AlienVault Threat Detection
One platform for threat detection, incident response, and compliance

Insider Threat Detection:

AlienVault Unified Security Management (USM) accelerates and simplifies insider threat detection with all the essential security capabilities you need in one easy-to-use console.

Detect and Minimize Threats from Within

In the wake of high-profile breaches where trusted employees were involved, enterprises are increasingly concerned about the threats those employees pose, such as:

• Disgruntled employees looking to damage systems or steal data
• Users engaged in corporate or state-sponsored espionage
• Unsuspecting users clicking on phishing e-mails
• Users illegally downloading torrents

Insider threat detection can be challenging because it often spans across a multitude of systems and services. The rise of cloud services complicates insider threat detection efforts because many traditional security tools are incompatible with cloud architecture, creating blind spots in your security plan. The AlienVault Unified Security Management (USM) platform provides visibility into your on-premises, private cloud, and public cloud environments, enabling you to detect insider threats across your entire critical infrastructure.

AlienVault USM delivers essential insider threat detection and management capabilities, including:

Insider Threat Visibility Across Your Critical Infrastructure

• Network Intrusion Detection (NIDS)
• Cloud Intrusion Detection
• Cloud access logs (Azure: Insights, AWS: CloudTrail, S3, ELB)

Privilege Escalation Detection

• Host Intrusion Detection System (HIDS)
• File Integrity Monitoring (FIM)
• Detect unauthorized user access attempts
• Monitor critical SaaS services like Office 365 and G Suite

Event Correlation

• Security Information and Event Management (SIEM)
• Detect communications with malicious hosts
• Centralized dashboard that prioritizes threats the way you want to see them

Insider Threat Visibility Across Your Critical Infrastructure

Insider threat detection techniques rely on visibility into what’s happening across your critical infrastructure. However, the rise of the public cloud represents a security blind spot for many organizations because traditional security methods were not built with the cloud in mind. Effective insider threat detection requires a solution built to accommodate all the environments you need to secure.

That’s why AlienVault USM provides a unified platform to help you detect and understand activity across any combination of on-premises, private cloud, and public cloud environments, including threats that come from malicious or careless users within your organization.

On-premises, AlienVault USM’s Network Intrusion Detection (NIDS) inspects traffic between your internal devices and critical systems, giving you visibility into what’s happening inside your perimeter and detecting internal connections to external known bad actors. By deploying an agent such as the AlienVault Host Intrusion Detection (HIDS) agent, you can gain even more granular information about activity in your environments.

AlienVault USM Appliance will also alert you whenever a user inserts a device into a USB port on a system you’re monitoring, keeping you informed of potentially unauthorized activity that can lead to data theft.

Cloud environments pose a unique challenge to insider threat detection efforts, both because traditional network security methods aren’t compatible with cloud infrastructure and because of the amount of damage a single user can inflict. (Imagine your root access keys getting into the wrong hands.)

AlienVault USM Anywhere provides full visibility into your cloud environments, using purpose-built sensors with direct hooks into cloud APIs to leverage the extensive controls service providers have built into cloud architecture.

In addition to enabling cloud intrusion detection capabilities for AWS and Azure, the USM Anywhere sensors support insider threat detection with detailed information about who logs into the management plane and what actions they take. For example, you can tell if someone has created or destroyed virtual machines, created new services, or changed the configurations of your virtual machines (say, from eight to sixteen gigabytes, or from one process to multiple).

You can use this data to detect insider threats such as careless or malicious use of your root access keys—before it causes your bill to skyrocket.

Privilege Escalation

Most companies track the activities of privileged users as an essential security practice. To bypass this, insiders will seek to escalate privileges in order to gain access to information, subvert controls, damage systems, or facilitate exfiltration of sensitive data—all while flying under the radar.

AlienVault USM provides the capabilities you need to identify privilege escalation and respond to it quickly, limiting the scope of a malicious insider’s impact on your organization.

