Sensor Apps and AlienApps™ · 2020-04-29 · Response Apps have to ability to execute App Actions...


Page 1

Module 4

Sensor Apps and AlienApps™

Page 2

4-2 AlienVault USM Anywhere: Getting Started Rev A Copyright© 2017 AlienVault. All rights reserved.

In this module we will cover the following objectives:

• We will define the functionality of Sensor Apps and AlienApps
• We will review examples of some existing Sensor Apps and AlienApps
• We will demonstrate use cases for an AlienApp in USM Anywhere

Page 3


Organizations find themselves trapped in a “threat cycle”. As threats continue to evolve, organizations keep acquiring more and more point solutions to address the latest threat. With each new point solution brought on, the organization may have addressed the discrete problem from that particular threat, but the next threat that arises will require yet one more point solution. They remain stuck in the threat cycle. Organizations need a way out.

Point solutions, by their very nature, are disconnected from each other, each requiring separate orchestration and management capabilities. The integration of these point solutions takes time and resources that most organizations don’t have. These organizations need help integrating their security tools to deliver better security outcomes -- namely, timely and effective threat detection and incident response.

Page 4


First we will define the two different types of Apps available in USM Anywhere and how they differ from each other.

Sensor Apps provide core sensor functionality in USM Anywhere. This includes the discovery of Assets, finding Vulnerabilities through Asset scanning as well as Host and Network Intrusion Detection through log collection and network packet sniffing.

AlienApps are focused on adding extensibility to USM Anywhere, allowing for integration with other systems and applications in your ecosystem. We will be providing further detail on this later in the module.

Page 5


One example of a sensor app is our network IDS.

If we select this app, we see the status of our interfaces and whether or not they are receiving data. As we scroll down we can also see the status of each interface, the alerts generated, the ICMP, UDP and TCP packet counts, and the total packets processed. If we wanted to disable the app, we could use the button in the upper right hand corner. We might do this because of scheduled maintenance or some other event for which we wanted to pause data collection.

Page 6


AlienApps are modular software components tightly integrated into the USM Anywhere platform that deliver technology quickly through the platform to extend, orchestrate, and automate functionality between the built-in security controls in USM Anywhere and other tools that IT security teams utilize, simplifying and accelerating threat detection and incident response processes.

The extensible and flexible AlienApp architecture in USM Anywhere enables AlienVault to quickly add new security technologies to keep you ahead of the changing threat landscape and to significantly improve your threat detection and response capabilities.

Advanced security orchestration capabilities deliver automated and user-initiated actions or responses when threats are detected by USM Anywhere, shortening the time between detection and response.

Data enrichment and analytics help you capture, analyze, visualize, and respond to threats, improving your visibility into the latest threats and improving the signal-to-noise ratio for better prioritization of the threats which demand immediate attention.

Page 7


The AlienApps tab lists all AlienApps currently available on your USM Anywhere Deployment. This list will continue to grow as more and more AlienApps are created.

Clicking on any of the AlienApps will bring you to a configuration and status screen where you can:
• Enable and disable the AlienApp
• Check the current status of the AlienApp
• Configure credentials so that the AlienApp can connect to the 3rd party solution
• Check the Actions that are available to be executed as a scheduled job, a one-off action or as part of an Orchestration Rule
• Check the History of Actions executed by this AlienApp and when they completed

Page 8


Each App can be categorized as a “Detection” App, a “Response” App, or both, depending on the App’s functionality.

Response Apps have the ability to execute App Actions, providing a workflow that coordinates response actions with the infrastructure and third-party applications to deliver security orchestration.

AlienApps that are associated with technology from third parties (e.g. the AlienApp for Cisco Umbrella) as well as Sensor Apps that are contained within the USM Anywhere platform (e.g. the Forensics and Response App) can have actions that meet one, none or both of these criteria.

We will now look at some examples of Detection and Response that exist for our AlienApps.

Office 365 - https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-office365.htm

The Office 365 AlienApp is solely a Detection App which allows you to retrieve information about user, administration, system, and policy actions and events from Office 365. There are no actions that can be leveraged via this AlienApp.

ServiceNow - https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-servicenow-config.htm

ServiceNow Service Management is a cloud-based incident management tool with built-in ITIL best practices.

The AlienApp is a Response App which can create Incidents (tickets) in ServiceNow so that they can be tracked and worked using ITIL best practice. All Incidents created are also tracked on the USM Anywhere interface.

Page 9


Cisco Umbrella - https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-cisco-umbrella-config.htm

Cisco Umbrella is a cloud-delivered security service for the Cisco Integrated Services Router (ISR). It offers visibility and enforcement at the DNS layer, so you can block requests to malicious domains and IPs before a connection is ever made.

The AlienApp ingests data from Cisco Umbrella to USM Anywhere for analysis and allows actions to be triggered within Cisco Umbrella based on risk identified from USM Anywhere. This is one of a few examples of an AlienApp that delivers both Detection and Response in the same App.

Page 10


An App Action is a Detection or Response function of a Sensor App or an AlienApp that can be triggered in several different ways.

Many Detection Apps have associated scheduled jobs that are automatically created. These jobs will trigger an App to go out and retrieve environmental details, logs and so on so they can be analyzed by USM Anywhere. An example of this would be the “Scan Audit Exchange Events” in the Office 365 AlienApp.

You have the option to create your own scheduled jobs to trigger any App Actions available for the Sensor Apps or AlienApps that you have configured in your environment, to suit your own particular needs.

You can trigger an App Action on a one-off basis directly from an Alarm, Asset or Vulnerability in your USM Anywhere deployment. A typical use case for this might be the creation of a ServiceNow incident so that a particular issue can be tracked and worked. Another example would be the Asset Scanner and Authenticated Asset Scanner Sensor Apps, which can be triggered directly against an Asset or Asset Group.

Finally, you also have the option to trigger an App Action as a response to a specific set of circumstances in your environment. For example, if an event or alarm shows ransomware traffic coming from a malicious domain, an Action could be triggered to send the details directly to Cisco Umbrella, telling it to block DNS requests to that domain and preventing further traffic from entering your network.

Page 11


We will now look at how Sensor Apps can be leveraged to aid in Detection and Response.

In this example we have received a System Compromise Alarm for one of our Windows Assets.

We initially use the Forensics And Response App to query the compromised asset for a list of logged-on users, and in return we receive an event listing all the requested information.

Once we have this information and are confident that there is indeed a viable threat, we can issue an Action which disables networking on the Asset as a containment response, in an attempt to prevent other systems from being compromised.

The actions listed above make up only a small subset of all those available for the Forensics And Response App, all of which can be initiated manually or automatically through an Orchestration Rule.

Page 12


We will now look at two Use Cases for how an AlienApp can be leveraged to aid in Detection and Response.

Example 1: USM Anywhere collects data from Cisco Umbrella through the associated AlienApp for detection and analytics. In this example we have received information from Umbrella regarding traffic or DNS requests for a domain associated with botnets. This information is normalized into Events and correlated using threat intelligence. This creates an Alarm that alerts us to a potential malware infection on one of our Assets.

Example 2: In this use case, USM Anywhere has detected one of our Assets interacting with a site that is associated with phishing activity. Here we leverage the AlienApp to initiate a response to this Alarm by contacting Umbrella and instructing it to block DNS requests for the malicious domain so that other assets can be protected.
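The two use cases above, together with the three trigger modes for App Actions described on the previous page (scheduled job, one-off action, Orchestration Rule), can be sketched as a small event-to-action pipeline. The following Python is an added illustration written for this transcript; it is not AlienVault code and does not use the USM Anywhere or Cisco Umbrella APIs. The event format, the threat-intel table, the rule fields and the action names (block_domain, create_incident) are all constructed assumptions chosen to mirror the workflow the slides describe: a Detection App delivers events, correlation raises an Alarm, an Orchestration Rule fires a Response App Action, and every action lands in the app's History.

```python
"""Toy orchestration-rule engine modelled on the USM Anywhere workflow in this
module. Constructed example, not AlienVault code; every identifier below is an
assumption made for illustration."""

from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed threat-intel table (domain -> category). In USM Anywhere this
# correlation step uses real threat intelligence; here it is a literal dict.
THREAT_INTEL: Dict[str, str] = {
    "c2.badbotnet.example": "Botnet",
    "login-secure-update.example": "Phishing",
}


@dataclass
class Event:
    """Normalised DNS-layer event as a Detection App might deliver it."""
    source: str   # detection app that produced the event
    asset: str    # asset that issued the DNS request
    domain: str   # requested domain
    action: str   # what the DNS layer did: "allowed" or "blocked"


@dataclass
class Alarm:
    asset: str
    domain: str
    category: str  # threat category assigned by correlation
    source: str


@dataclass
class ActionRecord:
    """One row of a Response App's action History."""
    app: str
    action: str
    target: str
    status: str


class ResponseApp:
    """A Response App exposes App Actions; each call is appended to history."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.history: List[ActionRecord] = []

    def run(self, action: str, target: str) -> ActionRecord:
        # A real app would call the third-party API here; we only record it.
        rec = ActionRecord(self.name, action, target, "completed")
        self.history.append(rec)
        return rec


@dataclass
class OrchestrationRule:
    name: str
    category: str                   # alarm category this rule fires on
    app: str                        # response app to call
    action: str                     # App Action to execute
    target: Callable[[Alarm], str]  # which alarm field the action acts on


def correlate(events: List[Event]) -> List[Alarm]:
    """Detection side: raise an Alarm for allowed lookups of known-bad domains."""
    alarms: List[Alarm] = []
    for ev in events:
        category = THREAT_INTEL.get(ev.domain)
        # A lookup the DNS layer already blocked is logged but is not a live risk.
        if category and ev.action == "allowed":
            alarms.append(Alarm(ev.asset, ev.domain, category, ev.source))
    return alarms


def orchestrate(alarms: List[Alarm], rules: List[OrchestrationRule],
                apps: Dict[str, ResponseApp]) -> List[ActionRecord]:
    """Response side: fire every rule whose category matches each alarm."""
    fired: List[ActionRecord] = []
    for alarm in alarms:
        for rule in rules:
            if rule.category == alarm.category:
                fired.append(apps[rule.app].run(rule.action, rule.target(alarm)))
    return fired


def demo():
    """Run the pipeline over constructed events; returns (alarms, fired, apps)."""
    events = [  # constructed sample input
        Event("Cisco Umbrella", "win-ws-07", "c2.badbotnet.example", "allowed"),
        Event("Cisco Umbrella", "win-ws-12", "login-secure-update.example", "allowed"),
        Event("Cisco Umbrella", "win-ws-03", "intranet.example", "allowed"),
        Event("Cisco Umbrella", "win-ws-03", "c2.badbotnet.example", "blocked"),
    ]
    apps = {"Cisco Umbrella": ResponseApp("Cisco Umbrella"),
            "ServiceNow": ResponseApp("ServiceNow")}
    rules = [
        OrchestrationRule("Block phishing domain", "Phishing",
                          "Cisco Umbrella", "block_domain", lambda a: a.domain),
        OrchestrationRule("Ticket botnet infection", "Botnet",
                          "ServiceNow", "create_incident", lambda a: a.asset),
    ]
    alarms = correlate(events)
    fired = orchestrate(alarms, rules, apps)
    return alarms, fired, apps


if __name__ == "__main__":
    _, fired, apps = demo()
    for rec in fired:
        print(f"{rec.app}: {rec.action}({rec.target}) -> {rec.status}")
    # The one-off path from the previous page is simply a direct call:
    apps["ServiceNow"].run("create_incident", "win-ws-03")
```

The blocked lookup for win-ws-03 deliberately produces no Alarm: the DNS layer already enforced, so automatically firing another block or ticket would only add noise, which is the signal-to-noise point made earlier in this module. The direct `run` call at the end is the one-off trigger from an Alarm or Asset; a scheduled job would be the same call driven by a timer instead of an analyst.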

For further detail on how USM Anywhere leverages AlienApps to interact with Cisco Umbrella to aid in Detection and Response, please review the webcast entitled “Shorter, Faster Threat Detection and Response with AlienVault and Cisco”: https://www.alienvault.com/resource-center/webcasts/shorter-faster-threat-detection-and-response-with-alienvault-and-cisco

Page 13


In the following video we will demonstrate how Sensor Apps and AlienApps are used in USM Anywhere.

We will review the main screen on the Web UI and look at what makes up an App. We will then further investigate how the various actions can be invoked in USM Anywhere.

Page 14


So let’s review what was covered in this module:

• We defined the functionality of Sensor Apps and AlienApps
• We reviewed examples of some existing Sensor Apps and AlienApps
• We demonstrated use cases for an AlienApp in USM Anywhere

Page 15


Read the Documentation: https://www.alienvault.com/documentation/

Explore USM Anywhere Training Offerings: https://www.alienvault.com/training/

Check Out Our Product Forums: https://www.alienvault.com/forums/

HTTPS://WWW.ALIENVAULT.COM | [email protected]

Page 16


Module 4

Appendix

Page 17


AlienApps™ Resources

Product Pages

AlienApps product page: https://www.alienvault.com/products/alienapps

AlienApp for Palo Alto Networks page: https://www.alienvault.com/app/palo-alto-networks

AlienApp for Cisco Umbrella page: https://www.alienvault.com/app/cisco-umbrella

AlienApp for ServiceNow page: https://www.alienvault.com/app/servicenow

AlienApp for Carbon Black page: https://www.alienvault.com/app/carbon-black

Documentation

About AlienApps: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/about-alienapps.htm

AlienApp for Cisco Umbrella: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-cisco-umbrella-config.htm

AlienApp for G Suite: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-g-suite.htm

AlienApp for McAfee ePO: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-mcafee-epo-config.htm

AlienApp for Office 365: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-office365.htm

AlienApp for Palo Alto Networks: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-palo-alto-config.htm

AlienApp for ServiceNow: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/apps/alienapp-servicenow-config.htm

Videos and Webinars

AlienApps 2 Minute Overview: https://www.alienvault.com/resource-center/videos/alien-apps-overview

Identify and Block Threats with Cisco Umbrella and AlienVault® USM Anywhere™: https://www.alienvault.com/resource-center/videos/alienvault-cisco-umbrella-rsa

“Shorter, Faster Threat Detection and Response with AlienVault and Cisco”: https://www.alienvault.com/resource-center/webcasts/shorter-faster-threat-detection-and-response-with-alienvault-and-cisco