SIEM Use Cases
Deploy AlienVault USM™ in less than an hour for actionable insight from the built-in SIEM software and over 2,000 pre-built correlation rules.
Too often, organizations that invest in a SIEM (Security Information and Event Management) are frustrated and disappointed by the amount of investment in technology and people it takes to generate useful information.
Whether it is maintaining the separate data sources that supply the SIEM tool with security events to analyze, or writing the correlation rules to make sense of the mountain of event data, SIEMs are not easy to maintain.
AlienVault Unified Security Management™ (USM™), with its built-in data sources, SIEM software, and over 2,000 correlation rules, gives IT teams with limited resources an all-in-one threat detection and compliance management platform.
The AlienVault USM™ platform is designed for you to go from installation to insight in as little as one hour, instead of the weeks or months it would take you with other SIEM technology.
These SIEM use case examples show how you can rely on the AlienVault USM platform to detect a range of threats and deliver the insight you need:
SQL Injection and Other Web Application Attacks
- Identify vulnerable public-facing systems that are easily targeted
- Detect attacks directed at vulnerable systems
- Alert on compromised systems communicating with attackers
Watering Hole Attacks
- Detect malware attempting to install on systems
- Alert when multiple malware threats are from the same compromised website
- Detect compromised systems communicating with C&C
Malware Infection
- Identify communication from known malicious hosts
- Detect malware infecting systems
- Alert on changes to services and/or privilege escalation as a result of a successful attack
Continuous Compliance Management
- Consolidate and automate your critical security controls
- Understand critical events and compliance status with network-wide visibility
- Utilize hundreds of built-in, customizable reports to satisfy your auditor
SIEM Use Case Example #1 – Detect SQL Injection and Other Web Application Attacks
SQL Injection attacks continue to be one of the most common attacks on public-facing websites today due to the high number of SQL vulnerabilities. The attacks succeed when an attacker sends specially crafted commands to the SQL server that exploit a vulnerability in the software.
An essential first step in this SIEM use case example is to identify all systems running SQL (particularly public-facing systems) using the built-in Asset Discovery and Software Inventory technology in AlienVault USM. You can quickly create an asset group of all systems running SQL to ensure you are aware of any changes to the status of those systems.
To detect attacks directed at your SQL servers, you should deploy the built-in Intrusion Detection System (IDS) on the network and host IDS on the systems running SQL. Network IDS detects malicious content on your network targeting your SQL deployments, and host IDS provides detailed insight into the health of the targeted systems.
AlienVault USM™ will also alert you to any compromised systems communicating with known malicious hosts. Malware, once it compromises a system on your network, might attempt to communicate with the Command and Control (C&C) server. The built-in SIEM software, plus global visibility of known malicious hosts, will alert you to compromised systems communicating with C&C servers.
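The asset-group step and the IDS step above amount to a correlation rule: an IDS web-attack alert matters most when its target is in the SQL asset group, is public-facing, and already has open vulnerability findings. The following added example (not AlienVault USM code) implements that prioritization over constructed inventory records and alerts; the package names in SQL_SOFTWARE, the alert category strings, the host names and the vulnerability id are all assumed placeholders.

```python
"""Added example, not AlienVault USM code: correlate network IDS web-attack
alerts with an asset inventory so that attacks on public-facing SQL systems
surface first. Hosts, software names, vulnerability ids and alerts are all
constructed samples."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    ip: str
    hostname: str
    software: set          # package names reported by software inventory
    public_facing: bool
    vulns: set = field(default_factory=set)  # findings from a vulnerability scan


# assumed package names that mark a "system running SQL"
SQL_SOFTWARE = {"mysql-server", "mariadb-server", "postgresql", "mssql-server"}


def sql_asset_group(inventory):
    """Build the asset group of all systems running SQL, keyed by IP."""
    return {a.ip: a for a in inventory if a.software & SQL_SOFTWARE}


def score_alert(alert, sql_group):
    """Return (priority, reason) for one NIDS alert of the form
    {"src": ip, "dst": ip, "category": str, "signature": str}.
    Priority 0 means the alert is not relevant to this use case."""
    if alert["category"] != "web-application-attack":
        return 0, "not a web application attack"
    asset = sql_group.get(alert["dst"])
    if asset is None:
        return 1, "web attack against a non-SQL asset"
    priority, reason = 2, f"web attack against SQL asset {asset.hostname}"
    if asset.public_facing:          # reachable from the internet
        priority += 1
        reason += ", public-facing"
    if asset.vulns:                  # scanner already flagged open findings
        priority += 1
        reason += ", open findings: " + ", ".join(sorted(asset.vulns))
    return priority, reason


def triage(alerts, inventory):
    """Score every alert and return the relevant ones, highest priority first."""
    group = sql_asset_group(inventory)
    scored = []
    for a in alerts:
        priority, reason = score_alert(a, group)
        if priority:
            scored.append((priority, a["src"], a["dst"], reason))
    return sorted(scored, key=lambda s: s[0], reverse=True)


# constructed sample inventory and alerts (placeholder addresses and ids)
SAMPLE_INVENTORY = [
    Asset("10.0.1.5", "web-db-01", {"apache2", "mysql-server"}, True, {"VULN-PLACEHOLDER-1"}),
    Asset("10.0.2.9", "hr-db-01", {"postgresql"}, False),
    Asset("10.0.3.3", "files-01", {"samba"}, True),
]
SAMPLE_ALERTS = [
    {"src": "203.0.113.7", "dst": "10.0.1.5", "category": "web-application-attack",
     "signature": "SQL injection attempt in URI"},
    {"src": "203.0.113.7", "dst": "10.0.3.3", "category": "web-application-attack",
     "signature": "SQL injection attempt in URI"},
    {"src": "198.51.100.4", "dst": "10.0.2.9", "category": "web-application-attack",
     "signature": "SQL injection attempt in POST body"},
    {"src": "10.0.2.9", "dst": "10.0.1.5", "category": "policy-violation",
     "signature": "cleartext database login"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS, SAMPLE_INVENTORY):
        print(row)
```

The point of the scoring is that the same IDS signature produces three different priorities depending only on inventory context, which is what lets a small team look at the public-facing, unpatched SQL host first.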
SIEM Use Case Example #2 – Detect Watering Hole Attacks
Watering Hole attacks target specific groups of users (such as government agencies, industries, or political organizations) who are likely to frequent specific websites. The attacker installs malware on the site that then attempts to compromise visitors’ systems.
In this SIEM use case example, AlienVault USM can detect the different stages of a Watering Hole attack and alert you to its presence in your network before any exfiltration of user credentials or confidential data occurs.
The built-in IDS within the AlienVault USM platform will detect the delivery of the malware payload from the compromised website. The continuously updated correlation rules can correlate multiple malware infections from the same compromised website, alerting you to a potential Watering Hole attack.
AlienVault IDS will also detect malware attempting to traverse the network and compromise other systems. The SIEM capability’s built-in correlation rules will also detect the outbound communication as the malware attempts to establish a communication channel with the Command and Control (C&C) server before exfiltrating the harvested data.
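The distinctive correlation in this use case is the one named above: several malware infections traced back to the same website. The added example below (not AlienVault USM code) implements such a rule over constructed IDS events, raising an alarm when at least three distinct internal hosts fetched a malware payload from the same site within 24 hours; the threshold, the window, the event field names and the site names are assumptions.

```python
"""Added example, not AlienVault USM code: a correlation rule that raises a
Watering Hole alarm when malware-download alerts for several distinct internal
hosts cite the same external website within a time window. All events are
constructed samples."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # assumed correlation window
MIN_VICTIMS = 3                # assumed threshold of distinct victim hosts


def watering_hole_alarms(events, window=WINDOW, min_victims=MIN_VICTIMS):
    """events: dicts {"ts": ISO-8601 time, "host": internal IP that fetched the
    payload, "site": website the payload came from, "signature": IDS rule name}.
    Returns a list of (site, sorted victim hosts) for every site whose malware
    alerts cover at least min_victims distinct hosts inside one window."""
    by_site = defaultdict(list)
    for e in events:
        if e["signature"].startswith("MALWARE"):     # only payload-delivery alerts
            by_site[e["site"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    alarms = []
    for site, hits in by_site.items():
        hits.sort()                                   # time order for the window scan
        for i, (t0, _) in enumerate(hits):
            # distinct hosts seen from this hit up to the end of the window
            victims = {h for t, h in hits[i:] if t - t0 <= window}
            if len(victims) >= min_victims:
                alarms.append((site, sorted(victims)))
                break                                 # one alarm per site is enough
    return alarms


# constructed sample events (placeholder addresses and site names)
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "10.0.5.1", "site": "news.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},
    {"ts": "2024-03-01T09:40:00", "host": "10.0.5.2", "site": "news.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},
    {"ts": "2024-03-01T10:15:00", "host": "10.0.5.1", "site": "news.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},   # same host again
    {"ts": "2024-03-01T10:30:00", "host": "10.0.5.9", "site": "news.example",
     "signature": "WEB-MISC suspicious redirect"},        # not a malware alert
    {"ts": "2024-03-01T11:05:00", "host": "10.0.5.3", "site": "news.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},
    {"ts": "2024-03-01T12:00:00", "host": "10.0.5.4", "site": "blog.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},   # single victim
    {"ts": "2024-03-01T08:00:00", "host": "10.0.6.1", "site": "old.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},
    {"ts": "2024-03-03T08:00:00", "host": "10.0.6.2", "site": "old.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},   # spread over days
    {"ts": "2024-03-05T08:00:00", "host": "10.0.6.3", "site": "old.example",
     "signature": "MALWARE-DOWNLOAD drive-by payload"},
]

if __name__ == "__main__":
    for site, victims in watering_hole_alarms(SAMPLE_EVENTS):
        print(f"Watering Hole suspected: {site} infected {victims}")
```

Counting distinct hosts rather than raw alerts is what keeps one noisy machine from triggering the rule on its own, and the time window is what separates a campaign from unrelated hits on a popular site over weeks.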
SIEM Use Case Example #3 – Detect Malware Infection
Malware is still the preferred method for gaining an initial foothold within a network, because of the ease with which attackers can install it on at least one system. Traditional preventive security technologies cannot keep all malware out, and your best defense is to be able to spot the malware and remove it before it can facilitate a data breach.
In this SIEM use case example, the SIEM software correlates events within the AlienVault USM platform to alert you to the presence of malware in several ways. In one, the integrated community-powered threat data from OTX detects inbound communication from known malicious hosts, alerting you to those hosts in your network that may have inadvertently installed malware contained in an email or drive-by download. It detects outbound communication with malicious hosts as well, which could indicate a compromised system communicating with the C&C server.
Additionally, AlienVault USM™’s built-in IDS detects malicious code on your network and correlates that data with the built-in Asset Discovery and Vulnerability Assessment capabilities to alert you to traffic that is specifically targeting vulnerable systems.
AlienVault USM™ will also generate alerts when malware attempts to stop essential security services and change files on the targeted systems, a technique used to hide signs of the compromise from you. It can also detect privilege escalation on targeted systems as attackers seek “Admin” or “root” access.
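The two detection sources described in this use case, and the C&C communication alert mentioned under use case #1, combine naturally: connection records are matched against a list of known malicious hosts in both directions, host events are checked for the signs of a successful compromise named above (a security service stopped, a monitored file changed, an escalation to an administrative account), and a host that appears in both lists deserves immediate attention. The added example below (not AlienVault USM or OTX code) does exactly that over constructed flows and host events; the indicator addresses, service names, monitored paths and event field names are assumptions.

```python
"""Added example, not AlienVault USM or OTX code: match connection records
against known-malicious hosts in both directions, flag host-level compromise
indicators, and report hosts that show both. Indicators, flows and events are
constructed samples."""
import ipaddress

# constructed placeholder indicators standing in for a threat-intelligence feed
BAD_HOSTS = {"198.51.100.23", "203.0.113.66"}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # assumed internal range

# assumed names of security services whose stopping is suspicious
SECURITY_SERVICES = {"ossec-hids", "auditd", "windefend", "osqueryd"}
MONITORED_PREFIXES = ("/etc/", "C:\\Windows\\System32")  # assumed FIM scope
ADMIN_ACCOUNTS = {"root", "Administrator", "SYSTEM"}


def match_threat_intel(flows, bad_hosts=BAD_HOSTS):
    """flows: dicts {"src", "dst", "dport"}.
    Returns (internal_host, direction, bad_host) for every flow that touches
    a known malicious host, labelled inbound or outbound."""
    hits = []
    for f in flows:
        src_internal = ipaddress.ip_address(f["src"]) in INTERNAL
        if src_internal and f["dst"] in bad_hosts:
            hits.append((f["src"], "outbound", f["dst"]))   # possible C&C beacon
        elif not src_internal and f["src"] in bad_hosts:
            hits.append((f["dst"], "inbound", f["src"]))    # delivery from a bad host
    return hits


def host_compromise_indicators(events):
    """events: dicts with "host" and "type" (service_stop, file_change or
    priv_escalation) plus type-specific fields.
    Returns {host: [reasons]} for hosts showing post-compromise activity."""
    findings = {}
    for e in events:
        reason = None
        if e["type"] == "service_stop" and e.get("service") in SECURITY_SERVICES:
            reason = f"security service {e['service']} stopped"
        elif e["type"] == "file_change" and e.get("path", "").startswith(MONITORED_PREFIXES):
            reason = f"monitored file changed: {e['path']}"
        elif e["type"] == "priv_escalation" and e.get("new_user") in ADMIN_ACCOUNTS:
            reason = f"{e.get('user')} escalated to {e['new_user']}"
        if reason:
            findings.setdefault(e["host"], []).append(reason)
    return findings


def correlate(flows, events):
    """Hosts that both contacted a known-bad host and show compromise indicators."""
    network_hits = {host for host, _, _ in match_threat_intel(flows)}
    return sorted(network_hits & set(host_compromise_indicators(events)))


# constructed sample flows and host events (placeholder addresses)
SAMPLE_FLOWS = [
    {"src": "10.0.4.12", "dst": "198.51.100.23", "dport": 443},   # outbound to bad host
    {"src": "203.0.113.66", "dst": "10.0.4.20", "dport": 25},     # inbound from bad host
    {"src": "10.0.4.12", "dst": "192.0.2.10", "dport": 443},      # ordinary traffic
    {"src": "10.0.4.20", "dst": "10.0.4.12", "dport": 445},       # internal traffic
]
SAMPLE_EVENTS = [
    {"host": "10.0.4.12", "type": "service_stop", "service": "ossec-hids"},
    {"host": "10.0.4.12", "type": "priv_escalation", "user": "www-data", "new_user": "root"},
    {"host": "10.0.4.20", "type": "file_change", "path": "/tmp/build.log"},   # not monitored
    {"host": "10.0.4.30", "type": "file_change", "path": "/etc/passwd"},
    {"host": "10.0.4.30", "type": "service_stop", "service": "cups"},         # not a security service
]

if __name__ == "__main__":
    print(match_threat_intel(SAMPLE_FLOWS))
    print(host_compromise_indicators(SAMPLE_EVENTS))
    print("hosts needing immediate attention:", correlate(SAMPLE_FLOWS, SAMPLE_EVENTS))
```

Either list on its own produces candidates worth a look; the intersection is the short list, since a host that beacons to a known bad address and has just had its host IDS agent stopped is the case the text describes as an attacker hiding signs of compromise.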
SIEM Use Case Example #4 – Continuous Compliance Management
It is a challenge for organizations to achieve compliance while managing competing priorities, limited budgets, and small IT security teams with limited expertise. Regardless of which standard you are trying to meet, it is essential for you to be able to consolidate and automate your critical security controls to simplify your compliance efforts.
In this SIEM use case example, the AlienVault USM platform works as a single solution that automatically identifies audit events, generates alarms on those events that require immediate attention, and creates reports that satisfy your auditor. Regardless of which set of requirements or guidelines you’re trying to meet, AlienVault USM offers you a complete solution that builds in asset discovery, vulnerability assessment, host and network intrusion detection, file integrity monitoring (FIM) and SIEM, all in a single platform and console view.
With AlienVault USM, you can quickly get the insight you need to understand the location and compliance status of critical assets, network segmentation, vulnerabilities on those assets, access privileges to those assets, and so on. The AlienVault USM platform offers hundreds of built-in, customizable reports for documenting your PCI, ISO 27002, HIPAA or GPG 13 compliance. You can also customize these reports to satisfy any unique requirements you may have.