You can use AlienVault USM to detect and alert on privilege escalation that doesn’t have a corresponding change request by deploying an agent to your systems, allowing you to collect critical information from your endpoint servers and workstations.

Events from the agent are forwarded to your USM deployment, allowing you to monitor admin groups for new users and take action if users are being added to groups inappropriately. You can also use file integrity monitoring (FIM) to track changes to your assets.

In addition, USM correlates suspicious events to detect when a user’s access to critical systems and applications may be malicious. This allows you to detect, respond, and neutralize the insider threat posed by employees trying to bypass security controls by escalating their rights, or by employees hijacking user credentials for malicious purposes.

If your organization uses Office 365, you can use USM Anywhere to monitor privilege escalation by auditing changes to roles or groups within Exchange Online. You can also keep track of activities like user access and mailbox management.

Because Office 365 users sometimes escalate privileges by delegating inbox access to another user (say, to an administrative assistant), it’s important to have forensic records in case an email gets into the wrong hands. With USM Anywhere, you can easily investigate who accessed the inbox or sent email messages.

Event Correlation

Humans, unlike computers, are often unpredictable in nature. As such, insider threat detection usually requires the ability to correlate seemingly benign events to detect insider threats that take place across various systems. Insiders will often account for existing security controls and attempt to keep their activity ‘low and slow’ to avoid triggering any alarms.

AlienVault USM can link disparate events across your on-premises, private cloud, and public cloud environments and correlate events related to malicious insiders. USM’s strong correlation engine uses built-in correlation rules to detect relationships between different types of events occurring in one or more monitored assets to identify suspicious activity. This eliminates the need for IT teams to create their own correlation rules, so they can spend their time mitigating threats rather than researching them.

That’s where the threat intelligence produced by the AlienVault Labs Security Research Team steps in to assist. Think of it as an extension to your IT team – they are constantly performing advanced research on current threats and developing updates to AlienVault USM’s threat intelligence. In addition to the vulnerability signatures, you receive continuous updates to SIEM correlation rules, IDS signatures, knowledgebase articles, and more.

Updating the AlienVault USM platform is extremely easy, designed to minimize downtime, and just requires a couple of mouse clicks. This ensures that AlienVault USM is conducting regular vulnerability scans for the latest threats without requiring in-house research or development of vulnerability data. This allows you to allocate your time and resources to other responsibilities and do more with a smaller team.

Ransomware Detection:

Accelerate ransomware detection and response with AlienVault Unified Security Management (USM)—an all-in-one security essentials solution with integrated threat intelligence that helps you to detect ransomware sooner to minimize the spread of infection.

Stop Ransomware in Its Tracks with Advanced Threat Detection

Ransomware is a top security concern for organizations today. Malicious actors continue to develop new techniques and strategies to trick victims into downloading and installing ransomware on their systems, and many IT teams are ill-equipped to respond.

Ransomware is a type of malware that encrypts files on a system, making them inaccessible until you pay a ransom (usually in the form of a cryptocurrency like bitcoin or prepaid cash cards) in exchange for the decryption key. Given the complexity and variety of new ransomware threats emerging daily, it can be difficult for IT teams of any size to figure out how to detect ransomware and respond to it while managing the rest of their cybersecurity needs.

AlienVault can help. Unlike alternatives, AlienVault Unified Security Management (USM) simplifies and accelerates threat detection so that IT teams can quickly respond to ransomware threats and contain outbreaks with targeted, automated, and orchestrated defense. AlienVault USM empowers IT teams with complete visibility into their entire risk surface by unifying security monitoring across cloud, on-premises, and hybrid environments.

As ransomware activity patterns evolve, the AlienVault Labs Security Research Team and the Open Threat Exchange (OTX) keep the USM platform up to date with continuous and automatic threat intelligence updates. This threat intelligence includes the latest threat indicators, vulnerabilities, and response guidance. It is fully operational and ready to use, so organizations of all sizes can quickly detect and contain ransomware activity without having to spend time researching emerging threats or writing correlation rules.

