AlienVault Intrusion Detection
Intrusion Detection Plus Everything You Need to Detect and Respond to Threats
Network Intrusion Detection System (IDS):
Accelerate Threat Detection with Intrusion Detection Systems
AlienVault Unified Security Management (USM) delivers built-in intrusion detection systems tools as part of an all-in-one unified security management console. It includes built-in host intrusion detection (HIDS), network intrusion detection (NIDS), as well as cloud intrusion detection for public cloud environments including AWS and Microsoft Azure, enabling you to detect threats as they emerge in your critical cloud and on-premises infrastructure.
To ensure that you are always equipped to detect the latest emerging threats, AlienVault Labs Security Research Team delivers continuous threat intelligence updates directly to the USM platform. This threat data is backed by the AlienVault Open Threat Exchange (OTX)—the world’s first open threat intelligence community.
- Leverage intrusion detection for any environment with built-in cloud IDS, network IDS, and host-based IDS (including File Integrity Monitoring (FIM))
- Use the Kill Chain Taxonomy to quickly assess threat intent and strategy
- Make informed decisions with contextual data about attacks, including a description of the threat, its method and strategy, and recommendations on response
- Use automatic notifications so you can be informed of key threats as they happen
- Work more efficiently with powerful analytics that uncover threat and vulnerability details - all in one console
Multiple Types of Intrusion Detection Systems for Any Environment
AlienVault USM enables early intrusion detection and response with built-in cloud intrusion detection, network intrusion detection (NIDS), and host intrusion detection (HIDS) systems. These tools monitor your traffic and hosts, along with user and administrator activities, looking for anomalous behaviors and known attack patterns. The built-in SIEM capability in the USM platform automatically correlates IDS data with other security information to give you complete visibility of your security posture.
Intrusion Detection in the Cloud
While traditional IDS and intrusion prevention (IPS) software is not optimized for public cloud environments, intrusion detection remains an essential part of your cloud security monitoring. That’s why AlienVault USM Anywhere provides native cloud intrusion detection system capabilities in AWS and Azure cloud environments. In USM Anywhere, cloud sensors purpose-built for AWS and Azure cloud environments leverage the management APIs of AWS and Azure, giving you full visibility into every operation that happens in your cloud accounts.
Network Intrusion Detection System (NIDS)
The network intrusion detection system (NIDS) capability of the USM platform detects known threats and attack patterns targeting your vulnerable assets. Complementary with anomaly detection tools, it scans your on-premises network traffic, looking for the signatures of the latest attacks, malware infections, system compromise techniques, policy violations, and other exposures, and it raises alarms in your AlienVault USM dashboard to alert you when threats are identified.
Host-based Intrusion Detection System (HIDS) and File Integrity Monitoring (FIM)
The host-based intrusion detection system (HIDS) capability of AlienVault USM employs an agent on each host to analyze the behavior and configuration status of the system, alerting on suspected intrusions. HIDS captures and monitors key events across the operating system and installed applications. Its File Integrity Monitoring (FIM) capabilities track access to and activity on files, including any changes in critical system files, configuration files, system and applications binaries, registry settings, and content files.
Quickly View Threats in the Dashboard
AlienVault USM uses the Kill Chain Taxonomy to highlight the most important threats facing your environment and the anomalies you should investigate. You can easily see the types of network security threats directed against your critical infrastructure and when known bad actors have triggered an alarm.
Quickly View Threats in the Dashboard
AlienVault USM uses the Kill Chain Taxonomy to highlight the most important threats facing your environment and the anomalies you should investigate. You can easily see the types of network security threats directed against your critical infrastructure and when known bad actors have triggered an alarm.
Complete Threat Evidence
See attack methods, related events, source and destination IP addresses, as well as remediation recommendations in a unified view, so you can investigate and respond to threats faster.
Reduced Noise
Correlating IDS/IPS data with multiple built-in security tools reduces false positives and increases accuracy of alarms.
