- Overview of the AlienVault USM Platform
- Differentiation through Delivery "Threat Detection That Works"
- Ways to Engage via Managed Services, Security Device Management and Professional Services
- AlienVault MSSP Program Details
The Ultimate Guide to Choosing WordPress Pros and Cons
AlienVault MSSP Program Overview Delivers Threat Detection
1. AlienVault – MSSP Program Overview
AUGUST 13, 2014
A DIFFERENT APPROACH TO SECURITY FOR MSSP’S
partners@alienvault.com
2. AGENDA
• Market Overview
• “The 5 areas customers consider when selecting an MSSP”
• Where most MSSPs struggle to offer real value
• Overview of the AlienVault USM Platform
• Differentiation through Delivery "Threat Detection That Works”
• AlienVault MSSP Program Details
3. Market Realities
WHAT WE KNOW ABOUT ORGANIZATIONS
• Lack the in-house capabilities required to keep pace with changing
business demands, compliance mandates, and emerging threats for
strategic implementation of new IT security solutions.
• Don’t have the capabilities to effectively monitor and manage the security
infrastructure to ensure optimal utilization of current assets.
• Have in-house IT staffs that spend too much time on day- to-day
operational security issues versus new strategic projects.
• Depend on IT security tools and processes that provide a reactive, rather
than proactive, approach to mitigating risk and minimizing data loss and
downtime.
… Which has led to organizations moving to
4. Those who look for a
platform that is already
integrated – or “Unified
(Integrated) Security
Two Types of MSSPs
Those who try to buy/build
and integrate it all on their
own…
5. Observations of MSSPs in the Market
CHALLENGES ON DELIVERING VALUE
Operationalizing the Offering
- Many MSSPs don’t have the experience needed to avoid the costly mistakes
and
end up managing the system far more than they spend on the value they bring to
their
customers. Attempting to tie disparate systems together is a failed strategy.
Basic (i.e. “Weak”) Correlation
- Correlation of events and Incident-specific reports are required to offer true
security
visibility; however most MSSPs don’t deploy solutions that allow customers to get
anything more than very basic reporting/correlation
Deployment of SIEM technology to provide in-house alerting and log analysis:
- MSSPs typically lack the needed insight into the customer IT and business
environment; thus, they are challenged in determining whether events involving
6. Let’s “double-click’ on these challenges
High Fidelity vs. False Positives
- “Custom” correlation is the only way to achieve any true value/threat visiblity from a SIEM
platform. The task of base-lining an environment and creating these alerts/alarms is daunting
enough in a single environment – How can an MSSP deliver this across many environments?
Poor Change Management
- Strong correlation is based on “known” baselines and an intimate understanding of a
customers environment. MSSPs by virtue of what they do – are an after thought to change
management by the organizations who work with MSSPs. Every change to that environment
impacts the fidelity of correlation. Poor correlation = poor threat detection.
Poor Log Storage
- Logs are only valuable to your customers if they can access them. Storing logs for a
sufficient period of time or in a location that the customer cannot be access makes the services
less valuable.
CORRELATION
7. Delivering Confidence, Simplicity &
ValueWHAT YOU CAN OFFER YOUR CUSTOMERS
Managed security operations and response
- Provide first line incident detection and triage
- Escalate to customer as needed for remediation response
Reporting of vulnerabilities and threats
- Identify known malicious entities probing their systems
- Detect latest attack payloads
- Identify compromised systems
- Leverage time-tested security controls with minimal deployment overhead
- Identify potentially insecure behaviors
- Identify unpatched software, known to vulnerable
… A single security technology stack makes this possible – AT
SCALE
8. POWER OF THE OPEN THREAT EXCHANGE
(OTX)
TO DETECT THREATS
Crowd-sourced threat data from 8,000+ sites across 140
countries
500,000+ IPs validated daily
Free Threat Services
• Reputation Alert Monitor
• Threat Finder
• Interactive Threat Map
18. MSSP “GETTING STARTED” PACKAGES
Public Training + Deployment
Assistance
Private Training + Deployment
Assistance
Packages include…
• AlienVault product training for one (1)
engineer at a public AlienVault training
center
• Three (3) days of remote support by a
Certified AlienVault Deployment Architect
• AlienVault product training for up to 8
people at your facility
• Three (3) days of remote support by a
Certified AlienVault Deployment Architect
Become a certified AlienVault MSSP partner
19. MSSP Partner of AlienVault
SMALL SAMPLING OF PARTNERS
Today we have 100+ MSSPs around the world… some supporting less than 5
customers…some supporting 100’s of customers
• Breaches/Infection rates have no correlation to company size so smaller MSSPs
have the same challenges that larger MSSPs do. The problem they solve is just
as significant.
• Larger companies do have larger budgets so when serving the small business and
mid-market; efficiency at scale is important.
We offer entry points for any
size MSSP. The largest to
the newly formed.
– It is difficult to strike the right balance between correlation rules that catch all possible attacks and correlation rules that produce too many false-positive alerts. Tuning often requires a professional services engagement and on-going expenses. This will continue to plague the MSSPs who choose traditional SIEM or Logging solutions as the complexity of managing all of the moves, adds, edits to the data sources (servers, devices, & applications) that feed them is not something they can solve for. Organizations rely on the data collection, normalization and retention for the purpose of correlation. Without strong (i.e. custom) correlation, detecting and responding to threats is impossible. Custom correlation must be verified every time there is a change on the network if an organization wants to ensure the fidelity of their correlation logic. For example, it’s not uncommon to see a data source change (OS/firmware update), which will dramatically impact the fidelity of the correlation rules/alarms/logic. This happens when updates are performed to network devices, servers (physical & virtual), anti-virus, applications, etc. Organizations are very dynamic. Correlation must also be dynamics UNLESS you solve for this another way.
The “Rules-based” approach – When a correlated security event is presented to the security analyst, it’s reasonable to expect the analyst to limit his or her investigation to the data sources reported by the alert. A “Rules-based” approach supports only a go-forward view of security data, if you get a correlation rule wrong, you can’t adjust the model and re-analyze the data, because events that didn’t match the old rule have already been discarded. Not the desired outcome…
AlienVault’s USM solution solves for this through “unifying” your entire security technology stack. We’ll dive into that later in this presentation…
AlienVault offers the only unified security management solution to unify the five essential security capabilities you need for complete security visibility. This translates into rapid time to value – faster and easier audits, targeted remediation, and more seamless incident response. The main advantages of USM are simplicity, streamlined installation and use, and the ability to update all the security functions concurrently. These concurrent updates allow AlienVault to do something no other solution on the market can do. AlienVault’s threat intelligence team can write, maintain and verify all the needed correlation delivering the highest levels of security visibility.