over time.
- Leave a Comment |
- Mark review as helpful
Path of Least Resistance
Getting manageable security infrastructure up and running in the cloud can be painful. There are a lot of intricacies, details, and work-arounds that drastically slow down a secure deployment. Security infrastructure that seems fairly basic in a physical data center, can get tricky within AWS. Fortunately, AlienVault takes care of a lot of the pain and heavy lifting. I was admittedly skeptical of how easy it would be to get AlienVault up and going, but I quickly got AlienVault up and going in a little more than 5 minutes. Afterwards, I was able to dive right in and immediately have log aggregation *and* start scans within my VPC. Is AlienVault perfect and will solve all of your security problems, no? But there are no perfect security tools. All of them require some bit of tuning and administration. AlienVault, however, greatly reduced my time to get up and running and I'd definitely recommend those running in AWS to also take it for a spin.
Zero to working in 15 minutes
Within 15 minutes I was seeing useful information about my environment.
Installation
Because CloudFormation is used all I did was answer a couple of question and hit create. One thing you should do is enable CloudTrail logging before you begin. The instructions mention the ip address would be in the output tab but it wasn't. It was easy to find however looking at the list of EC2 systems running. There is a slight delay for the system to come up so if you don't see the login screen just wait another minute or two.
Configuration
There really isn't none. All the heavy lifting is done through AWS APIs. Getting application logs into the system means getting them into S3 or CloudWatch.
Vulnerability Scanning
Once your list of assets is discovered you can easily do per host scanning. One thing is the credentials for scanning are not stored so you have to add them each time and right now you can't schedule scans. Talking with AlienVault revealed both of these features is coming in the next update.
Reporting
Right now there isn't a reporting feature. You can just print to PDF the different screens but it would be nice to have some standard canned reports available. Again talking to AlienVault revealed they are working on this for the future.
All in all I was really impressed how easy it was to setup and how quickly I was seeing real and *actionable information. A really solid piece of software for being a new product.
I am excited for the future of the product and am loving the visibility I now have.
*The vulnerability scanning detected a dpkg cve and that my Bamboo cloud build system had RDP open to the world.
Brilliantly simple and intuitive to install!
USM for AWS was easy to install - I just used the provided CloudFormation template. Then immediately after I signed in I was already seeing alerts and events related to CloudTrail - didn’t have to configure anything. Great product! Easy to install and provides much needed insight into my environment.
A must have for securing AWS Deployments.
One of the most difficult tasks with securing a deployment in AWS is full visibility of the environment. Most SIEM products I have tried to use previous to the AlienVault AWS USM were not AWS aware, e.g. handle CloudTrail logging etc. Having a centralized SIEM that can handle AWS console security while providing standard AlienVault USM SIEM functionality is a huge plus.
Installation:
Contrary to the other reviewer's comments, the installation of the AlienVault AWS USM went smooth, especially when you reach out to AlienVault support if you run into any issues. Since the AWS USM uses CloudFormation for deployment, when asked AlienVault quickly made changes to the template we used to deploy our instance so it would work with our existing VPC environment. Once this was done, launching and getting the AWS USM up and running was a piece of cake and took little effort on our part.
Post Installation:
Because we had turned on CloudTrail prior to deploying the AWS USM we had a lot of existing log data. It took some time for the AWS USM to ingest all of the logs however considering it was a large amount of data, it was expected.
Once the logs were parsed by the AWS I was presented with a slew of useful and very actionable information about our AWS environment. So much so I wished that the AWS USM had been available sooner.
AlientVault's USM SIEM was great, this new AWS USM is even better.
Abandoned
Was using this because updating of related product broke,
On installation no web interface was enabled, and documentation such as it was, was out of date.
Eventually abandoned the install.