Automatic Notifications
Set up notifications through popular channels, including email and SMS, to proactively inform you of critical alarms that may indicate a system compromise or attack.
Attack Intent & Strategy
The Kill Chain Taxonomy breaks out threats into five categories, allowing you to understand the intent of the attacks and how they’re interacting with your cloud environment, on-premises network, and assets:
- System Compromise – Behavior indicating a compromised system.
- Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system.
- Delivery & Attack – Behavior indicating an attempted delivery of an exploit.
- Reconnaissance & Probing – Behavior indicating an actor attempt to discover information about your network.
- Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications.
Powerful Analytics Uncover Threat and Vulnerability Details – All in One Console
Get to the bottom of who and what’s targeting your assets and what systems are vulnerable.
Search and Analyze Events
You have the flexibility to conduct your own analysis. For example, you may want to search for events that came from the same host as the offending traffic triggering an alarm.
- Search events to identify activity and trends
- Filters help you find more granular data, such as by event name, IP address, and more
- Examine raw log data related to alarm activity
- Raw logs are securely transmitted and stored for forensics and compliance needs
Check Assets and Vulnerabilities
Search the built-in asset inventory for assets involved with an alarm. Integrated vulnerability assessment scans indicate whether an attack is relevant by identifying vulnerable operating systems, applications and services and more – all consolidated into a single view.
- See all reported alarms and events by asset
- Modify your mitigation / remediation strategy based on presence of threats targeting vulnerable systems
- AlienVault USM correlates reported vulnerabilities with malicious traffic to determine the probability of a breach
Examine Event Details
See the alarm, the individual event(s) that triggered the alarm, and the priority of the alarm.
You can click on any event to examine details such as:
- A summary and description of the event
- Indication of the severity of the event, and its source
- Normalized and enriched event details
- Source and destination IP addresses
- The raw log or event data
Host-based Intrusion Detection System (IDS):
Protect your critical systems in on-premises, cloud, and hybrid environments with the built-in host-based intrusion detection system (HIDS) of AlienVault USM.
Monitor and Protect Your Critical Systems with Host-based IDS
A host-based intrusion detection system (HIDS) gives you deep visibility of what’s happening on your critical systems. With it, you can detect and respond to malicious or anomalous activities that are discovered in your environment.
On its own, host intrusion detection does not give you a complete picture of your security posture. You must be able to correlate your HIDS log data with other critical security data and with the latest real-world threat intelligence.
AlienVault Unified Security Management (USM) eases security analysis and correlation by combining host-based IDS along with network- and cloud-based IDS, and other essential security capabilities in a single, unified security environment. With it, you can easily manage your cloud and on-premises security posture from a single pane of glass. In addition, continuous threat intelligence updates from the AlienVault Labs Security Research Team are delivered to AlienVault USM, backed by the AlienVault Open Threat Exchange (OTX)—the world’s first open threat intelligence community.
Detect Changes & Threats to Your Critical Systems
- Detect Unauthorized Access Attempts
- Identify Anomalous Activities
- Know When and Who Accessed & Changed Critical Files with File Integrity Monitoring (FIM)
- Protect the Integrity of your Assets and Data
Deploy Host IDS as part of a Unified Security Management Platform that includes:
- Asset Discovery & Inventory
- Vulnerability Assessment
- Network & Cloud IDS
- Behavioral Monitoring
- Incident Response
- SIEM Event Correlation and Log Management
Stay Vigilant with the Latest Threat Intelligence from AlienVault Labs and OTX
- AlienVault Labs Researches Threats for You
- Continuous Threat Intelligence Continuously Automatically
- Community-powered Threat Data from the AlienVault Open Threat Exchange (OTX)
Detect Threats to Your Critical Systems
AlienVault USM’s built-in host-based intrusion detection system (HIDS) monitors your critical systems and alerts you to any unauthorized or anomalous activities that occur.
