WHITE PAPER
When it comes to data breaches, most agree that it's not a matter of if, but when. In a recent report,
an astounding 76% of surveyed organizations admitted being victims of successful cyber attacks in
2015, up from 70 percent in 2014 and 62 percent in 2013¹.
That's why it's so essential to have the right tools in place to spot an event as soon as it happens, as
well as to be able to respond effectively to minimize damage and recover quickly.
We believe the best way to approach Incident Response is to
deploy the OODA Loop method, developed by US Air Force
military strategist John Boyd. The OODA Loop focuses on the
key essential tactics for responding to any crisis: Observe,
Orient, Decide, and Act.
In this paper, you'll read about a few specific use cases where
AlienVault technologies and services help you Observe,
Orient, Decide, and Act for effective incident response.
When observing for potential risks and impending threats, there are three essential success factors
that should guide your activity as an incident responder.
2 http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
After all, when your goal is to hunt down attacks quickly, to minimize damage and rapidly recover,
quick prioritization is the key to your success. By automating event analysis and classification,
AlienVault USM arms your security team with automated prioritization for effective incident
response.
Using policies to take different actions with certain events (e.g., bypass the SIEM function and
go straight to the logger) or to suppress them entirely (e.g., you don't care about alerts that identify the
use of Dropbox on employees' PCs)
Limiting the data a HIDS agent collects, changing the verbosity of how an asset logs, or
disabling services on a device to increase performance and/or throughput
Completely changing the USM architecture to improve performance or segregate data (such
as breaking out an All-in-One appliance into its separate components--Server, Sensor, and
Logger)
Observe: Summary
Key Takeaway #1: Observe from all angles.
How does AlienVault help? The AlienVault USM platform unifies the following distinct layers of
security monitoring telemetry to provide a full 360-degree view of your assets:
Emerging threat detection: File Integrity Monitoring and host-based and network-based IDS,
powered by IOCs from AlienVault Labs and AlienVault OTX³, alert you to emerging threats for
immediate response.
Behavioral monitoring: Netflow analysis and service availability monitoring enable you to
spot suspicious activity and collect forensic evidence with full packet capture.
Event log analysis / SIEM: Unifies and analyzes observational details across your entire
infrastructure. This includes your firewalls, servers, routers, domain controllers, cloud
workloads and more to fuel your incident response program.
Key Takeaway #2: Apply prioritization with emerging AlienVault Labs Threat Intelligence
How does AlienVault help? AlienVault USM maps each security alarm against the Cyber Kill Chain
so that security analysts understand the intent of the malicious behavior and know which incidents
to investigate first. AlienVault Labs Threat Intelligence powers this prioritization by monitoring and
analyzing the latest attacker techniques, tools, and tactics and applying this analysis to our rules
engine.
3 OTX is the world's first truly open threat intelligence community that enables collaborative defense with open access, collaborative research,
integration with AlienVault USM and OSSIM, as well as the ability to export IoCs to almost any security product. OTX enables everyone in the OTX
community to actively collaborate, strengthening their own defenses while helping others do the same. To learn more, go to
https://otx.alienvault.com
All of the information you've collected during the observation phase is essential for detecting a
security event that requires your investigation. But information alone, without any context, is not
sufficient for closed-loop incident response.
That's where the Orient phase comes in.
Contextual information is essential for orientation. All of the data in the world is useless without
having the necessary context to understand the significance of that data. For example, a system
outage in your data center could either be an innocuous event (unexpected power failure) or
something more serious (denial of service attack). Without the necessary context to orient you (for
example, an email announcement from your ISP about the outage), you can't implement an effective
response.
Investigate source of attack to determine attribution (if possible) and any additional intelligence
that can assist decision-making.
Determine scope and impact of attack based on the latest threat intelligence.
AlienVault Labs and AlienVault Open Threat Exchange (OTX) work together to monitor and analyze
the latest attacker tools and tactics, and then convert this intelligence into automated actions (e.g.
correlated rules, alarms, and tickets) within AlienVault USM so that you can effectively respond.
These tools enable you to quickly determine which assets are affected and the severity of the
activity or attack.
Here's a specific example. In your AlienVault USM demo environment⁴, you see an alarm for an
Exploitation and Installation event. In investigating further, you see that this involves an asset
that's running a vulnerable version of Java. And it may not be the only asset on the network
that's vulnerable. With AlienVault USM, you quickly review all events across all your assets to see
what other systems have this type of activity and vulnerable configuration. In addition, you've
automatically created an Asset Group based on these characteristics⁵ so that you can remediate
all of these vulnerabilities as a group, and can continue to monitor them to validate these fixes.
This dynamic watchlist provides you with the essential context for effective closed-loop incident
response.
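The watchlist from this example, as an added illustration that is not AlienVault's code: the inventory, the version numbers and the fixed-in build are constructed, and the CVE is a placeholder because the paper names none. It builds the group on the shared vulnerable characteristic and then re-checks the same group after patching to validate the fix.

```python
"""Dynamic asset group keyed on a vulnerable software version, then re-checked
after patching. Added illustration; the inventory, versions and CVE placeholder
are constructed, not AlienVault data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    ip: str
    software: Dict[str, str]  # product -> installed version string


# Constructed inventory: two hosts share the vulnerable Java build, one is
# patched, one does not run Java at all. 192.0.2.0/24 is a documentation range.
INVENTORY = [
    Asset("web01", "192.0.2.10", {"Java": "1.7.0_45", "nginx": "1.10.3"}),
    Asset("db01", "192.0.2.20", {"Java": "1.7.0_45", "postgresql": "9.5"}),
    Asset("fs01", "192.0.2.30", {"Java": "1.8.0_66"}),
    Asset("ws02", "192.0.2.40", {"LibreOffice": "5.1"}),
]
PRODUCT = "Java"
FIXED_IN = "1.7.0_51"       # constructed: first build without the flaw
CVE_ID = "CVE-XXXX-XXXX"    # placeholder; the paper names no specific CVE


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.7.0_45' -> (1, 7, 0, 45): compare numerically, not as strings."""
    return tuple(int(p) for p in v.replace("_", ".").split("."))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return parse_version(installed) < parse_version(fixed_in)


def build_asset_group(inventory: List[Asset], product: str, fixed_in: str) -> List[str]:
    """The dynamic watchlist: every asset still running a vulnerable build."""
    return sorted(a.name for a in inventory
                  if product in a.software and is_vulnerable(a.software[product], fixed_in))


def validate_remediation(inventory, group, product, fixed_in) -> List[str]:
    """Re-check only the watchlist members; return those still vulnerable."""
    by_name = {a.name: a for a in inventory}
    return [n for n in group if is_vulnerable(by_name[n].software[product], fixed_in)]


def simulate():
    """Build the group, patch one member, and validate: db01 is left behind."""
    group = build_asset_group(INVENTORY, PRODUCT, FIXED_IN)
    patched = [Asset(a.name, a.ip, {**a.software, PRODUCT: "1.8.0_66"})
               if a.name == "web01" else a for a in INVENTORY]
    return group, validate_remediation(patched, group, PRODUCT, FIXED_IN)


if __name__ == "__main__":
    group, still_open = simulate()
    print(f"{CVE_ID} watchlist: {group}; still vulnerable after patching: {still_open}")
```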
4 Our USM demo environment is available for you to play with as well. Simply point your browser to: https://www.alienvault.com/live-demo-site
for hands-on AlienVault USM action.
5 In our example, I'm using vulnerability or CVE data to automatically create an Asset Group, but you can use any characteristic or variable
that exists in our taxonomy to create an Asset Group. Examples include:
Asset value
Network
Software running on assets
Sensor that monitors assets
Device type of asset
Open ports or services running on assets
Location of assets
By viewing all events across a visual timeline, you can easily scan all of the security events and
activity across your network without having to consult multiple consoles, apps, or databases.
The simplified data visualization approach makes it easy to make quick conclusions about which
events require further investigation. In order to provide enough context yet not overwhelm your
users, who are already overworked and underappreciated, AlienVault chose to use a simplified
design for USM's event timeline. The bigger the circle, the more types of events that have occurred
within that category, and within that time frame.
Investigate source of attack to determine attribution (if possible) and any additional intelligence that
can assist decision-making.
According to cyber security expert Bruce Schneier⁶, strong attribution can lead to deterrence. It
can also provide the essential context to help detect and prevent future attacks and attackers that
may share those same motivations, tools and techniques. The tight integration between AlienVault
OTX and AlienVault USM enables our customers to use this intelligence for more reliable incident
response.
Here's an example from the trenches. In the AlienVault USM demo environment, we don't mind
a bit of poking and prodding from the ne'er-do-wells in cyberspace⁷. In fact, it helps us capture
interesting events that we can then share with our customers and partners. As you can see in this
screenshot, AlienVault OTX has identified that the source of this brute-force authentication attack⁸
has an IP address associated with a known bad actor. By clicking on the "Yes" above, you can
review additional information collected by AlienVault OTX about this particular attacker.
6 https://www.schneier.com/blog/archives/2015/03/attack
7 As an aside, you're probably not surprised to hear that a lot of consumer goods are made in China. I wouldn't call cyber attacks a consumer
good, but I can say that there are plenty that are made in China.
8 Brute-force authentication attacks are one of the most commonly used Delivery & Attack tactics. And since the SSH protocol has a history of
vulnerabilities, it's a common target.
Additionally, you can search for this particular IP address across all of your events to find any
additional activity that may have impacted additional assets.
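The brute-force alarm, its reputation context, and the pivot across all events described above, as an added example that is neither AlienVault's nor OTX's code: the sshd log lines are constructed, and a local dictionary stands in for an OTX indicator lookup.

```python
"""Brute-force alarm, reputation context, and the pivot across all events.
Added illustration, not AlienVault code: the log lines and the indicator list
are constructed, and REPUTATION stands in for an OTX pulse lookup."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set

# Constructed sshd log lines from three hosts; 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
LOG = """\
bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.77 port 51022 ssh2
bastion sshd[1201]: Failed password for invalid user oracle from 203.0.113.77 port 51023 ssh2
bastion sshd[1201]: Failed password for root from 203.0.113.77 port 51024 ssh2
bastion sshd[1201]: Failed password for root from 203.0.113.77 port 51025 ssh2
bastion sshd[1201]: Failed password for root from 203.0.113.77 port 51026 ssh2
web01 sshd[880]: Accepted publickey for deploy from 198.51.100.9 port 40010 ssh2
db01 sshd[445]: Failed password for root from 203.0.113.77 port 51100 ssh2
db01 sshd[445]: Accepted password for root from 203.0.113.77 port 51101 ssh2
"""
LINE = re.compile(r"^(?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for "
                  r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) ")

# Constructed stand-in for OTX indicator data: source IP -> pulse name
REPUTATION = {"203.0.113.77": "SSH scanners (constructed pulse)"}
THRESHOLD = 5  # failed logins from one source before we call it brute force


def parse(log: str) -> List[Dict[str, str]]:
    return [m.groupdict() for m in map(LINE.match, log.splitlines()) if m]


def bruteforce_sources(events, threshold: int = THRESHOLD) -> Set[str]:
    """Delivery & Attack stage: sources with at least `threshold` failures."""
    fails = Counter(e["src"] for e in events if e["result"] == "Failed")
    return {src for src, n in fails.items() if n >= threshold}


def pivot(events, src: str) -> Dict[str, dict]:
    """Every asset the source touched, with any successful logins called out."""
    hits = defaultdict(lambda: {"failed": 0, "accepted": []})
    for e in events:
        if e["src"] != src:
            continue
        if e["result"] == "Failed":
            hits[e["host"]]["failed"] += 1
        else:
            hits[e["host"]]["accepted"].append(e["user"])
    return dict(hits)


def investigate(log: str = LOG) -> Dict[str, dict]:
    """Alarm -> reputation context -> scope: which assets need attention."""
    events = parse(log)
    return {src: {"pulse": REPUTATION.get(src), "assets": pivot(events, src)}
            for src in bruteforce_sources(events)}


if __name__ == "__main__":
    for src, detail in investigate().items():
        print(src, detail["pulse"] or "no OTX match", detail["assets"])
```

The accepted root login on db01 is the finding that matters: the same source that was only noisy against the bastion got in elsewhere.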
ORIENT: Summary
Key takeaway #1: Determine scope and impact of attack using the latest threat intelligence.
How does AlienVault help? AlienVault Labs Threat Intelligence orients USM customers by identifying
the latest threats, resulting in the broadest view of threat vectors, attacker techniques and effective
defenses. AlienVault OTX widens the threat context by using crowd-sourced and community-verified
threat intelligence on the latest attacks. Together, AlienVault Labs and AlienVault OTX
convert this intelligence into action within the USM platform.
Key takeaway #2: Review the event in the context of other activity on the network to establish a timeline.
How does AlienVault help? AlienVault USM provides a unified timeline for all events to easily make
connections between and among disparate but related events. The simplified design and user-friendly
event viewer make it easy to see events within a contextual timeline to assist in effective
decision-making.
Key takeaway #3: Investigate source of attack to determine attribution (if possible) and any additional
intelligence that can assist decision-making.
How does AlienVault help? Working with other cyber security industry leaders like Kaspersky on
projects like Operation Blockbuster⁹, AlienVault Labs works tirelessly to uncover and analyze details
on attack campaigns for reliable attribution. Community-driven initiatives, like AlienVault OTX and
OTX pulses (collections of IoCs generated by the OTX community) enable defenders to describe
and submit any type of online threat, including malware, fraud campaigns, and even state-sponsored
hacking. These discoveries are tightly integrated into AlienVault USM in the form of correlated
directives for automated event analysis and more informed incident response.
The first two stages in the OODA loop, Observe and Orient, are all about security monitoring
essentials: gathering as much data as possible and then placing it in the context of local and global
risk so that you can make the best decision possible.
9 For more information on Operation BlockBuster, take a look at AlienVault Labs' Jaime Blasco's blog article: "Operation BlockBuster unveils
the actors behind the Sony attacks."
These first two phases benefit from using automated tools for data collection and analysis, but
deciding what to do based on this intelligence unfortunately can't be outsourced to non-humans. At
least not yet.
That said, AlienVault Labs, AlienVault USM and AlienVault OTX provide as much guidance as
possible for the best possible decision and outcome.
The key incident response goals for the Decide phase include the following:
Determine the immediate next steps in responding to the incident.
Review asset owner information and any relevant instructions associated with the asset.
Document all remediation tactics planned for the affected assets.
Review asset owner information and any relevant instructions associated with the asset.
When you're an incident responder, the more you know about the assets on your network, the better
you'll be at investigating incidents that involve them. This is true especially of the servers in your
environment.
It's often not clear who owns an asset, how it's configured, or what software is installed, despite
checking a variety of management tools, spreadsheets, and other docs. With AlienVault USM,
you can document and review who owns an asset and what to do and whom to contact in the event of
an incident, as well as rich data on the vulnerabilities that exist, the software that's installed and
running, and any recent changes to critical files.
Additionally, you can monitor, review, and share trouble ticket resolution statistics on the AlienVault
USM dashboard. All of which contributes to effective decision-making and process improvement.
DECIDE: Summary
Key takeaway #1: Determine the immediate next steps in responding to the incident.
How does AlienVault help?
AlienVault USM integrates emerging threat intelligence with operational guidance written by
AlienVault Labs researchers that are customized for each alarm, so you can make better decisions in
the heat of the moment.
Key takeaway #2: Review asset owner information and any relevant instructions associated with the
asset.
How does AlienVault help?
AlienVault USM's rich Asset Inventory capability allows IT admins to document specifics about each
asset to instruct responders about what to do in case of an incident.
Key takeaway #3: Document all remediation tactics planned for the affected assets.
How does AlienVault help?
AlienVault USM enables IT admins to automate remediation activity by immediately creating a
trouble ticket associated with alarms that require attention.
By now, we've walked you through each of the first three phases of an effective incident response
plan. We've shown how AlienVault USM, AlienVault Labs, and AlienVault OTX provide the foundation
you need to OBSERVE, ORIENT, and DECIDE how to respond to incidents.
Now it's time to ACT.
But first: in the previous section, we talked about the need to decide whether your IR team should
focus on preserving evidence (in order to prosecute a data breach) vs. recovering quickly (and
potentially losing transient forensic artifacts). This decision is far beyond the scope of this paper, and
it's an important one. In the meantime, if you're interested in preserving data for further investigation,
SIFT (SANS Investigative Forensics Toolkit) is a collection of various open source tools that can
assist you in performing forensic analysis tasks.¹⁰
For the purposes of this paper, we wanted to focus on recovery and remediation, as well as the
specific ways that AlienVault helps you achieve these essential incident response goals within the
Act phase:
Quickly implement remediation on all affected assets and verify that remediation has been
implemented properly.
Review and update security awareness training programs or security policies as appropriate.
Review (and potentially reconfigure) security monitoring controls based on lessons learned from
the incident.
Quickly implement remediation on all affected assets and verify that remediation has been
implemented properly.
10 An international team of forensics experts, led by SANS Faculty Fellow Rob Lee, created the SANS Incident Forensic Toolkit (SIFT)
Workstation for incident response and digital forensics use and made it available to the whole community as a public service. Check it out at:
http://digital-forensics.sans.org/community/downloads#overview
It's difficult to cover all of the possible remediation activities that you may need to implement, since they
will largely depend on the specific threat, impact, targeted assets, and scope. That said, chances are
that they will include activities such as:
Review and update security awareness training programs or security policies as appropriate.
Every security incident investigation provides you with the opportunity to assess how well your
security program is working (in terms of both security awareness and security policies and
procedures). We're not suggesting that users are to be blamed for every security incident. Instead,
the more vigilant your users can be about cyber security, the more likely that the risk of incidents will
decrease (in terms of frequency as well as impact).
A good first step is establishing effective user activity monitoring, so that you get a baseline for
expected user behavior. AlienVault USM provides detailed user activity reporting, across all the
assets in your environment so that you can verify that security policies are being followed, and
any violations are documented and investigated. In addition, you can set up AlienVault USM to
run reports at regularly scheduled intervals (the screenshot below captures just a few of the many
reporting options for monitoring user activity).
Review (and potentially reconfigure) security monitoring controls based on lessons learned from the
incident.
Once you've completed and verified all necessary remediation steps (and this goes for patching
systems as well as tweaking security policies), it's time to do a critical analysis of the entire
incident for essential lessons learned. Ask yourself and your team:
ACT: Summary
Key takeaway #1: Quickly implement remediation on all affected assets and verify that remediation has
been done properly.
How does AlienVault help?
AlienVault USM's integrated Vulnerability Assessment checks for software weaknesses or
misconfigurations that could expose systems to increased risk. AlienVault USM's Asset Inventory
capability gives you granular data about your assets, including all installed software so you can
verify that the necessary patches have been installed or that specific services have been disabled.
Key takeaway #2: Review and update security awareness training programs or security policies as
appropriate.
How does AlienVault help?
AlienVault USM provides detailed user activity monitoring reports so that you can measure security
awareness and policy compliance over time.
Key takeaway #3: Review (and potentially reconfigure) security monitoring controls based on lessons
learned from the incident.
How does AlienVault help?
The AlienVault USM platform makes it easy to fine-tune each security monitoring capability based
specifically on what you glean from a post-mortem analysis.
Summary
AlienVault USM, AlienVault Labs, and AlienVault OTX provide the foundation you need for effective
incident response. From Observing and Orienting to Deciding and Acting, AlienVault is your partner
in detecting and responding to the latest threats. Thanks to our all-in-one approach to security
monitoring, you and your fellow incident responders will have more time to spend on active threat
hunting and less time on managing individual point products.
Learn more about the AlienVault Unified Security Management (USM) Platform
See the 90-second demo
Start detecting threats with a 30-day trial of AlienVault USM
Join the Open Threat Exchange (OTX)
2016 AlienVault. All rights reserved. AlienVault and the AlienVault logo are trademarks or registered trademarks of AlienVault.
All other names and trademarks are for identification purposes and are the property of their respective owners.