On Monday, January 19, 2015 at 5:51:24 PM UTC-5, JB wrote:
> Is SO enough to handle IDS or should Alienvault be added as well?
> Is there any benefit to using both? Thanks
I use them both (AV and SO) in parallel, and while they are similar in many respects they both have different strengths.
AlienVault centrally captures and logs a lot of different data from many different data sources: syslog from devices, Windows Event Logs, vulnerability scan results, Snort/Suricata, etc. This itself is not too different from SO, but AV then correlates and cross-correlates multiple events and sources, as well as data from their Open Threat Exchange (threat intelligence data), to allow things to bubble up into alarms based on a risk score calculated through the process of correlation. In effect, AlienVault is extremely effective at separating the needles from the haystack of all that data from all those sources.
When it comes to maintaining daily visibility into my network and investigating alarms, Security Onion has the tools of choice for me.
I have tuned Snort/Snorby to filter out a lot of noisy and common stuff like exe downloads and timing window errors, such that it will show me the kind of events that I want to see that might not make it to Alarm status in AV, such as RDP connections. I use ratop/Argus to keep daily track of top talkers and where they are talking. I love http_agent and Squert for tracking down what people were doing leading up to an event/alarm. And Sguil with Network Miner and some of the other connected tools is just plain awesome.
AV and SO share many of the same components, but AV also has built-in vulnerability scanning and some pretty good asset tracking, although I hope to see improvement there.
AV signs and logs everything but does not keep packet capture like SO does.
AV has great reporting if you need that.
Conclusion: AV really doesn't replace SO, and neither does SO replace AV. They are extremely similar at their core, but the end results are very different and they complement each other very well.
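The post describes two complementary ways of looking at the same telemetry: a correlation engine that sums risk across sources (and threat intel) so that only a few hosts "bubble up" as alarms, and an analyst console that still surfaces lower-scoring events such as RDP connections. The following is an added example written for this page, not code from AlienVault, Security Onion or the poster. It implements a toy version of that idea in Python: the event sources, weights, bonuses, the threshold of 10 and the threat-intel set are all constructed assumptions, and the sample events are made up rather than captured.

```python
"""Toy multi-source risk correlation (added example; not AlienVault or SO code)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Event:
    source: str                      # "ids", "syslog" or "vulnscan"
    host: str                        # the internal asset the event concerns
    kind: str                        # short description of what was observed
    weight: int                      # base risk contribution of this one event
    remote_ip: Optional[str] = None  # external peer, where the source records one


# Constructed sample input: three hosts, three data sources. Not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    Event("ids", "10.0.0.5", "ssh brute-force signature", 3, remote_ip="203.0.113.7"),
    Event("syslog", "10.0.0.5", "repeated failed ssh logins", 2),
    Event("vulnscan", "10.0.0.5", "outdated ssh daemon", 3),
    Event("ids", "10.0.0.9", "exe download", 1, remote_ip="198.51.100.4"),
    Event("syslog", "10.0.0.9", "interactive logon", 1),
    Event("ids", "10.0.0.12", "inbound rdp connection", 2, remote_ip="198.51.100.20"),
]

# Constructed stand-in for a threat-intelligence feed (the role OTX plays in the post).
THREAT_INTEL: Set[str] = {"203.0.113.7"}

ALARM_THRESHOLD = 10     # hypothetical: a host at or above this score becomes an alarm
CROSS_SOURCE_BONUS = 4   # hypothetical: IDS alert plus vuln finding on the same asset
INTEL_MATCH_BONUS = 5    # hypothetical: IDS alert whose remote peer is in the intel feed


@dataclass
class HostRisk:
    host: str
    score: int = 0
    sources: Set[str] = field(default_factory=set)
    reasons: List[str] = field(default_factory=list)

    @property
    def alarm(self) -> bool:
        return self.score >= ALARM_THRESHOLD


def correlate(events, intel=THREAT_INTEL) -> Dict[str, HostRisk]:
    """Roll events up per host and compute a risk score.

    The base score is the sum of event weights; two cross-correlation rules add
    bonuses when independent sources agree about the same asset.
    """
    by_host: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    risks: Dict[str, HostRisk] = {}
    for host, evs in by_host.items():
        r = HostRisk(host)
        for ev in evs:
            r.score += ev.weight
            r.sources.add(ev.source)
            r.reasons.append(f"{ev.source}: {ev.kind} (+{ev.weight})")
        # Cross-correlation: an IDS hit against an asset that also has an open finding.
        if {"ids", "vulnscan"} <= r.sources:
            r.score += CROSS_SOURCE_BONUS
            r.reasons.append(f"ids alert on asset with open finding (+{CROSS_SOURCE_BONUS})")
        # Threat-intel enrichment: the IDS peer address is on the hostile list.
        if any(ev.source == "ids" and ev.remote_ip in intel for ev in evs):
            r.score += INTEL_MATCH_BONUS
            r.reasons.append(f"ids peer matches threat intel (+{INTEL_MATCH_BONUS})")
        risks[host] = r
    return risks


def alarms(events, intel=THREAT_INTEL) -> List[str]:
    """Hosts whose correlated score crosses the threshold: the 'needles'."""
    return sorted(h for h, r in correlate(events, intel).items() if r.alarm)


def below_threshold(events, kind_substring, intel=THREAT_INTEL) -> List[Event]:
    """Events of a given kind that never reach alarm status, i.e. what a
    console-driven daily review would still surface."""
    risks = correlate(events, intel)
    return [ev for ev in events
            if kind_substring in ev.kind and not risks[ev.host].alarm]


if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        flag = "ALARM" if r.alarm else "info"
        print(f"{host:10} {r.score:3} {flag}  " + "; ".join(r.reasons))
    print("still worth a look:", [e.kind for e in below_threshold(SAMPLE_EVENTS, "rdp")])
```

With the constructed data only 10.0.0.5 alarms (8 from raw weights, plus both bonuses), while the RDP connection on 10.0.0.12 stays at a score of 2; `below_threshold` is the view the post attributes to Security Onion, showing events the correlation engine alone would never raise.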