PRODUCT REVIEW:
AlienVault USM Anywhere

601

We reviewed AlienVault® USM Anywhere™ and were impressed with the many robust threat monitoring, detection, and incident response capabilities packed into a single platform. AlienVault is a superb choice for organizations of all sizes but especially those with limited resources and in-house security expertise that are looking for comprehensive security management at an affordable price. Read on for more details as we dive deeper into AlienVault USM Anywhere.

AlienVault USM Anywhere Dashboard

Overview

AlienVault USM Anywhere is an all-in-one SaaS-delivered security management platform that centralizes and simplifies threat detection, incident response, and compliance management across cloud and on-premises environments.

To achieve this promise, USM Anywhere unifies essential security technologies—asset discovery, vulnerability assessment, intrusion detection (network, host, and cloud), incident response, SIEM correlation and log management and reporting—into one, unified platform. The platform collects, analyzes, validates and curates threat information and provides IT admins with actionable intelligence for proper incident response.

This unified security management approach helps customers alleviate the burden of otherwise having to purchase, integrate, and manage multiple point security products, saving significant time and money. This makes the solution especially attractive for companies that want to deploy threat detection, incident response and compliance management, but have limited resources and in-house security expertise.

Key Capabilities

USM Anywhere provides the following essential security capabilities out of the box (we will review some of these in greater detail in the next section):

  • Asset Discovery: built-in active and passive network discovery, asset inventory, infrastructure, and software inventory
  • Vulnerability Assessment: active network scanning, continuous vulnerability monitoring
  • Threat Detection: network IDS (NIDS), host IDS (HIDS), cloud IDS (AWS IDS, Azure IDS), file integrity monitoring
  • Behavioral Monitoring: monitor user and administrator activity across your on-premises and cloud assets and applications
  • SIEM: log management, SIEM event correlation, analysis, and reporting
  • Incident Response: recommended guidance and orchestrated responses for threat containment or mitigation
  • Security & Compliance Reporting: built-in and customizable reports for regulation standards and compliance frameworks

Product Review

The advantages of this integrated approach are to simplify setup, reduce implementation time, remove integration complexity, and decrease the overall operating cost of the solution.

Let’s take a look at a few scenarios:

      • Detect and Contain Malware and Ransomware. Using both its intrusion detection (across host, network and cloud) and correlation engine, USM Anywhere quickly detects and alerts on different variants of malware and ransomware that can affect an organization. The product provides the analyst with full details about the attack method and strategy, the systems involved in the attack (source and destination), and the associated event(s) that comprised the attack, along with response guidance. Through AlienApps™, which extend the capabilities of USM Anywhere to 3rd party IT security and management products, the analyst can initiate an orchestrated response to the threat from within the USM Anywhere UI. For example, the analyst can instruct Carbon Black to isolate the infected endpoint, or block communications with a known C2 server using Palo Alto Firewall.

        • Secure Office 365. USM Anywhere uses the Office 365 Management API to monitor user and administrator activities, across all Office 365 services, including Azure Active Directory, Exchange Online, OneDrive for Business, SharePoint Online, and more. With this, analysts can detect potential anomalies such as users logging in from unfamiliar countries, delegating Exchange mailbox privileges, modifying and downloading files, sharing data outside the organization, changing one of Office 365 policies (e.g. DLP Policy), and more.
        • Monitor AWS. Using CloudWatch and CloudTrail APIs, as well as logs for different services such as load balances and S3 storage, USM Anywhere facilitates monitoring of AWS environments, and corresponding user access and changes within the AWS public cloud. This supports identification of new assets being created, such as new virtual machines or platform services, security group modifications, misconfiguration of S3 access controls that could expose sensitive data, use of IP addresses that were previously identified as malicious, and more.
        • Log Management. USM Anywhere facilitates the automated collection of log and event data from across on-premises and cloud environments, which it normalizes for automatic and human analysis, and enriches with data (as appropriate) such as detailing the country from where a brute force authentication attack originates. This data is then transferred into compliance-ready storage, where it is retained for at least one year. Compared to the manual log aggregation that many organizations still do today, this automation can dramatically reduce both time and costs, as well as help meet compliance log management requirements.

    Customers also benefit both from the unified capabilities of the USM Anywhere platform and the integrated threat intelligence of AlienVault’s Open Threat Exchange® (OTX), the world’s largest crowd-sourced repository of threat data, which provides real-time actionable information about threats and incidents that may impact them. The integration to the OTX community-powered threat repository allows customers to continuously learn from and collaborate with others who have experienced similar security incidents.

