
AlienVault SIEM / Event Correlation
SIEM and Log Management Plus Everything You Need to Detect and Respond to Threats
SIEM and Log Management:
Go Beyond SIEM with Unified Security Management
Single-purpose SIEM software and log management tools provide valuable security information, but often require expensive and time-consuming integration efforts to bring in log files from disparate sources such as asset inventory, vulnerability assessment, endpoint agents, and IDS products. Once you have the data, you then must research and write correlation rules to identify threats in your environment. These challenges multiply as you migrate workloads and services from on-premises infrastructure to public cloud environments.
For today’s resource-strapped IT teams, the time and expense required to deploy a SIEM seriously delays their time to threat detection, and thus, return on investment.
Unlike other SIEM software, AlienVault Unified Security Management (USM) combines powerful SIEM and log management capabilities with other essential security tools—including asset discovery, vulnerability assessment, and intrusion detection (NIDS and HIDS)—to give you centralized security monitoring of networks and endpoints across your cloud and on-premises environments, all from a single pane of glass.
With AlienVault USM, you can start detecting threats in your environment from Day One. That’s because the USM platform includes an extensive and continuously evolving library of correlation rules researched and written by the AlienVault Labs Security Research Team. This team of security experts tracks emerging threats in the wild and analyzes the crowd-sourced threat data of the Open Threat Exchange (OTX) to continuously update AlienVault USM with the latest security intelligence, so you have an always-up-to-date security monitoring platform.
AlienVault USM also enables you to centralize the storage of all your log data in the AlienVault Secure Cloud, a certified compliant environment. This alleviates the burden of having to manage and secure logs on-premises, while providing a compliance-ready log management environment.
See the Advantages of All-in-One Security Essentials Versus Traditional SIEM
- Save Time and Money in Integrating Multiple Third-Party Security Tools
- Start Detecting Threats on Day One with Pre-Written Correlation Rules
- Get Continuous Security Intelligence Delivered from AlienVault Labs
Discover a Smarter Way to Prioritize Your Incident Response
- Use the Kill Chain Taxonomy to Quickly Assess Threat Severity, Intent, and Strategy
- Remediation Recommendations and Noise Reduction Help You Work More Efficiently
Investigate Threats Deeper with Advanced Security Analytics
- Search and Analyze Security Data in Highly Granular Ways
- Dive Deep into Alarms with Unified Asset, Vulnerability, and Event Data
Stay Vigilant with Threat Intelligence Updates from AlienVault Labs
- Receive Continually Updated Correlation Rules and Threat Context from AlienVault Labs Security Research Team
- Leverage Community-Sourced Actionable Threat Intelligence from OTX
See the Advantages of All-in-One Security Essentials Versus Traditional SIEM
Traditional SIEM software solutions promise to provide what you need, but the path to get there is one that most of us can’t afford. Traditional SIEM solutions collect and analyze the data produced by other security tools and log sources, which can be expensive and complex to deploy and integrate. Plus, they require constant fine-tuning and rule writing.
AlienVault USM provides a different path. In addition to all the functionality of a world-class SIEM, AlienVault USM unifies the essential security capabilities needed for complete and effective threat detection, incident response, and compliance management—all in a single platform with no additional feature charges. Our focus on ease of use and rapid time to benefit makes the USM platform the perfect fit for organizations of all shapes and sizes.
Discover a Smarter Way to Prioritize Your Incident Response
The promise of SIEM software is particularly powerful—collecting data from disparate technologies, normalizing it, centralizing alerts, and correlating events to tell you exactly which threats to focus on first. Unfortunately, achieving and maintaining the promise of SIEM is time-consuming, costly, and complex.
AlienVault USM centralizes all the security capabilities you need and simplifies your response efforts by providing an intuitive, graphical alarm dashboard that utilizes the Kill Chain Taxonomy to focus your attention on the most severe threats.
For each alarm in AlienVault USM, you have a complete view of threat evidence: attack methods, related events, source and destination IP addresses, as well as incident response remediation recommendations in a unified view, so you can investigate and respond to threats faster. The USM platform works to reduce noisy alarms and false positives, making your work more efficient.
The Kill Chain Taxonomy in USM
AlienVault USM breaks out attacks into five threat categories to help you easily identify attack intent and threat severity, based on how threats interact with your environment.
- System Compromise – Behavior indicating a compromised system
- Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system
- Delivery & Attack – Behavior indicating an attempted delivery of an exploit
- Reconnaissance & Probing – Behavior indicating a bad actor attempting to discover information about your network
- Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications
Investigate Threats Deeper with Advanced Security Analytics
When an incident happens, you need immediate 360° visibility of the actors, targeted assets, exploitable vulnerabilities on those assets, methods of attack, and more. AlienVault USM delivers all this data in a unified console with rich security analytics, so you can instantly get the context you need to make fast, effective decisions.
Search and Analyze Events
In AlienVault USM, all relevant security data is available at your fingertips with intuitive search and filter capabilities, making incident investigation a fast and efficient process. In the USM platform, you can easily:
- Search events to identify activity and trends
- Apply filters to find more granular data
- Sort by event name, IP address, and more
- Create, save, and export custom data views
- Generate custom reports from any view or leverage pre-built templates
- Examine raw log data related to alarm activity
- Access OTX pulses and “in the wild” security information
Unified Security Visibility of Assets, Events, and Vulnerabilities
For every alarm raised in AlienVault USM, you can drill down to see the related assets, vulnerabilities, events, and much more from a single consolidated view. All-in-one unified security management means that you can:
- See all alarms and events per asset
- Proactively query endpoints for additional information
- Know if your vulnerabilities affect high-priority or business-critical assets
- Correlate vulnerabilities with malicious activities
- Drill down in an alarm to see the individual events that triggered the alarm
- View forensics data about what triggered events
- Instantly launch pre-built forensics and response actions directly from an event or alarm
- Create an orchestration rule directly from an executed action to apply to similar alarms and events that occur in the future
SIEM Event Correlation:
With the power of SIEM event correlation delivered in AlienVault Unified Security Management (USM), you can easily detect and respond to emerging threats without the complexity of integrating multiple security tools and researching and writing SIEM correlation rules.
SIEM Event Correlation Made Simple
SIEM event correlation is an essential part of any SIEM solution. It aggregates and analyzes log data from across your network applications, systems, and devices, making it possible to discover security threats and malicious patterns of behaviors that otherwise go unnoticed and can lead to compromise or data loss.
However, in traditional SIEM platforms, correlation can get complicated quickly. First, you have to collect all of the relevant security data from your applications, systems, and devices. The most common data sources include your network IDS, vulnerability assessment tool, and your servers. Once you have the data, you then have to research the threats in your environment to understand their behavior and write correlation rules to identify them.
Writing correlation rules is time-consuming and requires a deep understanding of how attackers operate, and that understanding must be constantly refreshed. Just when you think you understand how they operate, attackers shift their tactics, and the rules you’ve created become obsolete and useless. In short, threats are a moving target that never stop changing. It’s no wonder that some of the largest organizations in the world continue to be breached, despite the millions of dollars they spend on security.
AlienVault USM dismantles the challenges of traditional SIEM correlation so that you can focus your attention on what really matters – keeping your organization secure and in compliance. AlienVault USM combines the essential security capabilities you need into a single platform, drastically reducing your deployment time and complexity as well as total cost of ownership. The solution leverages AlienVault Labs and the AlienVault Open Threat Exchange (OTX) to deliver event correlation rules and threat intelligence updates straight to your USM environment, so that you don’t have to understand every single threat targeting your environment and build correlation rules to detect them.
Save Time and Money with All-in-one Security Essentials
- Alleviate integration headaches with a complete unified security platform
- Easily collect data from third-party applications, systems, and devices to feed the SIEM event correlation
- Start detecting threats immediately with 3000+ correlation rules delivered out of the box
Continuous Threat Intelligence Delivered as Threats Change
- AlienVault Labs is an extension to your security research team
- Keep pace with attackers with correlation rules and security updates delivered directly from AlienVault Labs
- Leverage the Open Threat Exchange, the world’s largest open threat intelligence community
Focus on the Threats That Matter Right Now
- Prioritize your response efforts with automated risk assessment and alarm escalation
- Quickly assess your threat exposure with a cyber kill chain prioritization strategy
Save Time and Money with All-in-one Security Essentials
Effective threat investigation and response requires more than a standalone SIEM event correlation product. When an incident happens, you need immediate 360° visibility of the actors, targeted assets, exploitable vulnerabilities on those assets, methods of attack, and more. Log data alone doesn’t provide enough context to make fast, effective decisions.
However, it can be extremely expensive and complex to purchase all of the separate essential security tools you need to get this amount of contextual information and to integrate these products with a traditional SIEM to achieve a holistic view of your threats and vulnerabilities.
By contrast, AlienVault USM delivers five essential security capabilities: asset discovery, vulnerability assessment, intrusion detection (IDS), behavioral monitoring, and SIEM, all on a single, easy-to-use platform. This significantly reduces the costs and complexity of deploying and managing a security solution, while still providing you with all of the contextual information you need to respond to threats in one place. When threats happen, AlienVault USM provides every detail you need: what’s being attacked, who is the attacker, what is their objective, and how to respond.
In addition, AlienVault USM ships with over 3,000 pre-defined SIEM correlation rules, so you don’t have to spend hours creating your own. As the threats change, the threat intelligence is continuously updated to monitor for those changes. With AlienVault USM, you can launch faster and start detecting existing threats in your environment on day one.
Focus on the Threats That Matter Right Now
It’s not productive—let alone feasible—to investigate every incident and alarm raised in your SIEM. For example, an alarm that’s raised after five failed password attempts in a row could either be the early signs of a brute force attack or someone who accidentally left caps lock on while typing their password.
So, how do you decide which alarms to ignore and which ones to focus on right now?
With AlienVault USM, it’s simple. We prioritize events and sequences of events based on the cyber kill chain taxonomy so that you can quickly assess your threat exposure and take action on the activities in the later stages of the cyber kill chain – the highest-priority threats in your environment.
Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen, from initial probing to exploitation of your vulnerabilities to compromising your system and stealing resources.
In addition, AlienVault USM has built-in intelligence to assess the risk of events based on multiple parameters and to escalate alarms and alerts as that risk grows. By cutting through the noise of alarms to help you focus on the threats that matter, AlienVault USM makes it easier to keep your network environment protected.
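The following is an added illustration, not AlienVault code, of the two ideas this page describes: a correlation rule that turns a run of failed logins into an alarm (the "five failed password attempts" case above), and alarm prioritization by the five Kill Chain Taxonomy stages listed earlier, with escalation to a later stage as risk grows. The log format, the rule names, the five-failure threshold, the two-minute window and the sample log lines are all constructed for this example; the only thing taken from the page is the list of five stages and their ordering.

```python
"""Toy SIEM correlation with kill-chain prioritisation (added example).

Everything below except the five stage names is an assumption made for
illustration: the log format, thresholds, rule names and sample events.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# The five Kill Chain Taxonomy categories from the page, earliest stage first.
# A later stage means a higher-priority alarm.
KILL_CHAIN = [
    "Environmental Awareness",
    "Reconnaissance & Probing",
    "Delivery & Attack",
    "Exploitation & Installation",
    "System Compromise",
]
STAGE_RANK = {stage: rank for rank, stage in enumerate(KILL_CHAIN)}


@dataclass
class Event:
    ts: datetime
    src: str
    user: str
    outcome: str  # "FAIL" or "SUCCESS"


@dataclass
class Alarm:
    name: str
    stage: str
    src: str
    users: set = field(default_factory=set)       # accounts the source touched
    evidence: list = field(default_factory=list)  # events that triggered it

    @property
    def priority(self) -> int:
        return STAGE_RANK[self.stage]


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log format:
    '<ISO timestamp> sshd src=<ip> user=<name> outcome=<FAIL|SUCCESS>'."""
    ts_text, _service, rest = line.split(" ", 2)
    fields = dict(token.split("=", 1) for token in rest.split())
    return Event(datetime.fromisoformat(ts_text), fields["src"], fields["user"], fields["outcome"])


class Correlator:
    """One rule and one escalation, both hypothetical:
    rule: >= threshold failed logins from one source inside the window
          raises a 'Delivery & Attack' alarm;
    escalation: a later successful login from a source that already has
          such an alarm promotes it to 'System Compromise'."""

    def __init__(self, threshold: int = 5, window: timedelta = timedelta(minutes=2)):
        self.threshold = threshold
        self.window = window
        self.recent_fails = defaultdict(deque)  # src -> FAIL events inside the window
        self.alarms_by_src = {}                 # src -> open Alarm

    def feed(self, ev: Event) -> None:
        fails = self.recent_fails[ev.src]
        if ev.outcome == "FAIL":
            fails.append(ev)
            while fails and ev.ts - fails[0].ts > self.window:  # slide the window
                fails.popleft()
            if len(fails) >= self.threshold and ev.src not in self.alarms_by_src:
                self.alarms_by_src[ev.src] = Alarm(
                    "Brute force authentication", "Delivery & Attack", ev.src,
                    {f.user for f in fails}, list(fails))
        elif ev.outcome == "SUCCESS":
            alarm = self.alarms_by_src.get(ev.src)
            if alarm is not None and alarm.stage != "System Compromise":
                # Risk grew: the source that was guessing passwords got in.
                alarm.name = "Successful login after brute force"
                alarm.stage = "System Compromise"
                alarm.users.add(ev.user)
                alarm.evidence.append(ev)
            fails.clear()  # a success ends the current run of failures

    def prioritised(self) -> list:
        """Open alarms, latest kill-chain stage first."""
        return sorted(self.alarms_by_src.values(), key=lambda a: a.priority, reverse=True)


def correlate(lines) -> list:
    c = Correlator()
    for line in lines:
        if line.strip():
            c.feed(parse_line(line))
    return c.prioritised()


# Constructed sample log: a caps-lock user (two failures, then success),
# a password-guessing source that gets in, and one that does not.
SAMPLE_LOG = """\
2024-05-01T09:00:00 sshd src=10.0.0.7 user=alice outcome=FAIL
2024-05-01T09:00:05 sshd src=10.0.0.7 user=alice outcome=FAIL
2024-05-01T09:00:09 sshd src=10.0.0.7 user=alice outcome=SUCCESS
2024-05-01T09:01:00 sshd src=203.0.113.9 user=root outcome=FAIL
2024-05-01T09:01:08 sshd src=203.0.113.9 user=admin outcome=FAIL
2024-05-01T09:01:16 sshd src=203.0.113.9 user=test outcome=FAIL
2024-05-01T09:01:24 sshd src=203.0.113.9 user=oracle outcome=FAIL
2024-05-01T09:01:32 sshd src=203.0.113.9 user=backup outcome=FAIL
2024-05-01T09:01:40 sshd src=203.0.113.9 user=backup outcome=SUCCESS
2024-05-01T09:02:00 sshd src=198.51.100.4 user=bob outcome=FAIL
2024-05-01T09:02:10 sshd src=198.51.100.4 user=bob outcome=FAIL
2024-05-01T09:02:20 sshd src=198.51.100.4 user=bob outcome=FAIL
2024-05-01T09:02:30 sshd src=198.51.100.4 user=bob outcome=FAIL
2024-05-01T09:02:40 sshd src=198.51.100.4 user=bob outcome=FAIL
"""

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(f"[{a.stage}] {a.name} from {a.src}; accounts: {sorted(a.users)}")
```

Run as a script, the sample yields two alarms: the source that failed against five accounts and then logged in sits at System Compromise and sorts first, while the source that failed five times against one account and gave up stays at Delivery & Attack. The caps-lock user never reaches the threshold and produces no alarm at all, which is the noise-reduction point the page makes. Note that the escalation cannot tell a genuine compromise from a legitimate user who fails five times and then remembers the password; that ambiguity is exactly why the stage and the evidence list are kept on the alarm for an analyst to review rather than acted on automatically.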