AlienVault Threat Detection
One platform for threat detection, incident response, and compliance
Advanced Threat Detection Anywhere Modern Threats Appear
Your organization’s security depends on your ability to rapidly detect and respond to emerging threats across your cloud and on-premises environments. Yet, attack methods and strategies evolve constantly, making threat detection an always-moving target.
Most organizations simply don’t have the resources or time to extensively research the global threat landscape for the latest attack vectors, nor can they spend time analyzing every indicator that an attack is happening.
AlienVault Unified Security Management (USM) is built with these organizations in mind. AlienVault USM performs advanced threat detection across your cloud and on-premises environments. It combines multiple essential security capabilities – asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, endpoint detection and response, SIEM event correlation, and log management – in one unified console. This gives you everything you need to quickly identify, analyze, and respond to emerging threats, in one cost-effective and easy-to-use solution.
In addition, the AlienVault Labs Security Research Team works on your behalf to research the latest global threats and vulnerabilities, and delivers threat intelligence updates continuously into the USM platform. That way, you get the assurance of an always-up-to-date and optimally performing security monitoring solution, even without a dedicated in-house security team.
AlienVault Labs leverages threat intelligence from the Open Threat Exchange (OTX)—the world’s largest open threat intelligence community of security experts, researchers, and IT professionals worldwide who provide global insight into the latest attack trends, bad actors, indicators of compromise, and affected industries.
Focus on the Threats That Matter Right Now
- Quickly assess threats with automated alert prioritization
- Make informed decisions with full details on every alarm, including a description of the threat, its method and strategy, and recommendations on response
Get Complete Threat Visibility with All-in-One Security Essentials
- Achieve multi-layered threat detection for your on-premises and cloud environments using the USM platform’s built-in host-, network-, and cloud-based intrusion detection systems and endpoint detection capabilities
- Easily search and analyze threats with a consolidated view of your assets, vulnerabilities, and malicious activities in your environment
- Eliminate your security blind spots by aggregating and correlating events from all your devices, servers, endpoints, and applications, as well as monitoring user and administrator activities
Stay Vigilant with Continuous Threat Intelligence Delivered
- Receive continuous, curated threat intelligence from AlienVault Labs Security Research Team, delivered automatically to the USM platform
- Leverage threat data from the world’s largest open threat intelligence community—OTX
- Stay ahead of emerging threats with correlation rules that are continually and automatically updated with the latest threat intelligence
Focus on the Threats that Matter Right Now
With the constantly evolving nature of the threat landscape, it can be difficult—especially with limited resources—to address every incident and alert that occurs in and across your on-premises and cloud environments. Instead, you must be able to cut through the clutter of alerts and false positives to effectively prioritize your threat detection and response activities.
AlienVault USM Anywhere automatically prioritizes the most severe threats facing your environment. The platform uses the Kill Chain Taxonomy to categorize threats by severity in a highly visual and instantly recognizable way, so that you can immediately know which threats to focus on first. It also provides you with contextual information to help you understand attack intent and threat severity, based on how the threats are interacting with your environment.
- System Compromise – Behavior indicating a compromised system. This is the most severe threat level.
- Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system.
- Delivery & Attack – Behavior indicating an attempted delivery of an exploit.
- Reconnaissance & Probing – Behavior indicating a bad actor attempting to discover information about your network.
- Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications.
Get Complete Threat Visibility with All-in-One Security Essentials
AlienVault USM provides multiple essential security capabilities to help identify, understand, and contain threats—all through a single pane of glass. With all security-related data about your assets, vulnerabilities, and intrusions centralized and easily searchable, and backed by threat intelligence from AlienVault Labs and OTX, you can investigate faster and respond sooner to risks and threats against your critical infrastructure.
- Discovery of assets across on-premises, cloud, and hybrid environments
- Identification of software & services deployed on each asset
- Ability to group assets, supporting simplified monitoring and review
- Scans for vulnerabilities across all your monitored environments
- Ranking by vulnerability severity, so you can prioritize response
- Indication of any available patches for identified vulnerabilities
Endpoint Detection and Response
- Maintain continuous visibility of your endpoints in the cloud, on premises, and remote
- Get built-in file integrity monitoring (FIM) to monitor changes to critical files and registries as required by many regulatory compliance standards
- Proactively query endpoints for information needed for forensics investigations
- Cloud IDS (CIDS)
- Network IDS (NIDS)
- Host IDS (HIDS)
AlienVault USM delivers multi-layered IDS for your cloud, hybrid cloud, and on-premises environments threat detection needs. Built-in network intrusion detection (NIDS), host intrusion detection (HIDS), and native cloud intrusion detection (CIDS) capabilities work in concert, giving you comprehensive intrusion detection across your entire IT landscape and eliminating your security blind spots.
- Monitor cloud access and activity logs (Azure: Monitor, AWS: CloudWatch, CloudTrail, S3, ELB, VMware and Hyper-V access logs)
- Monitor user and administrator activities on systems and applications, including Okta, Active Directory, Office 365, and G Suite
- AWS VPC Flow Monitoring
Incident Response Guidance
- Review context on the threat, including details on strategy, method, and actor
- See enriched information on the incident from the Open Threat Exchange (OTX), with links to ‘pulses’ from the OTX community
- Review the affected asset, including details about what software and services are installed, and any other related vulnerabilities and alarms
- Identify the destination IP address or domain to which communications are being passed (e.g. a Command & Control Server)
- Recommended actions to take for further investigation and threat containment
SIEM & Log Management
- Event correlation by graph-based machine learning and finite-state machine (FSM) correlation engines
- Integrated threat intelligence, including updated correlation directives, from AlienVault Labs Security Team, and the AlienVault Open Threat Exchange (OTX)
- Aggregation of logs from all servers, endpoints, and applications across your on-premises, cloud, and hybrid environments
- Up to 90 days of searchable events stored in fast Elasticsearch storage
- At least 12 months of raw log retention
Insider Threat Detection
AlienVault Unified Security Management (USM) accelerates and simplifies insider threat detection with all the essential security capabilities you need in one easy-to-use console.
Detect and Minimize Threats from Within
In the wake of high-profile breaches where trusted employees were involved, enterprises are increasingly concerned about the threats those employees pose, such as:
- Disgruntled employees looking to damage systems or steal data
- Users engaged in corporate or state-sponsored espionage
- Unsuspecting users clicking on phishing e-mails
- Users illegally downloading torrents
Insider threat detection can be challenging because it often spans across a multitude of systems and services. The rise of cloud services complicates insider threat detection efforts because many traditional security tools are incompatible with cloud architecture, creating blind spots in your security plan. The AlienVault Unified Security Management (USM) platform provides visibility into your on-premises, private cloud, and public cloud environments, enabling you to detect insider threats across your entire critical infrastructure.
AlienVault USM delivers essential insider threat detection and management capabilities, including:
Insider Threat Visibility Across Your Critical Infrastructure
- Network Intrusion Detection (NIDS)
- Cloud Intrusion Detection
- Cloud access logs (Azure: Insights, AWS: CloudTrail, S3, ELB)
Privilege Escalation Detection
- Host Intrusion Detection System (HIDS)
- File Integrity Monitoring (FIM)
- Detect unauthorized user access attempts
- Monitor critical SaaS services like Office 365 and G Suite
- Security Information and Event Management (SIEM)
- Detect communications with malicious hosts
- Centralized dashboard that prioritizes threats the way you want to see them
Insider Threat Visibility Across Your Critical Infrastructure
Insider threat detection techniques rely on visibility into what’s happening across your critical infrastructure. However, the rise of the public cloud represents a security blind spot for many organizations because traditional security methods were not built with the cloud in mind. Effective insider threat detection requires a solution built to accommodate all the environments you need to secure.
That’s why AlienVault USM provides a unified platform to help you detect and understand activity across any combination of on-premises, private cloud, and public cloud environments, including threats that come from malicious or careless users within your organization.
On-premises, AlienVault USM’s Network Intrusion Detection (NIDS) inspects traffic between your internal devices and critical systems, giving you visibility into what’s happening inside your perimeter and detecting internal connections to external known bad actors. By deploying an agent such as the AlienVault Host Intrusion Detection (HIDS) agent, you can gain even more granular information about activity in your environments.
AlienVault USM Appliance will also alert you whenever a user inserts a device into a USB port on a system you’re monitoring, keeping you informed of potentially unauthorized activity that can lead to data theft.
Cloud environments pose a unique challenge to insider threat detection efforts, both because traditional network security methods aren’t compatible with cloud infrastructure and because of the amount of damage a single user can inflict. (Imagine your root access keys getting into the wrong hands.)
AlienVault USM Anywhere provides full visibility into your cloud environments, using purpose-built sensors with direct hooks into cloud APIs to leverage the extensive controls service providers have built into cloud architecture.
In addition to enabling cloud intrusion detection capabilities for AWS and Azure, the USM Anywhere sensors support insider threat detection with detailed information about who logs into the management plane and what actions they take. For example, you can tell if someone has created or destroyed virtual machines, created new services, or changed the configurations of your virtual machines (say, from eight to sixteen gigabytes of memory, or from one processor to several).
You can use this data to detect insider threats such as careless or malicious use of your root access keys—before it causes your bill to skyrocket.
Most companies track the activities of privileged users as an essential security practice. To bypass this, insiders will seek to escalate privileges in order to gain access to information, subvert controls, damage systems, or facilitate exfiltration of sensitive data—all while flying under the radar.
AlienVault USM provides the capabilities you need to identify privilege escalation and respond to it quickly, limiting the scope of a malicious insider’s impact on your organization.
You can use AlienVault USM to detect and alert on privilege escalation that doesn’t have a corresponding change request by deploying an agent to your systems, allowing you to collect critical information from your endpoint servers and workstations.
Events from the agent are forwarded to your USM deployment, allowing you to monitor admin groups for new users and take action if users are being added to groups inappropriately. You can also use file integrity monitoring (FIM) to track changes to your assets.
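The privileged-group check described above, as an added example that is not AlienVault's code: it diffs two constructed snapshots of group membership (the kind of data a host agent would forward) and raises an alert for every addition to a privileged group that has no matching approved change request. The snapshot format, group names and change-request list are all assumptions made for the example.

```python
"""Added example (not AlienVault's code): flag additions to privileged groups
that lack an approved change request by diffing two membership snapshots."""
from dataclasses import dataclass

# Constructed sample snapshots (group -> members) taken at two points in time,
# standing in for what an endpoint agent would report about admin groups.
BEFORE = {
    "Domain Admins": {"alice", "bob"},
    "Administrators": {"alice", "svc-backup"},
    "Remote Desktop Users": {"dave"},
}
AFTER = {
    "Domain Admins": {"alice", "bob", "mallory"},
    "Administrators": {"alice", "svc-backup", "carol"},
    "Remote Desktop Users": {"dave", "erin"},
}

# Constructed list of (group, user) pairs covered by an approved change request.
APPROVED = {("Administrators", "carol")}

# Groups whose membership changes should always be reviewed (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}


@dataclass(frozen=True)
class Alert:
    group: str
    user: str
    reason: str


def diff_privileged_groups(before, after, approved, privileged=PRIVILEGED_GROUPS):
    """Return one Alert per user added to a privileged group without approval.

    Members present in `after` but not in `before` are treated as additions;
    removals are ignored here because the page's concern is escalation.
    """
    alerts = []
    for group in sorted(privileged):
        added = after.get(group, set()) - before.get(group, set())
        for user in sorted(added):
            if (group, user) not in approved:
                alerts.append(Alert(group, user,
                                    "added to privileged group without a change request"))
    return alerts


if __name__ == "__main__":
    for a in diff_privileged_groups(BEFORE, AFTER, APPROVED):
        print(f"ALERT {a.group}: {a.user} {a.reason}")
```

Running the block reports `mallory` joining Domain Admins; `carol` is covered by the change request, and `erin` joining Remote Desktop Users is not flagged because that group is outside the privileged set. In practice the snapshots would be taken on a schedule and the approved list pulled from the change-management system.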
In addition, USM correlates suspicious events to detect when a user’s access to critical systems and applications may be malicious. This allows you to detect, respond, and neutralize the insider threat posed by employees trying to bypass security controls by escalating their rights, or by employees hijacking user credentials for malicious purposes.
If your organization uses Office 365, you can use USM Anywhere to monitor privilege escalation by auditing changes to roles or groups within Exchange Online. You can also keep track of activities like user access and mailbox management.
Because Office 365 users sometimes escalate privileges by delegating inbox access to another user (say, to an administrative assistant), it’s important to have forensic records in case an email gets into the wrong hands. With USM Anywhere, you can easily investigate who accessed the inbox or sent email messages.
Humans, unlike computers, are often unpredictable in nature. As such, insider threat detection usually requires the ability to correlate seemingly benign events to detect insider threats that take place across various systems. Insiders will often account for existing security controls and attempt to keep their activity ‘low and slow’ to avoid triggering any alarms.
AlienVault USM can link disparate events across your on-premises, private cloud, and public cloud environments and correlate events related to malicious insiders. USM’s strong correlation engine uses built-in correlation rules to detect relationships between different types of events occurring in one or more monitored assets to identify suspicious activity. This eliminates the need for IT teams to create their own correlation rules, so they can spend their time mitigating threats rather than researching them.
That’s where the threat intelligence produced by the AlienVault Labs Security Research Team steps in to assist. Think of it as an extension to your IT team – they are constantly performing advanced research on current threats and developing updates to AlienVault USM’s threat intelligence. In addition to the vulnerability signatures, you receive continuous updates to SIEM correlation rules, IDS signatures, knowledge base articles, and more.
Updating the AlienVault USM platform is extremely easy, designed to minimize downtime, and just requires a couple of mouse clicks. This ensures that AlienVault USM is conducting regular vulnerability scans for the latest threats without requiring in-house research or development of vulnerability data. This allows you to allocate your time and resources to other responsibilities and do more with a smaller team.
Accelerate ransomware detection and response with AlienVault Unified Security Management (USM)—an all-in-one security essentials solution with integrated threat intelligence that helps you to detect ransomware sooner to minimize the spread of infection.
Stop Ransomware in Its Tracks with Advanced Threat Detection
Ransomware is a top security concern for organizations today. Malicious actors continue to develop new techniques and strategies to trick victims into downloading and installing ransomware on their systems, and many IT teams are ill-equipped to respond.
Ransomware is a type of malware that encrypts files on a system, making them inaccessible until you pay a ransom (usually in the form of a cryptocurrency like bitcoin or prepaid cash cards) in exchange for the decryption key. Given the complexity and variety of new ransomware threats emerging daily, it can be difficult for IT teams of any size to figure out how to detect ransomware and respond to it while managing the rest of their cybersecurity needs.
AlienVault can help. Unlike alternatives, AlienVault Unified Security Management (USM) simplifies and accelerates threat detection so that IT teams can quickly respond to ransomware threats and contain outbreaks with targeted, automated, and orchestrated defense. AlienVault USM empowers IT teams with complete visibility into their entire risk surface by unifying security monitoring across cloud, on-premises, and hybrid environments.
As ransomware activity patterns evolve, the AlienVault Labs Security Research Team and the Open Threat Exchange (OTX) keep the USM platform up to date with continuous and automatic threat intelligence updates. This threat intelligence includes the latest threat indicators, vulnerabilities, and response guidance. It is fully operational and ready to use, so organizations of all sizes can quickly detect and contain ransomware activity without having to spend time researching emerging threats or writing correlation rules.
In addition, AlienVault USM delivers advanced security orchestration and automation capabilities, as well as out-of-the-box integration with leading third-party security tools like Palo Alto Networks, Carbon Black, and Cisco Umbrella. So, you can plan and execute your ransomware response activities directly from AlienVault USM, saving you precious time and effort.
AlienVault USM delivers the essential security capabilities needed for ransomware detection:
Detect and Respond to Ransomware Threats Quickly with Unified Security Management
- Real-time threat detection with built-in essential security capabilities
- Coordinated incident response with integrated analysis and reporting
Monitor Every Environment with Comprehensive Intrusion Detection
- Unified security monitoring of Office 365 and other cloud apps to detect ransomware threats early on
- Cloud Intrusion Detection (AWS and Azure) – alert on critical events within your AWS and Azure environments consistent with ransomware indicators.
- Network Intrusion Detection – alert on known ransomware communication activity based on continuous updates from the AlienVault Labs Security Research Team
- Host Intrusion Detection – alert on known ransomware attack activity detected on the critical servers across all your environments
Reduce the Time between Detection and Response with Security Orchestration & Automation
- Integrated threat intelligence delivered by the AlienVault Labs Security Research Team provides early notice of ransomware attack indicators and activity in the wild
- Automated incident response triggered through tight integration with third-party security tools like Cisco Umbrella, Palo Alto Networks, and Carbon Black
Detect and Respond to Threats Quickly with Unified Security Management
Threat detection or threat monitoring tools provide a critical layer of defense against ransomware attacks. Real-time detection and rapid response are crucial to your ability to contain a ransomware outbreak and to limit its impact. This extends to everywhere you’ve deployed assets, whether in on-premises physical or virtualized infrastructure, in public clouds such as Microsoft Azure or Amazon Web Services, as well as cloud applications like Microsoft Office 365 and Google G Suite.
AlienVault USM centralizes threat detection of your critical environments and cloud apps, making ransomware detection and response both fast and easy. AlienVault USM delivers multiple layers of ransomware detection and correlates events from across your data sources, giving you complete visibility of your security posture at all times. Once a threat has been detected, AlienVault USM alerts you and gives detailed information about the threat, attack method, and affected asset(s), as well as guidance about how to respond, so you can react quickly and effectively.
Monitors your on-premises and cloud environments for new assets, identifying new systems and devices that need to be monitored and assessed for vulnerabilities that ransomware could exploit. Because ransomware downloaded by a single user can easily spread across your entire environment, it’s important to have visibility into all of the assets in your critical infrastructure.
AlienVault USM continually scans your environments to detect vulnerabilities that attackers could exploit in a ransomware attack. The USM platform ranks vulnerabilities by severity so that you can prioritize your remediation efforts.
Network Intrusion Detection Systems (IDS)
Analyzes the network traffic to detect signatures of known ransomware and communications with known malicious servers. Using field-proven IDS technologies, AlienVault USM identifies attacks, malware, policy violations, and port scans that could be indicators of malicious activity throughout your environments.
Host Intrusion Detection (HIDS) and File Integrity Monitoring (FIM)
Analyzes system behavior and configuration status to identify suspicious activity and potential exposure. This includes the ability to identify changes to critical system and application files, as well as modifications to the Windows Registry, that could be made to initiate the ransomware’s encryption engine.
SIEM Event Correlation
Using machine learning and state-based correlation, the USM platform analyzes a large number of seemingly unrelated events across disparate systems to pinpoint the few events that are truly important. The AlienVault Labs Security Research Team regularly updates the USM platform with ransomware-specific correlation rules that identify a range of behaviors indicative of a ransomware infection, including downloading the ransomware file, systems attempting to connect with a C&C server and post data, multiple failed connections from a system attempting to connect to a domain (or multiple domains) within a narrow time window, and more.
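Two of the ransomware behaviors listed above, as an added example that is not AlienVault's correlation engine or its rules: a small correlation pass over constructed outbound-connection events that alarms on (1) a data POST to a known C&C domain and (2) multiple failed connections from one source to distinct domains within a narrow time window. The event format, the threat-intel list, and the window and threshold values are assumptions made for the example.

```python
"""Added example (not AlienVault's code): two ransomware-style correlation
rules run over constructed, normalized outbound-connection events."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample events: timestamp, then key=value fields.
SAMPLE_EVENTS = """\
2024-03-01T09:00:00Z src=10.0.0.5 dst=a1.example method=GET outcome=fail
2024-03-01T09:00:03Z src=10.0.0.5 dst=b2.example method=GET outcome=fail
2024-03-01T09:00:05Z src=10.0.0.5 dst=c3.example method=GET outcome=fail
2024-03-01T09:00:08Z src=10.0.0.5 dst=d4.example method=GET outcome=fail
2024-03-01T09:00:20Z src=10.0.0.7 dst=updates.example method=GET outcome=ok
2024-03-01T09:05:00Z src=10.0.0.9 dst=c2.bad.example method=POST outcome=ok
2024-03-01T09:30:00Z src=10.0.0.7 dst=x.example method=GET outcome=fail
2024-03-01T09:45:00Z src=10.0.0.7 dst=y.example method=GET outcome=fail
"""

# Constructed indicator list standing in for threat intelligence (assumed value).
KNOWN_C2 = {"c2.bad.example"}


def parse_event(line):
    """Turn one log line into a dict with an aware UTC timestamp under 'ts'."""
    ts_str, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def correlate(lines, window_s=60, min_domains=3, known_c2=KNOWN_C2):
    """Return a list of alarms as (source, rule, detail) tuples, in event order."""
    alarms = []
    # Per-source sliding window of recent failed connections: (ts, dst).
    recent = defaultdict(deque)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)

        # Rule 1: a POST to a known command-and-control domain.
        if ev["dst"] in known_c2 and ev["method"] == "POST":
            alarms.append((ev["src"], "c2-post", ev["dst"]))

        # Rule 2: failed connections to >= min_domains distinct domains
        # from one source within window_s seconds.
        if ev["outcome"] == "fail":
            q = recent[ev["src"]]
            q.append((ev["ts"], ev["dst"]))
            while q and (ev["ts"] - q[0][0]).total_seconds() > window_s:
                q.popleft()
            domains = {d for _, d in q}
            if len(domains) >= min_domains:
                alarms.append((ev["src"], "multi-domain-fail", sorted(domains)))
                q.clear()  # reset so one burst produces one alarm
    return alarms


if __name__ == "__main__":
    for src, rule, detail in correlate(SAMPLE_EVENTS):
        print(f"ALARM {rule} from {src}: {detail}")
```

On the sample data this produces one alarm for `10.0.0.5`, whose three failed connections to different domains fall inside the 60-second window, and one for `10.0.0.9`, which posts to the listed C&C domain; `10.0.0.7`'s two failures are 15 minutes apart and never reach the threshold. The window-and-threshold structure is the shape most such rules take; the real values are tuned to the environment.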
SIEM Log Management & Reporting
The USM platform provides the ability to automate the centralized collection and normalization of events and logs from devices, servers, applications and more from across your on-premises and cloud environments, as well as from your cloud applications like Office 365. This data is centrally retained for at least one year, helping support compliance requirements and forensic investigations into recently discovered attacks that require examination of older data. Centralized collection also fuels automatic attack analysis by enabling analysts to perform search queries on collected data. Analysts can also run any of the built-in and customizable reports, such as to demonstrate compliance with standards like PCI DSS, or for regular review of security events and activities.
Monitor Every Environment with Comprehensive Intrusion Detection
Early ransomware, like Reveton and Citadel, simply locked you out of a system and displayed a page demanding payment. In contrast, today’s sophisticated strains of ransomware quietly encrypt your sensitive data without interrupting your normal computer usage, so you’re less likely to notice a problem until after your files have been affected. While it’s difficult to identify and halt an encryption process in progress, the sooner you detect ransomware in your environment, the better chance you have at isolating the compromised system from your environment and protecting your data (all without paying out ransoms to cyber-criminals).
If your users are accessing corporate data in SaaS-delivered cloud apps like Office 365 and G Suite, it’s essential to monitor these environments to catch ransomware threats early on (e.g. phishing emails). AlienVault USM provides multi-layered intrusion detection capabilities so that you can quickly detect ransomware across your cloud and on-premises environments. In addition to security monitoring for commonly used SaaS apps, AlienVault USM delivers cloud intrusion detection for your public AWS and Azure cloud environments, as well as built-in network intrusion detection (NIDS), and host-based intrusion detection (HIDS) for your critical on-premises infrastructure. You can even integrate data from your existing IDS/IPS into AlienVault USM, allowing you to collect, correlate, and track events from a single place.
Security Monitoring within Office 365 for Advanced Ransomware Detection
AlienVault collects, analyzes, and centralizes event data from every app, system, and environment that’s critical to your business. Because users commonly access corporate data through SaaS apps like Office 365, it becomes essential to monitor these apps to detect the early warning signs of ransomware attacks, such as a phishing email attempt. Continuous threat intelligence updates from the AlienVault Labs Security Research Team arm your defenses with advanced warning of the latest ransomware indicators.
Cloud Intrusion Detection (CIDS)
AlienVault offers native cloud IDS capabilities to keep your AWS and Azure environments secure. USM Anywhere uses purpose-built sensors to monitor your cloud environments from the management plane, giving you visibility into your organization’s cloud-based activities.
Network Intrusion Detection Systems (NIDS)
On premises, network IDS sensors are deployed on the network using a network tap or SPAN port and use signature-based detection to identify ransomware and other threats to your critical systems.
Host Intrusion Detection Systems (HIDS)
With File Integrity Monitoring (FIM) built into the Host-based IDS (HIDS), AlienVault USM keeps a close watch on the files and registries of your sensitive assets and critical systems to detect when anomalous activities and file or registry changes occur.
Reduce the Time between Detection and Response with Security Orchestration & Automation
A ransomware attack can spread rapidly across your systems and quickly render them unusable. Time is of the essence. As soon as ransomware is detected in your environment, you must move swiftly to contain the threat and to prevent it from proliferating across your environment. If done manually or done across many disparate systems, or if the attack happens outside of typical working hours, your response effort may be delayed or too slow to contain the attack.
AlienVault USM has advanced security orchestration and automation capabilities that help you respond quickly and efficiently to threats affecting your environments, including response actions that work in alignment with third-party security tools like Cisco Umbrella, Palo Alto Networks, and Carbon Black. For example, if the USM platform detects evidence of ransomware on one of your assets, you can easily orchestrate the isolation of that system from your network through the built-in integration with Carbon Black, helping to prevent further spread of the ransomware.
The security orchestration responses available within AlienVault USM can also be automated, making your response faster and more efficient. For example, if AlienVault USM detects communication with a DGA-generated domain known to be malicious, such as ransomware communicating with its ‘Command & Control’ server, you can orchestrate a response action that passes the malicious domain details to Cisco Umbrella, which then blocks traffic between that domain and your employees and assets.