How we Improved Infrastructure Log Monitoring using AlienVault USM Anywhere
Pankaj KC
August 28, 2019


Score 9 out of 10

Software Version: USM Anywhere (SaaS)

Overall Satisfaction with AlienVault USM

We use it to detect network risks and vulnerabilities to a reasonable and appropriate level. It is used across the whole organization. It's also being used to comply with current legislation (security-related logs should be recorded).
  • As for us, it integrated easily with the AWS cloud and local infrastructure; in simple words, it is easy to implement
  • Processes different types of logs using its own built-in plugins and displays them in a manner that non-technical users can understand as well
  • Has its own very accurate correlation rules to generate alarms from the processed logs
  • Has an open threat intelligence community which can be integrated with the AlienVault account
  • In order to collect system logs from various servers, it has an AlienVault agent that can be installed on Windows, Mac and Linux. It collects various types of logs such as user activity, shell history, file integrity, etc.
  • Any suspicious alarm can be added as a ticket in its console and processed according to severity type.
  • Server and network vulnerability details can be scanned through the USM.
  • Customizable dashboard views in the console make it easy to monitor logs from different sources.
  • The events view can be customized according to the data source plugins.
  • USM has a feature for suppressing and filtering out logs from the console. Suppression hides the logs from the console dashboard, whereas filtering blocks similar log entries from entering the AlienVault console, which helps to reduce storage usage.
  • Asset Discovery: maintains and scans a dynamic asset inventory and software inventory for large-scale organizations
  • Security & Compliance Reporting: contains customizable reports for regulatory standards and compliance frameworks
  • It uses sensors to collect data from different sources, which results in extra cost for the sensor server
  • Support is very poor
  • It would be great if there were documentation on how we can identify and monitor suspicious logs
GuardDuty can be used to monitor VPC flow logs, DNS query logs and CloudTrail-related logs. It has its own threat intelligence from AWS security and third-party intelligence. It is limited to AWS resources only, whereas AlienVault USM can be used across all the networks and infrastructure inside an organization.
In the current scenario, threat actors are using more sophisticated tools, techniques and procedures to penetrate organization networks; USM provides real-time log processing and notification alerts for these threats. With the help of threat intelligence, it can constantly harvest and process knowledge about different threat actors and severe external threats, such as APTs (advanced persistent threats). One example is as follows:
  1. You have the list of domains that were visited by your organization's employees
  2. You compare this list of domains with lists of malicious domains obtained from different OTX (Open Threat Exchange) pulse providers that have already been posted on OTX.
  3. If a match is found, an alert is raised to take appropriate action.
  4. The same process is repeated at regular intervals to check all the new domains.
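The four-step loop above, written out as an added example (this is not code from the review or from AlienVault; the pulse indicators and DNS log lines are constructed, and the `.test` domains are placeholders). It normalizes each observed domain, matches it and its parent domains against the indicator set, raises an alert on a hit, and keeps a `seen` set so that a repeated run only checks domains that are new since the last interval:

```python
"""Match domains seen in DNS/proxy logs against threat-intelligence
indicators, in the style of the OTX pulse matching loop described above.
Added example with constructed data; not the product's own code."""

# Constructed OTX-style pulse indicators: domain -> pulse description.
# All values are placeholders, not real indicators.
PULSE_INDICATORS = {
    "bad-example.test": "constructed pulse: phishing kit hosting",
    "c2.evil-example.test": "constructed pulse: command-and-control",
}

# Constructed DNS query log: "<timestamp> <host> <queried domain>".
DNS_LOG = """\
2019-08-28T10:00:01Z ws-01 www.example.com.
2019-08-28T10:00:05Z ws-02 mail.BAD-EXAMPLE.test
2019-08-28T10:01:10Z ws-03 c2.evil-example.test.
2019-08-28T10:02:00Z ws-01 cdn.example.org
"""


def normalize(domain):
    """Lower-case and strip the trailing dot so log and indicator forms agree."""
    return domain.strip().rstrip(".").lower()


def parent_domains(domain):
    """Yield the domain and each parent (never the bare TLD), so that a
    subdomain of a listed domain still matches the indicator."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def match_domain(domain, indicators):
    """Return the matching indicator, or None if the domain is not listed."""
    for candidate in parent_domains(domain):
        if candidate in indicators:
            return candidate
    return None


def parse_log(text):
    """Yield (timestamp, host, domain) from well-formed log lines; skip others."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def check_log(text, indicators, seen=None):
    """One pass of the loop: alert once per new domain that hits an indicator.

    `seen` carries already-checked domains between runs, so a repeated pass
    at the next interval only evaluates domains not seen before.
    Returns (alerts, seen).
    """
    seen = set() if seen is None else seen
    alerts = []
    for ts, host, domain in parse_log(text):
        d = normalize(domain)
        if d in seen:
            continue
        seen.add(d)
        hit = match_domain(d, indicators)
        if hit is not None:
            alerts.append({
                "time": ts,
                "host": host,
                "domain": d,
                "indicator": hit,
                "pulse": indicators[hit],
            })
    return alerts, seen


if __name__ == "__main__":
    # First interval: two hits. Second interval over the same log: nothing new.
    first, state = check_log(DNS_LOG, PULSE_INDICATORS)
    for a in first:
        print(f"ALERT {a['time']} {a['host']} {a['domain']} -> {a['indicator']} ({a['pulse']})")
    second, _ = check_log(DNS_LOG, PULSE_INDICATORS, state)
    print(f"second pass: {len(second)} new alerts")
```

Matching on the domain and its parents (rather than substring matching) is what keeps `notbad-example.test` from colliding with `bad-example.test` while still catching `mail.bad-example.test`; the `seen` set is the part that makes the interval re-run cheap and avoids re-alerting on a domain already ticketed.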
As per our compliance policy, we need to have a monthly log review process. With the help of USM, it has been easier to do that. It centralizes and processes the logs to give the exact picture of our infrastructure's network and system logs. This product provides pre-built and customizable dashboards to view data collected by different sensors. Otherwise, we would have had to go through every single log and review it manually, which would have resulted in frustration.
If you have a bigger organization with a bigger network infrastructure that needs to be monitored in every aspect, then AlienVault USM is perfect for it. It automatically detects threats and sends out email notifications from which necessary actions can be taken. It has a correlation engine, which quickly detects and alerts on different variants of malware that can affect your organization. It provides full details on the attack method and strategy, the systems in the network involved in the attack (source and destination) with their geo-location, and the associated events that comprised the attack, along with response guidance.

Since it is very expensive, I do not recommend it for small organizations; it requires additional infrastructure to implement AlienVault on premises.