Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

AlienVault OSSIM: SIEM Product overview

Expert Karen Scarfone checks out AlienVault's Open Source SIEM and Unified Security Management products for collecting event data from various security logs within an organization.

AlienVault OSSIM (Open Source Security Information and Event Management) is an open source security information and event management (SIEM) product. A SIEM collects event data from various security logs within the organization, such as those for enterprise security controls, operating systems and applications. The SIEM converts the event data into a format it understands, analyzes it, generates alerts for any suspicious events, and creates reports on the events.

Product versions

AlienVault OSSIM is only available as server-based software; there is a single version of AlienVault OSSIM.

AlienVault also offers an AlienVault Unified Security Management (USM) product, which is a commercial SIEM product. AlienVault USM has substantially more robust capabilities than AlienVault OSSIM; a comparison done by AlienVault of the products' capabilities is posted here.

AlienVault USM is available as a virtual appliance, a hardware appliance and a cloud-based service (for Amazon Web Services only). It is intended for small organizations with three integrated models (25A, 75A and 150A) that monitor up to 25, 75 and 150 assets, respectively, and an integrated model called the UA that can monitor larger numbers of assets.

Additional security capabilities

Both the AlienVault OSSIM and USM products offer capabilities involving the use of threat intelligence. Threat intelligence feeds are community-supported for OSSIM and vendor-provided for USM. Neither OSSIM nor USM offers forensic capabilities, supplementation of existing logging capabilities or other additional security features.

Reporting capabilities

AlienVault OSSIM doesn't have any built-in reporting support for compliance initiatives. It offers three reporting templates, but nothing specific to compliance reporting. By contrast, AlienVault USM offers over 150 customizable reports, including compliance reports for the Payment Card Industry Data Security Standard, HIPAA and SOX.

Licensing and pricing

AlienVault OSSIM is open source, so its latest version is available for free download here. A link to download the source code and documentation is also available from the same URL.

AlienVault USM is a commercial product. A 30-day free trial is available for download here. Pricing information for AlienVault USM virtual appliances for small organizations is posted here, as is the cloud service hourly rate. AlienVault must be contacted directly for pricing on other AlienVault USM models.

AlienVault OSSIM, USM overview

AlienVault OSSIM has limited capabilities compared to its commercial counterparts, including the AlienVault USM product. AlienVault OSSIM is best suited for organizations without a SIEM that want to experiment with basic SIEM capabilities or that want to modify a SIEM to meet unusual organization-specific requirements. Small organizations looking for a more robust off-the-shelf SIEM product should consider evaluating AlienVault USM products.

Next Steps

In part one of this series, learn about the basics of SIEM products in the enterprise

In part two of this series, find out about the enterprise benefits of SIEM products

In part three of this series, read about the seven questions to ask before buying a SIEM product

In part four of this series, compare the best SIEM systems in the industry

This was last published in November 2015

Dig Deeper on SIEM, log management and big data security analytics

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Has your organization ever used or tested an AlienVault Open Source SIEM tool?
Thanks for the quick overview of AlienVault, it's nice to see the USM product getting some additional traction in the press.

I would like to point out that the Unified Security Management (USM) product does offer some forensic capability in the form of a traffic capture feature that can save results for analysis by a packet analyzer (e.g. Wireshark). AlienVault USM also has a Network Intrusion Detection System (NIDS) agent that runs in promiscuous mode to gathers network traffic and compare it to the AlienVault signature database in order to detect anomalies. The AlienVault signature database is comprised of signatures from Emerging Threats, Emerging Threats Pro, and Open Threat Exchange (OTX) as well as AlienVault Labs (run by AlienVault itself). Additionally, AlienVault USM goes beyond simply logging and event noification by also performing scheduled vulnerability scanning in both authenticated and unauthenticated modes, in order to mimic both outside and inside attackers. Lastly, the AlienVault USM architecture is scalable, allowing one to monitor multiple networks and thousands of devices with multiple sensors and servers.

Again I think you for this look at AlienVault and I look forward to seeing more in-depth reviews of AlienVault from you in the future.