Advanced Threat Detection Anywhere Modern Threats Appear
Your organization’s security depends on your ability to rapidly detect and respond to emerging threats across your cloud and on-premises environments. Yet, attack methods and strategies evolve constantly, making threat detection an always-moving target.
Most organizations simply don’t have the resources or time to extensively research the global threat landscape for the latest attack vectors, nor can they spend time analyzing every indicator that an attack is happening.
AlienVault® Unified Security Management® (USM) is built with these organizations in mind. AlienVault USM performs advanced threat detection across your cloud and on-premises environments. It combines multiple essential security capabilities – asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, endpoint detection and response, SIEM event correlation, and log management – in one unified console. This gives you everything you need to quickly identify, analyze, and respond to emerging threats, in one cost-effective and easy-to-use solution.
In addition, the AlienVault Labs Security Research Team works on your behalf to research the latest global threats and vulnerabilities, and delivers threat intelligence updates continuously into the USM platform. That way, you get the assurance of an always-up-to-date and optimally performing security monitoring solution, even without a dedicated in-house security team.
AlienVault Labs leverages threat intelligence from the Open Threat Exchange® (OTX™), the world’s largest open threat intelligence community: security experts, researchers, and IT professionals who provide global insight into the latest attack trends, bad actors, indicators of compromise, and affected industries.
Focus on the Threats That Matter Right Now
- Quickly assess threats with automated alert prioritization
- Make informed decisions with full details on every alarm, including a description of the threat, its method and strategy, and recommendations on response
Get Complete Threat Visibility with All-in-One Security Essentials
- Achieve multi-layered threat detection for your on-premises and cloud environments using the USM platform’s built-in host-, network-, and cloud-based intrusion detection systems and endpoint detection capabilities
- Easily search and analyze threats with a consolidated view of your assets, vulnerabilities, and malicious activities in your environment
- Eliminate your security blind spots by aggregating and correlating events from all your devices, servers, endpoints, and applications, as well as monitoring user and administrator activities
Stay Vigilant with Continuous Threat Intelligence Delivered
- Receive continuous, curated threat intelligence from AlienVault Labs Security Research Team, delivered automatically to the USM platform
- Leverage threat data from the world’s largest open threat intelligence community—OTX
- Stay ahead of emerging threats with correlation rules that are continually and automatically updated with the latest threat intelligence
Focus on the Threats that Matter Right Now
With the constantly evolving nature of the threat landscape, it can be difficult—especially with limited resources—to address every incident and alert that occurs in and across your on-premises and cloud environments. Instead, you must be able to cut through the clutter of alerts and false positives to effectively prioritize your threat detection and response activities.
AlienVault USM Anywhere automatically prioritizes the most severe threats facing your environment. The platform uses the Kill Chain Taxonomy to categorize threats by severity in a highly visual and instantly recognizable way, so that you can immediately know which threats to focus on first. It also provides you with contextual information to help you understand attack intent and threat severity, based on how the threats are interacting with your environment.
- System Compromise – Behavior indicating a compromised system. This is the most severe threat level.
- Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system.
- Delivery & Attack – Behavior indicating an attempted delivery of an exploit.
- Reconnaissance & Probing – Behavior indicating a bad actor attempting to discover information about your network.
- Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications.
Get Complete Threat Visibility with All-in-One Security Essentials
AlienVault USM provides multiple essential security capabilities to help identify, understand, and contain threats—all through a single pane of glass. With all security-related data about your assets, vulnerabilities, and intrusions centralized and easily searchable, and backed by threat intelligence from AlienVault Labs and OTX, you can investigate faster and respond sooner to risks and threats against your critical infrastructure.
Asset Discovery
- Discovery of assets across on-premises, cloud, and hybrid environments
- Identification of software & services deployed on each asset
- Ability to group assets, supporting simplified monitoring and review
Vulnerability Assessment
- Scans for vulnerabilities across all your monitored environments
- Prioritization by vulnerability severity, so you can focus remediation where it matters most
- Indication of any available patches for identified vulnerabilities
Endpoint Detection and Response
- Maintain continuous visibility of your endpoints in the cloud, on premises, and remote
- Get built-in file integrity monitoring (FIM) to monitor changes to critical files and registry keys, as required by many regulatory compliance standards
- Proactively query endpoints for information needed for forensics investigations
Intrusion Detection
AlienVault USM delivers multi-layered intrusion detection for the threat detection needs of your cloud, hybrid cloud, and on-premises environments. Built-in network intrusion detection (NIDS), host intrusion detection (HIDS), and native cloud intrusion detection (CIDS) capabilities work in concert, giving you comprehensive intrusion detection across your entire IT landscape and eliminating your security blind spots.
- Cloud IDS (CIDS)
- Network IDS (NIDS)
- Host IDS (HIDS)
Behavioral Monitoring
- Monitor cloud access and activity logs (Azure: Monitor; AWS: CloudWatch, CloudTrail, S3, ELB; VMware and Hyper-V access logs)
- Monitor user and administrator activities on systems and applications, including Okta, Active Directory, Office 365, and G Suite
- AWS VPC Flow Monitoring
Incident Response Guidance
- Review context on the threat, including details on strategy, method, and actor
- See enriched information on the incident from the Open Threat Exchange (OTX), with links to ‘pulses’ from the OTX community
- Review the affected asset, including details about what software and services are installed, and any other related vulnerabilities and alarms
- Identify the destination IP address or domain to which communications are being passed (e.g. a Command & Control Server)
- Get recommended actions to take for further investigation and threat containment
SIEM & Log Management
- Event correlation by graph-based machine learning and finite-state machine (FSM) correlation engines
- Integrated threat intelligence, including updated correlation directives, from AlienVault Labs Security Team, and the AlienVault Open Threat Exchange (OTX)
- Aggregation of logs from all servers, endpoints, and applications across your on-premises, cloud, and hybrid environments
- Up to 90 days of searchable events stored in fast Elasticsearch storage
- At least 12 months of raw log retention
What is threat hunting?
The process of threat hunting involves proactively searching for malware or attackers that are hiding within a network. Rather than simply relying on security solutions or services to detect threats, threat hunting is a predictive element of a layered security strategy, empowering organizations to go on the offensive looking for threats. Threat hunting is typically carried out by highly skilled security professionals using sophisticated toolsets to identify and stop hard-to-find malicious activities on a network.
According to Microsoft, an attacker resides on a compromised network for a median of 146 days before being discovered, which makes this kind of attack an advanced persistent threat (APT). In that amount of time, attackers residing stealthily on a network can exfiltrate data, access applications to identify and use business details to commit fraud, or move laterally through the network gathering credentials for access to even more valuable data and resources.
Why is threat hunting necessary?
Organizations implementing good security practices and tools such as antivirus, email and web scanning, and firewalls are taking the necessary first steps. A layered security strategy can be effective in stopping the majority of cyberattacks. However, it should be assumed that some small percentage of advanced attacks will evade detection by traditional security solutions, giving cyber criminals access to an organization’s network for as long as they deem necessary to carry out their malicious activities. Because of the potential risk, it is this small percentage of attacks that can spur an organization to take up threat hunting.
Implementing a security posture that prevents and detects attacks is defensive in nature: the idea is to stop an attack before it happens. Threat hunting is a predictive and offensive tactic, based on the assumption that an attacker has already successfully gained access (despite an organization’s best efforts). Threat hunting uses a mixture of forensics capabilities and threat intelligence to track down where attackers have established footholds within the network and to eliminate their access before any damaging malicious actions can take place.
Threat hunting and indicators of compromise (IoCs)
Threat hunting generally begins with security analysts working through threat intelligence, their understanding of the environment they secure, and other security data sources to form a hypothesis about a potential threat. Threat hunters then look for indicators of compromise (IoCs) in forensic “artifacts” to identify activity that aligns with the hypothesized threat.
These artifacts are bits of data from server logs, network traffic, configurations, and more that help threat hunters determine whether suspicious activities have taken place. Artifacts include:
- Network-based artifacts – By watching the listening ports of internet-facing systems, threat hunters can monitor live traffic and review packet session recordings, looking for unusual outbound traffic, abnormal communication geographies, irregular amounts of inbound or outbound data, and similar anomalies.
- Host-based artifacts – File systems and the Windows registry are two places where threat hunters can find anomalous settings and content. Scanning registry values and monitoring changes made to file systems are common threat hunting activities.
- Authentication-based artifacts – Monitoring or reviewing logins (and attempted logins) of privileged accounts on endpoints, servers, and services lets a threat hunter follow the trail an attacker used and identify which accounts have been compromised and need to be remediated.
The path taken during the “hunt” is defined only by the details discovered. For example, spotting anomalous outbound network traffic would lead a threat hunter to take a closer look at the endpoint transmitting that traffic. Thus, there is no single established threat hunting process that applies to every hunt.
Threat hunting tools
Cyber threat hunters need to examine both historical and current state details of what actions have transpired on systems and across the network. They need to rely on a number of tools and data sources to assist with their investigations. These include:
- Security monitoring tools – Cyber threat hunters use the monitoring data from various kinds of security monitoring solutions. The monitoring data from firewalls, endpoint protection, data loss prevention, network intrusion detection, insider threat detection, and other security tools all provide threat hunters with attack details that help paint a picture of the activities performed by an attacker still residing in the network. The goal is to collect event log data from as many sources as possible, so that correlating the various monitoring data sets also provides context.
- SIEM solutions – Security Information and Event Management (SIEM) solutions collect structured log data from a wide range of sources within a network environment, providing near-real-time analysis of the data and producing security alerts for IT. SIEM solutions help threat hunters to automatically gather and make sense of the massive amount of log data from security monitoring tools and other sources, making it possible to identify previously unseen security threats.
- Analytics tools – Cyber threat hunters are human, so there is only so much analysis and correlation the mind can do on its own. Analytics tools that perform either statistical or intelligence analysis can be of great use. Tools offering statistical analysis use mathematical algorithms instead of human-defined rule sets to identify data anomalies that may signify attack activity. Intelligence analytics software lets the threat hunter visualize complex relational data through interactive dashboards. These analysis tools make it possible for threat hunters to see otherwise hidden relationships between different data sets that, taken together, can indicate an attack.
- Threat intelligence – Threat hunters need a repository of data on known malicious IP addresses, malware hashes, IoC artifacts, etc. This data can be found in both open source and subscription-based forms on the web, such as the Open Threat Exchange powered by cmt-technologies.
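As an added illustration of the artifact types described above and of the statistical analysis the analytics-tools bullet refers to (example code written for this page, not part of any AlienVault or cmt-technologies product), the following hunt runs two checks over constructed network and authentication artifacts: a robust outlier test on outbound volume plus an unfamiliar-geography check, and a privileged-account check for success after repeated failures or logons from outside an assumed admin-host baseline. The flow records, auth events, privileged accounts, baseline geographies, and admin hosts are all made-up sample data.

```python
from collections import defaultdict
from statistics import median

# Constructed per-host outbound flow summaries: (host, destination country, bytes out)
FLOWS = [("ws-01", "US", 12_000), ("ws-02", "US", 9_500), ("ws-03", "US", 11_200),
         ("ws-04", "US", 10_800), ("ws-05", "US", 9_900), ("ws-06", "US", 12_000),
         ("ws-07", "XX", 950_000)]  # large transfer to a geography never seen before
# Constructed authentication events in time order: (user, host, outcome)
AUTH = [("alice", "ws-01", "success"), ("admin", "ws-07", "failure"),
        ("admin", "ws-07", "failure"), ("admin", "ws-07", "failure"),
        ("admin", "ws-07", "success"), ("svc-backup", "srv-db", "success")]
PRIVILEGED = {"admin", "svc-backup"}      # assumed privileged accounts
BASELINE_GEOS = {"US"}                     # assumed normal destination geographies
ADMIN_HOSTS = {"jump-01", "srv-db"}        # assumed hosts privileged logons come from

def robust_z(value, values):
    """Modified z-score (median/MAD based). Unlike a mean/stdev z-score it is not
    dragged toward the very outlier it is supposed to expose."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return 0.6745 * (value - med) / mad if mad else 0.0

def hunt_network(flows, threshold=3.5):
    """Network artifacts: abnormal outbound volume or an unfamiliar geography."""
    volumes = [b for _, _, b in flows]
    return [(h, g, b) for h, g, b in flows
            if robust_z(b, volumes) > threshold or g not in BASELINE_GEOS]

def hunt_auth(events, max_failures=3):
    """Authentication artifacts: a privileged account that succeeds after repeated
    failures, or that logs on from a host outside the admin baseline."""
    failures = defaultdict(int)
    findings = []
    for user, host, outcome in events:
        if user not in PRIVILEGED:
            continue
        if outcome == "failure":
            failures[(user, host)] += 1
        elif failures[(user, host)] >= max_failures:
            findings.append((user, host, "success after repeated failures"))
        elif host not in ADMIN_HOSTS:
            findings.append((user, host, "privileged logon from non-admin host"))
    return findings
```

Each finding is a lead to pivot on, not a verdict: the flagged host ws-07 appears in both result sets, which is exactly the kind of cross-artifact link the hunt paragraph above describes.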
How threat hunting empowers cmt-technologies solutions
One of our key brand promises is to deliver our customers the tactical threat intelligence needed for timely and resilient detection and response to threats against their organization.
cmt-technologies delivers breakthrough visibility across your business via our unrivaled vantage point of the threat landscape. We collect diverse threat data for analysis, interpretation, and enrichment from our global sensor network, cmt-technologies proprietary data sources, and cmt-technologies Open Threat Exchange (OTX). This tactical threat intelligence is integrated into our Unified Security Management (USM) platform and our Managed Threat Detection and Response service.