AlienVault v4.0 What is New?
There have been a lot of changes at AlienVault lately, but one thing has remained the same: the engineering team is delivering a great product! AlienVault Unified Security Management v4.0 is a huge step forward for the AlienVault USM products. Within a year of the 3.0 launch, another major effort has been completed to bring AlienVault and OSSIM users a more complete solution with improved scalability, performance, and greatly simplified management.
I hope you all enjoy the improvements.
- AlienVault Center - reduces the effort required for configuring a large AlienVault deployment. AlienVault Center is an easy-to-use web interface with full configuration capabilities for all AlienVault components. Centrally perform system updates, configure network interfaces, monitor system status and configure log collection.
- Dynamic Asset Inventory - enhanced forensic visibility in dynamic environments. The new dynamic asset inventory provides deep historical insight into the state of a host even as the configuration of that asset changes, dramatically improving the capabilities of an incident response team. Full historical records for the asset are made available, including details such as what services were running, what users were authenticated and how the network interfaces were configured.
- Enhanced Event Processing and Storage - improved algorithms for processing and storing events increase throughput and allow a longer window of events to be retained for forensic investigation. Users will see a 2-3x improvement in event throughput and up to a 5x increase in the time window for event storage.
- More than 200 Enhancements - continuing to improve the user experience, there are over 200 enhancements and minor features throughout the product.
AlienVault Center provides centralized management and configuration of all AlienVault components. Through the web interface built into the SIEM, AlienVault Center allows users to update and manage the configuration of any connected AlienVault Sensor.
(OSSIM NOTE: Web interface is available for OSSIM users but only for local configuration, remote component management is only in the commercial version)
Remotely Configure & Update AlienVault Sensors
- Configure Data Plugins – remotely configure the sensor to receive and parse log files from external devices.
- Update AlienVault Threat Intelligence for Sensors – remotely update the sensor with the latest AlienVault Threat Intelligence including the latest IDS rules from Emerging Threats Pro.
- Update AlienVault software – remotely apply the latest patches from AlienVault
Remotely configure AlienVault Sensor
- Firewall – remotely manage the firewall settings.
- Network Interfaces – remotely configure the network interfaces installed on the machine, including which interfaces are used to monitor network traffic
- VPN – remotely configure VPN settings between AlienVault machines
- Event Forwarding – remotely configure event forwarding policies
Centrally manage configuration
- Replicate configuration - easily move configuration from one device to another
- Conflict detection – prevents accidental overwriting of locally configured sensors. When changes are made locally, users are alerted to the conflict.
Centrally monitor Sensor health and status
- Resource Utilization – centrally monitor current and historical utilization of critical system resources to detect potential deployment issues. This includes monitoring CPU, RAM, disk usage, and running processes
- Remote Troubleshooting – centrally access the debug logs from the AlienVault sensor to identify and troubleshoot deployment issues
Dynamic Asset Inventory
Understanding a complex computing environment is difficult enough, but when the assets in that environment dynamically change their configuration, life is even harder. Dynamic asset inventory allows users to track assets even as their users change and their configuration is modified. This provides a far better historical picture when doing forensic analysis of security alarms. You may be able to figure out who is using the computer right now, but who was authenticated when the alarm was triggered? Dynamic Host Identification provides that answer.
Historical host information for every event
- Historical State - for every event in the UI, the state of the host that it is associated with is displayed for the time of the event. This includes authenticated users, processes running, and network configuration.
(OSSIM NOTE: OSSIM users will only be able to access current state of the asset, not the historical context)
- Historical Record - for each asset a full historical record is maintained to track changes to the assets over time.
Scheduled Asset Scanning
- Active Scans - schedule periodic inventory scans to ensure your inventory is updated regularly.
- WMI Integration - schedule periodic queries to the Windows Management Instrumentation interface to gather system information from Windows machines.
- Host-based Inventory - leverage host-based agents to update the inventory on a periodic basis for the most complete coverage of non-Windows assets.
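The forensic question the section poses, "who was authenticated when the alarm was triggered, as opposed to right now?", is a point-in-time lookup over a per-asset history of inventory snapshots. The following is an added illustration of that lookup and of the change record built on top of it; it is not AlienVault's or OSSIM's code, and the asset id, scan times, users, processes and addresses are constructed sample data. The two caveats a practitioner wants are handled explicitly: an unchanged scan is not stored twice, and an event that predates the first observation of a host returns no state rather than silently returning the current one.

```python
"""Point-in-time asset state lookup over a history of inventory snapshots.

Added example, not AlienVault code. Models one asset's append-only history of
periodic scans (active scan, WMI query or host agent) and answers two questions:
what the host looked like at the moment of an event, and what changed between
two observations. All sample data below is constructed.
"""
from bisect import bisect_right
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AssetState:
    """One snapshot of a host's forensically relevant state."""
    observed_at: datetime
    users: frozenset          # authenticated users at scan time
    processes: frozenset      # running process names at scan time
    interfaces: dict          # interface name -> address, e.g. {"eth0": "10.0.0.5"}

    def same_content(self, other: "AssetState") -> bool:
        """True when only the timestamp differs (the scan saw no change)."""
        return (self.users, self.processes, self.interfaces) == \
               (other.users, other.processes, other.interfaces)


class AssetHistory:
    """Snapshot history for one asset, kept sorted by observation time."""

    def __init__(self, asset_id: str):
        self.asset_id = asset_id
        self._times: list = []
        self._states: list = []

    def record(self, state: AssetState) -> bool:
        """Store a snapshot. Returns False and stores nothing when the scan is
        identical to the preceding observation, so unchanged hosts do not bloat
        the record. Out-of-order delivery is tolerated via sorted insertion."""
        idx = bisect_right(self._times, state.observed_at)
        if idx > 0 and self._states[idx - 1].same_content(state):
            return False
        self._times.insert(idx, state.observed_at)
        self._states.insert(idx, state)
        return True

    def state_at(self, when: datetime) -> Optional[AssetState]:
        """Latest snapshot observed at or before `when`. Returns None when the
        event predates any observation: absence of history is not evidence,
        and must not be conflated with the current state."""
        idx = bisect_right(self._times, when)
        return self._states[idx - 1] if idx > 0 else None

    def current(self) -> Optional[AssetState]:
        return self._states[-1] if self._states else None

    def __len__(self) -> int:
        return len(self._states)


def diff_states(before: AssetState, after: AssetState) -> dict:
    """Summarise what changed between two snapshots (the 'historical record')."""
    ifaces = set(before.interfaces) | set(after.interfaces)
    return {
        "users_added": set(after.users - before.users),
        "users_removed": set(before.users - after.users),
        "processes_added": set(after.processes - before.processes),
        "processes_removed": set(before.processes - after.processes),
        "interfaces_changed": {
            i: (before.interfaces.get(i), after.interfaces.get(i))
            for i in sorted(ifaces)
            if before.interfaces.get(i) != after.interfaces.get(i)
        },
    }


def users_at_alarm(history: AssetHistory, alarm_time: datetime) -> frozenset:
    """Who was authenticated on the host when an alarm fired (empty if unknown)."""
    st = history.state_at(alarm_time)
    return st.users if st else frozenset()


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample scans for one workstation: the midday scan saw no change.
SAMPLE_SCANS = [
    AssetState(_t("2012-09-01T08:00:00"), frozenset({"alice"}),
               frozenset({"explorer.exe"}), {"eth0": "10.0.0.5"}),
    AssetState(_t("2012-09-01T12:00:00"), frozenset({"alice"}),
               frozenset({"explorer.exe"}), {"eth0": "10.0.0.5"}),
    AssetState(_t("2012-09-01T17:30:00"), frozenset({"bob"}),
               frozenset({"explorer.exe", "psexec.exe"}), {"eth0": "10.0.0.77"}),
]
HISTORY = AssetHistory("ws-0042")
RECORDED = [HISTORY.record(s) for s in SAMPLE_SCANS]

if __name__ == "__main__":
    alarm = _t("2012-09-01T10:00:00")
    print("users now:", set(HISTORY.current().users))
    print("users at alarm:", set(users_at_alarm(HISTORY, alarm)))
    print("changes since alarm:", diff_states(HISTORY.state_at(alarm), HISTORY.current()))
```

The lookup is a binary search over observation times, so the cost of answering "state at time T" does not grow with the number of events that reference the host, only logarithmically with the number of stored snapshots; the deduplication in `record` keeps that number proportional to actual change rather than to scan frequency.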
Enhanced Event Processing and Storage
AlienVault’s event throughput and event storage window are always improving, but never so much as with AlienVault 4.0. A new architecture for long-term event storage and a brand new algorithm for event processing have allowed us to deliver substantial improvements in both performance metrics. Higher throughput allows more events to be processed more efficiently, increasing the visibility and scale of your installation. A longer storage window improves forensic investigation by giving analysts a larger set of events to search for additional evidence.
More than 200 Enhancements
Throughout the user interface and product there have been more than 200 enhancements. These include a completely new dashboard, complete with customizations that can be shared between users. An incredible effort has been made to improve the user experience with AlienVault 4.0. You can save the surprise and find the improvements as you use the product, or you can read the spoilers in the Enhancement Summary Announcement.