AT&T Cybersecurity (Alienvault) review and alternatives

AT&T Cybersecurity is a system security tool provider that is part of the AT&T conglomerate. The business has an impressive heritage in the cybersecurity field under its original name of AlienVault. The AlienVault system goes back even further because it is a commercialization of OSSIM, a ground-breaking, free, open-source SIEM.

Before AT&T took it over, AlienVault invested all of its expertise in creating the USM Anywhere platform. This SaaS system expands on the original SIEM concept and offers a solution to centralizing the security monitoring of geographically dispersed endpoints.

OSSIM and SIEM

To understand AT&T Cybersecurity and its USM Anywhere platform, you need to look back to the OSSIM project, which began in 2003. OSSIM stands for Open Source Security Information Management or Open Source SIM. A SIM looks through system log messages to identify suspicious activities.

Log messages are generated when an event occurs and are then circulated around the network. A live system monitor simply records the status of a resource in time slices and sends that record through to an accumulator, which assembles a graph in the security monitoring console. Although log files are seen as a retrospective source of information, log messages are just as “live” as monitoring data. Similarly, the status samples sent to monitoring consoles can easily be channeled through the OSSIM search engine.

OSSIM also takes resource monitoring feeds and live activity records; this type of information is commonly termed security event management (SEM). Merging SIM and SEM data into a shared pool for threat analysis creates a SIEM. OSSIM is misnamed because it takes SEM inputs as well as log messages, so it is a SIEM and should be called OSSIEM.

OSSIM wasn’t categorized as a SIEM when it was created because the system predates the term. It wasn’t the original SIEM, and it pre-dated that by two years: the SIEM term was coined in 2005.

From OSSIM to USM Anywhere

OSSIM was created in Spain, and over the years, it has evolved, thanks to the voluntary contributions of programmers and cybersecurity experts worldwide. The project has disseminated new security monitoring and response techniques that have spread across the IT industry through participants forging careers in the commercial world.

OSSIM went commercial itself in 2007 with the creation of AlienVault. The OSSIM founders took on the management team of the Fortify group from Hewlett Packard and teamed up with Intel and Hewlett Packard to obtain hardware for producing relevant time series status reports. This liaison shows how AlienVault can proactively solve a problem when an information gap occurs.

In 2012, AlienVault returned to the open-source model to launch OTX, the Open Threat Exchange, a framework for crowdsourced threat intelligence. With this innovation, AlienVault created a global source of threat intelligence. As OTX is open source, it is available to all cybersecurity tools, and it has completed the field of shared threat intelligence. OTX records 19 million new threat indicators every day.

Although the founders of OSSIM are still based in Madrid, the corporate headquarters for AlienVault was settled in San Mateo, California. The US location made the business more attractive to venture capitalists, whose financial input helped it proliferate.

AT&T Communications bought AlienVault in 2018 and renamed the company AT&T Cybersecurity. Along with AlienVault, AT&T took over the OSSIM and OTX projects. OSSIM is still being developed independently and is still free to use. It is available for download from the AT&T website.

AlienVault USM Anywhere has been called AT&T USM Anywhere since 2019.

USM Anywhere

“USM” stands for United Security Management. It is a cloud-based threat detection and response service. As the system is hosted remotely, it is not bound to a single network. This is why the product has “Anywhere” in its name. If the tool has to reach out to your network to gather event information, it could equally reach out to your business’s remote networks in other countries or to the devices used by remote workers.

The United Security Management system unifies the security monitoring of all of your fleet of endpoints wherever they are.

Its features are:

  • Asset discovery
  • Vulnerability management
  • Intrusion detection
  • Endpoint detection and response
  • Security orchestration, automation, and response
  • Compliance auditing and reporting

You can read about each of these points in detail below.

Asset discovery

One problem with any SaaS security platform is that it can’t, or at least shouldn’t be able to, get through your network’s firewall. As with malware, it is easier for external systems to access a network and its endpoints if a local agent is installed on the target system. So, asset discovery is not an automated process.

You have to enroll systems and get an agent program downloaded onto them before they become visible to the USM Anywhere monitor. Fortunately, you don’t need to manually install an agent on every endpoint at the initial setup phase; that comes later.

In the beginning, you need to have an agent on at least one device on each network that you want to include in the monitoring service. Once that task has been completed, the monitor will explore the network with tools such as SNMP and ping to identify each device connected to the enrolled network.

The asset discovery process will assemble an inventory, which forms the dashboard layout for the monitoring service. It will show the endpoints and network devices connected to the network. It will also include cloud resources on the Azure, AWS, and GCP systems.

After identifying each endpoint, the service will download an agent onto each device and scan it for software, creating a software inventory. At this point, USM Anywhere has all of your network, endpoints, applications, services, and user-facing software mapped.

Vulnerability management

The Vulnerability Manager in USM Anywhere scans from an internal location and within the network. It will assess all of the software, operating systems, and services and identify security weaknesses.

Vulnerability hunting is informed by Dark Web threat intelligence. This alerts the scanner to newly devised attack vectors and to whether the company’s specific assets are about to be targeted.

The Vulnerability Manager assesses all devices and software configurations and settings and recommends adjustments to improve system resilience. It will also identify out-of-date software that needs patching.

This service runs automatically on a cycle, so you don’t have to trigger it manually.

Intrusion detection

The core of USM Anywhere derives from the original OSSIM system, which is a SIEM. The SIM and SEM elements of SIEM can also be expressed in terms of intrusion detection systems. A SIM is a host-based intrusion detection system (HIDS), and a SEM is a network-based intrusion detection system (NIDS). The intrusion detection system also operates on AWS, Azure, and GCP.

Endpoint detection and response

The detection system requires that an agent is active on each device, and then it will implement endpoint detection and response (EDR) for added protection. This service operates through security orchestration, automation, and response (SOAR), described below.

Security orchestration, automation, and response

The endpoint agents that the USM Anywhere system installs gather log messages and system activity reports. This information is automatically generated by the operating system and all software running on the device. Then, the agents send that data to the USM Anywhere cloud server.

When the SIEM system identifies a threat, it sends instructions back to the agent on the affected endpoint to implement remediation actions. For example, this could involve sending instructions to an access rights manager to suspend a compromised account or updating firewall rules to block access from a malicious IP address. The service can also kill processes and delete files.

Each detected threat will notify staff through your Service Desk ticketing system. In addition, you can pre-define how many of the response workflows are automated. Integrations, called AlienApps, facilitate interaction with third-party tools for data collection and response implementation.

Compliance auditing and reporting

The SIEM mines log messages for activity information. Logs are produced in different formats by different systems, so USM Anywhere first has to convert them into a standard layout. This is called “consolidation.” The system then files the log messages and keeps them available on the cloud platform for 90 days. You can load messages into a data analyzer in the USM Anywhere dashboard during that period. After that period, log files are stored to be made available for external compliance auditors.
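The “consolidation” step and the 90-day online window described above, shown as an added example that is not code from AT&T Cybersecurity or USM Anywhere: two assumed raw formats (an OpenSSH-style syslog line and a hypothetical JSON line from a Windows agent) are converted into one common record, lines no parser understands are dropped, and a retention filter is applied to constructed sample input.

```python
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Event:  # the "standard layout" that every raw message is converted into
    timestamp: datetime
    source: str
    host: str
    user: str
    action: str  # "login_ok", "login_fail" or "other"

# OpenSSH-style auth line preceded by an ISO-8601 timestamp (assumed layout, constructed here)
SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<res>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)")

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    action = "login_ok" if m["res"] == "Accepted" else "login_fail"
    return Event(ts, "syslog", m["host"], m["user"], action)

def parse_winjson(line):
    # Hypothetical JSON shape from a Windows agent; 4624/4625 are the logon success/failure event IDs
    try:
        d = json.loads(line)
        action = {4624: "login_ok", 4625: "login_fail"}.get(d["EventID"], "other")
        return Event(datetime.fromisoformat(d["TimeCreated"]), "winjson", d["Computer"], d["TargetUserName"], action)
    except (ValueError, KeyError, TypeError):
        return None  # not JSON at all, or JSON without the expected fields

def consolidate(lines):
    # The first parser that understands a line wins; lines no parser understands are dropped
    parsed = (next(filter(None, (p(line) for p in (parse_syslog, parse_winjson))), None) for line in lines)
    return [ev for ev in parsed if ev]

def within_retention(events, now, days=90):
    # Keep only the events still inside the online retention window
    return [e for e in events if e.timestamp >= now - timedelta(days=days)]

# Constructed sample: two syslog lines (the second older than 90 days), one JSON line, one noise line
SAMPLE = [
    "2024-05-20T08:01:02Z web01 sshd[1234]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    "2024-02-10T12:00:00Z db01 sshd[99]: Accepted password for alice from 198.51.100.7 port 4000 ssh2",
    '{"EventID": 4625, "TimeCreated": "2024-05-28T09:15:00+00:00", "Computer": "WIN-FS1", "TargetUserName": "bob"}',
    "kernel: eth0 link up",
]
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time" for the retention check
```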

The USM Anywhere dashboard also includes a compliance reporting system with pre-written report formats that automatically draw in data from the log management system.

USM Anywhere prices

USM Anywhere is available in a series of plans that cater to businesses of all sizes. The platform represents a full range of cyber security services, including log management, vulnerability management, SIEM, and endpoint detection and response. Therefore, its price has to be assessed by comparing it to a bundle of other products that fulfill these functions. The three plans for USM Anywhere are:

  • Essentials – from $1,075 per month
  • Standard – from $1,695 per month
  • Premium – from $2,595 per month

You can get a 14-day free trial of USM Anywhere.

USM Anywhere strengths and weaknesses

We have assessed AT&T Cybersecurity’s USM Anywhere and identified several strengths and weaknesses of the system.

Pros:

  • Unified security protection for assets no matter where they are located
  • A comprehensive package of security systems
  • Coordination with third-party tools for data collection and threat remediation
  • Log file management and log storage
  • Compliance reporting

Cons:

  • High price
  • Not everyone would want all of the tools in the package

Alternatives to AT&T Cybersecurity

USM Anywhere from AT&T Cybersecurity is an awe-inspiring package. Not only does it include a long list of security tools, but it is also built on long-established experience from a heritage that dates back 18 years.

It is always a good idea to compare several options before buying any software or service, and we have identified several systems that you should consider.

Here is our list of the best alternatives to AT&T Cybersecurity USM Anywhere:

  1. SolarWinds Security Event Manager (FREE TRIAL) This option is attractive if you don’t want to use cloud-based cyber security services but prefer on-premises software. The Security Event Manager includes a log manager, and it has a built-in compliance reporting system. It won’t give you a vulnerability manager, though. This package runs on Windows Server, and you can get it on a 30-day free trial.
  2. Rapid7 Insight This is a cloud platform that offers all of the elements contained in the USM Anywhere service. However, with Rapid7, all of the modules are charged individually. The SIEM system in Insight is called InsightIDR, and the vulnerability manager is called InsightVM. InsightIDR collects logs and stores them, and the system implements responses through SOAR. The InsightVM service rolls on to an automated patch manager and will also recommend changes to settings for system hardening. In addition, InsightIDR has extra features that aren’t available in USM Anywhere. These include file integrity monitoring and deception technology to trap intruders. InsightIDR is available for a 30-day free trial.
  3. Datadog Cloud Security Platform This cloud service offers both a SIEM system and a vulnerability manager as separate modules that can be operated through a standard dashboard. The platform also offers an extended log management service. In addition, there are other services available that tailor the security system to DevOps environments. All of the services on this platform can be accessed on a 14-day free trial.
  4. Splunk Enterprise Security This security package will run on Windows or Linux. With this system, you get log management that organizes log files and supplies compliance reporting. The package includes a SIEM, which is also based on a network traffic monitoring module. Vulnerability scanning can be added on from a library of community-supplied plugins. An associated SOAR module is also available. You can try Splunk Enterprise on a 60-day free trial.
  5. OSSIM This is the original product from which USM Anywhere was developed. It is still available, and it is still free. The development of OSSIM has continued as an open-source project while USM Anywhere evolved commercially. With this package, you get a SIEM and a vulnerability manager, and it can also take the OTX feed for threat intelligence. The software runs on VMware or Hyper-V.