AlienVault USM Anywhere: Security in the cloud, for the cloud

alienvault usm anywhereIn this podcast recorded at RSA Conference 2017, Denny LeCompte, SVP, Products at AlienVault, talks about AlienVault USM Anywhere, a SaaS security monitoring solution that centralizes threat detection, incident response, and compliance management across your cloud, hybrid cloud, and on-premises environments.

alienvault usm anywhere

Here’s a transcript of the podcast for your convenience.

Hello, I’m Denny Lecompte, I am the Senior Vice President of Products at AlienVault. Today’s podcast is going to be about threat detection and cloud infrastructure, and how AlienVault’s new product tackles this problem. So, who’s AlienVault? We are a cybersecurity firm that focuses on threat detection, incident response and compliance management. We’re unique in the security market because we focus on organizations that have limited resources, be it time, budget or staff, who can’t deploy heavy, expensive enterprise solutions.

The news that we want to talk about is that we’ve got a new product; we call it AlienVault USM Anywhere and it leverages AlienVault’s unique unified approach to security management. It’s a cloud-based security monitoring platform, and it combines the essential security capabilities that you need to do threat detection, incident response and compliance management.

Unlike other security solutions, USM Anywhere monitors cloud, hybrid cloud and on-prem, all from a single pane of glass. And because it’s a service, it’s just dead-simple to set up and use. AlienVault successfully pioneered this comprehensive approach to security management with our first product that’s been out for many years, Unified Security Manager. We’ve renamed that product to USM Appliance to distinguish the two, and what made USM Appliance really successful is that it opened up effective threat detection and response to organizations of all sizes.

What the Appliance focuses on is, we call it the 5 security essentials: the USM Appliance is a single, on premise appliance; you can deploy it in hours; no professional services required; it’s not a 6-month rollout like some of the bigger players. And what it gives you is not just one point solution. We provide asset discovery, vulnerability management, intrusion detection. We’re also a SIEM – Security Information Event Management, and we do behavior monitoring. All of that is kind of rolled into a single platform and then, on top of it, we provide continuous threat intelligence. We have our AlienVault lab security team; we have another platform called Open Threat Exchange where 50.000+ people throughout the global security community are contributing malware samples and intelligence information. And our security team takes all of that data and turns it into threat intelligence which we put back into the USM Appliance.

USM Appliance is great, so where does this new USM Anywhere fit in? We’ve seen a couple of really big shifts in the IT world. We’re very close to our customers and the two things we’re seeing is one: people are really moving infrastructure to the cloud. Also, we see IT products moving to the cloud. And that kind of shaped what we built.

Let me talk first about this cloud infrastructure shift. At first, when Amazon and then Microsoft came out with their cloud infrastructure, they were interesting and they were experimental and the first folks to glom unto were developers and developers would go out there and they were able to go around IT and just spin up servers in the cloud and do things. And it was not production, so I think IT for a while kind of ignored it. But over the last couple of years, it’s become very much mainstream, at which point, what always happens to IT guys is when the developers make something that’s real and it’s no longer just a fun toy, they’re like ‘Okay, this is hard now, so why don’t we get the IT team to actually secure it because that is boring and we don’t really want to do that?’ And so they’ve handed it off to IT.

alienvault usm anywhere

They can no longer go around the rules – we need those rules to make sure the environment is secure and IT professionals who’ve inherited all this cloud infrastructure are left with a couple of choices. One choice is that they can just kind of cobble together their own, which again – if you’re a Fortune 50 company and you have 500 security guys and they’re all developers and they can build something, that’ great. But the vast majority of companies have like 1 or 2 security people, and they’re probably doing multiple things other than security and they can’t build their own

So then they’re stuck either buying a completely separate cloud monitoring product that monitors cloud security, and there’s not a lot of those. Or they go buy some legacy product that’s says it does cloud monitoring, but it’s really a retrofit, which means that they kind of stick an agent on the cloud server and say ‘See, we’re monitoring it’. But that’s not really what you want. Because the truth is if you think about Amazon web services, it has a whole bunch of entities that are kind of abstractions. Things like S3 Buckets and elastic block storage. You’ve got these things that are not servers, but they’re important entities that have to be secured, and what we realize is if you’re going to get all that, if you’re going to really build it, take care of the cloud, you kind of need to build it from scratch. That was a hard decision for us to not just add on to what we had. It took a lot longer and a lot more people, but in the end, what we created was something that was, you know, all together, a cloud-native monitoring system.

Then, what we wanted to do was, we said ‘Do we really want to make our users have one system for cloud and another system for on prem?’ So that when you monitor security, you have these two disparate systems, like two disparate world – but that’s not how it’s going to be. The way that most networks are going to work is that they’re going to have elements in the cloud, elements on prem, but it’s all meshed together to form one system. What you need is a single view of that security landscape so that you can solve the problem. And so that’s what USM Anywhere does.

