How to Use AlientVault SIEM for Threat Detection & Incident Response
Malware comes via attachments, malvertising, man-in-the-middle, man-in-the-browser, social engineering and countless other vectors. Even the most stringent of binary whitelisting can be quickly rendered ineffective by a compromised application, server update or exploits in otherwise legitimate software. Endpoint protection factors in as well, but there will always be occasions where malware has evolved to a new hash and your product's heuristics just happen to miss it.
Such situations demonstrate the deficiencies of reactive quarantining from an incident response perspective. No person nor piece of software can reliably predict what will be relevant to an investigation and what should be retained. However, it is possible to avoid reliance on such predictions by proactively retaining everything that could be relevant.
Learn Incident Response
What Does AlientVault SIEM Do?
AlientVault SIEM is an all-in all-in-one platform designed to provide and guarantee complete defense to the enterprise against current security threats. Different security aspects provided by the SIEM include:
- Asset discovery:
Finds all assets on your network. This is done via active network scanning, passive network monitoring, asset inventory and software inventory. - Vulnerability assessment: Helps identify system vulnerabilities on your network via network vulnerability testing and continuous vulnerability monitoring.
- Intrusion detection: Detects malicious traffic on your network via network IDS, host IDS, file integrity checks and file monitoring.
- Behavioral monitoring:
Discovers suspicious behavior and potentially compromised systems via netflow analysis, service availability monitoring and full packet capture. - Multiple security functions in a single console:
Correlates and analyzes security event data from across your network via log management, event correlation, incident response and reporting.
What Benefits Does AlientVault Provide?
With the functionalities available through AlienVault, you can easily analyze potential threat vectors and the impacts they may have on on your business. This is illustrated in the screenshot below:
Each alarm provides detailed and customized instructions on how to investigate and respond to malicious activity.
Customizable executive dashboards provide overviews and click-through details about your security and compliance posture.
Dashboards provide everything you need to know about an asset for incident investigation and response.
Automated asset discovery provides granular details on all devices in your network
Targeted guidance eliminates the guesswork associated with integrating data sources and provides precise suggestions for improving visibility.
Built-in network flow analysis provides all the data you need for in-depth investigations, including packet capture.
Secure storage of raw event data satisfies regulatory compliance requirements while an easy-to-use interface allows for quick searches.
Identifies malicious actors attempting to interact with your network using dynamic IP reputation data.
Built-in network IDS and host IDS results in more accurate threat detection and event correlation, faster deployment and simpler management.
Built-in vulnerability assessment simplifies security monitoring and speeds remediation.
How Can I Use AlienVault to Detect SQL Injection?
SQL injection has been around for about 10 years. This is when nefarious SQL commands are covertly inserted into the database in an attempt to harm data-driven applications. You can use AlientVault to detect SQL injection following the methods below.
-
Network IDS spotting SQLi
One of the first methods in detecting SQL injection is network intrusion detection system (NIDS). This gives system administrator the ability to analyze all inbound and outbound network traffic to make sure there are no malformed data packets which can cause harm or damage to your network infrastructure. This also gives the system administrator the ability to see when and where the system is being attacked.
-
Host IDS detecting SQLi by watching file activity
The next approach is leveraging a host-based intrusion detection system (HIDS), allowing system administrators to monitor activity locally on a server. For example, HIDS agent parses the logs on IIS or Apache web server locally once it is installed. Just by monitoring log and file activity, the system threats are effectively monitored.
With the AlienVault HIDS, you can monitor changes to files, and have visibility to information such as which files and tables in your database were affected by the attack. In addition, the HIDS will look for patterns indicating SQLi and send alerts accordingly.
HIDS Dashboard
HIDS performs file integrity checking and operating system audit logging. This alone provides the capability to detect multiple forms of attacks, most notably monitoring for malicious attacks via web server logs. Here's an example of how USM displays an SQL injection and its associated threat details via the HIDS.
