Today more than 30 open-source security tools are built into this framework, making AlienVault the fastest way to start and the easiest way to manage a comprehensive security program.
Integrated Tools in AlienVault Unified Security Management Platform
1. TAKE YOUR OPEN SOURCE SECURITY STRATEGY TO THE NEXT LEVEL
The power of open source from a single, unified console
WWW.ALIENVAULT.COM/
2. The World’s Most Widely Used SIEM
MEET OSSIM
OSSIM is trusted by 195,000+ security professionals in 175 countries…and counting
Established and launched by security engineers out of necessity
Users enjoy all of the features of a traditional SIEM – and more
4. Tools Classification
HOW IT WORKS
Tools integrated with AlienVault OSSIM are classified by how the tool
behaves on the network it monitors:
Active: they generate traffic on the monitored network (scans, probes, agent check-ins), so their activity is visible to the targets and should be scheduled and scoped deliberately
Passive: they analyze network traffic without generating any traffic
Passive tools require port mirroring (SPAN) or a network tap configured on the
network equipment or virtual switch so that a copy of the traffic reaches the sensor
6. Detecting Network Assets in AlienVault OSSIM
PRADS
What is it?
Signature-based detection engine used to passively detect network assets
OSSIM allows for distributed PRADS monitoring, to help simplify:
Inventory management
Version changes on services
Policy violations
Inventory correlation
Passive Tool
Passive.sourceforge.net
7. Identifying Network Hosts & Services in AlienVault OSSIM
NMAP (NETWORK MAPPER)
What is it?
Security scanner to discover hosts & services on network
The OSSIM user interface makes it easy to schedule NMAP scans and manage the
results in its inventory system
Quickly find: network assets, open ports, service versions, operating
systems and product versions
Active Tool
nmap.org
8. Inventorying IT Assets in AlienVault OSSIM
OCS INVENTORY NG
What is it?
Lightweight agent that provides a full enumeration of installed software
Collects information about hardware running OCS agent
OSSIM simplifies OCS inventory installation
and management of:
Hardware and software inventory
Vulnerabilities
Information on policy violations
Active Tool
ocsinventory-ng.org
10. Vulnerability Assessment in AlienVault OSSIM
OPENVAS
What is it?
Provides both authenticated and unauthenticated vulnerability detection
Actively scans network for known vulnerabilities per your specifications
Daily feed of network vulnerability tests (over 33,000)
Allows for scanning aggressiveness fine-tuning
OSSIM lets users schedule OpenVAS scans and reporting, and ties the results
to the vulnerability information shown for each asset.
Active Tool
openvas.org
11. Web Vulnerability Scanning in AlienVault OSSIM
NIKTO
What is it?
Performs comprehensive tests against web servers
NIKTO in OSSIM scans web servers for problems including:
Server and software misconfigurations
Default files and programs
Insecure files and programs
Outdated software
Active Tool
cirt.net/nikto2
13. Host-based Intrusion Detection in AlienVault OSSIM
OSSEC
What is it?
Host-based intrusion detection system
How does it work?
OSSIM provides a web interface for OSSEC to simplify management of
distributed deployments
AlienVault Sensor collects events from OSSEC server
OSSIM can use Windows, UNIX and application logs, as well as registry and
file integrity monitoring information
Active Tool
ossec.org
14. Network Intrusion Detection in AlienVault OSSIM
SNORT
What is it?
Default IDS in virtual appliance
Generates security events for SIEM when analyzing network traffic
Combines signature, protocol and anomaly-based inspection
OSSIM makes it easy to manage distributed SNORT installations.
Manage IDS rules to monitor for malware signatures
and policy violations (P2P, unauthorized IM, games, etc.)
Passive Tool
snort.org
15. Intrusion Detection & Prevention in AlienVault OSSIM
SURICATA
What is it?
Intrusion detection and intrusion prevention, based on threat signatures
Can use the same rule sets as SNORT (Suricata reads Snort rule syntax)
Advanced processing of HTTP signatures
Multi-threaded processing
OSSIM makes it easy to manage distributed Suricata
installations and manage IDS rules.
Passive Tool
suricata-ids.org
16. Wireless Intrusion Detection System in AlienVault OSSIM
KISMET
What is it?
OSSIM uses the Kismet package for wireless IDS
Works with any wireless card supporting raw monitoring (rfmon) mode
With appropriate hardware (for example a Raspberry Pi with a monitor-mode capable
card) it can sniff 802.11a, 802.11b, 802.11g and 802.11n traffic
OSSIM provides an interface for easy distributed deployments of Kismet.
WIFI network security monitoring
Rogue AP (access point) detection
PCI compliance help
Passive Tool
kismetwireless.net
18. Security Event & Information Management
ALIENVAULT OSSIM
OSSIM, the open source SIEM, is the most
widely used SIEM in the world.
What can you do with it?
Event collection, normalization and
correlation
Leverage suite of pre-
integrated, best of breed security
tools for incident response
Passive Tool
www.alienvault.com/open-threat-exchange/projects
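The "collection, normalization and correlation" on this slide is the step that turns the OSSEC and Snort output from the earlier slides into something a SIEM can reason about: each source has its own log format, so events are first mapped onto one schema and only then matched against each other. The block below is an added example of that pipeline and is not OSSIM's agent plugins or its correlation engine. Both log samples are constructed: the Snort SIDs 1000001 and 1000002 sit in the local-rule range, the OSSEC rule ids and groups mirror the stock sshd rules, and because Snort fast alerts carry no year, the year is an assumed constant.

```python
"""Normalize Snort fast-alert lines and OSSEC alerts.log blocks into one
event schema and correlate across them.

Added example, not OSSIM code. Log samples are constructed; YEAR is an
assumption because Snort's fast-alert timestamps omit the year."""
import re
from datetime import datetime

YEAR = 2014

SNORT_FAST = """\
07/10-14:32:01.123456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:51234 -> 10.0.0.5:22
07/10-14:40:10.000001  [**] [1:1000002:1] LOCAL HTTP probe [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.9:44000 -> 10.0.0.5:80
"""

OSSEC_ALERTS = """\
** Alert 1405002722.1: - syslog,sshd,authentication_failed,
2014 Jul 10 14:32:02 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: root
Jul 10 14:32:02 web01 sshd[2211]: Failed password for root from 198.51.100.7 port 51234 ssh2

** Alert 1405002725.2: - syslog,sshd,authentication_failed,
2014 Jul 10 14:32:05 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 198.51.100.7
User: admin
Jul 10 14:32:05 web01 sshd[2213]: Failed password for admin from 198.51.100.7 port 51240 ssh2

** Alert 1405003300.3: - syslog,sshd,authentication_success,
2014 Jul 10 14:41:40 (web01) 10.0.0.5->/var/log/auth.log
Rule: 5715 (level 3) -> 'SSHD authentication success.'
Src IP: 192.0.2.20
User: alice
Jul 10 14:41:40 web01 sshd[2300]: Accepted publickey for alice from 192.0.2.20 port 50000 ssh2
"""

SNORT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\[Priority:\s*(?P<prio>\d+)\]\s+\{\w+\}\s+"
    r"(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
OSSEC_HDR = re.compile(r"^\*\* Alert \d+\.\d+: - (?P<groups>.*)$")
OSSEC_LOC = re.compile(r"^(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d) \((?P<host>[^)]+)\) (?P<ip>[\d.]+)->")
OSSEC_RULE = re.compile(r"^Rule: (?P<id>\d+) \(level (?P<level>\d+)\) -> '(?P<desc>.*)'$")
OSSEC_FIELD = re.compile(r"^(?P<key>Src IP|User): (?P<val>\S+)$")


def new_event(source):
    """Common schema: each source fills what it knows, the rest stays None."""
    return {"source": source, "ts": None, "sig": None, "name": None, "priority": None,
            "src_ip": None, "dst_ip": None, "dst_port": None, "host": None,
            "user": None, "groups": set()}


def parse_snort_fast(text, year=YEAR):
    events = []
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if not m:
            continue  # not a fast-alert line (or truncated): skip rather than guess
        e = new_event("snort")
        e["ts"] = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S.%f").replace(year=year)
        e["sig"], e["name"], e["priority"] = f"{m['gid']}:{m['sid']}", m["msg"], int(m["prio"])
        e["src_ip"], e["dst_ip"], e["dst_port"] = m["src"], m["dst"], int(m["dport"])
        events.append(e)
    return events


def parse_ossec_alerts(text):
    """alerts.log is block-oriented: a '** Alert' header, then one field per line."""
    events, cur = [], None
    for line in text.splitlines():
        hdr = OSSEC_HDR.match(line)
        if hdr:
            cur = new_event("ossec")
            cur["groups"] = {g for g in hdr["groups"].split(",") if g}
            events.append(cur)
            continue
        if cur is None:
            continue
        loc, rule, field = OSSEC_LOC.match(line), OSSEC_RULE.match(line), OSSEC_FIELD.match(line)
        if loc:  # agent name and IP: the host that produced the log is the destination
            cur["ts"] = datetime.strptime(loc["ts"], "%Y %b %d %H:%M:%S")
            cur["host"], cur["dst_ip"] = loc["host"], loc["ip"]
        elif rule:
            cur["sig"], cur["name"], cur["priority"] = "ossec:" + rule["id"], rule["desc"], int(rule["level"])
        elif field:
            cur["src_ip" if field["key"] == "Src IP" else "user"] = field["val"]
    return events


def correlate(events, window_s=300, threshold=2):
    """Directive: a NIDS alert from S to D followed within window_s seconds by at
    least `threshold` HIDS authentication failures from S on D becomes one incident."""
    hids = [e for e in events if e["source"] == "ossec" and "authentication_failed" in e["groups"]]
    incidents = []
    for nids in (e for e in events if e["source"] == "snort"):
        hits = [h for h in hids
                if h["src_ip"] == nids["src_ip"] and h["dst_ip"] == nids["dst_ip"]
                and 0 <= (h["ts"] - nids["ts"]).total_seconds() <= window_s]
        if len(hits) >= threshold:
            incidents.append({"src_ip": nids["src_ip"], "dst_ip": nids["dst_ip"],
                              "trigger": nids["sig"], "evidence": len(hits),
                              "users": sorted({h["user"] for h in hits if h["user"]})})
    return incidents
```

The two parsers deliberately use the same dictionary layout, so `correlate` never needs to know which log a field came from; the HTTP probe from 203.0.113.9 produces no incident because no host-side evidence backs it, which is the point of cross-source correlation. Both timestamps are kept naive and in the sensor's local time; mixing OSSEC's epoch header with Snort's local time would silently shift the window by the timezone offset.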
20. System & Network Monitoring in AlienVault OSSIM
NAGIOS
What is it?
Watches hosts & services and provides alerts
Configurable checking of assets
Can do checks with agent or remotely, without agent
Wide variety of plugins for monitoring apps and devices available
OSSIM provides web interface for Nagios, making distributed installations easy with:
Ongoing availability monitoring
Availability checks run on request during logical correlation
Visibility into whether service ports are open or closed
Active Tool
nagios.org
21. Network Traffic Capture in AlienVault OSSIM
TCPDUMP
What is it?
TCPDUMP is a command-line packet analyzer built on libpcap
libpcap is the portable C/C++ library that performs the actual packet capture
What does it do?
Captures packets from a network interface and prints them, or writes them to a pcap file for later analysis
Selects traffic with BPF filter expressions (host, port, protocol), so only the relevant packets are captured
Provides raw packet captures for incident response in OSSIM, where flow data alone is not enough
Passive Tool
tcpdump.org
22. Generating Netflow Data in AlienVault OSSIM
FPROBE
What is it?
Reads packets via libpcap, aggregates them into flows and exports them as NetFlow
to the specified collector
Libpcap-based tool, so it runs on a sensor that sees mirrored traffic and needs no
NetFlow support on the routers
OSSIM provides an integrated console where you can view netflow
information, from FPROBE, to assist with incident response
Passive Tool
fprobe.sourceforge.net/
23. Netflow Collector in AlienVault OSSIM
NFDUMP
What is it?
Reads NetFlow data from the files written by nfcapd, the collector daemon
NFDUMP filter syntax is similar to TCPDUMP's
OSSIM makes it easy to quickly implement NFDUMP for netflow analysis
Lists, filters and aggregates flow records
Creates customizable top-N statistics of flows, IP addresses, ports, etc.
Saves time by eliminating the need for a "How To" tutorial
Passive Tool
nfdump.sourceforge.net
24. Collecting IP Traffic in AlienVault OSSIM
NFSEN
What is it?
Web-based front end for NFDUMP
NetFlow, the data NFSEN displays, is a network protocol developed by Cisco,
originally for IOS-based equipment, to export IP traffic information
Flow export is also supported by other platforms, such as Juniper, Linux, FreeBSD and
OpenBSD
OSSIM aggregates NFSEN data and allows you to:
Display netflow data
Process netflow data within a specific
time frame
Create historic and continuous profiles
Passive Tool
nfsen.sourceforge.net
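The NFDUMP and NFSEN slides above describe the same two operations: restrict flow records to a time frame, then produce top-N statistics over them. The block below is an added example of both, in the spirit of `nfdump -t start-end -s srcip/bytes -n 5`; it is not nfdump's or NFSEN's code. FLOWS_CSV is constructed and uses a subset of nfdump's CSV column names (ts, te, sa, da, sp, dp, pr, ipkt, ibyt) rather than its full column set. The fan-out function goes one step beyond the slides: it uses the same aggregation to flag a source touching many hosts on one port, which is what a horizontal scan looks like in flow data.

```python
"""Time-window filtering and top-N statistics over NetFlow records.

Added example, not nfdump/NFSEN code. FLOWS_CSV is constructed; its
columns are a subset of nfdump's csv output."""
import csv
import io
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

FLOWS_CSV = """\
ts,te,sa,da,sp,dp,pr,ipkt,ibyt
2014-07-10 14:30:00,2014-07-10 14:30:02,10.0.0.5,198.51.100.7,22,51234,TCP,12,1800
2014-07-10 14:31:00,2014-07-10 14:36:00,10.0.0.8,203.0.113.50,49152,443,TCP,90000,120000000
2014-07-10 14:31:30,2014-07-10 14:31:31,10.0.0.9,10.0.0.5,53000,80,TCP,5,400
2014-07-10 14:32:00,2014-07-10 14:32:01,10.0.0.9,10.0.0.6,53001,80,TCP,5,400
2014-07-10 14:32:05,2014-07-10 14:32:06,10.0.0.9,10.0.0.7,53002,80,TCP,5,400
2014-07-10 14:32:10,2014-07-10 14:32:11,10.0.0.9,10.0.0.10,53003,445,TCP,3,180
2014-07-10 15:10:00,2014-07-10 15:10:05,10.0.0.5,192.0.2.53,40000,53,UDP,2,160
"""


def parse_flows(text):
    """One dict per flow record, with typed timestamps, ports and counters."""
    flows = []
    for r in csv.DictReader(io.StringIO(text)):
        flows.append({"ts": datetime.strptime(r["ts"], FMT), "te": datetime.strptime(r["te"], FMT),
                      "sa": r["sa"], "da": r["da"], "sp": int(r["sp"]), "dp": int(r["dp"]),
                      "pr": r["pr"], "pkts": int(r["ipkt"]), "bytes": int(r["ibyt"])})
    return flows


def in_window(flows, start, end):
    """Flows that overlap [start, end]. As with nfdump -t, a long-lived flow that
    started before the window but is still active inside it is included."""
    return [f for f in flows if f["ts"] <= end and f["te"] >= start]


def top_n(flows, key, order="bytes", n=5):
    """Aggregate by a record field ('sa', 'da', 'dp', ...) and rank by
    'bytes', 'pkts' or 'flows', like nfdump -s <key>/<order> -n <n>."""
    agg = defaultdict(lambda: {"bytes": 0, "pkts": 0, "flows": 0})
    for f in flows:
        a = agg[f[key]]
        a["bytes"] += f["bytes"]
        a["pkts"] += f["pkts"]
        a["flows"] += 1
    return sorted(agg.items(), key=lambda kv: kv[1][order], reverse=True)[:n]


def fan_out(flows, min_targets=3):
    """(source, dst port) pairs that reached >= min_targets distinct hosts:
    a cheap horizontal-scan indicator built from the same records."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f["sa"], f["dp"])].add(f["da"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}
```

Ranking by bytes surfaces the 120 MB session from 10.0.0.8, the kind of record worth a look during an exfiltration investigation, while ranking the same window by flow count or running `fan_out` surfaces 10.0.0.9 probing port 80 on three hosts; the two orderings answer different questions over identical data.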
25. Network Use Monitoring in AlienVault OSSIM
NTOP
What is it?
Network probe providing real-time & historical network usage
Uses RRDtool's Holt-Winters aberrant behaviour detection to predict expected traffic from past behaviour
If the observed traffic falls outside the predicted confidence band, an event is generated in OSSIM
In OSSIM, NTOP provides:
Network usage statistics
Asset information
Time & activity matrices
Real-time session monitoring
And network abuse information
Passive Tool
ntop.org
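The prediction step on this slide is easier to judge once the mechanics are visible: a Holt-Winters forecast from level, trend and a seasonal component, a smoothed deviation per seasonal slot that sets the confidence band, and a failure raised when enough recent samples fall outside it. The block below is an added illustration of that scheme and is not ntop's or RRDtool's code. Parameter names follow RRDtool's HWPREDICT/DEVPREDICT/FAILURES documentation; `min_band` is an addition so that a perfectly periodic warm-up cannot shrink the band to zero, and TRAFFIC is a constructed series (six clean cycles of a four-slot pattern, a spike, one more clean cycle).

```python
"""Holt-Winters aberrant behaviour detection in the style of RRDtool's
HWPREDICT / DEVPREDICT / FAILURES, as used by ntop.

Added example, not ntop or RRDtool code. TRAFFIC is constructed; min_band
is an assumption not present in RRDtool."""

# Six clean "days" of four samples, one day with a spike in slot 2, one clean day.
TRAFFIC = [10, 50, 80, 30] * 6 + [10, 50, 200, 30] + [10, 50, 80, 30]


def holt_winters_anomalies(series, period, alpha=0.1, beta=0.05, gamma=0.1,
                           delta=2.0, min_band=5.0, window=4, threshold=3):
    """Return {"predictions", "violations", "failures"}.
    predictions[t] is None for the first `period` samples, which seed the model.
    A violation at t means |x_t - prediction| exceeds delta * smoothed deviation
    (floored at min_band); a failure is raised at t when at least `threshold`
    of the last `window` samples were violations (RRDtool FAILURES semantics)."""
    if len(series) < 2 * period:
        raise ValueError("need at least two seasons to initialise")
    level = sum(series[:period]) / period
    # initial trend: change in seasonal mean between the first two seasons, per sample
    trend = (sum(series[period:2 * period]) - sum(series[:period])) / (period ** 2)
    seasonal = [x - level for x in series[:period]]
    dev = [0.0] * period            # smoothed absolute deviation per seasonal slot
    predictions = [None] * period
    violations, failures = [], []
    for t in range(period, len(series)):
        i, x = t % period, series[t]
        pred = level + trend + seasonal[i]
        predictions.append(pred)
        band = max(delta * dev[i], min_band)
        if abs(x - pred) > band:
            violations.append(t)
            if len([v for v in violations if v > t - window]) >= threshold:
                failures.append(t)
        # additive Holt-Winters smoothing updates
        new_level = alpha * (x - seasonal[i]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        seasonal[i] = gamma * (x - new_level) + (1 - gamma) * seasonal[i]
        dev[i] = gamma * abs(x - pred) + (1 - gamma) * dev[i]
        level = new_level
    return {"predictions": predictions, "violations": violations, "failures": failures}
```

Two things worth seeing in the output: the spike at index 26 is caught immediately, but because the outlier is fed back into `level` and `trend`, the following clean samples are also flagged, so a failure (three violations in a window of four) fires at index 28. That is why RRDtool separates violations from failures and why an operator tuning ntop wants a small `alpha` and a deliberate `threshold`, rather than alerting on every single band breach.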
26. Play, share, enjoy!
START USING OSSIM TODAY
Download OSSIM
Join AlienVault OTX
Learn more about our commercial offering
Try AlienVault USM, free for 30 days
Join us for a LIVE Demo!