AlienVault: What You SIEM is What You Get
However, a properly executed SIEM strategy is difficult to achieve, even in static network environments with limited
assets, much less for companies that have heterogeneous networks, transient end users, and plans for expansion.
Companies big and small face these challenges. The following are the factors a company needs to consider when it
purchases and then deploys a SIEM:
Personnel dedicated to security. This is by far the most important consideration when purchasing a SIEM.
Naturally, the smaller the company, the less likely it is to have dedicated security personnel. In small-to-midsized
businesses (SMB), the IT director, operations manager, and security practitioner are often the same person. Worth
noting, large companies and enterprises are not immune to personnel challenges: the strongest threat hunters are
poached from one company to another. A differentiator in network security tools is therefore to give entry-level
security analysts as many triage and correlation tools on the dashboard as possible. Ideally, much of the enrichment
and correlation is done within the platform before the analyst begins the investigation.
Budget. Technologies that protect networks include SIEM, vulnerability management (VM),
intrusion detection/intrusion prevention systems (IDS/IPS), network access control (NAC),
endpoint protection platforms and endpoint detection and response (EPP/EDR), firewalls, and
next-generation firewalls. Because budgets are tight, it is difficult to acquire all the tools needed to
build an effective security program. Combined with staffing constraints, this can leave a significant gap
in an organization's ability to detect and defend against threats. The recent WannaCry ransomware
attacks showed how unprepared organizations can be without the right tools to quickly detect, assess,
and identify both vulnerable systems and the threats to those systems.
Type of deployment. Heterogeneous networks include on-premises, public cloud, and private
cloud environments, and often a combination of these. An SMB might have a single server room and
one point of egress/ingress, but network complexity grows as companies become larger.
Threat detection and prioritization. Finding indicators of compromise (IOC) is not particularly hard;
separating noise from legitimate IOC is the real value of a cyber security tool. Consequently, analysts
gathering threat information and then prioritizing lists of threats becomes a time sink. SIEM platforms
must cross-correlate factors such as exploitability, behavioral anomalies, the value of the asset, and
risk and compliance. An emerging factor in successful SIEM deployments is the platform's ability to
ingest external threat intelligence sources.
Security orchestration and automation. All of this looks great in theory, but turning the massive
amount of log data and its correlative relationships into actionable response is what network
security teams ultimately want.
1. In the report Security and Information Event Management (SIEM) Global Market Analysis: Is this the Best Technology for Threat Sensing? (K109-74),
June 2017, Frost & Sullivan estimated the global SIEM market for appliances and related services at roughly $1.8 billion in calendar year 2016.
This white paper is about what Frost & Sullivan sees in AlienVault's approach to SIEM, Unified Security Management
(USM). The USM platform, offered as either an on-premises appliance (USM Appliance) or as a SaaS offering (USM
Anywhere), provides asset discovery, vulnerability assessment, intrusion detection (cloud, host, and network),
behavioral monitoring, and SIEM (event correlation and log management), all combined and pre-configured out of
the box. AlienVault USM is a continually evolving product platform augmented with threat intelligence from AlienVault
Labs. AlienVault has enjoyed success with midsized and enterprise-sized customers (including customers that stayed
with AlienVault as they grew), but the AlienVault culture has always been to optimize tools for resource-constrained
customers.
Ultimately, AlienVault has been about solutions more than products. In October 2016, AlienVault introduced USM
Anywhere, a cloud-based SIEM-as-a-service.2 The platform progression was natural, as it addresses specific client needs.
USM Anywhere was developed from the ground up for monitoring both on-premises environments and cloud environments
such as AWS and Azure, which was a better decision than trying to retrofit the AlienVault USM Appliance for cloud
services. By offering both USM Appliance and USM Anywhere, AlienVault gives IT/network security teams of all
sizes multiple deployment options and the ability to scale security monitoring as the company grows.
Both AlienVault USM Appliance and USM Anywhere are frequently updated with new threat intelligence from
AlienVault Labs, which minimizes the requirement for IT staff to conduct their own threat research in order to
write the complex correlation rules that are needed to keep SIEM threat detection capabilities up to speed with the
latest threats.3
[Figure: SIEM Platform Evolution over TIME. Capabilities plotted along the timeline: Log Ingestion Rates; Compliance Reporting and Auditing; Rules and Alerts; Asset Discovery; Events Correlation; User Behavioral Analysis; Extensibility and Heterogeneous Network Coverage; Advanced Search and Triage; Indicators of Compromise (IOC).]
2. In October 2016 it was offered to a few select accounts; AlienVault made USM Anywhere available to all companies in February 2017.
3. This was recently evidenced with WannaCry. AlienVault shipped vulnerability signatures for MS17-010 as early as April 18, allowing customers to
identify vulnerable systems. On May 12, when WannaCry broke in the news, AlienVault had already seen it in the wild and had detection signatures created
and delivered to customers by early morning, allowing them to detect systems that were under attack or already compromised.
However, these paradigms, while true, became problematic on two levels. First, the race to build faster SIEM engines
and SIEM architectures for enterprises neglected the SMB. SIEM platforms were cost prohibitive to all but the largest
companies, and scaling down existing SIEM platforms proved difficult. Second, if a SIEM only stored log data and
reported on compliance, then by definition it was a passive cyber security technology, not an actionable platform
that could be used to detect and stop active intruders.
Since its inception in 2007, AlienVault has been designed to work on these two problems. AlienVault USM is designed
to help resource-constrained security teams and built to be cost effective. Even at its introduction, AlienVault
envisioned its SIEM platform to offer active cyber security. Currently, Frost & Sullivan sees AlienVault as offering five
important value propositions:
1. Specifically made for midsized enterprises and businesses with limited resources: people, skills, and
budget. SIEM platforms were largely designed for enterprise-sized businesses, and many vendors are now
attempting to retrofit their products into an all-in-one (AIO) appliance; AlienVault designed its appliances
for this need from the start.
2. Integrated security. Out-of-the-box security capabilities in the AlienVault USM platforms include SIEM and log
management, asset management, behavioral monitoring, vulnerability assessment, file integrity monitoring, and
network and host intrusion detection. In combination, these give the end user meaningful context for threat detection
and incident response.
3. Heterogeneous network support. AlienVault USM Appliance addresses a specific need for organizations
that require an on-premises virtual or physical appliance. The February 2017 release of USM Anywhere enables
AlienVault to offer cloud-based security monitoring across cloud and on-premises assets in one tool.
4. Integrated threat intelligence. Customers need information about threat actors, their methods, infrastructure,
and the tools they use to exploit vulnerabilities in their efforts to compromise and control systems; again, this is
a capability of both the AlienVault USM Appliance and USM Anywhere platforms.
5. Life cycle management. A long-standing challenge in SIEM is search and storage efficiency. AlienVault USM manages
the full discovery and rediscovery life cycle of critical assets within the infrastructure. Because SIEM and threat
detection share the same platform, USM retains historical visibility when an asset or threat vector is rediscovered.
One of the first fundamentals of network security is to reduce the attack surface. The technology used to scan
for configuration errors and insecure endpoints is vulnerability assessment (VA) scanning. As an always-on platform,
AlienVault USM gives its customers continuous vulnerability assessment, as opposed to traditional VA scans, which
must be scheduled in advance. Both AlienVault USM Appliance and USM Anywhere continuously identify insecure
configurations and unpatched or unsupported software.
The colloquialism goes, "You cannot protect what you cannot see." Asset discovery is an important part of what
AlienVault provides. AlienVault's scan technology uses a combination of passive, authenticated, and unauthenticated
scanning to provide asset discovery.
Network and host intrusion detection is standard to AlienVault USM Appliance and USM Anywhere. As mentioned
though, AlienVault takes a unified approach to security. Intrusion detection is a part of the SIEM function. The tie
in between SIEM and intrusion detection is an important differentiator; AlienVault Labs Threat Intelligence applies
appropriate event correlation rules against the raw event log data collected, as well as the events triggered by the built-
in intrusion detection software.
The AlienVault Labs Security Research Team leverages the data within OTX to analyze threat activity
using a set of machine-learning analysis systems to look for trends and behaviors, and translates that
activity into the threat intelligence that is delivered to both USM Appliance and USM Anywhere.
AlienVault Labs plays a critical role in the larger threat intelligence scheme. AlienVault maintains the Open Source SIEM
project (OSSIM). AlienVault continues to offer OSSIM as a free, open-source SIEM platform, and users of both OSSIM
and USM have the option to contribute threat data to the AlienVault Open Threat Exchange (OTX), which has
53,000 participants contributing over 10 million threat indicators daily. The AlienVault Labs Security Research Team
draws from the Open Threat Exchange (OTX) to develop new and updated threat intelligence, delivered continuously
to both USM Anywhere and USM Appliance.
USM Anywhere and USM Appliance include plugins that allow the parsing and normalization of third-party data (e.g.,
log data, machine data). This allows AlienVault to provide the log management and event correlation capability included
in its unified approach.
USM Anywhere also includes AlienApps, which are modular software components tightly integrated into the USM
Anywhere platform. AlienApps deliver technology quickly through the platform to extend, orchestrate, and automate
functionality between the built-in security controls in USM Anywhere and other tools that IT security teams utilize,
simplifying and accelerating threat detection and incident response processes.
Threat intelligence, asset discovery, network and host IDS data, vulnerability data, user behavioral monitoring data,
and externally collected log data are correlated to provide a comprehensive picture of the threat environment. This
correlation happens in real time: USM calculates a risk value for every event as it arrives at the USM Server.
AlienVault's risk-of-event equation combines the asset value, the event priority, and the event reliability. When the
risk crosses a defined threshold, an alarm is raised.
The information is now consumable by the security analyst. Through the dashboard, an analyst understands the severity
of a threat, and can analyze data using built-in visualizations and analysis tools.
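The two mechanisms described above, plugin-style normalization of third-party log data and per-event risk scoring with an alarm threshold, as one added, runnable example. This is illustrative code written for this page, not AlienVault's or OSSIM's implementation. The page names only the three factors of the equation; the concrete form used here, risk = (asset value x priority x reliability) / 25 with an alarm at risk >= 1, is the formula documented for the open-source OSSIM engine. The log lines, the two "plugins", the asset values, the priority/reliability assigned to each signature, and the brute-force correlation directive are all constructed for the example.

```python
"""Toy SIEM pipeline: normalize raw log lines, correlate, score risk, raise alarms."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input (not real logs): Linux sshd via syslog plus one
# Suricata-style IDS fast.log line using a local-rule SID (1000001).
SAMPLE_LOGS = [
    "Jun  1 10:00:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "Jun  1 10:00:03 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 50124 ssh2",
    "Jun  1 10:00:05 web01 sshd[2211]: Failed password for admin from 203.0.113.7 port 50130 ssh2",
    "06/01/2017-10:00:06.120000  [**] [1:1000001:1] LOCAL EXPLOIT MS17-010 SMB exploit attempt"
    " [**] [Priority: 1] {TCP} 203.0.113.7:49152 -> 10.0.0.12:445",
    "Jun  1 10:00:09 web01 sshd[2211]: Accepted password for deploy from 198.51.100.5 port 40010 ssh2",
]

# Constructed asset inventory: asset value on a 0-5 scale, keyed by hostname or IP.
ASSETS = {"web01": 3, "10.0.0.12": 5}
DEFAULT_ASSET_VALUE = 2


@dataclass
class Event:
    """Normalized event, the common schema every plugin emits."""
    plugin: str
    sig: str          # normalized signature name
    src_ip: str
    dst_host: str     # hostname or IP of the target; used for the asset lookup
    priority: int     # 0-5, how bad the event is if it is real
    reliability: int  # 0-10, how likely the event is a true positive


# "Plugin" 1: sshd syslog. The SID table maps a match to (signature, priority, reliability).
SSHD_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)"
)
SSHD_SIDS = {"Failed": ("sshd: auth failure", 2, 3), "Accepted": ("sshd: auth success", 1, 1)}

# "Plugin" 2: IDS fast.log. IDS priority 1 is most severe; map 1/2/3 onto the 5-point scale.
IDS_RE = re.compile(
    r"\[\*\*\] \[\d+:\d+:\d+\] (?P<msg>.+?) \[\*\*\] \[Priority: (?P<pri>\d)\] "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def parse(line: str):
    """Run the plugin regexes over one raw line; return a normalized Event or None."""
    m = SSHD_RE.match(line)
    if m:
        sig, pri, rel = SSHD_SIDS[m["result"]]
        return Event("sshd", sig, m["src"], m["host"], pri, rel)
    m = IDS_RE.search(line)
    if m:
        return Event("ids", "ids: " + m["msg"], m["src"], m["dst"], max(1, 6 - int(m["pri"])), 6)
    return None


BRUTE_FORCE_THRESHOLD = 3  # failures from one source before the directive fires


class Correlator:
    """Scores each event and raises an alarm when risk crosses the threshold."""

    def __init__(self, alarm_threshold: float = 1.0):
        self.alarm_threshold = alarm_threshold
        self.failures = defaultdict(int)  # src_ip -> count of sshd auth failures
        self.alarms = []                  # (signature, src_ip, dst_host, risk)

    @staticmethod
    def risk(ev: Event) -> float:
        # OSSIM-documented form: (asset value * priority * reliability) / 25, range 0-10.
        asset = ASSETS.get(ev.dst_host, DEFAULT_ASSET_VALUE)
        return asset * ev.priority * ev.reliability / 25

    def feed(self, line: str):
        """Normalize one line, apply the brute-force directive, score, and alarm."""
        ev = parse(line)
        if ev is None:
            return None
        events = [ev]
        if ev.sig == "sshd: auth failure":
            self.failures[ev.src_ip] += 1
            # A directive event: repeated low-reliability events from one source become
            # a single higher-priority, higher-reliability event. (A real directive would
            # also bound the count by a time window; omitted here for brevity.)
            if self.failures[ev.src_ip] == BRUTE_FORCE_THRESHOLD:
                events.append(Event("directive", "ssh brute force", ev.src_ip, ev.dst_host, 4, 8))
        scored = []
        for e in events:
            r = round(self.risk(e), 2)
            if r >= self.alarm_threshold:
                self.alarms.append((e.sig, e.src_ip, e.dst_host, r))
            scored.append((e.sig, r))
        return scored


def run_sample():
    """Feed the constructed logs through the pipeline; return (per-line scores, alarms)."""
    c = Correlator()
    return [c.feed(line) for line in SAMPLE_LOGS], c.alarms


if __name__ == "__main__":
    scores, alarms = run_sample()
    for s in scores:
        print(s)
    print("ALARMS:", alarms)
```

The three individual SSH failures each score 3 x 2 x 3 / 25 = 0.72 and stay below the threshold; the directive event they trigger on the third failure scores 3.84, and the IDS hit against the high-value host scores 6.0, so only those two become alarms. That is the behaviour the paragraph describes: the noise is retained as events, but the analyst is shown only the correlated, asset-weighted results.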
AlienVault decided to build USM Anywhere from the ground up, instead of trying to kludge AlienVault USM onto
cloud architectures. The basic construct of USM Anywhere is a hub-and-spoke architecture, meaning that sensors can
be deployed quickly and inexpensively. USM Anywhere includes cloud-native sensors for AWS and Azure, and virtual
sensors for VMware and Hyper-V environments. USM Anywhere consists of two components:
Cloud-based USM Anywhere. This component is responsible for event correlation, event storage and event
analysis, and provides the interface to the user to investigate, analyze, and respond to incidents.
USM Anywhere Sensor. This component is responsible for data collection, asset scanning, vulnerability
scanning, and environment awareness. It collects and shares the resulting information with USM Anywhere
for processing.
Prior to USM Anywhere, AlienVault faced a conundrum. While its unified security management platform was smartly
implemented, the drawback was that the AlienVault USM Appliance could only integrate data from third-party
applications through plugins. Customers want more: they want the ability to orchestrate response actions with the
environment and with third-party applications as well. Further, as more and more organizations adopt cloud
infrastructure, a cloud solution was needed.
Enter AlienApps. The creation of AlienApps is an essential feature on USM Anywhere. AlienApps are modular,
extensible additions to USM Anywhere that allow AlienVault to collect, analyze, and visualize data from third-party
platforms via pre-built dashboards, and provide orchestrated security response with third-party applications. More than
just a fabric linking APIs, AlienApps provide an orchestrated security response with both the network infrastructure (as
in the case of the AlienVault Forensics and Incident Response AlienApp) and other security tools.
AlienApps are in their infancy, but an early AlienApp demonstrates how USM Anywhere can gain added visibility and
initiate an orchestrated response. The integration with Cisco Umbrella provides visibility into DNS activity and
enables automated response actions within Cisco Umbrella. If malware is discovered, the Cisco Umbrella AlienApp
can instruct Cisco Umbrella to block the domains and URLs identified as malicious. Along with Cisco Umbrella,
McAfee ePolicy Orchestrator, Microsoft Office 365, Google G Suite, Palo Alto Networks Next-Generation Firewalls,
ServiceNow IT Service Management and Security Operations, and Carbon Black have AlienApps supported natively
(out of the box) in USM Anywhere.
The basic licensing agreement for USM Anywhere is a minimum monthly subscription for 250GB of data, and the largest
standard engagement is 10TB (AlienVault can work with the customer for larger engagements). All USM Anywhere
tiers come with one sensor, 90 days of hot storage, and one year of cold storage. Hot storage is readily
searchable using Elasticsearch wrapped in a graph-based data store to enable high-speed query response and analysis.
Additional cold storage can be purchased to retain raw logs and events longer, depending on the use case.
A final point worth making is that USM Anywhere is fully hosted in AlienVault's Secure Cloud. The same time savings
for analysts in case management and triage that apply to USM Appliance also apply to USM Anywhere. In addition,
USM Anywhere allows for appreciable savings in hardware and utilities, eliminating the costs associated with placing
a server in a data center (facility, cooling, power, and ongoing maintenance).
FINAL THOUGHTS
In what turned out to be prescient thinking by AlienVault, the company recognized there was a midmarket play that
was being missed by other SIEM vendors. AlienVault understood that a SIEM platform that unifies SIEM with other
key capabilities (asset discovery, vulnerability management, intrusion detection and behavioral monitoring) needed for
effective threat detection and response would resonate with clientele of all sizes.
Currently, AlienVault security products are extensible for multi-tenant environments as well as for heterogeneous
networks. In coordination with its customers, AlienVault can create a security posture that protects networks on-
premises, in public and private clouds, and in any combination of network environments.
Lastly, while having a single vendor to rely on for an integrated security posture, with extensibility and visibility across
multiple network architectures, is desirable, perhaps the greatest value proposition offered by AlienVault is the
savings in IT/security staff hours. On all AlienVault products, AlienVault Labs Threat Intelligence applies the
appropriate event correlation rules against the raw event log data collected, as well as against the events triggered by
the built-in intrusion detection software. The ability to normalize and correlate log data, and to integrate it with
threat intelligence from AlienVault Labs, saves security teams time in incident investigations.
https://www.alienvault.com/docs/data-sheets/usm-anywhere-plugins-list.pdf
https://www.alienvault.com/docs/data-sheets/usm-plugins-list.pdf
For information about USM Anywhere and to start a free trial, go to:
AlienVault USM Anywhere
Frost & Sullivan, the Growth Partnership Company, works in collaboration with clients to leverage visionary innovation
that addresses the global challenges and related growth opportunities that will make or break todays market participants.
For more than 50 years, we have been developing growth strategies for the Global 1000, emerging businesses, the public
sector and the investment community. Is your organization prepared for the next profound wave of industry convergence,
disruptive technologies, increasing competitive intensity, Mega Trends, breakthrough best practices, changing customer
dynamics and emerging economies?