ALIENVAULT USM FOR AWS SOLUTION GUIDE
Summary

AlienVault Unified Security Management (USM) for AWS is a unified security platform providing threat detection, incident response, and compliance management for AWS environments. It is an AWS-native security solution for securing your ever-changing AWS environment against an evolving threat landscape:

- Scalable, centrally managed collection of essential security capabilities that identify suspicious or malicious behavior
- Built for the Amazon Shared-Responsibility security model, maximizing visibility of potential threats and making it easy to use built-in AWS security features like CloudTrail and Security Groups
- Threat intelligence from the AlienVault Labs Threat Research team maximizes the effectiveness of your security monitoring program and provides a global view of emerging threats
- Purpose-built for the unique resource-allocation and scalability requirements of the cloud environment, and satisfies rigorous monitoring and reporting requirements

The USM for AWS platform includes all of the essential security capabilities you need to quickly identify and respond to malicious behavior and unsecure configurations in a single application, including:

- Asset discovery: API-powered Asset Discovery
- Vulnerability assessment: AWS infrastructure assessment; Authenticated Vulnerability Assessment
- Intrusion Detection: Behavioral Monitoring
- Log management (elastically scalable and searchable): including S3 and ELB access log monitoring and alerting
- SIEM: CloudTrail monitoring and alerting; Event correlation

USM for AWS is an AWS-native solution that accelerates and simplifies threat detection and response, on day one.

AlienVault USM for AWS also helps you meet compliance requirements, including PCI DSS, HIPAA, FISMA, GLBA and ISO 27002. It is highly customized for operation in the AWS environment and integrates with the Amazon API to provide immediate visibility and threat detection.

The Migration to Public Cloud Computing

Organizations large and small are adopting cloud services. According to Spiceworks [1], 65% of organizations in North America and 56% in EMEA have already adopted cloud services. The adoption rate ranges between 68% for organizations with fewer than 19 employees and 53% for organizations with 500 or more employees. The services these organizations have adopted include web hosting, email hosting, productivity (including file sharing and online collaboration), application hosting, and backup/recovery.

The implication of this migration to the cloud is that a significant portion of your organization's data is likely already in the cloud, or will be on its way shortly, and you need to ensure its security.

Shared Responsibility for Security

The Amazon environment offers significant advantages for many organizations with its innovative technology model. However, one aspect of this innovation that can present unanticipated challenges is its Shared Responsibility security model. As stated on the AWS security portal [2], "You must secure anything you put on the infrastructure or connect to the infrastructure." That means that if you rely on AWS, you need to evaluate the configuration of your network access and security controls regularly. Otherwise, you could inadvertently deploy insecure configurations, putting your instances and assets at risk.

[1] Spiceworks State of IT Report 2014
[2] http://aws.amazon.com/security/
Targeting AWS Accounts

AWS accounts are being targeted today by attackers who take advantage of the complete control AWS APIs provide and the lack of visibility most IT teams have over their AWS environments. Two common attacks are:

- Theft of compute power from compromised accounts for purposes like Bitcoin mining
- Use of compromised accounts to store data exfiltrated from other victims (such as credit card information, electronic health records, or pornography)

In addition to identifying malicious behavior directed towards your AWS resources, you also need to identify usage of AWS resources for shadow IT purposes. These unauthorized instances could be hosting applications and/or sensitive data while bypassing traditional IT controls, leaving your organization exposed to data breach. The bottom line: you need to ensure your AWS environment is secure.

Unified Security Management for AWS

The AlienVault Unified Security Management (USM) for AWS platform provides you with the security awareness and threat intelligence that you need to be able to detect and respond to threats, and to manage compliance in your AWS environments. USM for AWS gives you visibility into:

- The state of your AWS infrastructure
- What assets are in your environment
- Assets that are misconfigured or vulnerable to exploits
- Who is using your resources and how they are using them
- Malicious activity targeting your environment

Concerned About Account Credential Compromise?

The single-platform architecture of USM for AWS delivers the power and effectiveness of integrated security technologies to address common threats like compromised accounts. Key features include:

- Detect anomalous user activity: Correlate all log data to detect unusual behaviors and alert on possible credential compromise
- Brute-force permission enumeration: Identify attempts to use brute-force techniques to elevate permissions to compromise instances
- Launch of new server types: Alert on the launch of new server types, regardless of the instance, to ensure all new servers comply with policies

USM for AWS is a completely AWS-contained security solution. Unlike hosted security services, we designed USM for AWS specifically to allow you to manage it yourself and have complete control of your data. It runs completely in your AWS environment and your data never leaves your control.

USM for AWS is purpose-built to enable you to secure your AWS environment with these essential features:

Elastic Scalability - Scale your threat detection and response capabilities horizontally as your environment changes, to deploy exactly what you need, when you need it:
- Preconfigured CloudFormation templates simplify provisioning, allowing you to replicate the services you need as your environment scales
- Priced for elastic environments - You can purchase USM for AWS to match your specific requirements as your deployment changes over time, to give you maximum flexibility and avoid paying for security you don't use
Automated Asset Discovery - Manage your security the way you manage your infrastructure by automatically maintaining an inventory of running instances:
- Enhance your internal governance capabilities and detect any unauthorized instances, applications, or data
- Satisfies Amazon scanning policies, eliminating the need for pre-approval by Amazon in EC2 and VPC and allowing you to update your inventory as needed
- Map all security data back to Amazon instance IDs for real cloud forensics and complete visibility

Vulnerability Assessment - Secure, low-overhead, authenticated scanning allows you to stay current with any changes in your environment:
- Assess your infrastructure to understand your exposure and prioritize your risks regardless of the number of instances
- Satisfies Amazon scanning policies, eliminating the need for pre-approval by Amazon in EC2 and VPC

CloudTrail Monitoring & Alerting - Perform automated event correlation and alerting on data from the CloudTrail service, enabling you to correlate thousands of events each week and eliminate manual data analysis to detect behavioral changes, including:
- Suspicious instance creation
- New user creation
- Security group modification

Log Management - Provides complete log management for compliance with PCI-DSS, HIPAA, FISMA, FedRAMP, ISO 27002, NERC-CIP, or GLBA requirements:
- Send your logs to the USM instance with syslog, or use S3 or Amazon CloudWatch Logs to gather your data for forensic storage and correlation
- USM for AWS provides secure collection and retention of both raw log data and normalized logs to preserve the chain of custody

S3 Access Log Monitoring and Alerting - Automatically analyzes any S3 (Simple Storage Service) access logs of hosted content and material being tracked in your environment:
- Provides analytics and identifies and alerts on abuse patterns

ELB Access Log Monitoring and Alerting - Automatically analyzes any ELB (Elastic Load Balancer) access logs being created in your environment for granular insight into data directed at your instances:
- Provides analytics and identifies and alerts on abuse patterns

Event Correlation - Full-featured correlation engine that provides the ability to analyze the operational logs from your AWS environment:
- The AlienVault Labs team of threat researchers has created correlation rules to generate targeted alarms complete with remediation advice
- End-users and MSSPs can also extend the system to alert on abuse patterns in applications or infrastructure
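The CloudTrail alert categories listed above (new user creation, security group modification, suspicious instance creation) and the brute-force permission enumeration check from the credential-compromise section can be expressed as simple rules over CloudTrail records. The following is an added illustration, not AlienVault's correlation rules; the records are constructed samples, and the approved instance-type list and the denied-call threshold are assumed policy values.

```python
from collections import Counter

# Constructed CloudTrail-style records (not real account data). Only the
# fields the rules below inspect are included.
SAMPLE_EVENTS = [
    {"eventTime": "2015-03-01T10:00:01Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser", "userIdentity": {"userName": "alice"},
     "requestParameters": {"userName": "backup-svc"}},
    {"eventTime": "2015-03-01T10:00:05Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"userName": "alice"},
     "requestParameters": {"groupId": "sg-example"}},
    {"eventTime": "2015-03-01T10:01:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "userIdentity": {"userName": "bob"},
     "requestParameters": {"instanceType": "c3.8xlarge"}},
] + [
    # A burst of denied IAM calls from one user: the enumeration pattern.
    {"eventTime": f"2015-03-01T10:02:{i:02d}Z", "eventSource": "iam.amazonaws.com",
     "eventName": n, "userIdentity": {"userName": "mallory"},
     "errorCode": "AccessDenied"}
    for i, n in enumerate(["ListUsers", "ListRoles", "CreateAccessKey",
                           "AttachUserPolicy", "PutUserPolicy", "ListPolicies"])
]

APPROVED_INSTANCE_TYPES = {"t2.micro", "t2.small", "m3.medium"}  # assumed policy
SG_CHANGE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                    "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                    "CreateSecurityGroup", "DeleteSecurityGroup"}
DENIED_THRESHOLD = 5  # assumed: distinct denied API calls per user before alerting

def analyze(events):
    """Return (alert_name, user, detail) tuples for the given CloudTrail records."""
    alerts = []
    denied = {}  # user -> set of distinct eventNames that were AccessDenied
    for e in events:
        user = e.get("userIdentity", {}).get("userName", "unknown")
        name = e["eventName"]
        params = e.get("requestParameters") or {}
        if name == "CreateUser":
            alerts.append(("new_user_created", user, params.get("userName")))
        elif name in SG_CHANGE_EVENTS:
            alerts.append(("security_group_modified", user, params.get("groupId")))
        elif name == "RunInstances" and params.get("instanceType") not in APPROVED_INSTANCE_TYPES:
            alerts.append(("unapproved_instance_type", user, params.get("instanceType")))
        if e.get("errorCode") == "AccessDenied":
            denied.setdefault(user, set()).add(name)
    for user, names in denied.items():  # emitted after the pass so the count is final
        if len(names) >= DENIED_THRESHOLD:
            alerts.append(("permission_enumeration", user, sorted(names)))
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert)
```

Real deployments would read the gzipped JSON objects CloudTrail writes to S3 and key the enumeration counter on a time window rather than the whole batch.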
Integrated Threat Intelligence

To give our customers the very best threat detection and response capabilities, our products are powered by expert threat intelligence. The AlienVault Labs Threat Research Team generates novel research on high-profile threats and emerging trends in the threat landscape. The AlienVault Labs team derives a significant amount of data from the security community, working with public research institutions, government organizations, and private companies and partners to share and analyze threat data.

We supplement the AlienVault Labs research with data from our Open Threat Exchange (OTX). OTX is the largest and most authoritative crowd-sourced threat intelligence exchange in the universe, providing security for you that is powered by all. Every day, more than 26,000 participants from 140+ countries contribute over 1 million threat indicators to OTX. We automatically analyze raw OTX data through a powerful discovery engine that is able to granularly analyze the nature of the threat, and a similarly powerful validation engine that continually curates the database and certifies the validity of those threats.

Deploying USM for Amazon Web Services (AWS)

AlienVault's USM for AWS architecture consists of a modular, scalable, two-tier architecture: Sensor Nodes (data collectors) and Control Nodes (centralized management and storage).

- Deploy both the Sensor Node and Control Node on a single AMI in a simple deployment
- For more complex deployments you can deploy more than one Sensor Node to collect data from your environment, managed by a Control Node
Summary

Moving to the AWS environment can provide your organization with a wide range of benefits, including scalability, reliability, and lower TCO. However, to take advantage of the benefits of the AWS model while securing your applications and data, it's essential that you deploy an AWS-native solution to be able to effectively manage access and configuration. AlienVault USM for AWS is purpose-built for the AWS environment to provide Asset Discovery, AWS Infrastructure Assessment, Vulnerability Assessment, CloudTrail Monitoring and Alerting, S3 and ELB Access Log Monitoring and Alerting, Log Management, and Event Correlation. It is designed to address the security and configuration challenges you experience when trying to secure your elastic AWS environment. Threat intelligence from the AlienVault Labs Threat Research team maximizes the effectiveness of your security monitoring program and provides a global view of emerging threats.

About AlienVault

AlienVault is the champion of mid-size organizations that lack sufficient staff, security expertise, technology or budget to defend against modern threats. Our Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility, and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by the latest AlienVault Labs Threat Intelligence and the Open Threat Exchange (the world's largest crowd-sourced threat intelligence exchange), AlienVault USM delivers a unified, simple and affordable solution for threat detection and compliance management. AlienVault is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield & Byers, GGV Capital, Intel Capital, Sigma West, Adara Venture Partners, Top Tier Capital and Correlation Ventures. For more information visit www.alienvault.com or follow us on Twitter (@AlienVault).