Build a smarter Security Operations Center (SOC) for your cloud, hybrid cloud, and on-premises critical infrastructure with AlienVault Unified Security Management (USM).
Build a Smarter SOC with Unified Security Management
The purpose of a Security Operations Center (SOC) is to identify, investigate, prioritize, and resolve issues that could affect the security of an organization’s critical infrastructure and data. A well-developed and well-run SOC can perform real-time threat detection and incident response with SOC analysts that can deliver rapid security intelligence to stakeholders and senior management identifying when an attack starts, who is attacking, how the attack is being conducted, and what data or systems are being compromised.
For many organizations, however, “SOC Analyst” is just one of many hats worn by IT professionals. Today’s IT teams need a solution that provides the same threat detection and incident response capabilities as a world-class security operation center, but at a fraction of the cost to deploy and manage it.
Whether you’re looking for a “SOC in a box” or looking to extend the threat detection capabilities of your enterprise security operations, AlienVault USM delivers a smarter SOC solution.
USM is continuously updated with the latest threat intelligence from AlienVault Labs Security Research Team, backed by the Open Threat Exchange™ (OTX™), so you always have the latest threat information from the global security community.
AlienVault USM delivers the power of a SOC out of the box with Security Operations Center tools and essential capabilities that allow you to:
Identify the Business-Critical Assets in Your Environment
- Discover your critical assets within minutes of deploying USM
- Perform continuous active asset scans to identify devices as they come online
Find the Vulnerabilities in Your Environment Before Attackers Do
- Actively scan your critical assets for vulnerabilities that attackers could exploit
- Launch vulnerability scanning in AWS and Azure cloud environments
Use Multi-Layered Threat Detection Technologies to Identify Attacks
- Cloud Intrusion Detection
- Network Intrusion Detection (NIDS)
- Host Intrusion Detection (HIDS)
Know What’s “Normal” Behavior – and What’s Not
- Take a baseline of your network activities with multiple behavioral monitoring technologies
Know which Threats to Focus on Right Now
- Leverage powerful SIEM event correlation to alert you to the most severe threats
- Use the Kill Chain Taxonomy to prioritize incident response activities
Identify the Business-Critical Assets in Your Environment
Having a deep understanding of all the assets in your cloud environments and data center is the first step in being able to respond to and contain the most serious threats. Asset discovery and inventory enables you to prioritize and mitigate threats to critical systems, which is an essential component of an effective security operations center.
Within minutes of installing USM, you’ll be able to discover all the devices connected to your environment, what services are running on them, how they’re configured, any potential vulnerabilities and active threats being executed against them.
Active asset scanning—built into USM—probes your environments for responses from devices. These responses provide clues that help identify the device, the OS, running services, and configuration details. This information creates an inventory for vulnerability scanning and intrusion detection.
With devices dynamically connecting and disconnecting from your environment—especially in elastic cloud environments—it’s important to continuously scan for assets. With USM, you can readily schedule asset scans and asset group scans to run on a per-minute, hourly, or daily basis.
Find the Vulnerabilities in Your Environment Before Attackers Do
Being able to pinpoint “holes” or vulnerabilities in your IT environment gives you a deeper understanding of how your organization may be exploited during a breach.
A security operations center needs to run vulnerability assessment on a regular and on-going basis to ensure new vulnerabilities are discovered and responded to in a timely manner.
AlienVault USM provides the following approaches to automate vulnerability assessment:
Active Network Scanning
AlienVault USM actively probes the network to elicit responses from hosts. This allows AlienVault USM to determine the configuration of the remote system and cross-reference it with a database of known vulnerabilities.
Host-based Assessment
Using access to the file system of a host, AlienVault USM’s analysis engine can perform a more accurate detection of vulnerabilities by inspecting the installed software and comparing with a list of known vulnerable software packages.
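The host-based approach described above comes down to one comparison: the version of each installed package against the first version an advisory says is fixed. The following is an added illustration of that mechanism, not AlienVault code; the dpkg-style inventory, the advisory list and the `ADV-*` identifiers are all constructed placeholders.

```python
"""Host-based vulnerability assessment, sketched as an added example.

Not AlienVault code. It takes a package inventory in the shape produced by
the host's package manager and compares each installed version against a
list of advisories that name the first fixed version. The inventory text,
the advisory list and the ADV-* identifiers are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed stand-in for `dpkg-query -W -f '${Package}\t${Version}\n'` output.
DPKG_OUTPUT = """\
curl\t7.68.0-1
openssl\t1.1.1-4
sudo\t1.8.31-1
"""


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # constructed placeholder, not a real CVE or vendor id
    package: str
    fixed_in: str      # first package version that is no longer affected
    severity: str


# Constructed advisories covering the three outcomes: affected, fixed, not installed.
ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.1.1-6", "high"),
    Advisory("ADV-0002", "sudo", "1.8.31-2", "high"),
    Advisory("ADV-0003", "curl", "7.64.0-1", "medium"),   # already fixed on this host
    Advisory("ADV-0004", "nginx", "1.18.0-1", "medium"),  # not installed here
]


def parse_inventory(output: str) -> Dict[str, str]:
    """Turn 'name<TAB>version' lines into a {package: version} map."""
    inventory: Dict[str, str] = {}
    for line in output.splitlines():
        if line.strip():
            name, version = line.split("\t", 1)
            inventory[name] = version
    return inventory


def parse_version(text: str) -> Version:
    """Keep the numeric components only: '1.8.31-1' -> (1, 8, 31, 1).

    Real distribution schemes (epochs, '~rc' suffixes, letter revisions)
    need the package manager's own comparator; this suffices for the example.
    """
    return tuple(int(part) for part in re.findall(r"\d+", text))


def find_vulnerable(inventory: Dict[str, str],
                    advisories: List[Advisory]) -> List[Tuple[str, str, str, str]]:
    """Return (advisory_id, package, installed_version, severity) for each advisory
    whose package is installed at a version below the fixed one."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is None:
            continue  # advisory is for software this host does not have
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.advisory_id, adv.package, installed, adv.severity))
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable(parse_inventory(DPKG_OUTPUT), ADVISORIES):
        print(*finding)
```

The same loop runs against a real inventory once `DPKG_OUTPUT` is replaced by the package manager's output and `ADVISORIES` by a vulnerability feed; the point the page makes is that, because the check reads the installed software directly, it does not depend on the host answering a network probe.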
Create scans that run per-minute, hourly, or daily during your off-peak hours. Automated scanning ensures continuous visibility of your vulnerabilities as your IT landscape changes.
AWS Vulnerability Scanning
USM Anywhere™ uses a purpose-built cloud sensor for AWS that automatically performs network vulnerability assessment within your AWS environment.
Azure Vulnerability Scanning
In USM Anywhere, the native Azure cloud sensor automatically scans your Azure environment to detect assets, assess vulnerabilities, and deliver remediation guidance.
Use Multi-Layered Threat Detection Technologies to Identify Attacks
Whereas vulnerability assessment helps you discover vulnerabilities in your systems, intrusion detection uncovers the attacks that are actively exploiting those vulnerabilities.
USM enables you to perform multi-layered intrusion detection in the cloud and in your data center. It leverages Open Threat Exchange™ (OTX™) threat intelligence validated and refined by AlienVault Labs Security Research Team to identify the latest tools, techniques, and attack methods used in the wild, so you stay one step ahead.
Network Intrusion Detection System (NIDS)
Catch threats targeting your on-premises vulnerable systems with signature-based anomaly detection and protocol analysis technologies.
Host Intrusion Detection System (HIDS) and File Integrity Monitoring (FIM)
USM analyzes system behavior and configuration status to detect potential security exposures such as system compromise, modification of critical files, rootkits and rogue processes.
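File integrity monitoring, one of the HIDS capabilities named above, works by fingerprinting monitored files once and comparing later scans against that record. The block below is an added example of that mechanism, not AlienVault code; the monitored tree and the changes made to it are constructed inside a temporary directory so the whole thing runs offline.

```python
"""File integrity monitoring baseline and comparison, as an added example.

Not AlienVault code. Each monitored file is fingerprinted by content hash,
permission bits and size; a later scan is diffed against the baseline and
reported as added, removed or modified paths. The monitored tree and the
tampering applied to it are constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List

Fingerprint = Dict[str, object]


def fingerprint(path: str) -> Fingerprint:
    """Hash the content in chunks and record mode bits and size."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = os.stat(path)
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def take_baseline(root: str) -> Dict[str, Fingerprint]:
    """Fingerprint every regular file under root, keyed by its relative path."""
    baseline: Dict[str, Fingerprint] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = fingerprint(full)
    return baseline


def compare(baseline: Dict[str, Fingerprint],
            current: Dict[str, Fingerprint]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified (any field differs)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }


def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a small /etc tree, change it, rescan."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "etc", "passwd"), "root:x:0:0:root:/root:/bin/sh\n")
        _write(os.path.join(root, "etc", "sshd_config"), "PermitRootLogin no\n")
        _write(os.path.join(root, "etc", "hosts.deny"), "ALL: ALL\n")
        baseline = take_baseline(root)

        # Constructed changes a later scan should surface.
        _write(os.path.join(root, "etc", "sshd_config"), "PermitRootLogin yes\n")  # content change
        os.chmod(os.path.join(root, "etc", "passwd"), 0o600)                      # mode-only change
        _write(os.path.join(root, "etc", "cron.d", "nightly"),
               "0 3 * * * root /opt/backup.sh\n")                                  # new file
        os.remove(os.path.join(root, "etc", "hosts.deny"))                        # deleted file
        return compare(baseline, take_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Recording mode bits alongside the hash is what lets the scan catch the permission-only change to `passwd`, which a content hash alone would miss; a production agent would also store ownership and either watch the filesystem for events or run the scan on a schedule, as the page describes for its other scans.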
USM Anywhere delivers native cloud intrusion detection system (CIDS) capabilities in AWS and Azure cloud environments. In USM Anywhere, purpose-built cloud sensors leverage the control plane management tools in AWS and Azure, giving you full visibility into every operation that happens in your cloud “data center.”
Threat Intelligence
USM receives threat intelligence updates continuously from the AlienVault Labs Security Research Team. The team acts as an extension to your IT team. They are constantly performing advanced research on current threats to develop updates to AlienVault USM’s threat intelligence in the form of SIEM correlation rules, IDS signatures, response guidance, and more.
Know What’s “Normal” Behavior – and What’s Not
Despite the best efforts of a security operations center team, not all breaches are avoidable. To minimize the impact of a breach, you need to be able to recognize when one might have occurred in your environment and know what to do next to minimize impact.
In a well-run security operations center, having the tools and process in place to monitor and set baselines for system behavior allows you to quickly detect and respond to breaches.
USM Anywhere leverages cloud-specific log data, including AWS VPC Flow logs, to identify the traffic patterns in your public cloud environment, so you can determine “normal” activity and identify any deviations.
USM Appliance™ provides the following behavioral monitoring capabilities:
Active Service Monitoring
Validates that services running on hosts are continuously available.
Netflow Analysis
Analyzes the protocols and bandwidth used by each device and alerts where behavior falls outside of the norm.
Network Traffic Capture
Captures the TCP/IP stream allowing for replay of activity to determine what happened during a breach.
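The netflow analysis described above rests on two per-device baselines: how much traffic a host normally sends per interval, and which services it normally talks to. The following is an added example of that logic, not AlienVault code; the flow records are constructed, and the three-sigma threshold with a floor on the standard deviation is one reasonable choice among several.

```python
"""Behavioral baseline over flow records, as an added example.

Not AlienVault code. From a history of per-interval flow records the detector
learns, for each host, the typical bytes sent per interval and the set of
(protocol, port) services used, then flags a new interval that exceeds the
volume threshold or uses a service never seen before. All records are
constructed.
"""
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int, int]  # (src_host, proto, dst_port, bytes) within one interval
Service = Tuple[str, int]

# Constructed history: four hourly intervals of flows for two hosts.
HISTORY: List[List[Flow]] = [
    [("10.0.0.5", "tcp", 443, 110_000), ("10.0.0.5", "udp", 53, 2_000), ("10.0.0.9", "tcp", 445, 40_000)],
    [("10.0.0.5", "tcp", 443, 125_000), ("10.0.0.5", "udp", 53, 2_500), ("10.0.0.9", "tcp", 445, 38_000)],
    [("10.0.0.5", "tcp", 443, 118_000), ("10.0.0.5", "udp", 53, 1_800), ("10.0.0.9", "tcp", 445, 42_000)],
    [("10.0.0.5", "tcp", 443, 121_000), ("10.0.0.5", "udp", 53, 2_200), ("10.0.0.9", "tcp", 445, 41_000)],
]

# Constructed current interval: 10.0.0.5 looks normal, 10.0.0.9 does not.
CURRENT: List[Flow] = [
    ("10.0.0.5", "tcp", 443, 119_000), ("10.0.0.5", "udp", 53, 2_100),
    ("10.0.0.9", "tcp", 445, 40_500), ("10.0.0.9", "tcp", 22, 900_000),
]


def summarize(flows: List[Flow]) -> Tuple[Dict[str, int], Dict[str, Set[Service]]]:
    """Total bytes and set of services per host for one interval."""
    totals: Dict[str, int] = {}
    services: Dict[str, Set[Service]] = {}
    for host, proto, port, nbytes in flows:
        totals[host] = totals.get(host, 0) + nbytes
        services.setdefault(host, set()).add((proto, port))
    return totals, services


def build_baseline(history: List[List[Flow]]) -> Dict[str, dict]:
    """Per host: mean volume, alert threshold (mean + 3 sigma) and known services."""
    samples: Dict[str, List[int]] = {}
    known: Dict[str, Set[Service]] = {}
    for interval in history:
        totals, services = summarize(interval)
        for host, total in totals.items():
            samples.setdefault(host, []).append(total)
            known.setdefault(host, set()).update(services[host])
    baseline = {}
    for host, values in samples.items():
        mu, sigma = mean(values), pstdev(values)
        # Floor sigma at 5% of the mean so a perfectly steady history does
        # not turn every small fluctuation into an alert.
        sigma = max(sigma, 0.05 * mu)
        baseline[host] = {"mean": mu, "threshold": mu + 3 * sigma, "services": known[host]}
    return baseline


def detect(baseline: Dict[str, dict], flows: List[Flow]) -> List[dict]:
    """Compare one interval against the baseline and return alert records."""
    alerts: List[dict] = []
    totals, services = summarize(flows)
    for host, total in sorted(totals.items()):
        if host not in baseline:
            alerts.append({"host": host, "kind": "new_host", "bytes": total})
            continue
        b = baseline[host]
        if total > b["threshold"]:
            alerts.append({"host": host, "kind": "volume", "bytes": total,
                           "threshold": round(b["threshold"])})
        for svc in sorted(services[host] - b["services"]):
            alerts.append({"host": host, "kind": "new_service", "service": svc})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(HISTORY), CURRENT):
        print(alert)
```

With this history, `10.0.0.9` trips both checks in the current interval (roughly twenty times its usual volume, and an outbound service on port 22 it has never used), while `10.0.0.5` stays inside its band; replaying any historical interval through `detect` produces no alerts, which is the sanity check worth running before trusting a baseline.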
Know Which Threats to Focus on Right Now
When a variety of security technologies are deployed at scale, a security operations center can quickly become overwhelmed with a vast amount of data to analyze. This leads to questions like: What should be done first? What data needs further analysis? And where is my time best spent?
Evaluating each stream of data independently can be a poor use of your time. Instead, all data streams need to be considered as a whole with each adding further context to the other.
USM automates and simplifies the process of collating and correlating the vast amounts of data with its built-in Security Information and Event Management (SIEM).
SIEM normalizes and analyzes data from disparate sources and correlates it together to present a complete picture of the incidents occurring in the overall system. This is presented in a centralized dashboard which is arranged into the following five categories of the Kill Chain Taxonomy.
- System Compromise
- Exploitation & Installation
- Delivery & Attack
- Reconnaissance & Probing
- Environmental Awareness
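The SIEM step described above has three parts: normalize events from unlike sources into one schema, correlate them per asset so each adds context to the others, and rank the result by the five Kill Chain Taxonomy categories. The block below is an added example of that pipeline, not AlienVault code; the three log formats, the host names and addresses, and the mapping of messages to categories are all constructed for illustration.

```python
"""SIEM-style normalization, correlation and kill-chain ranking, as an added example.

Not AlienVault code. Three constructed log formats (a key=value NIDS alert,
an sshd-style auth line, a JSON HIDS/FIM record) are normalized into one Event
schema, grouped per host, and ranked by the page's five Kill Chain Taxonomy
categories. One correlation rule shows why the sources must be read together:
a successful login from an address that already failed twice against the same
host is escalated to System Compromise, which no single event reveals.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The page's five categories, ordered from least to most severe.
STAGES = ["Environmental Awareness", "Reconnaissance & Probing", "Delivery & Attack",
          "Exploitation & Installation", "System Compromise"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed mapping rules: (source, pattern on the normalized message) -> stage.
RULES = [
    ("nids", re.compile(r"^SCAN"), "Reconnaissance & Probing"),
    ("nids", re.compile(r"^POLICY"), "Environmental Awareness"),
    ("auth", re.compile(r"^Failed password"), "Delivery & Attack"),
    ("auth", re.compile(r"^Accepted password"), "Environmental Awareness"),
    ("hids", re.compile(r"^integrity_changed"), "Exploitation & Installation"),
]

# Constructed input lines; the last one is deliberately unparseable.
RAW_LINES = [
    'nids ts=2024-03-01T09:58:10Z sig="SCAN Nmap SYN sweep" src=203.0.113.7 dst=web01',
    'nids ts=2024-03-01T09:59:02Z sig="POLICY Cleartext FTP login" src=10.0.0.21 dst=files01',
    '2024-03-01T10:01:15Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50412 ssh2',
    '2024-03-01T10:01:17Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 50413 ssh2',
    '2024-03-01T10:02:40Z web01 sshd[2207]: Accepted password for admin from 203.0.113.7 port 50420 ssh2',
    '{"ts": "2024-03-01T10:03:05Z", "host": "web01", "event": "integrity_changed", "path": "/etc/sshd_config"}',
    'garbage line the parser cannot understand',
]


@dataclass
class Event:
    ts: str
    source: str
    host: str
    src_ip: Optional[str]
    message: str
    stage: str


KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUTH_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
                     r"(?P<msg>(?:Failed|Accepted) password for \S+) from (?P<ip>\S+)")


def stage_for(source: str, message: str) -> str:
    for src, pattern, stage in RULES:
        if src == source and pattern.search(message):
            return stage
    return "Environmental Awareness"  # unknown events are kept as context, not alarms


def normalize(line: str) -> Optional[Event]:
    """Map one raw line from any supported source onto the common schema."""
    if line.startswith("nids "):
        kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
        return Event(kv["ts"], "nids", kv["dst"], kv.get("src"), kv["sig"], stage_for("nids", kv["sig"]))
    if line.startswith("{"):
        rec = json.loads(line)
        msg = f'{rec["event"]} {rec.get("path", "")}'.strip()
        return Event(rec["ts"], "hids", rec["host"], None, msg, stage_for("hids", msg))
    m = AUTH_RE.match(line)
    if m:
        return Event(m["ts"], "auth", m["host"], m["ip"], m["msg"], stage_for("auth", m["msg"]))
    return None  # unparseable input is dropped here; a real pipeline would count it


def correlate(events: List[Event]) -> List[Dict]:
    """One incident per host, ranked by the most severe stage observed on it."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)
    incidents = []
    for host, evs in by_host.items():
        failures: Dict[str, int] = {}
        for ev in evs:
            if ev.source == "auth" and ev.message.startswith("Failed"):
                failures[ev.src_ip] = failures.get(ev.src_ip, 0) + 1
            elif ev.source == "auth" and ev.message.startswith("Accepted") and failures.get(ev.src_ip, 0) >= 2:
                ev.stage = "System Compromise"  # success after repeated failures from the same address
        top = max(evs, key=lambda e: RANK[e.stage])
        incidents.append({"host": host, "stage": top.stage, "events": len(evs),
                          "stages": sorted({e.stage for e in evs}, key=RANK.get)})
    return sorted(incidents, key=lambda i: RANK[i["stage"]], reverse=True)


if __name__ == "__main__":
    parsed = [e for e in map(normalize, RAW_LINES) if e is not None]
    for incident in correlate(parsed):
        print(incident)
```

Ranking incidents by stage is what gives an analyst the "what first" answer the section opens with: here `web01` surfaces at the top as System Compromise, with reconnaissance, brute-force attempts and a configuration change all attached as context, while the cleartext FTP policy event on `files01` sits at the bottom as Environmental Awareness.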