The company I’m working for is ramping up capability to support AlienVault USM Anywhere. Here are a few notes from what I’ve learned about the product.
Alienvault’s USM Anywhere is delivered as a VM image that can be deployed under VMware, or in a cloud environment such as Amazon AWS or Microsoft Azure. This VM is referred to as the “sensor”.
In brief, it’s a Security Information and Event Manager (SIEM). Yes, I know the market is awash with SIEM products (Splunk, QRadar, etc.) but Alienvault’s offering is well worth looking at. It’s also cheaper.
It works by receiving log data via syslog, which it processes before forwarding the results to the global Alienvault management platform. It goes further than plain log collection in that the software can connect to other VMs or cloud instances and execute functions on the host itself to do things such as:
- asset discovery
- identifying software packages installed
- listing patch levels
- gathering general system information such as user accounts
- host intrusion detection
- looking for vulnerabilities, including configuration errors
- behavioral monitoring
- event correlation and response
- executing custom written commands and scripts
This all works pretty well – there are extensive dashboards that can be customised to suit the operator’s needs, and the log searching functions are excellent.
The sensor image that you deploy will collect your data and forward it to Alienvault’s global analysis centre. From a browser you can then log into the dashboard to alter the configuration, view the results, analyse the data, or request that the sensors do further analysis.
One limitation, though, is that the sensor supports only a few operating system types when connecting into hosts. At the time of writing, only RHEL and Debian based Linuxes and Windows were supported.
All in all it’s a pretty good product. I liked the ability to launch custom analysis and scripts against servers when particular events were detected. In one example, USM Anywhere was able to detect a failed ssh login on a Linux server, and automatically responded by querying the source host (a Windows server) to see who was logged in and what they were doing. That’s pretty cool, because it’s exactly what a security operations person would need to do.
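As an added illustration (my own sketch, not AlienVault’s code), here is the detect, correlate and respond chain from that example in Python: parse sshd failures out of constructed syslog lines, group them by source address, and describe the follow-up query the sensor would run against the source host. The threshold and the `query_logged_in_users` job name are assumptions; USM Anywhere’s real job names are not shown in this post.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not real data), in the format sshd
# writes to auth.log on a Debian-style host.
SAMPLE_LOG = """\
Mar  3 10:14:02 web01 sshd[2143]: Failed password for invalid user admin from 10.0.0.25 port 51234 ssh2
Mar  3 10:14:05 web01 sshd[2143]: Failed password for root from 10.0.0.25 port 51236 ssh2
Mar  3 10:14:09 web01 sshd[2150]: Accepted publickey for deploy from 10.0.0.40 port 51300 ssh2
Mar  3 10:14:11 web01 sshd[2151]: Failed password for root from 10.0.0.25 port 51240 ssh2
Mar  3 10:15:30 db01 sshd[911]: Failed password for postgres from 10.0.0.77 port 40001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_failed_logins(text):
    """Return one dict per sshd 'Failed password' line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def correlate(events, threshold=3):
    """Group failures by source address and keep sources at or above the threshold.

    This is the correlation step: several failures from one source against a
    monitored host are collapsed into a single alarm keyed on that source."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    return {src: evs for src, evs in by_src.items() if len(evs) >= threshold}

def build_response(alarms):
    """Describe the follow-up job to run on each alarmed source host.

    The job name is a hypothetical placeholder for the sensor's
    'who is logged in on the source host' query from the post."""
    actions = []
    for src, evs in alarms.items():
        actions.append({
            "source_host": src,
            "targets": sorted({e["host"] for e in evs}),
            "users_tried": sorted({e["user"] for e in evs}),
            "action": "query_logged_in_users",  # hypothetical job name
        })
    return actions
```

The accepted publickey line and the single failure from 10.0.0.77 are deliberately included so the parser and the threshold each have something to discard.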
I hope to write more about USM Anywhere as I get more into it. Watch this space.