Summary
On a weekly basis we encounter existing Alien Vault deployments marginally and key features are not being leveraged. This paper is meant to highlight that key features within Alien Vault that can quickly and easily be enabled. These features are a core part of our deployment checklist for Alien Vault and must haves for every deployment to extract maximum value out of the solution.
Vulnerability Scanning
Despite being a cornerstone for the Alien Vault platform most clients don’t enable credential based (more extensive) scans. This can be configured easily and major value realized within hours. An essential part of a security program is to understand what vulnerabilities you have on the network and be able to operationalize and update those systems. Patched and updated systems are far less likely to be exploited and the first step is to identifying the systems requiring the updates. Many customers even have Tenable as well as Alien Vault. Why?
Dark Web enablement Dark Web scanning is via an Alien App powered by the Spy Cloud service. It alerts you when there is a direct hit for your credentials using @yourdomain accounts, includes information on whether the password was posted as well as allowing up to 10 personal email id’s for monitoring. This provides immediate value on day 1 to identify possibly compromised user accounts that need to be investigated. We use this tool in the SOC consistently to correlate against login events, locations of those events, failed logins and brute force attackers. Turn this feature on straight away!
Asset Discovery & Classification
A quick and easy value added feature is to sweep your network segments to identify devices on your network(s). Performing asset discovery allows you to take inventory of assets on the network, discovery rogue devices and it helps your security team classify those assets. Classifying the assets becomes critical when investigation potentially anomalous events. Understand what the device is, its functional role and having context around what is normal usage goes a long way when determining if it is expected behavior or not.
Filtering Rules
Enabling filtering rules is an essential component of setting up the system. Filtering log data that is not essential, required for compliance or essential for investigation allows you to store less data, potentially reducing your Alien Vault costs as well as reducing additional noise from potential alarms that would be generated that are false positives and not essential. Filtering specific events and behaviors that are known should be done within the first 30 days of deployment.
Help Desk Integration For Alarms
Integrating alarm notifications once the solution is properly tuned is an essential piece for staying aware of the events that are happening as they happen. We highly recommend integrating with the Slack app to stay up to the minute on what Is happening with your deployment. Once the system is tuned and only meaningful alarms are being generated, it is recommended alarms are sent to the ticketing system for event tracking and proper diligence.
Compliance Reporting Enablement
Asset Classification Without classifying your assets as HIPAA, PCI, NIST assets etc.. the nifty compliance template reports will not populate any data, will not give your auditor what they need to see and will not help you achieve compliance. In-scope assets must be properly classified or the compliance correlation and reporting will not work. Simple fix, high value on this configuration step!
AlienApp Enablement
This is our favorite part of the deployment. Did you know you could be automating remediation actions right now? Alien Vault continues to publish direct integrations with major vendors to allow for easily ingesting event data as well as being able to take action by creating tickets, quarantining endpoints, shutting machines down, blocking IP’s at the firewall and much more. As of this writing there are 17 AlienApps available for integration. More information can be found here: https://www.alienvault.com/products/alienapps .
