
Page 1: Setting Up USM Anywhere · on Amazon Web Services or Microsoft Azure. We will discuss each Sensor deployment in greater detail later. Once deployed, these USM Anywhere Sensors then

Module 2

Setting Up USM Anywhere


2-2 AlienVault USM Anywhere: Getting Started Rev A Copyright© 2016 AlienVault. All rights reserved.

In this module we will cover the following objectives: We will define the functionality of the USM Anywhere Sensor. We will identify the different platforms where Sensors can be deployed. We will outline the information to capture before deploying your first Sensor. We will walk through your first Sensor deployment.


The following scene introduces Jack, who is responsible for managing the USM Anywhere solution and monitoring the security of the entire company infrastructure in addition to numerous other responsibilities. Jack’s boss has just signed up for USM Anywhere and now it is up to Jack to implement the solution.


[DIALOGUE]

[BOSS] Hi Jack, I just forwarded you the credentials I got from AlienVault so you can set up USM Anywhere to monitor all our environments. It has the code you will need to activate the first sensor and connect to USM Anywhere. It also lets you know where you can get the sensor from and has links to the documentation on how to deploy it.

[JACK] Thanks, it would be great if you have any details around other resources to help me understand what I need to put in place to get everything up and running quickly.

[BOSS] Well, aside from the information in the email I also have a link to some getting started video training that talks about the different sensor types, things to consider before starting, and recorded walkthroughs that may be helpful. I’ll send you a link.

[JACK] Great, I’ll look at that now. I’ll update you once the initial setup is complete.


The USM Anywhere Sensor is a key component of the USM Anywhere solution, responsible for discovering your assets, scanning for vulnerabilities, and collecting data from your assets and networks. These Sensors can be deployed as Virtual Machines (VMs) running on VMware ESXi or on Microsoft Windows 2012 servers running Hyper-V to monitor your on-premises environments. Sensors can also be deployed to monitor your cloud-based environments, whether they are running on Amazon Web Services or Microsoft Azure. We will discuss each Sensor deployment in greater detail later. Once deployed, these USM Anywhere Sensors then communicate back to the cloud-based USM Anywhere, giving you a single pane of glass to view all your Assets and Networks from one place. In USM Anywhere, an asset is a piece of equipment on the company's network that bears a unique IP address. An asset can be a server, a router, a firewall, a printer, or an individual PC.

These Sensors are the front-line security module of the USM Anywhere platform and provide detailed visibility into your environment. The Sensor takes all the information from your environments, normalizes it, and in turn sends this normalized information to USM Anywhere. At that point Event Correlation takes place, identifying potential security threats by detecting behavior patterns across different asset types. If a threat is detected, it produces an Alarm to alert you to the potential security issue. It should be noted that the Sensor also forwards all the raw log data it receives back to USM Anywhere, where it is archived in the event that it is required for auditing or compliance purposes.


Before starting the deployment of your first sensor it is advisable to do some initial ground work that helps everything run smoothly. The three main areas to consider are networking requirements, account requirements, and system requirements for the Assets you intend to monitor. If you want a more detailed list, please see the Student Guide for this module. [Jump to Appendix]


Let’s start by looking at some of the networking requirements and details that you should gather. You will need to make sure that whatever network your sensor’s management interface is connected to has access to the internet so that it can connect back to USM Anywhere. Likewise, you will need to make sure that all required outbound ports are open between the sensor and your internet gateway. These are listed in the Student Guide. [Jump to Appendix] If you are deploying the Sensor to VMware ESXi or Microsoft Hyper-V and wish to perform Network Intrusion Detection (NIDS) by monitoring the network traffic, you will need to enable Promiscuous Mode on the ports that the Sensor Network Monitoring Interfaces are connected to. You will also need to make sure that Port Mirroring, sometimes known as a SPAN (Switched Port Analyzer) port, is enabled on the upstream physical switch that the virtual network is connected to, so that all the network traffic flowing through that device is seen and monitored. One point to note: at the time of writing, NIDS is not available on cloud-based sensors. Finally, it is also valuable to have an overall picture of your network topology so that you can best utilize your sensor interfaces to discover and monitor the assets and traffic that you desire.


Next let’s consider the credentials that you will need to set up USM Anywhere and successfully obtain information from your assets to monitor their security. You will need all relevant credentials for any Asset you wish to collect log data from in your environment. While the Sensor can perform a scan against the assets without credentials, an authenticated scan, which allows USM Anywhere to log onto the device, will deliver far more information about potential vulnerabilities, installed software packages, and running processes & services. USM Anywhere allows you to define these credentials manually and associate them with Assets you specify. USM Anywhere also has the ability to query Windows Active Directory to obtain credentials for Assets that have been added to the Active Directory domain. This feature is available on VMware ESXi, Microsoft Hyper-V and Azure Sensors and you will need Active Directory Administrator credentials to configure this in USM Anywhere. Last but not least, you will need to make sure you are logged into your Hypervisor (ESXi or Hyper-V) or cloud environment (AWS or Azure) with sufficient privileges to make all necessary configuration changes required by the Sensor so that it can be deployed successfully and leverage all the functionality that is available. We will be covering this in more detail on the coming slides.

A Hypervisor is a system that creates and runs Virtual Machines, allowing multiple operating systems to run simultaneously on a single system by sharing its resources. This system is commonly referred to as the Host and the VMs running on it are known as Guests.


The last section we will look at is the requirements on the Assets themselves. As mentioned, we can discover Assets without login credentials, but it is preferable to gain authenticated access to them for better insight into any security issues they may be facing. Authenticated Scans on Linux systems require Secure Shell (SSH) to be enabled as well as having the correct credentials, as discussed previously. Windows systems should have Windows Remote Management (WinRM) up and functional, and port 5985 needs to be open on the Windows Firewall if it is enabled.


The other factor we need to consider is getting log data, as well as other information, back from our Assets to the Sensor. Assets forward their logs to the USM Anywhere Sensors using the syslog protocol. This data is received over UDP port 514, so you need to make sure nothing is blocking this communication. Many systems have the ability to forward syslog data natively; however, there are services and agents available that can be enabled on systems where either there is no syslog forwarding by default or more in-depth information is desired.

Linux and Unix based systems can leverage rsyslog to forward log data to the Sensor, but we also support the osquery agent, which provides significantly more information about the system that is consumable by USM Anywhere. We also support log data received from OSSEC agents, but we do not run an OSSEC server on our Sensor. An OSSEC server would need to be deployed and configured to forward the data to the Sensor, so that is an extra configuration step that you will need to consider.

Windows systems can leverage the NXLog agent to forward their logs to the Sensor. We also support the implementation of Sysmon, which runs as a Windows service to log more detailed system activity to the Windows event log. To be clear, NXLog is responsible for forwarding the data; Sysmon only enhances the information that is captured. We also support the OSSEC agent on Windows systems, with the same caveats we called out previously. It should be noted, however, that AlienVault does not distribute any of the agents or services described here.
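As an added example (not AlienVault's code), the following pre-install check script exercises the connectivity requirements discussed above and listed in the module appendix: outbound TCP 7100 and 443 from the Sensor, SSH and WinRM toward the assets, and a test syslog datagram on UDP 514. The hostnames, the `usm-precheck` tag and probing both WinRM ports (5985 appears in the body text, 5986 in the appendix) are assumptions.

```python
"""Pre-install connectivity checks for a USM Anywhere Sensor (constructed example).

Ports come from this module's port table: the Sensor needs outbound TCP 7100
and 443 to *.AlienVault.Cloud; assets must reach the Sensor on UDP 514 for
syslog; the Sensor must reach Linux assets on SSH TCP 22 and Windows assets
on WinRM (TCP 5985 in the body text, 5986 in the appendix), so both WinRM
ports are probed. Every hostname here is a placeholder. Nothing authenticates:
a completed TCP handshake only proves the path is open.
"""
import socket
from datetime import datetime

# Placeholder endpoints: replace with your own USM Anywhere hostname and assets.
SENSOR_OUTBOUND = [("your-instance.alienvault.cloud", 7100),
                   ("your-instance.alienvault.cloud", 443)]
LINUX_ASSETS = ["linux-asset.example.internal"]
WINDOWS_ASSETS = ["windows-asset.example.internal"]
WINRM_PORTS = (5985, 5986)  # assumption: probe both HTTP and HTTPS listeners


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, or name resolution failure
        return False


def format_syslog(message, hostname="asset01", facility=1, severity=6, now=None):
    """Build an RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.

    PRI = facility * 8 + severity; facility 1 (user) and severity 6 (info)
    give <14>. The day is space-padded as the RFC shows it.
    """
    now = now or datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    pri = facility * 8 + severity
    return f"<{pri}>{stamp} {hostname} usm-precheck: {message}".encode("ascii")


def send_test_syslog(host, port=514, message="USM Anywhere pre-install check"):
    """Send one test datagram to the Sensor's syslog port and return it.

    UDP gives no delivery confirmation, so the real proof is the event showing
    up in USM Anywhere; search there for the returned message text.
    """
    payload = format_syslog(message)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (host, port))
    return payload


def run_checklist(sensor_outbound, linux_assets, windows_assets, timeout=3.0):
    """Probe every TCP path in the port table; return {(label, host, port): ok}."""
    results = {}
    for host, port in sensor_outbound:
        results[("sensor->usm", host, port)] = tcp_reachable(host, port, timeout)
    for host in linux_assets:
        results[("ssh", host, 22)] = tcp_reachable(host, 22, timeout)
    for host in windows_assets:
        for port in WINRM_PORTS:
            results[("winrm", host, port)] = tcp_reachable(host, port, timeout)
    return results


def report(results):
    """Render checklist results as one 'OK'/'FAIL' line per path."""
    return [f"{'OK  ' if ok else 'FAIL'} {label:<12} {host}:{port}"
            for (label, host, port), ok in results.items()]


if __name__ == "__main__":
    # The Sensor itself must reach *.AlienVault.Cloud and the assets, so run
    # these probes from a host on the Sensor's management network segment.
    for line in report(run_checklist(SENSOR_OUTBOUND, LINUX_ASSETS, WINDOWS_ASSETS)):
        print(line)
    # The syslog check goes the other way (asset -> Sensor), so run it on an
    # asset; for real forwarding, rsyslog uses a line like "*.* @<sensor-ip>:514".
    print(send_test_syslog("sensor.example.internal").decode())
```

A FAIL on the two outbound rows points at the gateway or firewall between the Sensor network and the internet; a FAIL on an asset row points at the asset's host firewall or a missing SSH/WinRM listener.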


Now let’s discuss sensor functionality. We will start by looking at functionality that applies to all sensor types, with one exception that we will highlight. One feature common across all Sensor types is the ability to receive syslog data from any devices configured to forward this information. When received by the Sensor it is normalized and sent to USM Anywhere to be further analyzed for potential threats. Sensors allow for Authenticated Scans of Assets by leveraging stored credentials that you define in USM Anywhere. As we discussed in the Preinstall Checklist section, this allows USM Anywhere to detect potential vulnerabilities, installed software packages, and running processes and services. Finally, Sensors can also discover all assets on a given network without the need for credentials. This functionality is available on all Sensors with the exception of AWS. It should be noted that assets can also be added individually to USM Anywhere.


The VMware sensor comes in the Open Virtual Format (OVF) and can be deployed through vCenter or directly to an ESXi Hypervisor version 5.1 and later. The VM itself requires 4 CPU cores and 12GB of memory to run as well as total available disk space of 150GB. Now let’s review some capabilities of the VMware Sensor. As mentioned previously, the VMware Sensor has the generic features which include:

• Log Data Collection
• Authenticated Asset Scans
• Unauthenticated Asset Discovery Scans

Now let’s look at some more targeted features available on the VMware sensor. The VMware Sensor provides the ability to monitor the packets on networks that you select. This is done by attaching one of the Sensor network interfaces to a port configured in Promiscuous mode on a Virtual Switch. In addition, the upstream physical switch that the ESXi host is connected to must have Port Mirroring enabled. This will allow USM Anywhere to perform analysis on network traffic, which will aid in the detection of threats in your environment. There are some capabilities that are unique to the VMware Sensor which are as follows: There is an option for you to enter credentials for either your vCenter or ESXi servers which will allow the Sensor to discover VMs registered on the ESXi servers through the vSphere API. Not only does this allow for the discovery of assets but it also monitors user logins within your vSphere environment and feeds the information back to USM Anywhere. For more information, and links to additional material, please consult the Student Guide. [Jump to Appendix]


The Microsoft Hyper-V sensor comes with a template descriptor in eXtensible Markup Language (XML) format and disk images in Virtual Hard Disk (VHD) format. To run a Hyper-V Sensor, you will need either Windows Server 2012 or Windows Server 2012 R2 with Hyper-V running. The VM itself requires 4 CPU cores and 12GB of memory to run as well as total available disk space of 150GB. Now let’s review some capabilities of the Hyper-V Sensor. As mentioned previously, the Hyper-V Sensor has generic features which include:

• Log Data Collection
• Authenticated Asset Scans
• Unauthenticated Asset Discovery Scans

Now let’s look at some more targeted features available on the Hyper-V sensor. The Hyper-V Sensor provides the ability to monitor the packets on networks that you select. This is done by attaching one of the Sensor network interfaces to a port configured in Promiscuous mode on the Virtual Network. In addition, the upstream physical switch that the Hyper-V Server is connected to must have Port Mirroring enabled. This will allow USM Anywhere to analyze the network traffic, which will aid in the detection of threats in your environment. For more information and links to additional material please consult the Student Guide. [Jump to Appendix]


The Amazon Web Services sensor comes as a CloudFormation Template in two forms, depending on the environment in AWS you are deploying to. If you are using a Virtual Private Cloud you will use the t2.medium template. If you are using the classic Elastic Compute Cloud you will use the m3.medium template. You must launch your T2 instances into a virtual private cloud (VPC); they are not supported on the EC2-Classic platform. Amazon VPC enables you to launch AWS resources into a virtual network that you've defined. You cannot change the instance type of an existing instance in EC2-Classic to a T2 instance type. In addition to the resource requirements of the templates themselves, you will need a 12GB Elastic Block Store (EBS) volume. To deploy the CloudFormation template you will need a privileged user account with permissions to create Identity and Access Management (IAM) resources. Now let’s review some capabilities of the AWS Sensor. As mentioned previously, the AWS Sensor has generic features which include:

• Log Data Collection
• Authenticated Asset Scans
• It does not currently allow for Unauthenticated Asset Discovery Scans, but this is made up for by features we will be discussing in a moment.

Now let’s look at some more targeted features available on the AWS sensor. The AWS sensor has many capabilities that leverage existing AWS functionality: It can discover all VMs running in your AWS environment automatically. It also has the option to monitor CloudTrail, CloudWatch, Elastic Load Balancer (ELB), and Simple Storage Service (S3) Access Logs if these features are enabled.


Another useful feature is the Sensor’s ability to retrieve and process log files from other systems stored in a designated Simple Storage Service (S3) bucket. This can make it easier to monitor systems that may otherwise be unreachable. Finally, we also have the ability to review the AWS configuration itself to identify any vulnerabilities that could potentially be exploited. For more information and links to additional material please consult the Student Guide. [Jump to Appendix]


Finally, the Azure sensor comes in a similar format to the Hyper-V one; it contains a template descriptor in JavaScript Object Notation (JSON) format and disk images in Virtual Hard Disk (VHD) format. When deploying the template, it will use the Standard_D2_v2 VM size and requires a Data Disk Volume of 12GB. You will need to perform the deployment with a user account that has privileges in the resource group where you want to install the USM Anywhere Sensor. You will also need an account that has Active Directory administrator access. Now let’s review some capabilities of the Azure Sensor. As mentioned previously, the Azure Sensor has the generic features which include:

• Log Data Collection
• Authenticated Asset Scans
• Unauthenticated Asset Discovery Scans

Now let’s look at some more targeted features available on the Azure sensor. The Azure sensor has many capabilities that leverage existing Azure functionality:

• It can discover all VMs running in your Azure environment automatically.
• It also has the option to monitor Azure Application Insights Logs.

For more information and links to additional material please consult the Student Guide. [Jump to Appendix]


We will now look, at a high level, at the overall workflow for setting up USM Anywhere for the first time. You will receive an email that contains an authentication code and details on how to obtain and deploy a sensor. This information will differ depending on where you will be hosting your Sensor VM. Next you will download your Sensor. The format of the files that make up the Sensor VM is tailored so they can be imported into whichever platform you are hosting on. Import the Sensor into your environment and power it on. Once it comes online, find the IP address that was allocated dynamically, or use a static IP that you define, and, using a supported browser, connect to the Sensor UI. Once you have accessed the UI, you will be prompted to enter the authentication code you received in the Activation Email and click Activate. You will notice that the code starts with a “C”; only authentication codes for the initial sensor deployment start with a C, while subsequent authentication codes for additional sensors start with an “S”, as we will see later. This kicks off the process of initiating your USM Anywhere instance and then connecting your sensor to that instance. Once these operations have completed, the screen will update and present you with a URL for your USM Anywhere instance as well as a username and password. You then connect to the USM Anywhere Web UI with these credentials to complete the configuration through the wizard.


In the following video we will demonstrate the deployment of a VMware Sensor. We will look at some configuration steps on the Sensor console and then move to the Sensor UI where we will perform the initial activation and connection to USM Anywhere.


In the following video we look at the components of the VMware Sensor setup wizard. We will highlight what the purpose of each screen is but we will not be performing all the configuration steps highlighted until future modules.


In the following video we look at connecting a second sensor to USM Anywhere. We will see how additional authentication codes are generated on the USM Anywhere website. We will then look at how the Sensor is added to USM Anywhere.


So let’s review what was covered in this module: We defined the functionality of the USM Anywhere Sensor. We identified the different platforms where Sensors can be deployed. We outlined the information to capture before deploying your first Sensor. We walked through your first Sensor deployment.


Read the Documentation: https://www.alienvault.com/documentation/

Explore USM Anywhere Training Offerings: https://www.alienvault.com/training/

Check Out Our Product Forums: https://www.alienvault.com/forums/

HTTPS://WWW.ALIENVAULT.COM | [email protected]


Module 2

Appendix (Updated 10/05/16)


Port and Connectivity Requirements

USM Anywhere Sensor to USM Anywhere

Outbound: Port 7100 SSL (TCP) to *.AlienVault.Cloud

Outbound: Port 443 to *.AlienVault.Cloud

Asset to USM Anywhere Sensor

Syslog Data: UDP Port 514

Linux Authenticated Scans: SSH Port 22

Windows Authenticated Scans: WinRM Port 5986


Sensor Specific Requirements

AlienVault USM Anywhere Data Sheet

Document: https://www.alienvault.com/docs/data-sheets/DS-USM-Anywhere.pdf

VMware vSphere

Documentation: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/vmware/about-vmware-sensor-deployment.htm

Microsoft Hyper-V

Documentation: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/hyperv/about-hyperv.htm

Amazon Web Services

Documentation: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/aws/about-usm-aws-sensor-deployment.htm

Microsoft Azure

Documentation: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/azure/about-azure.htm


3rd Party Technology Referenced

Amazon Web Services

CloudFormation Template: https://aws.amazon.com/cloudformation/aws-cloudformation-templates/

Virtual Private Cloud: https://aws.amazon.com/vpc/

Elastic Compute Cloud: https://aws.amazon.com/ec2/

Elastic Block Store: https://aws.amazon.com/ebs/

Identity and Access Management (IAM): https://aws.amazon.com/iam/

CloudTrail: https://aws.amazon.com/cloudtrail/

CloudWatch: https://aws.amazon.com/cloudwatch/

Elastic Load Balancer (ELB): https://aws.amazon.com/elasticloadbalancing/

Simple Storage Service (S3): https://aws.amazon.com/s3/

Microsoft Azure

Application Insight Logs: https://azure.microsoft.com/en-us/documentation/articles/app-insights-overview/


Documentation Quick Links

Configuring Network Intrusion Detection (Port Mirroring / Promiscuous Mode)

VMware vSphere: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/get-started-wiz/monitoring-vmware.htm

Microsoft Hyper-V: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/get-started-wiz/portmirroring/hyper-v.htm

Configuring Authenticated Scans

SSH and WinRM: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/get-started-wiz/configuring-windows-scans.htm

Configuring Log Data Collection

rsyslog: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/get-started-wiz/configuring-unix-send-data-syslog.htm

osquery: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/get-started-wiz/collecting-logs-linux.htm

NXLog and Sysmon: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/get-started-wiz/collecting-logs-windows.htm

All Additional Supported Plugins: https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/plugin-management/supported-plugins/supported-plugins.htm