Host-based IDS systems, or HIDS, work by monitoring activity that is occurring internally on a host. HIDS look for unusual or nefarious activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes. AlienVault USM features a complete integration of OSSEC, one of the most popular and effective open source HIDS tools. In this live demo, we'll show you how USM helps you get more out of OSSEC with: Remote agent deployment, configuration and management Behavioral monitoring of OSSEC clients Logging and reporting for PCI compliance Data correlation with IP reputation data, vulnerability scans and more We'll finish up by showing a demo of how OSSEC alert correlation can be used to detect brute force attacks with USM

2. About AlienVault
AlienVault has unified the security products, intelligence and
community essential for mid-sized businesses to defend against
today’s modern threats

3. Agenda
OSSEC capabilities
AlienVault USM capabilities
Demo – See it in action
• Remote OSSEC agent deployment, configuration and management
• Behavioral monitoring of servers and workstations
• Logging and reporting for PCI compliance
• Data correlation with IP reputation data, vulnerability scans and more
• Correlating OSSEC events to detect attacks

4. OSSEC & AlienVault USM
Learning the Basics…

5. OSSEC capabilities
Log analysis based intrusion detection
File integrity checking
Registry keys integrity checking (Windows)
Signature based malware/rootkits detection
Real-time alerting and active response

6. OSSEC Architecture
Agent components:
Logcollectord: Read logs (syslog, WMI, flat files)
Syscheckd: File integrity checking
Rootcheckd: Malware and rootkits detection
Agentd: Forwards data to the server
Server components:
Remoted: Receives data from agents
Analysisd: Processes data (main process)
Monitord: Monitor agents

7. ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous
Vulnerability Monitoring
• Authenticated / Unauthenticated
Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE/SIEM
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• File Integrity Monitoring
USM Platform
Integrated, Essential Security Controls

8. AlienVault USM Architecture
Embedded tools:
Asset discovery: Nmap, Prads
Behavioral monitoring: Netflow, Ntop, Nagios
Threat detection: Snort, Suricata, OSSEC
Vulnerability assessment: OpenVas
External collectors:
Syslog
WMI
SDEE

9. AlienVault Event Correlation
AlienVault USM correlates events from multiple sources, crossing OSSEC alerts
with information collected from embedded detectors and external sources.

10. OSSEC Management Interface
• Status monitor
• Events viewer
• Agents control manager
• Configuration manager
• Rules viewer/editor
• Logs viewer
• Server control manager
• Deployment manager
• Rules viewer/editor
AlienVault USM provides a comprehensive GUI for OSSEC alerts management:

11. Let’s See It In Action

12. 888.613.6023
ALIENVAULT.COM
CONTACT US
HELLO@ALIENVAULT.COM
Test Drive AlienVault USM
Download a Free 30-Day Trial
http://www.alienvault.com/free-trial
Try our Interactive Demo Site
http://www.alienvault.com/live-demo-site
Now for some Q&A..
Questions? Hello@AlienVault.com
Twitter : @alienvault