AlienVault Unified Security Management™ (USM)
AlienVault USM™ provides built-in vulnerability assessment with the essential capabilities you need for complete security visibility and threat intelligence, all in one easy-to-use console.
This page will help you understand how USM enables you to:
Get Immediate Results on Day One
records were put at risk in a breach involving keylogging software. The attack affected at least 93,000 websites, including brand names like ADP, Facebook, Gmail, LinkedIn, Twitter, Yahoo, and more.
Vulnerability Assessment starts with Asset Discovery, which is essential for overall visibility of your network. It also helps you target the range of IPs for your vulnerability scan. You can granularly define the vulnerability scan to specific network segments and assets of interest. Scans can be run ad hoc or scheduled at regular intervals. With the number of network security events rising every year, it is essential to prioritize your remediation efforts and deploy the most important patches and security updates first. AlienVault USM can report scanning results to management on a regular basis to help document remediation progress. USM’s built-in vulnerability assessment filters out the noise of false positives and low-importance vulnerabilities so you can focus on the risks that truly matter to your business.
Understand your network before scanning
USM™ provides auto-discovered, detailed asset information to help you visualize your entire network. You should focus your Vulnerability scans, at a minimum, on externally accessible assets that are the most important to the health of your business.
Scanning and reporting can be done on-demand, in response to an incident, or scheduled
USM™ allows you to schedule vulnerability scans to meet your requirements, such as hourly, weekly or monthly. In addition, you can scan more important network segments or groups more regularly. USM also provides flexible reporting, which can be done ad-hoc, or on a scheduled basis and sent to email addresses you specify.
Vulnerability scanning needs to provide you actionable information
Finding, verifying, and fixing vulnerabilities is a constant battle for IT. AlienVault USM helps accelerate that task by providing not only vulnerability scanning and assessment, but also details about the vulnerabilities themselves. The ability to see external threat information, such as communication with known malicious hosts via the community-powered Open Threat Exchange™ data delivered automatically into USM, helps prioritize your remediation efforts. In addition, AlienVault's USM integrated Host and Network IDS and SIEM provide rich contextual information to help with incident response.
Vulnerability information adds context for security incident response
As new threats enter the security landscape, you will be able to run vulnerability scans on-the-fly to help determine if you are vulnerable to new exploits. You will also be able to see the last scan results across your assets, to assist in incident response. You can see vulnerability and asset information conveniently displayed in a single console with USM.
AlienVault's USM™ built-in functionality gives you the ability to continuously identify insecure configurations, unpatched and unsupported software. You have the flexibility to implement vulnerability assessment that matches your needs. For example, you may wish to run authenticated scans on compliance-related assets and throttle back to passive vulnerability assessment on low risk assets where reducing network traffic matters more than validating stringent security configurations.
In addition to giving you maximum flexibility in implementing vulnerability assessment, USM software also encourages you to adopt a continuous process of vulnerability management by providing scheduled scans at frequent intervals, such as daily or weekly. In this way, you can keep on top of the changing threat landscape.
Traditional active network scanning
USM supports this common approach used by many vulnerability assessment tools, actively probing for suspected vulnerabilities in IT assets using carefully crafted network traffic to solicit a response.
Continuous vulnerability monitoring
USM supports this approach as well, which is also known as passive vulnerability detection. USM correlates the data gathered by its asset discovery scans with known vulnerability information for improved accuracy. This provides more relevant vulnerability information while minimizing network noise and system impact.
USM is also able to scan without requiring host credentials. This scan probes hosts with targeted traffic and analyzes the subsequent response to determine the configuration of the remote system and any vulnerabilities in installed OS and application software.
USM is able to conduct scanning on an authenticated basis. This entails access to the target host’s file system, to be able to perform more accurate and comprehensive vulnerability detection by inspecting the installed software and its configuration. For example, with Windows servers you can access registry keys and files, looking for traces of infiltration.
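The two unauthenticated techniques described above (active probing with crafted traffic, and passive correlation of already-discovered service banners against known-vulnerability data) can be shown side by side in a few dozen lines. This is an added example, not AlienVault code, and it does not use any USM interface: the asset inventory, the advisory table (labelled "constructed advisory A/B", with no real identifiers), the banner patterns and the local fake SSH server are all constructed so the script runs offline. Active mode connects to a port and reads the banner the service volunteers (or sends an HTTP HEAD request first, since HTTP servers only speak after a request); passive mode sends no packets and only re-evaluates banners the discovery scan already recorded.

```python
"""Active (unauthenticated) banner probing vs. passive inventory correlation.

Added example, not AlienVault code. The inventory, advisory table and the
fake SSH server below are constructed for the demonstration.
"""
import re
import socket
import threading

# Constructed inventory in the shape an asset-discovery scan produces
# (hypothetical schema): ip -> {os, services: {port: banner}}.
ASSET_INVENTORY = {
    "10.0.0.5": {"os": "Linux", "services": {22: "SSH-2.0-OpenSSH_7.2p2", 80: "Apache/2.4.18"}},
    "10.0.0.9": {"os": "Linux", "services": {22: "SSH-2.0-OpenSSH_8.9p1"}},
}

# Constructed advisory table: (product, first fixed version, severity, note).
# A service is flagged when its version is older than the fixed version.
KNOWN_VULNS = [
    ("OpenSSH", (7, 4, 0), "medium", "constructed advisory A: fixed in 7.4"),
    ("Apache", (2, 4, 25), "high", "constructed advisory B: fixed in 2.4.25"),
]

# Banner regexes for the two products the constructed table knows about.
BANNER_PATTERNS = [
    ("OpenSSH", re.compile(r"OpenSSH[_/ ]([0-9][^\s,]*)")),
    ("Apache", re.compile(r"Apache/([0-9][^\s]*)")),
]

HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def version_tuple(version):
    """'7.2p2' -> (7, 2, 0); '2.4.18' -> (2, 4, 18). Suffixes such as 'p2' are ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def parse_banner(banner):
    """Return (product, version) for a recognised banner, else None."""
    for product, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, m.group(1)
    return None


def assess_banner(banner):
    """Match one banner against the advisory table; returns a list of findings."""
    parsed = parse_banner(banner)
    if not parsed:
        return []
    product, version = parsed
    ver = version_tuple(version)
    findings = []
    for vuln_product, fixed_in, severity, note in KNOWN_VULNS:
        if product == vuln_product and ver is not None and ver < fixed_in:
            findings.append({"product": product, "version": version,
                             "severity": severity, "note": note})
    return findings


def passive_assess(inventory):
    """Passive mode: correlate already-discovered banners; no packets are sent."""
    results = []
    for ip, asset in inventory.items():
        for port, banner in asset["services"].items():
            for f in assess_banner(banner):
                results.append(dict(f, ip=ip, port=port))
    return results


def active_probe(host, port, timeout=3.0):
    """Active mode: connect, solicit a banner, and assess the response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if port in (80, 8080):          # HTTP servers speak only after a request
            s.sendall(HTTP_PROBE)
        banner = s.recv(1024).decode("latin-1", "replace")
    return banner, assess_banner(banner)


def start_fake_ssh_server(banner=b"SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.8\r\n"):
    """Constructed stand-in for a real host so the active probe runs offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for f in passive_assess(ASSET_INVENTORY):
        print("passive:", f)
    port = start_fake_ssh_server()
    banner, findings = active_probe("127.0.0.1", port)
    print("active banner:", banner.strip())
    for f in findings:
        print("active:", f)
```

The version comparison is deliberately numeric rather than a regex on the banner string, because vendor suffixes ("7.2p2", "2.4.18-1ubuntu") are where unauthenticated scanners most often mis-match; an authenticated scan that reads the package database sidesteps that problem entirely, which is the accuracy gain the paragraph above refers to.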
Prioritize and Remediate
Do It More Effectively With USM
IT risk cannot be prevented 100% - it can only be mitigated. The old-fashioned "checklist" approach of finding huge numbers of vulnerabilities and creating a list for some poor intern to fix is a thing of the past. With the complexity of IT and the rapidly changing threat landscape, it is also critically important to prioritize remediation based on a number of factors:
You need to factor in all of these issues to prioritize your remediation efforts. For example, a high-impact vulnerability on a low-risk system (perhaps because it holds only a test database of random data) may be less important to remediate than a medium-impact vulnerability on a high-risk system (perhaps one in the DMZ).
Remediating vulnerabilities almost always has an impact on IT Operations and your users
Remediation is typically done with OS and application patching, downloading security updates and providing workarounds to avoid the vulnerability. These remediation actions can be inconvenient to your users at the least, and may impact your business.
The unified and coordinated capabilities of USM work in concert with vulnerability assessment
USM™ helps prioritize remediation with multiple technologies beyond simple vulnerability assessment: Host and Network Intrusion Detection Systems (IDS), Asset Discovery, NetFlow and Security Information and Event Management (SIEM). Vulnerabilities must be exposed to threats in order to be exploited. With USM, you are aware when a vulnerable asset is actually exposed to threats.
USM™ provides remediation advice for vulnerabilities that are found
It includes dynamic incident response templates and 3rd party references to help you figure out how to remediate vulnerabilities that a scan may find. This advice saves you time looking up each vulnerability and tracking down this information yourself. In addition, the advice is vetted by AlienVault Labs and kept up-to-date.
"False positives" or "false alarms" are another problem that USM software addresses. There are certain vulnerabilities that IT is well aware of and has deemed not to be an issue. USM allows these known vulnerabilities to be suppressed from correlation and reporting, saving management time.
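The three ideas in the paragraphs above (weighting a finding by the asset's business risk and network position, raising it further when IDS or threat-intelligence data shows the asset is actually exposed to a threat, and dropping findings IT has reviewed and accepted) combine into a single ranking function. The following is an added example, not AlienVault code, and USM's own scoring is not documented on this page: the severity scores, zone weights, threat multiplier, asset records, placeholder vulnerability IDs (VULN-000x) and the suppression list are all constructed for the demonstration. It reproduces the DMZ-versus-test-database case from the text: the medium finding on the exposed DMZ host outranks the high finding on the throwaway lab database.

```python
"""Risk-based ranking of scan findings with false-positive suppression.

Added example, not AlienVault code. All weights, assets, findings and the
accepted-risk list are constructed.
"""

# Constructed asset context an asset inventory would supply: criticality 1-5,
# network zone, and whether IDS/threat-intel data currently shows the asset
# talking to a known-bad host (the "exposed to threats" signal).
ASSETS = {
    "10.0.0.5":  {"name": "dmz-web01",   "criticality": 5, "zone": "dmz",      "threat_activity": True},
    "10.0.0.42": {"name": "test-db01",   "criticality": 1, "zone": "lab",      "threat_activity": False},
    "10.0.0.7":  {"name": "fileserver",  "criticality": 3, "zone": "internal", "threat_activity": False},
}

SEVERITY_SCORE = {"low": 2.0, "medium": 5.0, "high": 8.0, "critical": 10.0}
ZONE_WEIGHT = {"dmz": 1.5, "internal": 1.0, "lab": 0.5}   # constructed exposure weights
THREAT_MULTIPLIER = 2.0                                    # asset is under active attack

# Constructed scan findings: (asset ip, vulnerability id, severity). IDs are placeholders.
FINDINGS = [
    ("10.0.0.42", "VULN-0001", "high"),    # high severity, but a throwaway test DB
    ("10.0.0.5",  "VULN-0002", "medium"),  # medium severity, critical DMZ host under attack
    ("10.0.0.7",  "VULN-0003", "high"),
    ("10.0.0.7",  "VULN-0004", "low"),     # reviewed and accepted: suppressed below
]

# Accepted-risk list: (asset, vulnerability) pairs IT reviewed and deemed not an issue.
SUPPRESSED = {("10.0.0.7", "VULN-0004")}


def risk_score(asset, severity):
    """Severity x business criticality x network exposure, doubled if under attack."""
    score = SEVERITY_SCORE[severity] * asset["criticality"] * ZONE_WEIGHT[asset["zone"]]
    if asset["threat_activity"]:
        score *= THREAT_MULTIPLIER
    return round(score, 1)


def prioritize(findings, assets, suppressed):
    """Return findings ordered by risk, highest first, with suppressions removed."""
    ranked = []
    for ip, vuln_id, severity in findings:
        if (ip, vuln_id) in suppressed:
            continue                      # known and accepted: keep it out of the report
        asset = assets[ip]
        ranked.append({"asset": asset["name"], "ip": ip, "vuln": vuln_id,
                       "severity": severity, "score": risk_score(asset, severity)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked


if __name__ == "__main__":
    for row in prioritize(FINDINGS, ASSETS, SUPPRESSED):
        print(f"{row['score']:6.1f}  {row['severity']:<7} {row['vuln']}  {row['asset']} ({row['ip']})")
```

Keep the suppression list keyed on (asset, vulnerability) rather than on the vulnerability alone; the same finding that is acceptable on the lab database is not acceptable on the DMZ host, and a global suppression would hide exactly the case the ranking is meant to surface.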
AlienVault USM™ can send email to people, open a ticket in the built-in ticketing system, or send an email to an external help desk / ticketing system. It can also be configured to execute a script to take automated actions, which is appropriate in some situations. AlienVault's built-in software ticketing system creates trouble tickets from vulnerability scans and alarms. These tickets specify who owns the remediation, the status and descriptive information. The tickets also provide a historical record of issues handled, as well as the capability to transfer tickets, assign them to others and push work to other groups.
With USM™ you can view updated vulnerability reports, kick off new vulnerability scans, generate tickets, and conduct false positive analysis, all through a single console. This console provides the prioritized, actionable information that lets you manage risk to your IT assets most effectively.
Single-purpose vulnerability scanning tools are valuable, but USM provides the overall security visibility they lack.
Faster Deployment Time
Go from install to insights in less than an hour with USM. All of the built-in security controls are pre-integrated and optimized to work together out of the box.
Low Administrative Overhead
Deploy and manage your IDS, HIDS, SIEM, and more from the same console.
Tuned Event Correlation
Because the core data sources are already built in, more than 2,000 event correlation rules come pre-tuned and optimized, right out of the box.
Full Packet Capture
Any packet that triggers an IDS signature is automatically captured and displayed with the IDS event. Session monitoring and full packet capture can then be invoked for more extensive forensic investigation.
Reduced False Positives
IDSs are notorious for "false positives," events that appear to indicate an intrusion but are actually harmless. AlienVault USM eliminates many false positives by cross-correlating multiple security tools, including asset inventory, IDS, vulnerability scanning, behavioral analysis and visibility into NetFlow data.
Full Threat Context
All you need to know about an incident is captured in each alarm, including asset information (such as OS, software, identity), vulnerability data, visibility to netflow data, raw log data, and more.
Each alarm provides step-by-step guidance on interpreting the threat, and how to contain it and respond.
Continually Updated Signatures and Rules
Continuous and coordinated updates to catch the latest threats.
Attacks morph over time and new exploits are discovered every day. AlienVault Labs does the heavy lifting for you, with a variety of collection and analysis techniques, continually updating your USM installation with new signatures, rules, reports, and plugins.
Daily Threat Indicator Analysis
Using advanced sandboxing techniques to quarantine malware samples while we conduct static and dynamic analysis, we analyze the more than 3 million threat indicators submitted by our more than 37,000 participants in over 140 countries every day. This analysis provides key insights into the latest attacker tools and techniques.
Honeypot Deployment and Analysis
Our global honeypots are essentially "virtual Venus flytraps" set up to detect, capture, and analyze the latest attacker techniques and tools. Leveraging honeypots placed in high-traffic networks, our threat intelligence subscribers are armed with the latest defensive strategies in the form of updated event correlation rules, IDS and vulnerability signatures, remediation guidance, and more.
Attacker Profile Analysis
We’re constantly monitoring hacker forums and underground networks for in-depth profiling of the common traits of cyber criminals. This information gives us unparalleled access for understanding the “attack horizon” and has resulted in major discoveries such as the evolution of Sykipot, Red October, and other malware outbreaks.
Threat Intelligence Collaboration
We’ve established strong connections with government agencies, academic researchers and other security vendors around the world. These relationships give us access to pre-published vulnerability and malware updates as well as enhanced verification of our own research.
Attack Alarms and Investigation
Investigate Root Cause Faster Than Ever
Instantly know the who, what, where, when and how of attacks – no matter where they originate.
AlienVault USM™ includes several different security monitoring technologies to gather information on a variety of threat vectors. Because we have access to everything you need to know about an asset, you can get to root cause faster than ever.
AlienVault Labs Threat Intelligence applies more than 2,000 event correlation rules against the raw event log data we collect, as well as the events triggered by our built-in intrusion detection software. This enables rapid, accurate, and actionable guidance that interprets the severity of the exposure based on the full threat context, telling you what to address first.
Kill Chain Attack Categorization
USM utilizes the Kill Chain Taxonomy that categorizes each alarm by the intent of the attacker for effective prioritization, so you know which events to focus on for deeper investigation and analysis.
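The cross-correlation described under "Reduced False Positives" and the kill-chain categorization described just above come down to two lookups per alarm: does the target actually run the software the signature's exploit is aimed at (and, if the last scan says so, is it vulnerable), and what attacker intent does the signature's behaviour represent. The following is an added example, not AlienVault code. The page names USM's Kill Chain Taxonomy but does not list its categories, so the five stage names and their ordering here are assumed; the inventory, the signature names (SIG-…), the alerts and the vulnerability tags are all constructed.

```python
"""Triage of IDS alerts against asset inventory, last-scan vulnerability data,
and an (assumed) kill-chain stage ordering.

Added example, not AlienVault code. Inventory, signatures, alerts and the
stage names are constructed for the demonstration.
"""

# Assumed kill-chain stages, highest attacker progress first. The page does not
# list USM's categories; these names are an assumption for the example.
STAGE_PRIORITY = {
    "System Compromise": 5,
    "Exploitation & Installation": 4,
    "Delivery & Attack": 3,
    "Reconnaissance & Probing": 2,
    "Environmental Awareness": 1,
}

# Constructed asset inventory: what discovery found running, plus the
# vulnerability tags the last scan left on the host.
INVENTORY = {
    "10.0.0.5":  {"os": "Linux",   "software": {"nginx", "openssh"}, "vulns": set()},
    "10.0.0.20": {"os": "Windows", "software": {"iis", "smb"},       "vulns": {"iis-traversal"}},
}

# Constructed signature metadata: software the exploit targets (empty = any
# host), the vulnerability tag it exploits (None = none), and its stage.
SIGNATURES = {
    "SIG-WEB-001 IIS path traversal attempt": {"targets": {"iis"}, "exploits": "iis-traversal",
                                               "stage": "Delivery & Attack"},
    "SIG-SCAN-002 SYN scan":                   {"targets": set(), "exploits": None,
                                               "stage": "Reconnaissance & Probing"},
    "SIG-MAL-003 C2 beacon":                   {"targets": set(), "exploits": None,
                                               "stage": "System Compromise"},
}

# Constructed IDS alerts (src -> dst). 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for external hosts.
ALERTS = [
    {"sig": "SIG-WEB-001 IIS path traversal attempt", "src": "203.0.113.9",  "dst": "10.0.0.5"},
    {"sig": "SIG-WEB-001 IIS path traversal attempt", "src": "203.0.113.9",  "dst": "10.0.0.20"},
    {"sig": "SIG-SCAN-002 SYN scan",                  "src": "203.0.113.44", "dst": "10.0.0.5"},
    {"sig": "SIG-MAL-003 C2 beacon",                  "src": "10.0.0.20",    "dst": "198.51.100.7"},
]


def triage_alert(alert, inventory, signatures):
    """Attach stage, priority and a verdict to one alert using asset context."""
    meta = signatures[alert["sig"]]
    stage = meta["stage"]
    row = {"sig": alert["sig"], "src": alert["src"], "dst": alert["dst"], "stage": stage,
           "priority": STAGE_PRIORITY[stage], "verdict": "actionable"}
    if not meta["targets"]:
        return row                                  # behaviour-based signature: context-free
    asset = inventory.get(alert["dst"])
    if asset is None:
        row["verdict"] = "unknown asset: verify manually"
    elif not (meta["targets"] & asset["software"]):
        row["verdict"] = "not applicable: target software absent"   # likely false positive
        row["priority"] = 0
    elif meta["exploits"] in asset["vulns"]:
        row["verdict"] = "actionable: target is vulnerable per last scan"
        row["priority"] += 1                        # exploit attempt against a known-vulnerable host
    return row


def triage(alerts, inventory, signatures):
    """Triage every alert and return them ordered by priority, highest first."""
    rows = [triage_alert(a, inventory, signatures) for a in alerts]
    rows.sort(key=lambda r: r["priority"], reverse=True)
    return rows


if __name__ == "__main__":
    for r in triage(ALERTS, INVENTORY, SIGNATURES):
        print(f"[{r['priority']}] {r['stage']:<28} {r['src']} -> {r['dst']}  {r['sig']}: {r['verdict']}")
```

Note that the beacon alert is the highest priority even though it carries no target-software check: the compromised host is its source, not its destination, so applicability filtering must only ever run on signatures that describe an attack against a specific product, never on signatures that describe post-compromise behaviour.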
AlienVault USM™ can notify people via email, open a ticket in the built-in ticketing system, or integrate with an external help desk / ticketing system. You can also configure it to execute a script to take automated and custom actions, based on your environment. USM's built-in software ticketing system creates trouble tickets from vulnerability scans and alarms. These tickets specify who owns the remediation, the status and descriptive information. The tickets also provide a historical record of issues handled, as well as the capability to transfer tickets, assign them to others and push work to other groups.
Step-by-Step Investigation Instructions
AlienVault Labs provides specific, contextual guidance on what to do when an alarm is triggered, so you can contain and investigate the incident quickly.