SIEM / Event Correlation

A Complete SIEM, And So Much More

Single-purpose SIEM software or log management tools provide valuable information, but often require expensive integration efforts to bring in log files from disparate sources such as asset management, vulnerability assessment, and IDS products. With the Zartek Global USM™ platform, SIEM is built-in with other essential security tools for complete security visibility that simplifies and accelerates threat detection, incident response, and compliance management.


Fully Integrated SIEM Capabilities on Day 1

Drastically simplify SIEM deployment and gain valuable insight into your environment with an all-in-one platform that includes all the essential security capabilities you need, managed from a single pane of glass, working together to provide the most complete view of your security posture.

  • SIEM / event correlation
  • Asset discovery and inventory
  • Vulnerability assessment
  • Intrusion detection
  • NetFlow monitoring
  • Actionable, relevant threat intelligence from Zartek Global Labs threat research team
  • Integrated global real-time view of emerging threats and bad actors from OTX, the world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data
  • 3,000+ Correlation Directives
    Ships with over 3,000 pre-defined correlation directives so you don’t have to spend hours creating your own.
  • Always Vigilant
    Continuous updates from Zartek Global Labs include new correlation directives, threat signatures, remediation guidance, and more.


More Than Just a SIEM – It’s Unified Security Management™ (USM)!

Traditional SIEM solutions promise to provide what you need – but the path to get there is one most of us can’t afford. Traditional SIEM solutions integrate and analyze the data produced by other security technologies that are already deployed, but unfortunately most mid-market organizations don’t have those other technologies deployed yet!

Zartek Global USM provides a different path. In addition to all the functionality of a traditional SIEM, Zartek Global USM also builds the essential security capabilities into a single platform with no additional feature charges. And Zartek Global’s focus on ease of use and deployment makes it the perfect fit for mid-market enterprises and organizations with limited budget and few in-house resources.


Centralized Threat Alerts

Prioritize with Kill Chain Taxonomy

The promise of SIEM software is particularly powerful—collecting data from disparate technologies, normalizing it, centralizing alerts, and correlating events to tell you exactly what to focus on. Unfortunately, achieving and maintaining the promise of SIEM is time-consuming, costly, and complex.

Zartek Global USM builds in all the security capabilities you need plus a centralized alarm dashboard that utilizes the Kill Chain Taxonomy to focus your attention on the most important threats. It breaks attacks out into five threat categories that help you understand attack intent and threat severity, based on how they’re interacting with your network.

  • System Compromise – Behavior indicating a compromised system.
  • Exploitation & Installation – Behavior indicating a successful exploit of a vulnerability or backdoor/RAT being installed on a system.
  • Delivery & Attack – Behavior indicating an attempted delivery of an exploit.
  • Reconnaissance & Probing – Behavior indicating a bad actor attempting to discover information about your network.
  • Environmental Awareness – Behavior indicating policy violations, vulnerable software, or suspicious communications.


Identify Known Bad Actors Communicating with Your Systems

Indicated by the OTX™ ‘Atomic’ logo, alarms and events associated with known Indicators of Compromise (IoCs) are highlighted throughout USM. This allows you to prioritize and triage security events that contain data linked to malicious activity.


Reduced Noise

Correlate IDS data with multiple security tools to reduce false positives and increase the accuracy of alarms.


Complete Threat Evidence

See attack type, number of events, duration, source and destination IP addresses, and more.


Automatic Notifications

Set up email notifications and implement phone messaging services such as SMS.


Workflow Management

Create tickets from any alarm, delegate to users, or integrate with an external ticketing system.

Simplify SIEM event correlation and accelerate your threat detection and incident response time. Zartek Global Unified Security Management™ (USM) brings together related asset, vulnerability, intrusion, malicious actor intent, and remediation info for every alarm. The result?

Zartek Global USM™ delivers everything you need in a single pane of glass to assess threats accurately and expedite response, with none of the integration headaches.


Know What Threats to Focus On, Right Now

Get alarms for assets under attack, understand how they’re being attacked, and see who’s doing it, in just minutes.

  • Targeted assets and their vulnerabilities
  • Integrated threat intelligence from Zartek Global Labs
  • Attacker intent, method and context-specific remediation guidance
  • Detailed malicious actor info from OTX, world’s first truly open threat intelligence community


Automate Event Correlation

When an incident happens you need immediate visibility into the who, what, when, where, and how of the attack. Raw event log data alone doesn’t provide enough context to make effective decisions, so IT teams without deep security expertise must research each alarm to understand its context: its significance and what to do about it.

The USM platform’s integrated threat intelligence from Zartek Global Labs eliminates the need for IT teams to spend precious time conducting their own research as it automatically correlates events into actionable intelligence. USM identifies the most significant threats targeting your network with timely, relevant threat intelligence that provides every detail you need in the alarm: what’s being attacked, who is the attacker, what is their objective, and how to respond.

Zartek Global Labs deliver regular updates to this threat intelligence in the form of a coordinated set of advanced correlation rules and product updates, including up-to-the-minute guidance on emerging threats and context-specific remediation guidance, which accelerates and simplifies threat detection and remediation.

You also receive notification when a known bad actor is targeting your network. The Zartek Global Open Threat Exchange™ (OTX) alerts you when indicators of compromise (malicious IP addresses, domains, MD5 hashes of malware, etc.) are detected in your log files. OTX is the world’s first truly open threat intelligence community that enables collaborative defense with actionable, community-powered threat data.
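As an added illustration of the IoC matching described above, the Python below is example code written for this page, not part of any USM or OTX product. It scans a few constructed log lines (firewall, web proxy and AV scanner, in a key=value style that is an assumption) for known-bad IP addresses, domains and MD5 hashes, and for IP hits it works out whether an internal host reached out to the indicator or was contacted by it. The indicator values and the internal address range are assumptions too.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicators of compromise (IoCs). These are documentation/example
# values standing in for an OTX-style feed; they are not real threat intelligence.
IOCS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "md5": {"0123456789abcdef0123456789abcdef"},
}

# Address space treated as "ours"; everything else is external (assumption).
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.IGNORECASE)
SRC_DST_RE = re.compile(r"\bsrc=(\S+)\s+dst=(\S+)")

# Constructed log lines in a simple key=value style (firewall, web proxy and
# AV scanner). The format is an assumption, not a specific vendor's.
LOGS = [
    "2024-05-01T10:00:01Z fw01 action=allow proto=tcp src=10.0.0.5 dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:03Z proxy01 src=10.0.0.5 method=GET host=update-check.example.net path=/c2/beacon",
    "2024-05-01T10:00:09Z av01 host=10.0.0.5 event=file_scanned md5=0123456789abcdef0123456789abcdef verdict=clean",
    "2024-05-01T10:01:00Z fw01 action=allow proto=tcp src=10.0.0.7 dst=198.51.100.20 dport=443",
    "2024-05-01T10:02:00Z fw01 action=deny proto=tcp src=203.0.113.45 dst=10.0.0.9 dport=22",
]


@dataclass
class Alarm:
    line_no: int
    ioc_type: str
    indicator: str
    direction: str  # "outbound" = internal host reached the bad actor (possible C&C)


def _is_internal(addr, internal_net):
    try:
        return ipaddress.ip_address(addr) in internal_net
    except ValueError:
        return False


def _direction(line, ip, internal_net):
    """Decide whether an internal host contacted the IoC or was contacted by it."""
    m = SRC_DST_RE.search(line)
    if not m:
        return "unknown"
    src, dst = m.groups()
    if dst == ip and _is_internal(src, internal_net):
        return "outbound"
    if src == ip and _is_internal(dst, internal_net):
        return "inbound"
    return "unknown"


def match_iocs(lines, iocs=IOCS, internal_net=INTERNAL_NET):
    """Scan log lines for known-bad IPs, domains and file hashes; one Alarm per hit."""
    alarms = []
    for n, line in enumerate(lines, start=1):
        for ip in sorted(set(IPV4_RE.findall(line)) & iocs["ip"]):
            alarms.append(Alarm(n, "ip", ip, _direction(line, ip, internal_net)))
        for dom in sorted({d.lower() for d in DOMAIN_RE.findall(line)} & iocs["domain"]):
            # A proxy or DNS request for a bad domain is an internal host reaching out.
            alarms.append(Alarm(n, "domain", dom, "outbound"))
        for h in sorted({h.lower() for h in MD5_RE.findall(line)} & iocs["md5"]):
            alarms.append(Alarm(n, "md5", h, "n/a"))
    return alarms


if __name__ == "__main__":
    for a in match_iocs(LOGS):
        print(f"line {a.line_no}: {a.ioc_type}={a.indicator} ({a.direction})")
```

Note that the third constructed line is flagged even though the scanner reported the file as clean: matching the hash against the indicator feed catches what the local tool's verdict missed, which is the point of layering shared IoCs over existing sensors.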

Built-in SIEM software, data sources, and correlation rules simplify your threat detection and response, and compliance management

Too often, organizations that invest in a SIEM (Security Information and Event Management) are frustrated and disappointed by the amount of investment in technology and people it takes to generate useful information.

Whether it is maintaining the separate data sources that supply the SIEM tool with security events to analyze, or writing the correlation rules to make sense of the mountain of event data, SIEMs are not easy to maintain.

AlienVault USM™, with its built-in data sources, SIEM software, and over 2,000 correlation rules, gives IT teams with limited resources an all-in-one threat detection and compliance management platform.

The AlienVault USM platform is designed for you to go from installation to insight in as little as one hour, instead of the weeks or months it would take you with other SIEM technology.

These SIEM use cases examples show how you can rely on the AlienVault USM platform to detect a range of threats and deliver the insight you need:


SQL Injection and Other Web Application Attacks

  • Identify vulnerable public-facing systems that are easily targeted
  • Detect attacks directed at vulnerable systems
  • Alert on compromised systems communicating with attackers


Watering Hole Attacks

  • Detect malware attempting to install on systems
  • Alert when multiple malware threats are from the same compromised website
  • Detect compromised systems communicating with C&C


Malware Infection

  • Identify communication from known malicious hosts
  • Detect malware infecting systems
  • Alert on changes to services and/or privilege escalation as a result of a successful attack


Continuous Compliance Management

  • Consolidate and automate your critical security controls
  • Understand critical events and compliance status with network-wide visibility
  • Utilize hundreds of built-in, customizable reports to satisfy your auditor


SIEM Use Case Example #1 – Detect SQL Injection and Other Web Application Attacks

SQL injection continues to be one of the most common attacks against public-facing websites. The attacks succeed when a web application builds SQL statements from untrusted input without parameterization or validation, so an attacker can send crafted input that the database server executes as part of the query, reading or modifying data the application never intended to expose.

An essential first step in this SIEM use case example is to identify all systems running SQL database software (particularly public-facing systems) using the built-in Asset Discovery and Software Inventory technology in AlienVault USM. You can quickly create an asset group of all systems running SQL so that you are alerted to any change in the status of those systems.

To detect attacks directed at your SQL servers, you should deploy the built-in Intrusion Detection System (IDS) on the network and host IDS on the systems running SQL. Network IDS detects malicious content on your network targeting your SQL deployments, and host IDS provides detailed insight into the health of the targeted systems.

AlienVault USM will also alert you to any compromised systems communicating with known malicious hosts. Malware, once it compromises a system on your network, might attempt to communicate with the Command and Control (C&C) server. The built-in SIEM software, plus global visibility of known malicious hosts, will alert you to compromised systems communicating with C&C servers.
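The steps of this use case (build a SQL asset group, watch traffic to those hosts, rank what the IDS finds) can be shown in code. The Python below is an added example written for this page, not the product's own logic; the asset inventory, the key=value web log format and the injection patterns are all constructed. Its point is the second step: a plain signature hit becomes a high-priority alarm only when the target is known to run a SQL database and carries an open injection finding, while the same hit against a host with no database is downgraded as noise, and a hit against a host missing from the inventory is flagged for discovery.

```python
import re
from urllib.parse import unquote_plus

# Constructed asset inventory standing in for asset discovery and vulnerability
# assessment output (example data, not from the page or the product).
ASSETS = {
    "10.0.2.10": {"name": "web01", "public": True,
                  "software": ["nginx", "mysql-server"],
                  "open_vulns": ["SQL injection in /login (unparameterized query)"]},
    "10.0.2.11": {"name": "web02", "public": True,
                  "software": ["nginx"], "open_vulns": []},
    "10.0.3.5":  {"name": "db01", "public": False,
                  "software": ["postgresql"], "open_vulns": []},
}

# Constructed web-server log lines in a key=value style (the format is an assumption).
LOGS = [
    'client=198.51.100.7 server=10.0.2.10 request="GET /login?user=admin%27%20OR%201%3D1--%20 HTTP/1.1" status=200',
    'client=198.51.100.7 server=10.0.2.11 request="GET /search?q=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" status=404',
    'client=203.0.113.9 server=10.0.2.10 request="GET /products?id=42 HTTP/1.1" status=200',
    'client=198.51.100.7 server=10.0.9.9 request="GET /?id=1%27%20or%20%271%27%3D%271 HTTP/1.1" status=500',
]

LINE_RE = re.compile(r'client=(\S+) server=(\S+) request="(\S+) (\S+) (\S+)" status=(\d+)')

# A few classic injection shapes, checked after URL decoding. Signature matching
# like this is noisy on its own; the asset context below is what ranks the hits.
SQLI_PATTERNS = {
    "tautology":     re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec)\b", re.I),
    "comment_tail":  re.compile(r"--\s*$|/\*"),
}


def sql_hosts(assets):
    """Asset group: every host whose software inventory includes a SQL database."""
    return {h for h, a in assets.items() if any("sql" in s.lower() for s in a["software"])}


def detect_sqli(request_path):
    """Return the names of the injection patterns found in a decoded request path."""
    decoded = unquote_plus(request_path)
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(decoded)]


def prioritize(target, assets):
    """Rank a web-attack hit by what the inventory says about the targeted host."""
    asset = assets.get(target)
    if asset is None:
        return "medium", "target not in asset inventory; run discovery"
    if target not in sql_hosts(assets):
        return "low", "target runs no SQL database; likely noise"
    if any("sql" in v.lower() for v in asset["open_vulns"]):
        return "high", "target runs SQL and has an open SQL injection finding"
    return "medium", "target runs SQL; no known open vulnerability"


def analyze(lines, assets=ASSETS):
    """Turn raw web log lines into prioritized alarms."""
    alarms = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        client, server, _method, path, _proto, _status = m.groups()
        matched = detect_sqli(path)
        if not matched:
            continue
        priority, reason = prioritize(server, assets)
        alarms.append({"src": client, "dst": server, "path": unquote_plus(path),
                       "patterns": matched, "priority": priority, "reason": reason})
    return alarms


if __name__ == "__main__":
    for a in analyze(LOGS):
        print(f"{a['priority']:6} {a['src']} -> {a['dst']} {a['path']} ({a['reason']})")
```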


SIEM Use Case Example #2 – Detect Watering Hole Attacks

Watering Hole attacks target specific groups of users (such as government agencies, industries, or political organizations) who are likely to frequent specific websites. The attacker installs malware on the site that then attempts to compromise visitors’ systems.

In this SIEM use case example, AlienVault USM can detect the different stages of a Watering Hole attack and alert you to its presence in your network before any exfiltration of user credentials or confidential data occurs.

The built-in IDS within the AlienVault USM platform will detect the delivery of the malware payload from the compromised website. The continuously updated correlation rules can correlate multiple malware infections from the same compromised website, alerting you to a potential Watering Hole attack.

AlienVault IDS will also detect malware attempting to traverse the network and compromise other systems. The SIEM capability’s built-in correlation rules will also detect the outbound communication as the malware attempts to establish a communication channel with the Command and Control (C&C) server before exfiltrating the harvested data.
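To make the correlation in this use case concrete, here is an added example in Python (not code from the product or the page) of one way to write a directive that fires when several distinct hosts receive malware from the same website within a time window, and then escalates the alarm through the Kill Chain Taxonomy stages named earlier on this page as host IDS and outbound C&C events arrive for the same victims. The event records, the event-type names, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Kill Chain Taxonomy stages relevant here, ordered from least to most severe.
STAGES = ["Delivery & Attack", "Exploitation & Installation", "System Compromise"]

# Constructed mapping from sensor event types to the stage they evidence (assumption).
STAGE_OF_EVENT = {
    "malware_delivery": "Delivery & Attack",
    "new_service_installed": "Exploitation & Installation",
    "outbound_c2_beacon": "System Compromise",
}

WINDOW_SECONDS = 3600   # how close in time the deliveries must be
MIN_VICTIMS = 3         # distinct hosts hit from one site before we alarm

# Constructed events: (timestamp_seconds, sensor, event_type, victim_host, peer),
# where peer is the serving website for deliveries or the remote address for beacons.
EVENTS = [
    (0,     "nids", "malware_delivery",      "10.0.1.11", "news.example.org"),
    (120,   "nids", "malware_delivery",      "10.0.1.12", "news.example.org"),
    (300,   "nids", "malware_delivery",      "10.0.1.13", "news.example.org"),
    (310,   "hids", "new_service_installed", "10.0.1.12", None),
    (900,   "nids", "outbound_c2_beacon",    "10.0.1.12", "203.0.113.45"),
    (5000,  "nids", "malware_delivery",      "10.0.1.40", "blog.example.com"),
    (90000, "nids", "malware_delivery",      "10.0.1.50", "news.example.org"),
]


def _highest(stage_a, stage_b):
    return max(stage_a, stage_b, key=STAGES.index)


def correlate_watering_hole(events, window=WINDOW_SECONDS, min_victims=MIN_VICTIMS):
    """Alarm when >= min_victims distinct hosts receive malware from one site within
    `window` seconds, then raise the stage from later events on those same hosts."""
    events = sorted(events, key=lambda e: e[0])
    deliveries = defaultdict(list)          # site -> [(ts, victim)]
    for ts, _sensor, kind, victim, peer in events:
        if kind == "malware_delivery":
            deliveries[peer].append((ts, victim))

    alarms = []
    for site, hits in deliveries.items():
        # Slide a window starting at each delivery; the first window that reaches
        # the threshold defines the victim set for this site.
        for t0, _ in hits:
            victims = {v for t, v in hits if t0 <= t < t0 + window}
            if len(victims) < min_victims:
                continue
            per_host = {v: "Delivery & Attack" for v in victims}
            # Escalation: any later event on a victim moves that host up the chain.
            for ts, _sensor, kind, victim, _peer in events:
                if victim in per_host and ts >= t0 and kind in STAGE_OF_EVENT:
                    per_host[victim] = _highest(per_host[victim], STAGE_OF_EVENT[kind])
            alarms.append({
                "directive": "Possible watering hole: multiple hosts infected from one site",
                "site": site,
                "victims": sorted(per_host),
                "per_host": per_host,
                "stage": max(per_host.values(), key=STAGES.index),
            })
            break
    return alarms


if __name__ == "__main__":
    for a in correlate_watering_hole(EVENTS):
        print(f"[{a['stage']}] {a['directive']}: {a['site']} -> {a['victims']}")
```

With the constructed events, news.example.org infects three hosts within five minutes and one of them then installs a new service and beacons out, so the alarm is raised to System Compromise; blog.example.com hits only one host and never reaches the threshold, and the fourth news.example.org delivery a day later falls outside the window.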


SIEM Use Case Example #3 – Detect Malware Infection

Malware is still the preferred method for gaining an initial foothold within a network, because of the ease with which attackers can install it on at least one system. Traditional preventive security technologies cannot keep all malware out, and your best defense is to be able to spot the malware and remove it before it can facilitate a data breach.

In this SIEM use case example, the SIEM software correlates events within the AlienVault USM platform to alert you to the presence of malware in several ways. One way is that the integrated community-powered threat data from OTX detects inbound communication from known malicious hosts, alerting you to those hosts in your network that may have inadvertently installed malware contained in an email or drive-by download. It detects outbound communication with malicious hosts as well, which could indicate a compromised system communicating with the C&C server.

Additionally, AlienVault USM’s built-in IDS detects malicious code on your network and correlates that data with the built-in Asset Discovery and Vulnerability Assessment capabilities to alert you to traffic that is specifically targeting vulnerable systems.

AlienVault USM will also generate alerts when malware attempts to stop essential security services and change files on the targeted systems, a technique used to hide signs of the compromise from you. It can also detect privilege escalation on targeted systems as attackers seek “Admin” or “root” access.


SIEM Use Case Example #4 – Continuous Compliance Management

It is a challenge for organizations to achieve compliance while managing competing priorities, limited budgets, and small IT security teams with limited expertise. Regardless of which standard you are trying to meet, it is essential for you to be able to consolidate and automate your critical security controls to simplify your compliance efforts.

In this SIEM use case example, the AlienVault USM platform works as a single solution that automatically identifies audit events, generates alarms on those events that require immediate attention, and creates reports that satisfy your auditor. Regardless of which set of requirements or guidelines you’re trying to meet, AlienVault USM offers you a complete solution that builds in asset discovery, vulnerability assessment, host and network intrusion detection, file integrity monitoring (FIM) and SIEM–all in a single platform and console view.

With AlienVault USM, you can quickly get the insight you need to understand the location and compliance status of critical assets, network segmentation, vulnerabilities on those assets, access privileges to those assets, and so on. The AlienVault USM platform offers hundreds of built-in, customizable reports for documenting your PCI, ISO 27002, HIPAA or GPG 13 compliance. You can also customize these reports to satisfy any unique requirements you may have.