AlienVault USM Anywhere Customer Quick Start Guide

Summary

This document is intended as a step-by-step guide for new customer implementations of USM Anywhere, with an introduction to the incident ticketing process and to interacting with the SOC.

The solution and service are deployed in phases. The methodology centers on properly assessing what is currently in the customer environment, determining where and how to best deploy the in-scope tools, and gathering as much context about the networks and assets as possible to enrich the quality of the service delivered.

The deployment phases are:



Deployment Responsibilities Matrix


AlienVault USM Anywhere has various requirements and tasks that must be completed to deploy the solution properly and fully. The next two sections detail the deployment tasks with their owners, along with related collateral or directives to aid completion of the deployment.

Subscriber Requirements


Each entry below lists the action or task, a description, and the directive or collateral that supports it.

Provide a static internal IP for appliance management
  Description: A static IP, assigned by you, that will be configured on the sensor(s).
  Directive or collateral: none

Enable the sensor(s) within your hypervisor
  Description: Base configuration within your hypervisor.
  Directive or collateral:
    Download Sensors: CLICK HERE
    Steps for VMware Deployment: CLICK HERE
    Steps for Hyper-V Deployment: CLICK HERE
    AWS Deployment: CLICK HERE
    Azure Deployment: CLICK HERE

Enable port mirroring from managed switches
  Description: Requires a managed switch or network packet broker. Copies network traffic to designated port(s) for Network IDS evaluation. The IDS only sees what is mirrored, so mirror at aggregation points (core or distribution uplinks) and make sure the mirror port's capacity exceeds the aggregate traffic it receives, or packets are dropped silently.
  Directive or collateral: Each vendor has its own procedure for enabling port mirroring. Below is a list of common switches and links to vendor documentation for port mirroring. Additionally, pay special attention to the Network IDS Enablement section within this document.

Deploy Windows / Linux / Mac agents
  Description: Collects system event logs and forwards them to the AlienVault cloud.
  Directive or collateral: Agent Installation Instructions: CLICK HERE

Enable sending of syslog from in-scope devices
  Description: Syslog is a standard feature of network devices for forwarding log data to the sensor, enabling compliance logging and security correlation.
  Directive or collateral: Send syslog level 2 over UDP port 514 to the IP address of your sensor. UDP syslog is unencrypted and unauthenticated, so keep the path from the devices to the sensor on a trusted internal network.

Generate and share API tokens with the SOC as needed (Okta, Office 365, AWS, etc.)
  Description: AlienVault provides various API integrations, called AlienApps, that ingest log data securely. Once the tokens are provided, the SOC configures the integration in the backend and validates that the connection succeeded and logs are flowing. Scope each token to the minimum permissions the integration needs and share it over a secure channel rather than in plain email.
  Directive or collateral: AlienApps guides for obtaining API keys from vendors: CLICK HERE

Modify firewall policy per the requirements
  Description: Allows the required connectivity between the sensor and the AlienVault cloud for data processing and analytics.
  Directive or collateral: This document; see "Firewall Rules".

Complete SOC survey
  Description: The SOC survey provides context about your environment and allows the SOC to properly tune the solution and the corresponding playbook so that alerts are not raised for activity that is already known or authorized by your organization.
  Directive or collateral: SEE ATTACHED TEMPLATE. Once populated, send it to socir@cyflare.com and the SOC will update the playbooks accordingly.

Provide a distribution list or email address to be designated as the Incident Handler (IH) for all SOC-generated tickets
  Description: This is the main contact the SOC uses when sending all tickets. It is typically an email distribution list if multiple contacts need to be notified at ticket creation time.
  Directive or collateral: Send this to your assigned CSM.

If different from the IH contact, identify an email address or distribution list that should receive reporting from the SOC
  Description: Identifies the recipient of any automated or manual reporting sent from the SOC to your organization.
  Directive or collateral: Send this to your assigned CSM.

Accept the support portal invite
  Description: Your CSM will send you an invite that must be accepted to complete the support portal account setup, enabling ticket management and knowledge base article review.
  Directive or collateral: Check your spam folder, as the invite may land there. The invite comes from "socir@cyflaresupport.zohodesk.com".

CyFlare Responsibilities

The following list describes the actions CyFlare is responsible for when deploying your AlienVault solution. Each entry lists the action or task followed by its description.

Send welcome email from the Customer Success Manager (CSM)
  Introduction email that includes contact information for your CSM, project sequencing, and several other links to help you get started with the service.

Create AlienVault portal account
  Your unique account within the AlienVault cloud.

Create requested user account(s) within the portal
  Individual credentials for users who require access to your portal account.

Assist with delivering sensor(s) to the requested location(s)
  CyFlare configures, validates, and ships your appliance(s) based on the IP information provided at the time of order.

Provide bulk deployment script for agent deployments
  The SOC or CSM will provide you with a script for bulk agent deployment. This is useful if you use SCCM or another software deployment tool. This custom file is tokenized and specific to your portal, so treat it as a credential: anyone holding it can enroll agents into your account.

Create CyFlare support portal account(s) as requested
  The support portal is where you can create and view tickets and search the knowledge base. Your CSM will send invites that you must accept to complete your account setup.

Validate SSH access to deployed sensor(s)
  The SOC will confirm it can connect to the sensor via the SSH details provided (public IP and port) in case troubleshooting is required. This is offered to ease the burden on your organization if sensor-specific troubleshooting is needed.

Validate sensor connectivity
  The SOC will confirm that the sensor is connected, sending traffic, and working as expected.


Deployment Requirements & Dependencies

The following checklist highlights the required changes, validations, and configuration needed within your infrastructure to fully deploy the AlienVault solution. Any configuration work required within the AlienVault UI will be completed by the SOC. The deployment team will assist with the sensor build and configuration within your hypervisor as needed via phone and remote support tools.

Deployment requirements:
  1. Configure firewall rules according to the rules table provided below.
  2. Enable sensor(s) within your chosen hypervisor per the installation steps.
  3. Create and provide a service account with read permissions on target machines for authenticated vulnerability scanning (enables comprehensive vulnerability reporting).
  4. AlienVault EDR machine agent host requirements (Windows):
    1. A 64-bit Windows host running Windows 8.1 or later.
    2. TLS 1.2 must be enabled on the host.
    3. PowerShell 3 or higher is installed on the host.
    4. You have login credentials for the host with full administrator rights.
Important: Some antivirus software may block the osqueryd service and prevent it from starting. If the service is not starting because of antivirus software, add the \ProgramData\osquery\osqueryd\ path to your antivirus exclusion policy.
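The following PowerShell script is an added example for this guide (it is not CyFlare's or AlienVault's code) that checks the four agent host requirements above, plus the osqueryd service and the antivirus exclusion, on a Windows host. It assumes Microsoft Defender is the active antivirus; the exclusion check uses Get-MpPreference and other products need their own check.

```powershell
# Added example, not part of the original guide: pre-flight check of the agent host requirements listed above.
# Run in an elevated Windows PowerShell session on each target host before (and once more after) installing the agent.
# ASSUMPTION: Microsoft Defender is the active AV; the exclusion check uses Get-MpPreference.

function Test-UsmAgentPrereqs {
    $results = @()
    $add = { param($Name, $Pass, $Detail) [pscustomobject]@{ Check = $Name; Pass = [bool]$Pass; Detail = "$Detail" } }

    # 1. 64-bit Windows 8.1 (NT 6.3) or later. Win32_OperatingSystem reports the real version, unlike
    #    [Environment]::OSVersion, which reports 6.2 to unmanifested processes on 8.1 and later.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    $results += (& $add '64-bit OS' ([Environment]::Is64BitOperatingSystem) $os.OSArchitecture)
    $results += (& $add 'Windows 8.1 or later' ($ver -ge [version]'6.3') "$($os.Caption) $($os.Version)")

    # 2. TLS 1.2 at the SCHANNEL level. On 8.1 / 2012 R2 and later it is on by default, so only an explicit
    #    Enabled=0 or DisabledByDefault=1 under the policy key counts as disabled.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = Get-ItemProperty -Path $tlsKey -ErrorAction SilentlyContinue
    $tlsDisabled = [bool]($tls -and (($tls.Enabled -eq 0) -or ($tls.DisabledByDefault -eq 1)))
    $tlsDetail = if ($tls) { "Enabled=$($tls.Enabled) DisabledByDefault=$($tls.DisabledByDefault)" } else { 'no override key, OS default applies' }
    $results += (& $add 'TLS 1.2 enabled (SCHANNEL client)' (-not $tlsDisabled) $tlsDetail)

    # 3. PowerShell 3+, and whether .NET in this session will actually offer TLS 1.2 to the download server.
    #    Windows PowerShell 3/4 on older .NET defaults to SSL3/TLS1.0 unless SchUseStrongCrypto is set; a value
    #    of 0 means SystemDefault (.NET 4.7+), which follows the OS policy checked in step 2.
    $results += (& $add 'PowerShell 3 or higher' ($PSVersionTable.PSVersion.Major -ge 3) $PSVersionTable.PSVersion)
    $spm = [Net.ServicePointManager]::SecurityProtocol
    $tls12Offered = ([int]$spm -eq 0) -or (($spm -band [Net.SecurityProtocolType]::Tls12) -ne 0)
    $results += (& $add 'TLS 1.2 offered by .NET (this session)' $tls12Offered $spm)

    # 4. Full administrator rights are needed to install the service.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $results += (& $add 'Running elevated as administrator' $isAdmin $id.Name)

    # 5. Post-install: osqueryd must start, and the guide's AV exclusion path must be present.
    $osqPath = Join-Path $env:ProgramData 'osquery\osqueryd'
    $svc = Get-Service -Name osqueryd -ErrorAction SilentlyContinue
    $svcDetail = if ($svc) { $svc.Status } else { 'service not installed yet' }
    $results += (& $add 'osqueryd service running (after install)' ($svc -and $svc.Status -eq 'Running') $svcDetail)
    $excl = @((Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath)
    $exclOk = ($excl -contains $osqPath) -or ($excl -contains "$osqPath\")
    $results += (& $add "AV exclusion for $osqPath" $exclOk ($excl -join '; '))

    return $results
}

Test-UsmAgentPrereqs | Format-Table -AutoSize -Wrap
```

Any row with Pass = False before the install points at the requirement to fix first; the last two rows are expected to fail until the agent has been installed. If the .NET row fails on a PowerShell 3 or 4 host, set `[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12` in the session that runs the installer.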

Firewall Rules

Before you deploy a USM Anywhere Sensor, you must configure your firewall to allow the required connectivity for the new Sensor. Initial deployment of a USM Anywhere Sensor requires that you open egress (outbound) ports and protocols in the firewall for communication with USM Anywhere and AlienVault cloud resources. The USM Anywhere Sensor receives no inbound connections from outside the firewall.

Note: To launch the USM Anywhere Sensor web UI during initial setup, you must allow inbound traffic to the Sensor IP address on TCP port 80, but only from the management workstation you use for setup, never from the Internet. The setup UI is plain HTTP, so remove this access once the Sensor has successfully connected to USM Anywhere.

Type       Ports        Direction  Endpoint(s)                                      Purpose
TCP        443          Outbound   update.alienvault.cloud                          Communication with AlienVault for initial setup and future updates of the Sensor
TCP        443          Outbound   reputation.alienvault.com                        Ongoing communication with Open Threat Exchange® (OTX)
TCP        443          Outbound   <your USM Anywhere subdomain>.alienvault.cloud   Ongoing communication with USM Anywhere
TCP        9443         Outbound   vCenter Server                                   Authenticate Sensor to ESXi (VMware deployments only)
SSL / TCP  7100         Outbound   <your USM Anywhere subdomain>.alienvault.cloud   Ongoing communication with USM Anywhere
UDP        53           Outbound   DNS servers (Google by default)                  Name resolution needed for ongoing communication with USM Anywhere
UDP        123          Outbound   0.amazon.pool.ntp.org, 1.amazon.pool.ntp.org,    Sync with NTP services in the AlienVault cloud
                                   2.amazon.pool.ntp.org, 3.amazon.pool.ntp.org
TCP        22 and 443   Outbound   prod-usm-saas-tractorbeam.alienvault.cloud       SSH communications with the USM Anywhere Remote Support server

For more information about remote technical support through the USM Anywhere Sensor console, see Troubleshooting and Remote Sensor Support.

Important: A USM Anywhere Sensor deployed in AWS might require outbound access to additional AWS resources, depending on the Sensor App in use. For example, the Amazon Web Services Sensor App must be able to reach the AWS API (port 443), but the actual API endpoint differs by service (such as S3 or CloudWatch).

USM Anywhere normally gives systems explicit access to the AWS API.

USM Anywhere cannot deploy the AWS Sensor in an AWS GovCloud region.
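To confirm the firewall policy before the Sensor is built, the following PowerShell script, added to this guide as an example (not CyFlare's or AlienVault's code), probes each egress path in the table from a Windows host placed behind the same firewall policy the Sensor will use. The subdomain and DNS server values are placeholders; the vCenter row is omitted because it applies only to VMware deployments.

```powershell
# Added example, not part of the original guide: egress preflight for the firewall rules table above.
# Save as a .ps1 and run from a Windows host that sits behind the same firewall policy the sensor will use.
param(
    [string]$UsmSubdomain = 'example',   # ASSUMPTION: replace with your USM Anywhere subdomain
    [string]$DnsServer    = '8.8.8.8'    # table default (Google); use your internal resolver if you set one
)

$usmHost = "$UsmSubdomain.alienvault.cloud"

# TCP paths taken from the rules table. vCenter (TCP 9443) is only needed for VMware sensors, so it is left out.
$tcpTargets = @(
    @{ Host = 'update.alienvault.cloud';                    Port = 443;  Purpose = 'Sensor setup and updates' },
    @{ Host = 'reputation.alienvault.com';                  Port = 443;  Purpose = 'OTX reputation' },
    @{ Host = $usmHost;                                     Port = 443;  Purpose = 'USM Anywhere (HTTPS)' },
    @{ Host = $usmHost;                                     Port = 7100; Purpose = 'USM Anywhere (SSL/TCP 7100)' },
    @{ Host = 'prod-usm-saas-tractorbeam.alienvault.cloud'; Port = 22;   Purpose = 'Remote support (SSH)' },
    @{ Host = 'prod-usm-saas-tractorbeam.alienvault.cloud'; Port = 443;  Purpose = 'Remote support (HTTPS)' }
)

$results = @()
foreach ($t in $tcpTargets) {
    # Test-NetConnection completes a TCP handshake only; it proves the firewall path, not TLS or the application protocol.
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Proto = 'TCP'; Target = "$($t.Host):$($t.Port)"; Purpose = $t.Purpose; Ok = [bool]$r.TcpTestSucceeded }
}

# UDP 53: Test-NetConnection cannot probe UDP, so perform a real lookup through the resolver the sensor will use.
try {
    $null = Resolve-DnsName -Name 'update.alienvault.cloud' -Server $DnsServer -DnsOnly -ErrorAction Stop
    $dnsOk = $true
} catch { $dnsOk = $false }
$results += [pscustomobject]@{ Proto = 'UDP'; Target = "${DnsServer}:53"; Purpose = 'DNS'; Ok = $dnsOk }

# UDP 123: w32tm sends a genuine NTP request; an "error:" in its output means no reply came back.
foreach ($i in 0..3) {
    $ntp = "$i.amazon.pool.ntp.org"
    $out = (& w32tm.exe /stripchart "/computer:$ntp" /samples:1 /dataonly 2>&1) | Out-String
    $results += [pscustomobject]@{ Proto = 'UDP'; Target = "${ntp}:123"; Purpose = 'NTP'; Ok = ($out -notmatch 'error') }
}

$results | Format-Table -AutoSize
$blocked = @($results | Where-Object { -not $_.Ok })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required egress path(s) blocked; fix the firewall policy before deploying the sensor." -f $blocked.Count)
}
```

A failed TCP row usually means the firewall is blocking the port or a proxy is in the path; the Sensor does not use a web proxy, so the policy must allow direct egress. A failed NTP row is worth fixing before anything else, because a Sensor with skewed time fails TLS validation against the endpoints in the rest of the table.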



Supported Web Browsers

USM Anywhere works best in the latest versions of the following web browsers:

  • Mozilla Firefox
  • Google Chrome


Sensor-Specific Requirements

Each USM Anywhere Sensor has unique requirements. See the following topics for detailed information about these sensor-specific requirements:


Note: During sensor setup you must have the address of your internal authoritative DNS server ready to enter. If it is not entered at that time, it must be provided to your Sales Engineer to add later.


SOC Access to Sensor


Although this step is not required, the SOC may from time to time need to troubleshoot the sensors, and can do so without burdening your staff if it is given SSH access.

The typical options for enabling that access are listed below, though we can adhere to whatever is normal for your organization. Whichever option you choose, restrict the source to the SOC's addresses, use key-based authentication rather than passwords, and log the sessions.

  • Provide the SOC non-persistent VPN access
  • Jump-box SSH access (preferred for configuration and troubleshooting)
  • Direct SSH access to a provided static public IP
  • Direct SSH access via port forwarding to a static public IP

Vulnerability Scanning

Vulnerability scanning is a required component of PCI DSS compliance and an expected part of the HIPAA risk analysis. It is also critical to understanding where addressable vulnerabilities exist within your network, so that they can be patched and the window in which known exploits can be leveraged by bad actors is reduced.

An authenticated asset scan verifies scanned IPs and detects vulnerabilities, configuration issues, and software. The USM Anywhere Sensor initiates a credentialed SSH (Linux) or WinRM (Windows) connection to the asset and remotely runs a series of commands for host-based assessment.

In order to enable Vulnerability Scanning:

Create and provide an administrative account for vulnerability scanning; the scan only runs read-only assessment commands, but the account still needs the rights to execute them. For Windows, the sensor connects over WinRM, which must be enabled on each system (TCP 5985 for HTTP, 5986 for HTTPS). For Linux, the sensor uses a credentialed SSH connection, so SSH must be enabled and reachable from the sensor. In both cases, restrict the listening port to the sensor's IP address.

https://www.alienvault.com/documentation/usm-anywhere/deployment-guide/setup/configuring-scans.htm 

http://blog.powershell.no/2010/03/04/enable-and-configure-windows-powershell-remoting-using-group-policy/ 
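The following PowerShell script is an added example for this guide (not CyFlare's or AlienVault's code) showing how to enable WinRM on a Windows target for the authenticated scan while limiting its reach to the sensor, and how to create the dedicated scan account the page asks for. $SensorIp and $ScanAccount are placeholders; New-LocalUser and Add-LocalGroupMember require Windows 10 / Server 2016 or later (use "net user" and "net localgroup" on older hosts). For fleet-wide rollout, push the same settings via the Group Policy article linked above.

```powershell
# Added example, not part of the original guide: enable WinRM for the sensor's authenticated scan and limit its
# reach to the sensor. Save as a .ps1 and run elevated on the target host.
# ASSUMPTIONS: $SensorIp and $ScanAccount are placeholders; local-account cmdlets need Windows 10 / Server 2016+.
param(
    [string]$SensorIp    = '10.0.0.50',
    [string]$ScanAccount = 'svc-usm-scan'
)

# 1. Start WinRM and create the default HTTP listener on TCP 5985. -SkipNetworkProfileCheck stops the cmdlet from
#    refusing on hosts whose active network profile is "Public".
Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

# 2. Enable-PSRemoting also opens the built-in WinRM firewall rules to any source. Disable those and replace them
#    with a single rule that only admits the sensor on 5985/5986.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
$ruleName = 'USM Anywhere authenticated scan (WinRM from sensor only)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort 5985, 5986 `
        -RemoteAddress $SensorIp -Action Allow -Profile Any | Out-Null
}

# 3. Optional HTTPS listener on TCP 5986, so the session is protected by TLS rather than only by WinRM's own
#    message-level encryption. Requires a server-authentication certificate with a private key in the machine store.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$httpsListener = Get-ChildItem -Path WSMan:\localhost\Listener | Where-Object { $_.Keys -contains 'Transport=HTTPS' }
if ($cert -and -not $httpsListener) {
    New-Item -Path WSMan:\localhost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $cert.Thumbprint -Force | Out-Null
}

# 4. Dedicated scan account. The guide asks for an administrative account: keep it unique to this role, never reuse
#    its password elsewhere, and alert on any logon from an address other than the sensor, because a WinRM admin
#    session can run arbitrary commands on every host it reaches.
if (-not (Get-LocalUser -Name $ScanAccount -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -Prompt "Password for $ScanAccount" -AsSecureString
    New-LocalUser -Name $ScanAccount -Password $pw -Description 'USM Anywhere authenticated vulnerability scan' | Out-Null
    Add-LocalGroupMember -Group 'Administrators' -Member $ScanAccount
}

# 5. Verify: the listener answers, and every enabled inbound rule for 5985 is scoped to the sensor, not to Any.
Test-WSMan -ComputerName localhost | Out-Null
Get-NetFirewallRule -Enabled True -Direction Inbound |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '5985' } |
    ForEach-Object { [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } |
    Format-Table -AutoSize
```

The final table should show only the sensor-scoped rule with RemoteAddress equal to the sensor IP; any row whose RemoteAddress is "Any" means another rule (often one pushed by policy) still exposes WinRM to the whole network and needs the same scoping.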

  • To run a vulnerability scan on assets in an offsite subnet, a dual-homed bastion host is required. Provide the external IP of the bastion host.
  • Vulnerability scanning can be performed on the following systems:
    • Windows: Windows XP SP3+, Windows Server 2003 SP2+
    • Linux: RHEL 5+, Fedora 14+, SUSE Desktop 10+, SUSE Enterprise Server 9+, Ubuntu 8.10+, Debian 6.0+
    • Apple: OS X Snow Leopard+, iOS 5.1+
    • Cisco: IOS 12.2+, IOS-XE 12.2+, ASA 9.0+
    • Juniper: JunOS 8.5R1+
    • IBM: AIX 6.1+, RHEL 6+ on System z
    • Oracle: Solaris 8+
    • HP-UX 11.23+
    • FreeBSD 8.4+
    • VMware ESXi 5.0+








