|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
Providing strong and effective security for an organization’s network, IT infrastructure, and environment requires some forethought and planning. If you are now tasked with monitoring, managing, or maintaining network security operations within your organization, after USM Appliance has already been deployed, many of the planning steps and decisions may have already been made, but it is worth reviewing some of the overall best practices that many organizations follow in implementing and then maintaining network security operations in their environments. The general process is the following:
- Determine the scope of your network security operation, the range of networks and subnetworks to be covered, and the network devices or assets (host servers, applications, firewalls, routers, and switches) to be protected.
- Assess risk, determine what is most important to protect, and determine the type of network security you need to provide. Identify specific threats and vulnerabilities you need to address. Also determine specific regulatory compliance and other business standard requirements you need to meet.
- Define and determine security team roles, permissions, tasks, and responsibilities, and implement authentication and authorization to support USM Appliance security operations. Also determine notification and escalation strategy for emails, ticket handling, incident response, and compliance documentation requirements.
- Develop a plan for initial implementation and rollout of network security operations, plus planned updates and enhancements, based on priorities. Take into account the time and resources required for monitoring, incident analysis and response, compliance reporting and record-keeping, plus subsequent updates to address additions or changes in the environment, as well as new threats and vulnerabilities.
- Deploy and run USM Appliance to monitor and analyze the behavior of the environment. Use dashboards, reports, and other features of the USM Appliance web UI to examine events, network traffic, alarms, and notifications. Establish baseline behavior, identify threats and vulnerabilities, and eliminate or reduce false positives and other noise from normal, benign behavior. After establishing a baseline, you can use various tools provided within the USM Appliance web UI to investigate alarms and suspicious events, identify threats and vulnerabilities, and continue monitoring your network for attacks, intrusions, or any other type of malicious and potentially damaging behavior.
- Make continuous security lifecycle improvements and perform regular maintenance: new asset discovery and risk assessments, new vulnerability and threat detection, compliance reporting, backup and archival record-keeping.
- Incident Response — Develop and implement processes and procedures for incident response to provide special event and incident handling. Detect anomalies and suspect behavior; investigate, identify, and isolate threats, intrusions, or attacks; eradicate, remediate, or mitigate threats; conduct post-incident, post-mortem reviews to identify improvements to security processes and practices.