This document is intended as a step-by-step guide for new customer implementations of USM Anywhere, with an introduction to the incident ticketing process and to working with the SOC.
The solution and service are deployed in phases. The methodology is built around assessing what currently exists in the customer environment, determining where and how best to deploy the in-scope tools, and gathering as much context about the networks and assets as possible so that the service delivered can be enriched with it.
The deployment phases are:
Deployment Responsibilities Matrix
AlienVault USM Anywhere has a number of requirements and tasks that must be completed to deploy the solution properly and fully. The next two sections detail the deployment tasks with their owners, along with the related collateral or directives that aid completion of each one.
|Action Or Task
||Directive Or Collateral
|Provide a static internal IP for appliance management
||A static IP address, assigned by you, that will be configured on the sensor(s). Reserve the address so it cannot be handed out to another host.
|Enable the sensor(s) within your hypervisor
||Base configuration within your hypervisor
||Download Sensors: CLICK HERE
|Enable port mirroring on managed switches
||Requires a managed switch or network packet broker. Copies network traffic to designated port(s) for Network IDS evaluation. The sensor's monitoring interface must sit on a hypervisor port group that passes the mirrored frames through (promiscuous mode on VMware; a port mirroring destination on Hyper-V); otherwise the IDS sees nothing even though the switch is mirroring correctly.
||Each vendor has its own procedure for enabling port mirroring. Below is a list of common switches and links to the vendor documentation for port mirroring.
||Additionally, pay special attention to the Network IDS Enablement section of this document.
|Deploy Windows / Linux / Mac agents
||Collects system event logs from the host and forwards them to the AlienVault cloud
|Enable sending of syslog from in-scope devices
||Syslog is a standard feature on network devices for forwarding log data to the sensor, which enables compliance logging and security correlation
||Send syslog at level 2 over UDP port 514 to the IP address of your sensor. UDP syslog is cleartext and unacknowledged, so keep the path between device and sensor on an internal network and, where the device supports it, ask the SOC whether a TCP or TLS listener is available for that source.
|Generate and share API tokens with the SOC as needed (Okta, Office 365, AWS, etc.)
||AlienVault has various API integrations, called AlienApps, that allow log data to be securely ingested. Once a token is provided, the SOC configures the app in the backend and validates that the connection succeeded and logs are flowing. Issue each token with the least privilege the AlienApp needs (read-only where the vendor offers it), share it through the support portal rather than plain email, and revoke it if it is ever exposed.
||AlienApps guides for obtaining API keys from each vendor: CLICK HERE
|Modify firewall policy per the requirements
||Allows the required outbound connectivity from the sensor to the CyFlare cloud for data processing and analytics. The sensor initiates these connections; no inbound access from the Internet is needed (see the sensor connectivity notes under Deployment Requirements & Dependencies)
||This document - see "Firewall Rules"
|Complete the SOC Survey
||The SOC Survey provides context about your environment and allows the SOC to tune the solution and the corresponding playbooks properly, so that alerts are not raised for activity that is already known to or authorized by your organization
||SEE ATTACHED TEMPLATE. Once populated, send it to firstname.lastname@example.org and the SOC will update the playbooks accordingly
|Provide a distribution list or email address to be designated as the Incident Handler (IH), to which all SOC-generated tickets will be sent
||This is the main contact the SOC uses when sending tickets. It is typically an email distribution list when multiple contacts need to be notified at ticket creation time
||Send this to your assigned CSM
|If different from the IH, identify an email address or distribution list that should receive reporting from the SOC
||Identifies the recipient of any automated or manual reporting sent from the SOC to your organization
||Send this to your assigned CSM
|Accept the support portal invite
||Your CSM will send you an invite that must be accepted to complete setup of your support portal account, which enables ticket management and knowledge base article review
||Check your spam folder, as the invite may be filtered there. The invite may come from "email@example.com"
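For the syslog row in the table above, the following PowerShell is an added example (not from this guide, CyFlare or AlienVault) that sends a single, correctly formed RFC 3164 test message to the sensor over UDP 514 so the firewall path and the sensor's listener can be confirmed before production devices are pointed at it. The sensor address 10.0.0.50 and the "usm-check" tag are assumptions. It also makes the syslog PRI explicit: PRI = facility * 8 + severity, where severity 2 is "critical"; a device that filters at severity 2 sends only critical, alert and emergency messages, so confirm with the SOC which severity threshold each device should actually use.

```powershell
# Added example (not from the CyFlare/AlienVault guide): send a test RFC 3164
# syslog message over UDP/514 to the sensor so the network path and the
# sensor's listener can be verified. The sensor IP and the "usm-check" tag
# are assumptions; replace them with your values.

function New-SyslogPri {
    param(
        [ValidateRange(0, 23)][int]$Facility,   # 4 = auth, 10 = authpriv, 16 = local0 ...
        [ValidateRange(0, 7)][int]$Severity     # 0 = emerg, 2 = crit, 6 = info, 7 = debug
    )
    # RFC 3164 / RFC 5424: PRI = facility * 8 + severity
    return ($Facility * 8) + $Severity
}

function Send-TestSyslog {
    param(
        [Parameter(Mandatory)][string]$SensorIp,
        [int]$Port = 514,
        [int]$Facility = 16,
        [int]$Severity = 6,
        [string]$Message = 'USM deployment test: syslog path check'
    )
    $pri = New-SyslogPri -Facility $Facility -Severity $Severity

    # BSD timestamp "MMM dd HH:mm:ss" with a space-padded day, as RFC 3164 expects
    $ts = (Get-Date).ToString('MMM dd HH:mm:ss', [Globalization.CultureInfo]::InvariantCulture)
    $ts = $ts -replace '^(\w{3}) 0', '$1  '     # "Jan 05" -> "Jan  5"

    $hostName = $env:COMPUTERNAME.ToLower()
    $line  = "<$pri>$ts $hostName usm-check: $Message"
    $bytes = [Text.Encoding]::ASCII.GetBytes($line)

    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        [void]$udp.Send($bytes, $bytes.Length, $SensorIp, $Port)
    } finally {
        $udp.Close()
    }
    return $line   # the exact string to look for in the sensor's raw log view
}

# Severity 2 (critical) from facility local0, matching the "level 2" row above.
Send-TestSyslog -SensorIp '10.0.0.50' -Facility 16 -Severity 2 -Message 'critical test event'
```

After running it, search the USM Anywhere raw log view for the returned line. If it never arrives, check the firewall path for UDP 514 between the sending host and the sensor, and confirm the destination is the sensor's static IP from the table above rather than its hypervisor host.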
The following list describes the actions CyFlare is responsible for when deploying your AlienVault solution.
|Action or Task
|Send welcome email from Customer Success Manager (CSM)
||Introduction email to you that includes contact information for your Customer Success Manager, project sequencing and several other links to help you get started with the service
|Create AlienVault portal account
||Your unique account within the AlienVault cloud
|Create requested user account(s) within the portal
||Individual credentials for users that require access to your portal account
|Assist with deploying sensor(s) to the requested location(s)
||CyFlare configures, validates and ships your appliance(s) based on the IP information provided at the time of order
|Provide a bulk deployment script for agent deployments
||The SOC or CSM will provide you with a script for bulk agent deployment. This is useful if you use SCCM or another software deployment tool. The script is tokenized and specific to your portal: it carries the credentials that enroll agents into your account, so store and distribute it as you would a password.
|Create CyFlare support portal account(s) as requested
||The support portal is where you can create and view tickets as well as search the knowledge base. Your CSM will send invites that you must accept to complete your account setup
|Validate SSH access to deployed sensor(s)
||The SOC will confirm it can connect to the sensor via the SSH details provided (public IP and port) in case troubleshooting is required. This eases the burden on your organization when sensor-specific troubleshooting is needed
|Validate sensor connectivity
||The SOC will confirm that the sensor is connected to the cloud, that traffic and logs are arriving as expected, and that it is operating normally
Deployment Requirements & Dependencies
The following checklist highlights the required changes, validations and configuration needed within your infrastructure to fully deploy the AlienVault solution. Any configuration work required within the AlienVault UI will be completed by the SOC. The deployment team will assist with the sensor build and configuration within your hypervisor as needed via phone and remote support tools.
- Configure firewall rules according to the rules table provided below
- Enable the sensor(s) within your chosen hypervisor per the installation steps
- Create and provide a service account with the permissions described in the vulnerability scanning requirements later in this document, for authenticated scanning of target machines (enables comprehensive vulnerability reporting)
- AlienVault EDR machine agent requirements
  - A 64-bit Windows host running Windows 8.1 or later.
  - TLS 1.2 must be enabled on the host.
  - PowerShell 3 or higher installed on the host.
  - Login credentials for the host with full administrator rights.
Important: Some antivirus software may block the osqueryd service and prevent it from starting. If the service is not starting because of antivirus software, add the %ProgramData%\osquery\osqueryd\ path (normally C:\ProgramData\osquery\osqueryd\) to your antivirus exclusion policy.
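The following PowerShell is an added example (not from this guide, CyFlare or AlienVault) that checks the four agent prerequisites listed above on a Windows host and, if they all pass, adds the osqueryd exclusion named in the note. It assumes an elevated PowerShell session and that Microsoft Defender is the antivirus (Add-MpPreference is Defender-specific); with another product, add the same path in that product's console.

```powershell
# Added example (not from the guide): pre-flight check of the agent
# prerequisites above, run from an elevated PowerShell prompt on each Windows
# host before the agent is deployed. The AV exclusion step assumes Microsoft
# Defender; other products need the same path added in their own console.

function Test-AgentPrereqs {
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results = [ordered]@{}

    # 64-bit host running Windows 8.1 (kernel version 6.3) or later
    $results['Is64Bit']       = [Environment]::Is64BitOperatingSystem
    $results['Windows81Plus'] = ([version]$os.Version) -ge [version]'6.3'

    # TLS 1.2 for the SCHANNEL client. No registry key means the OS default
    # applies (enabled from Windows 8.1 onward); an explicit Enabled=0 or
    # DisabledByDefault=1 means TLS 1.2 has been switched off by policy.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    $tls = $true
    if (Test-Path $tlsKey) {
        $v = Get-ItemProperty -Path $tlsKey
        if ($v.Enabled -eq 0 -or $v.DisabledByDefault -eq 1) { $tls = $false }
    }
    $results['Tls12Enabled'] = $tls

    # PowerShell 3 or higher
    $results['PowerShell3Plus'] = $PSVersionTable.PSVersion.Major -ge 3

    # Elevated session with full administrator rights
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    $results['IsAdmin'] = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    return $results
}

function Add-OsqueryAvExclusion {
    # Path from the osqueryd note above; Add-MpPreference exists only with Defender (assumption)
    $osqueryPath = Join-Path $env:ProgramData 'osquery\osqueryd'
    if (-not (Get-Command Add-MpPreference -ErrorAction SilentlyContinue)) { return $false }
    Add-MpPreference -ExclusionPath $osqueryPath
    return ((Get-MpPreference).ExclusionPath -contains $osqueryPath)
}

$check = Test-AgentPrereqs
$check.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }

if ($check.Values -contains $false) {
    Write-Warning 'A prerequisite failed; fix it before installing the agent.'
} elseif (Add-OsqueryAvExclusion) {
    Write-Output 'Defender exclusion for osqueryd is in place.'
} else {
    Write-Warning 'Add-MpPreference unavailable: add the osqueryd path in your AV console instead.'
}
```

Run it before pushing the agent with the bulk deployment script; a host that reports Tls12Enabled False has usually had TLS 1.2 disabled by a hardening GPO, and that policy, not the agent, is what needs changing.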
Before you deploy a USM Anywhere Sensor, you must configure your firewall to enable the required connectivity for the new Sensor. Initial deployment of a USM Anywhere Sensor requires that you open egress/outbound ports and protocols in the firewall for communication with USM Anywhere and AlienVault cloud resources. The USM Anywhere Sensor receives no inbound connections from outside the firewall.
Note: To launch the USM Anywhere Sensor web UI during initial setup, you need to allow inbound traffic to the Sensor IP address on TCP port 80. This is plain HTTP, so limit the source to the workstation performing the setup, and remove the rule after the Sensor successfully connects to USM Anywhere. You do not need to allow inbound traffic to port 80 from the Internet.
Important: A USM Anywhere Sensor deployed in AWS might require outbound access to specific AWS resources, based on the Sensor App in use. For example, the Amazon Web Services Sensor App must be able to connect to the AWS API (port 443). However, the actual API endpoint differs depending on the service (such as S3 or CloudWatch).
Within AWS, outbound access to the AWS API is normally granted explicitly; verify that the Sensor's egress rules include the endpoints its Sensor Apps use.
USM Anywhere cannot deploy the AWS Sensor in an AWS GovCloud region.
Supported Web Browsers
USM Anywhere works best in the latest version of the following web browsers:
Each USM Anywhere Sensor has unique requirements. See the following topics for detailed information about these sensor-specific requirements:
Note: During sensor setup you must have the address of your internal authoritative DNS server ready to enter during installation. If it is not available at that time, provide it to your Sales Engineer to add later.
SOC Access to Sensor
Though this step is not required, from time to time the SOC may need to troubleshoot the sensors, and can do so without burdening your staff if it is given SSH access.
The options for enabling that are typically the following, though we can adhere to whatever is normal for your organization:
- Provide the SOC with non-persistent VPN access
- Jump-box SSH access (preferred for configuration and troubleshooting)
- Direct SSH access to a provided static public IP
- Direct SSH access via port forwarding to a static public IP
Whichever option is chosen, restrict the inbound rule to the SOC's source addresses and use key-based authentication. The two direct-access options expose the sensor's management interface to the Internet, so never leave them open to any source.
Scanning for vulnerabilities is a required component of HIPAA and PCI compliance. It is also critical to understanding where addressable vulnerabilities exist within your network so they can be patched, shrinking the window in which known exploits can be leveraged by bad actors.
An authenticated asset scan verifies the scanned IPs and detects vulnerabilities, configuration issues and installed software. The USM Anywhere Sensor initiates a credentialed SSH (Linux) or WinRM (Windows) connection to the asset and remotely runs a series of commands for host-based assessment.
To enable vulnerability scanning:
- Create and provide an administrative account with READ privileges for vulnerability scanning. For Windows, the scan uses WinRM, which must be enabled on each system (TCP 5985 for HTTP, 5986 for HTTPS); scope the host firewall rule so that only the sensor's IP can reach those ports. For Linux, the scan uses a credentialed SSH connection, so SSH must be enabled and the account permitted to log in.
- To scan assets on an offsite subnet, a dual-homed bastion host is required. Provide the external IP of the bastion host.
- Vulnerability scanning can be performed on the following systems:
  - Windows: Windows XP SP3+, Windows Server 2003 SP2+
  - Linux: RHEL 5+, Fedora 14+, SUSE Desktop 10+, SUSE Enterprise Server 9+, Ubuntu 8.10+, Debian 6.0+
  - Apple: OS X Snow Leopard+, iOS 5.1+
  - Cisco: IOS 12.2+, IOS-XE 12.2+, ASA 9.0+
  - Juniper: JunOS 8.5R1+
  - IBM: AIX 6.1+, RHEL 6+ on System z
  - Oracle: Solaris 8+
  - HP-UX 11.23+
  - FreeBSD 8.4+
  - VMware ESXi 5.0+
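For the Windows side of the authenticated-scan requirement above, the following PowerShell is an added example (not from this guide, CyFlare or AlienVault) that enables WinRM on a target host, narrows the Windows Firewall WinRM rules to the sensor's address, adds the scan account to the local Administrators group, and then checks the service, listeners, WS-Management response and firewall scope. It assumes Windows 8 / Server 2012 or later (the NetSecurity cmdlets), that 10.0.0.50 is the sensor and CORP\svc-usm-scan the scan account, and that it is run from an elevated prompt.

```powershell
# Added example (not from the guide): prepare a Windows host for WinRM-based
# authenticated vulnerability scanning and verify the result. Run elevated.
# Assumptions: Windows 8 / Server 2012+ (NetSecurity cmdlets); the sensor IP
# and scan account passed in below are placeholders.

function Enable-ScanWinRm {
    param(
        [Parameter(Mandatory)][string]$SensorIp,      # the only host allowed to reach WinRM
        [Parameter(Mandatory)][string]$ScanAccount    # credential handed to the SOC
    )
    # Starts WinRM, creates the HTTP listener on 5985 and the default firewall rules
    Enable-PSRemoting -Force -SkipNetworkProfileCheck | Out-Null

    # The default rules accept connections from the local subnet or from anywhere;
    # restrict every WinRM rule so that only the sensor can reach 5985/5986.
    Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
        Set-NetFirewallRule -RemoteAddress $SensorIp

    # The guide asks for an administrative account. Use a dedicated account, not a
    # shared admin login, so scan activity is attributable in the security log.
    # net.exe is used because it works on every Windows version in scope.
    $members = net localgroup Administrators
    if ($members -notcontains $ScanAccount) {
        net localgroup Administrators $ScanAccount /add | Out-Null
    }
}

function Test-ScanWinRm {
    $svc       = Get-Service -Name WinRM
    $listeners = Get-ChildItem WSMan:\localhost\Listener
    $http      = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTP' })
    $https     = [bool]($listeners | Where-Object { $_.Keys -contains 'Transport=HTTPS' })

    try   { $null = Test-WSMan -ErrorAction Stop; $responds = $true }
    catch { $responds = $false }

    # Effective remote-address scope of the WinRM rules; should be the sensor IP only
    $scope = (Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
              Get-NetFirewallAddressFilter |
              Select-Object -ExpandProperty RemoteAddress -Unique) -join ','

    [pscustomobject]@{
        ServiceRunning = ($svc.Status -eq 'Running')
        HttpListener   = $http
        HttpsListener  = $https      # needs a server certificate; optional but preferred
        WsManResponds  = $responds
        FirewallScope  = $scope      # must never read 'Any' or 'LocalSubnet'
    }
}

Enable-ScanWinRm -SensorIp '10.0.0.50' -ScanAccount 'CORP\svc-usm-scan'
Test-ScanWinRm | Format-List
```

Push the same two functions through SCCM or Group Policy for fleet-wide enablement. A FirewallScope value other than the sensor IP means a later GPO has widened the rule again, which is the usual reason a host that passed this check ends up reachable over WinRM from the whole subnet.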