    In addition to AlienVault’s integrated threat intelligence with their OTX community, the USM Anywhere product provides heterogeneous network support across physical appliances and virtual/cloud environments. This includes cloud applications like Microsoft’s Office365 and Google’s G-Suite. Through their AlienApps, integrated modular software add-on components, USM can monitor, analyze and enable orchestrated responses through 3rd party productivity, management and security products such as ServiceNow, JIRA, Carbon Black, Cisco Umbrella, Palo Alto Firewalls, and more. The platform allows for the aggregation, normalization, and enrichment of events and logs from multiple systems deployed across an organization. It uses a mix of both machine-learning and state-based correlation to accelerate identification of emerging threats.

    Compliance Features

    IT organizations must be able, upon request from regulatory auditors and management, to demonstrate compliance with many different regulatory standards (e.g. HIPAA, PCI-DSS, SOX, etc.) and compliance frameworks (e.g. NIST CSF, COBIT). USM has built-in and customizable reports for popular regulations and industry standards that allow organizations to review the status of their IT security controls, and also provides numerous dashboards and built-in visualizers.

    Data retention is a key aspect of all industry compliant security requirements. Embedded in the USM platform are two automatic storage features; 1) up to 90 days of “hot storage,” which allows data and events to be searchable, reportable and available to trigger alerts, and 2) at least one year of “cold storage,” for auditing and forensic purposes. Both storage features provide historical visibility to help meet compliant practices and requirements.

    Summary

    Bottom line: AlienVault’s USM Anywhere platform is a good fit for organizations of any size that have resource-constrained security teams and budgets. USM provides a powerful, yet cost effective security management solution that eliminates the need to acquire, integrate, and manage multiple stand-alone products.

    We like that USM Anywhere offers a wide range of pre-built and customizable dashboards that use data gathered by sensors, and also that it includes the flexibility to add intel from third-party applications and environments (on-prem, private and public cloud) to provide a more comprehensive picture of an organization’s threat environment.

    What AlienVault Customers Say

  • AlienVault is used by companies such as Parking Panda, CareerBuilder, and Colony Starwood Homes who confirm their satisfaction with the solution.

    “We are utilizing AlienVault USM Anywhere to help us meet our ISO 27001 certification initiatives and to help manage our security all in one spot.”
    – Lucas Schafroth, IT Analyst, HomeServices Lending LLC

    “With USM Anywhere, I can monitor my cloud environment and my local environment together, and I no longer have to use my own hardware for number crunching and analysis – that’s all handled by the USM Anywhere cloud system. This product brings together everything I need under one roof and the enhanced reporting and dashboard make things much easier to manage for small teams. AlienVault is the only company that makes this possible.”
    – Jason Weitzman, Security Engineer at Colony Starwood Homes

    “AlienVault [USM Anywhere] has done a great job of detecting security threats in the environments where we have it deployed. We had a ransomware outbreak on a network with AlienVault deployed and the product detected it and alerted immediately. I was very impressed. It’s also done a great job of identifying potential security vulnerabilities, which has helped us lock down our customer networks.”
    – Jeremy Wanamaker, CEO, Complete Network Support

    Delivery & Deployment

    AlienVault’s USM Anywhere is available as a SaaS-delivered solution with a monthly subscription license, eliminating the burden of upfront CAPEX investment.

    USM Anywhere requires customers to deploy USM Anywhere Sensors, which are virtual appliances that can be deployed on-premises on Hyper-V and VMWare, and on AWS or Azure public cloud environments. Sensors can also connect to and monitor cloud applications including Office 365, G Suite, and more. Once provisioned and activated, USM can be delivering insights in less than 1-2 hours.

    Licensing & Pricing

    USM Anywhere is available as a monthly subscription license, starting at $650 USD.

    About AlienVault

    AlienVault simplifies the way organizations detect and respond to today’s evolving threat landscape. The company’s unique and award-winning approach is used by thousands of customers and combines multiple security controls of the all-in-one platform, AlienVault Unified Security Management, with the power of AlienVault’s Open Threat Exchange, the world’s largest crowd-sourced threat intelligence community, making effective and affordable threat detection attainable for resource-constrained IT teams. AlienVault is a privately held company headquartered in Silicon Valley.

    For more information, please visit: https://www.alienvault.com