Architecture
Agent, Sensor, Logger and the SIEM Correlation Engine & Console
The AlienVault Unified Security Management Platform™ (AV-USM™) consists of four components (agent, sensor, logger, and the SIEM correlation engine & console), which can be installed on a single machine or spread across continents.
“AlienVault offers the huge advantage of having all the components installed on a single server, ready for operation, with minimal configuration in just 5 minutes.”
- Colonel Jesús M. González Pérez, Army Head of Cyber Defence, Ministry of Defence, Spain
A plug and play architecture allows you to add more capacity by simply adding new components, deployed in a federated model or configured for horizontal scaling.
- The AlienVault Agent, a zero-administration agent, provides the core capabilities needed for protecting your critical systems. It combines a number of open-source packages to discover the software packages installed on the machine, detect threats (through host-based intrusion detection) and monitor the ongoing behavior of the system (through file integrity monitoring). In addition, it performs low-overhead SIEM data collection, gathering logs from remote hosts. Together these capabilities give a rich view of what is installed on your critical systems and a way to keep tabs on their ongoing operation.
- Simply plug the AlienVault Sensor into the network to detect assets (through passive network monitoring or active scanning), identify vulnerabilities (through network vulnerability scanning), detect threats (through network IDS and wireless IDS) and monitor behavior (through netflow analysis, full packet capture and service monitoring). It ships with a number of built-in security controls and acts as a manager and aggregation point for remote data collectors, providing distributed collection of log information.
- The AlienVault Logger provides forensic storage. It digitally signs and stores all log files as they are collected, so that later modification or deletion of a record can be detected; this satisfies a number of regulatory obligations that require users to keep full historical records of their system behavior for extended periods of time. Note that the signatures only prove integrity if the signing key is kept out of reach of the systems whose logs are being collected, otherwise an attacker who compromises a monitored host could re-sign altered records. The Logger has a highly scalable backend, full reporting capabilities and flexible retention policies, all managed from the Console.
- The AlienVault SIEM Correlation Engine applies security intelligence to the raw event stream and produces actionable alerts: individual events that are meaningless on their own (a failed login, a port scan, an IDS signature hit) are grouped by asset, source and time window and matched against correlation directives. The security intelligence that drives this correlation is produced by the AlienVault Labs research group and delivered to the SIEM as periodic updates.
- The AlienVault Console provides a central view into raw events and security alerts. The Console has full workflow for creating and handling incidents or integrating with an external ticket management system. The Console is also the interface that provides the centralized management capabilities for the ongoing maintenance of the AlienVault deployment.
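The Logger and Correlation Engine bullets above describe two techniques in the abstract: tamper-evident storage of collected events, and turning a raw event stream into an alert. The following Python is an added illustration written for this page, not AlienVault or OSSIM code. It assumes a single shared key for a keyed hash chain (a real deployment would use an asymmetric signature so that the party verifying the archive does not hold the signing key), a hypothetical sshd-style message format, and constructed sample log lines that are not captured from any real host.

```python
"""Added example: a tamper-evident event log plus one correlation rule.

Illustrative code written for this page, not AlienVault/OSSIM code.
Assumptions (not from the page): HMAC-SHA256 over a hash chain stands in
for the digital signature; events follow a hypothetical sshd-style format.
"""
import hashlib
import hmac
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not captured from a real system):
# a short brute-force burst that ends in a success, then an unrelated login.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:03 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:04 sshd: Failed password for admin from 203.0.113.7",
    "2024-03-01T10:00:06 sshd: Failed password for root from 203.0.113.7",
    "2024-03-01T10:00:09 sshd: Accepted password for root from 203.0.113.7",
    "2024-03-01T10:05:00 sshd: Failed password for bob from 198.51.100.9",
    "2024-03-01T10:20:00 sshd: Accepted password for bob from 198.51.100.9",
]

GENESIS = "0" * 64  # value chained into the very first record


def append_signed(chain, line, key):
    """Append one log line as a record whose MAC also covers the previous
    record's MAC and the sequence number, so that editing, deleting or
    reordering any earlier record breaks verification of everything after it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    seq = len(chain)
    body = f"{seq}|{prev}|{line}".encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    chain.append({"seq": seq, "prev": prev, "line": line, "mac": mac})
    return chain


def verify_chain(chain, key):
    """Return the index of the first record that fails verification, or -1
    if the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = f"{rec['seq']}|{prev}|{rec['line']}".encode()
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if (rec["seq"] != i or rec["prev"] != prev
                or not hmac.compare_digest(expected, rec["mac"])):
            return i
        prev = rec["mac"]
    return -1


# Hypothetical message format assumed for the constructed sample lines.
EVENT_RE = re.compile(
    r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_event(line):
    """Normalise one raw line into an event dict, or None if it does not match."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "outcome": outcome,
            "user": user, "src": src}


def correlate(lines, threshold=3, window=timedelta(minutes=2)):
    """Correlation directive: `threshold` or more failed logins from one
    source within `window`, followed by a success from the same source,
    raise a single alert instead of N+1 unrelated events."""
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:  # expire old failures
            recent.popleft()
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": ev["src"], "user": ev["user"],
                           "failures": len(recent), "ts": ev["ts"].isoformat()})
            recent.clear()
    return alerts


if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: shared key for the demo only
    chain = []
    for line in SAMPLE_LOGS:
        append_signed(chain, line, key)
    print("chain intact:", verify_chain(chain, key) == -1)
    for alert in correlate(SAMPLE_LOGS):
        print("ALERT brute-force then success:", alert)
```

Run as a script, the chain verifies and a single alert is emitted for 203.0.113.7 (four failures in under two minutes, then a successful login), while the isolated failure from 198.51.100.9 fifteen minutes before its success is outside the window and produces nothing. Altering, removing or reordering any record in the chain makes `verify_chain` report the index at which the chain first disagrees with its MACs.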