Great 5 Capabilities....where is the APT Button??

I remember asking a question on one of the demos they had online and it was regarding the capability of downloading executable or malicious files being detected by the NIDS. They laughed and said that one will have to have years and years of experience to analyze those files and that's why they don't have that functionality in their solution. I don't know if the "experts" have ever heard of Remnux or Cuckoo Sandbox . Anyways, I think that it will be great specially for organizations that cannot afford an IR team. Let's keep in mind that this product is being marketed a lot for SMBs and mid-sized businesses !!

It will be great to see SYSMON events being pulled by the OSSEC agents automatically a soon as it gets installed on the endpoint to have real complete visibility. I havent seen that yet. I have seen projects for Parsers but to work with ELSA. It would be great to see the AlienVault team to focus on getting as much information as possible of the endpoint too to help the IR team. You guys already have agents being installed on the endpoints, why not take advantage of it and show actually processes being created, call outs being made, etc. Remember that the nice packet capture feature will not be useful with encrypted traffic. Having the extra layer of detection will be really helpful. Knowing what files are being accessed or scanning for root-kits is useful but not enough for an IR engagement. During an intrusion, you need more information. Check Carbon-Black for some ideas on how to show the KILL CHAIN ! .

SAAS will be GREAT TOO!

Live response CAPABILITIES also will be a GREAT add-on for AlienVault USM. Launching a PSSession and adding functions to DELETE FILES, DOWNLOAD IOCs and KILL PROCESSES is really easy and it will be great to have a button that we can just press and have a shell on the Endpoint. EDR is HOT right now in the industry, and I wish I had that option in my USM Dashboard.