[Review] AlienVault USM Anywhere

There are so many threats in our modern age of connectivity, but is there an easy way to stay on top of them? Thanks to USM Anywhere™ from AlienVault®, the only company called “visionary” in the Gartner SIEM (Security Information and Event Management) Magic Quadrant in 2013, 2014, 2015 and 2016, your security protection will be more comprehensive and simpler.

Figure 1: USM Anywhere’s dashboard displays the type of threats your company faces in an easy-to-read interface.

USM Anywhere provides Unified Security Management™ (USM™) for your on-premises and cloud environments, and for cloud applications like Office 365, in one single, SaaS-delivered solution. It covers five essential security capabilities: asset discovery to identify the different operating systems and software running in your environments; vulnerability assessment to scan for known vulnerabilities where a patch may be available; intrusion detection to identify risks and threats at the host, network and file level; behavioral monitoring of what users and administrators are doing online; and SIEM log management for the aggregation and investigation of your security event data from all your devices and assets.

The first typical use case for USM Anywhere is threat detection, identification of external and internal attacks against your organization, such as malware infections, phishing attacks, brute-force authentication attacks, and privilege escalations, as well as identification of existing vulnerabilities that need patching. The second use case is incident response, as the platform provides detailed information about what triggered an alarm, where the attack is coming from, and what is being attacked, as well as recommended guidance on how to remediate. The third use case is compliance management of regulations and policies such as PCI DSS, HIPAA, and GDPR to provide assurance that your implemented controls are working as expected.

USM Anywhere uses a graph analysis and rules-based correlation engine that continuously analyzes your environments for threats, and automatically detects and links behavior patterns from disparate, but related events, to identify and alert you about anomalies and threats. This is particularly useful for companies with small, under-resourced IT teams who might not have the time or expertise to identify and mitigate attacks. Attacks can originate from malicious actors external to your organization using malware, brute force authentication attacks, phishing attempts and infected sites, as well as from trusted insiders who may be escalating privileges, sharing content outside of the organization, downloading sensitive data to a thumb drive, or installing unapproved software on your company’s assets.


Figure 2: You can set up and see your data in USM Anywhere in less than an hour.

The initial implementation of USM Anywhere typically takes under an hour, which is particularly beneficial for resource- and time-strapped companies. Since USM Anywhere is a SaaS-delivered product, you don’t have to worry about deploying expensive hardware and infrastructure in your data center; all you need to do is deploy your first USM Anywhere sensor in an environment that you want to monitor. The sensor then takes care of all the monitoring needs, including connection to and analysis of assets in that environment, using native APIs and built-in security monitoring tools to inspect network traffic and collect event data over syslog or through native data collection in cloud-based infrastructures, and then securely relays events to USM Anywhere, which is hosted in the AlienVault secure cloud. Within minutes of deploying the sensor, you can review the security state of your environment and investigate identified threats and anomalies.
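The rules-based correlation described above (linking disparate but related events, such as a run of failed logins followed by a success, into one alarm) and the syslog collection the sensor performs can be illustrated with a small rule of this shape. This is an added example written for this review, not AlienVault code; the syslog lines, host names and IP addresses are constructed, and the thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd syslog lines (not real captured data); hosts and IPs are hypothetical.
SAMPLE_LOG = """\
Jun  1 10:00:01 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Jun  1 10:00:03 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51001 ssh2
Jun  1 10:00:05 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51002 ssh2
Jun  1 10:00:08 web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51003 ssh2
Jun  1 10:00:12 web01 sshd[2203]: Accepted password for admin from 203.0.113.7 port 51004 ssh2
Jun  1 10:05:00 db01 sshd[880]: Failed password for root from 198.51.100.9 port 40000 ssh2
Jun  1 10:05:02 db01 sshd[880]: Accepted password for root from 198.51.100.9 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)"
)

def parse_events(text, year=2017):
    """Normalize raw syslog lines into event records; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "src": m["src"]})
    return events

def correlate(events, min_failures=3, window_s=60):
    """Rule: at least min_failures failed logins from one source, then a success for
    the same user and host within window_s seconds, becomes a single alarm."""
    failures = defaultdict(list)  # (host, user, src) -> timestamps of failures
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["user"], ev["src"])
        if ev["outcome"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if (ev["ts"] - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            alarms.append({"what": "Brute force followed by successful login",
                           "who": ev["user"], "where": ev["host"], "source": ev["src"],
                           "when": ev["ts"].isoformat(), "failed_attempts": len(recent)})
        failures[key].clear()  # a success closes the window for this key
    return alarms
```

The single db01 failure does not reach the threshold, so only the web01 sequence produces an alarm carrying the who, what, where and when fields an analyst would expect.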

USM Anywhere is a single-tenant service, ensuring that every customer’s account and data is isolated from those of other customers. Rigorous personnel screening and tight internal security controls give customers further assurance that their data is secure within the AlienVault secure cloud. Should you run into any problems, there are numerous support options including documentation, a community forum and a customer support team. The process is simple enough for you to set up yourself, but if you want extra help, AlienVault has training and certified implementation partners who can deploy, configure, or customize your solution.

You can install USM Anywhere sensors to monitor Amazon Web Services (AWS) or Microsoft Azure cloud environments, as well as cloud services like Microsoft Office 365 and Google’s G Suite. For your office or retail store premises, virtual sensors are available for Microsoft Hyper-V and VMware that can monitor your physical and virtual IT infrastructure. Physical and guest operating systems, including Windows and Linux, can also be monitored using an integrated agent like osquery or by forwarding events to the USM Anywhere sensor. The license for USM Anywhere is based on the volume of raw data consumed and includes one sensor by default. Additional USM Anywhere sensors can be purchased for $150 monthly.

The user-friendly, graphical dashboard provides a single, unified view of security across all of your critical infrastructure and allows users to compare alarms, events and data from different time periods. All data is analyzed to identify potential threats that require investigation. These threats are delivered in the form of an alarm, which is available for instant investigation in the USM Anywhere dashboard, or through your mobile device, without having to be physically present at your servers. The alarms describe the who, what, why, when, and how of the attack with the option to analyze data in greater detail, such as the exact log entries referenced and the payload of the network packet.

The alarms also contain incident response guidance with recommended steps on how to respond to the attack using a manual or automated response, allowing you to orchestrate an action to effect change in the environment. For example, USM Anywhere’s AlienApp for Cisco Umbrella includes the ability to send IP addresses of malicious servers or domains to Cisco Umbrella, which will then block both employee and system access to those IP addresses. As another example, the Forensics and Response AlienApp allows you to easily collect data from a server to help further investigate a security issue, or you can use the AlienApp for Carbon Black to quarantine an infected system from the rest of the network.

All data sent to USM Anywhere is stored in AlienVault’s secure cloud for security analysis and goes into the graph-based ‘hot’ data storage tier, which includes ElasticSearch. Data is stored in the hot storage tier for 90 days, and then archived in a cold storage tier for one year. Companies that need to store their data for multiple years to meet security requirements or regulatory compliance can optionally purchase additional retention.


Figure 3: Drill down to search for and view the time and types of specific security attacks.

No security monitoring solution is going to provide absolute safety for your IT infrastructure; however, USM Anywhere comes close by staying in step with threats through its continuously updated threat intelligence. The AlienVault Labs Security Research Team is a dedicated team of security researchers who analyze threat data to deliver updated threat intelligence to AlienVault customers. Supplementing the team’s research is data from the AlienVault Open Threat Exchange® (OTX™), an open source community of over 65,000 participants from more than 140 countries that contribute over 14 million threat indicators daily. A good example of the effectiveness of the AlienVault threat intelligence is the Labs team’s analysis of the Google Docs phishing scam on May 3, 2017. What looked like a shared document coming from a personal contact actually came from a malicious actor, but the AlienVault team delivered an updated rule for all users to detect it and alert them before most even knew they were under attack. More recently, when the WannaCry and Petya-variant ransomware epidemics infected systems around the world, AlienVault threat intelligence delivered vulnerability detection signatures a month prior to the first attack, and when the attack actually took place it delivered updated correlation signatures to its customers within hours to help them identify potentially compromised systems quickly and effectively.

As described earlier, USM Anywhere also stays on top of the bad guys with AlienApps™. In the past, your company may have bought multiple security solutions to address the known set of security threats, and as the threat landscape evolved additional solutions were procured, resulting in a soup of technologies that required additional and significant investment to keep up to date and to get working together. AlienApps provide an agile framework that easily wraps new security capabilities around your company’s existing tools and displays the data from their APIs in USM Anywhere’s dashboard, as well as (where applicable) providing users with the ability to initiate responses through those solutions directly from within the USM Anywhere console. There are currently AlienApps available for Google G Suite, Microsoft Office 365, Okta, ServiceNow, Carbon Black, McAfee ePO, Palo Alto Networks next generation firewalls, Cisco Umbrella, and for Dark Web Monitoring, with more being developed and introduced every month.

Other competitors can deliver each essential security capability as individual point solutions, but only AlienVault’s USM Anywhere will provide your company with the most comprehensive security monitoring within a single SaaS solution, which saves you time, money and resources. As your hybrid cloud environment changes and grows, USM Anywhere’s Open Threat Exchange and AlienApps continuously check for threats and solutions and scale to match your threat detection needs, ensuring that your company stays protected even as things constantly change. Pricing is based on your data usage and starts at $1,575 per month for 250GB. For more information, contact AlienVault, explore an interactive demo, or read user reviews on TrustRadius.

Additional Resources:

AlienVault Blog

451 Research Report – AlienVault USM Anywhere

Beginner’s Guide to Hybrid Cloud Security

SC Magazine Review of AlienVault USM Appliance

Kelsey Leljedal

Kelsey Leljedal is a web strategist from Philadelphia. She has enjoyed learning about changes in technology since her first web job in 2012. When she isn’t doing research she takes classes, creates art, reads, travels, and takes in the food and culture in the City of Brotherly Love. Contact Kelsey at [email protected]