AlienVault USM Anywhere:
Building a Security SaaS In AWS In Six Months
Ernest Mueller
The Story
AlienVault
● OSSIM (2003, pre-AV)
● USM (2007, virtual/physical appliances)
● Open Threat Exchange (2012)
● Me (2015)
● USM Anywhere (2016, SaaS)
● Being acquired by AT&T (2018)
USM Anywhere
● Unified Security Management
● SIEM (security log aggregator)
● Asset discovery
● Vulnerability assessment
● Intrusion detection
● Behavioral monitoring (coming)
● Bajillions of integrations
● SC Magazine 4.75/5, starts $650/mo
USM “v6”
● Working on new version of (virtual) appliance product
● Cancelled SaaS false start
● Quick pilot go-to-market as marketplace AMI
● “We’re going all SaaS! We launch in 6 months! Go!”
Making the Sausage
All AWS
● EC2
● EBS
● KMS
● Lambda
● SQS
● SNS
● SES
● S3
● RDS
● CloudTrail
● Route53
● ECS
● DynamoDB
● CloudFormation
● VPC, IAM, and a partridge in a pear tree
Well, Mostly
● Azure for Azure and Hyper-V sensors
● A VM host (in Germany) for VMware sensors
● Datadog
● Runscope
● Artifactory
● Atlassian Cloud
● StatusPage
● VictorOps
● And so on
Components
● Product is Java, Postgres, Elasticsearch, Angular.js - single tenant (one “control node” and an Elasticsearch farm per customer)
● Rundeck and rerun for orchestration
● Terraform for provisioning
● Puppet for system config
● All Ubuntu
● A little Docker and Lambda (Zappa)
Doing the DevOps
● All provisioning automated - initially CloudFormation, now Terraform
● Orchestration code in bash, using the rerun framework for structure and unit tests, turned into runbooks in Rundeck
● Bitbucket/Bamboo/Artifactory CI pipeline - everything’s an artifact, all automated testing (no manual QA)
All The Security
MFA Console and API
$ aws sts get-caller-identity
{
    "Account": "641575277437",
    "UserId": "AROAI5Q65RFRWKRK6FU7S:botocore-session-1530204633",
    "Arn": "arn:aws:sts::641575277437:assumed-role/admin-mfa-cli/botocore-session-1530204633"
}
$ aws ec2 describe-instances --profile develop
Enter MFA code for arn:aws:iam::641575277437:mfa/msoares-testing-mfa:
{
    "Reservations": [
        {
            "Instances": [
            ...
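The MFA prompt in the session above only appears because the role being assumed (admin-mfa-cli) trusts callers solely when their session carries MFA. The check below is an added example, not code from the talk or from AlienVault: it audits IAM role trust-policy documents for a strict aws:MultiFactorAuthPresent condition so that a missing or weakened requirement is caught in review rather than noticed when the prompt stops appearing. The policies and the account ID 111122223333 are constructed samples.

```python
"""Audit IAM role trust policies for an MFA requirement.

Added example, not code from the talk or from AlienVault. The policies
and the account ID 111122223333 below are constructed samples.
"""
import fnmatch
import json

MFA_KEY = "aws:multifactorauthpresent"  # IAM condition keys are case-insensitive


def _as_list(value):
    """IAM policy grammar allows a bare string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_requires_mfa(stmt):
    """True only for a strict Bool aws:MultiFactorAuthPresent = true.

    BoolIfExists is deliberately not accepted: it evaluates to true when the
    key is absent from the request, which is exactly the no-MFA session that
    the condition is supposed to reject.
    """
    for operator, clauses in stmt.get("Condition", {}).items():
        if operator.lower() != "bool":
            continue
        for key, value in clauses.items():
            if key.lower() == MFA_KEY:
                if any(str(v).lower() == "true" for v in _as_list(value)):
                    return True
    return False


def _grants_assume_role(stmt):
    """Allow statement whose Action pattern (wildcards included) covers sts:AssumeRole."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatch("sts:assumerole", a.lower())
               for a in _as_list(stmt.get("Action")))


def _has_iam_principal(stmt):
    """Only IAM principals can present MFA; service principals are skipped."""
    principal = stmt.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and "AWS" in principal)


def assume_role_statements_without_mfa(policy):
    """Return the Sid (or position) of each AssumeRole grant that lacks MFA."""
    weak = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if (_grants_assume_role(stmt) and _has_iam_principal(stmt)
                and not statement_requires_mfa(stmt)):
            weak.append(stmt.get("Sid", f"statement[{i}]"))
    return weak


# Constructed: the shape of trust policy that the slide's MFA prompt implies.
GOOD_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AdminWithMfa",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}""")

# Constructed: two ways the requirement quietly disappears, plus a service
# principal statement that the audit correctly leaves alone.
WEAK_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "NoCondition", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": ["sts:AssumeRole"]},
    {"Sid": "IfExistsOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
     "Action": "sts:*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Sid": "Ec2Instances", "Effect": "Allow",
     "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}""")

if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("weak", WEAK_TRUST_POLICY)):
        print(name, "->", assume_role_statements_without_mfa(policy) or "MFA enforced")
```

Feeding it the trust policies pulled from every role in the account (for example the output of `aws iam get-role`) turns the slide's "MFA on console and API" into a check that runs in the same CI pipeline the rest of the infrastructure code goes through.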
Network
● Separate security groups with defined ingress and egress for everything
● Separate your VPCs
● MFA’ed bastion logins
● Workspace servers in each region to maintain data locality
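"Defined ingress and egress for everything" is easy to state and easy to drift from, because every new security group comes with a default egress rule that allows all outbound traffic. The script below is an added example, not code from the talk or from AlienVault: it reads describe-security-groups output and reports every rule, in either direction, that is open to the whole internet. The two groups and their IDs are constructed sample data.

```python
"""Flag security-group rules open to the whole internet, in both directions.

Added example, not code from the talk or from AlienVault. The two groups
below are constructed sample data with made-up group IDs.
"""
import json

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}


def rule_is_world_open(perm):
    """True if any IPv4 or IPv6 range in the rule is the whole internet."""
    cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
    cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
    return bool(cidrs & WORLD_CIDRS)


def describe_rule(perm):
    """Human-readable protocol/port summary of one IpPermission entry."""
    proto = str(perm.get("IpProtocol", "-1"))
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return f"{proto} all ports"
    return f"{proto} {lo}" if lo == hi else f"{proto} {lo}-{hi}"


def audit_security_groups(groups):
    """Return (GroupId, direction, rule) for each world-open rule found.

    Egress is inspected too: the AWS default egress rule is "-1" to
    0.0.0.0/0, so a group that was never given explicit egress shows up here.
    """
    findings = []
    for sg in groups:
        for direction, key in (("ingress", "IpPermissions"),
                               ("egress", "IpPermissionsEgress")):
            for perm in sg.get(key, []):
                if rule_is_world_open(perm):
                    findings.append((sg["GroupId"], direction, describe_rule(perm)))
    return findings


# Constructed describe-security-groups output: a bastion group that still
# carries the default "allow all" egress rule, and a control-node group that
# is reachable only from the bastion group and talks out only to the VPC.
SAMPLE_GROUPS = json.loads("""{
  "SecurityGroups": [
    {"GroupId": "sg-0aaaaaaaaaaaaaaa1", "GroupName": "bastion",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [
       {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
        "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0bbbbbbbbbbbbbbb2", "GroupName": "control-node",
     "IpPermissions": [
       {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
        "IpRanges": [], "Ipv6Ranges": [],
        "UserIdGroupPairs": [{"GroupId": "sg-0aaaaaaaaaaaaaaa1"}]}],
     "IpPermissionsEgress": [
       {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [],
        "UserIdGroupPairs": []}]}
  ]
}""")["SecurityGroups"]

if __name__ == "__main__":
    for group_id, direction, rule in audit_security_groups(SAMPLE_GROUPS):
        print(f"{group_id}: {direction} {rule} open to the world")
```

Run against real output (`aws ec2 describe-security-groups`, one region at a time), the bastion finding for port 22 is the one you expect and accept; the "egress all traffic" finding is the one that tells you a group was created without the explicit egress the slide calls for.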
System Configuration
● Feed all new patches into CI pipeline
● Build AMIs for immutable deployments
● Terraform detaches EBSes - replaces servers - attaches EBSes
Encryption and Access Control
● Encrypt all the EBSes and S3 buckets
● Encrypt files with KMS
● We have a bundle of customer info - per instance SSH keys, terraform state, etc. - all KMS encrypted and then put in an encrypted S3 bucket
Process...
● Change management: Pull requests with peer review and release approvals.
● Incident management: Use incident command system base
● Tag everything for monitoring, finance
● Giant wiki lists of everything
● Giant network diagrams of everything
Monitoring
Pain Points
Things That Are Terrible
● AWS Reservations
● AWS Limits
● AWS Console
● Complexity
● Audits
Q&A
