
Take Your Open Source Security Tools to the Next Level

AlienVault Unified Security Management™ (USM) brings together the most popular open source security tools into one fully integrated, fully supported solution, starting at only $3600.

Powerful security tools, fully integrated for you

AlienVault Unified Security Management (USM) brings together essential security capabilities including asset discovery, vulnerability assessment, host-based IDS, file integrity monitoring, network IDS, wireless IDS, SIEM/event correlation, log management, netflow analysis and behavioral analysis, in a single, easy-to-deploy solution. Explore these powerful, integrated capabilities.

Asset Discovery:

  • Passive Realtime Asset Detection System (PRADS) - monitors IP headers to identify operating systems and running software packages
  • NMap - a network scanner that can identify hosts, the operating system as well as services
  • OCS Inventory NG - a lightweight agent with a server-based management interface that provides full enumeration of installed software packages

Vulnerability Assessment:

  • OpenVAS - a framework of several tools and services allowing for comprehensive vulnerability analysis
  • Nikto - web application vulnerability scanner

Threat Detection:

  • OSSEC - host-based intrusion detection that provides FIM, rootkit detection, and policy monitoring
  • Snort - a network intrusion detection / intrusion prevention system that can perform signature, anomaly, and protocol analysis to detect malicious activity
  • Suricata - a network intrusion detection / intrusion prevention system based on threat signatures with very advanced processing of HTTP streams
  • Kismet - a wireless intrusion detection system capable of determining the encryption method in use and detecting scanners that are trying to break into wireless networks

Security Information and Event Management:

  • OSSIM - provides the framework for defining custom correlation rules in addition to numerous built-in correlation directives

Behavioral Analysis:

  • Nagios - a lightweight monitoring tool which provides continuous monitoring of operating systems and services
  • Tcpdump - for network protocol analysis and high-speed continuous full packet capture and storage
  • Fprobe - generates network flow data
  • NFDump / NfSen - a network flow toolset that captures the summary information necessary to do network flow analysis
  • nTop - a lightweight network probe that provides network usage statistics and protocol detection

Threat Intelligence:

  • Open Threat Exchange (OTX) - USM includes real-time threat intelligence provided by AlienVault OTX, the world's largest collaborative threat intelligence system

Plus, Get Emerging Threat Intelligence

Cyber criminals and attackers are constantly evolving their methods; that's why your AlienVault USM implementation is fueled with emerging threat intelligence from AlienVault Labs, a team of security experts that curates raw threat data from more than 9,500 global collection points across 140 countries.

Unified Security Management – In Detail
All the essential security capabilities you need...without the integration pains.

Asset Discovery

Before you can detect threats, it is essential to understand the layout of the environment and where critical assets are located. Often such an inventory is either manually maintained or managed in an arcane system. It is essential for security teams to have an accurate, up-to-the-minute view of the assets and software operating within a network. The discovery capabilities built into the USM Platform provide this core functionality using the following techniques.

  • Passive network monitoring - by listening to network traffic without sending any packets of its own, the system discovers hosts and records the protocols and ports they use, from which running services and software can be inferred. The tool used for this is:
    • Passive Realtime Asset Detection System (PRADS) - monitors IP headers to identify operating systems and running software packages, and records IP-to-MAC address pairings. This is used to build an inventory and to detect MAC spoofing (a common attack technique): an IP address that suddenly appears with a different hardware address is a strong signal. It also detects the services a host is running.
  • Active Network Scanning - active scanning probes the network to elicit responses from machines. Based on the response, the tool identifies the machine and the software installed on it. The tool used for this is:
    • NMap - a network scanner that can identify hosts, the operating system and services. NMap can often identify the software and version of a service without any credentials on the host.

  • Host-based software inventory - installing a host-based agent provides additional visibility. From an inventory perspective, the agent can enumerate all software installed on the machine, not just the software that is actively using the network (as is the case for passive network monitoring) or the software that listens on a port (as required for active scanning). This provides a far more comprehensive and accurate inventory. The tool used for this is:
    • OCS Inventory NG - a lightweight agent with a server-based management interface that provides full enumeration of installed software packages
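The passive technique described above, as an added example that is not part of this page or of PRADS: the observations (source MAC, source IP, TTL, transport, source port, TCP flags) are constructed to look like what a sniffer on the local segment would extract, the TTL-based OS guess is a deliberately crude heuristic, and the UDP service ports are an assumption.

```python
"""Passive asset inventory with MAC-spoofing detection (added example, not PRADS code)."""
from dataclasses import dataclass, field

# Constructed observations from an assumed sniffer on the local segment:
# (source MAC, source IP, IP TTL, transport, source port, TCP flags).
OBSERVED = [
    ("00:11:22:33:44:01", "10.0.0.5", 64, "tcp", 22, "SA"),     # 10.0.0.5 answers a SYN on 22
    ("00:11:22:33:44:01", "10.0.0.5", 64, "tcp", 80, "SA"),     # ... and on 80
    ("00:11:22:33:44:02", "10.0.0.9", 128, "tcp", 445, "SA"),   # SMB server
    ("00:11:22:33:44:02", "10.0.0.9", 128, "tcp", 51234, "S"),  # client-side SYN: not a service
    ("00:11:22:33:44:03", "10.0.0.1", 255, "udp", 53, ""),      # gateway answering DNS
    ("de:ad:be:ef:00:01", "10.0.0.1", 64, "udp", 53, ""),       # gateway IP claimed by another MAC
]

# UDP services are only recognised on a few well-known server-side source ports (assumption).
UDP_SERVICE_PORTS = {53, 123, 161}


@dataclass
class Asset:
    ip: str
    mac: str
    os_guess: str = "unknown"
    services: set = field(default_factory=set)


def guess_os_from_ttl(ttl):
    """Crude OS family guess from the initial TTL, assuming fewer than 32 hops.
    Real passive fingerprinting also uses window size, options and ordering."""
    for initial, family in ((64, "Linux/Unix-like"), (128, "Windows-like"), (255, "Network device/BSD-like")):
        if initial - 32 < ttl <= initial:
            return family
    return "unknown"


def build_inventory(observations):
    """Return ({ip: Asset}, [alert strings]) built purely from observed traffic."""
    inventory = {}
    alerts = []
    for mac, ip, ttl, proto, sport, flags in observations:
        asset = inventory.get(ip)
        if asset is None:
            asset = inventory[ip] = Asset(ip=ip, mac=mac, os_guess=guess_os_from_ttl(ttl))
        elif asset.mac != mac:
            # Same IP, different hardware address: ARP/MAC spoofing or a NIC swap.
            # Either way an analyst should look, and we do not learn services from it.
            alerts.append(f"{ip}: MAC changed {asset.mac} -> {mac} (possible spoofing)")
            continue
        if proto == "tcp" and flags == "SA":
            # A SYN-ACK is only sent by the listening side, so its source port is a real service.
            asset.services.add(("tcp", sport))
        elif proto == "udp" and sport in UDP_SERVICE_PORTS:
            asset.services.add(("udp", sport))
    return inventory, alerts


if __name__ == "__main__":
    inventory, alerts = build_inventory(OBSERVED)
    for asset in inventory.values():
        print(asset.ip, asset.mac, asset.os_guess, sorted(asset.services))
    for alert in alerts:
        print("ALERT:", alert)
```

Only SYN-ACKs are treated as evidence of a listening service; a plain SYN from a high port is the client side of a connection and would otherwise pollute the inventory with ephemeral ports.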

Vulnerability Assessment

After discovering the critical assets and services operating in your environment, it is important to understand where your weaknesses are. Vulnerability assessment provides an automated means of identifying insecure configurations and software with known vulnerabilities. Periodic assessment with up-to-date detection rules is critical for finding the weaknesses that give an attacker exploit targets.

Vulnerability assessment operates in two modes: unauthenticated and authenticated scanning. An unauthenticated scan actively probes hosts using carefully crafted network traffic to elicit a response. The combination of the targeted traffic and the subsequent response allows an analysis engine to infer the configuration of the remote system and the vulnerabilities in the running software. An authenticated scan logs in to the remote host with supplied credentials and inspects the installed software and file system directly, which gives more accurate and comprehensive detection: it sees the exact package revision, including distribution backports that a banner-only check cannot tell apart from an unpatched install. The tools USM uses for this are:

  • OpenVAS - a framework of several tools and services allowing for comprehensive vulnerability analysis. This scanner provides both authenticated and unauthenticated vulnerability detection. OpenVAS was created as a fork of the Nessus project when Nessus became closed source.
  • Nikto - a scanner for web servers that tests for dangerous files and outdated versions of software. It also looks for multiple index files.
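The difference between the two scan modes, as an added example that is not OpenVAS or Nikto code: the advisory table, the SSH banner and the dpkg listing are all constructed for the example (no real advisory or CVE is referenced), and the version parser handles epochs and Debian revisions only as far as this example needs.

```python
"""Unauthenticated (banner) versus authenticated (package list) vulnerability checks.
Added example, not OpenVAS/Nikto code; all advisory data and host output is constructed."""
import re

# Constructed advisory: the upstream release that fixes the issue (all a banner-only scan
# can compare against) and the distribution package revision that backports the same fix
# without changing the upstream version number.
UPSTREAM_FIXED = {"OpenSSH": "7.9"}
DISTRO_FIXED = {"openssh-server": "1:7.4p1-10+deb9u4"}

# Constructed inputs: what the scanner sees from outside, and what it sees after logging in.
BANNER = "SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u7"
DPKG_OUTPUT = """\
Desired=Unknown/Install/Remove/Purge/Hold
ii  openssh-server  1:7.4p1-10+deb9u7  amd64  secure shell (SSH) server, for secure access from remote machines
ii  openssl         1.1.0l-1~deb9u1    amd64  Secure Sockets Layer toolkit - cryptographic utility
"""


def parse_version(text):
    """Split a version string into comparable chunks. Numbers compare numerically so that
    1.10 > 1.9; a plain string comparison gets that wrong. Epoch, separators and Debian
    revisions are handled only as far as this example needs (simplification)."""
    return [(0, int(p)) if p.isdigit() else (1, p) for p in re.findall(r"\d+|[A-Za-z]+", text)]


def version_lt(a, b):
    return parse_version(a) < parse_version(b)


def unauthenticated_check(banner):
    """Only the upstream version string is visible over the network, so the verdict is
    based on that alone (and is a false positive on a backported fix)."""
    m = re.search(r"OpenSSH_(\d+\.\d+(?:p\d+)?)", banner)
    if not m:
        return None
    version = m.group(1)
    return {"product": "OpenSSH", "version": version,
            "vulnerable": version_lt(version, UPSTREAM_FIXED["OpenSSH"])}


def authenticated_check(dpkg_output):
    """With a shell on the host the full package revision is visible, so a backported
    fix is recognised instead of being reported as a vulnerability."""
    findings = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "ii":
            continue  # skip header lines and packages that are not fully installed
        name, version = parts[1], parts[2]
        if name in DISTRO_FIXED:
            findings.append({"package": name, "version": version,
                             "vulnerable": version_lt(version, DISTRO_FIXED[name])})
    return findings


if __name__ == "__main__":
    print("unauthenticated:", unauthenticated_check(BANNER))
    print("authenticated:  ", authenticated_check(DPKG_OUTPUT))
```

On the constructed host the banner check reports OpenSSH 7.4p1 as vulnerable because 7.4 is older than the upstream fix, while the authenticated check sees revision 10+deb9u7, which is at or past the backported fix, and clears it. That is the practical reason the text recommends authenticated scanning where credentials can be provided.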

Threat Detection

In order to address today's rapidly changing threat landscape, you'll need more than just intrusion detection system software for your network and for your critical hosts. You need truly unified threat management, which combines intrusion detection with asset inventory, vulnerability assessment, behavioral monitoring, and SIEM or event correlation. AlienVault uses a variety of technologies to gather information on a variety of threat vectors, so that you instantly know the who, what, where, when and how of these attacks.

  • Host IDS and File Integrity Monitoring (FIM) - analyzes system behavior and configuration to identify behavior which could indicate compromise. This includes the ability to recognize common rootkits, to detect rogue processes, and to signal modification to critical configuration files. The tool used for this is:
    • OSSEC - host-based intrusion detection that provides FIM, rootkit detection, and policy monitoring. In addition OSSEC provides log analysis of software packages installed on the host.

  • Network IDS - analyzes network traffic to detect signatures of known attacks and patterns that indicate malicious activity. This is used to identify attacks, malware, policy violations and port scans. The tools used for this are:
    • Snort - a network intrusion detection / intrusion prevention system that can perform signature, anomaly and protocol analysis to detect malicious activity.
    • Suricata - a network intrusion detection / intrusion prevention system that is also signature-based, with very advanced processing of HTTP streams and multi-threaded packet processing.

  • Wireless IDS - uses the wireless card to monitor wireless traffic and identify rogue networks. This allows for the detection of wireless clients, the networks they are associated with and the encryption in use. This capability is critical for wireless policy enforcement. The tool used for this is:
    • Kismet - a wireless intrusion detection system. It monitors wireless traffic and identifies networks and their associated clients. It is capable of determining the encryption method in use and of detecting scanners that are trying to break into wireless networks.
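The file integrity monitoring half of the Host IDS bullet above, as an added example that is not OSSEC code: a baseline of content hashes and permissions is taken over a directory tree, and a second snapshot is compared against it. The /etc-like tree and the simulated post-compromise changes are constructed in a temporary directory so the example runs stand-alone.

```python
"""File integrity monitoring: baseline a tree, then report added, removed and modified files.
Added example, not OSSEC code; the monitored files are constructed in a temporary directory."""
import hashlib
import stat
import tempfile
from pathlib import Path


def fingerprint(path):
    """Content hash plus the metadata an attacker also tampers with (mode, size).
    OSSEC additionally records owner, group and timestamps (not shown here)."""
    st = path.lstat()
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def snapshot(root):
    """Map each regular file under root (relative POSIX path) to its fingerprint.
    Symlinks are skipped so a link pointing elsewhere cannot mask a change."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): fingerprint(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and not p.is_symlink()
    }


def diff_snapshots(old, new):
    """Compare two snapshots; a file whose content, size or mode differs counts as modified."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in set(old) & set(new) if old[k] != new[k]),
    }


def demo():
    """Build a tiny /etc-like tree, baseline it, simulate post-compromise changes
    and return the report. Every file here is constructed for the example."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "shadow").write_text("root:*:18000:0:99999:7:::\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        (etc / "shadow").chmod(0o600)
        baseline = snapshot(tmp)

        # Simulated attacker activity after the baseline was taken.
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n"
                                    "backup:x:0:0::/root:/bin/bash\n")   # second UID-0 account
        (etc / "shadow").chmod(0o644)                           # content unchanged, now world-readable
        (etc / "hosts").unlink()                                # file removed
        (etc / "ld.so.preload").write_text("/lib/evil.so\n")    # classic userland rootkit hook
        return diff_snapshots(baseline, snapshot(tmp))


if __name__ == "__main__":
    for change, files in demo().items():
        print(f"{change}: {files}")
```

Note that the permission change on shadow is reported even though its content hash is unchanged; a hash-only monitor would miss it, which is why the fingerprint includes the mode.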

Behavioral Monitoring

Because USM combines network behavioral analysis with service availability monitoring, you'll have a full picture of system, service, and network anomalies.

New attacks, or zero-day attacks, are often only found with behavioral analysis. Understanding the behavior of your system as a whole includes knowing which assets communicate with one another, noticing when services appear and disappear, and modeling network flow and protocol usage to detect anomalies. Detecting that a service is no longer available can confirm an attack; detecting the use of a new network protocol can reveal that an attacker has compromised a host on the network; detecting anomalous volumes of FTP or SSH traffic can expose the exfiltration of data. None of these signals is enough on its own, but when fed into a powerful SIEM this data can be used to pinpoint alerts and target malicious activity. The monitoring capabilities built into the USM platform provide this core functionality with the following tools:

  • Netflow - allows for the analysis of network traffic without the storage capacity required for full packet capture. Network flow analysis provides the high-level trends: which protocols are used, which hosts use them, and how much bandwidth each consumes. The tools used for this are:
    • NFDump / NfSen - a network flow toolset that captures the summary information necessary for network flow analysis. NfSen is the graphical front-end; it analyzes and displays flow data collected by NFDump from any device capable of exporting network flow data.
    • Fprobe - generates NetFlow data from observed traffic
    • nTop - a lightweight network probe that provides network usage statistics and protocol detection.

  • Nagios - a lightweight monitoring tool which provides continuous monitoring of operating systems and services ensuring availability and alerting when unexpected outages are detected.
  • Tcpdump - for network protocol analysis and high-speed continuous full packet capture and storage. When protection and attribution outweigh cost, full forensic capture of network traffic is sometimes necessary. Capturing the full packet stream allows analysts to perform thorough protocol analysis on the traffic and to fully recreate the events that occurred during a breach. This can be used to pinpoint the exploit method or to determine what data was exfiltrated. AlienVault USM provides a web-based front end for inspecting this data in the Traffic Capture section.
    • Packet capture occurs automatically through the USM IDS. Specifically, any packet that triggers an IDS signature is automatically logged with the IDS event.
    • Session monitoring can be invoked via policy actions by executing tcpdump in response to a correlation event (or any event).
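Two of the signals the Behavioral Monitoring text describes (a host using a protocol it never used before, and an anomalous SSH/FTP volume that could be exfiltration) over flow records, as an added example that is not NFDump, NfSen or OSSIM code. The flow records are constructed; the baseline/observation split, the watched ports and the 5x ratio are assumptions a real deployment would tune.

```python
"""Flow-based behavioral monitoring: learn what each host normally talks to, then flag
new protocols and abnormal SSH/FTP volumes. Added example; flow records are constructed."""
from collections import defaultdict

# Constructed NetFlow-style records: (src, dst, proto, dst_port, bytes).
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.9", "tcp", 445, 50_000),
    ("10.0.0.5", "10.0.0.9", "tcp", 445, 48_000),
    ("10.0.0.5", "10.0.0.1", "udp", 53, 500),
    ("10.0.0.5", "203.0.113.7", "tcp", 22, 20_000),    # the admin's usual SSH session
    ("10.0.0.9", "10.0.0.1", "udp", 53, 400),
    ("10.0.0.9", "10.0.0.5", "tcp", 445, 5_000),
]
WINDOW_FLOWS = [
    ("10.0.0.5", "10.0.0.9", "tcp", 445, 60_000),       # normal
    ("10.0.0.5", "203.0.113.7", "tcp", 22, 5_000_000),  # 250x the usual SSH volume
    ("10.0.0.9", "198.51.100.4", "tcp", 6667, 900),     # 10.0.0.9 never spoke IRC before
]


def profile(flows):
    """Per-source set of (proto, dport) pairs and per-(src, proto, dport) byte totals."""
    ports = defaultdict(set)
    volume = defaultdict(int)
    for src, _dst, proto, dport, nbytes in flows:
        ports[src].add((proto, dport))
        volume[(src, proto, dport)] += nbytes
    return ports, volume


def detect(baseline, window, ratio=5.0, watch_ports=(21, 22)):
    """Return a list of (kind, src, (proto, dport), detail) anomalies.
    'new-protocol': the host used a protocol/port it never used during the baseline.
    'volume': bytes on a watched port exceed ratio x that host's baseline on the same port.
    A new protocol is reported once, by the first rule, so the volume rule only looks at
    ports that have a baseline to compare against."""
    base_ports, base_vol = profile(baseline)
    win_ports, win_vol = profile(window)
    alerts = []
    for src, seen in win_ports.items():
        for key in sorted(seen - base_ports.get(src, set())):
            alerts.append(("new-protocol", src, key, "not seen in baseline"))
    for (src, proto, dport), nbytes in win_vol.items():
        base = base_vol.get((src, proto, dport))
        if dport in watch_ports and base and nbytes > ratio * base:
            alerts.append(("volume", src, (proto, dport), f"{nbytes} bytes vs baseline {base}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_FLOWS, WINDOW_FLOWS):
        print(alert)
```

Neither alert is proof on its own, which is the point the text makes: the output is meant to be sent to the SIEM as events so that correlation can combine them with IDS and availability data.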

SIEM Event Correlation

Security Information and Event Management (SIEM) - in order to efficiently understand the massive amount of data that comes from the other security tools, it is essential to be able to analyze and correlate that information. SIEM takes the raw stream of data from all of these sources and generates the actionable alarms that a security organization needs to address. The components used for this are:

  • OSSIM - an open-source SIEM, providing the framework for defining custom correlation rules in addition to the numerous built-in correlation directives.
  • Log Management - proprietary log centralization and storage technology
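What a multi-level correlation directive does with the raw event stream, as an added example that is not OSSIM code: a port scan, followed within a window by an exploit attempt from the same source, followed by the attacked host opening a new outbound connection, collapses into one alarm with a risk score. The directive, the events and the asset values are constructed. The risk formula (asset value x priority x reliability, divided by 25) is the one OSSIM documents; this page does not state it, so treat that as the example's assumption.

```python
"""Multi-level event correlation in the style of an OSSIM directive.
Added example, not OSSIM code; directive, events and asset values are constructed."""
from dataclasses import dataclass


@dataclass
class Event:
    ts: int       # seconds
    kind: str     # normalised event type produced by a data source plug-in
    src: str
    dst: str


# Constructed directive. Each level: (event kind, binding, timeout in seconds, reliability 0-10).
# The binding maps a field of the new event to a field of the previous event in the chain,
# so {"src": "dst"} means "this event's source must be the previous event's destination".
DIRECTIVE = [
    ("portscan", {}, 0, 2),
    ("exploit_attempt", {"src": "src"}, 600, 5),       # same attacker, within 10 minutes
    ("new_outbound_conn", {"src": "dst"}, 600, 9),     # the attacked host starts calling out
]
PRIORITY = 4                      # 0-5, how serious this directive is when it fires
ASSET_VALUE = {"10.0.0.9": 4}     # 0-5 per asset; unknown assets default to 2 (assumption)

# Constructed event stream, deliberately out of time order.
EVENTS = [
    Event(150, "exploit_attempt", "198.51.100.23", "10.0.0.9"),
    Event(100, "portscan", "198.51.100.23", "10.0.0.9"),
    Event(120, "exploit_attempt", "192.0.2.77", "10.0.0.5"),    # no preceding scan: stays noise
    Event(200, "new_outbound_conn", "10.0.0.9", "198.51.100.23"),
    Event(300, "portscan", "192.0.2.80", "10.0.0.5"),
    Event(2000, "exploit_attempt", "192.0.2.80", "10.0.0.5"),   # too late: the chain has timed out
]


def risk(asset_value, priority, reliability):
    """OSSIM-style risk: (asset x priority x reliability) / 25, on a 0-10 scale (assumption)."""
    return round(asset_value * priority * reliability / 25, 2)


def correlate(events, directive):
    """Walk events in time order, keeping one open chain per matched first-level event.
    Returns an alarm for every chain that reaches the directive's last level."""
    chains = []   # each: {"level": index of the level awaited next, "events": matched so far}
    alarms = []
    for ev in sorted(events, key=lambda e: e.ts):
        for chain in list(chains):
            kind, binding, timeout, reliability = directive[chain["level"]]
            prev = chain["events"][-1]
            if ev.ts - prev.ts > timeout:
                chains.remove(chain)        # window expired: drop the partial chain
                continue
            if ev.kind != kind or any(getattr(ev, f) != getattr(prev, g) for f, g in binding.items()):
                continue
            chain["events"].append(ev)
            chain["level"] += 1
            if chain["level"] == len(directive):
                victim = ev.src             # the host that just opened the outbound connection
                alarms.append({
                    "attacker": chain["events"][0].src,
                    "victim": victim,
                    "reliability": reliability,
                    "risk": risk(ASSET_VALUE.get(victim, 2), PRIORITY, reliability),
                    "events": [(e.ts, e.kind) for e in chain["events"]],
                })
                chains.remove(chain)
        if ev.kind == directive[0][0]:
            chains.append({"level": 1, "events": [ev]})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(EVENTS, DIRECTIVE):
        print(alarm)
```

The lone exploit attempt against 10.0.0.5 and the scan whose follow-up arrives after the window both stay as low-reliability events; only the complete chain against 10.0.0.9 becomes an alarm, and its risk is scaled by that asset's value.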

Emerging Threat Intelligence

AlienVault Labs Threat Intelligence maximizes the efficiency of your security monitoring program, by delivering the following directly to your AlienVault Unified Security Management (USM) installation:

  • Network and host-based IDS signatures – detects the latest threats in your environment
  • Asset discovery signatures – identifies the latest OSes, applications, and device types
  • Vulnerability assessment signatures – dual database coverage to find the latest vulnerabilities on all your systems
  • Correlation rules – translates raw events into actionable remediation tasks
  • Reporting modules – provides new ways of viewing data about your environment
  • Dynamic incident response templates – delivers customized guidance on how to respond to each alert
  • Newly supported data source plug‐ins – expands your monitoring footprint

With this easily consumable threat intelligence fueling your USM platform, you’ll be able to detect the latest threats and prioritize your response efforts. Specifically, you’ll extend your security program with:

  • Real-time botnet detection – identifies infection and misuse of corporate assets
  • Data exfiltration detection – identifies leakage of sensitive and proprietary data
  • Command-and-control traffic (C&C) identification – identifies compromised systems communicating with malicious actors
  • IP, URL, and domain reputation data – prioritizes response efforts by identifying known bad actors and infected sites
  • APT (Advanced Persistent Threat) detection – detects targeted attacks often missed by other defenses
  • Dynamic incident response and investigation guidance – provides customized instructions on how to respond and investigate each alert
