Introduction to USM Appliance
This guide provides information for users of the
AlienVault USM Appliance system who are responsible for monitoring
network security and for identifying and addressing security threats in
their environment. The guide also describes operations provided by the
USM Appliance web UI, which is used to perform most USM Appliance
network security tasks after the initial USM Appliance system
deployment.
Topics covered in this guide include the following:
- Introduction — this section, which includes the following topics:
  - Prerequisites and Requirements — target audience, recommended skills and background, and supported browsers for using the USM Appliance web user interface to perform network security operations.
  - USM Appliance Network Security Concepts and Terminology — description of key terms such as assets, threats, and vulnerabilities, and how USM Appliance calculates risk for specific assets.
  - About USM Appliance Components — the high-level description of key USM Appliance components: USM Appliance Server, USM Appliance Sensor, and USM Appliance Logger
Prerequisites and Requirements
The information in this guide is primarily intended for security
engineers, security analysts and operators, IT managers and
professionals, and system administrators who use USM Appliance to provide
network security within their own organization’s environment. Users
must also have knowledge of their organization’s network infrastructure
and the networking technologies they use. Recommended skills for users
include the following:
- Basic TCP/IP networking knowledge and skills, including IP addressing, DNS, switching, and routing.
- Basic familiarity with IT security concepts and associated skills, including threats, vulnerabilities
Information provided in this guide assumes a customer has completed the
installation and configuration of AlienVault USM Appliance as described
in the Initial Setup section of the USM Appliance Deployment Guide. In
addition, users of this guide need the appropriate credentials to access
USM Appliance, a web browser (to access the USM Appliance web UI
through HTTPS), and SSH access (for operations performed from the
USM Appliance command line). USM Appliance supports the following
browsers
USM Appliance Network Security Concepts and Terminology
When working with USM Appliance and using the USM Appliance web UI to
perform network security operations, it is important to understand a few
basic USM Appliance network security concepts.
Assets
First, a key tenet of the USM Appliance system is that it monitors
assets. Assets are all devices in an enterprise that have some value to
the enterprise and, generally, that it is possible to monitor or gather
information about, such as their status, health or availability,
configuration, activity, and events. The value comprises either the cost
of the device itself or the value of the data that is stored on the
device or travels through the device.
- An asset is defined as a unique IP address.
- Assets are organized into networks based on IP addressing.
- Networks are organized into locations or regions, based on their geographical location.
Typically, at least one USM Appliance Sensor is used to monitor one
geographically self-contained location. If several locations are used by
an enterprise, each location is monitored with at least one
USM Appliance Sensor, which sends information to the USM Appliance
Server about assets that are in the same location. Plugins are used in
the USM Appliance Sensor to extract and normalize data from different
data sources into standard-format events. USM Appliance provides a wide
assortment of plugins that can be used to collect events for most
commonly encountered data sources. You can enable up to 10 plugins per
asset and up to 100 plugins per USM Appliance Sensor.
Risk
Another important concept to understand is risk. In most
organizations, priorities for network security operations are determined
primarily by risk, that is, factors such as the value of assets, the
potential damage that particular threats pose to assets and the
vulnerabilities those assets have to threats, and the likelihood that
actual attacks will be carried out. In USM Appliance, risk values are
calculated for each raw event received from the USM Appliance Sensor as
well as for additional security events generated as a result of
correlation or cross-correlation of multiple events. USM Appliance
generates an alarm for any event that has a calculated risk value
greater than or equal to 1. The formula that USM Appliance uses to
calculate risk for individual events is the following:

    Calculated Risk Value = (Asset Value * Event Priority * Event Reliability) / 25

In this formula, Asset Value is the value (0 to 5) that your organization
assigns to a specific asset that is connected to an event. Event
Priority is a priority ranking (0 to 5) that is based on the event type,
such as authentication failure, web attack, or denial of service, which
indicates the urgency with which an event should be investigated.
(AlienVault provides an event taxonomy to classify various events by
category and subcategory. See USM Appliance Event Taxonomy, on page
137.) Event Reliability is a reliability ranking (0 to 10) that
specifies the likelihood that an event is a real attack or a
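The risk formula and the alarm threshold above, applied to a few constructed events so the effect of each factor is visible. This is an added example, not code from the AlienVault guide or the USM Appliance product; the event names and values are made up, and only the value ranges, the divisor of 25 and the alarm threshold of 1 come from the text.

```python
# Added example: USM Appliance per-event risk formula and alarm threshold.
# Value ranges, the /25 divisor and the >= 1 alarm rule are as stated in the
# guide; the sample events below are constructed, not real USM data.

ALARM_THRESHOLD = 1.0


def calculated_risk(asset_value: int, priority: int, reliability: int) -> float:
    """Return (Asset Value * Event Priority * Event Reliability) / 25.

    Asset Value and Event Priority range 0-5, Event Reliability 0-10,
    so the result is bounded to 0..10. Out-of-range inputs are rejected
    rather than silently producing a misleading score.
    """
    if not 0 <= asset_value <= 5:
        raise ValueError(f"asset value out of range: {asset_value}")
    if not 0 <= priority <= 5:
        raise ValueError(f"event priority out of range: {priority}")
    if not 0 <= reliability <= 10:
        raise ValueError(f"event reliability out of range: {reliability}")
    return (asset_value * priority * reliability) / 25


def generates_alarm(risk: float) -> bool:
    """USM Appliance raises an alarm when the calculated risk is >= 1."""
    return risk >= ALARM_THRESHOLD


def triage(events):
    """Score (name, asset_value, priority, reliability) tuples and return
    them highest-risk first, with the alarm decision attached."""
    scored = []
    for name, asset_value, priority, reliability in events:
        risk = calculated_risk(asset_value, priority, reliability)
        scored.append((name, risk, generates_alarm(risk)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample events (hypothetical values, not from the guide).
SAMPLE_EVENTS = [
    ("auth failure on low-value test host", 1, 2, 3),  # 6/25   = 0.24
    ("web attack on customer DB server", 5, 4, 8),     # 160/25 = 6.4
    ("port scan against workstation", 2, 3, 4),        # 24/25  = 0.96, just under 1
    ("DoS against internal file server", 3, 2, 5),     # 30/25  = 1.2
]

if __name__ == "__main__":
    for name, risk, alarm in triage(SAMPLE_EVENTS):
        print(f"{risk:5.2f}  {'ALARM' if alarm else '-----'}  {name}")
```

Note the third sample: a moderately reliable event against a low-value asset scores just under 1 and produces no alarm, which is why asset valuation matters as much as the plugin's reliability ranking.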
Threats
About USM Appliance Components
AlienVault USM Appliance has three core components:
- USM Appliance Sensor — deployed throughout your network to collect events from various devices on the network.
- USM Appliance Server — aggregates and correlates information gathered by the USM Appliance Sensors, and provides single-pane-of-glass management, reporting, and administration.
- USM Appliance Logger — securely archives raw even
The USM Appliance Sensor collects raw log data and other information
from various network devices, host servers, and applications, normalizes
the data into a standard event format, and sends the events on to the
USM Appliance Server. Customers can choose from over 200 sensor plugins
to process raw log files and other information from different network
devices that might be deployed in a customer’s network environment. Once
events have reached the USM Appliance Server, you can use the
USM Appliance web UI to view and analyze events, establish policy and
correlation rules, investigate and address alarms, and perform other
network security operations.
About USM Appliance Network Security Capabilities
USM Appliance is designed primarily to help mid-size organizations
effectively defend themselves against today’s advanced threats. The
USM Appliance platform provides five essential security capabilities in a
single console, giving you everything you need to manage both
compliance and threat
The USM Appliance Web User Interface
The USM Appliance web user interface (or web UI) provides access to all
the tools and capabilities that USM Appliance makes available for
managing the security of your organization’s network, its computers, and
the other devices in the network. From the USM Appliance web UI, you can
view all essential information about network devices, applications, user
activity, and network traffic in your environment. As you monitor
information coming in from devices, you can go about defining and
refining policies and correlation directives to fine-tune the behaviour
of your USM Appliance system to alert you of potential security issues
and vulnerabilities. The USM Appliance web UI runs in a standard web
browser. Your system administrator can provide the web URL address and
credentials to log in and access the features and functions appropriate
to your role in your organization’s security operation. When you first
log in, the USM Appliance web UI displays the Executive Dashboard