SIEM FOR BEGINNERS
Or: "Everything You Wanted to Know About Log Management But Were Afraid to Ask"
WWW.ALIENVAULT.COM
A ROSE BY ANY OTHER NAME:
SLM/LMS, SIM, SEM,SEC, SIEM
Although the industry has settled on the term 'SIEM' as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies before it.
LMS – "Log Management System" – a system that collects and stores log files (from operating systems, applications, etc.) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually.
SLM / SEM – "Security Log/Event Management" – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting the log entries that are more significant to security than others.
SIM – "Security Information Management" – an asset management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries; intrusion detection and antivirus alerts may be shown mapped to the systems involved.
SEC – "Security Event Correlation" – to a particular piece of software, three failed login attempts to the same user account from three different clients are just three lines in its log file. To an analyst, that is a peculiar sequence of events worthy of investigation, and log correlation (looking for patterns in log files) is a way to raise alerts when these things happen.
SIEM – "Security Information and Event Management" – SIEM is the "all of the above" option; as the technologies above merged into single products, it became the generalized term for managing information generated from security controls and infrastructure. We'll use the term SIEM for the rest of this presentation.
Q: WHAT'S IN THE LOGS? WHAT'S IN THE LOGS?!!
A: The information you need to answer "Who's attacking us today?" and "How did they get access to all our corporate secrets?"
We may think of security controls as containing all the information we need to do security, but often they only contain the things they have detected – there is no 'before and after the event' context within them.
This context is usually vital to separate the false positive from the true detection, the actual attack from a merely misconfigured system.
Successful attacks on computer systems rarely look like real attacks except in hindsight – if this were not the case, we could automate ALL security defenses without ever needing to employ human analysts.
Attackers will try to remove and falsify log entries to cover their tracks – having a source of log information that can be trusted is vital to any legal proceeding arising from computer misuse.
THE BLIND MEN AND THE SECURITY INFORMATION ELEPHANT
SIEM is about looking at what's happening on your network through a larger lens than any one security control or information source can provide.
• Your intrusion detection only understands packets, protocols and IP addresses.
• Your endpoint security sees files, usernames and hosts.
• Your service logs show user logins, service activity and configuration changes.
• Your asset management system sees apps, business processes and owners.
None of these by themselves can tell you what is happening to *your business* in terms of securing the continuity of your business processes – but together, they can…
SIEM: A SINGLE VIEW OF YOUR IT SECURITY
SIEM is essentially nothing more than a management layer above your existing systems and security controls.
It connects and unifies the information contained in your existing systems, allowing them to be analyzed and cross-referenced from a single interface.
SIEM is a perfect example of the 'Garbage In, Garbage Out' principle of computing: a SIEM is only as useful as the information you put into it.
The more valid information depicting your network, systems and behavior the SIEM has, the more effective it will be in helping you make effective detections, analysis and response in your security operations.
HALF A POUND OF LOGS, A CUP OF ASSET RECORDS….
Log collection is the heart and soul of a SIEM – the more log sources that send logs to the SIEM, the more that can be accomplished with it.
Logs on their own rarely contain the information needed to understand their contents within the context of your business.
Security analysts have limited bandwidth to be familiar with every last system that your IT operation depends on.
With only the logs, all an analyst sees is "Connection from Host A to Host B".
Yet, to the administrator of that system, this becomes "Daily Activity Transfer from Point of Sales to Accounts Receivable".
The analyst needs this information to make a reasoned assessment of any security alert involving this connection.
The true value of logs is in correlation, to get actionable information.
SIEM RECIPES
A list of ingredients for a good SIEM deployment.
LOGS AND ALERTS:
Security Controls
• Intrusion Detection
• Endpoint Security (Antivirus, etc.)
• Data Loss Prevention
• VPN Concentrators
• Web Filters
• Honeypots
• Firewalls
Infrastructure
• Routers
• Switches
• Domain Controllers
• Wireless Access Points
• Application Servers
• Databases
• Intranet Applications
KNOWLEDGE:
Infrastructure Information
• Configuration
• Locations
• Owners
• Network Maps
• Vulnerability Reports
• Software Inventory
Business Information
• Business Process Mappings
• Points of Contact
• Partner Information
How a Log File is Generated in your Network
BEHOLD, THE POWER OF CORRELATION
Correlation is the process of matching events from systems (hosts, network devices, security controls, anything that sends logs to the SIEM).
Events from different sources can be combined and compared against each other to identify patterns of behavior invisible to individual devices…
They can also be matched against the information specific to *your* business.
Correlation allows you to automate detection of the things that should not occur on your network.
THE BEAUTY OF LOG CORRELATION
Log Correlation is the difference between:
"14:10 7/4/20110 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22"
and…
"An account belonging to Marketing connected to an Engineering system from an office desktop, on a day when nobody should be in the office"
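How that translation happens in practice, as an added Python example that is not AlienVault's code: the raw authentication event is joined with the "KNOWLEDGE" ingredients (account ownership, host roles, a business calendar) and a correlation directive turns the match into the analyst-readable sentence above. The departments, host roles, holiday calendar and the event itself are constructed for the example.

```python
"""Added example (not AlienVault's code): turn the raw authentication line
from the slide into the business-level statement by joining it with asset
knowledge. Departments, host roles and the holiday calendar are constructed."""
from datetime import date, datetime

# Constructed "KNOWLEDGE" ingredients: who owns an account, what each host is for.
ACCOUNT_DEPARTMENT = {"broberts": "Marketing"}
HOST_ROLE = {
    "10.100.52.105": {"name": "engineering build server", "department": "Engineering"},
    "10.10.8.22": {"name": "office desktop", "department": "Marketing"},
}
# Days nobody should be in the office: weekends plus constructed company holidays.
COMPANY_HOLIDAYS = {date(2011, 7, 4)}

# The slide's raw event, already split into normalized fields (constructed).
RAW_EVENT = {
    "timestamp": datetime(2011, 7, 4, 14, 10),
    "username": "broberts",
    "status": "success",
    "dest_ip": "10.100.52.105",
    "source_ip": "10.10.8.22",
}

UNKNOWN = {"name": "unknown host", "department": None}


def nobody_in_office(when: datetime) -> bool:
    """Business calendar check: weekend or company holiday."""
    return when.weekday() >= 5 or when.date() in COMPANY_HOLIDAYS


def enrich(event: dict) -> dict:
    """Attach the asset context an analyst would otherwise look up by hand."""
    return {
        **event,
        "account_department": ACCOUNT_DEPARTMENT.get(event["username"]),
        "source_asset": HOST_ROLE.get(event["source_ip"], UNKNOWN),
        "dest_asset": HOST_ROLE.get(event["dest_ip"], UNKNOWN),
        "out_of_hours": nobody_in_office(event["timestamp"]),
    }


def cross_department_access(event: dict):
    """Correlation directive: an account from one department successfully reaches
    another department's system on a day nobody should be in the office.
    Returns the analyst-readable finding, or None when nothing stands out."""
    e = enrich(event)
    acct_dept = e["account_department"]
    dest_dept = e["dest_asset"]["department"]
    if e["status"] != "success" or acct_dept is None or dest_dept is None:
        return None  # incomplete knowledge: don't guess, the rule stays quiet
    if acct_dept == dest_dept or not e["out_of_hours"]:
        return None
    return (f"An account belonging to {acct_dept} ({e['username']}) connected to "
            f"the {dest_dept} system '{e['dest_asset']['name']}' ({e['dest_ip']}) "
            f"from {e['source_asset']['name']} ({e['source_ip']}) on "
            f"{e['timestamp']:%Y-%m-%d}, a day when nobody should be in the office")


if __name__ == "__main__":
    print(cross_department_access(RAW_EVENT))
```

Note that the directive stays silent when the asset record is missing: without the knowledge ingredients the same event is just "a login", which is the point the slide makes.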
SLOW COOK FOR 8 HOURS, SERVE TO HUNGRY ANALYSTS….
Your network generates vast amounts of log data – a Fortune 500 enterprise's infrastructure can generate 10 terabytes of plain-text log data per month, without breaking a sweat.
You can't hire enough people to read every line of those logs looking for bad stuff. I'm serious, don't even try this. Even if you succeeded, they'd be so bored they'd never actually spot anything even if it was right in front of their face. Which it would be.
Log correlation lets you locate the interesting places in your logs – that's where the analysts start investigating from…
…and they're going to find pieces of information that lead to other pieces of information as the trail of evidence warms up.
Being able to search through the rest of those logs for that one thing they suspect resides there is one of the other key functions of a SIEM.
It's a good thing that a SIEM is fundamentally a…
…GIANT DATABASE OF LOGS.
It would be amazingly useful if every operating system and every application in the world recorded their log events in the same format – they don't. Most logs are written to be readable by humans, not computers.
That makes using regular search tools over logs from different sources… a little difficult.
These two logs say the same thing to a human being, but are very different from the machine's point of view.
"User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22"
"100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success"
Long story short – we're going to need to break down every known log message out there into a normalized format.
"User [USERNAME] [STATUS] Authenticated to [DESTIP] from client [SOURCEIP]"
"100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success"
So when you see a SIEM product that talks about "how many devices it supports" – it's talking about how many devices it can parse the logs from.
SEARCHES, PIVOTING, AND CROSS-CORRELATION
Breaking those log entries down into their components – normalizing them – is what allows us to search across logs from multiple devices, and correlate events between them.
Once we've normalized logs into a database table, we can do database-style searches, such as:
"Show [All Logs] From [All Devices] from the [last two weeks], where the [username] is [Broberts]"
This is what allows us to do automated correlation as well, matching fields between log events, across time periods, across device types.
"If a single host fails to log in to three separate servers using the same credentials, within a 6-second time window, raise an alert"
Just as with any database, event normalization allows the creation of report summarizations of our log information:
"What user accounts have accessed the highest number of distinct hosts in the last month?"
"What subnet generates the highest number of failed login attempts per day, averaged out over 6 months?"
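The normalization step from the previous slide and the search, report and correlation rule on this one, as one added Python example that is not AlienVault's code: the two vendor formats are parsed onto the single schema (username, status, destination, source), then a field search, a "distinct hosts per account" report and the "three servers within six seconds" rule (the same pattern the SEC definition describes) run over constructed log lines. Timestamps, hosts and the unsupported printer line are constructed.

```python
"""Added example (not AlienVault's code): normalize two vendor log formats
into common fields, then run a database-style search, a report and the
"three servers in six seconds" correlation rule from the slides over them.
Sample log lines and timestamps are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each vendor format gets its own pattern; every pattern yields the same
# normalized field names, which is what makes cross-device search possible.
PATTERNS = [
    re.compile(r"User (?P<username>\S+) (?P<status>\w+) Authenticated to "
               r"(?P<dest_ip>[\d.]+) from client (?P<source_ip>[\d.]+)"),
    re.compile(r"(?P<dest_ip>[\d.]+) New Client Connection (?P<source_ip>[\d.]+) "
               r"on account: (?P<username>\w+): (?P<status>\w+)"),
]

# Constructed sample: the same kind of event in two formats, plus one line
# from a device no parser understands.
SAMPLE = [
    ("2011-07-04 09:00:00", "User JSmith Successfully Authenticated to 10.100.52.110 from client 10.10.8.31"),
    ("2011-07-04 09:05:00", "10.100.52.111 New Client Connection 10.10.8.31 on account: JSmith: Success"),
    ("2011-07-04 14:10:00", "User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22"),
    ("2011-07-04 14:10:01", "10.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success"),
    ("2011-07-04 14:12:00", "User Broberts Unsuccessfully Authenticated to 10.100.52.106 from client 10.10.8.50"),
    ("2011-07-04 14:12:02", "10.100.52.107 New Client Connection 10.10.8.50 on account: Broberts: Failure"),
    ("2011-07-04 14:12:04", "User Broberts Unsuccessfully Authenticated to 10.100.52.108 from client 10.10.8.50"),
    ("2011-07-04 14:12:20", "User Broberts Unsuccessfully Authenticated to 10.100.52.109 from client 10.10.8.50"),
    ("2011-07-04 14:13:00", "printer-01: print queue flushed"),
]


def normalize(timestamp: str, raw: str):
    """Map one raw line onto the common schema, or None if no parser matches
    (an 'unsupported device' in the SIEM vendor's sense)."""
    for pattern in PATTERNS:
        m = pattern.search(raw)
        if m:
            fields = m.groupdict()
            # Devices spell success differently; collapse to two values.
            fields["status"] = "success" if fields["status"].lower().startswith("success") else "failure"
            fields["username"] = fields["username"].lower()  # case-insensitive across devices
            fields["timestamp"] = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
            fields["raw"] = raw
            return fields
    return None


def load(lines):
    """Normalize a batch; returns (events, number of lines no parser understood)."""
    events, unparsed = [], 0
    for ts, raw in lines:
        ev = normalize(ts, raw)
        if ev is None:
            unparsed += 1
        else:
            events.append(ev)
    return events, unparsed


def search(events, **criteria):
    """'Show all logs from all devices where username is broberts': field equality."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def distinct_hosts_per_account(events):
    """Report: which accounts reached the most distinct hosts (successful logins only)."""
    hosts = defaultdict(set)
    for e in events:
        if e["status"] == "success":
            hosts[e["username"]].add(e["dest_ip"])
    return sorted(((u, len(h)) for u, h in hosts.items()), key=lambda x: (-x[1], x[0]))


def failed_fanout_alerts(events, min_hosts=3, window=timedelta(seconds=6)):
    """Rule: one source host fails against >= min_hosts distinct servers with the
    same account inside `window`. Returns one alert per (source, account)."""
    failures = sorted((e for e in events if e["status"] == "failure"), key=lambda e: e["timestamp"])
    by_key = defaultdict(list)
    for e in failures:
        by_key[(e["source_ip"], e["username"])].append(e)
    alerts = []
    for (src, user), evs in by_key.items():
        for i, first in enumerate(evs):
            targets = {first["dest_ip"]}
            for later in evs[i + 1:]:
                if later["timestamp"] - first["timestamp"] > window:
                    break  # sorted by time, so nothing further fits the window
                targets.add(later["dest_ip"])
            if len(targets) >= min_hosts:
                alerts.append({"source_ip": src, "username": user,
                               "start": first["timestamp"], "targets": sorted(targets)})
                break
    return alerts


if __name__ == "__main__":
    evs, dropped = load(SAMPLE)
    print(f"normalized {len(evs)} events, {dropped} unsupported line(s)")
    print(len(search(evs, username="broberts")), "events for broberts")
    print(distinct_hosts_per_account(evs))
    for a in failed_fanout_alerts(evs):
        print("ALERT:", a)
```

The fourth failure at 14:12:20 falls outside the 6-second window and is correctly left out of the alert, while the printer line is counted as unsupported rather than silently dropped.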
BUT WAIT, THERE’S MORE!
So you've now seen that SIEM is a recording device for the systems that form your information infrastructure.
SIEM allows you to give analysts access to information from these systems, without giving them access to the systems themselves.
Event correlation allows you to encode security knowledge into automated searches across events and asset information, to alert on things happening within your infrastructure and create a starting point for human analysis into a sea of log data.
But, to keep up with today's threat landscape you need more than just SIEM – you need relevant data, a unified approach and integrated threat intelligence to truly get a holistic view of your security posture.
OBLIGATORY PRODUCT PITCH TIME: AlienVault USM and OSSIM (the open-source version) are designed to include many data sources as part of the core product, and provide the threat intelligence to stay ahead.
MANY POINT SOLUTIONS… INTEGRATION ANYONE? OR AlienVault USM, powered by AV Labs Threat Intelligence
USM ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
ALIENVAULT USM BRINGS IT ALL TOGETHER
AlienVault USM starts at $3600
Feature                                              | AlienVault USM | Traditional SIEM
Log Management                                       | ✔              | ✔
Event Management                                     | ✔              | ✔
Event Correlation                                    | ✔              | ✔
Reporting                                            | ✔              | ✔
Asset Discovery                                      | ✔              | $$ *
Network IDS                                          | ✔              | $$ *
Host IDS                                             | ✔              | $$ *
Wireless IDS                                         | ✔              | $$ *
NetFlow                                              | ✔              | $$ *
Full Packet Capture                                  | ✔              | $$ *
Vulnerability Assessment                             | ✔              | $$ *
Continuous Threat Intelligence                       | ✔              | Not Available
Unified Console for Security monitoring technologies | ✔              | Not Available
* 3rd-party product that requires integration
Play, share, enjoy!
RECOMMENDED NEXT STEPS:
Learn more about our commercial offering
• Try AlienVault USM, free for 30 days
• Join us for a LIVE demo (hosted every Thursday)
Or try our open-source version
• Download OSSIM
Join the Open Threat Exchange (OTX), the world's largest crowd-sourced threat sharing repository.

Contenu connexe

Tendances

SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
Rizwan S
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 

Tendances (20)

SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 
What is SIEM
What is SIEMWhat is SIEM
What is SIEM
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
SIEM presentation final
SIEM presentation finalSIEM presentation final
SIEM presentation final
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
Siem solutions R&E
Siem solutions R&ESiem solutions R&E
Siem solutions R&E
 
SOC and SIEM.pptx
SOC and SIEM.pptxSOC and SIEM.pptx
SOC and SIEM.pptx
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Introduction to QRadar
Introduction to QRadarIntroduction to QRadar
Introduction to QRadar
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Q radar architecture deep dive
Q radar architecture   deep diveQ radar architecture   deep dive
Q radar architecture deep dive
 
Effective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)SIEM (Security Information and Event Management)
SIEM (Security Information and Event Management)
 
SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?SOC: Use cases and are we asking the right questions?
SOC: Use cases and are we asking the right questions?
 

Similaire à Beginner's Guide to SIEM

Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
karlhennesey
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product Brochure
Todd Helfrich
 
The potential of SIEM technology
The potential of SIEM technologyThe potential of SIEM technology
The potential of SIEM technology
vijay1926
 

Similaire à Beginner's Guide to SIEM (20)

SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
SIEM for Beginners: Everything You Wanted to Know About Log Management but We...
 
SIEM for Beginners
SIEM for BeginnersSIEM for Beginners
SIEM for Beginners
 
Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3Crypto sim_cryptolog_cryptospot_v3
Crypto sim_cryptolog_cryptospot_v3
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
 
Overall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docxOverall Security Process Review CISC 6621Agend.docx
Overall Security Process Review CISC 6621Agend.docx
 
SEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptxSEIM-Microsoft Sentinel.pptx
SEIM-Microsoft Sentinel.pptx
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
 
Ch11
Ch11Ch11
Ch11
 
Ch11 system administration
Ch11 system administration Ch11 system administration
Ch11 system administration
 
Changing the Security Monitoring Status Quo
Changing the Security Monitoring Status QuoChanging the Security Monitoring Status Quo
Changing the Security Monitoring Status Quo
 
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecMaceo Wattley Contributor Infosec
Maceo Wattley Contributor Infosec
 
SIEM vs EDR
SIEM vs EDRSIEM vs EDR
SIEM vs EDR
 
Anomali Product Brochure
Anomali Product BrochureAnomali Product Brochure
Anomali Product Brochure
 
The potential of SIEM technology
The potential of SIEM technologyThe potential of SIEM technology
The potential of SIEM technology
 
Introduction to SIEM.pptx
Introduction to SIEM.pptxIntroduction to SIEM.pptx
Introduction to SIEM.pptx
 
13 essential log_col_infog
13 essential log_col_infog13 essential log_col_infog
13 essential log_col_infog
 
Splunk for Security Workshop
Splunk for Security WorkshopSplunk for Security Workshop
Splunk for Security Workshop
 
Hands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout SessionHands on Security - Disrupting the Kill Chain Breakout Session
Hands on Security - Disrupting the Kill Chain Breakout Session
 
security onion
security onionsecurity onion
security onion
 

Plus de AlienVault

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
AlienVault
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
AlienVault
 

Plus de AlienVault (20)

Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and ExploitsMeltdown and Spectre - How to Detect the Vulnerabilities and Exploits
Meltdown and Spectre - How to Detect the Vulnerabilities and Exploits
 
Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?Malware Invaders - Is Your OS at Risk?
Malware Invaders - Is Your OS at Risk?
 
How to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVaultHow to Solve Your Top IT Security Reporting Challenges with AlienVault
How to Solve Your Top IT Security Reporting Challenges with AlienVault
 
Simplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USMSimplify PCI DSS Compliance with AlienVault USM
Simplify PCI DSS Compliance with AlienVault USM
 
Insider Threat Detection Recommendations
Insider Threat Detection RecommendationsInsider Threat Detection Recommendations
Insider Threat Detection Recommendations
 
Alienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworksAlienvault threat alerts in spiceworks
Alienvault threat alerts in spiceworks
 
Open Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's GuideOpen Source IDS Tools: A Beginner's Guide
Open Source IDS Tools: A Beginner's Guide
 
Malware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usmMalware detection how to spot infections early with alien vault usm
Malware detection how to spot infections early with alien vault usm
 
Security operations center 5 security controls
 Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
Improve threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usmImprove threat detection with hids and alien vault usm
Improve threat detection with hids and alien vault usm
 
The State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHICThe State of Incident Response - INFOGRAPHIC
The State of Incident Response - INFOGRAPHIC
 
Incident response live demo slides final
Incident response live demo slides finalIncident response live demo slides final
Incident response live demo slides final
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
Improve Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation DirectivesImprove Security Visibility with AlienVault USM Correlation Directives
Improve Security Visibility with AlienVault USM Correlation Directives
 
How Malware Works
How Malware WorksHow Malware Works
How Malware Works
 
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than EverNew USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
New USM v5.0 - Get Complete Security Visibility Faster & Easier Than Ever
 
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
New OSSIM v5.0 - Get Security Visibility Faster & Easier Than Ever
 
AWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & ResponseAWS Security Best Practices for Effective Threat Detection & Response
AWS Security Best Practices for Effective Threat Detection & Response
 
Improve Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USMImprove Threat Detection with OSSEC and AlienVault USM
Improve Threat Detection with OSSEC and AlienVault USM
 

Dernier

Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Monica Sydney
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
ydyuyu
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
ayvbos
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
ayvbos
 

Dernier (20)

Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
2nd Solid Symposium: Solid Pods vs Personal Knowledge Graphs
 
Call girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girlsCall girls Service in Ajman 0505086370 Ajman call girls
Call girls Service in Ajman 0505086370 Ajman call girls
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi EscortsRussian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
Russian Escort Abu Dhabi 0503464457 Abu DHabi Escorts
 
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
哪里办理美国迈阿密大学毕业证(本硕)umiami在读证明存档可查
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni  9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
一比一原版(Flinders毕业证书)弗林德斯大学毕业证原件一模一样
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
一比一原版(Curtin毕业证书)科廷大学毕业证原件一模一样
 
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
20240510 QFM016 Irresponsible AI Reading List April 2024.pdf
 

Beginner's Guide to SIEM

  • 1. Or: “Everything You Wanted to Know About Log Management But were Afraid to Ask” WWW.ALIENVAULT.COM SIEM FOR BEGINNERS
  • 2. A ROSE BY ANY OTHER NAME: SLM/LMS, SIM, SEM,SEC, SIEM Although the industry has settled on the term „SIEM‟ as the catch-all term for this type of security software, it evolved from several different (but complementary) technologies before it. LMS - “Log Management System” – a system that collects and store Log Files (from Operating Systems, Applications, etc) from multiple hosts and systems into a single location, allowing centralized access to logs instead of accessing them from each system individually. SLM /SEM– “Security Log/Event Management” – an LMS, but marketed towards security analysts instead of system administrators. SEM is about highlighting log entries as more significant to security than others. SIM – “Security Information Management” - an Asset Management system, but with features to incorporate security information too. Hosts may have vulnerability reports listed in their summaries, Intrusion Detection and AntiVirus alerts may be shown mapped to the systems involved. SEC - “Security Event Correlation” – To a particular piece of software, three failed login attempts to the same user account from three different clients, are just three lines in their logfile. To an analyst, that is a peculiar sequence of events worthy of investigation, and Log Correlation (looking for patterns in log files) is a way to raise alerts when these things happen. SIEM – “Security Information and Event Management” – SIEM is the “All of the Above” option, and as the above technologies become merged into single products, became the generalized term for managing information generated from security controls and infrastructure. We‟ll use the term SIEM for the rest of this presentation.
  • 3. Q: WHAT’S IN THE LOGS? WHAT’S IN THE LOGS?!! A: The Information you need to answer “Who’s attacking us today?” and “How did they get access to all our corporate secrets? We may think of Security Controls as containing all the information we need to do security, but often they only contain the things they have detected – there is no „before and after the event‟ context within them. This context is usually vital to separate the false positive from true detection, the actual attack from merely a misconfigured system. Successful attacks on computer systems rarely look like real attacks except in hindsight – if this were not the case, we could automate ALL security defenses without ever needing to employ human analysts. Attackers will try to remove and falsify log entries to cover their tracks – having a source of log information that can be trusted is vital to any legal proceeding from computer misuse.
  • 4. THE BLIND MEN AND THE SECURITY INFORMATION ELEPHANT SIEM is about looking at what‟s happening on your network through a larger lens than can be provided via any one security control or information source. Your Intrusion Detection only understands Packets, Protocols and IP Addresses Your Endpoint Security sees files, usernames and hosts Your Service Logs show user logins, service activity and configuration changes. Your Asset Management system sees apps, business processes and owners None of these by themselves, can tell you what is happening to *your business* in terms of securing the continuity of your business processes – but together, they can…
• 5. SIEM: A SINGLE VIEW OF YOUR IT SECURITY
SIEM is, essentially, nothing more than a management layer above your existing systems and security controls. It connects and unifies the information contained in your existing systems, allowing them to be analyzed and cross-referenced from a single interface.
SIEM is a perfect example of the ‘Garbage In, Garbage Out’ principle of computing: SIEM is only as useful as the information you put into it. The more valid information depicting your network, systems and behavior the SIEM has, the more effective it will be in helping you make effective detections, analysis and response in your security operations.
• 7. HALF A POUND OF LOGS, A CUP OF ASSET RECORDS….
Log collection is the heart and soul of a SIEM – the more log sources that send logs to the SIEM, the more that can be accomplished with the SIEM.
• Logs on their own rarely contain the information needed to understand their contents within the context of your business
• Security analysts have limited bandwidth to be familiar with every last system that your IT operation depends on
• With only the logs, all an analyst sees is “Connection from Host A to Host B”. Yet, to the administrator of that system, this becomes “Daily Activity Transfer from Point of Sales to Accounts Receivable”. The analyst needs this information to make a reasoned assessment of any security alert involving this connection.
The true value of logs is in correlating them to get actionable information.
• 8. SIEM RECIPES
A list of ingredients to have a good SIEM deployment
LOGS AND ALERTS:
Security Controls: Intrusion Detection, Endpoint Security (Antivirus, etc.), Data Loss Prevention, VPN Concentrators, Web Filters, Honeypots, Firewalls
Infrastructure: Routers, Switches, Domain Controllers, Wireless Access Points, Application Servers, Databases, Intranet Applications
KNOWLEDGE:
Infrastructure Information: Configuration, Locations, Owners, Network Maps, Vulnerability Reports, Software Inventory
Business Information: Business Process Mappings, Points of Contact, Partner Information
  • 9. How a Log File is Generated in your Network
• 10. BEHOLD, THE POWER OF CORRELATION
Correlation is the process of matching events from systems (hosts, network devices, security controls, anything that sends logs to the SIEM).
Events from different sources can be combined and compared against each other to identify patterns of behavior invisible to individual devices… They can also be matched against the information specific to *your* business.
Correlation allows you to automate detection for the things that should not occur on your network.
• 11. THE BEAUTY OF LOG CORRELATION
Log Correlation is the difference between:
“14:10 7/4/20110 User BRoberts Successful Auth to 10.100.52.105 from 10.10.8.22”
and…
“An Account belonging to Marketing connected to an Engineering System from an office desktop, on a day when nobody should be in the office”
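What that translation looks like in code, as an added example that is not from the slides or from AlienVault's product: the raw login line, already broken into fields, is joined against asset records, a directory mapping of accounts to departments and an office calendar, and every mismatch between the raw fields and the business context becomes a finding. The same enrichment turns the “Connection from Host A to Host B” of slide 7 into a business-level sentence. The asset records, host names, departments and the holiday date are all constructed sample data, assumed for this example.

```python
from datetime import datetime

# Constructed sample data standing in for the "KNOWLEDGE" ingredients of a
# SIEM: asset records, directory data and a business calendar. This is not
# AlienVault's data model; every name and address here is hypothetical.
ASSETS = {
    "10.100.52.105": {"name": "eng-build-01", "role": "Engineering system",
                      "owner": "Engineering", "kind": "server"},
    "10.10.8.22": {"name": "mkt-desk-17", "role": "office desktop",
                   "owner": "Marketing", "kind": "workstation"},
}
ACCOUNT_DEPARTMENT = {"broberts": "Marketing"}   # from the directory (constructed)
OFFICE_CLOSED = {datetime(2011, 7, 4).date()}    # hypothetical holiday
UNKNOWN = {"role": "unknown host", "owner": "unknown", "kind": "unknown"}


def enrich(event):
    """Attach asset and business context to one normalized auth event.

    Returns (sentence, findings): the analyst-readable sentence from the
    slide, plus the list of context mismatches that make it interesting.
    An event with no mismatches is the boring "daily activity" case.
    """
    src = ASSETS.get(event["source_ip"], dict(UNKNOWN, name=event["source_ip"]))
    dst = ASSETS.get(event["dest_ip"], dict(UNKNOWN, name=event["dest_ip"]))
    dept = ACCOUNT_DEPARTMENT.get(event["username"].lower(), "unknown department")
    closed_day = event["time"].date() in OFFICE_CLOSED

    findings = []
    if dept != dst["owner"]:
        findings.append(f"account from {dept} used on a system owned by {dst['owner']}")
    if src["kind"] == "workstation" and closed_day:
        findings.append("office desktop active on a day nobody should be in the office")

    sentence = (f"An account belonging to {dept} connected to {dst['role']} "
                f"{dst['name']} from {src['role']} {src['name']}"
                + (", on a day when nobody should be in the office" if closed_day else ""))
    return sentence, findings


# The raw line from the slide, already normalized into fields.
EVENT = {
    "time": datetime(2011, 7, 4, 14, 10),
    "username": "BRoberts",
    "status": "success",
    "dest_ip": "10.100.52.105",
    "source_ip": "10.10.8.22",
}

if __name__ == "__main__":
    sentence, findings = enrich(EVENT)
    print(sentence)
    for finding in findings:
        print(" -", finding)
```

The findings list is what a correlation rule would score on; the sentence is what the analyst reads. Both come from the asset and business records, not from the log line itself, which is the whole point of slide 7.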
• 12. SLOW COOK FOR 8 HOURS, SERVE TO HUNGRY ANALYSTS….
Your network generates vast amounts of log data – a Fortune 500 enterprise’s infrastructure can generate 10 Terabytes of plain-text log data per month, without breaking a sweat.
You can’t hire enough people to read every line of those logs looking for bad stuff. I’m serious, don’t even try this. Even if you succeeded, they’d be so bored they’d never actually spot anything even if it was right in front of their face… which it would be.
Log Correlation lets you locate the interesting places in your logs – that’s where the analysts start investigating from… and they’re going to find pieces of information that lead to other pieces of information as the trail of evidence warms up.
Being able to search through the rest of those logs for that one thing they suspect resides there is one of the other key functions of a SIEM…. It’s a good thing that a SIEM is fundamentally a…..
• 13. …..GIANT DATABASE OF LOGS.
It would be amazingly useful if every operating system and every application in the world recorded their log events in the same format – they don’t. Most logs are written to be readable by humans, not computers. That makes using regular search tools over logs from different sources… a little difficult.
These two logs say the same thing to a human being, but are very different from the machine’s point of view:
“User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22”
“100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success”
Long story short – we’re going to need to break down every known log message out there into a normalized format:
“User [USERNAME] [STATUS] Authenticated to [DESTIP] from client [SOURCEIP]”
“100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success”
So when you see a SIEM product that talks about “how many devices it supports” – it’s talking about how many devices it can parse the logs from.
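As an added example (not code from the slides or from AlienVault), here is a minimal normalizer for the two lines above: one regular expression per device type, with named groups matching the [USERNAME], [STATUS], [DESTIP] and [SOURCEIP] fields from the slide, and a status vocabulary that maps the products' different spellings of “success” onto one value. The device type names and the third, unparseable sample line are assumptions made for the example; the size of the pattern table is exactly the “how many devices it supports” number.

```python
import re

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# One regex per device type. The named groups are the normalized field names
# from the slide. The device type labels are hypothetical; in a real SIEM this
# table is the list of "devices supported".
PATTERNS = {
    "vpn-concentrator": re.compile(
        rf"User (?P<USERNAME>\S+) (?P<STATUS>Successfully|Unsuccessfully) Authenticated "
        rf"to (?P<DESTIP>{IP}) from client (?P<SOURCEIP>{IP})"),
    "app-server": re.compile(
        rf"(?P<DESTIP>{IP}) New Client Connection (?P<SOURCEIP>{IP}) "
        rf"on account: (?P<USERNAME>[^:]+): (?P<STATUS>Success|Failure)"),
}

# Different products spell the outcome differently; map all of them onto one
# vocabulary so that searches and correlation rules can compare the field.
STATUS = {"Successfully": "success", "Success": "success",
          "Unsuccessfully": "failure", "Failure": "failure"}


def normalize(line):
    """Return a normalized event dict, or None if no parser matches the line."""
    for device, pattern in PATTERNS.items():
        m = pattern.search(line)
        if m:
            return {
                "device_type": device,
                "username": m["USERNAME"].lower(),  # case-fold so "Broberts" == "broberts"
                "status": STATUS[m["STATUS"]],
                "dest_ip": m["DESTIP"],
                "source_ip": m["SOURCEIP"],
                "raw": line,                        # keep the original line as evidence
            }
    return None


def normalize_all(lines):
    """Normalize a batch; return (events, unparsed) so parser coverage gaps stay visible."""
    events, unparsed = [], []
    for line in lines:
        event = normalize(line)
        if event:
            events.append(event)
        else:
            unparsed.append(line)
    return events, unparsed


# The two lines from the slide, plus one constructed line from a device type
# this parser table does not know about.
SAMPLE_LOGS = [
    "User Broberts Successfully Authenticated to 10.100.52.105 from client 10.10.8.22",
    "100.100.52.105 New Client Connection 10.10.8.22 on account: Broberts: Success",
    "kernel: eth0: link up, 1000Mbps, full-duplex",
]

if __name__ == "__main__":
    events, unparsed = normalize_all(SAMPLE_LOGS)
    for event in events:
        print(event["device_type"], event["username"], event["status"],
              event["source_ip"], "->", event["dest_ip"])
    print("unparsed:", unparsed)
```

Keeping the unparsed lines rather than silently dropping them matters: a log source whose messages never match any pattern contributes nothing to correlation, and the only way to notice is to count what fell through.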
• 14. SEARCHES, PIVOTING, AND CROSS-CORRELATION
Breaking those log entries down into their components – normalizing them – is what allows us to search across logs from multiple devices, and correlate events between them.
Once we’ve normalized logs into a database table, we can do database-style searches, such as:
“Show [All Logs] From [All Devices] from the [last two weeks], where the [username] is [Broberts]”
This is what allows us to do automated correlation as well, matching fields between log events, across time periods, across device types:
“If a single host fails to log in to three separate servers using the same credentials, within a 6-second time window, raise an alert”
Just as with any database, event normalization allows the creation of report summarizations of our log information:
“What user accounts have accessed the highest number of distinct hosts in the last month?”
“Which subnet generates the highest number of failed login attempts per day, averaged out over 6 months?”
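The three kinds of query on this slide, as an added example that is not from the slides or from AlienVault: a field search, the 6-second / three-server failed-login rule as a sliding window over normalized events, and the “distinct hosts per account” report. The events are constructed sample data with hypothetical hosts and accounts, already broken into the fields the slide names, so the example runs without any log source.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized events (hypothetical hosts and accounts). Times are
# relative to T0 so the 6-second window in the rule is easy to follow.
T0 = datetime(2011, 7, 4, 14, 10, 0)
LAST_TWO_WEEKS = T0 - timedelta(days=14)
LAST_MONTH = T0 - timedelta(days=30)


def _ev(offset, username, status, source_ip, dest_ip):
    return {"time": T0 + offset, "username": username, "status": status,
            "source_ip": source_ip, "dest_ip": dest_ip}


EVENTS = [
    # one desktop trying the same credentials against three servers within 5 s
    _ev(timedelta(seconds=0), "broberts", "failure", "10.10.8.22", "10.100.52.105"),
    _ev(timedelta(seconds=2), "broberts", "failure", "10.10.8.22", "10.100.52.106"),
    _ev(timedelta(seconds=5), "broberts", "failure", "10.10.8.22", "10.100.52.107"),
    _ev(timedelta(seconds=20), "broberts", "failure", "10.10.8.22", "10.100.52.108"),
    _ev(timedelta(seconds=60), "broberts", "success", "10.10.8.22", "10.100.52.105"),
    # a second host with only two failures: below the threshold, no alert
    _ev(timedelta(seconds=0), "jdoe", "failure", "10.10.9.3", "10.100.52.105"),
    _ev(timedelta(seconds=1), "jdoe", "failure", "10.10.9.3", "10.100.52.106"),
    # normal activity on other days, for the report
    _ev(timedelta(days=-1), "jdoe", "success", "10.10.9.3", "10.100.52.105"),
    _ev(timedelta(days=-1, hours=1), "jdoe", "success", "10.10.9.3", "10.100.52.106"),
    _ev(timedelta(days=-40), "jdoe", "success", "10.10.9.3", "10.100.52.110"),
]


def search(events, since, **where):
    """'Show all logs from all devices since <date> where <field> is <value>'."""
    return [e for e in events
            if e["time"] >= since and all(e.get(k) == v for k, v in where.items())]


def failed_logins_across_servers(events, min_servers=3, window_seconds=6):
    """The correlation rule from the slide: one source host fails to log in to
    at least min_servers distinct servers with the same credentials inside the
    window. Sliding window per (source_ip, username); one alert per pair."""
    window = timedelta(seconds=window_seconds)
    failures = sorted((e for e in events if e["status"] == "failure"), key=lambda e: e["time"])
    by_pair = defaultdict(list)
    for e in failures:
        by_pair[(e["source_ip"], e["username"])].append(e)

    alerts = []
    for (src, user), evs in by_pair.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1                       # slide the window forward
            servers = {e["dest_ip"] for e in evs[start:end + 1]}
            if len(servers) >= min_servers:
                alerts.append({"source_ip": src, "username": user,
                               "servers": sorted(servers),
                               "window_start": evs[start]["time"],
                               "window_end": evs[end]["time"]})
                break                            # one alert per pair, not an alert storm
    return alerts


def distinct_hosts_per_user(events, since):
    """Report: which accounts accessed the most distinct hosts since <date>."""
    hosts = defaultdict(set)
    for e in events:
        if e["status"] == "success" and e["time"] >= since:
            hosts[e["username"]].add(e["dest_ip"])
    return sorted(((u, len(h)) for u, h in hosts.items()), key=lambda x: (-x[1], x[0]))


if __name__ == "__main__":
    for alert in failed_logins_across_servers(EVENTS):
        print("ALERT:", alert)
    print("distinct hosts per user:", distinct_hosts_per_user(EVENTS, LAST_MONTH))
    print("broberts events, last two weeks:",
          len(search(EVENTS, LAST_TWO_WEEKS, username="broberts")))
```

All three functions work only because every event carries the same field names regardless of which device produced it; change the window or threshold and the rule's sensitivity changes without touching any parser.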
• 15. BUT WAIT, THERE’S MORE!
So you’ve now seen that SIEM is a recording device for the systems that form your information infrastructure.
SIEM allows you to give analysts access to information from these systems, without giving them access to the systems themselves.
Event Correlation allows you to encode security knowledge into automated searches across events and asset information, to alert on things happening within your infrastructure and create a starting point for human analysis into a sea of log data.
But, to keep up with today’s threat landscape you need more than just SIEM – you need relevant data, a unified approach and integrated threat intelligence to truly get a holistic view of your security posture.
OBLIGATORY PRODUCT PITCH TIME: AlienVault USM and OSSIM (open-source version) are designed to include many data sources as part of the core product and provide the threat intelligence to stay ahead.
  • 16. MANY POINT SOLUTIONS…INTEGRATION ANYONE? OR AlienVault USM
• 17. ALIENVAULT USM BRINGS IT ALL TOGETHER
USM, powered by AV Labs Threat Intelligence
ASSET DISCOVERY • Active Network Scanning • Passive Network Scanning • Asset Inventory • Host-based Software Inventory
VULNERABILITY ASSESSMENT • Continuous Vulnerability Monitoring • Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING • Log Collection • Netflow Analysis • Service Availability Monitoring
SECURITY INTELLIGENCE • SIEM Event Correlation • Incident Response
THREAT DETECTION • Network IDS • Host IDS • Wireless IDS • File Integrity Monitoring
AlienVault USM starts at $3600
• 18. Features: AlienVault USM vs. Traditional SIEM
Feature                                              | AlienVault USM | Traditional SIEM
Log Management                                       | ✔              | ✔
Event Management                                     | ✔              | ✔
Event Correlation                                    | ✔              | ✔
Reporting                                            | ✔              | ✔
Asset Discovery                                      | ✔              | $$ 3rd-party product that requires integration
Network IDS                                          | ✔              | $$ 3rd-party product that requires integration
Host IDS                                             | ✔              | $$ 3rd-party product that requires integration
Wireless IDS                                         | ✔              | $$ 3rd-party product that requires integration
NetFlow                                              | ✔              | $$ 3rd-party product that requires integration
Full Packet Capture                                  | ✔              | $$ 3rd-party product that requires integration
Vulnerability Assessment                             | ✔              | $$ 3rd-party product that requires integration
Continuous Threat Intelligence                       | ✔              | Not Available
Unified Console for Security monitoring technologies | ✔              | Not Available
• 19. Play, share, enjoy!
RECOMMENDED NEXT STEPS:
Learn more about our commercial offering
• Try AlienVault USM, free for 30 days
• Join us for a LIVE Demo (hosted every Thursday)
Or try our Open Source version
• Download OSSIM
Join the Open Threat Exchange (OTX), the world’s largest crowd-sourced threat sharing repository.