Learning AlienVault

aliens jd hancock
flickr / JD Hancock (Creative Commons BY or BY-SA)

AlienVault. No, it's not a new online game, it's a SIEM and a very impressive one at that. After attending a week long class on this tool – which has been placed in the “visionary” quadrant for SIEM for the third year in a row by the esteemed folks at Gartner, I have a clearer view of how SIEM products work and how this one in particular can be positioned to detect and report on significant threats.

The acronym, SIEM, stands for “security information and event management”. The power behind these security tools is that they collect and correlate information from numerous sources -- syslog files, alerts, the results of vulnerability scans, etc. -- to get the big picture of what's happening on your network with respect to security. Think of it this way. Suspicious occurrences on one system might not worry you much. Suspicious occurrences on dozens of systems might get your attention. Suspicious occurrences on dozens of sensitive servers will likely get you and your security teammates sprinting into action. This tool can help ensure that you know the difference.

If you look at things that happen on your network as single events, it's hard to pick out those that are significant from those that represent the normal range of activities on a network -- harder still if you get thousands of such alerts or tens of thousands of log entries. But if you can view a possible incident by connecting a series of events occurring on one system, several systems, or many systems, you might get an entirely different perspective on what's happening. That’s where the power of SIEM tools pays off.

One of the features of AlienVault that I learned about in class and that appealed to me greatly is its ability to rank systems. You can easily tell the tool which of your systems or subnets are the ones you really care about – the systems housing your most sensitive data, your “secret sauce”. The values you assign to these systems make it more likely that anything that happens on them that could indicate a security compromise will be brought quickly to your attention.

I was also impressed by the very flexible way that AlienVault could be configured for just about any organization – both in terms of size and distribution. Where do you put your sensors, your servers, and your loggers? Are you a candidate for an all-in-one (a single device that handles all three functions) or would a configuration with multiple devices installed at a number of different sites suit you better?

The various appliances that comprise an AlienVault installation include:

  • Sensors – deployed throughout your organization, these systems do the log collection and event detection
  • Servers – these systems correlate the information provided to them by the sensors and support the management interface and reporting tools
  • Loggers – these systems store raw event data in long-term archives for possible forensic investigations or compliance requirements

There’s also OTX – the Open Threat Exchange – that provides a way for you to take advantage of insights provided by many other organizations to help your installation identify threats that you might not otherwise be able to recognize as hostile. I found the tool’s dashboard both easy to use and customize. Of course, being a Unix devotee, I also appreciated the Linux platform that it runs on, though it was clear that any need for the command line is quickly dissipating and most people who use AlienVault may never find themselves anywhere in the vicinity of bash. The product includes numerous discernable capabilities including:

  • asset discovery
  • vulnerability assessment
  • threat detection
  • behavioral monitoring
  • security intelligence

I was also impressed that the price tag is not likely to scare anyone off. AlienVault seems positioned to fit into everything from fairly small companies to complex, large ones with potentially different needs.

OSSIM, the open source SIEM product, is AlienVault’s free tool and you can also get a free 30-day trial if you’d like a test drive the real deal.

The instructor who taught the class that I took was truly excellent -- an engineer who has worked with the product for many years and who provided the kind of insight that customers will need to help ensure that their installations are likely to be very effective. He was able to share his knowledge of what to watch out for, what works really well and not so well, how to ensure that you spot the important indicators, and how to avoid being overwhelmed with alerts. While I found the class to be quite intense and wished that I might have had a day in between each day of class to review what was covered and let it sink in a bit more, the class worked well and walked me through the important stages of setting up and administering an effective AlienVault system. The class provided enough lab time for me to get comfortable with moving around the interface and making modest changes – at least enough that I could see how easily these changes could be made. And I went home with some electronic documents to help jog my memory if I forget how various aspects of the system work.

The class lasted for 4.5 days, followed by a 40 question test. The test required a score of 25/40 to pass and be certified as an “AlienVault Certified Security Analyst” (ACSA) and an “AlienVault Certified Security Engineer” (ACSE) – something nice to hang on your office wall!

All in all, I was impressed with both the capabilities of the tool and its flexibility and think the class was invaluable for anyone who is deploying or thinking about deploying this technology.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.