Module 1 Introduction to USM Anywhere

Uploaded by lekien, 26-May-2018

TRANSCRIPT

Page 1: Introduction to USM Anywhere - AlienVault · Introduction to USM Anywhere 1-9 You can think of USM Anywhere as a solution that provides 5 essential tools for threat detection for

Module 1

Introduction to USM Anywhere

Page 2

1-2 AlienVault USM Anywhere: Getting Started Rev A Copyright© 2016 AlienVault. All rights reserved.

In this module we will cover the following objectives:

• We will define the security threats that currently exist.

• We will identify the challenges in detecting threats in your environment.

• We will illustrate how AlienVault USM Anywhere works and what its benefits are.

Page 3

The scene we are about to hear looks at the challenges many organizations are facing today. Two senior managers are discussing their concerns around information security and the steps their company can take to address this growing risk.

Page 4

[DIALOGUE]

[Woman] That was one of the best all-hands yet; everything is looking great. Sales are up, we are growing way quicker than anyone could have expected.

[Man] Yeah, but with all this growth the shareholders are becoming more concerned about data breaches.

[Man] We need to establish a good security program to counteract any attempted attacks, but we don't have the budget for a full Security Operations Center in IT.

[Woman] I understand the constraints, but I really think this needs to be a priority. We need to be proactive and not reactive, and be aware of what's going on inside our network.

[Woman] I actually recall reading about a SaaS solution from AlienVault that delivers Asset Discovery, Vulnerability Assessment, Intrusion Detection, and Behavioral Monitoring. It might be the answer to our problems. Let me tell you more about it over lunch.

Page 5

Your networks and systems are the core of your business, and being aware of the health of your infrastructure is key, especially from an information security perspective. Your systems can be attacked in many different ways; something seemingly minor that could easily go unnoticed can develop into a major security breach. Let's examine the progression of some security events and their potential impacts, going from least severe to most severe.

Environmental Awareness: This is behavior indicating policy violations, vulnerable software, or suspicious communications.

• This could be something like a Windows system that is not up to date on its patching.

• These are not markers of an attack, but things to consider resolving.

Reconnaissance & Probing: This is behavior indicating an attacker attempting to discover information about your network.

• In this case an attacker might be scanning your network to find out what ports are open and listening.

• Here they are attempting to find a target so they can develop a plan of attack based on the opportunities for exploitation they discover.

Delivery & Attack: This is behavior indicating an attempted delivery of an exploit.

• This could be an email with a link or an attachment that an employee clicks on, or even a USB drive that an unwitting employee plugs into their system.

• In this case the attacker has introduced some malicious code into your network in an effort to perform some further actions.

Exploitation & Installation: This is behavior indicating a successful exploit of a vulnerability or backdoor being installed on a system.

• In this case the attacker has successfully installed something on a target system or exploited a vulnerability.

• This can allow the attacker to acquire access and possibly elevate user privileges to install a persistent payload.

Page 6

System Compromise: This is behavior indicating a compromised system.

• This is the most severe level of attack, as the attacker has taken control of your system.

• This would allow them to exfiltrate high-value data as quietly and quickly as possible, or they could also use the compromised system to gain additional access, "steal" computing resources, and/or use it in an attack against someone else.

Page 7

Monitoring your environment for threats can be a daunting task. As we have seen, there are several levels of security events that can occur, with varying levels of potential impact to your environment. Even if you do have a dedicated security operations person, the volume of information can be extremely overwhelming and can impact their timely response to incidents. Let's review some of the challenges that you face on a day-to-day basis and how AlienVault USM Anywhere can potentially address these challenges and make the most of your time by aiding in threat detection on your systems and networks.

If you are the only person looking through raw logs and events, and there is no one else to help you with your investigations or to provide a second opinion, the occurrence of false positives and false negatives will in general increase. A False Positive is something that looks like a threat but is in fact a non-issue. An example of a false positive would be repeated failed logon attempts from an internal user to their laptop because they simply forgot their password. A False Negative is something that might look normal but is in fact an attempted attack on your systems. Let's use the failed login example again: you may see a single failed login to one of your servers from one IP address. Seems like nothing, right? However, this could be one of a thousand logon attempts from a range of IPs that are part of a botnet, where an attacker is using multiple systems to try to break into your server. Looked at one source at a time, each attempt appears benign; it only stands out when the failures are counted across all sources against that server.

USM Anywhere has built-in logic that will highlight the actual threats in your environment. With USM Anywhere doing the work of filtering out events that are not of concern, you can focus on a dashboard that highlights the events that merit further investigation. The more manual intervention needed to decipher which events are in fact threats and which can be ignored, the slower you can address issues.

Even if you are only seeing the valid events, you still need to make sure you are addressing the highest-impact threats first. USM Anywhere can proactively identify attacks and alert you to the threat immediately, so that you can put measures in place to address the issue. This means you can focus on the most pressing issues and, more importantly, it significantly reduces the chance that a real attack is missed as a false negative.

Page 8

You will also see issues categorized from highest to lowest priority based on their potential security impact. With all the challenges that have already been mentioned, you are probably time constrained, but to be effective you need to keep up to date on the latest threats and exploits to make sure you can identify potential attacks. It is also key that you educate the workforce in your company on how to behave responsibly from a security perspective. One other major bonus is the ability of USM Anywhere to stay up to date by leveraging AlienVault Labs Threat Intelligence, which allows threats to be identified as soon as our team of experts becomes aware of their existence. Once identified, the detection rules are pushed to your deployment, giving it the ability to detect the latest threats and alert you to the danger.

Page 9

You can think of USM Anywhere as a solution that provides 5 essential tools for threat detection for your environments. Let's go through these to give you an understanding of what they are and their purpose.

Asset Discovery goes out and finds all the devices on your network. This can help you discover Assets in your network that you may not be aware of, such as a device brought in by an employee and connected to your network, or a computer you've forgotten about.

Vulnerability Assessment looks at the Assets that have been discovered and analyzes them to see if there are vulnerabilities that could potentially be exploited. An example of this could be firmware that is out of date or an operating system that is behind on its updates. Authenticated scans have associated logon credentials, allowing USM Anywhere to log on to the Asset and retrieve more accurate information, such as installed software versions and patch levels. Unauthenticated scans are more indicative of what an attacker will see if they scan your network, delivering information such as open ports and listening services.

Intrusion Detection monitors the traffic on your network and the logs on your monitored assets to determine if someone is attempting to attack your environment. There are two types of Intrusion Detection:

• The first is called Network Intrusion Detection which monitors all the traffic on the network and attempts to detect signatures in packets that are known indicators of malicious activity.

• The second type is Host Intrusion Detection, which collects and analyzes logs from Assets, and also looks for problems with system integrity. This information can be retrieved from the Asset natively or through an agent installed on the Asset.

Signatures are characteristics of network traffic that can be observed to identify an intrusion attempt on your network or systems, whether it has already occurred or is in progress. There are three broad categories:

String Signature – Text strings that indicate commands or actions.

Port Signature – Connection attempts to well-known or unexpected ports.

Header Condition Signature – Dangerous or illogical combinations in packet headers.
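As an added example, not part of the AlienVault course and not USM Anywhere code, the Python below applies a few signatures of each of the three categories above to constructed packet records. The packet fields, the signature names and the sample traffic are all assumptions made for the demonstration; a production NIDS works from decoded packet captures and much larger rule sets, but the three kinds of test it runs are the ones shown here.

```python
"""Toy signature matcher for the three categories in the module:
string, port and header-condition signatures.  Added example, not
AlienVault code; packets and signatures are constructed for the demo."""
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: set          # TCP flag names, e.g. {"SYN", "FIN"}
    payload: bytes = b""


@dataclass
class Match:
    sig: str
    category: str
    packet: Packet


# String signatures: byte patterns in the payload that indicate commands or actions.
STRING_SIGS = {
    "shell-spawn": b"/bin/sh",
    "windows-cmd": b"cmd.exe",
    "php-eval": b"eval(base64_decode(",
}

# Port signatures: connection attempts (SYN without ACK) to ports that are
# well-known attack targets or simply unexpected on this network.
PORT_SIGS = {
    "telnet-connect": 23,
    "metasploit-default-handler": 4444,
}

# Header-condition signatures: flag combinations no legitimate TCP stack emits.
# Each entry is a predicate on the packet's flag set.
HEADER_SIGS = {
    "syn-fin-scan": lambda f: {"SYN", "FIN"} <= f,
    "xmas-scan": lambda f: {"FIN", "PSH", "URG"} <= f and not ({"SYN", "ACK"} & f),
    "null-scan": lambda f: len(f) == 0,
}


def match_packet(pkt):
    """Return every signature match for one packet, across all three categories."""
    hits = []
    for name, pattern in STRING_SIGS.items():
        if pattern in pkt.payload:
            hits.append(Match(name, "string", pkt))
    is_connect = "SYN" in pkt.flags and "ACK" not in pkt.flags
    for name, port in PORT_SIGS.items():
        if is_connect and pkt.dport == port:
            hits.append(Match(name, "port", pkt))
    for name, pred in HEADER_SIGS.items():
        if pred(pkt.flags):
            hits.append(Match(name, "header", pkt))
    return hits


def scan(packets):
    return [m for p in packets for m in match_packet(p)]


# Constructed sample traffic (not real captures).
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 80, {"PSH", "ACK"}, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.0.0.20", 80, {"PSH", "ACK"}, b"POST /up.php eval(base64_decode('..'))"),
    Packet("198.51.100.7", "10.0.0.20", 4444, {"SYN"}),
    Packet("198.51.100.9", "10.0.0.21", 22, {"SYN", "FIN"}),
    Packet("198.51.100.9", "10.0.0.21", 22, {"FIN", "PSH", "URG"}),
    Packet("10.0.0.6", "10.0.0.20", 4444, {"PSH", "ACK"}, b"hello"),  # established, not a connect
]

if __name__ == "__main__":
    for m in scan(SAMPLE):
        print(f"[{m.category}] {m.sig}: {m.packet.src} -> {m.packet.dst}:{m.packet.dport}")
```

Note that the last sample packet goes to port 4444 but carries ACK, so the port signature does not fire: a port signature is about the connection attempt, and a matcher that ignores the flags would alert on every packet of an established session.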

Page 10

Behavioral Monitoring looks at your environment for suspicious behavior of users and assets by monitoring host and cloud access logs. Finally, we have Security Information and Event Management or SIEM for short. The SIEM focuses on several different areas including:

• Log Management: Facilitating the collection of log event data from various sources in a normalized format, and also the retention of raw log data for later analysis as required.

• Event Correlation: Identifying potential security threats by detecting behavior patterns across different types of assets, that in turn produce Alarms that can be investigated.

• Reporting: Filter and explore alarms, event data, and vulnerability data which can be saved as views. These views can then be leveraged as a report template.

At the heart of all this we have Threat Intelligence, which compiles multiple threads of data together from all the components in USM Anywhere and starts to look for larger patterns. This information is provided by our AlienVault Labs team.

Normalization as it applies to USM Anywhere is the extraction of data from logs produced by external applications and devices. During data normalization each log file line is evaluated and translated into an event that identifies the event's type and subtype so it can be consumed by USM Anywhere.
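To make the normalization and event correlation described above concrete, and to revisit the failed-login false positive / false negative example from the challenges page earlier in this module, here is an added Python example. It is not AlienVault code: the two log formats, the event type and subtype names, the thresholds and the sample log lines are all constructed for the demonstration. Raw lines from an OpenSSH-style syslog and a flat export of Windows logon events are normalized into typed events, then failed logins are correlated per target host so that one user's handful of mistyped passwords produces no alarm while a single failure each from eight unrelated addresses against a server does.

```python
"""Normalize heterogeneous log lines into typed events, then correlate.
Added example, not AlienVault code; formats and samples are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Event:
    """One log line reduced to a type/subtype plus the fields correlation needs."""
    ts: datetime
    type: str        # e.g. "authentication"
    subtype: str     # e.g. "failed_login"
    src_ip: str
    dst_host: str
    user: str
    raw: str         # original line retained for later analysis


# Two constructed formats: OpenSSH-style syslog, and a flat export of Windows
# logon events (4624 = success, 4625 = failure).
_SSHD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<res>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+)")
_WIN = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"EventID=(?P<eid>4624|4625) User=(?P<user>\S+) SourceIP=(?P<ip>[\d.]+)")


def normalize(line, year=2016):
    """Translate one raw line into an Event, or None for an unknown format."""
    m = _SSHD.match(line)
    if m:
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sub = "failed_login" if m["res"] == "Failed" else "successful_login"
        return Event(ts, "authentication", sub, m["ip"], m["host"], m["user"], line)
    m = _WIN.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        sub = "failed_login" if m["eid"] == "4625" else "successful_login"
        return Event(ts, "authentication", sub, m["ip"], m["host"], m["user"], line)
    return None


def correlate(events, window=timedelta(minutes=10), min_sources=5, per_source_max=20):
    """distributed_bruteforce: >= min_sources distinct IPs fail against one host
    inside any `window` (each source alone looks harmless: the false negative).
    single_source_bruteforce: one IP fails >= per_source_max times.
    A few failures from one IP (a forgotten password) raise no alarm."""
    by_host = defaultdict(list)
    for e in events:
        if e.type == "authentication" and e.subtype == "failed_login":
            by_host[e.dst_host].append(e)
    alarms = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        best_srcs, best_len, start = 0, 0, 0
        for end in range(len(evs)):                 # sliding time window
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            n_srcs = len({e.src_ip for e in win})
            if n_srcs > best_srcs:
                best_srcs, best_len = n_srcs, len(win)
        if best_srcs >= min_sources:
            alarms.append(("distributed_bruteforce", host, best_srcs, best_len))
        per_src = defaultdict(int)
        for e in evs:
            per_src[e.src_ip] += 1
        for ip, n in per_src.items():
            if n >= per_source_max:
                alarms.append(("single_source_bruteforce", host, ip, n))
    return alarms


def run(lines):
    events = [e for e in (normalize(l) for l in lines) if e is not None]
    return events, correlate(events)


# Constructed sample logs (not real data).
SAMPLE_LOGS = [
    # alice mistypes her password four times on her own laptop, then gets in
    "2016-09-12 08:01:10 lt-alice EventID=4625 User=alice SourceIP=10.0.0.50",
    "2016-09-12 08:01:25 lt-alice EventID=4625 User=alice SourceIP=10.0.0.50",
    "2016-09-12 08:01:40 lt-alice EventID=4625 User=alice SourceIP=10.0.0.50",
    "2016-09-12 08:01:55 lt-alice EventID=4625 User=alice SourceIP=10.0.0.50",
    "2016-09-12 08:02:30 lt-alice EventID=4624 User=alice SourceIP=10.0.0.50",
] + [
    # one failure each from eight different addresses against web01
    f"Sep 12 08:{10 + i:02d}:03 web01 sshd[{2100 + i}]: Failed password for "
    f"invalid user admin from 203.0.113.{i + 1} port {50000 + i} ssh2"
    for i in range(8)
] + [
    "Sep 12 08:20:11 web01 sshd[2200]: Accepted password for deploy from 10.0.0.8 port 50123 ssh2",
    "Sep 12 08:21:00 web01 kernel: eth0: link up",   # not an authentication event
]

if __name__ == "__main__":
    events, alarms = run(SAMPLE_LOGS)
    print(f"{len(events)} events normalized, {len(alarms)} alarm(s)")
    for a in alarms:
        print(a)
```

The kernel line is dropped by `normalize` but would still be kept as raw log data; only lines the parsers understand become events. The thresholds are the tunable part: set `min_sources` too high and the distributed case is missed (a false negative), set `per_source_max` too low and every forgotten password becomes an alarm (a false positive).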

Page 11

AlienVault Labs is a team of security researchers who work to keep up to date on the latest malware and attacker tools on the security landscape. The Labs team focuses on learning the behavior of attackers, who continuously try to conceal their attempts to infiltrate your environment by misusing common protocols. The Labs team achieves this by correlating events that look unconnected into recognizable patterns that could be indicators of obfuscated attacks.

They also look at how attackers may be trying to extract or exfiltrate data from your network. Attackers will make every attempt to conceal this, and instead of using a common protocol like FTP will use techniques that don't look like they are extracting data. This research is used to make USM Anywhere even stronger by providing updates that will identify the latest threats in your environment. These updates are implemented once the team has thoroughly understood the exploits in use and can confidently identify these threats. Not only do they provide the ability to detect the threats, they also provide guidance on how to respond to such incidents, helping you to address these threats quicker once detected.

Finally, the Labs team also publishes information to the Open Threat Exchange, or OTX for short, as soon as they become aware of a new threat. This information is automatically pulled into your USM Anywhere deployment, meaning you are always kept up to date. If you would like more information on the AlienVault Labs team, please follow the link on this page: https://www.alienvault.com/who-we-are/alienvault-labs

Obfuscation means hiding the actual intent of communication and actions, making them confusing, ambiguous, and difficult to interpret. In a network security context this might mean obscuring an attack payload in an effort to make detection more difficult.

Page 12

The Open Threat Exchange is the world's first open threat intelligence community that enables collaborative defense with open access and collaborative research. OTX allows relevant, timely, and accurate information about new or ongoing cyberattacks and threats to be shared as quickly as possible.

Open threat intelligence community: AlienVault OTX provides open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and enables anyone in the security community to actively discuss, research, validate, and share the latest threat data, trends, and techniques.

Indicators of Compromise (or IOCs) are artifacts observed on the network or on endpoints that indicate, with a high degree of confidence, that a threat is present; in other words, the components that make up a threat. These are identified by the global community of threat researchers and security professionals, and OTX is updated to reflect the data. IOCs may consist of IPv4 or IPv6 addresses, file hashes, URLs, or domains; however, this is not an exhaustive list.

OTX users can subscribe to Pulses. Pulses are a way to gain access to the very latest information about threats that have been identified on the information security landscape. Pulses provide you with a summary of the threat, a view into the software targeted, and the related IOCs that can be used to detect the threats.

OTX also contains IP Reputation data, which identifies IP addresses and domains worldwide as either malicious or suspicious until more data comes in to modify their threat ranking. This data is also submitted by the OTX community. An IP address with IP reputation data may also be contained in a pulse, but this is not always the case.

IP reputation data and Indicators of Compromise from OTX Pulses created by our Labs team are automatically incorporated into AlienVault USM Anywhere. USM Anywhere uses this data to generate events, and if there is sufficient correlation between these events, USM Anywhere will generate an alarm. If you would like more information on the AlienVault Open Threat Exchange, please follow the link on this page: https://www.alienvault.com/open-threat-exchange
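As an added example, and not AlienVault's implementation, the Python below shows the kind of matching that turns pulse indicators and IP reputation data into events, and correlated events into an alarm. The pulse is constructed: its indicator objects are written with "type" and "indicator" fields in the general shape of an OTX pulse export, but that shape, the type names and every value are assumptions for the demo, as are the reputation table and the DNS, HTTP, flow and file observations. Indicators are canonicalized (case, trailing dots) so that observed data does not miss, and an alarm is raised only when two or more different indicator kinds fire for the same asset.

```python
"""Match observations against pulse indicators and IP reputation, then raise
an alarm on correlated hits.  Added example, not AlienVault code."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed pulse (not a real OTX pulse; field layout is an assumption).
PULSE_JSON = json.dumps({
    "name": "demo pulse (constructed)",
    "indicators": [
        {"type": "IPv4", "indicator": "198.51.100.23"},
        {"type": "domain", "indicator": "Evil-Updates.example"},
        {"type": "hostname", "indicator": "cdn.evil-updates.example"},
        {"type": "URL", "indicator": "http://evil-updates.example/stage2.bin"},
        {"type": "FileHash-SHA256", "indicator": "0123456789abcdef" * 4},
    ],
})

# Constructed IP reputation entries (address -> verdict).
IP_REPUTATION = {"203.0.113.77": "malicious", "198.51.100.23": "suspicious"}


def canon_domain(d):
    return d.strip().rstrip(".").lower()

def canon_hash(h):
    return h.strip().lower()

def canon_url(u):
    s = urlsplit(u.strip())
    return s._replace(scheme=s.scheme.lower(), netloc=s.netloc.lower()).geturl()


def load_indicators(pulse_json):
    """Index pulse indicators by kind, canonicalized so that case, trailing
    dots and hash casing in observed data do not cause misses."""
    idx = {"ip": set(), "domain": set(), "url": set(), "hash": set()}
    for ind in json.loads(pulse_json)["indicators"]:
        t, v = ind["type"], ind["indicator"]
        if t == "IPv4":
            idx["ip"].add(v.strip())
        elif t in ("domain", "hostname"):
            idx["domain"].add(canon_domain(v))
        elif t == "URL":
            idx["url"].add(canon_url(v))
        elif t.startswith("FileHash-"):
            idx["hash"].add(canon_hash(v))
    return idx


def match_event(ev, idx, reputation):
    """Return (kind, value) hits for one observation dict."""
    hits = []
    for key in ("src_ip", "dst_ip"):
        ip = ev.get(key)
        if ip in idx["ip"]:
            hits.append(("ioc_ip", ip))
        if ip in reputation:
            hits.append((f"reputation_{reputation[ip]}", ip))
    q = ev.get("query")
    if q:
        labels = canon_domain(q).split(".")
        # exact name first, then each parent domain (never the bare TLD)
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in idx["domain"]:
                hits.append(("ioc_domain", cand))
                break
    u = ev.get("url")
    if u and canon_url(u) in idx["url"]:
        hits.append(("ioc_url", canon_url(u)))
    h = ev.get("sha256")
    if h and canon_hash(h) in idx["hash"]:
        hits.append(("ioc_hash", canon_hash(h)))
    return hits


def analyze(events, idx, reputation, min_kinds=2):
    """One IOC event per hit; an alarm for an asset only when at least
    min_kinds different indicator kinds fire for it (a lone reputation hit
    stays an event to review, not an alarm)."""
    ioc_events, kinds_per_asset = [], defaultdict(set)
    for ev in events:
        for kind, val in match_event(ev, idx, reputation):
            ioc_events.append((ev["asset"], kind, val))
            kinds_per_asset[ev["asset"]].add(kind)
    alarms = [(a, sorted(k)) for a, k in kinds_per_asset.items() if len(k) >= min_kinds]
    return ioc_events, alarms


# Constructed observations from three assets.
SAMPLE_EVENTS = [
    {"asset": "ws-17", "type": "dns", "query": "CDN.evil-updates.example."},
    {"asset": "ws-17", "type": "http", "dst_ip": "198.51.100.23",
     "url": "http://EVIL-UPDATES.example/stage2.bin"},
    {"asset": "ws-17", "type": "file", "sha256": "0123456789ABCDEF" * 4},
    {"asset": "ws-04", "type": "flow", "dst_ip": "203.0.113.77"},
    {"asset": "ws-09", "type": "dns", "query": "updates.example"},
]

if __name__ == "__main__":
    evs, alarms = analyze(SAMPLE_EVENTS, load_indicators(PULSE_JSON), IP_REPUTATION)
    print(f"{len(evs)} IOC events, alarms: {alarms}")
```

The parent-domain walk is what makes a "domain" indicator cover lookups of any host under it, while stopping before the bare top-level label so that `example` alone never matches. The `min_kinds` threshold is the correlation step from the page: ws-04 talking to a malicious-reputation address yields an event to review, while ws-17, which resolved the pulse's hostname, fetched its URL from its address and wrote a file with its hash, is what becomes an alarm.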

Page 13

AlienVault Threat Intelligence provides automated updates to USM Anywhere for targeted detection of the latest threats. Unlike single-purpose threat intelligence feeds focused on only one security control, AlienVault Labs Threat Intelligence delivers multiple coordinated rulesets, fueled by the collective power of the Open Threat Exchange. AlienVault OTX delivers high-frequency updates of indicators of compromise based on details collected about attackers' infrastructure as well as the tools they use to infiltrate systems. All this data is sent through the OTX Analytics automated system, where the information is processed. The AlienVault Labs team works in tandem with the Analytics team to produce Threat Intelligence updates that can confidently identify these threats in the customer's environment. AlienVault Labs Threat Intelligence updates drive AlienVault USM Anywhere's security capabilities in identifying the latest threats, resulting in the broadest view of attacker techniques and effective defenses.

Page 14

USM Anywhere provides you with a single web-based interface from which you can monitor the security of all your environments. USM Anywhere is a Software-as-a-Service (SaaS) offering that is managed by AlienVault, and all system updates are taken care of for you.

USM Anywhere provides the ability to monitor all your company networks and assets no matter where they are. It can monitor your on-premises environments, whether you have a single office or multiple locations. But what if you have Assets running on public cloud offerings? USM Anywhere has that covered also, allowing for monitoring of Assets running on Amazon Web Services and on Microsoft Azure. This is done by deploying USM Anywhere Sensors into each environment that you wish to monitor. These USM Anywhere Sensors then communicate back to the cloud-based USM Anywhere service, giving you a single pane of glass from which to view all your Assets. We will look at the USM Anywhere Sensors in greater detail in the coming modules.

Page 15

Are you just starting out with security, trying to become familiar with some of the core terms and how to address security threats after USM Anywhere has detected them? Well, if the concept of Security Operations is "Alien" to you, these links may help provide you with some of the guidance you need.

Insider's Guide to Incident Response: https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response

A Day Inside a Security Operations Center: https://www.alienvault.com/resource-center/webcasts/a-day-inside-a-security-operations-center

The One-Man Security Operations Center: https://www.alienvault.com/forms/webcast-thank-you/the-one-man-soc-habits-of-highly-effective-security-practitioners

Page 16

So let's review what was covered in this module:

• We learned about the security threats that exist today.

• We identified the challenges in detecting threats.

• We illustrated how USM Anywhere works and its benefits.

Page 17

Read the Documentation: https://www.alienvault.com/documentation/

Explore USM Anywhere Training Offerings: https://www.alienvault.com/training/

Check Out Our Product Forums: https://www.alienvault.com/forums/

HTTPS://WWW.ALIENVAULT.COM | [email protected]