SECURITY OPERATIONS CENTER
Prevention vs. Detection
1 Asset Discovery
FEATURE SPOTLIGHT: Asset Detail
2 Vulnerability Assessment
A Closer Look: Vulnerability Assessment in AlienVault USM
Regularly Scheduled Auto-scanning
Create scans that run daily, weekly, or monthly during your off-peak hours. Automated scanning ensures continuous visibility of your vulnerabilities as your IT landscape changes.
Authenticated scans use host credentials to log in to each asset and assess it from the inside, enumerating installed software packages, local processes, and the services running on the system. This catches vulnerable components that never expose a network port and that an unauthenticated scan therefore cannot see. Because the scanning account's credentials work on every host it assesses, give that account only the read access the scan needs and keep its secrets in a credential store rather than in the scan definition itself.
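To make concrete what an authenticated scan does with the package inventory it pulls from a host, here is an added example (not AlienVault USM code, and not how USM implements its checks): it parses a constructed package listing of the kind dpkg-query produces, compares each installed version against a constructed table of first-fixed versions using Debian-style version ordering, and reports the packages still below the fix. The package names, versions and advisory table are all assumptions made up for the illustration; the libxml2 finding is the kind of result that only a credentialed scan can produce, since a library with no listener is invisible to a network scan.

```python
"""Toy authenticated-scan check: installed packages vs. first-fixed versions.

Added example, not AlienVault USM code. The package listing mimics the
'name version' output of dpkg-query and the advisory table is made up for
the illustration; package names and versions are assumptions.
"""
import itertools
import re

# Constructed host inventory, as an authenticated scan would collect it.
INSTALLED_PACKAGES = """\
openssl 1.1.1k-1+deb11u1
libxml2 2.9.10+dfsg-6.7
curl 7.74.0-1.3+deb11u7
nginx 1.18.0-6.1
"""

# Constructed advisory table: package -> first version that carries the fix.
# libxml2 is a library with no network listener, so only a credentialed scan
# can see that it is out of date.
ADVISORIES = {
    "openssl": "1.1.1n-0+deb11u3",
    "libxml2": "2.9.10+dfsg-6.7+deb11u4",
    "curl": "7.74.0-1.3+deb11u7",
}


def _split_version(version):
    """Split 'epoch:upstream-revision' into its three parts (Debian layout)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, "0"
    return int(epoch), upstream, revision


def _char_order(ch):
    """Debian ordering for non-digit characters: '~' < end < letters < others."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _compare_fragment(a, b):
    """Compare two version fragments by alternating non-digit and digit runs."""
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for x, y in itertools.zip_longest(na, nb, fillvalue=""):
            if _char_order(x) != _char_order(y):
                return -1 if _char_order(x) < _char_order(y) else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        if int(da or 0) != int(db or 0):
            return -1 if int(da or 0) < int(db or 0) else 1
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 as version a sorts before, equal to, or after b."""
    ea, ua, ra = _split_version(a)
    eb, ub, rb = _split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _compare_fragment(ua, ub) or _compare_fragment(ra, rb)


def parse_installed(listing):
    """Turn 'name version' lines into a dict."""
    installed = {}
    for line in listing.splitlines():
        if line.strip():
            name, version = line.split(None, 1)
            installed[name] = version.strip()
    return installed


def find_vulnerable(installed, advisories):
    """Return (package, installed, fixed) for each package still below its fix."""
    findings = []
    for name, fixed in advisories.items():
        current = installed.get(name)
        if current is not None and compare_versions(current, fixed) < 0:
            findings.append((name, current, fixed))
    return findings


if __name__ == "__main__":
    for name, current, fixed in find_vulnerable(parse_installed(INSTALLED_PACKAGES), ADVISORIES):
        print(f"{name}: installed {current}, fixed in {fixed}")
```

The version comparison matters more than it looks: a naive string compare would rank 2.9.10+dfsg-6.7 above 2.9.10+dfsg-6.7+deb11u4 and miss the finding, and would not know that a ~rc1 pre-release sorts below the final release. Real scanners carry the distribution's own comparison rules for exactly this reason.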
Cloud Infrastructure Scanning
AlienVault USM uses purpose-built cloud sensors that talk directly to the cloud providers' APIs to automatically perform network vulnerability assessments of your AWS and Azure environments, covering the assets themselves as well as their security groups and configurations.
Vulnerability Scan Scheduler
3 Behavioral Monitoring
4 Intrusion Detection
AlienVault USM Integration with AlienVault Labs Threat Intelligence
Before explaining how this integration works, it’s important to understand how the AlienVault Labs Security Research Team develops its threat intelligence updates. Through a combination of proprietary research, collaboration with other security research institutions, and insights from the community-driven threat data within the AlienVault Open Threat Exchange (OTX), AlienVault collects tens of millions of threat indicators every day, including malicious IP addresses and URLs, domain names, malware samples, and suspicious files. AlienVault aggregates data from a wide range of sources, including:
- External threat vendors (such as McAfee, Emerging Threats, and VirusTotal)
- Open sources (including the SANS Internet Storm Center and the Malware Domain List), as well as collaboration with state agencies and academia
- AlienVault USM and AlienVault OSSIM users voluntarily contributing anonymized data
- Community-contributed threat data in the form of OTX “pulses” (the format for the OTX community to share information about threats)
- High-interaction honeypots that we set up to capture the latest attacker techniques and tools, scaling the number of honeypot instances up or down with the level of activity they see
Next, we have set up automated systems and processes that use machine learning to assess the validity and severity of each of the threat indicators collected in OTX, including:
- A contribution system (for malware)
- A URL system (for suspicious URLs)
- An IP reputation system (for suspicious IP addresses)
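The indicator types listed above (malicious IPs, URLs, domain names, file hashes) are the same kinds that travel in OTX pulses, and the point made later in this chapter about SIEM correlation is simply that those indicators get matched against raw events. The following added example (not AlienVault USM or OTX code) shows that matching end to end: it loads a constructed pulse whose shape mirrors the OTX pulse JSON (a name plus an indicators list whose entries carry type and indicator fields), indexes the IPv4, domain, hostname, URL and FileHash-SHA256 indicators, and runs constructed firewall, proxy, DNS and EDR log lines through it. The pulse contents, log lines and field names are assumptions; the indicator values use reserved documentation addresses, reserved example domains and the SHA-256 of the empty string.

```python
"""Match OTX-style pulse indicators against raw log events.

Added example, not AlienVault USM or OTX code. The pulse is constructed but
follows the OTX pulse JSON shape (a name and an "indicators" list whose
entries carry "type" and "indicator"); the log lines and their field names
are made up for the illustration.
"""
import json
import re
from urllib.parse import urlsplit

# Constructed pulse. Values are reserved documentation addresses, reserved
# example domains and the SHA-256 of the empty string.
PULSE_JSON = json.dumps({
    "name": "Constructed example pulse",
    "indicators": [
        {"type": "IPv4", "indicator": "203.0.113.45"},
        {"type": "domain", "indicator": "malicious.example"},
        {"type": "hostname", "indicator": "c2.malicious.example"},
        {"type": "URL", "indicator": "http://bad.example.net/payload.bin"},
        {"type": "FileHash-SHA256",
         "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
})

# Constructed log lines: '<timestamp> <source> key=value ...'.
RAW_LOGS = """\
2024-05-01T10:00:01Z fw action=allow src=10.0.0.5 dst=203.0.113.45 dport=443
2024-05-01T10:00:02Z fw action=allow src=10.0.0.6 dst=198.51.100.7 dport=53
2024-05-01T10:00:03Z proxy user=alice url=http://bad.example.net/payload.bin status=200
2024-05-01T10:00:04Z proxy user=bob url=https://www.example.org/ status=200
2024-05-01T10:00:05Z dns client=10.0.0.7 query=beacon.c2.malicious.example
2024-05-01T10:00:06Z edr host=ws17 sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
"""

INDICATOR_TYPES = ("IPv4", "domain", "hostname", "URL", "FileHash-SHA256")


def load_pulse(pulse_json):
    """Index the pulse's indicators by type, normalized for exact lookups."""
    index = {t: set() for t in INDICATOR_TYPES}
    for ioc in json.loads(pulse_json)["indicators"]:
        kind, value = ioc["type"], ioc["indicator"].strip()
        if kind in ("domain", "hostname"):
            value = value.lower().rstrip(".")
        elif kind == "FileHash-SHA256":
            value = value.lower()
        if kind in index:
            index[kind].add(value)
    return index


def parse_event(line):
    """Split a log line into timestamp, source and key=value fields."""
    ts, source, rest = line.split(None, 2)
    return {"ts": ts, "source": source, "fields": dict(re.findall(r"(\w+)=(\S+)", rest))}


def observables(event):
    """Yield (kind, value) pairs from one event that the index can be checked against."""
    f = event["fields"]
    for key in ("src", "dst", "client"):
        if key in f:
            yield "IPv4", f[key]
    hosts = [f["query"]] if "query" in f else []
    if "url" in f:
        yield "URL", f["url"]
        host = urlsplit(f["url"]).hostname
        if host:
            hosts.append(host)
    for host in hosts:
        yield "host", host.lower().rstrip(".")
    if "sha256" in f:
        yield "FileHash-SHA256", f["sha256"].lower()


def match_event(event, index):
    """Return the (indicator_type, indicator) hits for one event."""
    hits = []
    for kind, value in observables(event):
        if kind == "host":
            if value in index["hostname"]:
                hits.append(("hostname", value))
            # A domain indicator covers the apex and every label beneath it.
            hits.extend(("domain", d) for d in index["domain"]
                        if value == d or value.endswith("." + d))
        elif value in index[kind]:
            hits.append((kind, value))
    return hits


def correlate(raw_logs, pulse_json):
    """Run every log line through the pulse index and return the alarms raised."""
    index = load_pulse(pulse_json)
    alarms = []
    for line in raw_logs.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        for kind, value in match_event(event, index):
            alarms.append({"ts": event["ts"], "source": event["source"],
                           "ioc_type": kind, "ioc": value, "raw": line})
    return alarms


if __name__ == "__main__":
    for alarm in correlate(RAW_LOGS, PULSE_JSON):
        print(f"{alarm['ts']} {alarm['source']}: {alarm['ioc_type']} {alarm['ioc']} <- {alarm['raw']}")
```

Two details carry most of the detection value: normalization (hashes compared case-insensitively, hostnames lower-cased with any trailing dot removed) so that a differently formatted log cannot slip past an exact lookup, and the suffix rule for domain indicators, which is what lets a pulse entry for malicious.example fire on a DNS query for beacon.c2.malicious.example. Everything else is a set lookup, which is also why updating the indicator feed is what keeps such a rule useful.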
SIEM Secret Sauce: Threat Intelligence
Even though we have a whole chapter dedicated to Threat Intelligence, we still feel compelled to emphasize how essential dynamic threat intelligence is to the value of your SIEM and to the overall functioning of your SOC. Without threat intelligence, your SIEM has nothing to match raw events against: no alarms fire, and there are no interesting reports to review. While it would be nice to have no alarms to respond to (because that means nothing is wrong, or you are on vacation), a silent SIEM usually means that no correlation or analysis is being done on your raw event log data. Or you may have some sample or DIY correlation rules as a starting point, but you are no longer looking for the latest threats because your threat intelligence hasn't been updated since the LoveBug virus.
The point is that threats are constantly evolving, cyber attackers are constantly upping their game, and so too must your SOC. The faster new indicators and countermeasures are discovered, collected, shared, analyzed and implemented, the more difficult we all make it for the bad guys. That's why AlienVault built the platform (AlienVault USM), the community (OTX), and the threat intelligence (the AlienVault Labs Security Research Team): to create a SOC that any team can implement, no matter its size.