The MSSP Guide to AlienVault SOAR

AlienVault SOAR is an automated cybersecurity response product: a fully SaaS-driven Security Orchestration, Automation and Response (SOAR) solution. It offers a single event dashboard, the ability to see threats and act on them, event management, and extensive monitoring. While there are many SOAR solutions to choose from, we confidently recommend AlienVault and implement it for clients every day. Although AlienVault was recently acquired by AT&T, we haven’t noticed any change in product quality or customer experience. Here’s a quick guide.

What is AlienVault SOAR?

AlienVault is a Security Orchestration, Automation and Response product: it automates your company’s response to an intrusion threat, which makes it possible to respond to the attacker or threat faster and more effectively.

When efficiently implemented, AlienVault lets you orchestrate your entire security architecture from a single view. During an attack, it automatically prioritizes threats across on-premises data centers, cloud data centers, and SaaS applications.

What types of companies choose AlienVault?

We recommend AlienVault for companies with small IT teams, roughly 3-10 IT employees.

What is AlienVault pricing?

AlienVault pricing is simple, with three monthly plans: $1075/month, $1695/month, and $2595/month. Most of our clients opt for the $1695 per month plan. Why? Most of them also run legacy security tools, and at this middle price point AlienVault offers integrations with Cisco Umbrella, Carbon Black, Palo Alto Networks, and other security and networking products.

What types of devices can AlienVault monitor?

AlienVault monitors a wide array of devices, accounts, and apps. Per AlienVault:

“AlienVault HIDS allows you to run integrity checking without agents installed on hosts, network devices, routers, firewalls, or switches. Agentless monitoring detects checksum changes in files or runs diffs to show what exactly has changed.”
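
To make the checksum-and-diff monitoring described in the quote concrete, here is an added Python example written for this guide; it is not AlienVault’s HIDS implementation. It snapshots SHA-256 digests for every regular file under a directory, compares a later snapshot with the baseline to classify files as added, removed or modified, and produces a unified diff showing exactly what changed in a modified text file. The fake /etc tree and the tampering scenario in `run_demo()` are constructed for the demonstration.

```python
import difflib
import hashlib
import os
import tempfile


def hash_file(path, algorithm="sha256"):
    """Stream a file through a hash so large files never have to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Return {relative path: digest} for every regular file under root (symlinks skipped)."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full)
    return baseline


def compare_baselines(old, new):
    """Classify paths as added, removed or modified between two snapshots."""
    common = old.keys() & new.keys()
    return {
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "modified": sorted(p for p in common if old[p] != new[p]),
    }


def unified_text_diff(old_text, new_text, name):
    """Line-level diff of a text file: the 'what exactly changed' view for a modified config."""
    return "".join(difflib.unified_diff(
        old_text.splitlines(keepends=True), new_text.splitlines(keepends=True),
        fromfile=f"{name} (baseline)", tofile=f"{name} (current)"))


def run_demo():
    """Constructed scenario: snapshot a fake /etc tree, tamper with it, report the changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(text)

        old_sshd = "PermitRootLogin no\nPasswordAuthentication no\n"
        write("etc/ssh/sshd_config", old_sshd)
        write("etc/hosts", "127.0.0.1 localhost\n")
        baseline = build_baseline(root)

        # Simulated drift: a weakened sshd setting, an unexpected cron job, a deleted file.
        new_sshd = "PermitRootLogin yes\nPasswordAuthentication no\n"
        write("etc/ssh/sshd_config", new_sshd)
        write("etc/cron.d/unexpected-job", "* * * * * root /usr/local/bin/job\n")
        os.remove(os.path.join(root, "etc/hosts"))
        current = build_baseline(root)

        changes = compare_baselines(baseline, current)
        diff = unified_text_diff(old_sshd, new_sshd, "etc/ssh/sshd_config")
        return changes, diff


if __name__ == "__main__":
    changes, diff = run_demo()
    for kind, paths in changes.items():
        print(f"{kind}: {paths}")
    print(diff)
```

In a real deployment the baseline would be stored off-host (or signed) so that whoever tampers with the files cannot also rewrite the snapshot, and the digests would be re-collected on a schedule over SSH or a similar agentless channel.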

What is AlienVault SIEM Architecture?

AlienVault is built on the Linux-based OSSIM platform. Per Wikipedia:

“OSSIM (Open Source Security Information Management) is an open source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.”

AlienVault OSSIM vs USM

Both AlienVault OSSIM and USM offer the SOAR basics, including event collection, normalization, and correlation. For more advanced functionality, USM Anywhere adds monitoring of data center environments, log management, pre-configured correlation rules, and various pre-built templates. Per AlienVault:

“For organizations that are looking for a more complete solution to security monitoring, AlienVault Unified Security Management (USM) delivers additional functionality that provides everything needed for effective threat detection, incident response, and compliance management — all in a single pane of glass.”

What are some AlienVault requirements?

The minimum system requirements are 2 CPU cores, 4-8GB RAM, a 250GB HDD, and E1000-compatible network cards, though 8 CPU cores, 16-24GB RAM, and larger HDDs are recommended. In addition, AlienVault OSSIM “does not support paravirtualization, and requires full virtualization from network and storage.” For more complete documentation, see the AlienVault OSSIM Installation Process.

AlienVault also has appliance hardware requirements for sufficient performance. For more complete documentation, see the USM Appliance Deployment Requirements.

What is AlienVault Graylog (GELF)?

Per AlienVault:

“The Graylog Extended Log Format (GELF) is a log format designed to overcome many of the limitations of standard syslog. It is a great solution for applications because it provides more robust logging support — larger payloads, compression, and chunking — and developers can leverage libraries and appenders for many programming languages and logging frameworks.

All of the USM Anywhere Sensors use the Graylog (GELF) app, which passively listens to the Graylog UDP port 12201 and collects the GELF log data for processing.”
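
To show what the GELF payload a sensor receives actually looks like, here is an added Python example written for this guide; it is not AlienVault or Graylog code. It builds a GELF 1.1 message (the required `version`, `host` and `short_message` fields plus `_`-prefixed custom fields), gzip-compresses it, splits it into GELF UDP chunks when the compressed payload no longer fits a single datagram, and reassembles chunks the way a collector does before parsing the JSON. Only UDP port 12201 comes from the page; the 1420-byte datagram size, the host name, the field values and the 127.0.0.1 stand-in for a sensor are assumptions.

```python
import gzip
import json
import os
import socket
import struct
import time

GELF_UDP_PORT = 12201        # the port the USM Anywhere Graylog app listens on (from the page)
CHUNK_MAGIC = b"\x1e\x0f"    # GELF chunked-message magic bytes
CHUNK_HEADER_LEN = 12        # magic (2) + message id (8) + sequence number (1) + sequence count (1)
DATAGRAM_SIZE = 1420         # assumed safe UDP payload size; GELF caps a single chunk at 8192 bytes
MAX_CHUNKS = 128             # GELF allows at most 128 chunks per message


def build_gelf(host, short_message, full_message=None, level=6, **extra):
    """Serialize a GELF 1.1 message. Caller-supplied fields get the mandatory '_' prefix."""
    if "id" in extra:
        raise ValueError("'_id' is reserved by GELF and must not be sent")
    msg = {
        "version": "1.1",
        "host": host,
        "short_message": short_message,
        "timestamp": round(time.time(), 3),  # seconds since epoch, millisecond precision
        "level": level,                      # syslog severity, 6 = informational
    }
    if full_message is not None:
        msg["full_message"] = full_message
    msg.update({"_" + k: v for k, v in extra.items()})
    return json.dumps(msg).encode("utf-8")


def chunk_gelf(payload, datagram_size=DATAGRAM_SIZE):
    """Gzip the JSON and, if it no longer fits one datagram, split it into GELF chunks."""
    data = gzip.compress(payload)
    if len(data) <= datagram_size:
        return [data]
    piece_len = datagram_size - CHUNK_HEADER_LEN
    pieces = [data[i:i + piece_len] for i in range(0, len(data), piece_len)]
    if len(pieces) > MAX_CHUNKS:
        raise ValueError(f"message would need {len(pieces)} chunks; GELF allows {MAX_CHUNKS}")
    message_id = os.urandom(8)  # ties the chunks of one message together on the collector
    return [CHUNK_MAGIC + message_id + struct.pack("BB", seq, len(pieces)) + piece
            for seq, piece in enumerate(pieces)]


def reassemble_gelf(datagrams):
    """What a collector does with the datagrams above: rejoin chunks, decompress, parse."""
    if not datagrams[0].startswith(CHUNK_MAGIC):
        return json.loads(gzip.decompress(datagrams[0]))
    parts, message_id, total = {}, datagrams[0][2:10], None
    for d in datagrams:
        if d[:2] != CHUNK_MAGIC or d[2:10] != message_id:
            raise ValueError("datagram does not belong to this message")
        seq, total = struct.unpack("BB", d[10:CHUNK_HEADER_LEN])
        parts[seq] = d[CHUNK_HEADER_LEN:]
    if len(parts) != total:
        raise ValueError(f"got {len(parts)} of {total} chunks")
    return json.loads(gzip.decompress(b"".join(parts[i] for i in range(total))))


def send_gelf_udp(datagrams, sensor_host, port=GELF_UDP_PORT):
    """Send the datagrams to a sensor. UDP is best-effort: no acknowledgement, no retry."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for d in datagrams:
            sock.sendto(d, (sensor_host, port))


if __name__ == "__main__":
    # Constructed event; 127.0.0.1 stands in for the address of a USM Anywhere sensor.
    event = build_gelf("web01", "sshd: failed password for invalid user",
                       level=4, source_ip="198.51.100.7", user="admin")
    send_gelf_udp(chunk_gelf(event), "127.0.0.1")
```

Because the transport is plain UDP, a lost chunk silently discards the whole message and nothing authenticates the sender, so the sensor’s port 12201 should only be reachable from the hosts that are supposed to ship logs to it, and a dropped-message count on the sender side is worth alerting on.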

Splunk and AlienVault

AlienVault and Splunk are both SIEM solutions. AlienVault is the more traditional SIEM, letting users build a low-cost Security Operations Center that is compliance-friendly and easy to manage.

Splunk is a non-traditional solution that enables forward-thinking data correlations; for example, an advanced IT team can set up its own correlations to monitor and respond to threats.

We generally recommend AlienVault to clients, but understand the appeal of Splunk for companies that are security and data “gearheads”.

Do I need an AlienVault SOAR consultant near me?

The most important factor is experience and an effective workflow, whether in-person, on-site, virtual, or off-site. That said, we think working with a SOAR consultant near you is an advantage: it allows your SOAR consultant to communicate better with existing IT teams and to understand your current information architecture. A non-local SOAR consultant becomes a good option if they follow security best practices and have an established virtual workflow. Why? Location matters less when consultant and client, whether a small business or a global enterprise, have effectively adopted virtual workforce tools. Plus, on-site specialists can become costly. Bottom line: look for a SOAR consultant who offers an excellent communication process, a clear workflow, and a custom security solution for your business.

Have questions about finding an AlienVault consultant?
Email [email protected] or call (925) 918-6618


About Sennovate

Sennovate delivers custom identity and access management solutions to businesses around the world. With global partners and a library of 1000+ integrations, we implement world-class cybersecurity solutions that save your company time and money. We offer a seamless experience with integration across all cloud applications, and a single price for product, implementation, and support. Have questions? The consultation is always free. Email [email protected] or call us at: (925) 918-6618