AlienVault Unified Security Management (USM) 5.1 Running the Getting Started Wizard

USM v5.1 Running the Getting Started Wizard, rev. 2

Copyright 2015 AlienVault, Inc. All rights reserved.

The AlienVault Logo, AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat Exchange, AlienVault OTX Reputation Monitor, AlienVault OTX Reputation Monitor Alert, AlienVault OSSIM, and OSSIM are trademarks or service marks of AlienVault, Inc. All other registered trademarks, trademarks or service marks are the property of their respective owners.

Revisions to This Document

Date                Revision Description
July 27, 2015       Original document.
August 18, 2015     Updated a screenshot based on the 5.1.1 release.
September 11, 2015  Added the limitation that each USM Sensor can have up to 100 plugins enabled.

September 11, 2015 USM v5.1 Running the Getting Started Wizard, rev. 2 Page 2 of 14

Contents

Introduction ... 4
About the Getting Started Wizard ... 4
Running the Getting Started Wizard ... 4
Task 1: Configuring Network Interfaces ... 5
Task 2: Discovering Assets in Your Network ... 7
Option 1: Discovering Assets via a Network Scan ... 8
Option 2: Importing a CSV List of Assets ... 9
Option 3: Adding Assets Manually ... 10
Task 3: Deploying Host Intrusion Detection System (HIDS) to Servers ... 10
Task 4: Enabling Log Management ... 11
Task 5: Joining AlienVault Open Threat Exchange (OTX)™ ... 13

Introduction

The objective of this document is to guide users through the Getting Started Wizard to perform the initial configuration of AlienVault USM. The Getting Started Wizard is only available on USM All-in-One appliances. The appliance should already have been deployed and configured as described in the AlienVault USM 4.8-5.x Initial Setup Guide.

About the Getting Started Wizard

AlienVault provides a Getting Started Wizard on USM All-in-Ones to help first-time users configure the built-in security capabilities. Customers can walk through a simple, step-by-step workflow to set up networks, run an asset discovery scan, deploy HIDS agents, and configure external data sources in minutes. You can perform the following tasks in the Getting Started Wizard:

- Configure network interfaces
- Discover assets
- Deploy Host Intrusion Detection Systems (HIDS)
- Configure log management
- Join and/or connect to your AlienVault Open Threat Exchange (OTX) account

Running the Getting Started Wizard

Running the Getting Started Wizard is highly recommended but optional. You can skip it at any time by clicking the Skip AlienVault Wizard button on the welcome page (Figure 1) or on any subsequent page.

Figure 1. Getting Started Wizard - Welcome Page

If the wizard is skipped, every time the admin user logs in a banner that reads "Extend your visibility. Collect more data now." appears above the primary navigation bar (see Figure 2). Clicking this banner launches the wizard again. The wizard remains accessible through the banner until you click the Finish button after the last task.

Figure 2. Banner to bring back the Getting Started Wizard

To run the Getting Started Wizard, click Start (see Figure 1). We recommend that you perform the tasks in the order they are listed, because certain tasks cannot be configured until the previous one is completed.

Task 1: Configuring Network Interfaces

An AlienVault USM All-in-One appliance comes with six network interfaces numbered eth0 to eth5. AlienVault uses these interfaces to monitor the network with the built-in IDS capabilities, run asset scans, collect log data from your assets, run vulnerability scans, and generate NetFlows. The options available for each interface are:

Management. The management interface is used to communicate with the AlienVault Console and connect to the web interface. It is configured during the initial setup steps from the AlienVault Console. While eth0 is the default, a different interface can be used; see the AlienVault USM 4.8-5.x Initial Setup Guide for details. You cannot configure the management interface in the wizard.

Network Monitoring. Configuring a network interface for network monitoring puts it into passive listening mode, also known as promiscuous mode, in which the interface listens to traffic as it passes on the wire. To use this option the administrator needs to set up a network tap or SPAN port so that traffic flows to this interface and can be monitored for threats. Since AlienVault USM's built-in IDS capability uses the network monitoring interface, one of the network interfaces in the USM must be dedicated to this purpose.

Log Collection & Scanning. Use a Log Collection & Scanning interface to reach the networks and systems that you want to collect data from or scan using AlienVault USM's built-in asset discovery, vulnerability assessment, and availability monitoring tools. Setting up this interface requires that you assign an IP address and network mask to it.

Not In Use. This is the default option for all interfaces (except the Management interface) on this screen. It means that the network interface is not configured and will not be used.

By default, the management interface also performs network monitoring, log collection and scanning. You do not need to configure additional interfaces if the systems you want to monitor are on the same subnet as the management interface. If you want to monitor networks and/or collect logs from a different subnet, follow the instructions below.

To configure network monitoring

1. Choose the network interface that will be used for network monitoring.
2. Select Network Monitoring from the drop-down list. Once selected, AlienVault immediately configures the network interface to listen for incoming traffic.
3. Configure your virtual machine to get traffic from your physical network.

Figure 3. Getting Started Wizard - Configure Network Interfaces

Once the network is forwarding data to the selected network interface, the Status indicator shown in Figure 3 goes from red to green, indicating that the interface is both configured and receiving data as expected. After you have configured the network monitoring interface, you need to ensure that it is receiving network traffic. If you are on a virtual network, make sure that you are getting real network traffic and not just virtual switch traffic. Follow the instructions found here.

To configure log collection and scanning

1. Choose the network interface that will be used for log collection and scanning.
2. Select Log Collection & Scanning from the drop-down list. A screen pops up asking for an IP Address and Netmask. This information is used to configure the network interface with a static IP address.
3. In the IP Address & Netmask box, enter an IP address and netmask for the other subnet. The Configure Network Interfaces screen displays again, showing the IP address you supplied as the IP address of the interface. This indicates that the interface configuration was successful.
4. Configure the other interfaces as needed for additional log collection and scanning.

In some situations the network you want to monitor may not be reachable from the IP address provided without adding a route to the routing table. This is an extreme case and should not happen often. If a route is required, you will need to jailbreak the system using the AlienVault Console and configure the route from the command line.

After you have finished configuring the network interfaces, click Next at the bottom-right corner to proceed.

Task 2: Discovering Assets in Your Network

Understanding what is in your environment is a critical step in identifying threats and vulnerabilities. You can use the built-in asset discovery capability to scan your networks and find assets, enter assets manually, or import assets from a CSV file. The Asset Discovery task in the Getting Started Wizard helps you accomplish this.

Figure 4. Getting Started Wizard - Asset Discovery

Option 1: Discovering Assets via a Network Scan

AlienVault USM needs an understanding of your network topology to run asset scans, vulnerability scans, and use other built-in capabilities. The Getting Started Wizard includes an option to scan your networks for assets.

To scan your networks

1. Click Scan Networks (Option 1 in Figure 4). The Scan Networks screen displays.
2. Choose one or more networks that you would like to scan (see Figure 5). You should already have one or more networks defined based on the network interfaces you configured in Task 1: Configuring Network Interfaces.
3. Click Scan Now to initiate the scan. A confirmation screen displays showing how many assets may be scanned based on the networks defined.
4. Click Accept to start the scan.

Be aware that if you created a large network (e.g. 10.10.10.0/16) the scan may take a long time. We suggest that you create smaller networks. You can stop the scan at any time by clicking Stop Scan, but if you stop a running scan, no asset data is retained and you will need to run the scan again.

Once the scan is completed, AlienVault USM prompts you to schedule a recurring scan so you can discover changes in the environment periodically. The default is a weekly scan. You can change it to daily or monthly using the drop-down, or select no scan by clicking the "x". Click OK to accept and continue.

Figure 5. Getting Started Wizard - Scan Networks

If your desired network cannot be found at step 2 above, you can add more networks manually or import networks from a CSV file on the Scan Networks screen (see Figure 5).

To add more networks manually

1. Enter a meaningful name to describe the network (e.g. DMZ, Employee Office).
2. Enter the CIDR notation for the network.
3. Enter a description for the network (optional).
4. Click +Add.

If you make a mistake and define the network incorrectly, use the delete icon (trash can) to delete it and re-enter the network.

To import networks from a CSV file

1. Click Import from CSV to display more options.
2. Click Choose File and select a CSV file.
3. Click Import to upload the selected file.

Pay attention to the formats allowed in the CSV files. The CIDR field is required and can be a comma-separated list. The delimiter for the columns is the semicolon.

Option 2: Importing a CSV List of Assets

In AlienVault USM, you can also import a list of assets from a CSV file.

To import assets from a CSV file

1. Click Import from CSV (Option 2 in Figure 4). The Import Assets from CSV lightbox pops up.
2. Click Choose File and select a CSV file.
3. Click Import to upload the selected file.

Pay attention to the formats allowed in the CSV files. The IP address field is required and can be a comma-separated list of IPs. The delimiter for the columns is the semicolon. A confirmation screen displays showing the number of hosts that have been imported.
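A pre-import check for the two CSV formats described above (network lists in Option 1 and asset lists in Option 2), added here as an example and not AlienVault's own code. It enforces only what the guide states (semicolon column delimiter, a required CIDR or IP field that may hold a comma-separated list) and warns about wide ranges such as the /16 the guide says will scan slowly; the column orders name;cidr;description and name;ip;type, the 4096-address warning threshold, and the sample rows are assumptions constructed for the example.

```python
import csv
import io
import ipaddress

COLUMN_DELIMITER = ";"      # the guide: columns are separated by semicolon
LIST_DELIMITER = ","        # the guide: the CIDR / IP field may hold a comma-separated list
LARGE_NETWORK_HOSTS = 4096  # assumed threshold for the "large network" warning (/20 and wider)

# Constructed sample files; the column order (name;cidr;description and name;ip;type)
# is an assumption mirroring the wizard's manual-entry fields, not a documented layout.
SAMPLE_NETWORKS_CSV = (
    "DMZ;192.0.2.0/24;Public-facing servers\n"
    "Employee Office;198.51.100.0/25,198.51.100.128/25;Two office VLANs\n"
    "Lab;10.10.10.0/16;Wide range written with host bits set\n"
    "Broken;;CIDR column left empty\n"
)
SAMPLE_ASSETS_CSV = (
    "domain controller;192.0.2.10;Server\n"
    "printers;192.0.2.20,192.0.2.21;Printer\n"
    "typo;192.0.2.300;Server\n"
)

def _rows(text):
    """Split the file into semicolon-delimited rows, skipping blank lines."""
    reader = csv.reader(io.StringIO(text), delimiter=COLUMN_DELIMITER)
    return [row for row in reader if any(field.strip() for field in row)]

def _split_list(field):
    """A required field may be a comma-separated list; drop whitespace and empties."""
    return [item.strip() for item in field.split(LIST_DELIMITER) if item.strip()]

def check_network_row(row_number, row):
    """Validate one networks row: required CIDR list, host-bit and size warnings."""
    result = {"row": row_number, "name": row[0].strip(), "networks": [],
              "errors": [], "warnings": []}
    cidrs = _split_list(row[1] if len(row) > 1 else "")
    if not cidrs:
        result["errors"].append("CIDR field is required")
        return result
    for cidr in cidrs:
        try:
            iface = ipaddress.ip_interface(cidr)  # accepts host bits, e.g. 10.10.10.0/16
        except ValueError:
            result["errors"].append(f"invalid CIDR {cidr!r}")
            continue
        net = iface.network                       # normalized network, e.g. 10.10.0.0/16
        if iface.ip != net.network_address:
            result["warnings"].append(f"{cidr} has host bits set, normalized to {net}")
        if net.num_addresses > LARGE_NETWORK_HOSTS:
            result["warnings"].append(f"{net} covers {net.num_addresses} addresses; the scan may take a long time")
        result["networks"].append(str(net))
    return result

def check_asset_row(row_number, row):
    """Validate one assets row: the IP field is required and may list several IPs."""
    result = {"row": row_number, "name": row[0].strip(), "ips": [], "errors": []}
    ips = _split_list(row[1] if len(row) > 1 else "")
    if not ips:
        result["errors"].append("IP address field is required")
        return result
    for ip in ips:
        try:
            result["ips"].append(str(ipaddress.ip_address(ip)))
        except ValueError:
            result["errors"].append(f"invalid IP address {ip!r}")
    return result

def check_networks_csv(text):
    """Findings for every row of a networks CSV, numbered from 1 (blank lines skipped)."""
    return [check_network_row(n, row) for n, row in enumerate(_rows(text), start=1)]

def check_assets_csv(text):
    """Findings for every row of an assets CSV, numbered from 1 (blank lines skipped)."""
    return [check_asset_row(n, row) for n, row in enumerate(_rows(text), start=1)]
```

Rows with entries in "errors" would be rejected or mis-imported by the wizard, so fix them before uploading; "warnings" flag ranges worth splitting into smaller networks as the guide suggests.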

Option 3: Adding Assets Manually

If you do not have a list of assets in CSV form, you can quickly add them manually.

To add an asset manually

1. On the Scan & Add Assets screen (Option 3 in Figure 4), provide a meaningful name for the asset (e.g. domain controller).
2. Enter the IP address in the field provided.
3. Choose the asset type from the list.
4. Click +Add.

After you have finished adding all the assets, click Next at the bottom-right corner to proceed.

Task 3: Deploying Host Intrusion Detection System (HIDS) to Servers

We recommend deploying Host Intrusion Detection System (HIDS) in order to perform file integrity monitoring and rootkit detection and to collect event logs. On Windows machines the HIDS agent is installed locally; in Unix/Linux environments the HIDS monitoring is agentless. Unix/Linux systems are monitored remotely and only include the file integrity monitoring capability.

HIDS needs administrative access to create directories and files, set permissions and launch processes. You must provide the credentials of the administrator account on the system that you want to deploy the HIDS on.

To deploy HIDS

1. Choose the Windows or Unix/Linux tab based on your server's operating system.
2. Enter the Username and Password. For Unix/Linux systems, these should be SSH credentials.
3. Optionally, for Windows systems, enter the Domain information as well.
4. From the asset tree on the right, choose the asset(s) that you would like to deploy a HIDS agent to.
5. Click Deploy. The HIDS Deployment lightbox comes up asking for confirmation.
6. On the HIDS Deployment lightbox, click Continue. The deployment starts and a progress bar shows the percentage completed. Once it finishes, a message displays the number of devices on which HIDS was successfully deployed.
7. Click OK.

Figure 6. Getting Started Wizard - Deploy HIDS

After you have finished deploying the HIDS agents, click Next at the bottom-right corner to proceed.

Task 4: Enabling Log Management

One of the key capabilities provided by AlienVault USM is the ability to collect external data from network devices, security devices, and your servers. The collected data allows AlienVault USM to correlate events, see patterns of activity and issue alarms. The Getting Started Wizard lets you configure each of the assets you discovered or added in the Asset Discovery task with the appropriate plugin to collect data from it.

On the Log Management screen within the Getting Started Wizard, you will see a list of the assets discovered in Task 2: Discovering Assets in Your Network that are network devices. You can enable one or more plugins for each of these assets. You will not be able to collect data from assets that do not have any plugin enabled.

To enable plugins for each asset

1. Select the Vendor, Model, and Version number corresponding to the data that you want to collect from that asset. All three fields are required; the Version field defaults to "-" if no other selection is available. The Add Plugin button becomes enabled.
2. Click Add Plugin if you want to enable another plugin for the same asset.

   Another row is added for you to select the Vendor, Model, and Version number for a different plugin.
3. Repeat steps 1 and 2 for each plugin you want to enable. You can enable up to 10 plugins per asset and up to 100 plugins per USM Sensor.

Figure 7. Getting Started Wizard - Log Management Configuration

4. Repeat steps 1-3 for each asset.
5. Click Enable to enable the selected plugins. The system enables the plugins.
6. The screen changes to show which plugins are now enabled and whether each is receiving data. A green indicator means the plugin is enabled, while grey means the plugin is currently disabled.

Figure 8. Getting Started Wizard - Log Management Confirmation

7. Click Instructions to forward logs to learn how to configure your assets to send data to AlienVault USM.

After you have enabled plugins for your assets, click Next at the bottom-right corner to proceed.

Task 5: Joining AlienVault Open Threat Exchange (OTX)™

AlienVault Open Threat Exchange (OTX)™ is an open information sharing and analysis network, created to put effective security measures within the reach of all organizations. Unlike invitation-only threat sharing networks, OTX provides real-time, actionable information to all who want to participate. Enabling AlienVault OTX in your installation allows you to automatically share anonymous threat information with the OTX community; in return you receive crowd-sourced threat updates every 30 minutes.

The image below shows a sample of the data sent from an AlienVault USM installation to OTX. The data collected are the source and/or destination IP address of an event, the name of the event, and the number of times the event occurred.

Figure 9. Sample data collected by OTX

Once you have finished installing and configuring AlienVault USM (with OTX enabled), you will be able to see quickly on the Alarms page which alarms indicate malicious activity from a known bad actor. For more information, see Using USM and OSSIM 5.1 with OTX on the AlienVault Documentation Center.

To enable OTX in your AlienVault installation, you must enter the OTX key and connect to your OTX account. If you previously signed up for an OTX account, you must still complete the OTX signup process to access the enhanced OTX platform released with USM 5.1. In this case, it is important that you provide the same email address you used when you registered for your OTX account, so that OTX can identify your existing account record. If you do not have an OTX account and would like to sign up for one, you can do so from the Getting Started Wizard.

To join OTX from the Getting Started Wizard

1. On the Join OTX screen (see Figure 10), click Sign Up Now. A popup takes you to the sign-up page on https://otx.alienvault.com.
2. Fill out the information (username, email address, and password) and click Sign Up. A page appears informing you that a verification email with a link to OTX was sent to the email address you provided.
3. After you receive the email, click the link and, on the confirmation page for logged-in USM users, click Login.

   A USM key page appears, displaying your OTX key and stating that the username you used to register for OTX is logged in.
4. Copy the OTX key and paste it into the Enter OTX Key field shown in Figure 10.
5. Click Next. The Thank You for Joining the Open Threat Exchange page appears.
6. Click Finish.

Figure 10. Getting Started Wizard - Join OTX

Important: Unlike skipping the wizard, clicking the Finish button is final; you will NOT be able to run the Getting Started Wizard again afterwards.