Advanced Persistent Threat Detection

Detect Advanced Persistent Threats (APTs) and minimize damage caused by them with all the essential security capabilities you need in a single console.

Data breaches attributed to Advanced Persistent Threats (APTs) continue to make headlines when they involve large, well-known entities (large corporations, governments, etc.) and/or result in the exfiltration of sensitive data. However, APTs also frequently target the valuable data found in smaller networks. Often this is because smaller organizations tend to lack the technologies and security expertise to detect these types of attacks.

You Can’t Prevent a Breach
It’s impossible to prevent a dedicated, patient attacker from breaching your network, regardless of the amount you invest in preventive technologies like UTM, Next Gen Firewalls or Sandboxing technologies.

You can, however, arm yourself with AlienVault USM’s best-in-breed technologies to detect APTs at every stage of the attack. This, coupled with an intuitive platform, provides you with the security expertise needed to minimize the damage to your environment.

AlienVault Unified Security Management™ (USM™) gives you essential APT detection capabilities for each stage of an APT attack:

Identify Vulnerable Systems Being Targeted by APTs

  • Asset discovery will identify all systems on your network
  • Vulnerability assessment will prioritize the vulnerabilities that APTs exploit
  • Network IDS detects malicious traffic targeting vulnerable systems for initial compromise

Detect Communication with C&C Servers and Monitor Systems & Applications for Privilege Escalation and File Changes

  • OTX data alerts on inbound or outbound communication used for initial compromise of systems in your network, expansion to other systems, and exfiltration of data
  • Host IDS will detect privilege escalation on systems
  • Close monitoring will identify any malicious processes that are running or any critical services that have been disabled
  • File Integrity Monitoring (FIM) will detect changes to critical files

Get Alerted to Compromised Systems Before Exfiltration of Data

  • SIEM correlates alerts from all data sources to tell you who, what, where, when, and how you’re being attacked
  • Threat Intelligence from AlienVault Labs presents alarms in Kill Chain Taxonomy to tell you of the highest priority threats
  • Integrated response guidance tells you how to respond to APTs before data harvesting and exfiltration

Identify Vulnerable Systems Being Targeted by APTs

A patient, determined attacker can compromise any network. The first step in any defense against APTs is to know what systems are on your network, and what vulnerabilities exist on those systems. Attackers target unpatched and misconfigured systems to gain the foothold necessary to eventually exfiltrate regulated or confidential data.

AlienVault USM scans your network for devices and determines what vulnerabilities exist through both passive and active scanning techniques, depending on your policies and preferences. It then prioritizes the vulnerability data, telling you what are the highest priority vulnerabilities to address

AlienVault USM’s built-in network IDS technology also detects malicious traffic attempting to exploit vulnerabilities on the targeted systems. Common malware delivery methods include email attachments disguised as everyday documents (word files, pictures, PDFs), links to websites hosting malware or code designed to exploit common vulnerabilities.

Preventive tools like antimalware, antispam, and web content filters can’t keep up with every new malware variant associated with today’s APT campaigns. This means that you need the ability to detect the attacker’s initial compromise of your network. AlienVault USM provides this level of insight with cross correlation of contextual data, driven by AlienVault Labs Threat Intelligence.


Detect Communication with C&C Servers and Monitor Systems & Applications for Privilege Escalation and File Changes

During an advanced persistent threat attack, a common first move is to compromise one of your systems to use as a base of operations for deeper infiltration into your network. Following that, increased access to additional systems will be attempted by gaining root or administrative privileges through exploits, social engineering, or brute-force password cracking.

With threat data from OTX (Open Threat Exchange) integrated into AlienVault USM, you’ll get alerted to a wide range of Indicators of Compromise (IoCs) in any inbound or outbound communication. Due to their previous association with known threats, these IoCs are evidence of potentially malicious activity in your network (ranging from initial compromise to expansion to other systems, and ultimately exfiltration of your sensitive data).

In addition, Host IDS agents deployed on critical systems that store valuable data will detect the privilege escalation attempts as the attacker attempts to gain root or admin privileges. Once the attacker has admin access, he will stop security-related services running on the compromised systems, or start unwanted services in order to facilitate his malicious activities.

AlienVault USM’s built-in File Integrity Monitoring (FIM) capability will monitor essential files to detect changes to critical application configurations, or data files. It will also detect the modification of log files, which is a common technique attackers use to cover their tracks and evade detection.


Get Alerted to Compromised Systems Before Exfiltration of Data

One challenge IT teams of all sizes face is how to sift through their mountains of log data to detect signs of an APT campaign before data exfiltration occurs. AlienVault USM’s built-in SIEM capability aggregates and correlates event data from all of the platform’s data sources, as well as third party tools, into one management console.

The integrated Threat Intelligence from AlienVault Labs correlates the events from disparate sources to alert you to the highest priority threats facing your network today, including those related to Advanced Persistent Threats. With over 2,000 correlation rules pre-built into the AlienVault USM platform, you can spend your time responding to specific threats, instead of trying to research the significance of a particular event. Additionally, the Kill Chain Taxonomy makes it very easy for you to focus your response efforts on the most critical threats, showing you who, what, where, when, and how you’re being attacked, as well as the attacker’s intent to help you combat APTs at every stage.