Threat Details
-
OTX assisting with SQL injection
Known IP addresses attempting SQL attacks are checked against the OTX database. It combines input from the NIDS, HIDS, and OTX, and alerts system administrators the problem needs attention.
Learn Incident Response
Get hands-on experience with incident response tools and techniques as you progress through nine courses.
Summary
The AlienVault Security Management platform is an all-in-one tool that will not only help you to protect your network infrastructure, but also your other IT assets. It provides information and data to you in real time to gauge the cyber threat landscape in order to further fortify your primary lines of defense. An added advantage is you can gain real-time threat intelligence from both the AlienVault Labs and Open Threat Exchange.
Sources
Incident Response
Build your skills responding to each phase of an incident, and get a technical deep dive of the tools and techniques used. What you'll learn:- IR phases and stages
- IR tools and techniques
- Conducting memory, network and host forensics
- And more
In this Series
- How to Use AlientVault SIEM for Threat Detection & Incident Response
- Disaster recovery: What's missing in your cyber emergency response?
- How will zero trust change the incident response process?
- How to build a proactive incident response plan
- Sparrow.ps1: Free Azure/Microsoft 365 incident response tool
- Uncovering and remediating malicious activity: From discovery to incident handling
- DHS Cyber Hunt and Incident Response Teams (HIRT) Act: What you need to know
- When and how to report a breach: Data breach reporting best practices
- Cyber Work Podcast recap: What does a military forensics and incident responder do?
- Top 8 cybersecurity books for incident responders in 2020
- Digital forensics and incident response: Is it the career for you?
- 2020 NIST ransomware recovery guide: What you need to know
- Network traffic analysis for IR: Data exfiltration
- Network traffic analysis for IR: Basic protocols in networking
- Network traffic analysis for IR: Introduction to networking
- Network Traffic Analysis for IR — Discovering RATs
- Network traffic analysis for IR: Analyzing IoT attacks
- Network traffic analysis for IR: TFTP with Wireshark
- Network traffic analysis for IR: SSH protocol with Wireshark
- Network traffic analysis for IR: Analyzing DDoS attacks
- Wireshark for incident response 101
- Network traffic analysis for IR: UDP with Wireshark
- Network traffic analysis for IR: TCP protocol with Wireshark
- Network Traffic Analysis for Incident Response: Internet Protocol with Wireshark
- ICMP protocol with Wireshark
- Cyber Work with Infosec: How to become an incident responder
- Simple Mail Transfer Protocol (SMTP) with Wireshark
- Internet Relay Chat (IRC) protocol with Wireshark
- Hypertext transfer protocol (HTTP) with Wireshark
- Network traffic analysis for IR: FTP protocol with Wireshark
- Infosec skills - Network traffic analysis for IR: DNS protocol with Wireshark
- Network traffic analysis for IR: Data collection and monitoring
- Network traffic analysis for Incident Response (IR): TLS decryption
- Network traffic analysis for IR: Address resolution protocol (ARP) with Wireshark
- Network traffic analysis for IR: Alternatives to Wireshark
- Network traffic analysis for IR: Statistical analysis
- Network traffic analysis for incident response (IR): What incident responders should know about networking
- Network traffic analysis for IR: Event-based analysis
- Network traffic analysis for IR: Connection analysis
- Network traffic analysis for IR: Data analysis for incident response
- Network traffic analysis for IR: Network mapping for incident response
- Network traffic analysis for IR: Analyzing fileless malware
- Network traffic analysis for IR: Credential capture
- Network traffic analysis for IR: Content deobfuscation
- Traffic analysis for incident response (IR): How to use Wireshark for traffic analysis
- Network traffic analysis for IR: Threat intelligence collection and analysis
- Network traffic analysis for incident response
- Creating your personal incident response plan
- Security Orchestration, Automation and Response (SOAR)
- Top six SIEM use cases
- Expert Tips on Incident Response Planning & Communication
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Incident response
Disaster recovery: What's missing in your cyber emergency response?
Incident response
Incident response
Incident response
Sparrow.ps1: Free Azure/Microsoft 365 incident response tool