In addition, AlienVault USM delivers advanced security orchestration and automation capabilities, as well as out-of-the-box integration with leading third-party security tools like Palo Alto Networks, Carbon Black, and Cisco Umbrella. So, you can plan and execute your ransomware response activities directly from AlienVault USM, saving you precious time and effort.

AlienVault USM delivers the essential security capabilities needed for ransomware detection:

Detect and Respond to Ransomware Threats Quickly with Unified Security Management

• Real-time threat detection with built-in essential security capabilities
• Coordinated incident response with integrated analysis and reporting

Monitor Every Environment with Comprehensive Intrusion Detection

• Unified security monitoring of Office 365 and other cloud apps to detect ransomware threats early on
• Cloud Intrusion Detection (AWS and Azure) – alert on critical events within your AWS and Azure environments consistent with ransomware indicators.
• Network Intrusion Detection – alert on known ransomware communication activity based on continuous updates from the AlienVault Labs Security Research Team
• Host Intrusion Detection – alert on known ransomware attack activity detected on the critical servers across all your environments

Reduce the Time between Detection and Response with Security Orchestration & Automation

• Integrated threat intelligence delivered by the AlienVault Labs Security Research Team provides early notice of ransomware attack indicators and activity in the wild
• Automated incident response triggered through tight integration with third-party security tools like Cisco Umbrella, Palo Alto Networks, and Carbon Black

Detect and Respond to Threats Quickly with Unified Security Management

Threat detection or threat monitoring tools provide a critical layer of defense against ransomware attacks. Real-time detection and rapid response are crucial to your ability to contain a ransomware outbreak and to limit its impact. This extends to everywhere you’ve deployed assets, whether in on-premises physical or virtualized infrastructure, in public clouds such as Microsoft Azure or Amazon Web Services, as well as cloud applications like Microsoft Office 365 and Google G Suite.

AlienVault USM centralizes threat detection of your critical environments and cloud apps, making ransomware detection and response both fast and easy. AlienVault USM delivers multiple layers of ransomware detection and correlates events from across your data sources, giving you complete visibility of your security posture at all times. Once a threat has been detected, AlienVault USM alerts you and gives detailed information about the threat, attack method, and affected asset(s), as well as guidance about how to respond, so you can react quickly and effectively.

Asset Discovery
Monitors your on-premises and cloud environments for new assets, identifying new systems and devices that need to be monitored and assessed for vulnerabilities that ransomware could exploit. Because ransomware downloaded by a single user can easily spread across your entire environment, it’s important to have visibility into all of the assets in your critical infrastructure.

Vulnerability Assessment
AlienVault USM continually scans your environments to detect vulnerabilities that attackers could exploit in a ransomware attack. The USM platform ranks vulnerabilities by severity so that you can prioritize your remediation efforts.

Network Intrusion Detection Systems (IDS)
Analyzes the network traffic to detect signatures of known ransomware and communications with known malicious servers. Using field-proven IDS technologies, AlienVault USM identifies attacks, malware, policy violations, and port scans that could be indicators of malicious activity throughout your environments.

Host Intrusion Detection (HIDS) and File Integrity Monitoring (FIM)
Analyzes system behavior and configuration status to identify suspicious activity and potential exposure. This includes the ability to identify changes to critical system and application files, as well as modifications to the Windows Registry, that could be made to initiate the ransomware’s encryption engine.

SIEM Event Correlation
Using machine learning and state-based correlation, the USM platform analyzes a large number of seemingly unrelated events across disparate systems to pinpoint the few events that are truly important. The AlienVault Labs Security Research Team regularly updates the USM platform with ransomware-specific correlation rules that identify a range of behaviors indicative of a ransomware infection, including downloading the ransomware file, systems attempting to connect with a C&C server and post data, multiple failed connections from a system attempting to connect to a domain (or multiple domains) within a narrow time window, and more.

