Security operations center (SOC) tools

Knowing what assets are in your environment is the first step in knowing your security posture. You need to know what systems exist—instances and servers—as well as what’s been installed and running on those systems (e.g. applications, services, and active ports). A reliable asset inventory along with the automated ability to discover new assets is foundational for building a SOC.

AlienVault USM captures accurate, real-time information on all the assets in your on-premises and cloud environments. On-premises, the USM platform scans your environments to gather information from devices to help determine the OS, running services, and installed software (often without requiring any credentials). To discover assets in your cloud environments, AlienVault USM hooks directly into cloud providers’ APIs to give you immediate visibility of your cloud infrastructure. AlienVault USM leverages native cloud services like AWS CloudWatch and Azure Monitor to collect data from your cloud environments and begin detecting threats.

Vulnerabilities represent the tiny cracks that an attacker uses to infiltrate your critical systems. This is commonly referred to as the “attack surface,” and these tiny cracks can open up when you least expect it. That’s why it’s essential to continually assess your entire IT landscape for vulnerabilities. Additionally, you may be subject to a variety of contractual and regulatory mandates (e.g. PCI DSS, SOX, etc.) that require periodic vulnerability assessments to demonstrate compliance.

AlienVault includes a built-in vulnerability assessment tool that allows you to effectively detect those tiny cracks.  Whereas traditional approaches to network vulnerability scanning and analysis rarely focus on usability and can seem cumbersome by those in IT wearing multiple hats, AlienVault USM takes a different approach. The USM platform provides a unified and easy-to-use platform that bolsters comprehensive vulnerability scanning software with asset discovery, a streamlined UI, and easy scheduling so you can ensure continuous vulnerability assessment without having to manage the process manually. Scheduling scans in advance allows you to easily manage your network vulnerability scanning program as well as minimize disruption of critical services during peak time. In case your critical infrastructure includes cloud environments, AlienVault USM offers cloud vulnerability scanning capabilities using cloud-native sensors for your Azure and AWS environments, giving you complete visibility into your cloud and on-premises environments from a single pane of glass. 

At its most basic, effective cyber security monitoring comes down to exception management. What activities represent exceptions to the norm? (e.g. policy violations, error messages, spikes in outbound network activity, unexpected reboots, etc.) What is required for all this to work is an understanding of what the “norm” looks like. Creating a baseline of system and network behavior provides the essential foundation with which to spot anomalies—which often signal the presence of cyber adversaries on your environment.

In order to capture a baseline, it’s critical to combine behavioral monitoring technologies, to provide a full, 360-degree perspective. Additionally, applying correlation rules against this data will help you identify and classify the latest risks, as well as capture data to support in-depth forensic investigations.

AlienVault USM provides fully integrated behavioral monitoring technologies within its platform, including visibility of user behavior in your cloud environments and applications. The USM platform provides cloud access logs (Azure: Monitor, AWS: CloudTrail, S3, ELB); AWS VPC flow monitoring; asset access logs; and VMware access logs.

Cloud Application Monitoring for applications like Office 365 allows you to track user and admin activity that might indicate a data breach.

Cloud Access Logs capture who requests data from your cloud environments and what they access.

Cloud Management Plane Integration ensures that you are able to monitor your AWS and Azure instances automatically.

Detecting an intruder at the point of entry can have the greatest impact on reducing system compromise and data leakage. That’s why intrusion detection systems (IDS) are considered one of the “must-have” SOC tools for identifying known attacks and known attacker activity. The keyword is “known.” On-premises, IDS operate based on correlation rules that detect known patterns of suspicious activity using unique intrusion signatures. This means it’s essential to keep your correlation rules current with the latest threat intelligence updates to be able to detect emerging threats. If you use cloud infrastructure, you also need to keep in mind that some traditional IDS methods won’t suffice because cloud providers restrict access to low-level network traffic. Effective cloud IDS requires access to the management plane for your cloud provider.

AlienVault USM offers three types of intrusion detection technologies (IDS) that you
can enable on a per-network, per-asset group, or per-server basis. Network Intrusion Detection (NIDS) analyzes on-premises network traffic to detect known attack patterns that indicate malicious activity (e.g. malware infections, policy violations, port scans, etc.).

The USM platform’s Host-based Intrusion Detection (HIDS) analyzes system behavior and configuration that could indicate system compromise. This includes the ability to recognize common rootkits, to detect rogue processes, and detect modification to critical configuration files. Additionally, AlienVault USM delivers Cloud Intrusion Detection (CIDS), including AWS IDS and Azure IDS, a cloud-native solution that interacts directly with the management plane of each cloud service provider to provide intrusion detection in your cloud environments.

The AlienVault Labs Security Research Team keeps AlienVault USM up-to-date with the latest threat intelligence on a continuous basis, adding new correlation rules, intrusion signatures, and response templates as threats emerge. The threat intelligence research provided by the Security Research Team is a critical extension to your SOC team, allowing you to focus on response.

Collecting and analyzing system events from across your network provides a wealth of raw source material that you can use to mine for suspicious activity. Security Information and Event Management (SIEM) tools were developed on the assumption that by looking for certain patterns of activity and sequences of events, you can detect a cyber attack as well as validate and demonstrate regulatory compliance. SIEM tools provide a core foundation for building a SOC because of their ability to apply dynamic correlation rules against a mountain of disparate and varied event log data to find the latest threats.

AlienVault USM combines all of the essential security monitoring technologies, including SIEM, onto a single platform. Our SIEM capability normalizes and analyzes event log data from disparate sources and applies correlation rules developed and maintained by the AlienVault Labs Security Research Team to find and classify potential threats. When an alarm is triggered by a correlation rule, details about the event and activity are classified according to an event taxonomy based on a simplified version of Lockheed Martin’s cyber kill chain (an industry standard). This event classification enables SOC analysts to prioritize which events to focus on, in order to quickly respond and investigate.

Additionally, AlienVault’s SIEM correlation logic also translates into rich and highly detailed compliance ready data. Raw event log data from hundreds and thousands of systems are aggregated and analyzed to identify policy violations and demonstrate compliance to auditors.