Security Visibility and Actionable Intelligence

SIEM and Log Management Software


AlienVault Unified Security Management™ (USM) provides full-function Security Information and Event Management (SIEM) and log management software capabilities, with the added advantage of integrated host and network IDS, netflow analysis, and vulnerability assessment for complete security monitoring.


  • Provides log aggregation and storage plus full SIEM functionality with event correlation across all the built-in security tools
  • Includes network intrusion detection (NIDS), host-based intrusion detection (HIDS), and wireless intrusion detection (WIDS)
  • Combines asset discovery, vulnerability assessment, IDS, SIEM, and netflow analysis in one console
  • Utilizes real-time insights from OTX based on crowd-sourced info on known malicious hosts
  • Stays current with continuous updates including new rule sets, signatures, reports, and more
  • Offers full threat context and step-by-step response guidance for attacks
  • Deploys and provides insights in less than an hour

14% of data breaches are perpetrated by insiders
78% of initial intrusions were rated as low difficulty

SIEM and Log Management Built In

Worsening Threat Landscape Makes a Unified Approach Necessary

With organizations of all sizes reacting to the worsening security threat landscape, Security Information and Event Management is a hot topic. Today, there are many "single purpose" SIEM products on the market and they are generally used for security threat management and regulatory compliance. SIEM solutions include log management, event management, correlation, and more sophisticated reporting than purpose-built log management products. Both have value in the worsening threat landscape:

Preventative measures are no longer enough.

Targeted attacks and malware, as well as well-publicized data breaches and data theft, are intensifying the need for businesses to detect attacks, react, and remediate quickly. Anti-virus and anti-malware solutions alone are often no longer enough; USM's built-in security intelligence and monitoring capabilities let you keep up with malware and security incidents.

Log management products aggregate log data (event logs and audit data) and store it for analysis.

Event logs and audit data come from almost every IT system: operating systems (e.g. Windows, Linux), network equipment (routers, switches), security devices (firewalls, web application firewalls, UTMs, intrusion detection systems), vulnerability assessment tools, and more. USM's built-in log management retains the raw logs you will need for forensic analysis.

Event logs and audit data vary significantly

Every system, device, and application has its own way of producing event logs and audit data, so a log management tool must know how to consume each format. Log management tools therefore normalize logs into a common format for easier analysis, and they aggregate logs from all sources in one central location. With the built-in capabilities of USM, your logs are normalized and fed to the built-in SIEM for correlation.

Logs need to be stored securely and retained for longer periods of time to support compliance regulations.

Organizations are required by regulations such as PCI DSS, HIPAA, and SOX to centrally collect and retain logs securely and to preserve the chain of custody. In addition, security analysts need to easily search, analyze, and report on the data to monitor for threats to the organization's systems and sensitive data. AlienVault USM controls the chain of custody throughout the data's life cycle and offers analysts a simple, intuitive incident response workflow to evaluate the data and respond to threats. AlienVault USM retains both raw log data and normalized logs.

SIEM versus Log Management

Hunter versus Gatherer

While Log Management point products provide the basics of collecting logs, normalizing them and storing them in a central location, SIEM point products provide a more complete solution to security, operations and compliance challenges, with log management capabilities as well as more aggressive methods of handling intrusions. Whereas log management might be characterized as a "Gatherer" - collecting and storing logs, SIEM would be better characterized as a "Hunter." SIEM technology lets security practitioners go "on the hunt" for intruders in their network.

SIEMs automate much of what an analyst would have to do manually,

by providing real-time correlation and pattern detection. Using Boolean-type logic, log correlation looks for associated events across different systems that together indicate a security or operational problem. For example, if we see multiple failed logins, a privilege escalation, after-hours access, and an IDS alarm within a short period of time, this may indicate a security breach. This correlation capability can provide security insights that would be almost impossible for a person to identify by hand in a typical IT environment. USM's built-in SIEM saves analyst time by correlating events to provide actionable information from massive amounts of data.

Based on SIEM analysis and correlation, alarms are fired and can be viewed.

Alarms progressively become more credible, as supporting events occur.
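The two ideas above, normalizing logs from different sources into one schema and then applying a Boolean correlation rule over a time window, as one worked example. This is an added illustration, not AlienVault's code or rule set: the sample log lines are constructed, the asset table mapping an IP to a hostname is invented, and the regexes, field names, window size, failed-login threshold, and business-hours definition are all assumptions. The rule fires on "several failed logins followed by a privilege escalation on the same host" and raises the alarm's credibility for each further supporting condition (after-hours timing, an IDS alarm in the same window), which is the behaviour the page describes.

```python
"""Normalize logs from different sources into one schema, then correlate them.
Added example, not AlienVault code. Sample lines, regexes, field names, the asset
table and the rule thresholds are all constructed assumptions."""
import re
from datetime import datetime, timedelta

YEAR = 2024                      # syslog lines carry no year; assumed
ASSETS = {"10.0.0.5": "web01"}   # constructed inventory: IP -> hostname
WINDOW = timedelta(minutes=10)   # correlation window around an escalation
FAILED_LOGIN_THRESHOLD = 3
BUSINESS_HOURS = range(8, 18)    # 08:00-17:59; anything else is "after hours"

# Constructed lines: sshd and sudo via syslog, plus a Snort/Suricata-style fast alert.
SAMPLE_LOGS = [
    "Mar 12 02:13:01 web01 sshd[2201]: Failed password for root from 203.0.113.7 port 5511 ssh2",
    "Mar 12 02:13:09 web01 sshd[2203]: Failed password for invalid user backup from 203.0.113.7 port 5513 ssh2",
    "Mar 12 02:13:15 web01 sshd[2204]: Failed password for admin from 203.0.113.7 port 5514 ssh2",
    "Mar 12 02:14:30 web01 sshd[2210]: Accepted password for admin from 203.0.113.7 port 5520 ssh2",
    "Mar 12 02:15:02 web01 sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/bin/bash",
    "03/12-02:15:10.000000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] "
    "[Priority: 1] {TCP} 10.0.0.5:22 -> 203.0.113.7:5520",
    "Mar 12 09:40:11 db02 sudo:    dba : TTY=pts/1 ; PWD=/home/dba ; USER=postgres ; COMMAND=/usr/bin/psql",
]

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")
SSH_OK_RE = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+)")
SUDO_RE = re.compile(r"^\s*(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")
IDS_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<sig>.+?) "
                    r"\[\*\*\] \[Priority: (?P<prio>\d+)\] \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")


def normalize(line):
    """Map one raw line from any supported source onto a common event schema.
    Returns None for lines no parser understands (they still belong in raw storage)."""
    m = SYSLOG_RE.match(line)
    if m:
        ev = {"ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
              "host": m["host"], "source": m["prog"], "user": None, "remote": None, "raw": line}
        if m["prog"] == "sshd":
            f, s = SSH_FAIL_RE.search(m["msg"]), SSH_OK_RE.search(m["msg"])
            if f:
                return {**ev, "type": "auth_failure", "user": f["user"], "remote": f["src"]}
            if s:
                return {**ev, "type": "auth_success", "user": s["user"], "remote": s["src"]}
        elif m["prog"] == "sudo":
            s = SUDO_RE.match(m["msg"])
            if s and s["target"] != s["user"]:   # command run as another (often privileged) user
                return {**ev, "type": "priv_escalation", "user": s["user"],
                        "detail": f"{s['target']}: {s['cmd']}"}
        return None
    m = IDS_RE.match(line)
    if m:
        src, dst = m["src"], m["dst"]
        # Attribute the alert to the monitored asset, whichever side of the flow it is on.
        host = ASSETS.get(src) or ASSETS.get(dst) or dst
        return {"ts": datetime.strptime(f"{YEAR} {m['ts']}", "%Y %m/%d-%H:%M:%S"),
                "host": host, "source": "ids", "type": "ids_alert", "user": None,
                "remote": dst if src in ASSETS else src,
                "detail": f"{m['sig']} (priority {m['prio']})", "raw": line}
    return None


def correlate(events):
    """Boolean-style correlation. Base rule: at least FAILED_LOGIN_THRESHOLD failed logins
    on a host followed, within WINDOW, by a privilege escalation. Each further condition
    that holds (after-hours, IDS alarm in the same window) raises the alarm's credibility."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alarms = []
    for host, evs in by_host.items():
        for esc in (e for e in evs if e["type"] == "priv_escalation"):
            nearby = [e for e in evs if abs(e["ts"] - esc["ts"]) <= WINDOW]
            failures = [e for e in nearby if e["type"] == "auth_failure" and e["ts"] < esc["ts"]]
            if len(failures) < FAILED_LOGIN_THRESHOLD:
                continue
            conditions = ["failed_logins", "priv_escalation"]
            if esc["ts"].hour not in BUSINESS_HOURS:
                conditions.append("after_hours")
            if any(e["type"] == "ids_alert" for e in nearby):
                conditions.append("ids_alert")
            alarms.append({"host": host, "user": esc["user"],
                           "remotes": sorted({e["remote"] for e in nearby if e["remote"]}),
                           "conditions": conditions, "credibility": len(conditions),
                           "supporting_events": len(nearby)})
    return alarms


def analyze(lines):
    """Full pipeline: raw lines -> normalized events -> alarms."""
    events = [ev for ev in map(normalize, lines) if ev]
    return events, correlate(events)


if __name__ == "__main__":
    events, alarms = analyze(SAMPLE_LOGS)
    print(f"{len(events)} normalized events from {len(SAMPLE_LOGS)} raw lines")
    for alarm in alarms:
        print(alarm)
```

Run as-is, the web01 sequence produces one alarm with all four conditions satisfied (credibility 4), while the daytime `sudo` on db02 with no preceding failures does not fire. The normalized events keep `raw` so the original line is still available for forensic review, and the IDS alert is tied to the host through the asset table rather than by IP alone, which is the kind of asset context the page refers to.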

AlienVault USM goes above and beyond both SIEM and Log Management software.

The USM platform is an excellent solution for security, operations and compliance requirements. It provides full SIEM capabilities with the added advantage of integrated host and network IDS, visibility to netflow data and vulnerability assessment to provide comprehensive security visibility on a “single pane of glass”. Rather than having to purchase multiple point products, USM provides all of these technologies in a single console.

USM provides compliance reporting capabilities to assist in many types of regulatory compliance requirements,

which can be a big time saver for IT. In addition to security and operations concerns, a growing number of organizations are required to prove regulatory compliance. In healthcare it's HIPAA, in nuclear energy it's NERC CIP, in retail it's PCI DSS, and so on. While it can be argued that compliance does not assure security or risk management, it is often a requirement to do business at all.

SIEM provides visibility.

In incident response, it's critical to see the big picture, then be able to "drill down" and see more information about assets under attack. SIEM provides ongoing vigilance in watching for suspicious activity - even when the IT professional is not watching the alarm interface. AlienVault's USM built-in SIEM capability provides rich context information about alarms, in order to determine appropriate actions to take. Contextual information includes affected assets, the vulnerability of the assets, and situational awareness and visibility into what is going on in your network around this suspicious activity.

USM provides sophisticated reporting capabilities, above and beyond log management or SIEM.

These reports can be scheduled for delivery on a certain cadence or can be ad hoc, allowing the generation of reports for a particular interest. AlienVault's USM canned and custom reporting capabilities are very useful in terms of demonstrating regulatory compliance.

AlienVault USM catches threats wherever they exist within your network,

by combining network-based intrusion detection (NIDS), wireless intrusion detection (WIDS), and host-based intrusion detection (HIDS) that also includes file integrity monitoring (FIM). AlienVault USM relies on a lightweight OSSEC agent that is provisioned, managed, and monitored via the web-based console. With the built-in FIM capability, as soon as a critical file is changed, an alarm can be triggered in the Alarms display. Some of these changes will not require a response; however, it is important to monitor all such activity to establish baselines and to notice abnormalities such as policy violations or potential system compromise.
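What the file integrity monitoring described above does underneath, as an added example rather than OSSEC or AlienVault code: hash a baseline of the files being watched, then diff the live tree against it and report additions, removals, content changes and permission changes. The directory tree, file contents and the tampering are constructed in a temporary directory so the script runs offline; the paths and the alarm format are assumptions.

```python
"""File integrity monitoring (FIM): hash a baseline of critical files, then
diff the current state against it. Added example, not OSSEC/AlienVault code.
The directory tree and file contents are constructed inline so it runs offline."""
import hashlib
import os
import stat
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (path relative to root) to its hash and mode.
    lstat is used so symlinks are not followed; non-regular files are skipped."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": hash_file(full), "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def check_integrity(root, baseline):
    """Compare the live tree with the baseline. Returns (kind, path) pairs where kind is
    added / removed / modified / mode_changed; an empty list means no drift."""
    current = build_baseline(root)
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            changes.append(("removed", rel))
        elif rel not in baseline:
            changes.append(("added", rel))
        elif current[rel]["sha256"] != baseline[rel]["sha256"]:
            changes.append(("modified", rel))
        elif current[rel]["mode"] != baseline[rel]["mode"]:
            changes.append(("mode_changed", rel))
    return changes


def _write(root, rel, data, mode=0o644):
    """Helper for the constructed tree: create rel under root with given content and mode."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)
    os.chmod(path, mode)
    return path


def demo():
    """Build a constructed 'system', take a baseline, tamper with it, and report.
    Returns the list of detected changes."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", "root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin no\n", 0o600)
        _write(root, "bin/ls", "#!/bin/sh\necho ls\n", 0o755)
        baseline = build_baseline(root)

        # Tampering typical of a compromise: weaken sshd, drop a cron job,
        # remove a binary, loosen permissions on a sensitive file.
        _write(root, "etc/ssh/sshd_config", "PermitRootLogin yes\n", 0o600)
        _write(root, "etc/cron.d/update", "* * * * * root /tmp/.x\n")
        os.remove(os.path.join(root, "bin", "ls"))
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)

        changes = check_integrity(root, baseline)
    for kind, path in changes:
        print(f"FIM alarm: {kind:13s} {path}")
    return changes


if __name__ == "__main__":
    demo()
```

The baseline must itself be stored somewhere the monitored host cannot silently rewrite (a central server, as the agent/console split on this page implies); a baseline kept on the same box is only as trustworthy as the box. The mode check matters as much as the hash: a world-writable `/etc/passwd` has identical content to the original but is a finding in its own right.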

AlienVault Unified Security Management

SIEM and Log Management Plus Other Essential Security Tools

Single-purpose SIEM or log management tools are extremely valuable, but often require expensive integration efforts to bring in log files from sources such as IDS. With USM, SIEM and event correlation come integrated out of the box with a host of security tools. AlienVault USM delivers a complete view into the security of your environment by combining SIEM with automated asset discovery, vulnerability data, visibility into netflow data, network IDS, host IDS, wireless IDS, and visibility into known malicious hosts.

Faster Deployment Time

Go from install to insights in less than an hour with USM. All of the built-in security controls are pre-integrated and optimized to work together out of the box.

Low Administrative Overhead

Deploy and manage your IDS, HIDS, WIDS, SIEM, and more from the same console.

Tuned Event Correlation

With the core data sources already built in, our 1600 event correlation rules are already fine-tuned and optimized, right out of the box.

Full Packet Capture

Any packet that triggers an IDS signature is automatically captured and displayed with the IDS event. Session monitoring and full packet capture can then be invoked for more extensive forensic investigation.

Reduced False Positives

Intrusion detection systems are notorious for "false positives": events that seem to indicate an intrusion but are actually harmless. AlienVault USM helps reduce false positives by cross-correlating multiple security tools, including behavioral analysis and security intelligence.

Full Threat Context

All you need to know about an incident is captured in each alarm, including asset information (such as OS, software, identity), vulnerability data, visibility to netflow data, raw log data, and more.

Actionable Alarms

Each alarm provides step-by-step guidance on interpreting the threat, and how to contain it and respond.

Continually Updated Signatures and Rules

Continuous and coordinated updates to catch the latest threats.

Global Threat Intelligence, Localized for You

Utilize Global Threat Intelligence Automatically

Attacks morph over time and new exploits are discovered every day. AlienVault Labs does the heavy lifting for you, with a variety of collection and analysis techniques, continually updating your USM installation with new signatures, rules, reports, and plugins.

Daily Malware Analysis

Using advanced sandboxing techniques to quarantine malware samples while we conduct static and dynamic analysis, we analyze over 500,000 unique malware samples every day. This analysis provides key insights into the latest attacker tools and techniques.

Honeypot Deployment and Analysis

Our global honeypots are essentially "virtual Venus flytraps" set up to detect, capture, and analyze the latest attacker techniques and tools. Leveraging honeypots placed in high-traffic networks, our threat intelligence subscribers are armed with the latest defensive strategies in the form of updated event correlation rules, IDS and vulnerability signatures, and more.

Attacker Profile Analysis

We’re constantly monitoring hacker forums and underground networks for in-depth profiling of the common traits of cyber criminals. This information gives us unparalleled access for understanding the “attack horizon” and has resulted in major discoveries such as the evolution of Sykipot, Red October, and other malware outbreaks.

Threat Intelligence Collaboration

We've been able to establish strong connections with state agencies around the world, academic researchers, and other security vendors. These relationships give us access to pre-published vulnerability and malware updates as well as enhanced verification of our own research.

8,000+ collection points in more than 140 countries
500,000 unique malware samples analyzed every day

Attack Alarms and Investigation

Investigate Root Cause Faster Than Ever

Instantly know the who, what, where, when and how of attacks – no matter where they originate.

Actionable Alarms

AlienVault USM includes several different security monitoring technologies to gather information on a variety of threat vectors, and because it has access to everything you need to know about an asset, you can get to root cause faster than ever.

Risk Prioritization

AlienVault Labs Threat Intelligence applies more than 1600 event correlation rules against the raw event log data we collect, as well as the events triggered by our built-in intrusion detection software. This enables rapid, accurate, and actionable guidance that interprets the severity of the exposure based on the full threat context.

Attack Categorization

Each alarm is categorized by the intent of the attacker for effective prioritization, so you know which events to focus on for deeper investigation and analysis.

Ticketing

For remediation, AlienVault USM can notify people via email, open a ticket in the built-in ticketing system, or integrate with an external help desk or ticketing system. It can also be configured to execute a script to take automated, custom actions based on your environment. USM's built-in ticketing system creates trouble tickets from vulnerability scans and alarms. These tickets specify who owns the remediation, the status, and descriptive information. The tickets also provide a historical record of issues handled, as well as the capability to transfer tickets, assign them to others, and push work to other groups.

Step-by-Step Investigation Instructions

AlienVault Labs provides specific, contextual guidance on what to do when an alarm is triggered, so you can contain and investigate the incident quickly.
