Network Security Monitoring
AlienVault® Unified Security Management™ (USM™) gives you complete network security monitoring for your cloud, hybrid cloud, and on-premises infrastructure, all in a single pane of glass.
Complete Network Security Monitoring in a Single Pane of Glass
Effective network security monitoring requires you to collect, analyze, and correlate security data from across your cloud and on-premises environments to identify threats and intrusions. Alone, intrusion detection systems (IDS) are not enough. To fully monitor and protect your network, you need a unified view of—
- What's connected to your infrastructure at all times
- Vulnerable systems that could be exploited
- Threats and communication with known malicious hosts
- Baseline of network behavior and any deviations
- Security incidents with correlated event data
- Regular threat intelligence updates
Traditionally, orchestrating this information within network security monitoring software has been complex, expensive, and out of reach for most organizations. AlienVault® Unified Security Management™ (USM™) breaks through this complexity and expense by bringing together five essential security capabilities on an all-in-one platform that’s cost effective and easy to use.
In addition, continuous threat intelligence updates from AlienVault Labs are delivered to USM, backed by the AlienVault Open Threat Exchange™ (OTX™) — the world’s first open threat intelligence community.
AlienVault USM delivers essential network security monitoring tools in a single pane of glass, enabling you to—
Know Your Assets & Vulnerabilities
- Asset Discovery & Inventory
- Vulnerability Assessment
Detect Threats & Intrusions Faster
- Cloud Intrusion Detection (CIDS)
- Network Intrusion Detection (NIDS)
- Host-Based Intrusion Detection (HIDS)
Monitor Network Behavior for Suspicious Activity
- Monitor Cloud Activity in USM Anywhere™
- Inspect Packet Captures
- Analyze Network Flow in USM Appliance™
Analyze Security Incidents with SIEM
- Cross-Correlation Directives
- Incident Response Guidance
Leverage AlienVault Labs Threat Intelligence
- Intelligence Updates Delivered Continuously
- OTX Community-driven Threat Intelligence
Know Your Assets & Vulnerabilities
For effective network security monitoring, you need to see what devices are connected in your environment and how the vulnerabilities on those assets expose you to threats and intrusions.
Because USM combines asset discovery and inventory, vulnerability assessment, intrusion detection data and threat intelligence within a single pane of glass, you can know (within minutes of installation):
- What assets are connected / online
- What vulnerabilities exist on those assets
- What threats or intrusions are being executed against your vulnerable assets
- Which vulnerabilities are actively being exploited in the wild and how
Knowing which vulnerabilities are actively being exploited in the wild helps you to better plan and prioritize your remediation activities.
Asset Discovery & Inventory
With USM, you can auto-discover the IP-enabled devices on your network, how they’re configured, what services are installed and actively listening, any potential vulnerabilities, and any active threats being executed against them. USM uses active network scanning to discover assets, so a host is only inventoried if it is reachable from the sensor and responds to the scanner’s probes; segments the sensor cannot reach need their own scan coverage.
With vulnerability assessment in USM, you can find and fix the “holes” in your network that expose you to threats and intrusions. And, when intrusions do occur, you have a unified view of important asset and vulnerability data so you can respond faster.
USM performs authenticated vulnerability scanning with the most up-to-date vulnerability signatures from the AlienVault Labs Security Research Team. An authenticated scan logs in to the target with credentials you supply, so it can check installed package versions and local configuration rather than only what is visible from the network; unauthenticated scans miss vulnerabilities in software that is not exposed on a listening port.
Detect Threats & Intrusions Faster
Attacks do not usually happen in one swift blow. Rather, they unfold in multiple steps. The earlier you detect attacks, the better chance you have at intervening to prevent a data breach or other harm.
USM enables early intrusion detection and response with built-in cloud intrusion detection (CIDS), network intrusion detection (NIDS), and host intrusion detection (HIDS) systems. These tools monitor your traffic and hosts, looking for anomalous behaviors and known attack patterns. The built-in SIEM capability in USM automatically correlates IDS data with other security information to give you complete visibility of your security posture.
In addition, AlienVault Labs Security Research Team delivers the latest IDS attack signatures and correlation directives directly to your USM environment, so that you always have the most up-to-date threat intelligence as you monitor your environment for intrusions and other threats.
Cloud Intrusion Detection System (CIDS)
USM Anywhere provides native intrusion detection system (IDS) capabilities in AWS and Azure cloud environments. Purpose-built cloud sensors in USM Anywhere read from the AWS and Azure APIs, so you have visibility into the API-level operations (account, resource and configuration changes) that happen in your cloud "data center." This is API and log visibility, not packet inspection: it complements, rather than replaces, the traffic-based detection that NIDS performs on premises.
Network Intrusion Detection System (NIDS)
NIDS detects known threats and attack patterns targeting your vulnerable assets. It scans your on-premises network traffic, looking for the signatures of the latest attacks, malware infections, system compromise techniques, policy violations, and other exposures, and it raises alarms in your USM dashboard to alert you when threats are identified.
Host-based Intrusion Detection System (HIDS)
HIDS employs an agent on each host to analyze the behavior and configuration status of the system. HIDS tracks user access and activity, including any changes in critical system files, configuration files, registry settings, and content files, making it an effective file integrity monitoring (FIM) tool.
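The file integrity monitoring that HIDS provides comes down to a baseline of hashes and metadata compared against a later snapshot. The following is an added example, not USM or OSSEC agent code: it records a SHA-256 digest, size and permission bits for every regular file under a directory, then diffs two snapshots. The directory tree, file contents and tampering in `demo()` are constructed; the attribute set and the choice to skip symlinks are simplifications of what a real agent records.

```python
"""Added example: a minimal file-integrity check of the kind a HIDS agent performs.
Not USM/OSSEC code; the directory layout and tampering below are constructed."""
import hashlib
import os
import shutil
import stat
import tempfile


def file_digest(path, algo="sha256"):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record digest, size and permission bits for every regular file under root.
    Keys are root-relative paths with forward slashes so baselines are portable."""
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are skipped in this demo
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = {
                "sha256": file_digest(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return entries


def compare(baseline, current):
    """Diff two snapshots: new files, deleted files, and which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in ("sha256", "size", "mode") if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, mode)  # pin the mode so the demo does not depend on umask


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, report the diff."""
    root = tempfile.mkdtemp(prefix="fim-demo-")
    try:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/hosts", b"127.0.0.1 localhost\n")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n", mode=0o600)
        baseline = snapshot(root)

        # Tampering: a new uid-0 account appended, a config file made world-writable,
        # an executable dropped into the PATH, and a file deleted.
        _write(root, "etc/passwd",
               b"root:x:0:0:root:/root:/bin/bash\nbackdoor:x:0:0::/root:/bin/bash\n")
        os.chmod(os.path.join(root, "etc", "ssh", "sshd_config"), 0o666)
        _write(root, "usr/local/bin/update-helper", b"#!/bin/sh\nexit 0\n", mode=0o755)
        os.remove(os.path.join(root, "etc", "hosts"))

        return compare(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(kind, items)
```

The comparison reports which attribute changed, not just that the file did: a content change with an unchanged size (an edited config value of the same length) still shows up through the digest, and a permission change with unchanged content (the `sshd_config` case) still shows up through the mode bits. A production agent would additionally protect the baseline itself, since an attacker who can rewrite it can hide every change.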
Monitor Network Behavior to Spot Suspicious Activity
To catch the latest threats, you must be able to keep a pulse on the activities happening in your environment to identify any anomalies and other unknown patterns of behavior. Behavioral monitoring enables you to spot and investigate suspicious activities that fall outside of your baseline or "normal" operations.
AlienVault USM provides built-in behavioral monitoring capabilities to:
- Monitor asset access logs, VMware ESXi access logs, and cloud access logs including Azure Insights, AWS CloudTrail, S3, ELB, and VPC Flow Logs
- Identify protocols and baseline “normal behavior”
- Spot anomalies, policy violations, and suspicious activity
- Monitor system services and detect unexpected outages
- Conduct full protocol analysis on on-premises network traffic
With AlienVault USM, you can use multi-layered behavioral monitoring techniques to detect anomalous and suspicious activity that could signal an emerging threat or intrusion in your cloud or on-premises environment.
Inspect Packet Capture
Security analysts can inspect packet captures of on-premises network traffic. USM displays the relevant payload information in each event summary, so an analyst can check what actually crossed the wire (the request, the response, the file contents) rather than relying on the signature name alone.
Monitoring Cloud Activity in USM Anywhere
It’s essential to your cloud security monitoring to know what users and services are consuming your cloud resources so that you can identify the account activities that constitute “normal user behavior” and investigate the activities that do not. With USM Anywhere, you can natively monitor your AWS and Azure account activities and identify changes that may be indicative of a threat to your cloud environment.
Network Flow Analysis in USM Appliance
In USM Appliance, network flow analysis provides high-level trends related to your “normal” network traffic behavior, including protocols, hosts, and bandwidth usage, without needing the storage capacity required for full packet capture. Having network flow data side-by-side with asset inventory and alarm data in USM makes incident response faster and easier.
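Flow records carry exactly the fields the behavioral monitoring list above and this section describe: hosts, ports, protocol, byte counts and whether the flow was accepted or rejected, but no payload. The following is an added example, not USM code, that parses constructed AWS VPC Flow Log records in the default version-2 layout, derives the high-level trends (bytes per protocol, top talkers), learns a per-host baseline of services used and bytes sent from a "last week" window, and flags deviations in a "now" window. The log lines, the 10.0.0.0/8 hosts, the TEST-NET external addresses and the thresholds (`volume_factor`, `reject_threshold`) are assumptions made for the demo.

```python
"""Added example: baselining VPC Flow Log records and flagging deviations.
Not USM code; the record format is the default AWS VPC Flow Log v2 layout and
the log lines, hosts and thresholds below are constructed."""
from collections import Counter, defaultdict

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()
PROTO_NAMES = {"6": "tcp", "17": "udp", "1": "icmp"}

# Constructed "last week" window used to learn normal behaviour.
BASELINE_WINDOW = """
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49152 443 6 20 4000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.30 49153 53 17 2 200 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49154 443 6 25 5000 1700000060 1700000120 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.11 10.0.2.20 50000 443 6 10 3000 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.11 10.0.2.20 50001 443 6 10 3000 1700000060 1700000120 ACCEPT OK
"""
# Constructed "now" window: a connection to an unusual port, a bulk transfer, a port sweep.
CURRENT_WINDOW = """
2 123456789012 eni-0a1b2c3d 10.0.1.10 10.0.2.20 49200 443 6 20 4000 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.10 203.0.113.7 49201 4444 6 15 1800 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3e 10.0.1.11 198.51.100.9 50100 443 6 7000 10000000 1700003600 1700003660 ACCEPT OK
2 123456789012 eni-0a1b2c3f 10.0.1.12 10.0.2.20 40000 22 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3f 10.0.1.12 10.0.2.20 40001 23 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3f 10.0.1.12 10.0.2.20 40002 445 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3f 10.0.1.12 10.0.2.20 40003 3389 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3f 10.0.1.12 10.0.2.20 40004 5900 6 1 60 1700003600 1700003660 REJECT OK
2 123456789012 eni-0a1b2c3f - - - - - - - 1700003600 1700003660 - NODATA
"""


def parse_flow_log(text):
    """Parse default-format v2 records; skip NODATA/SKIPDATA and malformed lines."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for key in ("srcport", "dstport", "packets", "bytes", "start", "end"):
            rec[key] = int(rec[key])
        rec["protocol"] = PROTO_NAMES.get(rec["protocol"], rec["protocol"])
        records.append(rec)
    return records


def summarize(records):
    """The trends flow data gives without full capture: protocol mix and top talkers."""
    by_proto, by_src = Counter(), Counter()
    for r in records:
        by_proto[r["protocol"]] += r["bytes"]
        by_src[r["srcaddr"]] += r["bytes"]
    return {"bytes_by_protocol": dict(by_proto), "top_talkers": by_src.most_common(3)}


def build_baseline(records):
    """Per source host: which (port, protocol) services it uses and bytes it sends."""
    services, bytes_out = defaultdict(set), Counter()
    for r in records:
        if r["action"] != "ACCEPT":
            continue
        services[r["srcaddr"]].add((r["dstport"], r["protocol"]))
        bytes_out[r["srcaddr"]] += r["bytes"]
    return {"services": dict(services), "bytes_out": bytes_out}


def find_anomalies(baseline, records, volume_factor=5, reject_threshold=5):
    """Flag a known host using a service it never used, a volume spike, or many
    rejected flows. Thresholds are assumptions for the demo, not tuned values."""
    findings, seen = [], set()
    rejects, bytes_now = Counter(), Counter()
    for r in records:
        src = r["srcaddr"]
        if r["action"] == "REJECT":
            rejects[src] += 1
            continue
        service = (r["dstport"], r["protocol"])
        known = baseline["services"].get(src)
        if known is not None and service not in known and (src, service) not in seen:
            seen.add((src, service))
            findings.append((src, "new_service", f"{r['dstaddr']}:{r['dstport']}/{r['protocol']}"))
        bytes_now[src] += r["bytes"]
    for src, total in bytes_now.items():
        base = baseline["bytes_out"].get(src)
        if base and total > volume_factor * base:
            findings.append((src, "volume_spike", f"{total} bytes vs baseline {base}"))
    for src, n in rejects.items():
        if n >= reject_threshold:
            findings.append((src, "rejected_flows", f"{n} rejected flows in window"))
    return findings


def demo():
    baseline = build_baseline(parse_flow_log(BASELINE_WINDOW))
    return find_anomalies(baseline, parse_flow_log(CURRENT_WINDOW))


if __name__ == "__main__":
    print(summarize(parse_flow_log(BASELINE_WINDOW)))
    for src, kind, detail in demo():
        print(f"{src:12} {kind:15} {detail}")
```

Three of the flow-only signals the section refers to fall out of this: a host that has never spoken to port 4444 suddenly doing so, a host sending several times its usual volume to an address it has not used before, and a host generating a burst of rejected connections across many ports. None of these needs payload; what flow data cannot tell you is whether the 443 traffic was really TLS, which is where the packet capture and NIDS sections above come in.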
Analyze Security Incidents with SIEM
The goal of network security monitoring is to detect and respond to threats as early as possible to prevent data loss or disruption to your operations. However, this can be complicated when mountains of security-related events and log data are continuously produced by multiple disparate security tools.
USM has powerful SIEM and centralized logging capabilities built in so you can aggregate and make sense of security data generated across your network. Going beyond traditional SIEM products, USM natively combines five essential security capabilities so that when an incident happens, you have immediate 360° visibility of the actors, targeted assets and their vulnerabilities, methods of attack, and more.
USM ships with ready-to-use SIEM correlation rules so that you can launch faster and start detecting threats on Day One. As threats evolve, threat intelligence is continuously updated by AlienVault Labs and delivered directly to USM.
For IDS-generated events, which by themselves can be quite noisy, USM checks what vulnerabilities an exploit would need in order to succeed, then checks whether the targeted asset actually has them. This data is correlated and risk is assessed, so you can focus on the information that matters most.
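The cross-check just described, an IDS alert weighed against what the vulnerability scanner knows about the target, is worth seeing concretely. The following is an added example, not USM's risk formula or data schema: a constructed asset inventory (criticality and CVEs found by the last scan), a constructed reputation list using documentation address ranges, and constructed IDS alerts whose `cve` field names the vulnerability the signature's exploit requires. The scoring weights, the "10." internal-range assumption and the field names are all choices made for the demo.

```python
"""Added example: correlate IDS alerts with asset and vulnerability inventory to
rank them. The scoring model, asset records, reputation list and alerts are
constructed for the demo; this is not USM's risk formula or data schema."""

# Constructed asset inventory keyed by IP: criticality 1-5 and vulnerabilities
# found by the last (assumed authenticated) scan, as CVE identifiers.
ASSETS = {
    "10.0.2.20": {"name": "web-01", "criticality": 5, "vulns": {"CVE-2021-44228"}},
    "10.0.2.21": {"name": "app-02", "criticality": 3, "vulns": set()},
    "10.0.2.22": {"name": "files-01", "criticality": 4, "vulns": {"CVE-2017-0144"}},
}

# Constructed reputation feed; 203.0.113.0/24 is a documentation range.
KNOWN_BAD = {"203.0.113.7"}

# Constructed IDS alerts. `cve` is the vulnerability the signature's exploit
# needs on the target; None means the signature is not tied to one CVE.
ALERTS = [
    {"sig": "Log4j JNDI lookup in HTTP header", "severity": 5,
     "cve": "CVE-2021-44228", "src": "203.0.113.7", "dst": "10.0.2.20"},
    {"sig": "Log4j JNDI lookup in HTTP header", "severity": 5,
     "cve": "CVE-2021-44228", "src": "198.51.100.4", "dst": "10.0.2.21"},
    {"sig": "SMB MS17-010 exploit attempt", "severity": 5,
     "cve": "CVE-2017-0144", "src": "10.0.1.77", "dst": "10.0.2.22"},
    {"sig": "SMB MS17-010 exploit attempt", "severity": 5,
     "cve": "CVE-2017-0144", "src": "10.0.1.77", "dst": "10.0.2.99"},
    {"sig": "HTTP directory traversal attempt", "severity": 3,
     "cve": None, "src": "198.51.100.4", "dst": "10.0.2.21"},
]


def assess(alert, assets=ASSETS, known_bad=KNOWN_BAD):
    """Return a verdict and score for one alert. Demo model:
    score = severity * asset criticality * exploitability, times 1.5 for a known-bad source."""
    asset = assets.get(alert["dst"])
    tags = []
    if asset is None:
        # No inventory entry: exposure cannot be verified, but an unknown host is itself a finding.
        exploitability, verdict, crit = 0.5, "unmanaged-target", 1
    elif alert["cve"] is None:
        exploitability, verdict, crit = 0.5, "unverified", asset["criticality"]
    elif alert["cve"] in asset["vulns"]:
        exploitability, verdict, crit = 1.0, "exploitable", asset["criticality"]
    else:
        # The exploit needs a vulnerability the scanner says is absent: demote, keep as evidence.
        exploitability, verdict, crit = 0.1, "not-vulnerable", asset["criticality"]
    score = alert["severity"] * crit * exploitability
    if alert["src"] in known_bad:
        score *= 1.5
        tags.append("known-bad-source")
    if alert["src"].startswith("10."):
        tags.append("internal-source")  # assumption: 10/8 is the internal range
    return {"sig": alert["sig"], "src": alert["src"], "dst": alert["dst"],
            "asset": asset["name"] if asset else None,
            "verdict": verdict, "tags": tags, "score": round(score, 1)}


def prioritize(alerts=ALERTS):
    """Score every alert and return them highest-risk first."""
    return sorted((assess(a) for a in alerts), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['score']:5} {r['verdict']:16} {r['sig']} {r['src']} -> {r['dst']} {r['tags']}")
```

Two identical Log4j signatures end up at opposite ends of the queue: the one hitting a host the scanner found vulnerable, from a known-bad source, ranks first, while the one hitting a host without that CVE is demoted to evidence. The demoted alert is kept rather than dropped because the scan data can be stale; a host patched since the last scan or vulnerable since it is the same failure mode in reverse, which is why the example also surfaces a target that is missing from the inventory altogether.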
Incident Response Guidance
USM delivers dynamic incident response guidance to assist you with your intrusion response, including details about:
- The internal host, such as owner, network segment, and services that are installed
- Network protocols in use and associated risks
- The external host and known past exploits
- The importance of identifying C&C traffic
- Specific actions to take for further investigation and threat containment
Leverage Threat Intelligence from AlienVault Labs and OTX
To successfully monitor your cloud and on-premises environments for security threats and intrusions, you need always-up-to-date security intelligence. Without a dedicated in-house team of security analysts, this can be a challenge.
That's why the AlienVault Labs Security Research Team spends countless hours analyzing the current threat landscape and mapping out the different types of attacks, the latest threats, suspicious behavior, vulnerabilities and exploits they uncover.
The AlienVault Labs Security Research Team continuously publishes intelligence updates to USM in the form of correlation directives, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, report templates, data source plugins, and more.
The AlienVault Labs Security Research Team leverages security intelligence from OTX, the world’s largest crowd-sourced repository of threat data, so you get global insight into attack trends and bad actors that may impact your network.
Correlation Directive Updates Delivered
Correlation directives are policy rules that link together specific events and sequences of events indicative of a threat or intrusion. They are used to correlate events generated by the built-in USM essential capabilities and by other network data sources to raise alarms that alert you as security incidents escalate.
AlienVault researches, writes, and continuously delivers the latest correlation rules to USM, saving you significant time and effort, so you can focus on responding to incidents and protecting your data.
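A correlation directive, as described above, is a sequence of event stages tied together by shared fields and a time window. The following is an added example, not USM's directive syntax or engine: a small matcher that feeds events in time order through two constructed directives, one for a brute-force login that eventually succeeds and one for an exploit alert followed by the target connecting back to the attacker. The event shape (`ts`, `type`, `src_ip`, `dst_ip`), the stage counts and windows, and the event stream itself are all constructed for the demo.

```python
"""Added example: a small correlation-directive engine. The directive format,
event shape and event stream are constructed for this demo; they are not USM's
directive syntax or its events."""

# Each stage: events it matches, how many are needed, and which event fields
# form the key that ties the stages together. Listing the key per stage lets a
# later stage match the reverse direction of an earlier one (victim -> attacker).
DIRECTIVES = [
    {"name": "SSH brute force followed by successful login",
     "window_seconds": 600,
     "stages": [
         {"match": {"type": "ssh_auth_failure"}, "occurrences": 5, "key": ("src_ip", "dst_ip")},
         {"match": {"type": "ssh_auth_success"}, "occurrences": 1, "key": ("src_ip", "dst_ip")},
     ]},
    {"name": "Exploit attempt followed by outbound connection from target to attacker",
     "window_seconds": 300,
     "stages": [
         {"match": {"type": "ids_alert"}, "occurrences": 1, "key": ("src_ip", "dst_ip")},
         {"match": {"type": "flow_start"}, "occurrences": 1, "key": ("dst_ip", "src_ip")},
     ]},
]

# Constructed event stream (ts in seconds). 10.0.1.50 brute-forces 10.0.2.20 and
# gets in; 10.0.1.51 mistypes a password three times; 203.0.113.7 exploits
# 10.0.2.20, which then connects back; 203.0.113.8 tries 10.0.2.21 with no follow-up.
EVENTS = (
    [{"ts": t * 10, "type": "ssh_auth_failure", "src_ip": "10.0.1.50", "dst_ip": "10.0.2.20"} for t in range(5)]
    + [{"ts": 50, "type": "ssh_auth_success", "src_ip": "10.0.1.50", "dst_ip": "10.0.2.20"}]
    + [{"ts": 60 + t * 5, "type": "ssh_auth_failure", "src_ip": "10.0.1.51", "dst_ip": "10.0.2.20"} for t in range(3)]
    + [{"ts": 80, "type": "ssh_auth_success", "src_ip": "10.0.1.51", "dst_ip": "10.0.2.20"}]
    + [{"ts": 100, "type": "ids_alert", "src_ip": "203.0.113.7", "dst_ip": "10.0.2.20"},
       {"ts": 130, "type": "flow_start", "src_ip": "10.0.2.20", "dst_ip": "203.0.113.7"},
       {"ts": 140, "type": "ids_alert", "src_ip": "203.0.113.8", "dst_ip": "10.0.2.21"}]
)


def _matches(event, conditions):
    return all(event.get(k) == v for k, v in conditions.items())


def run_directives(events, directives=DIRECTIVES):
    """Feed events in time order through every directive; return the alarms raised."""
    alarms = []
    state = [dict() for _ in directives]  # per directive: key -> progress
    for ev in sorted(events, key=lambda e: e["ts"]):
        for d, progress in zip(directives, state):
            for idx, stage in enumerate(d["stages"]):
                if not _matches(ev, stage["match"]):
                    continue
                key = tuple(ev.get(f) for f in stage["key"])
                cur = progress.get(key)
                if cur is None:
                    if idx != 0:
                        continue  # a later stage with no earlier stage is just noise
                    cur = progress[key] = {"stage": 0, "count": 0, "first_ts": ev["ts"]}
                if cur["stage"] != idx:
                    continue  # only the stage we are waiting for advances the sequence
                if ev["ts"] - cur["first_ts"] > d["window_seconds"]:
                    del progress[key]  # expired; a fresh stage-0 event restarts it
                    if idx != 0:
                        continue
                    cur = progress[key] = {"stage": 0, "count": 0, "first_ts": ev["ts"]}
                cur["count"] += 1
                if cur["count"] >= stage["occurrences"]:
                    cur["stage"], cur["count"] = cur["stage"] + 1, 0
                    if cur["stage"] == len(d["stages"]):
                        alarms.append({"directive": d["name"], "key": key, "ts": ev["ts"]})
                        del progress[key]
                break  # one stage per event per directive
    return alarms


if __name__ == "__main__":
    for a in run_directives(EVENTS):
        print(a["ts"], a["directive"], a["key"])
```

The value of the directive is in what it does not alarm on: three failed logins followed by a success is a user mistyping a password and stays silent, and an exploit signature with no callback stays at stage one until its window expires. Only the full sequence, tied to the same source and destination, raises an alarm, which is why a directive-based alarm carries far less noise than the individual IDS or authentication events it is built from.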
OTX Community-Driven Threat Intelligence
OTX is a community for security and IT professionals to share threat data as it emerges. AlienVault Labs Security Research Team leverages OTX threat data to bolster the threat intelligence updates in USM. You can also browse the community-created OTX pulses to stay informed with threat intelligence from security researchers, AlienVault Partners, and other members.