Enterprise Security Management (SIM)

The AlienVault solution has been specially designed to facilitate security management of large, distributed networks. It provides a complete solution from low level detection to high level reporting.

Security Management
AlienVault’s SIEM provides management tools for making sense of vast amounts of data; for rapidly analyzing and responding to immediate threats; and for gaining visibility into and addressing risks that apply to the organization.

Centralized management, global visibility

AlienVault’s SIEM collects and analyzes logs coming from AlienVault probes or from any number or type of network devices such as firewalls, IPS, routers and switches, operating systems or applications.

For large, distributed networks, multiple management servers can be deployed, in a customizable, hierarchical architecture such that data from hundreds of thousands of workstations can be easily monitored and synthesized. Responsibility for analysis and storage of information can be assigned to different nodes, which report up to a central system that in turn provides a global view of enterprise information risk at any given moment.

Intelligent Risk Management

Responding effectively and on a timely basis to threats often requires the analysis of an enormous number of events collected daily, hourly or continuously. Without an automated tool to help security staff find patterns and filter, clean and analyze all the data that form the context of an attack, the task of protecting the organization becomes exceedingly complex, time-consuming and resource intensive. The AlienVault SIEM solution provides intelligence through continuous collection, correlation and analysis of events from multiple, distinct data sources, and then either prioritizes each event as a possible attack or rules it out.

This is where AlienVault makes a difference: it provides complex situation analysis, with 4 levels of correlation, and conducts a risk assessment in near real time for each event received. The AlienVault correlation engine is able to track complex patterns and includes in its analysis all the variables that define context, such as vulnerability, degree of anomaly, network status, service availability, and the inventory and value of the equipment and assets involved.
Discovering and tracking new patterns is fundamental to identifying the distributed or abstract attacks that classic detection systems miss.

A number of powerful threat mitigation tactics are made possible through the correlation of context data. For example, combining knowledge of known vulnerabilities, inventory and asset value, and network data allows for filtering out a large number of attacks that will not affect a target operating system; or for prioritizing attacks involving a service known to be vulnerable; or for monitoring the status of a network or service subject to a denial of service attack.

This understanding of context information enables accurate risk assessment. Decisions concerning immediate threats must always be made on the basis of a thorough analysis of risk parameters such as those mentioned: the value of the asset at risk, the nature and degree of the threat to which it is subject, and the reliability of the data used to identify the attack. A risk assessment of this kind distinguishes between an attack on a system containing customer accounts and one targeting a test system. This distinction, although seemingly obvious, is absent from most existing security systems.
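The context-based filtering and risk assessment described above, as an added Python example that is not AlienVault's or OSSIM's own code: an event is dropped when its exploit targets an OS the asset does not run, promoted when it hits a vulnerability known to be open on the asset, and scored by asset value. The scoring formula (value × priority × reliability / 25, giving a 0–10 scale), the default value for unknown assets, and the inventory and event samples are all assumptions constructed for illustration.

```python
"""Context-aware risk scoring for detector events (constructed example)."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    ip: str
    os: str
    value: int                  # 0 = throwaway test box .. 5 = customer-critical
    vulns: set = field(default_factory=set)   # vulnerability ids known to be open

@dataclass
class Event:
    src: str
    dst: str
    signature: str
    target_os: str              # OS the signature's exploit affects ("" = any)
    exploits: str               # vulnerability id the signature exploits ("" = n/a)
    priority: int               # 0..5 severity assigned to the signature
    reliability: int            # 0..10 detector confidence that this is an attack

UNKNOWN_ASSET_VALUE = 2         # assumed default when the inventory has no entry

def assess(event: Event, inventory: dict) -> tuple:
    """Return (verdict, risk) after applying asset, vulnerability and OS context."""
    asset = inventory.get(event.dst, Asset(event.dst, "", UNKNOWN_ASSET_VALUE))
    # Filter: an exploit for an OS the target does not run cannot succeed.
    if event.target_os and asset.os and asset.os != event.target_os:
        return ("filtered", 0.0)
    # Prioritize: the targeted service is known to be vulnerable on this asset.
    priority = 5 if event.exploits and event.exploits in asset.vulns else event.priority
    # Assumed illustrative formula: 0..10 scale from value, priority and reliability.
    risk = round(asset.value * priority * event.reliability / 25, 1)
    return ("alert" if risk >= 5 else "monitor", risk)

# Constructed inventory: a customer-account database and a low-value test server.
INVENTORY = {
    "10.0.1.5": Asset("10.0.1.5", "linux", 5, {"VULN-DB-001"}),
    "10.0.9.20": Asset("10.0.9.20", "linux", 1),
}

# Constructed events: the same detector signatures, different context.
EVENTS = [
    Event("198.51.100.7", "10.0.1.5", "windows-smb-exploit", "windows", "", 4, 8),
    Event("198.51.100.7", "10.0.1.5", "db-exploit", "linux", "VULN-DB-001", 3, 6),
    Event("198.51.100.7", "10.0.9.20", "db-exploit", "linux", "VULN-DB-001", 3, 6),
]

def run(events=EVENTS, inventory=INVENTORY):
    return [(e.dst, e.signature) + assess(e, inventory) for e in events]

if __name__ == "__main__":
    for row in run():
        print(row)
```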

AlienVault’s management console provides a comprehensive risk profile related to the organization, each of its networks, and each of its information assets.

Security Detection

AlienVault Sensors have been designed for managed security. They combine an arsenal of detection technology into a single device that is placed in each remote network as an "eye" that detects and monitors unauthorized activity. The combined effect of numerous detection and control points is global visibility and compliance management.

Context detection and monitoring
AlienVault Sensors are installed on each network segment, where they inspect all traffic, detect attacks through various methods and collect information on the context of each attack without affecting network performance.

These sensors utilize more than 10 expert systems that identify attacks along 5 different axes:

  1. Intrusion Detection
  2. Anomaly Detection
  3. Vulnerability Detection
  4. Discovery, Learning and Network Profiling systems
  5. Inventory systems

Detection systems locate both known and unknown attacks in near real time through learning and anomaly reporting.

Vulnerability detection systems discover and identify latent network threats so that they can be corrected before an attack occurs. This information, stored by the Management Server, is of vital importance when an attack is in progress: prior knowledge of which vulnerabilities a system has is essential when assessing the risk associated with an attack, prioritizing it, alerting, and launching countermeasures.

The network information gathered by AlienVault probes also provides detailed information in near real time about network usage of each computer, and collects this data for analysis. The system automatically creates a highly detailed usage profile of each element on the network.

Forensic Information

Information collected by the Management Server is stored securely and may be consulted to determine, for any given point in time, how a given system, device or other asset has been used, by whom, and when. This detailed usage profile allows operators to perform forensic analyses when unusual behavior is detected.

Copyright AlienVault ©2009. All rights reserved.