A lightweight agent runs on each monitored host, tracking any changes made to critical system files, configuration files, log files, registry settings, and even important content files. The HIDS agent collects this information and sends it to the USM platform for evaluation and correlation with other environmental data and threat intelligence.
With the USM platform’s host-based IDS, you gain granular visibility into the systems and services you’re running so you can easily detect:
- System compromises
- Privileged escalations
- Installation of unwanted applications
- Modification of critical application binaries, data, and configuration files (e.g. registry settings, /etc/passwd)
- Rogue processes
- Critical services that have been stopped, or that failed to start
- User access to systems
Detect Unauthorized & Anomalous Activities
When malicious or anomalous activities occur on a system—such as brute force authentication-based attacks, rapid file changes, or a user logging into an unauthorized asset—HIDS detects the activities and sends them to the USM platform for analysis. When an alarm is generated in the USM platform, it captures all you need to know about the incident, including asset information (OS, software, and identity), vulnerability data, network communication, raw log data, and more.
Identify Changes and Access to Critical Files with File Integrity Monitoring (FIM)
File integrity monitoring allows you to track access and changes made to sensitive files on your critical systems, and is specified for compliance with regulations and standards like PCI DSS. This provides a necessary audit trail and allows you to validate that the changes were authorized, expected, and did not jeopardize the integrity and security of your system and application binaries, and configuration and data files.
View Failed Attempts to Gain System Access
Know which of your assets attackers are trying to infiltrate before they get in. The USM platform’s HIDS capability generates events on failed authentication attempts for Windows, MySQL, remote access, SSH service, and more.
Deploy Host IDS as part of a Unified Security Management Platform
In AlienVault USM, the host intrusion detection system is natively integrated out of the box with other essential security capabilities. This significantly reduces the cost and complexity of integrating multiple disparate security tools and data sources. Instead, the USM platform delivers complete visibility of your security posture on Day One and continues to update your environment with the latest security intelligence as new threats emerge or evolve in the wild.
AlienVault USM combines the following essential security capabilities in a unified security management platform.
Asset Discovery & Inventory
The USM platform automatically scans and discovers all the IP-enabled devices in your environment, how they’re configured, what services are listening on them, and any potential vulnerabilities and active threats being executed against them.
Vulnerability Assessment
With vulnerability management in AlienVault USM, you can find the weak spots in your environment that expose you to threats and remediate them before intrusions occur. And, when intrusions do occur, you have a unified view of important asset and vulnerability data so you can respond faster. AlienVault USM performs authenticated and unauthenticated vulnerability scanning as well as continuous passive monitoring with the most up-to-date vulnerability signatures from the AlienVault Labs Security Research Team.
Network and Cloud Intrusion Detection System (IDS)
The IDS capabilities of the USM platform detect known threats and attack patterns targeting your vulnerable assets. It scans your network traffic and activities within cloud environments (including AWS and Microsoft Azure), looking for the signatures of the latest attacks, malware infections, system compromise techniques, policy violations, and other exposures, and it raises alarms in AlienVault USM to alert you as soon as threats are identified.
Behavioral Monitoring
The behavioral monitoring capabilities of the USM platform help identify anomalous user and administrator activities that fall outside of your baseline or “normal” operations. AlienVault USM works to identify suspicious events, such as changes to technical policies, the creation and deletion of significant volumes of user accounts, and more.
Incident Response
The USM platform delivers detailed information on detected threats, along with recommended guidance on how to contain and mitigate the threat. Built-in AlienApps deliver the ability to orchestrate responses, whether manually or automatically, working with third-party solutions like Palo Alto Network Firewalls, Cisco Umbrella, Carbon Black, and more to implement responses such as isolating infected systems, and blocking access to known malicious IP addresses and domains.
