• 131 Guilford Road, Bloomfield Hills, MI 48304
  • securelymanaged.com
  • Office Hours: 8:00 AM – 7:45 PM

Managed Detection and Response

Cyber threats are real. Federal, state, and industry regulations are putting increasing pressure on organizations to invest heavily in cyber security, while good security professionals remain in short supply. Large organizations have the budgets to address this, but they would rather spend those resources on mitigating risks than on monitoring alarms. Small and medium-sized businesses are caught in a dilemma: they have neither the resources to manage cyber threats nor the staff to ensure that their network is monitored.

Securely Managed has created a managed security service offering just for you!

Our Solution

Our MSSP solution is based on AlienVault, now owned by AT&T and operated as AT&T Cybersecurity. AlienVault's Unified Security Management (USM) platform is offered as USM Appliance and as USM Anywhere, and it is quick to implement. USM Anywhere is a cloud-based solution that is accessible from anywhere by users who hold the right credentials and link. USM Anywhere includes five essential security functions that provide enhanced visibility into your IT operating environment and allow it to deliver threat detection, incident response, and compliance management across all IT environments. The security functions are:

  • SIEM:
    • Log management that ingests and analyzes logs from different systems, including Windows, Linux, and network devices.
    • Open Threat Exchange (OTX) allows AlienVault USM to quickly identify whether an endpoint has been compromised; it provides over 19 million threat indicators daily from over 100,000 global contributors who investigate emerging threats. Because these indicators are community-contributed, a match is a lead to triage rather than a confirmed compromise.
    • Event correlation that brings together all the events in your IT environment and raises an alarm when an incident is identified.
    • Incident response that can be used as is or integrated into your existing incident response process.
  • Asset Discovery:
    • Performs active and passive scans of the network to identify all IT assets with an IP address on the network(s).
    • Maintains an inventory of all identified assets.
    • Maintains an inventory of all identified software, mapped to the assets.
  • Vulnerability Scanning:
    • Provides vulnerability scanning and monitoring that can be scheduled to suit your environment.
    • Allows authenticated and unauthenticated scans of the IT assets.
    • Identifies risks and remediations based on an industry-standard scoring scheme.
    • Feeds the identified risks into analysis and correlation.
  • Intrusion Detection:
    • Network IDS (NIDS) identifies threats on the network by analyzing network packets.
    • Host IDS (HIDS) identifies threats that may exist on, or affect, an endpoint.
    • File integrity monitoring allows AlienVault USM to monitor changes to specified files and folders.
  • Behavior Analysis:
    • NetFlow analysis that identifies insecure protocols and services, identifies source and destination IP addresses, supports forensic assessments, and more.
    • Provides service availability monitoring.
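To make the SIEM functions above concrete, here is a small added example (not AlienVault or Securely Managed code) of what a log-management, indicator-matching and event-correlation pipeline does: it parses a few constructed BSD-style syslog lines, enriches them against a hypothetical threat-indicator list standing in for an OTX pulse, and raises an alarm when a burst of failed logins from one source is followed by a successful login. The host names, IP addresses and pulse name are all made up for the example.

```python
"""Toy SIEM pipeline: log ingestion, indicator matching, event correlation (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines for the example; not real traffic.
SAMPLE_LOGS = """\
Mar 10 08:01:02 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51122 ssh2
Mar 10 08:01:03 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51123 ssh2
Mar 10 08:01:05 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51124 ssh2
Mar 10 08:01:06 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51125 ssh2
Mar 10 08:01:07 web01 sshd[2211]: Failed password for root from 203.0.113.77 port 51126 ssh2
Mar 10 08:01:09 web01 sshd[2230]: Accepted password for root from 203.0.113.77 port 51130 ssh2
Mar 10 08:02:11 db01 sshd[4410]: Failed password for admin from 198.51.100.9 port 40001 ssh2
Mar 10 08:03:00 fw01 kernel: DROP IN=eth0 OUT= SRC=192.0.2.200 DST=10.0.0.5 PROTO=TCP DPT=445
"""

# Hypothetical indicator list standing in for an OTX pulse (IP -> pulse name).
THREAT_INDICATORS = {"192.0.2.200": "example-scanner-pulse"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SSH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+")
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)")


def parse_syslog(line):
    """Normalize one BSD-syslog line into a flat event dict; return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "host": m["host"],
          "proc": m["proc"], "msg": m["msg"], "category": "other"}
    s = SSH_RE.match(m["msg"])
    if s:
        ev.update(category="auth_failure" if s["result"] == "Failed" else "auth_success",
                  user=s["user"], src=s["src"])
        return ev
    f = FW_RE.search(m["msg"])
    if f and m["proc"] == "kernel":
        ev.update(category="fw_drop", src=f["src"], dst=f["dst"])
    return ev


def match_indicators(events, indicators):
    """OTX-style enrichment: alarm on any event whose source or destination IP is a known indicator."""
    alarms = []
    for ev in events:
        for field in ("src", "dst"):
            ip = ev.get(field)
            if ip in indicators:
                alarms.append({"rule": "Known-bad IP", "host": ev["host"], "ip": ip,
                               "pulse": indicators[ip], "ts": ev["ts"]})
    return alarms


def correlate_bruteforce(events, threshold=5, window_s=60):
    """Alarm when >= threshold auth failures from one source precede a success within window_s seconds."""
    failures = defaultdict(list)
    alarms = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev.get("src")
        if ev["category"] == "auth_failure":
            failures[src].append(ev["ts"])
        elif ev["category"] == "auth_success":
            recent = [t for t in failures[src] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alarms.append({"rule": "Brute force followed by successful login",
                               "host": ev["host"], "ip": src, "user": ev["user"],
                               "failures": len(recent), "ts": ev["ts"]})
            failures[src].clear()  # a success resets the counter for that source
    return alarms


def run_pipeline(raw, indicators=THREAT_INDICATORS):
    """Ingest raw syslog text and return (normalized events, alarms) from both rules."""
    events = [e for e in (parse_syslog(line) for line in raw.splitlines()) if e]
    return events, match_indicators(events, indicators) + correlate_bruteforce(events)


if __name__ == "__main__":
    events, alarms = run_pipeline(SAMPLE_LOGS)
    print(f"ingested {len(events)} events, raised {len(alarms)} alarms")
    for alarm in alarms:
        print(alarm)
```

The single failure from 198.51.100.9 against db01 raises nothing, which is the point of correlation: an isolated event is just noise until the rule sees the pattern (five failures then a success from the same source). A real SIEM also needs the window to reset and the counter to be per-source, as shown, or one noisy host would suppress or inflate alarms for every other host.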

Architecture

AlienVault USM supports a tiered and distributed architecture. At the bottom of this architecture are the agents installed on the endpoints. The agent can be AlienVault's native agent or, where it is already installed, the NXLog service. Where a system supports syslog, its logs can be forwarded to the USM Anywhere sensor, which then acts as the syslog server. In this way system log events from Windows, Linux, and network infrastructure devices are ingested and analyzed by USM Anywhere.

Depending on the size of the organization, one or more sensors are deployed within it. The sensor does the grunt work: discovering assets, performing vulnerability scans, identifying software, and so on. The AlienVault sensor can be deployed on VMware, Hyper-V, Azure, or AWS.

As the sensors collect events, they forward them to your organization's sub-domain in the cloud for analysis and correlation. If a security incident is detected, an alarm is generated at the sub-domain. Users access the sub-domain through a browser, where they can view alarms, configure the system, or generate reports; what a given user can do depends on the access rights granted to that user.

AlienVault provides seamless integration with a growing list of cloud applications and security products through its AlienApps. Examples include Cisco, Office 365, Google G Suite, McAfee ePO, Sophos, Carbon Black, and Palo Alto Networks.

Reporting and SOC Services

The AlienVault USM overview dashboard shown below provides various types of information to the user at a glance. In addition to the overview dashboard, AlienVault USM has other information and configuration screens that provide more detailed information through drill-down. It also provides search and filtering capabilities that let the user narrow the set of displayed items.

Overview Dashboard

Windows Assets Dashboard
