AlienVault OSSIM was an open source Security Information and Event Management (SIEM). AlienVault was acquired by AT&T Cybersecurity, now LevelBlue, and OSSIM is no longer available for sale.
N/A
Elasticsearch
Score 8.7 out of 10
N/A
Elasticsearch is an enterprise search tool from Elastic in Mountain View, California.
$16
per month
Pricing
AlienVault OSSIM (discontinued)
Elasticsearch
Editions & Modules
No answers on this topic
Standard
$16.00
per month
Gold
$19.00
per month
Platinum
$22.00
per month
Enterprise
Contact Sales
Offerings
Pricing Offerings
AlienVault OSSIM (discontinued)
Elasticsearch
Free Trial
No
No
Free/Freemium Version
No
No
Premium Consulting/Integration Services
No
No
Entry-level Setup Fee
No setup fee
No setup fee
Additional Details
—
—
More Pricing Information
Community Pulse
AlienVault OSSIM (discontinued)
Elasticsearch
Features
AlienVault OSSIM (discontinued)
Elasticsearch
Security Information and Event Management (SIEM)
Comparison of Security Information and Event Management (SIEM) features of Product A and Product B
AlienVault OSSIM (discontinued)
7.5
Ratings
4% below category average
Elasticsearch
-
Ratings
Centralized event and log data collection
9.40 Ratings
00 Ratings
Correlation
6.90 Ratings
00 Ratings
Event and log normalization/management
8.10 Ratings
00 Ratings
Deployment flexibility
8.20 Ratings
00 Ratings
Integration with Identity and Access Management Tools
The most obvious scenario in which OSSIM is well suited is in a single office/home office (SOHO) or small business, in which budget is reduced but asset discovery and vulnerability management are greatly needed and appreciated. OSSIM is lightweight and free, so the real challenge to face is to hire or assign an administrator to manage and operate it, instead of any investment on an expensive appliance. Also, as resellers, promoting usage of OSSIM to customers charging for professional services for installation, administration, and maintenance (remember that OSSIM doesn't have official support from AlienVault) is a great asset for the organization.
Elasticsearch is really well suited for searching text (Natural Language Processing) and you can fine tune the searches and scoring very well. I like the ability to find Significant Terms in the Index, where you can find aggregations that are really relevant to a specific search. It also allows for queries to lead to new queries via aggregations which is great for navigating your data. It is less suited to doing more complex aggregations where slices of data are required to be processing using guassian normalizations. And doing searches which join different documents is very very hard, and requires serious thought on how to denormalize data.
Setting Java memory thresholds can be a pain for those not accustomed to things like Eden Space & Old Generation which can lead to over allocation, or more likely, under allocation. Apache Solr had a similar issue. It would be nice if the program would take an extra step and dogfood it's own advice by analyzing the system & processes to return a solid recommendation for that configuration. The proper configuration information is outlined in the documentation, it would be nice if that was automated.
The only health check that ElasticSearch reports back is a "red" status without any real solid information about what is going on, though its usually memory thresholds or disk I/O. I am currently on ElasticSearch 1.5 so that may have changed for newer versions. When the status goes "red", I as the administrator of the software, feel like I lose control of whats going on which should rarely happen. Something more verbose would eliminate that.
This is more of a critique of the ElasticStack in general. The whole top to bottom stack is starting to get feature creep with things that are better suited in other software and increasing the barrier for entry for people to get started with setting up a robust logging infrastructure. ElasticSearch as a storage search engine, is pretty streamlined, but I can see that the tools that comprise the ELK Stack are going to require a certification with constant study at some point. During major release for Logstash a while back, it literally took a month to learn a new language because Elastic completely changed the syntax. For a medium sized organization of only a couple of admins, that is a pretty high bar where time is money. They really should work on refining/automating the tools & search engine they have, instead of shoehorning/changing things on to an already rock solid foundation.
AlienVault OSSIM is far easy to use and manage - provided you know what you're doing. As any SIEM application, there is some background knowledge required in order to take advantage of the product's functionalities, such as the log correlation and analysis. Other than that, the application is quite usable and robust.
To get started with Elasticsearch, you don't have to get very involved in configuring what really is an incredibly complex system under the hood. You simply install the package, run the service, and you're immediately able to begin using it. You don't need to learn any sort of query language to add data to Elasticsearch or perform some basic searching. If you're used to any sort of RESTful API, getting started with Elasticsearch is a breeze. If you've never interacted with a RESTful API directly, the journey may be a little more bumpy. Overall, though, it's incredibly simple to use for what it's doing under the covers.
Everything is done through MSSP and installation pro services. Once those hours are burned up, then you're on your own without a lot of help. Typically the pro services hours aren't enough to get past 60 days and MSSP are hit and miss. We had a miss for installation helpers.
We've only used it as an opensource tooling. We did not purchase any additional support to roll out the elasticsearch software. When rolling out the application on our platform we've used the documentation which was available online. During our test phases we did not experience any bugs or issues so we did not rely on support at all.
AlienVault OSSIM as the first experience with a SIEM is very fine, especially if your company is an SMB. Every SIEM shares some features in common with other products, features such as log retrieval and normalization. So if you stick with principles, you can learn other SIEM products as well. If your environment is not of a minimum size, LogRhythm might be overkill for your network, same with McAfee Enterprise Security Manager.
Elasticsearch is the most well-known and supported free data platform that we identified. We are taking advantage of community knowledge and practices. In terms of flexibility and breadth of use cases no other competitor came close to Elasticsearch. We've tried Solr in the past be we encountered issues which were deal-breaking for us. MongoDB - it just did not pass our evaluation parameters as a main data platform. We still use it for smaller purposes, though.
OSSIM and the installers didn't really help us optimize at installation. OSSIM went without optimization for almost two years before that fact was noticed. I think this decreased ROI.
Finding and researching incidents is much faster with all data available. Sometimes too much data, though.
I am not in finance and I suspect even if I was this would be hard to measure. But for sure, Elasticsearch has enabled us to have the most flexible data model in the industry for our customer's data, and in doing so we have attracted many many technical customers and got much of their $$$.
One problem with Elasticsearch is that because it runs on the JVM, there can be some stop-the-world JVM garbage collections happening that can take down nodes and reduce indexing speed. The solution for that tends to be "let's just upgrade the CPU on that machine". And before you know it you are paying $$$ because this'll happen with 40+ machines.
On the other hand, I do think that ES is more efficient than other systems and so it requires fewer nodes to keep it highly tolerant and available, so we probably saved some money that way.