Preventative security measures are often unsuccessful, with new polymorphic malware, and zero day exploits. Therefore it’s important to be on the watch for intruders. Context is critical when evaluating system and network behavior. For example, an abundance of Skype traffic in the network used by your inside sales team is probably a normal part of operations. However, if the database server that houses your customer list suddenly shows a burst of Skype traffic something is likely wrong.
As soon as AlienVault Unified Security Management™ (USM) is installed, the behavioral monitoring functionality starts gathering data to help you understand “normal” system and network activity. Using the built-in network behavior monitoring you can simplify the incident response when investigating an operational issue or potential security incident. And because AlienVault USM™ combines network behavioral analysis with service availability monitoring, you'll have a full picture of system, service, and network anomalies.
Network Behavioral Analysis
Behavioral monitoring for your network & systems is essential for spotting unknown threats. It's also useful in investigating suspicious behavior and policy violations
When it comes to identifying threats in your environment, the best approach is a multi-layered one. Intrusion detection systems (network and host IDS) identify known threats, and network behavior analysis can help you identify anomalies and other patterns that signal new, and unknown threats.
With AlienVault’s USM platform, you can achieve complete and multi-layered security. AlienVault USM provides the fusion of essential security capabilities required for reliable intrusion detection - fueling your incident response program and helping you meet various compliance requirements. By using a single unified console, the security analyst can break down security silos for a more seamless workflow.
Specifically, the behavioral monitoring capabilities built into AlienVault USM provide this core functionality with the following techniques:
Service & Infrastructure Monitoring
provides continuous monitoring of services run by particular systems. On a periodic basis, or on demand, the device is probed to confirm that the service is still running and available. This lightweight, continuous monitoring will detect unexpected service outages throughout your critical infrastructure.
performs network behavior analysis without needing the storage capacity required for full packet capture. NetFlow analysis provides the high-level trends related to what protocols are used, which hosts use the protocol, and the bandwidth usage. This information can then be accessed in the same interface as the asset inventory and alarm data to simplify incident response. With USM Appliance, you can generate alarms and get alerted when your netflow goes above or below certain thresholds.
Network Protocol Analysis / Packet Capture
allows security analysts to perform full protocol analysis on network traffic enabling a full replay of the events that occurred during a potential breach. This level of network monitoring can be used to pinpoint the exploit method used or to determine what specific data was exfiltrated.