Joel Gridley, Chief Analyst with Delta Risk, contributed to this blog.
Delta Risk’s managed security services (MSS), known as ActiveEye, use AlienVault USM to help our security operations center (SOC) and our trained analysts better monitor and protect our clients’ networks. Over the course of many years supporting multiple industries, various compliance regulations, and a myriad of customer environments, we’ve developed several techniques that expand the functionality of AlienVault USM beyond most people’s expectations.
Every client is unique. Two customers of the same size and in the same industry can have completely different priorities and require completely different solutions. AlienVault USM is so extensible that it allows our ActiveEye services to satisfy the wide range of requirements that our customers demand. Because we can work each new solution into a standard USM option, we can often make suggestions for new features before the next customer even realizes they want them.
As an example, through discussions with one client, we found out they have a security enclave that should have no contact at all with the corporate network or the Internet. We also learned that at some points during recent firewall changes, certain critical devices suddenly had access to the Internet. This, of course, was an extremely easy fix. Since the AlienVault sensors were located on the corporate networks, we simply created a network object for the enclave subnet, and a rule that would forward an alarm any time that subnet was a source or destination in any event on the USM.
We developed a more complex solution for another client who needed to document, for compliance, every time someone granted an account with escalated privileges. The difficulty here was that Windows Event Logs treat user accounts the same as system accounts, and system accounts regularly change privilege levels depending on what function or tasks they are performing. Using directives with defined regex, we were able to generate emails to the customer’s ticketing system that would document the account change for user accounts only.
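The two detections described above, the enclave-isolation alarm and the "user accounts only" privilege-grant filter, are illustrated below in plain Python. This is an added example, not ActiveEye or AlienVault USM code and not USM's directive syntax; the enclave subnet, the `key=value` event format, the account names, and the sample events are all constructed for the example. The Windows event IDs 4728, 4732 and 4756 (member added to a security-enabled global, local and universal group) are the standard Security-log IDs for group-membership grants; 4672 (special privileges assigned to a new logon) is included in the sample only to show the kind of per-logon privilege noise that the regex approach has to ignore.

```python
"""Two SOC detections rebuilt as plain Python for illustration (not USM directive syntax)."""
import ipaddress
import re

# Constructed sample value: the isolated enclave that must never touch corp or Internet.
ENCLAVE_SUBNET = ipaddress.ip_network("10.250.0.0/24")

# Standard Windows Security event IDs for "member added to a security-enabled group".
PRIVILEGE_GRANT_EVENT_IDS = {4728, 4732, 4756}

# A human user account is DOMAIN\name where the name does not end in '$'
# (machine accounts) and the domain is not NT AUTHORITY (SYSTEM, LOCAL SERVICE, ...).
USER_ACCOUNT_RE = re.compile(r"^(?!NT AUTHORITY\\)(?P<domain>[^\\]+)\\(?P<user>[^\\$]+)$")

# Constructed event format: space-separated key=value pairs, values may be double-quoted.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn one key=value line into a dict, stripping surrounding quotes from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def touches_enclave(event, subnet=ENCLAVE_SUBNET):
    """Rule 1: alarm whenever the enclave subnet is the source or destination."""
    for field in ("src", "dst"):
        addr = event.get(field)
        if addr is None:
            continue
        try:
            if ipaddress.ip_address(addr) in subnet:
                return True
        except ValueError:  # field present but not an IP address
            continue
    return False


def is_user_account(name):
    """True for interactive user accounts, False for machine and built-in system accounts."""
    return bool(USER_ACCOUNT_RE.match(name))


def privilege_grant_to_user(event):
    """Rule 2: a group-membership grant whose added member is a human user account."""
    try:
        event_id = int(event.get("EventID", 0))
    except ValueError:
        return False
    if event_id not in PRIVILEGE_GRANT_EVENT_IDS:
        return False
    return is_user_account(event.get("Member", ""))


# Constructed sample events covering the cases each rule must accept or ignore.
SAMPLE_EVENTS = [
    "type=flow src=10.250.0.17 dst=203.0.113.10 dport=443",          # enclave host reaching out
    "type=flow src=10.20.1.5 dst=10.20.1.80 dport=445",               # ordinary corp traffic
    "type=flow src=10.20.1.5 dst=10.250.0.3 dport=22",                # corp host reaching into enclave
    r'type=win EventID=4728 Subject="CORP\admin.jane" Member="CORP\bob" Group="Domain Admins"',
    r'type=win EventID=4732 Subject="CORP\admin.jane" Member="CORP\SRV-DB01$" Group=Administrators',
    r'type=win EventID=4672 Subject="NT AUTHORITY\SYSTEM" Privileges=SeDebugPrivilege',
]


def run_rules(lines):
    """Evaluate both rules over raw event lines; return (rule_name, line) pairs to alarm on."""
    alarms = []
    for line in lines:
        event = parse_event(line)
        if touches_enclave(event):
            alarms.append(("enclave_contact", line))
        if privilege_grant_to_user(event):
            alarms.append(("privilege_grant", line))
    return alarms


if __name__ == "__main__":
    for rule, line in run_rules(SAMPLE_EVENTS):
        print(f"ALARM [{rule}] {line}")
```

Running the block raises three alarms: the two flows involving the enclave and the Domain Admins grant to `CORP\bob`. The machine-account grant (`SRV-DB01$`) and the SYSTEM privilege logon are passed over, which is the distinction the ticketing-system emails in the second scenario depend on.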
In another case, we contacted a customer who had spent the morning fielding complaints because the corporate two-factor authentication (TFA) process wasn’t allowing anyone to connect to the network. There were a number of failed login events caused by the clock skew between server and client being too large, along with error events from the TFA server reporting that it was unable to synchronize its clock over NTP. ActiveEye became the hero for shedding light on an easy solution that could have potentially taken hours to track down. AlienVault is not just for security issues – it allows us to help out with customer operations, too.
As an MSSP, the benefits of using AlienVault are limited only by the creativity of your analysts and engineers. AlienVault is an excellent platform to improve the quality of your managed security services by consolidating trends and attackers seen across your customer base. It’s invaluable for creating customized OTX Pulses to generate branded alarms based on the threat intelligence you have developed from your investigations – along with the Pulses that AlienVault works hard to keep up-to-date and relevant.
The ease of deploying host-based intrusion detection system (HIDS) agents makes it trivial to explain to non-technical customers what they need to do to give you the visibility they expect; this can be harder with other solutions. Regardless of the comfort level of the customer, or their corporate policies, there is a deployment technique to suit them. You can download HIDS agents for them to manually install on each system, you can stage the assets and auto-deploy them using credentials your customer provides, or you can simply start a screen share session and let them enter credentials themselves to deploy automatically.
From security management to operations troubleshooting and compliance enforcement, there is limitless potential to the benefits provided by the AlienVault USM platform.