Protect your critical systems in on-premises, cloud, and hybrid cloud environments with the built-in host-based intrusion detection system (HIDS) of AlienVault USM.
A host-based intrusion detection system (HIDS) gives you deep visibility of what’s happening on your critical systems. With it, you can detect and respond to malicious or anomalous activities that are discovered in your environment.
On its own, host intrusion detection does not give you a complete picture of your security posture. You must be able to correlate your HIDS log data in a SIEM environment with other critical security data as well as the latest real-world threat intelligence.
AlienVault® Unified Security Management™ (USM™) eases security analysis and correlation by combining host-based IDS with other essential security capabilities in a single, unified security environment. With it, you can easily manage your network, cloud, and hybrid cloud security from a single pane of glass. In addition, continuous threat intelligence updates from AlienVault Labs are delivered to USM, backed by the AlienVault Open Threat Exchange™ (OTX™)—the world’s first open threat intelligence community.
Detect Changes & Threats to Critical Systems
Implement File Integrity Monitoring (FIM)
Deploy Host IDS in a Unified Security Management Platform
Receive the Latest Threat Intelligence from AlienVault Labs and OTX
AlienVault USM’s built-in host-based intrusion detection system monitors your critical systems and alerts you to any unauthorized or anomalous activities that occur.
A lightweight agent runs on each monitored host, tracking any changes made to critical system files, configuration files, log files, registry settings, and even important content files. The HIDS agent collects this information and sends it to USM for evaluation and correlation with other environmental data and threat intelligence.
With USM’s host-based IDS, you gain granular visibility into the systems and services you’re running so you can easily detect:
Detect Unauthorized & Anomalous Activities
When malicious or anomalous activities occur on a system—such as brute force authentication-based attacks, rapid file changes, or a user logging into an unauthorized asset—HIDS detects the activities and sends them to USM for analysis. When an alarm is generated in USM, it captures all you need to know about the incident, including asset information (OS, software, and identity), vulnerability data, network communication, raw log data, and more.
View Failed Attempts to Gain System Access
Know which of your assets attackers are trying to infiltrate before they get in. USM’s HIDS generates events on failed authentication attempts for Windows, MySQL, remote access, and the SSH service, as well as on SQL injection, XSS, and multiple failed login attempts.
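As an added illustration of the failed-login detection described above (example code written for this page, not AlienVault’s HIDS rules or USM’s correlation logic), the following Python script parses constructed OpenSSH auth log lines, raises an alert when a source address exceeds a threshold of failed attempts inside a sliding time window, and flags the case an analyst cares about most: a burst of failures followed by a successful login from the same source. The threshold, the window length, the assumed year (syslog timestamps carry none) and the log format are all assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the auth.log lines OpenSSH writes for password/public-key results.
# Lines that do not match (e.g. pam_unix session messages) are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)
ASSUMED_YEAR = 2024  # assumption: syslog timestamps have no year


def parse_line(line):
    """Return a dict with ts/result/user/src for a recognised sshd line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Alert once per source when >= threshold failures land inside the sliding window.

    An alert keeps counting later failures from that source and is marked
    followed_by_success if the same source later authenticates successfully,
    which is the pattern worth escalating rather than a lone noisy scanner.
    """
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> failure timestamps inside the window
    alerts = {}                  # src -> alert dict
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            q = recent[src]
            q.append(e["ts"])
            while q and (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if src in alerts:
                alerts[src]["failures"] += 1
                alerts[src]["last"] = e["ts"]
            elif len(q) >= threshold:
                alerts[src] = {
                    "src": src, "failures": len(q), "first": q[0], "last": e["ts"],
                    "followed_by_success": False, "success_user": None,
                }
        elif src in alerts:  # Accepted login from a source already alerted on
            alerts[src]["followed_by_success"] = True
            alerts[src]["success_user"] = e["user"]
    return list(alerts.values())


# Constructed sample log: one burst from 203.0.113.5 that ends in a successful
# login, one benign typo from 198.51.100.7, and slow failures from 203.0.113.9
# that never fit inside a 60-second window.
SAMPLE_LOG = """\
Jan 12 10:00:01 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Jan 12 10:00:04 web01 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 4423 ssh2
Jan 12 10:00:06 web01 sshd[2205]: Failed password for root from 203.0.113.5 port 4424 ssh2
Jan 12 10:00:09 web01 sshd[2207]: Failed password for root from 203.0.113.5 port 4425 ssh2
Jan 12 10:00:11 web01 sshd[2209]: Failed password for deploy from 203.0.113.5 port 4426 ssh2
Jan 12 10:00:14 web01 sshd[2211]: Failed password for deploy from 203.0.113.5 port 4427 ssh2
Jan 12 10:00:20 web01 sshd[2213]: Accepted password for deploy from 203.0.113.5 port 4428 ssh2
Jan 12 10:02:30 web01 sshd[2301]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 12 10:02:41 web01 sshd[2303]: Accepted publickey for alice from 198.51.100.7 port 51002 ssh2
Jan 12 10:05:00 web01 sshd[2401]: Failed password for bob from 203.0.113.9 port 6000 ssh2
Jan 12 10:07:00 web01 sshd[2403]: Failed password for bob from 203.0.113.9 port 6001 ssh2
Jan 12 10:09:00 web01 sshd[2405]: Failed password for bob from 203.0.113.9 port 6002 ssh2
Jan 12 10:11:00 web01 sshd[2407]: Failed password for bob from 203.0.113.9 port 6003 ssh2
Jan 12 10:13:00 web01 sshd[2409]: Failed password for bob from 203.0.113.9 port 6004 ssh2
Jan 12 10:13:05 web01 sshd[2411]: pam_unix(sshd:session): session opened for user bob
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The slow attempts from 203.0.113.9 show why a window matters: a plain per-source counter would alert on them too, while a window keyed to the burst rate separates credential-stuffing from a user who mistypes a password a few times over a morning. Tying the later “Accepted” event to the alert is the kind of cross-event correlation the page describes USM doing once HIDS events reach the platform.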
Protect the Integrity of the Data Collected
USM’s HIDS uses a client/server architecture to protect the data the HIDS agents collect. Because an attack that compromises the operating system can also compromise the agent running on it, it’s essential to store the forensic and security data off the host. This safeguard means you never have to rely on system data that may have been altered or destroyed on the compromised system.
Changes to configuration and system files are often the early signs of a breach. That’s why it’s essential to implement File Integrity Monitoring (FIM) on your critical systems, so you know as soon as changes happen.
File integrity monitoring allows you to track changes made to sensitive files on your critical systems. This provides a necessary audit trail and allows you to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of the files.
USM’s host-based IDS enables you to do file integrity monitoring (FIM) and registry integrity monitoring (RIM) efficiently.
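To make concrete what a file integrity monitor records and compares (an added example for this page, not the code of USM’s HIDS agent), the Python below builds a baseline of content hashes, sizes, permission bits and owners for a directory tree, then diffs a later snapshot against it and reports added, removed and modified files together with which attribute changed. The attribute set, the hash algorithm and the sample tree with its three changes (a content edit, a permission-only change, and a delete plus an unexpected new file) are assumptions constructed inside demo().

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def _hash_file(path: Path) -> str:
    """SHA-256 of the file contents, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str) -> dict:
    """Walk `root` and record, per regular file, the attributes a FIM typically watches.

    Symlinks are skipped on purpose: hashing through a link would let a link swap
    pass an unrelated target off as the original file.
    """
    baseline = {}
    root_path = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.stat()
            baseline[str(p.relative_to(root_path))] = {
                "sha256": _hash_file(p),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
            }
    return baseline


def diff_baselines(old: dict, new: dict) -> dict:
    """Compare two snapshots; modified maps path -> list of attributes that differ."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = {}
    for path in sorted(set(old) & set(new)):
        changed = [k for k in old[path] if old[path][k] != new[path][k]]
        if changed:
            modified[path] = changed
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Constructed example: a fake /etc tree, a baseline, then three kinds of change."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp)
        (etc / "ssh").mkdir()
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        os.chmod(etc / "passwd", 0o644)  # pin the mode so the demo is umask-independent
        (etc / "motd").write_text("welcome\n")
        before = build_baseline(tmp)

        # 1. content change: hash and size differ
        (etc / "ssh" / "sshd_config").write_text("PermitRootLogin yes\n")
        # 2. permission-only change: content identical, mode differs
        os.chmod(etc / "passwd", 0o666)
        # 3. a file removed and an unexpected scheduled job added
        (etc / "motd").unlink()
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "new-job").write_text("* * * * * root /usr/local/bin/report\n")
        after = build_baseline(tmp)
        return diff_baselines(before, after)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The permission-only case is why a FIM compares more than a hash: a world-writable passwd file has unchanged content but is still a finding. In a deployment the baseline would be stored off the host, as the client/server point above argues, so that an intruder who edits the files cannot also edit the record they are compared against.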
Meet Your Compliance Needs with File Integrity Monitoring
Many regulatory compliance standards require file integrity monitoring tools—either explicitly or implicitly—to be in place to pass a compliance audit.
PCI DSS: Requirements 10.5.5 and 11.5 specifically call for a file integrity monitoring (FIM) system to detect and alert you of unauthorized changes to critical system files, configuration files, and content files.
HIPAA: Compliance Standard § 164.312(c)(2) deals with data integrity and requires you to ensure that health information has not been altered or destroyed in an unauthorized manner.
GLBA: The Gramm-Leach-Bliley Act requires financial institutions to safeguard sensitive customer data. This includes (§314.4 -3) detecting, preventing and responding to attacks, intrusions, or other systems failures.
In AlienVault USM, the host intrusion detection system is natively integrated out of the box with other essential security capabilities. This significantly reduces the cost and complexity of integrating multiple disparate security tools and data sources. Instead, USM delivers complete visibility of your security posture on Day One and continues to update your environment with the latest security intelligence as new threats emerge or evolve in the wild.
AlienVault USM combines the following five security capabilities in a unified security management platform.
Asset Discovery & Inventory
USM automatically scans and discovers all the IP-enabled devices in your environment, how they’re configured, what services are listening on them, and any potential vulnerabilities and active threats being executed against them.
With vulnerability management in USM, you can find the weak spots in your environment that expose you to threats and remediate them before intrusions occur. And, when intrusions do occur, you have a unified view of important asset and vulnerability data so you can respond faster. USM performs authenticated and unauthenticated vulnerability scanning as well as continuous passive monitoring with the most up-to-date vulnerability signatures from AlienVault Labs.
SIEM & Log Management
USM has powerful SIEM and centralized logging capabilities built in so you can readily identify and investigate security incidents from a single console. USM correlates security events from its built-in security tools as well as from external data sources so that when an incident happens, you have immediate 360° visibility of the actors, targeted assets and their vulnerabilities, methods of attack, and more.
Network Intrusion Detection System (NIDS)
NIDS detects known threats and attack patterns targeting your vulnerable assets. It scans your network traffic, looking for the signatures of the latest attacks, malware infections, system compromise techniques, policy violations, and other exposures, and it raises alarms in your USM dashboard to alert you when threats are identified.
USM’s behavioral monitoring capabilities enable you to spot and investigate suspicious traffic and activities that fall outside of your baseline or “normal” operations. USM works to:
Researching threats and maintaining your SIEM software, IDS, and vulnerability assessment tools for the latest threat detection isn’t trivial. Without a team of in-house security analysts, this can be a challenge. AlienVault Labs’ research team fuels your USM platform with the latest threat intelligence updates, so you can focus on detecting and responding to the most critical issues in your environment.
The AlienVault Labs threat research team acts as an extension to your in-house security resources, mapping out the different types of attacks, the latest threats, suspicious behavior, vulnerabilities, and exploits they uncover across the entire threat landscape. They leverage the power of AlienVault Open Threat Exchange™ (OTX), the world’s largest crowd-sourced repository of threat data, to provide global insight into attack trends and bad actors.
AlienVault Labs delivers the latest IDS attack signatures and correlation directives directly to your USM environment, so that you always have the most up-to-date threat intelligence as you monitor your environment for intrusions and other threats.
Continuous Security Intelligence Delivered
In USM, security intelligence is continuously delivered in the form of coordinated rulesets. These include:
Community-powered Threat Information via OTX
The Open Threat Exchange (OTX) is the world’s largest crowd-sourced repository of threat data. This community of security and IT professionals shares threat data as it emerges, in “pulses” of indicators.
When you deploy USM, you get access to all AlienVault Labs OTX pulses by default. You can also subscribe to other OTX pulses posted by security researchers, AlienVault Partners, and OTX community members so that you get global insight into attack trends and bad actors that could impact your operations.