SIEM & Log Management
The USM platform incorporates powerful SIEM and centralized logging capabilities, so you can readily identify and investigate security incidents from a single console. Security events from across monitored environments and the host-, network-, and cloud-IDS capabilities of the USM platform are aggregated and correlated, and when incidents are identified you have immediate 360° visibility of the actors, targeted assets and their vulnerabilities, methods of attack, and more.
File Integrity Monitoring:
Accelerate Compliance with File Integrity Monitoring
Changes on critical servers often signal a breach. That's why it's essential to use file integrity monitoring (FIM) for your critical systems so you're alerted as soon as file changes occur in critical system files, configuration files, and sensitive data files, as well as log and audit files which could be modified to hide an attacker's tracks. In fact, if those servers are in scope of your cardholder data environment (CDE), PCI DSS requirements 10.5.5 and 11.5 state you must install FIM software to pass your audit.
AlienVault Unified Security Management (USM) helps you meet these PCI DSS requirements with file integrity monitoring that's built into its unified platform for threat detection, response, and compliance management. AlienVault USM simplifies security and compliance with centralized visibility of your on-premises and cloud environments, including AWS and Azure, as well as cloud applications such as Office 365 and G Suite, helping to eliminate potentially dangerous blind spots. Our unified platform combines multiple security capabilities within a single pane of glass, including SIEM, log management, intrusion detection, vulnerability assessment, incident response automation, and more, ensuring you have the essential tools at your fingertips to not only demonstrate and maintain compliance, but very importantly, gain crucial full-environment threat detection and response capabilities.
Implement FIM on Your Critical Assets
- Monitor file access to sensitive data in your CDE and know when changes are made to critical files
- Investigate FIM-triggered alarms to identify who accessed, downloaded, and modified critical files
- Easily report out on FIM activities using the built-in PCI DSS reports and create your own custom views and reports for review
Streamline Server Auditing with Combined Host Intrusion Detection and FIM
- Deploy file integrity monitoring, registry monitoring, & host-based IDS together in one solution
- Monitor privileged user activity per PCI DSS requirements
Get Compliance-Ready Faster with Unified Security Essentials
- Meet your compliance objectives faster and on-budget with AlienVault USM
AlienVault Is Trusted & Verified
AlienVault makes compliance a top priority for your organization and for ours. We have adopted the NIST Cybersecurity Framework (CSF), aligning our security controls and processes with industry-proven security best practices. We use our own USM platform to demonstrate and maintain compliance, working with third-party auditors to regularly test our systems, controls, and processes.
Implement File Integrity Monitoring on Your Critical Assets
Generally speaking, you should be selective about where and how you enable your FIM solution, since many system and application files will change often in a dynamic environment. You should focus on monitoring the integrity of critical files on in-scope assets to detect unauthorized modifications which could indicate compromised devices or applications. In other words, install FIM wherever you need to monitor changes made to in-scope servers.
The built-in FIM capabilities in AlienVault USM enable you to easily monitor the systems that contain sensitive data within your CDE, whether in the cloud or on-premises, alerting you to changes made to critical files. But it doesn’t stop there, AlienVault USM correlates file integrity monitoring data with other data across the environment, for full visibility and context. Any access or modification to a monitored file is tracked, and the correlation capabilities within the USM platform will generate an alarm to notify you of any anomalous activity against the file. And, though not all accesses and changes require a response, it’s important to monitor all activity to first determine a baseline and then detect any abnormalities like policy violations or potential system compromise. The end result is actionable intelligence that enables you to prioritize accordingly.
Last but not least, AlienVault USM features customizable, pre-defined templates for PCI DSS and other compliance regulations that make it fast and simple to review FIM activity across your environment and quickly generate audit reports on the spot.
The PCI DSS standard is explicit on this. If you need to demonstrate PCI DSS compliance, then you must install FIM on your critical assets to track changes to:
- Critical system files, including system and application executables
- Configuration files & content files, including cardholder data and other sensitive information
- Centrally stored, historical, or archived log and audit files
- Digital keys and credentials used for secure authentication and authorization of entities and users
With AlienVault USM, you get comprehensive visibility and a necessary audit trail, enabling you to easily track changes to critical files, regardless of the asset’s location, enabling you to validate any that changes made were authorized, expected, and did not jeopardize the integrity or security of the data in those files, or negatively impact the security operations of your business-critical systems.
