Detect Advanced Persistent Threats (APTs) and minimize damage caused by them with all the essential security capabilities you need in a single console.
Minimize Damage from Advanced Persistent Threats
Data breaches attributed to Advanced Persistent Threats (APTs) continue to make headlines when they involve large, well-known entities (large corporations, governments, etc.) and/or result in the exfiltration of sensitive data. However, APTs also frequently target the valuable data found in smaller networks. Often this is because smaller organizations tend to lack the technologies and security expertise to detect these types of attacks.
You Can’t Prevent a Breach
You can, however, arm yourself with the best-in-breed technologies of AlienVault Unified Security Management™ (USM) to detect APTs at every stage of the attack. This, coupled with an intuitive platform, provides you with the security expertise needed to minimize the damage to your environment.
AlienVault USM™ gives you essential APT detection capabilities for each stage of an APT attack:
Identify Vulnerable Systems Being Targeted by APTs
Detect Communication with C&C Servers and Monitor Systems & Applications for Privilege Escalation and File Changes
Get Alerted to Compromised Systems Before Exfiltration of Data
A patient, determined attacker can compromise any network. The first step in any defense against APTs is to know what systems are on your network, and what vulnerabilities exist on those systems. Attackers target unpatched and misconfigured systems to gain the foothold necessary to eventually exfiltrate regulated or confidential data.
AlienVault USM scans your network for devices and determines what vulnerabilities exist through both passive and active scanning techniques, depending on your policies and preferences. It then prioritizes the vulnerability data, telling you which vulnerabilities to address first.
AlienVault USM’s built-in network IDS technology also detects malicious traffic attempting to exploit vulnerabilities on the targeted systems. Common malware delivery methods include email attachments disguised as everyday documents (Word files, pictures, PDFs) and links to websites hosting malware or exploit code for common vulnerabilities.
Preventive tools like antimalware, antispam, and web content filters can’t keep up with every new malware variant associated with today’s APT campaigns. This means that you need the ability to detect the attacker’s initial compromise of your network. AlienVault USM provides this level of insight with cross correlation of contextual data, driven by AlienVault Labs Threat Intelligence.
During an advanced persistent threat attack, a common first move is to compromise one of your systems to use as a base of operations for deeper infiltration into your network. The attacker then attempts to reach additional systems by gaining root or administrative privileges through exploits, social engineering, or brute-force password cracking.
With threat data from OTX (Open Threat Exchange) integrated into AlienVault USM, you’ll get alerted to a wide range of Indicators of Compromise (IoCs) in any inbound or outbound communication. Due to their previous association with known threats, these IoCs are evidence of potentially malicious activity in your network (ranging from initial compromise to expansion to other systems, and ultimately exfiltration of your sensitive data).
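As an added illustration of the IoC-matching idea described above (this is example code, not AlienVault's or OTX's own implementation), the following script checks outbound connection records against an indicator list. The indicator values, log format and log lines are constructed for the example; the IP addresses and domain are documentation placeholders, not real threat data.

```python
"""Match outbound connection records against an indicator list.

Added example: not AlienVault/OTX code. Indicators and log lines are
constructed placeholders. Matching covers exact IPs, CIDR ranges and
domains (including subdomains of a listed domain).
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator list (placeholder values, not real threat data).
IOC_IPS = {"203.0.113.45"}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
IOC_DOMAINS = {"bad-example.invalid"}

# Constructed proxy/firewall-style log lines (hypothetical format).
SAMPLE_LOGS = [
    "2024-01-10T09:00:01Z src=10.0.0.5 dst=93.184.216.34 dport=443 host=example.com",
    "2024-01-10T09:00:07Z src=10.0.0.5 dst=203.0.113.45 dport=8443 host=-",
    "2024-01-10T09:01:15Z src=10.0.0.9 dst=198.51.100.77 dport=80 host=cdn.bad-example.invalid",
    "2024-01-10T09:02:00Z src=10.0.0.9 dst=10.0.0.1 dport=53 host=-",
    "this line is malformed and must be skipped, not crash the scanner",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


@dataclass
class Hit:
    ts: str
    src: str        # internal host that made the connection
    indicator: str  # the matched IoC value
    kind: str       # "ip", "network" or "domain"


def domain_matches(host, ioc_domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def scan(lines, ioc_ips=IOC_IPS, ioc_networks=IOC_NETWORKS, ioc_domains=IOC_DOMAINS):
    """Return one Hit per log line whose destination matches an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed record: skip rather than abort the whole scan
        dst, host = m["dst"], m["host"]
        if dst in ioc_ips:
            hits.append(Hit(m["ts"], m["src"], dst, "ip"))
            continue
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None
        if addr is not None and any(addr in net for net in ioc_networks):
            hits.append(Hit(m["ts"], m["src"], dst, "network"))
            continue
        if host != "-" and domain_matches(host, ioc_domains):
            hits.append(Hit(m["ts"], m["src"], host, "domain"))
    return hits


if __name__ == "__main__":
    for h in scan(SAMPLE_LOGS):
        print(f"{h.ts} {h.src} -> {h.indicator} ({h.kind})")
```

Two of the constructed lines match (one by exact IP, one by CIDR range); the third matching candidate is the same line already flagged by range, so it is reported once. In practice the indicator sets would be loaded from a feed and refreshed, and a hit is a lead to investigate rather than proof of compromise.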
In addition, Host IDS agents deployed on critical systems that store valuable data will detect privilege escalation attempts as the attacker tries to gain root or admin privileges. Once the attacker has admin access, they typically stop security-related services running on the compromised systems, or start unwanted services, to facilitate their malicious activities.
AlienVault USM’s built-in File Integrity Monitoring (FIM) capability will monitor essential files to detect changes to critical application configurations, or data files. It will also detect the modification of log files, which is a common technique attackers use to cover their tracks and evade detection.
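To show what a file integrity check of this kind does under the hood, here is an added example (not AlienVault's FIM implementation) that records a baseline of file digests and sizes, then reports modified, removed and added files. Files listed as append-only (logs) get a separate "truncated" finding when their content changed and their size shrank, since a log that shrinks is a tamper signal. The directory layout and file contents are constructed in a temporary directory for the demo.

```python
"""Minimal file-integrity baseline and comparison.

Added example, not AlienVault's FIM. Paths are reported with forward
slashes regardless of platform. Demo data is constructed in a temp dir.
"""
import hashlib
import os
import tempfile


def digest(path):
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> (sha256, size) for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = (digest(full), os.path.getsize(full))
    return snap


def compare(old, new, append_only=()):
    """Diff two baselines. append_only: paths where shrinking is flagged as tampering."""
    findings = {"modified": [], "removed": [], "added": [], "truncated": []}
    for rel, (h, size) in old.items():
        if rel not in new:
            findings["removed"].append(rel)
            continue
        new_h, new_size = new[rel]
        if new_h != h:
            if rel in append_only and new_size < size:
                findings["truncated"].append(rel)
            else:
                findings["modified"].append(rel)
    for rel in new:
        if rel not in old:
            findings["added"].append(rel)
    return findings


def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo():
    """Constructed scenario: a config edit, a truncated log and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "etc", "app.conf")
        log = os.path.join(root, "log", "auth.log")
        _write(cfg, "listen=127.0.0.1\n")
        _write(log, "line1\nline2\nline3\n")
        before = baseline(root)

        _write(cfg, "listen=0.0.0.0\n")              # configuration changed
        _write(log, "line1\n")                       # log shrank: entries removed
        _write(os.path.join(root, "etc", "new.conf"), "x\n")  # unexpected new file
        after = baseline(root)

        return compare(before, after, append_only={"log/auth.log"})


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

A real deployment stores the baseline off the monitored host (otherwise an attacker with admin rights can rewrite it along with the files) and re-baselines only after an authorised change.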
One challenge IT teams of all sizes face is how to sift through their mountains of log data to detect signs of an APT campaign before data exfiltration occurs. AlienVault USM’s built-in SIEM capability aggregates and correlates event data from all of the platform’s data sources, as well as third party tools, into one management console.
The integrated Threat Intelligence from AlienVault Labs correlates the events from disparate sources to alert you to the highest priority threats facing your network today, including those related to Advanced Persistent Threats. With over 2,000 correlation rules pre-built into the AlienVault USM platform, you can spend your time responding to specific threats, instead of trying to research the significance of a particular event. Additionally, the Kill Chain Taxonomy makes it very easy for you to focus your response efforts on the most critical threats, showing you who, what, where, when, and how you’re being attacked, as well as the attacker’s intent to help you combat APTs at every stage.
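The correlation described in this section (and the privilege-escalation and log-tampering detections above) can be illustrated with a small rule that joins events from different sources on the same host within a time window. This is an added example, not AlienVault's rule engine or any of its 2,000 rules; the event sources, field names, thresholds and the stage labels "initial compromise" and "expansion" are chosen here for illustration, and the events are constructed.

```python
"""Cross-source correlation sketch: one alert from several event streams.

Added example, not AlienVault's correlation engine. Rule: on one host,
>= FAIL_THRESHOLD failed logins within WINDOW, followed by a successful
login, raises an alert; a later security-service stop or log truncation
on the same host within WINDOW upgrades it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 5

# Constructed events: (timestamp, host, source, type, detail)
EVENTS = [
    ("2024-01-10T09:00:00Z", "srv1", "hids", "auth_fail", "user=admin"),
    ("2024-01-10T09:00:05Z", "srv1", "hids", "auth_fail", "user=admin"),
    ("2024-01-10T09:00:10Z", "srv1", "hids", "auth_fail", "user=admin"),
    ("2024-01-10T09:00:15Z", "srv1", "hids", "auth_fail", "user=admin"),
    ("2024-01-10T09:00:20Z", "srv1", "hids", "auth_fail", "user=admin"),
    ("2024-01-10T09:00:40Z", "srv1", "hids", "auth_success", "user=admin"),
    ("2024-01-10T09:01:10Z", "srv1", "hids", "service_stop", "service=auditd"),
    ("2024-01-10T09:01:30Z", "srv1", "fim", "log_truncated", "file=/var/log/auth.log"),
    ("2024-01-10T09:05:00Z", "srv2", "hids", "auth_fail", "user=bob"),
    ("2024-01-10T09:05:30Z", "srv2", "hids", "auth_success", "user=bob"),
]

FOLLOWUP_TYPES = {"service_stop", "log_truncated"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(events, window=WINDOW, fail_threshold=FAIL_THRESHOLD):
    """Return a list of alert dicts, one per qualifying login success."""
    by_host = defaultdict(list)
    for ts, host, source, etype, detail in events:
        by_host[host].append((parse_ts(ts), source, etype, detail))

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, etype, detail) in enumerate(evs):
            if etype != "auth_success":
                continue
            fails = [e for e in evs[:i]
                     if e[2] == "auth_fail" and t0 - e[0] <= window]
            if len(fails) < fail_threshold:
                continue  # a lone success after one failure is normal noise
            followups = [e for e in evs[i + 1:]
                         if e[2] in FOLLOWUP_TYPES and e[0] - t0 <= window]
            alerts.append({
                "host": host,
                "when": t0.isoformat(),
                "stage": "expansion" if followups else "initial compromise",
                "priority": "high" if followups else "medium",
                "failed_logins": len(fails),
                "followups": len(followups),
                "sources": sorted({e[1] for e in fails + followups} | {"hids"}),
                "detail": detail,
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

The value of the join is that each stream on its own is ambiguous (failed logins happen, services get restarted, logs get rotated), while the ordered combination on one host within minutes is what a responder would want surfaced first. Thresholds and the window are tuning knobs that depend on the environment's normal behaviour.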