To that end, what we’ve done is we architected it so that we have a backend that does all the correlation analysis and vulnerability assessment, and then we have a kind of a generic sensor which can be adapted to different platforms. That generic sensor which does kind of the basics of sending data back to the main backend is the same, but then there’s functionality that’s specific for Amazon AWS, for Microsoft Azure, for VMware’s ESX server and then for Microsoft Hyper-V. Each of those sensor types kind of does all the basics, then it does a lot of specific things so when you drop a USM Anywhere sensor into Amazon, it knows about AWS Cloud Trail and about S3 Buckets, and it automatically starts collecting that data and trying to look for vulnerabilities. That also means that we’ve written a bunch of rules to detect malware and intrusions inside of AWS, right? Cause you’re going to have a mix of the kinds of intrusions that can happen anywhere, and the kinds of intrusions that are specific to problems with AWS.

That’s one big shift. The second big shift that drove our design is that customers are saying ‘Look, we are getting more and more strapped; we have to do more with fewer resources, and as easy as your traditional product is, we would like it to be even easier’. And so when you think about how technology makes things radically more useable, it’s mostly by making them disappear. Back in the early days of automobiles, you had to actually understand how the engine works to sort of get it going and crank it, and you know, early days you had a modem and you had to think about your modem and some modems were easier, and some modems were hard. But today we just turn the key and the car starts, and you don’t have a modem because all the networking has disappeared and unless something really dramatic happens, you don’t think about it.

What we wanted to do is that, we wanted to make the hard part of security monitoring disappear and the hard part is maintaining an appliance. Nobody really wants to deploy an appliance and update it, and just take care of it and make sure the disk doesn’t fill up, and do the upgrades when the new functionality comes out. That is not security. That is not why you’re paying the vendor for the product. We decided to release it in the cloud as a service, so that all of the back end is our problem. The other thing we can do when we do that is that we can do it more cost-effectively. You know, if you as an IT guy download a product and install it and manage it – well, you don’t have any kinds of economies of scale. It’s you dealing with one server. But if we have hundreds of thousands of these things, we can hire a few developers and they can write code that automates all of the deployment, all of the upgrades, all of the upkeep and performance management, and it becomes really cheap for us. We can do 1000 about at the same cost as we can do 100 and we bring that cost down to us, we can then sell it to you cheaper than you can do it for yourself.

That’s one of the things that’s made AlienVault successful, is we market to folks with not a lot of budget, without a lot of staff so the whole idea behind this is to make the product really easy and keep it really affordable, so somebody with a mid-sized enterprise budget can be successful with it and buy it, and pay a subscription and it’s not going to break your budget at all. It’s not an enterprise product in that way.

alienvault usm anywhere

Other things to know about USM Anywhere that would make it attractive? One, and that’s also really different from our traditional product is we built it not on a traditional database, we built it around Elasticsearch. Which means that we can scale horizontally. One of the limitations of USM Appliance is at a certain point, you run out of what the hardware can do. It doesn’t scare horizontally. But Elasticsearch, we can just spinning up nodes in a cluster and get as big as any customer wants to be. Now, we are not interested, as I keep saying, we are not interested in going after the biggest companies. But we don’t want any customer, even mid-sized customers often have pretty large environments, and we want to be able to manage them all in one, and USM Anywhere, because it’s built on elastic search, will allow them to do that.

With the product, you can automatically, will store live data for 90 days so that’s quickly searchable. We include with your subscription every log that you send us, every bit of data that we generate, we’re doing IDS, all of that is stored in cold storage and cold storage means is a WORM interface – write once, read many – so that it’s sort of fit for compliance, and we’ll keep that for a year. So you don’t have to think about it. The whole idea is that you buy this subscription, you deploy a sensor too and you start collecting data, and when your auditor comes, you just give them the reports that they need and you can pull all cold storage data out of cold storage and show it to them. And it all just works pretty seamlessly, and you can just manage alarms and not think about anything else.

Last thing, if you are familiar with us, you’re thinking ‘Wow, this guy really likes this USM Anywhere thing, does that mean that AlienVault is abandoning their existing product?’ And the answer there is No. USM, we’ve renamed it to USM Appliance but it’s not going anywhere and it’s not going into maintenance mode. We are going to continue to add lots of features to it, we have lots of customers on it. 5,000 customers at last count, and we expect to sell a ton of it over the next few years, so that it is a growing product line. Because as awesome as we think the cloud is, we are fully aware by talking to people that there are many customers and companies that cannot go into the cloud. They either don’t want to, or they are regulated or they have policies and they need to have their stuff on prem, and so we don’t want to abandon that market and we didn’t want to create a product that tried to do both, because fundamentally you make sacrificies. So you have one that is on prem, for on prem and one is in the cloud that can do both on prem and cloud altogether.

And if you’d like to try this new USM Anywhere product, you can go to You can sign up for an interactive demo where you can play with the product live and then you can also sing up for a trial for free for 14 days where you can then point your data at it and kind of get a real feel for what the product’s going to be like.

alienvault usm anywhere

RSA Conference 2017

Don't miss