Streamline Server Auditing with Combined Host Intrusion Detection and FIM
Deploy FIM, Windows Registry Monitoring, & HIDS Together
You can simplify the implementation of FIM and a host-based intrusion detection system (HIDS) with the unified AlienVault USM platform, rather than installing multiple single-purpose tools in your environment. With AlienVault USM, you can perform file integrity monitoring, Windows registry monitoring, and host-based intrusion detection (HIDS), giving you the most robust intrusion detection and change management controls in a single, lightweight solution.
Monitor Privileged User & Administrator Activity
Monitoring privileged user activity on your critical systems and accounts is an essential security best practice. In fact, many regulatory standards, including PCI DSS, explicitly require it. AlienVault USM’s implementation of host-based IDS enables you to monitor user activity on your critical systems. These events are forensically captured, processed, and correlated with other data to provide the necessary context you need for effective incident response.
Get Compliance-Ready Faster with Unified Security Essentials
While file integrity monitoring is a critical component of PCI DSS compliance, as well as other regulatory standards, FIM tools alone aren’t enough to pass your next audit. You need a broad range of security technologies and capabilities to demonstrate compliance for the other PCI DSS Requirements. And while it may seem tempting to use a standalone file integrity monitoring tool—be it open-source or commercial—to pass your next audit, it's not a viable shortcut to compliance.
For most IT security teams, it is a significant challenge to source, purchase, and integrate all the multiple point security solutions needed to be compliance-ready. Not only does this consume significant time, resources, and budget, but most organizations need to be audit-ready yesterday.
AlienVault USM addresses the urgency, high costs, and complex technical challenges that surround PCI compliance. By bringing together multiple essential security capabilities needed to meet compliance on one unified platform–including asset discovery, vulnerability assessment, threat detection (including malware and ransomware), incident response, and compliance log management and reporting–USM delivers a fast, affordable, and easy-to-use compliance management solution.
Whether your cardholder environments touch your on-premises infrastructure, AWS or Azure cloud, or exist across a hybrid environment, the USM platform delivers a comprehensive set of security technologies and integrated threat intelligence that can be fully deployed in days, not weeks or months. With it, you can get ready for your fast-approaching audit and maintain continuous security and compliance management all year long.
Discover How AlienVault USM Supports PCI DSS Requirements
| PCI Requirement | PCI Sections AlienVault USM Addresses | How AlienVault USM Helps |
|---|---|---|
| 1. Install and maintain a firewall configuration to protect cardholder data. | 1.1, 1.2, 1.3 |
|
| 2. Do not use vendor-supplied defaults for system password and other security parameters. | 2.1, 2.2, 2.3, 2.4, 2.6 |
|
| 3. Protect stored cardholder data | 3.6, 3.7 |
|
| 4. Encrypt transmission of cardholder data across open, public networks | 4.1, 4.3 |
|
| 5. Protect all systems against malware and regularly update antivirus software or programs | 5.1, 5.2, 5.3, 5.4 |
|
| 6. Develop and maintain secure systems and applications | 6.1, 6.2 |
|
| 7. Restrict access to cardholder data by business need to know | 7.1, 7.3 |
|
| 8. Identify and authenticate access to system components | 8.1, 8.2, 8.5 |
|
| 9. Restrict pysical access to cardholder data | N/A |
|
| 10. Track and monitor all access to network resources and cardholder data | 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8 |
|
| 11. Regularly test security systems and processes | 11.1, 11.2, 11.4, 11.5, 11.6 |
|
12. Maintain a policy that addresses information security for all personnel |
12.1, 12.5, 12.8 |
|