SIEM Log Management & Reporting
The USM platform provides the ability to automate the centralized collection and normalization of events and logs from devices, servers, applications and more from across your on-premises and cloud environments, as well as from your cloud applications like Office 365. This data is centrally retained for at least one year, helping support compliance requirements and forensic investigations into attacks recently discovered, and yet require investigation of more historic data. Centralized collection also fuels automatic attack analysis by enabling analysts to perform search queries on collected data. Analysts can also run any of the built-in and customizable reports, such as to demonstrate compliance with standards like PCI DSS, or for regular review of security events and activities.

Monitor Every Environment with Comprehensive Intrusion Detection

Early ransomware, like Reveton and Citadel, simply locked you out of a system and displayed a page demanding payment. In contrast, today’s sophisticated strands of ransomware quietly encrypt your sensitive data without interrupting your normal computer usage, so you’re less likely to notice a problem until after your files have been affected. While it’s difficult to identify and halt an encryption process in progress, the sooner you detect ransomware in your environment, the better chance you have at isolating the compromised system from your environment and protecting your data (all without paying out ransoms to cyber-criminals

If your users are accessing corporate data in SaaS-delivered cloud apps like Office 365 and G Suite, it’s essential to monitor these environments to catch ransomware threats early on (e.g. phishing emails). AlienVault USM provides multi-layered intrusion detection capabilities so that you can quickly detect ransomware across your cloud and on-premises environments. In addition to security monitoring for commonly used SaaS apps, AlienVault USM delivers cloud intrusion detection for your public AWS and Azure cloud environments, as well as built-in network intrusion detection (NIDS), and host-based intrusion detection (HIDS) for your critical on-premises infrastructure. You can even integrate data from your existing IDS/IPS into AlienVault USM, allowing you to collect, correlate, and track events from a single place.

Security Monitoring within Office 365 for Advanced Ransomware Detection
AlienVault collects, analyzes, and centralizes event data from every app, system, and environment that’s critical to your business. Because users commonly access corporate data through SaaS apps like Office 365, it becomes essential to monitor these apps to detect the early warning signs of ransomware attacks, such as a phishing email attempt. Continuous threat intelligence updates from the AlienVault Labs Security Research Team arm your defenses with advanced warning of the latest ransomware indicators.

Cloud Intrusion Detection (CIDS)
AlienVault offers native cloud IDS capabilities to keep your AWS and Azure environments secure. USM Anywhere uses purpose-built sensors to monitor your cloud environments from the management plane, giving you visibility into your organization’s cloud-based activities.

Network Intrusion Detection Systems (NIDS)
On premises, network IDS sensors are deployed on the network using a tap or network span and use signature-based detection to identify ransomware and other threats to your critical systems.

Host Intrusion Detection Systems (HIDS)
With File Integrity Monitoring (FIM) built into the Host-based IDS (HIDS), AlienVault USM keeps a close watch on the files and registries of your sensitive assets and critical systems to detect when anomalous activities and file or registry changes occur.

Reduce the Time between Detection and Response with Security Orchestration & Automation

A ransomware attack can spread rapidly across your systems and quickly render them unusable. Time is of the essence. As soon as ransomware is detected in your environment, you must move swiftly to contain the threat and to prevent it from proliferating across your environment. If done manually or done across many disparate systems, or if the attack happens outside of typical working hours, your response effort may be delayed or too slow to contain the attack.

AlienVault USM has advanced security orchestration and automation capabilities that help you respond quickly and efficiently to threats affecting your environments, including response actions that work in alignment with third-party security tools like Cisco Umbrella, Palo Alto Networks, and Carbon Black. For example, if the USM platform detects evidence of ransomware on one of your assets, you can easily orchestrate the isolation of that system from your network through the built-in integration with Carbon Black, helping to prevent further spread of the ransomware.

The security orchestration responses available within AlienVault USM can also be automated, making your response faster and more efficient. For example, if AlienVault USM detects communication with a DGA-generated domain known to be malicious, such as ransomware communicating with its ‘Command & Control’ server, you can orchestrate a response action that passes the malicious domain details to Cisco Umbrella, which then blocks traffic between that domain and your employees and assets.