AlienVault Unified SIEM Bundles Security Tools For MSPs And Enterprises

AlienVault Unified SIEM 3.0 is an integrated package of tools presented as an attractive way for managed service providers to extend their security capabilities, including a full enterprise security information and event management offering. The latest version of Unified SIEM, announced at the RSA Conference, provides tight integration of the company's Open Source SIEM (OSSIM) with a fistful of security tools available for deployment, making it well-suited for MSPs.

Unified SIEM 3.0 is also promoted as a multitenanted MSSP architecture, and AlienVault is pitching it to that market as well as to enterprises. SIEM is a $1billion-plus market. SIEM services can take a variety of forms, starting with essential log management for compliance, probably the most common use case, to around-the-clock monitoring, analysis and incident management.

There are several potential deployment models. If the customer already owns the SIEM product, it may choose to outsource some or all of the management, easing staffing issues. Increasingly, the MSSP often owns the appliance and deploys it on-premise as part of the service. This relieves customers of capital expenses and allows them to implement SIEM as a managed service funded as an operating expense, which is generally easier to budget and offers a more flexible long-term commitment. Unified SIEM is also a cost-effective way for companies to deploy SIEM and other key security tools, including vulnerability assessment and host- and network-based intrusion detection.

Brian Cao, system programmer for the City of Los Angeles, is one of an IT department of two, knocked down from a half-dozen when it was formed several years ago to help city agencies meet Payment Card Industry Data Security Standards (PCI DSS) and local and state privacy requirements, as well as comply with ISO standards.

"We deployed ArcSight for security management, but because of budget constraints, we couldn't cover all the devices we needed to monitor. We started to look for a less expensive option." Cao says he began using OSSIM as a cheap alternative, but found that it didn't scale to meet his requirements."We were not able to analyze traffic at even 50 or 100 events per second," he says. He began migrating to the enterprise-grade Unified SIEM, which he says can analyze 10,000 to 15,000 events per second and enabled him to collect and store heavy log volume.

Unified SIEM has three components: the OSSIM-based SIEM, Sensor and Logger. The Sensor collects logs, event and flow data from network and security devices, as well as from applications. The Sensor can also provide asset discovery and identification, vulnerability assessment scanning using either Nessus or OpenVAS, and intrusion detection system (IDS) capabilities. It can even act as a wireless IDS to detect attack traffic and rogue access points.

The Logger provides high-performance encrypted transport of log data, forensic audit and analysis tools, and "military grade" data destruction. The SIEM provides numerous audit and compliance reports, as well as a reporting wizard for customization.

"The subscription provides a lot of reports and more effective correlation rules out of the box,'" he says, "which is important because we don't have a lot of people to help us." Cao says bundled VA and IDS capabilities save the city money that would otherwise be spent on additional products.

See more on this topic by subscribing to Network Computing Pro Reports Security: Wicked Innovation (subscription required).