Intrusion Detection System (IDS)

AlienVault^® Unified Security Management™ (USM™) delivers built-in intrusion detection systems for your critical IT infrastructure, enabling you to detect threats as they emerge in the cloud and on premises. With AlienVault USM, you can also collect and correlate events from your existing IDS/IPS into a single console for complete security visibility while protecting your investments.

USM provides comprehensive intrusion detection as part of an all-in-one unified security management console. It includes built-in host intrusion detection (HIDS), network intrusion detection (NIDS), as well as AWS IDS and Azure IDS for your public cloud environments.

To ensure that you are always equipped to detect the latest emerging threats, AlienVault Labs Security Research Team delivers continuous threat intelligence updates directly to USM. This threat data is backed by the AlienVault Open Threat Exchange™ (OTX™)—the world’s first open threat intelligence community.

Intrusion Detection Systems for Any Environment

• Intrusion Detection for AWS & Azure Clouds
• Network Intrusion Detection System (NIDS)
• Host Intrusion Detection System (HIDS) and File Integrity Monitoring (FIM)

Quickly View Threats in the Dashboard

• Use the Kill Chain Taxonomy to quickly assess threat intent and strategy
• Automatic notifications and noise reduction help you to work more efficiently

Powerful Analytics Uncover Threat and Vulnerability Details – All in One Console

• Search and analyze events and event details in highly granular, flexible ways
• Identify assets and vulnerabilities in a consolidated view

Integrated Threat Intelligence from AlienVault Labs

• Continuous threat intelligence delivered, so you can focus on responding to threats faster
• Powered by the Open Threat Exchange (OTX)

Intrusion Detection in the Cloud

While traditional IDS software is not optimized for public cloud environments, intrusion detection remains an essential part of your cloud security monitoring. That’s why USM Anywhere™ provides native intrusion detection system (IDS) capabilities in AWS and Azure cloud environments. Purpose-built cloud sensors in USM Anywhere leverage the control plane management tools in AWS and Azure, giving you full visibility into every operation that happens in your cloud “data center.”

Network Intrusion Detection System (NIDS)

On premises, use the built-in network intrusion detection system (NIDS) to catch threats targeting your vulnerable systems with signature-based anomaly detection and protocol analysis technologies. NIDS sensors collect data from multiple on-premises applications, systems, and devices to identify the latest attacks, malware infections, system compromise techniques, policy violations, and other exposures.

Host-based Intrusion Detection System (HIDS) and File Integrity Monitoring (FIM)

Host Intrusion Detection Systems (HIDS) enable you to analyze system behavior and configuration status to track user access and activity. With built-in HIDS in USM, you can detect potential security exposures such as system compromise and changes to critical configuration files (e.g. registry settings, /etc/passwd), common rootkits, and rogue processes.

Benefits of Host Intrusion Detection include:

• Simple installation of HIDS sensors
• The ability to log verbose application activity, providing security visibility at the application layer
• The ability to run file and Windows registry integrity scans to spot any tampering with sensitive and essential files
• Rootkit detection and other malware installation detection on your servers and workstations

Get to the bottom of who and what’s targeting your assets and what systems are vulnerable.

Search and Analyze Events

You have the flexibility to conduct your own analysis. For example, you may want to search for events that came from the same host as the offending traffic triggering an alarm.

• Search events to identify activity and trends
• Filters help you find more granular data
• Sort by event name, IP address, and more
• Examine raw log data related to alarm activity
• Raw logs are digitally signed for evidentiary purposes

Check Assets and Vulnerabilities

Search the built-in asset inventory for assets involved with an alarm. Integrated vulnerability assessment scans indicate whether an attack is relevant by identifying vulnerable operating systems, applications and services and more – all consolidated into a single view.

• See all reported alarms and events by asset
• Modify your mitigation / remediation strategy based on presence of threats targeting vulnerable systems
• Correlate reported vulnerabilities with malicious traffic

Examine Event Details

See the alarm, the individual event(s) that triggered the alarm, and the priority of the alarm.

You can click on any event to examine details such as:

• Normalized event
• SIEM information
• Reputation of source and destination IP addresses
• Knowledge base about the event
• Forensics data about what triggered the event

Inspect Packet Captures

Use integrated packet capture functionality to capture interesting on-premises traffic for offline analysis. In USM Appliance, packets can be viewed in the web user interface, or you can download the capture as a PCAP file.

• Set capture timeout
• Select number of packets to capture
• Choose source and destination IP addresses to capture