AlienVault USM Anywhere and Cisco Umbrella: Move Quickly from Detection to Protection

May 2, 2017  |  Jeff Olen

AlienVault® Unified Security Management™ (USM™) helps security professionals quickly assess and prioritize the most severe threats facing their environment. Detecting a threat is the necessary first step, but executing an appropriate response in a timely manner can be challenging, especially given the many tools that may be deployed as part of the overall security infrastructure, each with its own console and API.

USM Anywhere, AlienVault’s new cloud-based security monitoring platform, helps to close the gap between detection and response with AlienApps. AlienApps provide advanced automated response orchestration with leading security tools and applications, making it easier for security teams to respond quickly and efficiently to identified threats.

At the recent RSA Conference in San Francisco, I was thrilled to be joined by our friends from Cisco to demonstrate the new AlienApp for Cisco Umbrella (Cisco also published a short video highlighting this integration with USM Anywhere and other new Umbrella features). Cisco Umbrella is a cloud security platform that enforces threat intelligence at the DNS and IP layers, which makes it a natural extension to the threat detection capabilities provided by USM Anywhere: once a malicious domain is known, every resolver query for it from the protected network can be answered with a block page instead of the real address.

As an example, let’s look at how the combination of USM Anywhere and Cisco Umbrella can help provide an effective response to a phishing attack. First, the analyst reviewing the Alarms page of USM Anywhere sees an alarm related to phishing activity that has been detected by the AlienVault Network IDS.

Analyst reviewing Alarms in USM Anywhere

The AlienApp for Cisco Umbrella, which is included as part of the USM Anywhere platform, allows the security analyst to respond immediately to this threat. By clicking on the alarm, the analyst can not only review the relevant details of the event, but also initiate a response right from the USM Anywhere interface to send the malicious domain to Cisco Umbrella for enforcement.

From the alarm detail view, the analyst can simply click the “Select Action” button, choose the Cisco Umbrella app, and then select the “Report by HTTP hostname” action. This sends the HTTP hostname from the event to Cisco Umbrella via the Cisco Umbrella Enforcement API, which adds it to the Umbrella destination list that the organization’s policies block. Because the block is applied at the domain level, it is worth a glance at the hostname before sending it: a signature that fires on a URL path hosted on a shared service would, if submitted, block that whole hostname for everyone behind Umbrella.

From alarm detail view, choose the Cisco Umbrella app

Alternatively, USM Anywhere can be configured to automatically send this information to Umbrella whenever phishing activity is detected, providing a fully automated response. Returning to the alarm detail view, the analyst can click “Create Rule” and create an orchestration rule that will automatically send the relevant information to Umbrella any time this type of activity is detected. Since the rule fires on every matching alarm, scope it to high-confidence signatures; a false positive in a fully automated rule becomes an organization-wide DNS block rather than a single mis-triaged alarm.
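The following Python example shows what the manual action and the orchestration rule both do under the hood: turn an alarm into an Enforcement API event and submit it. It is an added illustration, not AlienVault’s or Cisco’s code. The endpoint, the `customerKey` query parameter, the event field names and the `202` response with an `id` follow Cisco’s public Enforcement API documentation as recalled here; verify them against the current docs before relying on them. The alarm record, the `NEVER_BLOCK` list and the alarm field names (`http_hostname`, `url`, `alarm_id`, `timestamp`) are constructed sample data, not the USM Anywhere schema. The local safeguards (refusing IP literals, malformed names and your own domains, and de-duplicating hostnames across repeated alarms) are the checks a practitioner would want in front of any automated block.

```python
"""Build and submit Cisco Umbrella Enforcement API events from IDS alarms.

Added example; endpoint and field names per Cisco's Enforcement API docs as
recalled by the example's author (verify). Alarm shape is a constructed assumption.
"""
import ipaddress
import json
import re
import urllib.request
from datetime import datetime, timezone

ENFORCEMENT_URL = "https://s-platform.api.opendns.com/1.0/events"  # per docs; verify

# Hostnames we never hand to Umbrella for blocking even if a signature names
# them: our own domains and shared services. Constructed list for the example.
NEVER_BLOCK = {"example.com", "corp.example.com", "docs.google.com"}

# One or more DNS labels (alnum, hyphens inside) followed by an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)

# Constructed sample alarm; the key names are an assumption, not USM's schema.
SAMPLE_ALARM = {
    "alarm_id": "3f1c9e2a-7b40-4c55-9a61-0d2e5b8f1a77",
    "rule": "Phishing - Suspected Credential Harvesting Site",
    "source": "AlienVault NIDS",
    "timestamp": "2017-05-02T14:03:11Z",
    "http_hostname": "login-secure-update.example.net",
    "url": "http://login-secure-update.example.net/account/verify",
}


def normalize_host(host):
    """Lower-case, strip whitespace and a trailing dot."""
    return host.strip().rstrip(".").lower()


def is_blockable_hostname(host):
    """True only for a well-formed public DNS name we are willing to block."""
    host = normalize_host(host)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # the events endpoint blocks domains; an IP needs another path
    except ValueError:
        pass
    if not HOSTNAME_RE.match(host):
        return False
    # Refuse our own domains and anything beneath them.
    return not any(host == s or host.endswith("." + s) for s in NEVER_BLOCK)


def umbrella_time(dt):
    """Timestamp in the '2013-02-08T09:30:26.0Z' form the docs show."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.0Z")


def build_event(alarm, now=None):
    """Translate one alarm into an Enforcement API event, or None if refused."""
    host = normalize_host(alarm["http_hostname"])
    if not is_blockable_hostname(host):
        return None
    now = now or datetime.now(timezone.utc)
    seen = datetime.strptime(alarm["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
    seen = seen.replace(tzinfo=timezone.utc)
    return {
        "alertTime": umbrella_time(now),
        "deviceId": alarm["alarm_id"],            # identifies the reporting system
        "deviceVersion": "usm-anywhere-example",  # assumption: free-form version string
        "dstDomain": host,
        "dstUrl": alarm.get("url") or "http://" + host + "/",
        "eventTime": umbrella_time(seen),
        "protocolVersion": "1.0a",
        "providerName": "Security Platform",
    }


def plan_enforcement(alarms, now=None):
    """Events for a batch of alarms, one per unique hostname (rules re-fire a lot)."""
    events, done = [], set()
    for alarm in alarms:
        ev = build_event(alarm, now)
        if ev and ev["dstDomain"] not in done:
            done.add(ev["dstDomain"])
            events.append(ev)
    return events


def submit_event(event, customer_key, opener=urllib.request.urlopen):
    """POST one event; return the id Umbrella assigns. Network call, not run offline."""
    req = urllib.request.Request(
        ENFORCEMENT_URL + "?customerKey=" + customer_key,
        data=json.dumps(event).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with opener(req, timeout=10) as resp:
        if resp.status != 202:
            raise RuntimeError("Enforcement API returned %s" % resp.status)
        return json.loads(resp.read())["id"]


if __name__ == "__main__":
    for ev in plan_enforcement([SAMPLE_ALARM, SAMPLE_ALARM]):
        print(json.dumps(ev, indent=2))
    # submit_event(ev, "<customerKey from Umbrella Settings/Integrations>")
```

Run it as-is to see the event body; the commented `submit_event` call is the only part that touches the network. Note that the same `customerKey` is what Umbrella uses to attribute the destination list you later see under Settings/Integration, so treat it as a credential.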

USM Anywhere can be configured to automatically send info to Umbrella

Creating launch app actions in USM Anywhere for Cisco Umbrella

To see all the hostnames that AlienVault USM Anywhere has provided to Cisco Umbrella, go to the Settings/Integration area of the Cisco Umbrella dashboard. This is also where you remove a hostname if an alarm turns out to be a false positive, and it is worth checking after enabling an automated rule to confirm the list contains only what you expect.

USM Anywhere destination list to search domains

That’s it – in just a few simple steps with AlienVault USM Anywhere and Cisco Umbrella, you can close the gap between detection and protection.

Look for additional AlienApps use cases and partners in upcoming releases of USM Anywhere.

If you have feedback on your experience with the AlienApp for Cisco Umbrella, or have an orchestration and response use case in mind for USM Anywhere that would help streamline your security operations, we’d love to hear from you! Tell us about it in the AlienVault Product Forums.
