Network Security Monitoring
AlienVault Unified Security Management
Get all of the essential security capabilities you need in one Unified Security Management™ platform, coordinated to work together “out of the box.” It’s the fastest, easiest way to get a complete picture of your network’s security status, with actionable threat intelligence to respond to threats and vulnerabilities quickly.
Discover, inventory, and start monitoring your network in minutes
In order to secure your network, you first need to know what you have to protect. You need a simple, reliable way to know what is connected to your network, along with the information required to make sense of the activity occurring on, and originating from, any asset you suspect has been compromised.
AlienVault USM provides built-in asset discovery to:
- Determine what’s on your network at any given time
- Know when new servers and endpoints are attached
- Be certain of how your devices are configured
- Correlate asset info with threat and vulnerability data
- Accelerate investigations of impacted assets
With USM, you get three core discovery and inventory technologies for full visibility into the devices that show up on your network.
Find, verify, prioritize, and fix your network security risk quickly
The more known vulnerabilities you remove, the more work an attacker has to expend to breach your network. Save time improving your security posture by having AlienVault USM kick off scans, report the results, and hold all the information you need to assess and remediate vulnerabilities quickly.
AlienVault USM provides built-in vulnerability assessment to:
- Correlate asset info with vulnerabilities and threats
- Prioritize vulnerabilities based on risk severity
- Conduct false-positive analysis
- See vulnerability info and how to remediate it
- Keep your scans up to date on new vulnerabilities
With USM, you get a fast, effective way to expose your network’s vulnerabilities now, and the means to keep identifying insecure configurations, unpatched software, and unsupported software over time. These capabilities can be mixed and matched as needed.
Catch threats anywhere within your network
Attacks aren’t all or nothing – they happen in multiple steps, so you want to detect them early and stop attackers in their tracks. Catching and responding to threats early requires gathering data from a variety of threat vectors so you can establish the who, what, where, when and how of an attack.
AlienVault USM provides built-in intrusion detection to:
- Provide network and host-based IDS
- Correlate threat data with vulnerability and asset info
- Determine and investigate impacted systems
- Detect network activity with known malicious hosts
- Catch new threats with continuous threat intelligence
With USM, you get asset discovery and vulnerability assessment, intrusion detection, behavioral monitoring, and SIEM (log management, event correlation, analysis and reporting) for the complete view you need to effectively monitor the security of your network. Combining these different views allows you to cut through the noise and see the information that really matters.
Baseline network behavior and spot suspicious activity
In order to catch the latest threats, you need a way to identify anomalies and other patterns that may signal new, unknown behavior. Behavioral monitoring enables you to spot and investigate suspicious network activity, as well as provides the traffic data required to reveal the events that occurred in a potential security breach.
AlienVault USM provides built-in behavioral monitoring to:
- Identify protocols and baseline “normal behavior”
- Spot anomalies, policy violations, and suspicious activity
- Monitor system services and detect unexpected outages
- Conduct full protocol analysis on network traffic
With AlienVault USM, you get multi-layered network security monitoring to detect known threats, catch network activity with known malicious hosts, and spot suspicious activity that could signal a new, unknown threat.
Automate correlation, get threat context, and know what to do next
During security incidents and investigations, you need to get to “whodunit” as quickly as possible. This can be complicated when mountains of security-relevant data are continuously being produced. By automating the correlation of real-time events you can gather all of the puzzle pieces in a single view.
AlienVault USM provides built-in SIEM to:
- Offer 2,000 correlation directives out of the box
- Cross-correlate asset, threat, and vulnerability data
- Calculate security risk and prioritize investigation
- Use a single pane of glass for investigations
- Determine appropriate response for every alarm
With USM, you get the complete picture for every incident, plus built-in guidance from the AlienVault Labs security research team. When your network is under attack, you’ll have all the security-related information you need in one place to see what happened and what to do about it.
SIEM in Action (an example):
- A port scan is detected by your firewall and an alarm is generated in the USM console.
- In the USM console, the source address of the scan is correlated with the destination address of an SSH session from an internal host. A lookup in USM’s asset inventory automatically identifies the risk profile of the internal host and determines that the host is critical to business operations. This identifies it as a critical security incident.
- From within the USM console, the compromised host is scanned for other vulnerabilities and it is found to be missing a critical security patch.
- A ticket is generated within the USM console to patch the compromised host. The compromised host is patched and returned to service.
- A complete forensic analysis for the past 30 days is run for the compromised host from the USM console to determine if additional corrective action is required.
- The incident is automatically reported to the AlienVault Open Threat Exchange which is monitored by AlienVault Labs so that it can be synthesized and reported to other AlienVault installations. The entire community is then aware and protected from a similar exploit. Note: this step is optional, as you must opt-in to join the Open Threat Exchange.
Cross-Correlation in Action
For IDS-generated events, which by themselves can be quite noisy, USM does a lookup from the console to see what vulnerabilities that attack needs for the exploit to be successful. Then USM does an asset lookup to see if the asset is actually vulnerable and to determine the risk profile of the asset. All of this data is then correlated so that you are able to focus in on the information that really matters most.
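The lookups described above, and the port-scan scenario in the SIEM example, can be written out as plain correlation logic. The following is an added illustration, not AlienVault or USM code: the hosts, IDS signature names, vulnerability labels and the risk weighting are all assumed for the example, and the event stream is constructed.

```python
"""Cross-correlation of IDS events with asset and vulnerability data.

Added illustration, not AlienVault/USM code. Every host, signature and
vulnerability label below is constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed asset inventory (the "asset lookup"): criticality is 1-5.
ASSETS = {
    "10.0.1.20": {"name": "erp-db01", "criticality": 5, "owner": "finance"},
    "10.0.2.35": {"name": "dev-box", "criticality": 2, "owner": "engineering"},
}
# Constructed vulnerability-scan results: hypothetical labels, not real CVEs.
SCAN_RESULTS = {
    "10.0.1.20": {"VULN-SSH-01"},   # still unpatched in the last scan
    "10.0.2.35": set(),             # nothing open according to the last scan
}
# Constructed map: IDS signature -> vulnerabilities the exploit needs to succeed.
SIGNATURE_PREREQS = {
    "EXPLOIT ssh-overflow-attempt": {"VULN-SSH-01"},
    "SCAN portscan": set(),         # reconnaissance needs no vulnerability
}


@dataclass
class Event:
    ts: int                # seconds
    kind: str              # "ids", "firewall" or "flow"
    signature: str
    src: str
    dst: str
    reliability: int = 5   # 0-10 confidence the detector assigns


@dataclass
class Alarm:
    event: Event
    risk: int              # 0-10
    reason: str


def correlate_ids_event(ev: Event) -> Optional[Alarm]:
    """Asset lookup, then vulnerability lookup, then risk; None means 'drop'."""
    asset = ASSETS.get(ev.dst)
    if asset is None:
        return None        # not inventoried: nothing to correlate against
    needed = SIGNATURE_PREREQS.get(ev.signature, set())
    present = SCAN_RESULTS.get(ev.dst, set())
    if needed and not needed <= present:
        return None        # target lacks what the exploit requires: treat as noise
    # Weighting is ours: criticality (1-5) x reliability (0-10), scaled to 0-10.
    risk = asset["criticality"] * ev.reliability // 5
    return Alarm(ev, risk, f"{ev.signature} against {asset['name']} "
                           f"(owner {asset['owner']}); prerequisites {sorted(needed)} present")


def correlate_scan_with_egress(events: List[Event], window: int = 3600) -> List[Alarm]:
    """Port-scan scenario: the scanner's IP later shows up as the destination
    of an SSH session from an internal host, within `window` seconds."""
    alarms = []
    for scan in (e for e in events if e.signature == "SCAN portscan"):
        for e in events:
            if (e.kind == "flow" and e.signature == "ssh" and e.dst == scan.src
                    and scan.ts <= e.ts <= scan.ts + window):
                asset = ASSETS.get(e.src)
                crit = asset["criticality"] if asset else 1
                name = asset["name"] if asset else "unknown"
                alarms.append(Alarm(e, min(10, crit * 2),
                                    f"outbound SSH from {name} ({e.src}) to scanner {scan.src}"))
    return alarms


def sample_events() -> List[Event]:
    """Constructed event stream: one scan, three exploit attempts, one SSH flow."""
    return [
        Event(10, "firewall", "SCAN portscan", "203.0.113.9", "10.0.1.1"),
        Event(120, "ids", "EXPLOIT ssh-overflow-attempt", "203.0.113.9", "10.0.1.20", 8),
        Event(130, "ids", "EXPLOIT ssh-overflow-attempt", "203.0.113.9", "10.0.2.35", 8),
        Event(140, "ids", "EXPLOIT ssh-overflow-attempt", "203.0.113.9", "10.0.9.99", 8),
        Event(500, "flow", "ssh", "10.0.1.20", "203.0.113.9"),
    ]


def run(events: List[Event]) -> List[Alarm]:
    """Apply both correlations and return alarms, highest risk first."""
    alarms = [a for a in (correlate_ids_event(e) for e in events if e.kind == "ids") if a]
    alarms += correlate_scan_with_egress(events)
    return sorted(alarms, key=lambda a: a.risk, reverse=True)


if __name__ == "__main__":
    for a in run(sample_events()):
        print(f"risk={a.risk:2d} {a.reason}")
```

Of the three exploit attempts, only the one against the critical, unpatched host survives; the attempt against the patched dev box is dropped because the scan says the prerequisite is absent, and the attempt against an uninventoried address is dropped because there is no asset to correlate against. The outbound SSH session to the scanner from the critical host is what raises the port scan from background noise to a top-priority alarm.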
Incident Response Guidance in Action
An alert might identify that a host on your internal network is attempting to connect to a malicious external host. The dynamic incident response guidance would include details about:
- The internal host such as owner, network segment, and software that is installed
- The network protocol in use and specific risks associated with it
- The external host and what exploits it has executed in the past
- The importance of identifying potential C&C (command and control) traffic
- Specific actions to take for further investigation and threat containment – and why you should take them