AlienVault USM Anywhere and Cisco Umbrella: Move Quickly from Detection to Protection

May 2, 2017 | Jeff Olen

AlienVault® Unified Security Management™ (USM™) helps security professionals quickly assess and prioritize the most severe threats facing their environment. While detecting threats is obviously a necessary first step, executing an appropriate response in a timely manner can be challenging, especially given the myriad of tools that may be deployed as part of the overall security infrastructure.

USM Anywhere, AlienVault’s new cloud-based security monitoring platform, helps to close the gap between detection and response with AlienApps. AlienApps provide advanced automated response orchestration with leading security tools and applications, making it easier for security teams to respond quickly and efficiently to identified threats.

At the recent RSA Conference in San Francisco, I was thrilled to be joined by our friends from Cisco to demonstrate the new AlienApp for Cisco Umbrella (click here to watch a quick video from Cisco highlighting this exciting new integration with USM Anywhere and other new Umbrella features). Cisco Umbrella is a cloud security platform that enforces threat intelligence at the DNS and IP layers, which makes it a natural extension to the threat detection capabilities provided by USM Anywhere.

(In addition to this blog, AlienVault and Cisco will be presenting a joint webcast showing the AlienApp for Cisco Umbrella on May 18th at 10AM PDT. Register for this webcast to learn much more!)

As an example, let’s look at how the combination of USM Anywhere and Cisco Umbrella can help provide an effective response to a phishing attack. First, the analyst reviewing the Alarms page of USM Anywhere sees an alarm related to phishing activity that has been detected by the AlienVault Network IDS.

Analyst reviewing Alarms in USM Anywhere

The AlienApp for Cisco Umbrella, which is included as part of the USM Anywhere platform, allows the security analyst to respond immediately to this threat. By clicking on the alarm, the analyst can not only review the relevant details of the event, but also initiate a response right from the USM Anywhere interface to send the malicious domain to Cisco Umbrella for enforcement.

From the alarm detail view, the analyst can simply click the “Select Action” button, choose the Cisco Umbrella app, and then select the “Report by HTTP hostname” action. This will automatically send the HTTP hostname to Cisco Umbrella via the Cisco Umbrella Enforcement API.
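As an added illustration (not AlienVault's or Cisco's own code), here is what that hand-off looks like when reproduced in a small Python script: it takes a constructed phishing-alarm record, normalizes the HTTP hostname, refuses to forward internal or malformed names, and builds the event the Enforcement API expects before posting it. The endpoint URL and event field names are assumed from Cisco's public Enforcement API documentation (verify against the current version), and the alarm field names, device id and sample hostname are constructed placeholders.

```python
import json
import re
import urllib.request
from datetime import datetime, timezone

# Cisco Umbrella Enforcement API endpoint (assumed from Cisco's public docs; verify before use).
ENFORCEMENT_URL = "https://s-platform.api.opendns.com/1.0/events"

# Constructed sample: the fields of a USM Anywhere phishing alarm relevant to this action.
SAMPLE_ALARM = {
    "alarm_id": "example-alarm-0001",             # placeholder id, not a real alarm
    "rule_intent": "Delivery & Attack",
    "rule_method": "Phishing",
    "http_hostname": "login-verify.example.net",  # constructed hostname
    "source_ip": "10.0.0.25",
}

# Public-looking FQDN: dotted labels of letters/digits/hyphens, alphabetic TLD, <= 253 chars.
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def normalize_hostname(raw):
    """Strip scheme, port and path, lowercase; return None for malformed or internal names."""
    host = raw.strip().lower()
    host = re.sub(r"^[a-z]+://", "", host).split("/")[0].split(":")[0].rstrip(".")
    if not _HOSTNAME_RE.match(host) or host.endswith((".local", ".internal", ".localhost")):
        return None
    return host

def build_enforcement_event(alarm, now=None):
    """Build one Enforcement API event from an alarm; None if the hostname is not enforceable."""
    host = normalize_hostname(alarm.get("http_hostname", ""))
    if host is None:
        return None
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.0Z")
    return {
        "alertTime": ts,
        "deviceId": "usm-anywhere-sensor-1",   # placeholder identifier
        "deviceVersion": "1.0",
        "dstDomain": host,
        "dstUrl": "http://" + host + "/",
        "eventTime": ts,
        "protocolVersion": "1.0a",
        "providerName": "Security Platform",
    }

def send_event(event, customer_key):
    """POST the event to Umbrella and return the HTTP status (needs a real customer key)."""
    req = urllib.request.Request(ENFORCEMENT_URL + "?customerKey=" + customer_key,
                                 data=json.dumps(event).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status
```

Running `send_event(build_enforcement_event(SAMPLE_ALARM), "<your-customer-key>")` performs the same submission the "Report by HTTP hostname" action makes; the domain then appears in the destination list described below.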

From alarm detail view, choose the Cisco Umbrella app

Alternatively, USM Anywhere can be configured to automatically send this information to Umbrella whenever phishing activity is detected, providing a fully automated response. Returning to the alarm detail view, the analyst can click “Create Rule” and create an orchestration rule that will automatically send the relevant information to Umbrella anytime this type of activity is detected.

USM Anywhere can be configured to automatically send info to Umbrella

Creating launch app actions in USM Anywhere for Cisco Umbrella

To see all the hostnames that AlienVault USM Anywhere has provided to Cisco Umbrella, you can go to the Settings/Integration area of the Cisco Umbrella dashboard.

USM Anywhere destination list to search domains

That’s it – in just a few simple steps with AlienVault USM Anywhere and Cisco Umbrella, you can close the gap between detection and protection.

Look for additional AlienApps use cases and partners in upcoming releases of USM Anywhere.

If you have feedback on your experience with the AlienApp for Cisco Umbrella, or have an orchestration and response use case in mind for USM Anywhere that would help streamline your security operations, we’d love to hear from you! Tell us about it in the AlienVault Product Forums.

About the Author: Jeff Olen, AlienVault
Jeff joined the AlienVault product management team in 2016, with a primary focus on the USM Anywhere platform. He has more than 15 years of experience managing award-winning software products in a variety of industries including security, education, legal and digital media.