AlienVault Threat Intelligence
Essential for Keeping Up with Today’s Cyber Threat Landscape
In today’s dynamic and evolving threat environment, busy IT security teams don’t have the time or resources to do threat analysis of emerging threats on their own. Instead, they turn to AlienVault Labs to do the research for them with continuous Threat Intelligence updates that are fully integrated into the AlienVault Unified Security Management™ (USM) platform for threat assessment, detection, and response.
(Note: The AlienVault Threat Intelligence Service is included in the first year license cost for every USM All-in-One appliance, Standard Server or Enterprise Server.)
Your USM platform receives updates every 30 minutes from the AlienVault Labs threat research team. This dedicated team spends countless hours analyzing the different types of attacks, emerging threats, suspicious behavior, vulnerabilities and exploits they uncover across the entire threat landscape.
The AlienVault Advantage:
Ownership of both the built-in data sources and the management platform that make up the USM platform gives AlienVault a unique advantage over other security point products. Providing predictable data sources enables our threat research team to have a comprehensive understanding of the interactions between the different data types being collected, correlated and analyzed. This in-depth knowledge enables us to engineer the USM platform to provide effective security controls and seamlessly integrated threat intelligence for any environment.
AlienVault Labs Threat Intelligence drives the USM platform’s threat assessment capabilities by identifying the latest threats, resulting in the broadest view of threat vectors, attacker techniques and effective defenses. Unlike single-purpose updates focused on only one security control, AlienVault Labs regularly delivers eight coordinated rule set updates to the USM platform. These updates eliminate the need for you to spend precious time conducting your own research on emerging threats, or on alarms triggered by your security tools. These rule sets maximize the efficiency of your security monitoring program by delivering the following updates directly to your AlienVault USM™ installation:
- Correlation directives – USM ships with over 2,000 pre-defined rules that translate raw events into specific, actionable threat information by linking disparate events from across your network
- Network IDS signatures – detect the latest malicious traffic on your network
- Host IDS signatures – identify the latest threats targeting your critical systems
- Asset discovery signatures – detect the latest operating systems, applications, and device information
- Vulnerability assessment signatures – uncover the latest vulnerabilities on your systems
- Reporting modules – receive new views of critical data about your environment to management and satisfy auditor requests
- Dynamic incident response templates – customized guidance on how to respond to each alert
- Newly supported data source plugins – expand your monitoring footprint by integrating data from legacy security devices and applications
Finding Smaller Needles in Bigger Haystacks
Identify the Most Significant Threats Facing Your Network Right Now
IT teams of all sizes suffer from having too much security event data and not enough actionable threat intelligence. Many security tools generate a steady stream of alerts about important (and not so important) activity, causing IT teams to sacrifice their valuable time by trying to manually correlate disparate activity in their log files. They dig through thousands of seemingly innocuous events, hoping to find those few indicators that can signify system compromise or data breach. At the same time, attack techniques have become more sophisticated, making breaches harder to detect.
Logs carry important information such as what your users are doing, what data they are accessing, the performance of your systems and overall network health. They will also contain evidence of system compromise and data exfiltration, if you know where to look. However, reading raw logs isn’t easy, for several reasons, including:
- Logs vary from system to system or even from version to version on the same system
- They are usually hard to interpret and not easily read by IT staff
- Logs are focused on recording events generated by each system and have limited visibility (e.g., a firewall sees packets and network sessions, while an application sees users, data, and requests)
- Logs are static, fixed points in time, without the full context or sequence of related events.
AlienVault USM solves these problems with its powerful correlation engine. Over 2,000 pre-built correlation directives continuously analyze event data to identify potential security threats in your network. USM automatically detects and links behavior patterns found in disparate yet related events generated across different types of assets, telling you what are the most significant threats facing your network right now.
With this easily consumable threat intelligence fueling your USM platform, you’ll be able to detect the latest threats and prioritize your response efforts. Specifically, you’ll extend your security program with:
Real-Time Botnet Detection
Identifies infection, compromise, and misuse of corporate assets
Data Exfiltration Detection
Prevents leakage of sensitive and proprietary data
Command-and-Control (C&C) Traffic Identification
Identifies compromised systems communicating with malicious actors
IP, URL, and Domain Reputation Data
Prioritizes response efforts by identifying known bad actors and infected sites
APT (Advanced Persistent Threat) Detection
Detects targeted attacks often missed by other defenses
Dynamic Incident Response and Investigation Guidance
Provides customized instructions on how to respond and investigate each alert
Advanced Alien Intelligence to Combat Advanced Threats
Here are a few of our collection and analysis techniques:
Security Artifact Analysis
Using a wide range of collection techniques, including advanced sandboxing to quarantine malware samples, the AlienVault Threat Research team analyzes over 1 million unique security artifacts every day. This analysis provides key insights into the latest attacker tools and techniques.
Honeypot Deployment and Analysis
Our global honeypots are essentially “virtual venus fly traps” set up to detect, capture, and analyze the latest attacker techniques and tools. Leveraging the insight gained by honeypots placed in high traffic networks, our AlienVault Labs team arms our USM customers with the latest defensive strategies in the form of updated event correlation rules, IDS and vulnerability signatures, and more.
Attacker Profile Analysis
We’re constantly monitoring hacker forums and underground networks for in-depth profiling of the common traits of cyber criminals. This information gives us unparalleled access for understanding the “attack horizon” and has resulted in major discoveries such as the evolution of Sykipot, Red October, and other malware outbreaks.
Open Collaboration with State Agencies, Academia, and Other Security Research Firms
Thanks to the broad reach of our threat intelligence sharing community, we’ve been able to establish strong connections with state agencies around the world, academic researchers and other security vendors. These relationships enable us to get access to pre-published vulnerability and malware updates as well as enhanced verification of our own research. By gathering community-powered threat intelligence from a diverse installed base that is spread across many industries and countries and composed of organizations of all sizes, we’re able to shrink an attacker’s ability to isolate targets by industry or organization size.