AlienVault OSSIM

How to choose between AlienVault's open source and commercial products

AlienVault OSSIM, Open Source Security Information and Event Management (SIEM), provides you with a feature-rich open source SIEM complete with event collection, normalization and correlation. Launched by security engineers because of the lack of available open source products, AlienVault OSSIM was created specifically to address the reality many security professionals face: A SIEM, whether it is open source or commercial, is virtually useless without the basic security controls necessary for security visibility.

AlienVault OSSIM addresses this reality by providing one unified platform with many of the essential security capabilities you need like:

  • Asset discovery
  • Vulnerability assessment
  • Intrusion detection
  • Behavioral monitoring
  • SIEM event correlation

AlienVault OSSIM leverages the AlienVault Open Threat Exchange (OTX), which lets users both contribute and receive real-time information about malicious hosts. AlienVault also provides ongoing development of OSSIM. AlienVault OSSIM offers you a way to increase security visibility and control in your network.

Product versions

AlienVault OSSIM is available as server-based software; there is a single version of AlienVault OSSIM.

AlienVault also offers an AlienVault Unified Security Management (USM) product, which is a commercial SIEM product. AlienVault USM has substantially more robust capabilities than AlienVault OSSIM. AlienVault USM is available as a virtual appliance, a hardware appliance and a cloud-based service.

Licensing and pricing

AlienVault OSSIM is open source, so its latest version is available for free to download.

AlienVault USM is a commercial product. A 30-day free trial is available for download.

AlienVault OSSIM, USM overview

AlienVault OSSIM has limited capabilities compared to its commercial counterparts, including the AlienVault USM product. AlienVault OSSIM is best suited for organizations without a SIEM that want to experiment with basic SIEM capabilities or that want to modify a SIEM to meet unusual organization-specific requirements. Small organizations looking for a more robust off-the-shelf SIEM product should consider evaluating AlienVault USM products.

AlienVault USM vs. AlienVault OSSIM: a feature comparison

Asset discovery and inventory

Asset discovery is a critical and necessary step in understanding who and what is connected to your infrastructure. AlienVault OSSIM and USM both provide built-in asset discovery. On a physical network, both products can scan the network to identify the assets on it, determine basic information about each asset such as operating system, IP address and MAC address, and find out which ports are active and listening.

Vulnerability assessment

Although AlienVault USM and AlienVault OSSIM both allow you to schedule vulnerability scans of your assets, a key consideration to keep in mind is the intelligence that powers the scans. In both platforms, vulnerability scans depend on a database of vulnerability signatures. For the USM platform, that database is both robust and dynamic, with new signatures added continuously in threat intelligence updates from the AT&T Alien Labs security research team. In AlienVault OSSIM, the default database is small and static unless you regularly update the signature data yourself.

Intrusion detection

Intrusion detection is another area where data changes the playing field. Both AlienVault USM and AlienVault OSSIM offer intrusion detection capabilities. However, the correlation rules and NIDS/HIDS signatures that power each solution's intrusion detection are wildly different. AlienVault OSSIM ships a small number of static correlation rules that mostly serve as examples for users who want to write their own. While that makes it possible for you to customize rules based on your own research, you should be aware of the significant time cost of tackling threat intelligence research yourself. In contrast, the Alien Labs security research team continuously delivers threat intelligence updates to the USM platform automatically, so its collection of correlation rules and signatures keeps up with the ever-changing threat landscape. When an intrusion is detected, the threat intelligence updates include incident response guidance within the platform itself to help you respond quickly and effectively. Having the Alien Labs research delivered to your platform is comparable to having your own in-house research team, without that expense.

Behavioral monitoring

Yet again, data makes a difference. As with intrusion detection, behavioral monitoring and threat intelligence research in USM is driven by the Alien Labs security research team. In AlienVault OSSIM, the capabilities are there but not the correlation rules to drive them. You are responsible for creating those rules and keeping them up-to-date based on your threat intelligence research.

SIEM event correlation

AlienVault OSSIM provides SIEM event capabilities that allow you to correlate and analyze security event data from across your critical infrastructure and respond quickly to incidents. USM offers faster, more dynamic SIEM functionality using a graph-based analytics engine that correlates SIEM events more quickly. As a result, you are also able to run ad-hoc queries on the large data sets generated by centralizing security monitoring of all your on-premises IT environments, giving you an efficient way to view and parse that data with a high degree of granularity.
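
The paragraph above describes correlation in the abstract. The following is an added illustration, not AlienVault code and not the engine either product uses: a minimal stateful correlator in the spirit of a SIEM correlation directive. A directive counts step-1 events per grouping key inside a sliding time window and raises an alarm when a follow-up event (step 2) arrives after the threshold has been reached. The normalized event fields (ts, src_ip, dst_ip, event_type) and the sample events are assumptions constructed for the example.

```python
"""Minimal stateful event correlator modelled on a SIEM correlation directive.

Added illustration only (not AlienVault OSSIM/USM code). Event field names
(ts, src_ip, dst_ip, event_type) are assumed normalized fields; the sample
events at the bottom are constructed, not real telemetry."""

from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple

Event = Dict[str, object]


@dataclass
class Directive:
    name: str
    trigger: Callable[[Event], bool]   # step-1 events that are counted
    followup: Callable[[Event], bool]  # step-2 event that fires the alarm
    group_by: Tuple[str, ...]          # fields that identify one "attack"
    threshold: int                     # step-1 count required before step 2
    window: float                      # sliding window in seconds
    priority: int = 3


class Correlator:
    def __init__(self, directives: List[Directive]):
        self.directives = directives
        # directive name -> group key -> timestamps of counted step-1 events
        self._state: Dict[str, Dict[tuple, Deque[float]]] = {
            d.name: defaultdict(deque) for d in directives}
        self.alarms: List[Dict[str, object]] = []

    @staticmethod
    def _key(ev: Event, fields: Tuple[str, ...]) -> tuple:
        return tuple(ev.get(f) for f in fields)

    def feed(self, ev: Event) -> List[Dict[str, object]]:
        """Process one normalized event; return the alarms it raised."""
        raised = []
        ts = float(ev["ts"])
        for d in self.directives:
            key = self._key(ev, d.group_by)
            hits = self._state[d.name][key]
            # expire step-1 hits that have fallen out of the sliding window
            while hits and ts - hits[0] > d.window:
                hits.popleft()
            if d.trigger(ev):
                hits.append(ts)
            elif d.followup(ev) and len(hits) >= d.threshold:
                alarm = {"directive": d.name, "priority": d.priority,
                         "key": dict(zip(d.group_by, key)),
                         "attempts": len(hits), "ts": ts}
                self.alarms.append(alarm)
                raised.append(alarm)
                hits.clear()  # do not re-alarm on the same burst
        return raised


# Hypothetical directive: >= 5 failed SSH logins from one source to one host
# inside 60 s, followed by a successful login for the same pair.
BRUTE_FORCE = Directive(
    name="ssh-bruteforce-then-success",
    trigger=lambda e: e["event_type"] == "ssh_login_failed",
    followup=lambda e: e["event_type"] == "ssh_login_ok",
    group_by=("src_ip", "dst_ip"),
    threshold=5, window=60.0, priority=4)

# Constructed sample events: six failures from one source within a minute,
# then a success; a lone failure from another source followed much later by
# a success, which must NOT alarm because its failure expired from the window.
SAMPLE_EVENTS: List[Event] = [
    {"ts": 1000 + i * 5, "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "event_type": "ssh_login_failed"} for i in range(6)
] + [
    {"ts": 1031, "src_ip": "198.51.100.9", "dst_ip": "10.0.0.5",
     "event_type": "ssh_login_failed"},
    {"ts": 1035, "src_ip": "203.0.113.7", "dst_ip": "10.0.0.5",
     "event_type": "ssh_login_ok"},
    {"ts": 2000, "src_ip": "198.51.100.9", "dst_ip": "10.0.0.5",
     "event_type": "ssh_login_ok"},
]


def run_sample() -> List[Dict[str, object]]:
    """Feed the constructed events through the correlator; return alarms."""
    c = Correlator([BRUTE_FORCE])
    for ev in SAMPLE_EVENTS:
        c.feed(ev)
    return c.alarms


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm)
```

The window expiry and the per-key state are what make this a correlation rule rather than a simple filter: the same successful login is benign or an alarm depending only on what arrived before it from the same source. Real directives also weight reliability by asset value and chain more than two steps, but the bookkeeping is the same.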

Endpoint detection and response (EDR)

Another difference between AlienVault OSSIM and USM is EDR. In USM, you can deploy agents to your hosts for continuous endpoint monitoring, as well as proactive querying during incident investigations. The agent is a lightweight, adaptable endpoint agent based on Osquery that is easy to deploy and manage directly from USM.

Threat intelligence

Without threat intelligence, a SIEM is an empty shell. The threat landscape is continuously changing with the almost-daily discovery of new vulnerabilities, new attack techniques, and new strains of malware. You do not have the time or the resources to research these emerging threats on your own, let alone determine if your environment is at risk or already compromised. For both AlienVault USM and AlienVault OSSIM users, Open Threat Exchange (OTX) provides threat data contributed daily from a global community of security researchers and practitioners. USM takes that threat data to the next level with continuous threat intelligence updates from the Alien Labs security research team, making it easier for IT professionals to keep up with the latest threats.

Community-powered threat data from the OTX

The OTX is the world’s largest open threat intelligence community. It enables collaborative defense with actionable, community-powered threat data, and global insight into attack trends and bad actors. OTX pulses provide users with a summary of the threat, a view into the software targeted, and the related indicators of compromise (IOC) that can be used to detect the threats.

IOCs include:

    • IP addresses
    • Domains
    • Hostnames (subdomains)
    • Email
    • URL
    • URI
    • File hashes: MD5, SHA1, SHA256, PEHASH, IMPHASH
    • CIDR rules
    • File paths
    • MUTEX name
    • CVE number

Both AlienVault USM and AlienVault OSSIM users have access to community-powered data from the OTX. The major difference is delivery: in USM the OTX data is complemented by the continuous, curated threat intelligence updates from the Alien Labs security research team described above.
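
To make the IOC list above concrete, here is an added example of how indicators of several of those types are matched against log lines. It is not AlienVault or OTX code: the pulse below is constructed, its layout (a name plus a list of indicator/type pairs) only loosely mirrors the OTX pulse format, and the log lines are made up. It handles IPv4, CIDR, domain, hostname, URL and SHA256 indicators, each with its own matching semantics (a CIDR indicator is a range test, a domain indicator also covers subdomains, hashes are compared case-insensitively).

```python
"""Match OTX-style indicators of compromise against log lines.

Added illustration only (not AlienVault/OTX code). PULSE_JSON is a constructed
pulse whose field names (name, indicators[].type, indicators[].indicator) are
an assumption loosely modelled on OTX pulses; SAMPLE_LOGS are made up."""

import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple

PULSE_JSON = json.dumps({
    "name": "Example pulse (constructed)",
    "indicators": [
        {"type": "IPv4", "indicator": "203.0.113.45"},
        {"type": "CIDR", "indicator": "198.51.100.0/24"},
        {"type": "domain", "indicator": "bad-cdn.example"},
        {"type": "hostname", "indicator": "dl.bad-cdn.example"},
        {"type": "URL", "indicator": "http://dl.bad-cdn.example/loader.bin"},
        {"type": "FileHash-SHA256",  # SHA256 of the empty string, as a stand-in
         "indicator": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    ],
})

# Constructed sample log lines (not real telemetry).
SAMPLE_LOGS = [
    "proxy src=10.0.0.21 url=http://dl.bad-cdn.example/loader.bin status=200",
    "dns client=10.0.0.33 query=mail.example.org answer=192.0.2.10",
    "fw action=allow src=10.0.0.21 dst=198.51.100.77 dport=443",
    "av host=ws-12 sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 verdict=clean",
    "fw action=deny src=203.0.113.45 dst=10.0.0.5 dport=22",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"']+")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

Hit = Tuple[str, str]  # (indicator type, matched indicator)


class IocIndex:
    """Type-aware lookup structure built from one pulse."""

    def __init__(self, pulse: Dict):
        self.name = pulse["name"]
        self.ips, self.nets, self.domains = set(), [], set()
        self.hosts, self.urls, self.sha256 = set(), set(), set()
        for ind in pulse["indicators"]:
            t, v = ind["type"], ind["indicator"].strip()
            if t == "IPv4":
                self.ips.add(v)
            elif t == "CIDR":
                self.nets.append(ipaddress.ip_network(v, strict=False))
            elif t == "domain":
                self.domains.add(v.lower())
            elif t == "hostname":
                self.hosts.add(v.lower())
            elif t == "URL":
                self.urls.add(v)
            elif t == "FileHash-SHA256":
                self.sha256.add(v.lower())  # normalise case once, at load time

    def _ip_hit(self, ip: str) -> Optional[Hit]:
        if ip in self.ips:
            return "IPv4", ip
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        for net in self.nets:  # CIDR indicators are range tests, not lookups
            if addr in net:
                return "CIDR", str(net)
        return None

    def _host_hit(self, host: str) -> Optional[Hit]:
        host = host.lower()
        if host in self.hosts:
            return "hostname", host
        parts = host.split(".")  # a domain indicator also covers its subdomains
        for i in range(len(parts) - 1):
            cand = ".".join(parts[i:])
            if cand in self.domains:
                return "domain", cand
        return None

    def scan_line(self, line: str) -> List[Dict[str, str]]:
        hits: List[Dict[str, str]] = []

        def add(kind: str, ioc: str) -> None:
            hits.append({"type": kind, "ioc": ioc, "pulse": self.name, "line": line})

        for url in URL_RE.findall(line):
            if url in self.urls:
                add("URL", url)
        for ip in IPV4_RE.findall(line):
            h = self._ip_hit(ip)
            if h:
                add(*h)
        for host in HOST_RE.findall(line):
            h = self._host_hit(host)
            if h:
                add(*h)
        for digest in SHA256_RE.findall(line):
            if digest.lower() in self.sha256:
                add("FileHash-SHA256", digest.lower())
        return hits


def scan_logs(pulse_json: str = PULSE_JSON, lines=SAMPLE_LOGS) -> List[Dict[str, str]]:
    """Load a pulse and return every IOC hit across the given log lines."""
    idx = IocIndex(json.loads(pulse_json))
    return [h for line in lines for h in idx.scan_line(line)]


if __name__ == "__main__":
    for hit in scan_logs():
        print(hit["type"], hit["ioc"], "<-", hit["line"])
```

Note that the antivirus line reports the hash as "clean" yet still matches: an IOC hit is evidence to correlate with other events, not a verdict on its own, which is exactly why these feeds are consumed by the SIEM rather than acted on directly.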

Reports and dashboards

Without an easy way to visualize and interpret your data, it is easy to get lost. Whereas AlienVault OSSIM offers some basic dashboards, USM provides a wide range of data visualization capabilities to interpret and communicate the dynamic nature of the threat landscape and the value of the security systems that you have put in place. For example, the USM platform's dashboard and analytics interface gives you an at-a-glance analysis of the top assets and networks affected by discovered vulnerabilities. You can view threats by severity, which lets you prioritize your efforts and quickly drill down for more information about any particular threat.

Log management and log retention

To decide between AlienVault USM and AlienVault OSSIM, you need to consider your log retention requirements, especially if you are in a regulated industry or keep stringent log retention requirements as a best practice. Even if you do not need it for compliance purposes, log retention is important for forensic and threat investigations. AlienVault OSSIM only retains SIEM events, so you will have a limited backlog of data to investigate in case of an intrusion, making it difficult to determine how long ago the intrusion began or how pervasive its effects have been.

Conclusion

AlienVault OSSIM is an excellent starter SIEM: you have a fully functioning SIEM in a few hours, and the insight you get immediately is worth the time spent setting it up. If you are willing to invest some more time, you can fine-tune it to provide deep insight into your network, and you will most likely be satisfied with it if your company is an SMB or mid-sized enterprise.

If you need thousands of correlation directives, NIDS/HIDS signatures, hassle-free state-of-the-art threat intelligence, proper log management and compliance reports out of the box, OSSIM is too small for you and you will need to go with the AlienVault USM platform.
